hackthebox.eu: SwagShop Walkthrough
Time for another hackthebox walkthrough. This time I’m tackling SwagShop. This one has some cool features and a few sneaky rabbit holes that I went down so follow along.
SPOILERS BELOW!!! You have been warned.
Looking at our standard nmap, we have only port 22 and 80 open so this one is going to be interesting. Probably a web application attack.
Next I decided to run dirb (link) to see if there are any hidden directories that would be worth checking out.
The app directory is interesting and has LOTS of files and subdirectories. I looked around in that for a while and didn’t find anything juicy so it was time to move on.
Looking at the site just tells me some basics about what it is running. Magento shopping site software… interesting. After some searching and consulting the forums, this shopping software has an available exploit called ShopLift. So I found a POC on github and gave it a try.
well crap
Interesting… but not entirely unexpected. It’s not uncommon to have exploits that you find not work. I went through the code before running it to make sure it was not malicious in any way, but looks like I need to do some more looking.
Manually verifying that this directory exists was a good start.
It looks like the code needs the following directory to do what it needs to do. Let’s look and see if that’s there.
Does not look like it. I did a bit more research and reading and it turns out there are multiple versions of this exploit. Some use another directory, which led me to this site: https://github.com/joren485/Magento-Shoplift-SQLI
Similar… but different
Aha! This one looks different. Let’s see if that file exists.
Now we’re in business. I pulled down that code, changed a few things (this is a CTF afterall… don’t want to give anyone else and advantage) and ran the code.
So that’s a good sign. Let’s see if those credentials give me access to the admin panel.
Success! We can login to the administrative interface for the app. And it seems to run in php. That means we need a php reverse shell. I tried meterpreter first and it worked, but I didn’t really want to run that shell because I think I’ll need fully interactive which I should be able to get with netcat. Let’s adjust a bit and try again.
So it turns out that messing with mage.php on this application is a bad idea. I bricked the box at one point and had to reset it completely. That’s an embarrassing lesson to learn.
So now I was editing the get.php page which seemed to work a LOT better (except for people using the same page). I found a working php reverse shell here: https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php that seemed to be pretty solid.
I found that the user in my shell www-data has access to run vi as root and there is a useful technique to drop out of vi into a root shell.
The problem is that while this user can do this… the shell I have cannot.
Ok, so I need a shell with tty… now how to get that. I tried all of the methods that I know and found from this site: https://netsec.ws/?p=337 but no dice. I wonder if I go back to meterpreter?
Nope… think about python for a bit… which python returns nothing but there are other versions of python. Python3 for example.
Fully interactive tty here I come! This will make things easier.
I tried just running vi for a while and had no luck, but it turns out that I needed to do some more research into how sudo permissions work. Once I read some more and figured out that my user only had permissions to run vi as root in /var/www/html I figured out that I could just vi any file in that folder and it should work. That command worked and now I can jump out of vi for the file to something VERY useful.
Pwn3d! Now I grabbed the root.txt and the neat surprise at the end. :)
___ ___
/| |/|\| |\
/_| ´ |.` |_\ We are open! (Almost)
| |. |
| |. | Join the beta HTB Swag Store!
|___|.__| https://hackthebox.store/password
PS: Use root flag as password!