September 28, 2019

HackTheBox Writeup: SwagShop

SwagShop was an easy-rated box that was very straightforward: enumerate, find Magento running, find and edit an exploit to get into the admin panel, use another exploit for a reverse shell, then an easy root.

Nmap results:

Http shows a Magento powered shop selling some pretty sweet swag:

I clicked around exploring but didn't find anything interesting so I fired up gobuster:

Searchsploit shows some possible exploits:

RCE? Yes please and thank you.

37977.py looked juicy so I ran it, only to find it didn't work out of the box, so I started googling around. A short while later, I found this exploit code. Inspecting it showed a different target URL:

Compare that to the target URL in 37977.py:

Going to the right URL brought up an admin panel:

I modified 37977.py with the correct target URL and a custom username/password so I'd know the exploit had worked for me instead of riding in on someone else's exploit:

I ran the exploit which said it worked (I didn't bother modifying the exploit to print out the creds I modified):

After the exploit ran, I was able to log in to the admin panel as myself:

I looked around quite a bit but didn't find anything good. I ran a nikto scan which revealed a 'release_notes.txt' file.

Armed with the version number and some more googling, I learned about the froghopper attack: upload a malicious PHP file with a .jpg or .png extension, enable symlinks, then use some directory traversal. Let's get started then.

First I edited pentestmonkey's PHP reverse shell with my IP and port and named it rs.jpg (shameless plug, I wrote a script here that does it for you very quickly):

To upload the file, go to Catalog/Manage Products:

I created a new category with my malicious rs.jpg as a thumbnail:

Now that the file has been uploaded, the next step is to enable symlinks. You can do this from System/Configuration/Developer:

The final step is to create a newsletter template and link to the malicious .jpg uploaded earlier. Go to Newsletter/Newsletter Templates/Add New Template and add a line as below:

Save the template, preview it, and with a netcat listener running you get a shell:
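From the defender's side, the disguise step in this chain (a PHP file carrying a .jpg extension in the media directory) is what a periodic upload check should catch. The following is an added example, not code from the original post: `classify_upload`, `scan_media_dir` and the sample bytes are constructed for illustration, and it also covers the polyglot case where a valid image header is followed by PHP, which a magic-bytes-only check would miss.

```python
import os
import re
import tempfile
# Magic bytes a genuine image with each extension must start with.
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}
PHP_TAG = re.compile(rb"<\?php|<\?=", re.IGNORECASE)  # a real image never needs one

def classify_upload(filename, data):
    """Return findings ('bad_magic', 'php_tag') for a supposed image; [] if it looks genuine."""
    findings = []
    magics = IMAGE_MAGIC.get(os.path.splitext(filename)[1].lower())
    if magics is not None and not any(data.startswith(m) for m in magics):
        findings.append("bad_magic")
    if PHP_TAG.search(data):  # also catches polyglots that carry a valid image header
        findings.append("php_tag")
    return findings

def scan_media_dir(root):
    """Walk an upload directory and map basename -> findings for every suspect image."""
    suspects = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if os.path.splitext(name)[1].lower() not in IMAGE_MAGIC:
                continue
            with open(os.path.join(dirpath, name), "rb") as fh:
                findings = classify_upload(name, fh.read())
            if findings:
                suspects[name] = findings
    return suspects

# Constructed samples: a real JPEG header, PHP renamed to .jpg, and a polyglot.
SAMPLES = {
    "real.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    "rs.jpg": b"<?php /* constructed stand-in, not a real shell */ ?>",
    "poly.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 16 + b"<?php /* constructed */ ?>",
}

def demo():
    """Write the samples to a temp dir, scan it, and return {basename: findings}."""
    root = tempfile.mkdtemp()
    for name, data in SAMPLES.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return scan_media_dir(root)

if __name__ == "__main__":
    print(demo())
```

Point `scan_media_dir` at the Magento media tree (assumed path on your install) to flag `rs.jpg`-style uploads that a thumbnail field accepted without checking content.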

The user flag is found in /home/haris:

One of the first things I do when I get a shell on a Linux box is run sudo -l to see if my user can run anything as root:

Sweet, vi as root:

Oops. That's easily fixed though:

Let's try that again:

Typing :shell drops you into a root shell:

Finally the root flag: