Hack The Box – Swagshop Write-up/Walkthrough By Nikhil Sahoo

Introduction

Back with a new blog. Today we will go through the walkthrough of the Hack The Box machine Swagshop, which retired very recently. It was actually a fairly easy box and was a Linux machine. Getting the root flag was much easier than getting the user flag. So let’s begin.

Recon

We’ll start our recon with an nmap scan.

We can see that port 80 is open, so let’s check that first in our browser.

On opening the IP in our browser we can clearly see that it is some sort of online store for buying cool swag and stickers, and that it is built on the Magento e-commerce framework.

So let’s search for any known exploits using searchsploit.

The “Magento eCommerce – Remote Code Execution” entry looks quite interesting, so let’s try it first. What it does is exploit a remote code execution vulnerability in the framework and add a set of admin credentials, with which we can log in to the admin dashboard.

Before executing it we need to make a small change to the URL path in the code, so copy the code to some other location (use the locate command if you have no idea where the code is present on your system). Now open the code and add index.php to the path, because the admin panel is present at this location:

http://10.10.10.140/index.php/admin

Now let’s run the exploit code.

It worked, so let’s move on to our browser and go to the following URL: http://10.10.10.140/index.php/admin

and then login with the new creds “forme:forme”.

Now, for getting a reverse shell there is a very common and easy way in Magento using file upload and the IDE, but unfortunately this feature had been disabled by the author of the box by the time I started it, as everyone was using this method and making the box unstable.

On searching further on Google we can find another possible way to get a reverse shell, using the method called “froghopper”.

Here is a detailed and very well explained post about each and every step: https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper. I highly recommend going through it more than once, as it makes the process much easier to understand and things get clearer.

In short, Magento gives an option to attach an image while adding a product category. It only allows files with image extensions such as JPG and PNG, but it does not check for malicious code inside the file, so we can embed our malicious code inside the JPG/PNG contents. Even after uploading, this malicious image file is still interpreted only as an image, so it is never executed on its own. To exploit it there is another functionality, the newsletter, which allows creating customer newsletters from templates, and all we have to do is point the template path at our malicious image.

First things first, let’s upload the malicious image. We can simply create a malicious image by adding the magic bytes of an image format to the beginning of our PHP code and changing the extension of the file to .png, like this:

The reverse shell was taken from pentestmonkey, and to learn more about magic bytes refer to this link: https://en.wikipedia.org/wiki/List_of_file_signatures
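To see why the upload check is bypassed so easily, here is an added example (my own code, not part of the original write-up or of Magento) of what a naive validator does versus what an upload handler should do. It compares three checks on constructed sample files: a magic-byte check (the only thing being bypassed here), a content scan for PHP open tags, and a structural walk of the PNG chunk list that also rejects bytes appended after IEND. The sample "polyglot" is just a PNG header followed by a placeholder PHP tag, not a real payload.

```python
# Added example (not from the write-up): why a magic-byte check alone does not
# catch an image file that carries PHP code. All sample inputs are constructed.
import re
import struct
import zlib

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
# Text that has no place inside a genuine image served by a web app.
SCRIPT_MARKERS = (re.compile(rb"<\?php", re.IGNORECASE), re.compile(rb"<\?="))


def has_image_magic(data: bytes) -> bool:
    """The naive check: only the first few bytes are inspected."""
    return data.startswith(PNG_MAGIC) or data.startswith(JPEG_MAGIC)


def contains_script_marker(data: bytes) -> bool:
    """Content scan: flag PHP open tags anywhere in the file."""
    return any(p.search(data) for p in SCRIPT_MARKERS)


def png_is_well_formed(data: bytes) -> bool:
    """Structural check: a PNG is a chain of length/type/data/CRC chunks that
    ends in IEND with nothing after it (trailing bytes are a classic place to
    hide a payload)."""
    if not data.startswith(PNG_MAGIC):
        return False
    pos = len(PNG_MAGIC)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start, body_end = pos + 8, pos + 8 + length
        chunk_end = body_end + 4
        if chunk_end > len(data):
            return False
        body = data[body_start:body_end]
        (crc,) = struct.unpack(">I", data[body_end:chunk_end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            return False
        if ctype == b"IEND":
            return chunk_end == len(data)
        pos = chunk_end
    return False


def upload_verdict(data: bytes) -> str:
    """Combine the three checks the way an upload handler should."""
    if not has_image_magic(data):
        return "reject: not an image"
    if contains_script_marker(data):
        return "reject: script marker inside image"
    if data.startswith(PNG_MAGIC) and not png_is_well_formed(data):
        return "reject: malformed png"
    return "accept"


def _png_chunk(ctype: bytes, body: bytes) -> bytes:
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def minimal_png() -> bytes:
    """A valid 1x1 grayscale PNG built by hand (constructed sample)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # one scanline: filter byte + one pixel
    return (PNG_MAGIC + _png_chunk(b"IHDR", ihdr)
            + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b""))


# Constructed samples: a clean image, and the "magic bytes + PHP" shape the
# write-up describes (placeholder tag only, no real payload).
GOOD_PNG = minimal_png()
POLYGLOT = PNG_MAGIC + b"<?php /* placeholder */ ?>"

if __name__ == "__main__":
    samples = [("good", GOOD_PNG), ("polyglot", POLYGLOT), ("trailing", GOOD_PNG + b"extra")]
    for name, sample in samples:
        print(name, "magic_ok=%s" % has_image_magic(sample), "->", upload_verdict(sample))
```

The polyglot passes `has_image_magic` just like a real image, which is the whole point of the technique; it is only the content and structure checks that catch it. The content scan is a heuristic (tags can be obfuscated), so the real fix on the server side is to never let an upload directory double as a template or code source, which is what the next steps of the walkthrough rely on.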

Now let’s go to our dashboard, then to Catalog -> Product Category, add a new root category, fill in the details, upload the malicious image file and save it.

Next, move to System -> Configuration -> Developer -> Template Settings. Set Allow Symlinks to Yes and save the config. This lets the newsletter load template files from outside the template root directory, which matters because our malicious image sits in the “media/catalog/category” directory.

Now let’s move to Newsletter -> Newsletter Templates -> Add New Template.

Fill in the name, subject and other fields with anything you like, and in place of the Template Content type the following code:

{{block type="core/template" template="../../../../../../media/catalog/category/malicious_image.png"}}

So here we are loading the template not from the template root directory but from the media/catalog/category directory where we uploaded our malicious image. Click Save Template, then move back to the terminal and open a port for the reverse shell. Type the following command to listen on a port: nc -lnvp 4444
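The traversal in that block directive only works because the Allow Symlinks setting switches off the template containment check. Here is an added example (my own code, not Magento's) that models that check the way the write-up describes it: with symlinks disallowed, the real file a template name resolves to must stay under the template root; with symlinks allowed, the check is skipped entirely. The directory layout, file names and the `resolve_template` / `demo` functions are all constructed for the example and run in a temporary directory.

```python
# Added example (not Magento code): the containment check that the
# "Allow Symlinks" switch turns off, modelled on the behaviour the write-up
# describes. Directory layout and file names are constructed.
import tempfile
from pathlib import Path


class TemplateError(Exception):
    pass


def resolve_template(template_root, requested: str, allow_symlinks: bool = False) -> Path:
    """Return the real file a template name refers to.

    With allow_symlinks=False the resolved path (after following '..' and
    symlinks) must stay inside the template root. With allow_symlinks=True the
    containment check is skipped, which is exactly what lets a
    '../../media/...' template reference succeed."""
    root = Path(template_root).resolve()
    physical = (root / requested).resolve(strict=True)  # strict: file must exist
    if not allow_symlinks and not physical.is_relative_to(root):
        raise TemplateError(f"template outside root: {requested}")
    return physical


def demo() -> dict:
    """Build a throwaway tree and report which template references load."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        tpl_root = base / "app" / "design" / "template"
        media = base / "media" / "catalog" / "category"
        tpl_root.mkdir(parents=True)
        media.mkdir(parents=True)
        (tpl_root / "email.phtml").write_text("<p>legitimate template</p>")
        # Constructed stand-in for an uploaded category image (no payload).
        (media / "upload.png").write_bytes(b"\x89PNG\r\n\x1a\n<!-- constructed upload -->")
        (tpl_root / "link.png").symlink_to(media / "upload.png")

        # template -> design -> app -> base, then down into media/.
        traversal = "../../../media/catalog/category/upload.png"
        cases = [
            ("legit_template", "email.phtml", False),
            ("traversal_symlinks_off", traversal, False),
            ("traversal_symlinks_on", traversal, True),
            ("symlink_symlinks_off", "link.png", False),
        ]
        results = {}
        for name, requested, allow in cases:
            try:
                resolve_template(tpl_root, requested, allow_symlinks=allow)
                results[name] = "loaded"
            except TemplateError:
                results[name] = "blocked"
        return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

Note that a plain `../` path is not a symlink at all; the setting's name is misleading, and that is why auditing it (and keeping it at No) matters even on a host where nobody has created symlinks.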

Now go back to your template and click on the Preview Template option.

If everything goes right, then on clicking Preview Template we should get our reverse shell.

Got it! Now move to the /home/haris folder, where we will find our user flag.

Moving on to the root flag, let’s check our sudo privileges by typing “sudo -l”. We can clearly see that we can run vi as root on any file present in /var/www/html/. We can search Google for possible privilege escalations involving vi.

Now type in the command: “sudo vi /var/www/html/nikhil.sh -c ‘!sh’”. Here -c tells vi to execute the given command after opening the file, and !sh runs a shell from inside vi; since vi is running as root, so is the shell.
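From the defender's side, this sudo rule is the kind of thing a sudoers audit should flag before anyone reaches it. Here is an added example (my own code, not from the write-up) that parses a small subset of sudoers syntax and reports rules granting an editor with a built-in shell escape, plus wildcard arguments. The sample rules are constructed, modelled on the `sudo -l` output the write-up describes; the `audit_sudoers` and `parse_rule` names are mine.

```python
# Added example (not from the write-up): a small audit of sudoers-style rules
# that flags editors able to spawn a shell, as vi does with ':!sh' / -c '!sh'.
# The sample rules are constructed, modelled on the box's 'sudo -l' output.
import os
import re

# Editors with a built-in shell escape; kept to the one the write-up uses.
SHELL_CAPABLE_EDITORS = {"vi", "vim"}

# user host=(runas) TAG: command [, command ...]   (subset of sudoers syntax)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_rule(line: str):
    """Return (user, runas, [(command, args), ...]) or None for non-rule lines."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    commands = []
    for spec in m.group("cmds").split(","):
        parts = spec.split()
        if parts:
            commands.append((parts[0], parts[1:]))
    return m.group("user"), m.group("runas") or "root", commands


def audit_sudoers(text: str) -> list:
    """One finding per risky command, with every reason it was flagged."""
    findings = []
    for line in text.splitlines():
        parsed = parse_rule(line)
        if not parsed:
            continue
        user, runas, commands = parsed
        for command, args in commands:
            name = os.path.basename(command)
            reasons = []
            if name in SHELL_CAPABLE_EDITORS:
                reasons.append(f"{name} has a shell escape (':!sh', or -c '!sh'), giving a {runas} shell")
            if any("*" in a for a in args):
                reasons.append("wildcard argument: any file name is accepted")
            if reasons:
                findings.append({
                    "user": user, "runas": runas, "command": command,
                    "reasons": reasons,
                    "fix": f"grant sudoedit for the needed files instead of {name}",
                })
    return findings


# Constructed sample, modelled on the rule the write-up found with 'sudo -l'.
SAMPLE_SUDOERS = """\
# constructed sample sudoers fragment
Defaults env_reset
haris ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
deploy ALL=(root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']} -> {f['command']} as {f['runas']}")
        for r in f["reasons"]:
            print("  -", r)
        print("  fix:", f["fix"])
```

The `fix` field points at `sudoedit`, which copies the file, opens the copy in the user's editor as the invoking user, and only writes the result back with elevated rights, so a shell escape from the editor gains nothing.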

 

We can now check whether we are root, then move to the root directory and view the root.txt file.

Thus we got our root flag and the challenge was completed successfully.

So that’s all for now. See you next time. Goodbye.

You can have a look at my previous article on Hack The Box: Netmon write-up. Here is the link to the article.

Loved what you read?

If so, then kindly comment, follow and share our website for much more interesting stuff.

For any queries you can send a Hi to my LinkedIn handle: Here
