HackTheBox SwagShop

Swag Shop info card

Over a year has passed since I’ve last done anything related to penetration testing. I decided to tackle the SwagShop machine on HackTheBox to ease back into things since it has a nice friendly green “Easy” rating. Note: This post is hidden until the machine is “Retired” to avoid spoilers to the community.

Enumeration and Information Gathering

First thing’s first. HackTheBox gives out the machine IP, so I run a quick nmap scan to look for open ports.

$ nmap -v -sS -A -T4 10.10.10.140
...
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 88733EE53676A47FC354A61C32516E82
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
...

There’s a couple key pieces of information I got from that scan. There’s only two visible services at the moment - OpenSSH 7.2p2 and Apache httpd 2.4.18. I check out what’s running on the web server since that seems like a likely place to find a vulnerability.

Magento storefront

A quick visit using the browser shows that the site is running Magento. Based on the look of the page, it seems to be an old version as well. I ran nikto in the background while looking up some CVEs for Magento to see what vulnerabilities have been reported.

$ nikto -h 10.10.10.140
...
+ OSVDB-3268: /app/: Directory indexing found.
+ OSVDB-3092: /app/: This might be interesting...
+ OSVDB-3268: /includes/: Directory indexing found.
+ OSVDB-3092: /includes/: This might be interesting...
+ OSVDB-3268: /lib/: Directory indexing found.
+ OSVDB-3092: /lib/: This might be interesting...
+ OSVDB-3092: /install.php: install.php file found.
+ OSVDB-3092: /LICENSE.txt: License file found may identify site software.
+ OSVDB-3233: /icons/README: Apache default file found.
+ /RELEASE_NOTES.txt: A database error may reveal internal details about the running database.
+ /RELEASE_NOTES.txt: Magento Shop Changelog identified.
...

Nikto gives me a pretty good idea of where to look around for more information. The website was carelessly uploaded with unneeded files that can reveal useful information such as a version number.

/RELEASE_NOTES.txt:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
] NOTE: Current Release Notes are maintained at:                                 [
]                                                                                [
] http://www.magentocommerce.com/knowledge-base/entry/ce-19-later-release-notes  [
]                                                                                [
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

==== 1.7.0.2 ====

=== Fixes ===
Fixed: Security vulnerability in Zend_XmlRpc - http://framework.zend.com/security/advisory/ZF2012-01 
Fixed: PayPal Standard does not display on frontend during checkout with some merchant countries
...

Based on the release notes, the version of Magento is probably 1.9.x or lower. Several vulnerabilities for <1.9.x exist, however this one caught my eye. CVE-2019-7139 allows an unauthenticated user to register an account with admin access. Some Googling for information on the vulnerability led to posts referring to this exploit as Shoplift and that it was especially dangerous with the Magpleasure File System extension.

Exploiting the Machine

A proof of concept for the Shoplift exploit is already available on exploit-db. No modifications needed to be made to execute this and it worked out of the box. The only modification I made was the newly created admin username and password to not clash with anyone else on the box that may have ran the same exploit as me.

After gaining access to the admin panel, I familiarised myself with the layout since I never used Magento before, tried to find an easy way to execute code on the host. In the end I ended up installing the Magpleasure File System extension, which allows editing local PHP files in the web server directory.

This looks like the perfect way to install a PHP reverse shell. I set up a netcat listener on my host machine and decide to set up my reverse shell in /install.php to avoid interfering with people who are doing the lab at the same time as me.

File system extension

After hitting /install.php, my local listener granted me user shell access to the server:

File system extension

Local Privilege Escalation

Next step will be figuring out how to escalate user permissions to gain root access. After doing some basic enumeration, I noticed something strange in the /etc/sudoers file:

File system extension

www-data ALL=NOPASSWD:/usr/bin/vi /var/www/html/*

That very last line grants passwordless sudo to www-data, the user I’m currently logged in as, only when using vi in the /var/www/html/* directory.

vi and vim both have a feature to exit back to shell with :sh, and sudo is permitted when targeting a specific directory. I can escalate myself to root by using vi to exit back to drop back to the shell that was spawned from the root user because it was executed using sudo:

sudo vi /var/www/html/test -c '!sh'

The output is messed up since the shell was not configured properly, but no matter.

File system extension

Side Note:

Shoplift was one of several ways to exploit the machine. Earlier I ran into exposed MySQL credentials when exploring the open web server directory tree, so gaining admin access may have been possible through that avenue.

Exposed MySQL credentials