HackTheBox — SwagShop Writeup

SwagShop from HackTheBox is a retired machine running a web service with an outdated, vulnerable Magento CMS, which allows us to perform RCE using the Froghopper attack and get a reverse shell. Later we can abuse sudo privileges that let us run vi as root to get a root shell.

Enumeration

Let's start with an Nmap scan to find open ports and services.

We find ports 22 and 80 open, with an HTTP service running on port 80.

Web Service Enumeration

The web application is running on Magento CMS, and at the bottom of the page we observe that it's a 2014 version. Let's search for exploits and, in the background, run wfuzz to find directories associated with this application.

Let's run searchsploit to look for publicly available exploits. We find an exploit, Magento eCommerce - Remote Code Execution (37977.py), that creates an admin account on the Magento CMS, which can be used to log in to the admin panel at http://swagshop.htb/index.php/admin/

Creating an Admin User

The Magento eCommerce - Remote Code Execution exploit creates a new admin account with forme/forme as credentials. I just modified the target, changed the credentials to cfx/cfx, and launched it to get an admin account.

Now we can log in to the admin panel at http://swagshop.htb/index.php/admin/ using the credentials cfx:cfx

Froghopper Attack - Magento RCE

Initially, when I did this box, I used the Magento Connect Manager to add a file system extension through which you could add or edit PHP files to get a reverse shell, but that vector has now been removed and the only method we can use is called the Froghopper attack.

Using this article I was able to use this attack. We start by allowing the symlinks option in the template settings.

Since we have to upload a PNG file as a category thumbnail, we take a PNG file and echo a reverse shell into it.

We upload the PNG file under Catalog > Manage categories.

We can check that our image file has been uploaded successfully by visiting http://swagshop.htb/media/catalog/category/shell.php.png

Now we have to create a newsletter template and inject the payload mentioned in the article.

We just have to save the template and then preview it to spawn our reverse shell.
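A defender-side check for the upload step above, as an added example (not code from the original post or from Magento): it flags files such as those under media/catalog/category whose PNG chunk chain is broken or carries trailing bytes, that contain a PHP open tag, or that have a script extension before .png. The function names and the extension list are assumptions, and the sample image is constructed.

```python
import struct
import zlib
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SCRIPT_EXTS = {".php", ".phtml", ".phar"}  # assumed list of script extensions

def png_end(data):
    """Offset just past the IEND chunk, or None if the chunk chain is broken."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length  # 4 length + 4 type + body + 4 CRC (CRC not verified)
        if pos > len(data):
            return None
        if ctype == b"IEND":
            return pos
    return None

def inspect_upload(name, data):  # returns reasons the file is not a plain PNG
    findings = []
    inner = [s.lower() for s in Path(name).suffixes[:-1]]
    if any(s in SCRIPT_EXTS for s in inner):
        findings.append("script extension before image extension")
    end = png_end(data)
    if end is None:
        findings.append("not a well-formed PNG")
    elif end < len(data):
        findings.append(f"{len(data) - end} bytes after IEND")
    if b"<?php" in data.lower():
        findings.append("PHP open tag in file body")
    return findings

def scan_dir(root):  # relative path -> findings, for every flagged .png under root
    flagged = {}
    for path in sorted(Path(root).rglob("*.png")):
        findings = inspect_upload(path.name, path.read_bytes())
        if findings:
            flagged[str(path.relative_to(root))] = findings
    return flagged

def _chunk(ctype, body):
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def sample_png():  # constructed 1x1 greyscale PNG used as sample input
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(b"\x00\x00")) + _chunk(b"IEND", b"")
```

Running `scan_dir` over the media directory on a schedule, or calling `inspect_upload` at upload time, surfaces the file before a template is ever pointed at it.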

Shell as www-data

Let's start the listener on port 4444 and then click the preview template button.

We see the user flag in the home directory of user haris.

Privilege Escalation

The user www-data has sudo privileges to execute the vi binary as root. We can spawn a shell from within vi using :!/bin/sh, which gives us a root shell.

Thanks for reading <3

This post is licensed under CC BY 4.0 by the author.