Writeup for the retired HTB machine Swag Shop
A qick portscan reveals multiple open ports:
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Home page
As a website is involved, investigation into interesting files is conducted with gobuster.
By investigating the dirs a bit, one can find
/app/etc/local.xml, which holds credentials:
as well as a crypt key:
The DB name is
As we don’t have any credentials that yield a successful login, we switch to running an exploit to generate them.
37977.py works after a quick code cleanup and setting the target to
The admin interface is located at
Thanks to the exploit we end up with an admin login
Admin interface & shell
The next step after login is opening a reverse shell.
Most of this is based on the Froghopper attack, which is explained in detail in the liked article.
Prepare a php reverse shell (shell.php) with your IP and Port and change the extension to .jpg to pass the upload filter.
That can be uploaded as the image for a new Category (Catalog -> Manage Categories -> Add Category).
If everything worked well, the file will show up under
Now, to execute the shell, it has to be called. To do that, symlinks need to be activated in System - Configuration - Developer - Template Settings.
Then a new Newsletter Template has to be created with the following content:
Afterwards, a click on “preview” will force the server to render the php shell. After the shell connects to the local netcat listener, the user flag can be printed.
Road to root
Enumerating common privilege escalation paths, a sudo entry reveals a possible path:
User www-data may run the following commands on swagshop: (root) NOPASSWD: /usr/bin/vi /var/www/html/*
As one can spawn shells within vi, this can be exploited to spawn an elevated shell.
So it’s a matter of running
sudo vi /var/www/html/LICENSE.txt and then