HackTheBox Writeup — Swagshop

HTB Swagshop

Hello guys, I am Faisal Husaini and this is my writeup on Medium for the Swagshop machine, which has retired. My username on HTB is “faisalelino”.

I was not able to publish other writeups as I had been away from infosec and related things for six months because of my exams. Now that I am finally free, the first box I decided to do was the simplest one, since I had almost forgotten everything I knew. So I tried to solve SwagShop, as suggested by my friends.

The IP for this box is 10.10.10.140, so let’s get started.

nmap -sC -sV 10.10.10.140

NMAP Results

We see that only two ports are open, port 22 and port 80, running OpenSSH and Apache httpd respectively.

Magento

The site is running Magento. In the background we run gobuster to enumerate directories:

gobuster dir -u http://10.10.10.140 -w (wordlist) -t 50

Gobuster Results

We get a few results, but before we check all of them, let’s find the Magento version so we can look for an exploit that applies to it.

If we browse to the /downloader directory on the web server, it reveals the Magento version shown below:

Magento Version 1.9.0.0

After searching a lot for an exploit for Magento 1.9.0.0 and later, I found one that worked for me; the link is at the end of this writeup.

The exploit uses a SQL injection to create an administrator account in the Magento database.

Now we log in with the credentials the exploit just created, at http://10.10.10.140/downloader.

Magento Connect Manager

To go any further from the Connect Manager and add or edit anything, we would need to upload a Magento package, so we look for another way in.

We find another admin panel for Magento, http://10.10.10.140/index.php/admin, and can log in to it as admin with the same credentials the exploit created.

We edit one of the existing PHP files (here get.php), put our reverse shell in it, start a Netcat listener, and trigger the shell by accessing the file at http://10.10.10.140/get.php:

nc -nvlp (port)

We successfully get our reverse shell; now we do the usual formalities of upgrading to a better TTY shell.
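As a defender-side check for the step above (an existing PHP file under the web root rewritten to carry a reverse shell), here is an added example that is not part of the original writeup: a minimal file-integrity check that hashes the PHP files under a web root, keeps the hashes as a baseline, and reports anything modified or added later. The directory layout and file contents are constructed inside a temporary directory, and the content written to get.php is a stand-in, not a payload; /var/www/html and the Magento file names are only the real-world targets.

```python
"""File-integrity check for a PHP web root.

Added example, not code from the original writeup. The tree below is constructed
in a temporary directory to reproduce the scenario: a clean baseline, then an
existing get.php overwritten and a new PHP file dropped.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Only files that the web server will execute or that change its behaviour.
WATCHED_NAMES = {".php", ".phtml", ".htaccess"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large files do not land in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(webroot: Path) -> dict[str, str]:
    """Map each watched file (path relative to the web root) to its SHA-256."""
    manifest = {}
    for p in sorted(webroot.rglob("*")):
        if p.is_file() and (p.suffix in WATCHED_NAMES or p.name in WATCHED_NAMES):
            manifest[p.relative_to(webroot).as_posix()] = hash_file(p)
    return manifest


def diff_manifest(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify changes since the baseline: modified, added (new code), removed."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def demo() -> dict[str, list[str]]:
    """Baseline a constructed clean tree, then tamper with it the way the writeup describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php require 'app/Mage.php'; Mage::run();\n")
        (root / "get.php").write_text("<?php // constructed stand-in for Magento's get.php\n")
        (root / "skin").mkdir()
        (root / "skin" / "logo.png").write_bytes(b"\x89PNG\r\n")  # static asset, not watched
        baseline = build_manifest(root)

        # Attacker steps: overwrite an existing PHP file, and a package drops a new one.
        (root / "get.php").write_text("<?php /* constructed stand-in for the reverse shell */\n")
        (root / "shell.php").write_text("<?php /* constructed stand-in for an uploaded file */\n")
        (root / "skin" / "logo.png").write_bytes(b"changed")  # ignored: not code

        return diff_manifest(baseline, build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline would be generated at deploy time and stored off the host, because a root-level compromise like the one in this box lets the attacker rewrite the manifest as well as the files.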

Now that we have a better shell, it is time to get the user flag first.

The user flag is the file user.txt in /home/haris/.

For privilege escalation, we run sudo -l to see what the current user is allowed to run through sudo:

sudo -l

As we can see, we can run /usr/bin/vi as root without a password on any path matching /var/www/html/*.

Let’s use the vi privilege escalation technique: open a file under /var/www/html with sudo vi and spawn a shell from vi’s command mode (for example with :!/bin/bash).

As soon as we press Enter, we get a root shell.
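The sudo -l output above is what turns a web shell into root, so here is an added example (not from the writeup) of a small audit that parses sudo -l output and flags NOPASSWD rules on binaries that can spawn a shell, such as vi. The sample output is constructed to match the rule the writeup reports; the host name swagshop and the user www-data are assumptions. It also flags the wildcard in the rule as a second problem independent of the editor escape: sudoers matches argument wildcards as globs and a * in an argument also matches /, so a path such as /var/www/html/../../../etc/sudoers satisfies /var/www/html/* too.

```python
"""Flag `sudo -l` rules that amount to a password-less root shell.

Added example, not code from the original writeup. SAMPLE_SUDO_L is constructed
to match the rule the writeup reports ("/usr/bin/vi as root without password on
/var/www/html/*"); the host name "swagshop" and the user "www-data" are assumptions.
"""
import re
import shlex

# Programs that let the caller run a shell or write arbitrary files from inside
# the program, so NOPASSWD root on them is effectively root.
SHELL_ESCAPE_BINARIES = {
    "vi", "vim", "view", "nano", "less", "more", "man",
    "awk", "find", "python", "python3", "perl", "env", "bash", "sh",
}

SAMPLE_SUDO_L = r"""Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
"""

# Constructed benign counterpart: a fixed command with no shell escape.
SAMPLE_SUDO_L_BENIGN = """User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/id
"""

# "(root) NOPASSWD: /usr/bin/vi /var/www/html/*" -> runas, tags, command line
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")


def parse_rules(sudo_l_output: str) -> list[dict]:
    """Return one dict per command in the 'may run the following commands' block."""
    rules = []
    in_commands = False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = set(re.findall(r"[A-Z]+", m.group("tags")))
        # sudo prints several commands sharing runas/tags on one line, comma separated.
        for cmd in m.group("cmd").split(","):
            argv = shlex.split(cmd.strip())
            if not argv:
                continue
            rules.append({
                "runas": m.group("runas").split(":")[0].strip(),  # "(root)" or "(ALL : ALL)"
                "nopasswd": "NOPASSWD" in tags,
                "binary": argv[0],
                "args": argv[1:],
            })
    return rules


def root_shell_rules(rules: list[dict]) -> list[tuple[str, str, str]]:
    """(binary, arguments, reason) for every rule that hands out a password-less root shell."""
    findings = []
    for r in rules:
        if not (r["nopasswd"] and r["runas"] in ("root", "ALL")):
            continue
        name = r["binary"].rsplit("/", 1)[-1]
        if name not in SHELL_ESCAPE_BINARIES:
            continue
        reason = f"{name} can spawn a shell from inside the program (vi: ':!/bin/bash')"
        if any("*" in a for a in r["args"]):
            # sudoers matches argument wildcards as globs and '*' also matches '/',
            # so the path restriction is defeated by '..' even without the editor escape.
            reason += "; wildcard argument also matches /var/www/html/../../../etc/sudoers"
        findings.append((r["binary"], " ".join(r["args"]), reason))
    return findings


if __name__ == "__main__":
    for binary, args, reason in root_shell_rules(parse_rules(SAMPLE_SUDO_L)):
        print(f"[!] {binary} {args}: {reason}")
```

The fix on the defending side is the usual one: no editors, pagers or interpreters in sudoers at all, and no wildcards in arguments; if a web user must edit files as root, wrap the exact operation in a script and allow only that script.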

We successfully got a root shell. The root flag on HTB boxes is usually located in /root.

So here ends the writeup part of the box. Below I list the vulnerabilities used to pwn this box and the resources I used.

  1. SQL injection via the Magento exploit to create admin credentials
  2. Uploading a PHP reverse shell after gaining admin access, giving remote code execution
  3. vi shell escape to get root, as vi was allowed through sudo without a password

Important Links Which I Used To Solve This Box
