# Hack The Box - Swagshop

## Quick Summary

Hey guys, today Swagshop retired and here’s my write-up about it. It was a very easy box: it had an outdated version of Magento which had a lot of vulnerabilities that allowed me to get command execution. The user could run vi with sudo as root, so I used the basic vi/vim escape to get a root shell. It’s a Linux box and its IP is 10.10.10.140; I added it to /etc/hosts as swagshop.htb. Let’s jump right in!

## Nmap

As always, we will start with nmap to scan for open ports and services:

We got HTTP on port 80 and SSH. Let’s check the HTTP service.

## Web Enumeration, Creating an admin user

http://swagshop.htb/ :

On port 80 there’s a web application called Magento.

> Magento is an open-source e-commerce platform written in PHP. It is one of the most popular open e-commerce systems in the network. This software is created using the Zend Framework. - Wikipedia

By looking at the bottom I saw that the version is from 2014, which is very outdated, so I searched for exploits and this one which creates a new admin user worked, but I had to edit it first.

By browsing the web application I noticed that all paths are after /index.php, for example the login page:

So I set the target to http://swagshop.htb/index.php and I changed the credentials from forme:forme to rick:rick:

## RCE (The Froghopper Attack), User Flag

This machine had several paths for getting RCE, but it has been patched several times and now the only method I could use is an attack called froghopper.

System -> Configuration:

Template Settings -> Allow Symlinks:

Then I got a blank PNG image and echoed a PHP reverse shell to it:

I uploaded the image as a category thumbnail:

Catalog -> Manage Categories:

Now if we check /media/catalog/category/shell.php.png the image should be there:

The last step is to create the newsletter template and inject the payload:

Then I saved the template and clicked on the preview template button:

And I got a shell:

We owned user.

## Privilege Escalation, Root Flag

The first thing I did after getting a shell was to get a stable tty shell:

I checked sudo and found that www-data can run vi as root on any file in /var/www/html/:

So I opened index.php in vi as root:

Then I executed /bin/bash from vi:

And we owned root!
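
The sudo rule is what turned the www-data shell into root: an interactive editor run through sudo can start a shell as the target user. As an added example (not part of the original write-up), this sketch audits sudoers rules for that pattern; the sample rules and the editor list are constructed assumptions, and the parser covers only simple one-line rules.

```python
import re
from pathlib import PurePosixPath

# Programs with a built-in way to run a shell or arbitrary commands (assumed list).
ESCAPE_CAPABLE = {"vi", "vim", "view", "less", "more", "man", "ed"}

RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*"
                  r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

def audit_rule(line):
    """Return findings for one sudoers user specification (simplified grammar)."""
    line = line.strip()
    m = RULE.match(line)
    if not m or line.startswith(("#", "Defaults")):
        return []
    runas = m["runas"] or "root"
    tags, findings = set(), []
    for cmd in m["rest"].split(","):
        cmd = cmd.strip()
        # Tags such as NOPASSWD: or NOEXEC: carry over to later commands.
        while (t := TAG.match(cmd)):
            tags.add(t.group(1))
            if t.group(1) == "EXEC":
                tags.discard("NOEXEC")
            cmd = cmd[t.end():]
        parts = cmd.split()
        if not parts:
            continue
        binary = PurePosixPath(parts[0]).name
        if binary in ESCAPE_CAPABLE and "NOEXEC" not in tags:
            findings.append(f"{m['user']}: {binary} as {runas} can spawn a shell; "
                            "use sudoedit or the NOEXEC tag")
        if any("*" in arg for arg in parts[1:]):
            findings.append(f"{m['user']}: '*' in arguments of {binary} also "
                            "matches '/' and spaces, so the path is not confined")
    return findings

# Constructed sample rules, not copied from the box.
SAMPLE = """\
www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*
www-data ALL=(root) NOPASSWD: sudoedit /var/www/html/index.php
backup ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
"""

def audit(text):
    return [f for line in text.splitlines() for f in audit_rule(line)]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Only the first sample rule is flagged, once for the editor and once for the wildcard; the `sudoedit` and `NOEXEC` variants pass.
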
That’s it, feedback is appreciated!