
swagshop

Author: Muqaram Majid


Overview

  • OS: Linux
  • IP: 10.10.10.140
  • Difficulty: Easy
  • Platform: HackTheBox
  • OSCP: No
  • Lists: N/A

Summary

to be continued.

Enumeration

nmap results

after adding `10.10.10.140 swagshop.htb` to our /etc/hosts file, we are able to access the site

dirsearch

Release_notes.txt directory

ok so I thought this site would be useful for getting the version of Magento running, but no, it's redirecting us to another site to get the current release notes, which makes this useless.

let's try using a tool called magescan instead to get the version

follow these commands

    sudo apt update
    sudo apt install php-cli -y
    wget https://github.com/steverobbins/magescan/releases/latest/download/magescan.phar
    chmod +x magescan.phar
    ./magescan.phar

nice, our Magento version is 1.9.0.0

oh wow, we got some db credentials from the local xml directory we found from dirbusting.

root:fMVWh7bDHpgZkyfqQXreTjU9

dbname:swagshop

key:b355a9e0cd018d3f7f03607141518419
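
For the defender's side of this finding, an added example (not part of the original writeup): a Python check that takes the HTTP response a store returns for its Magento 1 `app/etc/local.xml` and reports which secrets it exposes and which must be rotated. The sample XML is constructed with placeholder values, and the name `audit_local_xml_response` is hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a Magento 1 app/etc/local.xml (placeholder values).
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
  <global>
    <install><date><![CDATA[Mon, 01 Jan 2018 00:00:00 +0000]]></date></install>
    <crypt><key><![CDATA[0123456789abcdef0123456789abcdef]]></key></crypt>
    <resources>
      <default_setup>
        <connection>
          <host><![CDATA[localhost]]></host>
          <username><![CDATA[root]]></username>
          <password><![CDATA[EXAMPLE-PASSWORD]]></password>
          <dbname><![CDATA[shop]]></dbname>
        </connection>
      </default_setup>
    </resources>
  </global>
</config>"""

# Elements of local.xml that should never be readable over HTTP.
CONN = "global/resources/default_setup/connection/"
SENSITIVE = {
    "db_username": CONN + "username",
    "db_password": CONN + "password",
    "db_name": CONN + "dbname",
    "crypt_key": "global/crypt/key",
    "install_date": "global/install/date",
}

def audit_local_xml_response(status, body):
    """Classify an HTTP response for app/etc/local.xml without echoing the secrets."""
    result = {"exposed": False, "leaked": [], "rotate": [], "db_user_is_root": False}
    if status != 200:
        return result  # 403/404 is the expected, safe answer
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return result  # something else was served, e.g. an HTML error page
    leaked = sorted(n for n, p in SENSITIVE.items() if (root.findtext(p) or "").strip())
    result["leaked"] = leaked
    result["exposed"] = bool(leaked)
    # A leaked password or crypt key stays compromised after access is blocked.
    result["rotate"] = [n for n in leaked if n in ("db_password", "crypt_key")]
    # Least privilege: the store should not connect to the database as root.
    result["db_user_is_root"] = root.findtext(SENSITIVE["db_username"]) == "root"
    return result
```
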

Vulnerabilities

let's check out the remote code exec one

shoplift

Exploitation

ok let's check this out and see if there are any changes that have to be made to the script.

let's see if we can access that link specified as the target url

ok so we can't access the page, let's try

on messing with the site

I realized that any page that I visit has index.php being added at the start of the url, let's try adding that to the target url and see if we can access the page or not.

and boom it works, let's change this in the script accordingly

first remove these unnecessary characters

ok so once this script executes it will create another account with these credentials for us to login with.

ok now let's run it

ok wow it worked, let's try those credentials now

we are getting this page??

oh nvm, on pressing the back button we are greeted with this

we are in the admin panel!

remember we came across some Magento exploit that required us to be authenticated?

now that we are authenticated, let's visit that

let's get the exact date from the local xml file

comment the first few lines out and add these lines to the script

change from 7d to 2y here as there were no orders in the past 2 years

ok we are ready to run the script now

let's fix this error

kept getting this error, got frustrated, will attempt again