A port scan using nmap reveals SSH on port 22 and an HTTP server on port 80.

Visiting the HTTP server brings us to a Magento e-commerce page.

Searchsploit finds several vulnerabilities for Magento.

Remote Code Execution sounds good, so I checked out the script for it, 37997.py, which creates a new admin user.

I copied the script section of the file, as it needed some tweaks. I edited the target and target_url variables to match the location of the admin page and saved the script as Shoplift.py.

The script runs successfully and I have an admin account with the credentials forme:forme.

The first time I completed this box I used a different method to gain a shell, which no longer works: I uploaded a backdoor via the CMS and spawned a reverse shell from there. So this time I had to find a new approach.
In my earlier searchsploit findings there was an authenticated RCE script which affects the version of Magento that the machine is running, so I decided to go down that route. Reading the script, however, shows that it is not as straightforward as running it and getting a shell.
I saved the script as Magento.py and began working on it, first of all editing the config section, where I needed a username, a password and the install date, which I could find at /app/etc/local.xml.

I used the admin credentials from the previous exploit as the username and password and navigated to the directory where I could find the install date.
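Pulling the install date out of local.xml by hand is error-prone, because the exploit config wants the value exactly as stored. The block below is an added example (not code from the writeup or from the exploit script) that parses a constructed stand-in for a Magento 1.x app/etc/local.xml, returns the date verbatim, and sanity-checks that it really is an RFC 2822 date. The sample XML and its date value are made up, and fetch_install_date assumes the web server serves the file at /app/etc/local.xml, as it did on this box.

```python
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime
from email.utils import parsedate_to_datetime

# Constructed stand-in for a Magento 1.x app/etc/local.xml; the date and the
# database credentials are made up and are not the box's. The real file
# holds the DB credentials too, which is why it should never be web-readable.
SAMPLE_LOCAL_XML = """<?xml version="1.0"?>
<config>
    <global>
        <install>
            <date><![CDATA[Sat, 14 Nov 2015 22:14:22 +0000]]></date>
        </install>
        <resources>
            <default_setup>
                <connection>
                    <host><![CDATA[localhost]]></host>
                    <username><![CDATA[magento]]></username>
                    <password><![CDATA[s3cret]]></password>
                    <dbname><![CDATA[magento]]></dbname>
                </connection>
            </default_setup>
        </resources>
    </global>
</config>
"""


def install_date(local_xml: str) -> str:
    """Return the <install><date> string exactly as stored.

    The exploit's config expects the value verbatim, so it is only stripped
    of surrounding whitespace, never reformatted.
    """
    root = ET.fromstring(local_xml)
    node = root.find("./global/install/date")
    if node is None or not (node.text or "").strip():
        raise ValueError("local.xml has no global/install/date element")
    return node.text.strip()


def parse_install_date(date_str: str) -> datetime:
    """Sanity check: Magento 1.x stores the install date as an RFC 2822 date,
    so a value that does not parse here was probably copied incorrectly."""
    return parsedate_to_datetime(date_str)


def fetch_install_date(base_url: str, timeout: float = 10) -> str:
    """Fetch app/etc/local.xml over HTTP and extract the install date.

    Assumes the web server serves the file (it did on this box); a properly
    configured Magento install returns 403/404 here.
    """
    url = base_url.rstrip("/") + "/app/etc/local.xml"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return install_date(resp.read().decode("utf-8", "replace"))


if __name__ == "__main__":
    date = install_date(SAMPLE_LOCAL_XML)
    print(date, "->", parse_install_date(date).isoformat())
```

The date string is what goes into the script's config; the parsed datetime is only there to catch a mangled copy before you spend time debugging the exploit itself.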


I ran the script based on the example usage but ran into an error at line 69 of the script, as there was no data stored in tunnel.group(1).

I used Burp Suite to intercept the requests to and from the web page. This confirmed that the login section of the script worked, which narrowed the issue down and eventually led me to change "7d" (which I presumed meant 7 days) to "1y" for 1 year. This gave tunnel.group(1) the data required to execute the script properly.


Running the script again with the command "id" worked perfectly, so now I can use this to get a shell.

I set up a listener on port 900; for some reason several ports didn't work, and trial and error led me to port 900.
I then ran the script issuing a bash reverse shell command, which gave me access.


Running sudo -l showed that I can use sudo to edit files within /var/www/html with vi. Vi has a very well-known privilege escalation trick.

I used vi to edit a new file called hello.txt in /var/www/html. Once in the editor I could run a command with :!, and because vi itself is running under sudo, that command is executed as root.
Trying :!/bin/bash…
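The vi trick generalises: any sudo rule for an interactive program with a shell escape is a sudo rule for a root shell. The block below is an added example (not part of the writeup) that parses sudo -l output and flags such rules along with the keystrokes that spawn the shell. The sudo -l text is constructed for illustration and is not the box's real output; the hostname, the NOPASSWD tag and the /usr/bin/id rule are made up.

```python
import os
import re

# Constructed "sudo -l" output (not the box's); it follows the shape sudo
# prints: a "may run the following commands" header, then one
# "(runas) [TAG:] command [args]" line per rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on target:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vi /var/www/html/*
    (root) /usr/bin/id
"""

# Programs that can run a command from inside, so a sudo rule for them is a
# sudo rule for a root shell: ":!" in vi/vim/view, "!" at the prompt of
# less and more.
ESCAPE_HINTS = {
    "vi": ":!/bin/bash",
    "vim": ":!/bin/bash",
    "view": ":!/bin/bash",
    "less": "!/bin/bash",
    "more": "!/bin/bash",
}

RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"   # (root) or (ALL : ALL)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"    # optional NOPASSWD:, SETENV:, ...
    r"(?P<cmd>/\S+|ALL)"             # absolute command path, or ALL
    r"(?P<args>.*)$"                 # permitted arguments, possibly a glob
)


def parse_sudo_rules(sudo_l_output: str) -> list[dict]:
    """Return one dict per command rule listed after the sudo -l header."""
    rules = []
    in_rules = False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "runas": m["runas"].strip(),
            "nopasswd": "NOPASSWD:" in m["tags"],
            "cmd": m["cmd"],
            "args": m["args"].strip(),
        })
    return rules


def shell_escapes(sudo_l_output: str) -> list[tuple[str, str, str]]:
    """(runas, rule, keystrokes) for every rule that yields a shell."""
    hits = []
    for r in parse_sudo_rules(sudo_l_output):
        if r["cmd"] == "ALL":
            hits.append((r["runas"], "ALL", "sudo -i"))
            continue
        name = os.path.basename(r["cmd"])
        if name in ESCAPE_HINTS:
            rule = (r["cmd"] + " " + r["args"]).strip()
            hits.append((r["runas"], rule, ESCAPE_HINTS[name]))
    return hits


if __name__ == "__main__":
    for runas, rule, keys in shell_escapes(SAMPLE_SUDO_L):
        print(f"{rule} runs as {runas}: open any permitted file, then {keys}")
```

On this box the only argument restriction is the /var/www/html/* glob, which is why editing a throwaway file there is enough; the escape itself does not care which file is open.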

And I have root access, meaning I could grab the root flag!
