Target Experience:
My observations while working this target:
· Enumeration: Life-like
· Vulnerabilities: Life-like
· Exploitation: Life-like
· Difficulty: Easy
· Community Notes: CTF-like/Life-like
Tools:
The recommended tools for this lab were:
· Nmap
· Dirb
· Nikto
· Browser
· Searchsploit
· Magpleasure_Filesystem
· Perl Shell Script
· Netcat
· Python Reverse Shell Script
Vulnerabilities:
The following vulnerabilities were found:
· Misconfiguration
· Remote Code Execution
· Local Privilege Escalation
Information Gathering:
Going right to work, I used Nmap to scan for service version detection, OS detection, script scanning, and traceroute.
SSH Enumeration:
Detecting that OpenSSH was version 7.2, I knew that it was vulnerable to CVE-2018–15472. However, I decided not to brute force user enumeration and performed no further investigation.
Web Enumeration:
As the only other open port on the system, I launched dirb to scan the system TCP Port 80.
Unfortunately, the stability of this system was in question (discussed later) and I could not get a clean scan with dirb nor Nikto. So, I launched the website in a browser and started to enumerate.
I was not able to determine the exact Magento version of the code being used. So, I went to https://magento.com/blog/magento-news/magento-community-edition-1.9.1-now-available-download and validated that the community version of 1.9.1 was released in Nov 2014. Based on the copywrite of 2014, displayed at the bottom of the login page, I was certain that I identified the version of Magento being used.
I continued to enumerate the contents of the directory structure as well as periodically rerunning dirb and Nikto.
Admin Panel Exploit:
Reviewing the RCE exploit, I was able to determine that there was an existence of a /admin site.
However, I was having a difficult time finding it. I reviewed the Magento documentation and then returned to the web site to further enumerate.
https://docs.magento.com/m1/ce/user_guide/configuration/url-admin-custom.html
I eventually found the URL for the website at the following location: http://10.10.10.140/index.php/admin
Knowing the proper URL, I returned to the Magento RCE and reviewed the code. After a little cleanup of the comments, I modified the target and target_url variables.
With the code modified, I used Python version 2 to execute the script; where new credentials were created.
I then returned to the Magento Admin Panel and logged in with the credentials.
Foothold:
In effort to obtain a shell, a file system plugin was needed to be uploaded to the web site. The Magpleasure_Filesystem could be downloaded from the following site:
Next, I selected System>Magento Connect>Magento Connection Manager from the dropdown menu within the Admin Panel.
With the plugin downloaded, I connected to the Magento Connect Manager and click on the Browse button within the Direct package file upload section of the web site.
Courtesy Note: In order to avoid continual HTTP 503 errors, one should uncheck the box to Put sore on the maintenance mode while… If not, the system will become unstable for others.
After the plugin was uploaded without errors, I returned to the Magento Admin Panel. Next, I selected System to review the Filesystem>IDE menu.
At this point, I decided to use the Cron.php file and replaced the contents with the following shell code:
Next, I connected to http://10.10.10.140/cron.php to validate the shell functionality.
After validating the shell, I wanted to start a reverse shell using Python. The typical python –version command did not work, so I used whereis python within the shell to locate the active version.
With the Python version identified, a quick trip to PentestMonkey.com allowed me to find the code for a Python Reverse Shell. I then started a netcat listen on my attacker system and launched the following code within the PHP shell.
User Flag:
With an established shell, I needed to determine my current credentials and privileges.
Knowing that I had a low-level privileged account, I changed directories to the /home directory and found a directory of haris. The privileges allowed me to review the contents of the directory; where I found the user.txt file.
Privilege Escalation:
Next up was the root flag. I decided to review the /etc/sudoers file to determine if I had the ability to privilege escalate.
Knowing that www-data had elevated privileges using VI, with any file located within the /var/www/html/ directory, I launched VI and used the command of :!/bin/bash to escape the text editor. I then changed directories to /root and reviewed the contents of the file.
Note: the shell double-typed the entered text when escaping VI.
Disclaimer:
This article is made available for educational purposes only!!! In addition, this article provides general information on cyber security topics used for “Ethical Hacking”.
Persons accessing this information assume full responsibility for the use and agree to not use this content for any illegal purpose. Furthermore, the author is not liable for any direct or indirect damages or expense incurred which may result from the use of the information covered within this article.
Information within this article is “as is”, without warranty of any sort.
