HackTheBox - Swagshop


00:45 - Beginning of recon
01:36 - Examining the web page to find Magento, noticing /index.php/ mod-rewrite misconfig and old copyright
04:50 - Whoops, should have done apt search magescan; either way, this package is not in Kali
05:30 - Running MageScan to scan the website
08:20 - Finding an open configuration file (app/etc/local.xml)
10:30 - Running searchsploit to identify public exploits
12:10 - Examining an exploit that will add an administrative user via SQL Injection
15:15 - Running the exploit out of the box didn't work, so sending it through Burp in order to debug it
16:45 - Exploit needed to be modified to include index.php due to mod-rewrite misconfig
19:25 - Going back to SearchSploit and using the Authenticated RCE Exploit
21:30 - Making the obvious changes to fix the exploit script
24:17 - Debugging the exploit by running it through Burp Suite, find out we need to use a login page
29:00 - Bit more in-depth debugging by setting a breakpoint with pdb
30:30 - The regex is failing because the page isn't returning anything; the URL has a time span, let's increase that
33:15 - Finally fixed this exploit! Reverse Shell Returned
35:30 - Noticing we can exec vim with sudo, let's privesc
37:10 - Mentioning GTFOBins which helps find privesc paths from privileged programs
38:15 - EXTRA: Examining the PHP Object Injection RCE Exploit

Reviewed by Anonymous on September 28, 2019