Hacking a Magento Web Application
A lot of e-commerce website is using Magento so I demonstrate here how I hacked into a web application that used this technology.
Enumeration
Let us check first what are the running ports within the target machine. Although we already have an idea that our main target will be on port 80 or 443, the other ports can be useful later either for further exploitation or privilege escalation.
When scanning for ports, I have this method to check first the top 1000 common ports without much flags, then scan the specific open ports with -sV and -sC flags, then scan for all TCP ports from 1–65535 and then lastly, scan for top 20 UDP ports.
The reason for doing this is for me to start enumerate right away the ports that will be discovered quickly in the first scan while waiting for the results of the other scan. This saved me a lot of time.
Here are the results:
By looking at the source code within the port 80, you can see a software named Magento and a date which is 2014:
Of course, we also ran directory brute force and fuzz if there are hidden virtual hosts.
While waiting for result of the above scan, I dig deeper on what is the specific version of the Magento for 2014 and I found that it is 1.9:
Exploitation
From the results above, we can now start researching for public exploits that we can use for this specific version. After some trial and error, I found that this exploit here can be the one that can be useful for us:
https://www.exploit-db.com/exploits/37977
Remember, always assess what kind of exploit you are dealing with before using it. In this step we will understand more what are the things it can do and what are the things that we can modify:
- First, we can see that it focus the exploit in the admin page:
2. Then, we can see that a query has been stored in a variable that creates a user that has an admin privilege within the web application:
3. After that, we must specify the new username and password for the new user that was created:
4. Then it will check if we successfully logged in using those newly created user and credentials:
Since we already know how our exploit works, we can start to modify it on our own preference and to make it work. I started by changing the target variable into our own target website:
And then I also change the credentials just in case there are other hackers that is already leveraging this exploit using the default credentials given. By doing so, they cannot mess with my exploit:
Another thing is to remove all unnecessary lines that makes our code produce some errors and after that we are ready to go.
Since it is using Python 2.7, we should ran it with python2.7 binary:
Now, we can use the credentials to login to the admin panel:
However, logging in to the admin panel is not the goal here. The goal is for us to have a terminal access inside the target machine. Since we already have an authenticated access in the Magento admin panel, we can now use the remote code execution exploit that we encountered a while ago that we cannot use because we still do not have a valid username and password for the admin panel: https://www.exploit-db.com/exploits/37811
After assessing the code, we can now modify it and add the username, password and the install_data.
Had a hard time finding the install_date but I found it within the directories here: http://swagshop.htb/app/etc/local.xml
So after all, the directory brute force we did a while ago is still useful.
The code needs 2 arguments. First is the target site and second is the command we wanted to execute. For this kind of situation, what I usually do is I prepare a listener in an unfamiliar port and then put my reverse shell in the command argument. So after running a listener, I ran the code with the following arguments:
And then look in your listener and we already got shell:
As you can see, we are not yet the ROOT user so we still need to perform privilege escalation.
Privilege Escalation
First, we checked what are the things that we can run as root within the www-data user:
In here, we can see that we can run vi as root as long as it has an argument of /var/www/html/*. This is easy. We can use the -c flag of vi to spawn a root terminal as long as we include the required path.
And then by entering the command above, we can check that we are already ROOT!:
Lessons Learned:
- If you have these kind of technologies, always use an updated software for your e-commerce web applications
- Assess the public exploit first before running it to avoid regrets afterwards and having knowledge in common languages like Python can be a plus for easier modification of exploits
- Always enumerate well since those data may not be useful as of the moment but can be useful in the exploitation or privilege escalation part
Wanted to Learn More About Hacking?
Train here: https://referral.hackthebox.com/mzw8Olf