Swagshop

There are indeed two ways to get a user shell: another exploit and the froghopper method.

It’s interesting to check both methods.

Thanks @cyan101 and @letMel00kDeepr for the tips!

Surely giving the exact exploit is a spoiler?

Is the machine down? I can’t visit the connection manager page anymore… (404 not found) wtf?

@requiem said:

Surely giving the exact exploit is a spoiler?

Idk, it’s no automated method; you still have to read the anatomy of the attack, then perform it yourself. I apologize if it is.

User popped

So I have a strange error. In the ud on the p**s phase, when uploading the shell I get SSL Error: Invalid or self-signed certificate.

Any ideas?

Got user and then root almost back to back. Huge thanks to @letMel00kDeepr.

Got root via v* :!*******

No longer works

Box keeps getting reset. Can someone tell me if VIP uses the same box? Because good lord it’s annoying.

@Acli said:

Is the machine down? I can’t visit the connection manager page anymore… (404 not found) wtf?

You’re not meant to use that; the creator removed it because it was getting abused.

@falsetruth said:
So I have a strange error. In the ud on the p**s phase, when uploading the shell I get SSL Error: Invalid or self-signed certificate.

Any ideas?

You shouldn’t be getting an SSL error, because the box is only using port 80 for the web server; there is no HTTPS/443 running.

@letMel00kDeepr said:
@Cyan101 said:

can also search “magento” on exploit-db

I couldn’t find it on exploit-db.

Chuck me a DM on here/Discord if you need some better pointers.

Sorry to bump this thread yet again, but I’ve gotten a few more messages about Swagshop and a f********* method. Personally I didn’t use this one, and if you look around a bit more you should be able to find something a bit less complex.

Should the points/difficulty maybe be upped after this downloader was disabled?

Finally started on this box after the downloader was disabled. I’ve gotten into the admin panel okay, now working on getting initial access without any luck.

I can upload files onto the server okay and try to view them without issue; can’t get any code to execute, though. Have been reading about hopping frogs and trying their suggestions, not much in the way of luck yet.

Is this on the right track? Any suggestions for things to look at?

Check out the product categories. See if you find anything worthwhile.

Is anyone having the same issue of getting a 404 downloader not found? I am almost there for the user.txt but unable to load my payload. Please HELP! Thank you!

Finally rooted, I can’t believe it took me so long. The box is not stable, even in VIP.

Rooted, PM for hints. Thank you to @letMel00kDeepr for the nudge.

Solved with the downloader page disabled. Feel free to reach out for hints. Should be on most of the afternoon today.

8/31

What should be done after logging in with the f… user and f… pass? Is there a console?

@NativePWN said:

Is anyone having the same issue of getting a 404 downloader not found? I am almost there for the user.txt but unable to load my payload. Please HELP! Thank you!

Yes, the downloader is no longer the right path. You have to find another way.