Swagshop

@Acli said:

Is the machine down? I can’t visit the connection manager page anymore… (404 not found) wtf?

Not meant to use that, the creator removed it cause it was getting abused.

@falsetruth said:
So I have a strange error. In the ud on the p**s phase when uploading shell I get SSL Error: Invalid or self-signed certificate.

Any ideas?
Shouldn’t be getting an SSL error because the box is only using port 80 for the web server, there is no https/443 running.

@letMel00kDeepr said:
@Cyan101 said:

can also search “magento” on exploit-db

I couldn’t find it on exploitdb

chuck me a dm on here/discord if you need some better pointers

Sorry to bump this thread yet again, but I’ve gotten a few more messages about swagshop and a f********* method. Personally I didn’t use this one, and if you look around a bit more you should be able to find something a bit less complex.

Should the points/difficulty maybe be upped after this downloader was disabled?

Finally started on this box after downloader being disabled. I’ve gotten into the admin panel okay, now working on getting initial access without any luck.

I can upload files onto the server okay and try to view them without issue - can’t get any code to execute though. Have been reading about hopping frogs and trying their suggestions, not much in the way of luck yet.

Is this on the right track? Any suggestions for things to look at?

Check out the product categories. See if you find anything worthwhile.

Anyone having the same issue of getting 404 downloader not found? I am almost there for the user.txt but unable to load my payload. Please HELP! Thank you!

Finally rooted, I can’t believe it took me so long. The box is not stable, even in VIP.

Rooted, PM for hints. Thank you to @letMel00kDeepr for the nudge

Solved with the downloader page disabled. Feel free to reach out for hints. Should be on most of the afternoon today.

8/31

What should be done after logging in with f… user and f… pass? Is there a console?

@NativePWN said:

Anyone having the same issue of getting 404 downloader not found? I am almost there for the user.txt but unable to load my payload. Please HELP! Thank you!

Yes, downloader is no longer the right path. You have to find another way

If you’re brute forcing for a login right now, I recommend trying an alternative method.

I don’t normally say anything, but it’s getting a bit out of hand.

Got root

Was a fun box for a noob :slight_smile:

Got Root!!! Learned a lot. Thanks @ch4p. But the machine was very unstable tho…

I need help. I have run one exploit and gained access to the web portal. I think I know what needs to be done but they are not working. I have researched a few vulnerabilities but their dependencies are not installed.

I have access to the panel, plus any root tips?

rooted. Thanks @Cyan101 for all your help!

It’s normal that the exploit mag–to-s–i.py returns an http error. I admit that until then I managed to access the panel on my own but for this flaw, if someone would be kind enough to give me a hint. :smiley:

I am in need of a nudge. I have made access to the a**** panel, but I cannot seem to find how people are able to upload the missing tools. I believe I have found the proper RCE method, but I don’t know how to install the tools via the panel. PM me pls