Swagshop


Comments

  • @requiem said:
    > Surely giving the exact exploit is a spoiler?

    Idk, it's no automated method; you still have to read the anatomy of the attack then perform it yourself. I apologize if it is.
  • User popped

  • So I have a strange error. In the u***d on the p*****s phase when uploading shell I get SSL Error: Invalid or self-signed certificate.

    Any ideas?

  • Got user and then root almost back to back. Huge thanks to @letMel00kDeepr.

  • Got root via v* :!*******

    No longer works

    Box keeps getting reset. Can someone tell me if VIP uses the same box? Because good lord it's annoying.

  • @Acli said:

    > Is the machine down? I can't visit the connection manager page anymore... (404 not found) wtf?

    Not meant to use that, the creator removed it cause it was getting abused.

    @falsetruth said:
    > So I have a strange error. In the u***d on the p*****s phase when uploading shell I get SSL Error: Invalid or self-signed certificate.
    >
    > Any ideas?

    Shouldn't be getting an SSL error because the box is only using port 80 for the web server, there is no https/443 running.

    Programming, Anime, Vidya Games~!

    Cyan101

  • @letMel00kDeepr said:
    > @Cyan101 said:
    > > can also search "magento" on exploit-db
    >
    > I couldn't find it on exploitdb

    Chuck me a DM on here/Discord if you need some better pointers.

    Programming, Anime, Vidya Games~!

    Cyan101

  • Sorry to bump this thread yet again, but I've gotten a few more messages about swagshop and a f********* method. Personally I didn't use this one, and if you look around a bit more you should be able to find something a bit less complex.

    Programming, Anime, Vidya Games~!

    Cyan101

  • Should the points/difficulty maybe be upped after this downloader was disabled?

    Programming, Anime, Vidya Games~!

    Cyan101

  • Finally started on this box after downloader being disabled. I've gotten into the admin panel okay, now working on getting initial access without any luck.

    I can upload files onto the server okay and try to view them without issue - can't get any code to execute though. Have been reading about hopping frogs and trying their suggestions, not much in the way of luck yet.

    Is this on the right track? Any suggestions for things to look at?


    OSCP | PMP

  • Check out the product categories. See if you find anything worthwhile.
  • Anyone having the same issue of getting 404 downloader not found? I am almost there for the user.txt but unable to load my payload. Please HELP! Thank you!

  • edited August 2019

    Finally rooted, I can't believe it took me so long. The box is not stable, even in VIP.

  • Rooted, PM for hints. Thank you to @letMel00kDeepr for the nudge


    OSCP | PMP

  • Solved with the downloader page disabled. Feel free to reach out for hints. Should be on most of the afternoon today.

    8/31

  • edited August 2019

    What should be done after logging in with f.... user and f.... pass? Is there a console?

  • @NativePWN said:

    > Anyone having the same issue of getting 404 downloader not found? I am almost there for the user.txt but unable to load my payload. Please HELP! Thank you!

    Yes, downloader is no longer the right path. You have to find another way.

  • If you're brute forcing for a login right now, I recommend trying an alternative method.

    I don't normally say anything, but it's getting a bit out of hand.

    Arrexel

  • Got root

    Was a fun box for a noob :)

  • Got Root!!! Learned a lot. Thanks @ch4p. But the machine was very unstable tho...

  • I need help. I have run one exploit and gained access to the web portal. I think I know what needs to be done but they are not working. I have researched a few vulnerabilities but their dependencies are not installed.

    Hack The Box
    Follow me on Twitter: @C_3PJoe

  • I have access to the panel, plus any root tips?

  • rooted. Thanks @Cyan101 for all your help!

  • edited September 2019

    It's normal that the exploit mag--to-s--i.py returns an http error. I admit that until then I managed to access the panel on my own but for this flaw, if someone would be kind enough to give me a hint. :smiley:

  • I am in need of a nudge. I have made access to the a**** panel, but I cannot seem to find how people are able to upload the missing tools. I believe I have found the proper RCE method, but I don't know how to install the tools via the panel. PM me pls
  • Hey guys, I found creds, but they don't seem to work in the An pl. I don't know where to go next. If anyone could PM me with some help, that would be awesome.

  • First box I rooted, that was frustrating and fun. Thanks for all the comments, definitely helped!

  • Can someone tell me why I'm getting a 404 error trying to access MagentoConnect Manager? What am I missing here?... Thanks!

  • I'm getting a 404 error when trying to access the MG Connect Manager. Anyone know what's up?

  • Same!! 404 for "Connect Manager". Can somebody please advise?
