Swagshop

I just did a quick search in Google, and "magento backdoor" brings up a GitHub link. Currently trying to figure it out and possibly use it. For anyone that is stuck after admin login, give it a try and let me know if you figure anything out.

Got to the admin panel, and got stuck. Have no idea how to upload a shell payload since the CM is disabled. Can someone PM hints?

Could someone nudge me over where to upload/how to get the reverse shell?
Thanks, PM me

Rooted! My first box ever! :smiley:

Feel free to PM me if you need a hint.

Between resets and backend timeouts… this is practically impossible to figure out… geez

Finally rooted! Nice machine but users made it harder to solve.

@bipolarmorgan said:

Between resets and backend timeouts… this is practically impossible to figure out… geez

I had this problem. Make sure you have a plan for what you need to do and go through it quickly before somebody resets.

Kinda stuck on the last part. Can anyone PM me a helpful pointer towards root escalation? Cheers

You should check logs, tasks, processes, who are you, what you are allowed to do,

Finally after many hours of hard work…I finally got root :slight_smile:

Hi guys, this is my very first machine and I'm already learning a lot. Yet, I’m still stuck in frog hopper… I’m not sure if I should use a backdoor script or a shell (I don’t even know these things). And this machine is going to retire in 1 day so I’m in a rush to get root.

Please help!

Rooted! Thank you @letMel00kDeepr for helping me on both users… the user was very tough because I lost a lot of time trying to get the /downloader page (without reading the information on this forum)…

Just now I saw the box is retired. Very Sad, but true.

Hi guys, I’m stuck with uploading the shell… any hints?

I was told that it was normal not to visualize the site content and that I had to work with it, but now, watching ippsec's tutorial, he can easily load the site. Is it because he did the machine before it broke?

Hey, I have a shell and realize I have to run Vi with sudo, but I can’t escape the shell into a terminal to run this. I just keep getting ‘sudo: no tty present and no askpass program specified’ - any ideas?

I am able to run a php script (checked with phpinfo), but the reverse shell is not connecting. No errors on the web page, I just get nothing. I tried multiple ports including those open on swagshop. I checked I had no firewall blocking these ports.
I run this from a VM in case it helps.
Any hints?

@SaMUTa check the forum and google froghopper. Good luck.

@Malvik said:

Can someone help me with the 2nd py? It won’t work and I am pretty sure I have the right one.

Or guide me on the right path? Already have admin access to m******.

@bestion2 said:

same error bro …

Did you solve it?
Is it something like 3***1.py? Then just uncomment a manual entry to the mechanize!
Adjust the script with some date(s) and re-run.

This box would’ve been easier if it wasn’t getting reset so much…

I am pretty new to HTB and pentesting. I have done the nmap scan and used nikto for port 80 enumeration. I don’t know how to move forward. Can anybody help?

NOTE: I have seen a lot of write-ups on it via but am not ready to read them because I believe I won't learn from it; instead I try to exploit it myself, with some hints of course.

If anyone is having issues with the exploit, all you need to do is add an order on the sales page and make sure the status says “Processing”, which will change when you create the order set it to shipped :slight_smile: