Was SwagShop patched again?

Long story short every walkthrough I read says you need to change 7d to 2y in the exploit code because 7d returns “no data found” whereas 2y returns “chart”. However, I went to the page and selected 2y from the drop down menu, as well as every other option (24h, 7d, 1m, 1y), and they all returned “no data found”. I double checked that the url was changing too.

@ch4p I read you talked about the previous 2 patches at this step that were caused by the removal of the /download page, do you think this was patched again?

Page I’m talking about:
http://10.10.10.140/index.php/admin/dashboard/ajaxBlock/key/891672993be652f24b39858d25f5970b/block/tab_orders/period/2y/?isAjax=true

Exploit:

Exploit edits:

username = 'forme'
password = 'forme'
...
install_date = 'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml
...
request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)

0xdf and Security Ninja were able to get it to run from here, without changing it form 7d to 2y.

Epi and Ivan were able to get it to work after changing it.

Rana and myself had to make some additional tweaks:

#Comment out the following code
#br.form.new_control('text', 'login[username]', {'value': username})  
#br.form.fixup()
#br['login[username]'] = username
#br['login[password]'] = password

#Add the following code
userone = br.find_control(name="login[username]", nr=0)
userone.value = username
pwone = br.find_control(name="login[password]", nr=0)
pwone.value = password

At this point it runs for her, but I get the same error that we got before we change it from 7d to 2y:

┌──(f00d4w0rm5㉿kali)-[~/Documents/htb/140-SwagShop]
└─$ python 37811.py http://10.10.10.140/index.php/admin "whoami"                                                                                
Traceback (most recent call last):
  File "37811.py", line 75, in <module>
    tunnel = tunnel.group(1)
AttributeError: 'NoneType' object has no attribute 'group'

So was this patched or is there another way to edit the exploit code?

Update?

Hey, I got your message too so I’ll just reply here. No I haven’t figured out how to root this box since I posted this, although I haven’t tried it again. I’m assuming it was patched, especially when considering you get ‘no data’ when setting it to 2y as well. I looked at so many writeups and everyone did this same step, and I couldn’t find anyone who found another way. I recommend moving on to another box before you get as frustrated as I got hahah. Goodluck!

Ok! Thank you!

I had this problem too, I resolved it by making a new order and then “shipping” it on admin panel! After that the order tab had an item and exploit started working

Oh no way! I’ll try this next week, thank you!!

Hi. I just did this machine so I thought I would give my input on this.

To take care of the AmbiguityError exception, I modified the code as shown below.

# br.form.new_control('text', 'login[username]', {'value': username})  
# br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password

As for the 7d part, I left it as it is.

request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)

One point to note is that with the above changes, I too would get a 'NoneType' object problem while running the exploit with the ip address of the machine. But it would work when using the hostname of the machine (swagshop.htb) instead.

After this, the exploit started working although I wasn’t able to get a reverse shell using bash. However, I was able to get a reverse shell using python (the python command in pentestmonkey’s cheatsheet).

Hope this helps :slight_smile:
Feel free to PM me if you need more help.

I’ve tried a few different exploits on this box, specifically EDB-ID: 37811. I cannot get this thing to crack.

I’ve been struggling with this for wayyy more time than I should’ve spent. But anyways, I got it to work by indicating 3y instead of 2y and switching the reverse shell quotes around from what the ippsec video showed. I didn’t try placing an order, so maybe it just needed a bit more time travel.