Was SwagShop patched again?

f00d4w0rm5 · March 3, 2021, 3:18pm

Long story short every walkthrough I read says you need to change 7d to 2y in the exploit code because 7d returns “no data found” whereas 2y returns “chart”. However, I went to the page and selected 2y from the drop down menu, as well as every other option (24h, 7d, 1m, 1y), and they all returned “no data found”. I double checked that the url was changing too.

@ch4p I read you talked about the previous 2 patches at this step that were caused by the removal of the /download page, do you think this was patched again?

Page I’m talking about:
http://10.10.10.140/index.php/admin/dashboard/ajaxBlock/key/891672993be652f24b39858d25f5970b/block/tab_orders/period/2y/?isAjax=true

Exploit:

Exploit edits:

username = 'forme'
password = 'forme'
...
install_date = 'Wed, 08 May 2019 07:23:09 +0000'  # This needs to be the exact date from /app/etc/local.xml
...
request = br.open(url + 'block/tab_orders/period/2y/?isAjax=true', data='isAjax=false&form_key=' + key)

0xdf and Security Ninja were able to get it to run from here, without changing it form 7d to 2y.

Epi and Ivan were able to get it to work after changing it.

Rana and myself had to make some additional tweaks:

#Comment out the following code
#br.form.new_control('text', 'login[username]', {'value': username})  
#br.form.fixup()
#br['login[username]'] = username
#br['login[password]'] = password

#Add the following code
userone = br.find_control(name="login[username]", nr=0)
userone.value = username
pwone = br.find_control(name="login[password]", nr=0)
pwone.value = password

At this point it runs for her, but I get the same error that we got before we change it from 7d to 2y:

┌──(f00d4w0rm5㉿kali)-[~/Documents/htb/140-SwagShop]
└─$ python 37811.py http://10.10.10.140/index.php/admin "whoami"                                                                                
Traceback (most recent call last):
  File "37811.py", line 75, in <module>
    tunnel = tunnel.group(1)
AttributeError: 'NoneType' object has no attribute 'group'

So was this patched or is there another way to edit the exploit code?

Hackong · March 17, 2021, 5:33pm

Update?

f00d4w0rm5 · March 17, 2021, 5:43pm

Hey, I got your message too so I’ll just reply here. No I haven’t figured out how to root this box since I posted this, although I haven’t tried it again. I’m assuming it was patched, especially when considering you get ‘no data’ when setting it to 2y as well. I looked at so many writeups and everyone did this same step, and I couldn’t find anyone who found another way. I recommend moving on to another box before you get as frustrated as I got hahah. Goodluck!

Hackong · March 17, 2021, 5:56pm

Ok! Thank you!

bolazoo · March 20, 2021, 6:05pm

I had this problem too, I resolved it by making a new order and then “shipping” it on admin panel! After that the order tab had an item and exploit started working

f00d4w0rm5 · March 20, 2021, 6:39pm

Oh no way! I’ll try this next week, thank you!!

valdaarhun · August 2, 2021, 3:28pm

Hi. I just did this machine so I thought I would give my input on this.

To take care of the AmbiguityError exception, I modified the code as shown below.

# br.form.new_control('text', 'login[username]', {'value': username})  
# br.form.fixup()
br['login[username]'] = username
br['login[password]'] = password

As for the 7d part, I left it as it is.

request = br.open(url + 'block/tab_orders/period/7d/?isAjax=true', data='isAjax=false&form_key=' + key)

One point to note is that with the above changes, I too would get a 'NoneType' object problem while running the exploit with the ip address of the machine. But it would work when using the hostname of the machine (swagshop.htb) instead.

After this, the exploit started working although I wasn’t able to get a reverse shell using bash. However, I was able to get a reverse shell using python (the python command in pentestmonkey’s cheatsheet).

Hope this helps
Feel free to PM me if you need more help.

InsomniaNoir · August 25, 2021, 7:41pm

I’ve tried a few different exploits on this box, specifically EDB-ID: 37811. I cannot get this thing to crack.

skilfoy · September 9, 2022, 4:54am

I’ve been struggling with this for wayyy more time than I should’ve spent. But anyways, I got it to work by indicating 3y instead of 2y and switching the reverse shell quotes around from what the ippsec video showed. I didn’t try placing an order, so maybe it just needed a bit more time travel.

ageofdoom · July 1, 2024, 10:32pm

i got it to work by changing 37811.py. But did a lot of modification:

using python2
installed mechanize
update username/password/install_date
commented out “br.form.new_control” line
change to 2y
run with swagshop.htb instead of IP address, so: python2 37811.py http://swagshop.htb/index.php/admin whoami

Topic		Replies	Views
swagshop write-up by epi Writeups writeup , writeups , swagshop	3	719	September 28, 2019
Is Retired Machine SwagShop broken? Machines swagshop , bug	3	518	June 15, 2021
Swagshop didn't run exploit code Machines machines , swagshop	0	279	July 21, 2023
SWAGSHOP Broken? Machines swagshop	9	986	September 26, 2019
API ATTACKS Skills Assessment -- new Academy	3	149	August 25, 2024

Was SwagShop patched again?

Related topics