Hello hackers, I wanted to share a season 6 machine from HackTheBox.
SEA is an Easy machine from HTB that relies on enumeration to get an initial foothold. As usual with pentesting, you start with scanning and move on to the other steps from there.
With nmap and rustscan I was able to identify two open ports.
As you can see above we got two open ports, 22 and 80. Port 22 was running the latest version of OpenSSH, so getting initial access from there is difficult. The other option would be brute-forcing a username and password, but since I suspected there would be something like rate-limiting on SSH, I didn't bother with it.
Port 80 is running a web server, as seen from nmap, so I decided to take a look and see what I could do with it.
From here I decided to run dirsearch and gobuster at once, and while they kept running I proceeded with manual searching.
But after some time I realized that all the directories they found I could also get manually, without wasting my CPU like this. If we check the source code of the default page we can see all of them plus some additional pages.
Looking around the source code again, I managed to find the /contact.php page.
I tested things like XSS and SSRF, but none of them worked, so I kept moving around in the hope of finding something else.
From the source code again, there is a /themes/ directory, so I decided to do some fuzzing on it.
From the README.md and version files, I saw that I was dealing with WonderCMS v3.2.0.
After some googling for WonderCMS and its version, I found that v3.2.0 was vulnerable to RCE (see the article).
The article and its docs say I need the admin password to exploit this authenticated remote code execution. So from here I kept searching for an unauthenticated RCE.
After some time I found this article, which says there is an XSS that can lead us to RCE.
The exploit takes three arguments: the target URL, our local IP and lport. When we run it, it generates a malicious xss.js file that contains the path to a PHP reverse shell on our local machine. To trigger the RCE we need to send the malicious URL generated by the exploit to the target, and once an admin clicks it we get a callback on our local machine.
NB: I have just summarized how the exploit works; if you read the exploit source code and the xss.js file you will understand more about the exploit and how everything works.
Everything can be summarized here:
Sending the XSS to the admin using the contact page.
Then we wait some 5-10 seconds for the trigger.
The simplest way to trigger the exploit is navigating to this URL.
Going back to /var/www/sea, we find a database.js file which contains a hash, and it's crackable.
Privilege escalation is kinda simple. After gaining access to the system I tried basic enumeration without running linpeas or pspy64; I always like to stick to the basics on an easy machine.
After moving here and there I found something very interesting on the internal network.
As we can see there is port 8080 running locally, so I decided to forward it to my computer as follows (local port forwarding).
Checking what is running via the browser, we can see that it needs authentication to access it, even via curl.
If you click analyze logs, it prints logs in a weird way, so I decided to fire up Burp Suite to analyze what it is calling on the backend.
After checking with Burp Suite I realised it sends a POST request when you click analyze.
After some checking here and there I found that there is LFI/path traversal and OS command injection.
If you analyze what this POST request is trying to do, it calls the log file (/var/log/apache2/access.log), whereby we can try to change the file path from the one it calls to any kind of file.
To prove we are reading this file as root, we can try to fetch the /etc/shadow file.
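As an added example (not code from the original writeup or from the box), here is the defender's view of the LFI described above: the vulnerable pattern of using a client-supplied log path directly, a hardened resolver that confines reads to the log directory, and a small detector for traversal in POST bodies. The parameter name log_file and the allowlist are assumptions, and the sample request bodies are constructed.

```python
import os
import re
from urllib.parse import parse_qs, unquote

# Constructed allowlist for the hypothetical log analyzer on port 8080:
# the only files the "analyze logs" action should ever read.
LOG_DIR = "/var/log/apache2"
ALLOWED_NAMES = {"access.log", "error.log"}


def vulnerable_resolve(requested: str) -> str:
    """The pattern behind the bug: the client-supplied path is used as-is,
    so '/etc/shadow' or '../../etc/shadow' is read with the service's (root) privileges."""
    return requested


def hardened_resolve(requested: str, base_dir: str = LOG_DIR):
    """Canonicalise the path, refuse anything that escapes base_dir,
    and require an allowlisted file name. Returns None when rejected."""
    base = os.path.realpath(base_dir)
    # Strip leading slashes: os.path.join discards `base` when the second part is absolute.
    candidate = os.path.realpath(os.path.join(base, requested.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        return None  # traversal out of the log directory
    if os.path.basename(candidate) not in ALLOWED_NAMES:
        return None  # some other file inside the directory
    return candidate


# Absolute path, or '../' / '..\' anywhere in the value.
TRAVERSAL = re.compile(r"\.\.[\\/]|^/")


def suspicious_bodies(bodies, param="log_file"):
    """Detector side: flag URL-encoded POST bodies whose log-file parameter
    (hypothetical name) is absolute or contains '../'. The body is decoded once
    before parse_qs decodes again, so double-encoded values are caught too."""
    hits = []
    for body in bodies:
        value = parse_qs(unquote(body)).get(param, [""])[0]
        if TRAVERSAL.search(value):
            hits.append(value)
    return hits


# Constructed sample request bodies, not captured traffic.
SAMPLE_BODIES = [
    "log_file=access.log",
    "log_file=..%2F..%2F..%2Fetc%2Fshadow",
    "log_file=%252Fetc%252Fshadow",
]
```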
This was very interesting.
Anyway, this one was beyond root, but you can poison logs, get command injection and then root.
Apart from LFI there is also a command injection exploit; check this.
As you can see I managed to change the SUID binary, going back to the target machine.
EXTRA STUFF:
I wasn't satisfied with blind command injection. Earlier I saw LFI; beyond root there is another way you can get RCE by using the LFI we saw earlier. This is just a bonus, so give it a try.
Hint: use curl with creds to send a poisoned log entry to the server. Basically you can just send a simple PHP command payload, then check it via /var/log/apache2.... and try from there.
Like this, since I was able to read files like /etc/shadow and others, the only file I was not able to read was /root/root.txt.