HTB | Sea

This is a Linux box. You can find it here.

Skills Learned

  • CVE-2023-41425

  • Port Forwarding

  • Unauthenticated information leak & command injection

NMAP

IP: 10.10.11.28

nmap -sT -p- --min-rate 10000 10.10.11.28
nmap -sC -sV -p 22,80 10.10.11.28
nmap

Port 80

Port 80

Let's do a directory search on the website:

dirsearch -u http://10.10.11.28/ -x 403,404
dirsearch

When enumerating /themes further using ffuf:

ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://sea.htb/themes/FUZZ" -t 200
ffuf /themes

When enumerating /themes/bike further using ffuf (403 responses filtered out):

ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://sea.htb/themes/bike/FUZZ" -t 200 -fc 403
ffuf /themes/bike
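The enumeration above leaves a very recognisable trail in the web server's own access log: one client requesting many distinct paths in a short time, almost all of them answered with 404 or 403. The Python below is an added, detection-side example and is not part of the original write-up. It parses constructed Apache combined-format lines (the sample log, the 60-second window, the thresholds and the scanner User-Agent markers are all my assumptions) and reports clients whose request pattern matches a directory brute-force.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format lines (not the box's real access.log):
# one ordinary visitor (10.10.14.9) and one client walking a wordlist (10.10.14.5).
SAMPLE_ACCESS_LOG = """\
10.10.14.9 - - [10/Aug/2024:12:00:00 +0000] "GET / HTTP/1.1" 200 3412 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
10.10.14.9 - - [10/Aug/2024:12:00:03 +0000] "GET /themes/bike/css/style.css HTTP/1.1" 200 1521 "http://sea.htb/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
10.10.14.5 - - [10/Aug/2024:12:00:10 +0000] "GET /admin HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:10 +0000] "GET /backup HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:10 +0000] "GET /config HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:11 +0000] "GET /uploads HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:11 +0000] "GET /login HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:11 +0000] "GET /old HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:11 +0000] "GET /test HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:12 +0000] "GET /dev HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:12 +0000] "GET /api HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:12 +0000] "GET /files HTTP/1.1" 404 196 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:13 +0000] "GET /themes HTTP/1.1" 301 312 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.5 - - [10/Aug/2024:12:00:13 +0000] "GET /data HTTP/1.1" 403 199 "-" "Fuzz Faster U Fool v2.1.0"
10.10.14.9 - - [10/Aug/2024:12:00:40 +0000] "GET /contact HTTP/1.1" 200 2890 "http://sea.htb/" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
"""
SAMPLE_LINES = SAMPLE_ACCESS_LOG.splitlines()

# Apache "combined" LogFormat: host ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumed substrings of common scanner User-Agents; maintain this list for your own environment.
SCANNER_UA_MARKERS = ("Fuzz Faster U Fool", "dirsearch", "gobuster", "Nikto")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_scanners(lines, window_s=60, min_requests=10, min_miss_ratio=0.8):
    """Return {ip: stats} for clients that look like directory brute-forcers.

    A client is flagged when, inside any window of window_s seconds, it made at
    least min_requests requests to at least min_requests distinct paths and at
    least min_miss_ratio of those were answered 403/404.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    alerts = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(recs)):
            # slide the window start forward until it spans at most window_s seconds
            while (recs[end]["ts"] - recs[start]["ts"]).total_seconds() > window_s:
                start += 1
            win = recs[start:end + 1]
            misses = sum(r["status"] in (403, 404) for r in win)
            paths = {r["path"] for r in win}
            ratio = misses / len(win)
            if len(win) >= min_requests and len(paths) >= min_requests and ratio >= min_miss_ratio:
                # keep the largest qualifying window seen for this client
                if ip not in alerts or len(win) > alerts[ip]["requests"]:
                    alerts[ip] = {
                        "requests": len(win),
                        "misses": misses,
                        "distinct_paths": len(paths),
                        "miss_ratio": round(ratio, 2),
                        "scanner_ua": any(m in r["ua"] for r in win for m in SCANNER_UA_MARKERS),
                    }
    return alerts


if __name__ == "__main__":
    for ip, stats in detect_scanners(SAMPLE_LINES).items():
        print(ip, stats)
```

The status-ratio check is the part that matters: a scanner can change its User-Agent with a flag, but it cannot avoid producing a burst of 404s while walking a wordlist, so the UA markers are only a secondary, confirmatory signal.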

On visiting /themes/bike/version we get version 3.2.0.

/version

On visiting /themes/bike/README.md the README file is downloaded; analysing it further, we found that the CMS is WonderCMS.

readme.md

Foothold/shell

CVE-2023-41425

On googling the WonderCMS exploit for version 3.2.0, we found this GitHub repo.

Download the Python script, run it with the proper argument values, and simultaneously start the nc listener:

CVE-2023-41425.py
nc -nlvp 4444

After getting the shell, we were not able to find user.txt.

On looking around, we found the password hash in database.js:

database.js

We found the password hash, and it is in the format used by bcrypt (refer to the hashcat example hashes):

  • $2y$: the prefix, identifying the bcrypt variant.

  • $10$: the cost parameter, which determines how computationally expensive the hashing is.

  • The next 22 characters are the salt.

  • The rest of the string after the salt is the actual hashed password.

To crack the hash, we first need to remove the backslash escapes (\/) that the JSON in database.js puts before each slash. Then, using hashcat with mode 3200, we get a password:

hashcat -m 3200 hash.txt /home/anurag/stuff/rockyou.txt
hashcat
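To make the bcrypt structure described above concrete, here is an added Python example (not part of the original write-up). It takes a constructed excerpt in the shape of a WonderCMS database.js (the site title, key names and the hash value are all made up; only the layout $2y$ + cost + 22-character salt + 31-character digest is real), lets json.loads undo the \/ escaping, and splits the resulting string into the fields listed above. Anything still carrying a backslash is rejected, which is exactly why hashcat needs the unescaped form.

```python
import json
import re

# Constructed excerpt shaped like a WonderCMS database.js (NOT the file from the box).
# PHP's json_encode writes "/" as "\/", so the raw value cannot be fed to hashcat as-is.
DATABASE_JS = r'''{
    "config": {
        "siteTitle": "Sea",
        "login": "loginURL",
        "password": "$2y$10$abc\/efghijklmnopqrstuvABCDEFGHIJKLMNOPQRS\/UVWXYZ01234"
    }
}'''

# Modular-crypt bcrypt layout: $<variant>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet: . / A-Z a-z 0-9
BCRYPT_RE = re.compile(
    r'^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$'
    r'(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$'
)


def extract_password_hash(database_js):
    """Pull the stored hash out of the JSON; json.loads turns every \/ back into /."""
    return json.loads(database_js)["config"]["password"]


def parse_bcrypt(h):
    """Split a bcrypt string into its fields, or raise if it is not a clean bcrypt string."""
    m = BCRYPT_RE.match(h)
    if m is None:
        raise ValueError("not a valid bcrypt modular-crypt string (still escaped?)")
    cost = int(m.group("cost"))
    return {
        "variant": m.group("variant"),   # "2y" here
        "cost": cost,                    # 10
        "rounds": 2 ** cost,             # 1024 key-expansion rounds per guess
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def hashcat_input(database_js):
    """Return the line that belongs in hash.txt for `hashcat -m 3200`: the unescaped hash."""
    h = extract_password_hash(database_js)
    parse_bcrypt(h)          # validates the layout before anything is written out
    return h


if __name__ == "__main__":
    h = hashcat_input(DATABASE_JS)
    print("hash.txt line:", h)
    for k, v in parse_bcrypt(h).items():
        print(f"  {k:8} {v}")
```

The cost field is the defender's knob: each increment doubles the work per guess, so a stored hash with cost 10 sits at the low end of what a wordlist attack can cover, and raising it is the standard mitigation when a credential store like this one is exposed.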

Now we SSH in with the password we just cracked and we are on the server. We also found user.txt.

user.txt

Priv Esc

We run netstat -ano to see all socket (port) activity. We see that port 8080 is hosting something.

netstat -ano

Let's set up local port forwarding for 8080 so that we can access it via localhost:

ssh -L 8888:localhost:8080 amay@10.10.11.28

Unauthenticated information leak & Command Injection

Now let's visit localhost:8888.

localhost:8888

Using amay's password, we were able to log in.

port 8080

This looks like some monitoring software. We can see an "Analyze log file" option; when we click Analyze for access.log, we are able to see the logs.

access.log

There is another option besides access.log, namely auth.log. When looking at auth.log we saw:

auth.log

Let's spin up Burp Suite and look at the request again. We found a POST request with the parameter log_file=/var/log/apache2/access.log.

burp

We also confirmed that root permission is needed to access /var/log/apache2, which implies an unauthenticated information leak.

Let's try command injection.

When trying to read /root/root.txt, it gives 'No suspicious traffic patterns detected in /root/root.txt.', so maybe there is some filtering.

When trying with ;id, we were able to read the content of root.txt.

root.txt
