# HTB | Sea

This is a Linux box. You can find it [here](https://app.hackthebox.com/machines/Sea).

**Skills Learned**

* CVE-2023-41425
* Port Forwarding
* Unauthenticated information leak & command injection

## NMAP

IP: 10.10.11.28

```
nmap -sT -p- --min-rate 10000 10.10.11.28
```

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2F9BYk95sHQiq396sGxLeo%2Fimage.png?alt=media&#x26;token=9d774ba6-4951-48c6-96de-fa2ef7c68cd1" alt=""><figcaption></figcaption></figure>

```
nmap -sC -sV -p 22,80 10.10.11.28
```

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FUZnlTlIko9nVjoi8gVmB%2Fimage.png?alt=media&#x26;token=f049d148-2176-422d-98e0-9cb670137da8" alt=""><figcaption><p>nmap</p></figcaption></figure>

### Port 80

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2F468RUKDotzZFj5qe468N%2Fimage.png?alt=media&#x26;token=88ee0912-72f2-4813-8142-ac48c2201255" alt=""><figcaption><p>Port 80</p></figcaption></figure>

Let's run a directory search against the website:

```
dirsearch -u http://10.10.11.28/ -x 403,404
```

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FRlegdU1KdXcETvI9ssvZ%2Fimage.png?alt=media&#x26;token=c23ee378-9ed0-41c9-82bb-06c053f4e756" alt=""><figcaption><p>dirsearch</p></figcaption></figure>

Enumerating `/themes` further with ffuf:

```
ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://sea.htb/themes/FUZZ" -t 200
```

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FHEyrYbEjDLTwiQOVNxGy%2Fimage.png?alt=media&#x26;token=5b94c690-e884-47f5-a297-2ff78c51774b" alt=""><figcaption><p>ffuf /themes</p></figcaption></figure>

Enumerating `/themes/bike` further with ffuf (403 responses filtered out):

```
ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://sea.htb/themes/bike/FUZZ" -t 200 -fc 403
```

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FOkx7KC5ANeRPgybHhvPv%2Fimage.png?alt=media&#x26;token=fe2ea253-0dfd-420d-917f-71dfb347384d" alt=""><figcaption><p>ffuf /themes/bike</p></figcaption></figure>

On visiting `/themes/bike/version` we get the version **3.2.0**.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FOmDhlaxx5AhPWFyzRiKu%2Fimage.png?alt=media&#x26;token=b6779c5a-4a39-47f6-af8f-10e626ffcb09" alt=""><figcaption><p>/version</p></figcaption></figure>

On visiting `/themes/bike/README.md` the readme file is downloaded; reading it tells us the CMS is **WonderCMS**.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2Fr3GwqrLRC7Z2YHlSRYLE%2Fimage.png?alt=media&#x26;token=b09da925-5da9-4b1e-a846-aa1a82a49890" alt=""><figcaption><p>readme.md</p></figcaption></figure>

## Foothold/shell

### CVE-2023-41425

Googling for a WonderCMS exploit affecting version 3.2.0, we found [this](https://github.com/thefizzyfish/CVE-2023-41425-wonderCMS_RCE) GitHub repo.

Download the Python script, run it with the proper argument values, and at the same time start a netcat listener.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FCyNu8KcboOwGLF30FfkM%2Fimage.png?alt=media&#x26;token=36f214d9-fc3e-454a-9255-9abde3690c1a" alt=""><figcaption><p>CVE-2023-41425.py</p></figcaption></figure>

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FMjaYSE8NoHYPt2WnS44Y%2Fimage.png?alt=media&#x26;token=9ee40a2a-c7b8-454a-b36f-2880504980e5" alt=""><figcaption><p>nc -nlvp 4444</p></figcaption></figure>

After getting the shell we were not able to find user.txt.

Looking around, we found the password hash in database.js.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FGiKtr9LXuhtmAEbnYShg%2Fimage.png?alt=media&#x26;token=6d8d1f0f-83c4-4bcf-b575-f6509eda1c98" alt=""><figcaption><p>database.js</p></figcaption></figure>

We found the password, but it is stored in the format used by bcrypt (refer to the [hashcat example hashes](https://hashcat.net/wiki/doku.php?id=example_hashes)):

* `$2y$`: the prefix, identifying the bcrypt variant.
* `$10$`: the cost parameter, which determines how computationally expensive the hashing is.
* The next 22 characters are the salt.
* The rest of the string after the salt is the actual hashed password.

To crack the hash, we first need to remove the slash escapes (`\/`) that the JSON file adds around the hash. Then we run hashcat with mode 3200 (bcrypt) and get a password:

```
hashcat -m 3200 hash.txt /home/anurag/stuff/rockyou.txt
```

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FCsLMbNqEAXbeW9oKANAa%2Fimage.png?alt=media&#x26;token=6a1163ba-d93d-4a7b-b962-ed3590491746" alt=""><figcaption><p>hashcat</p></figcaption></figure>
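To make the two preparation steps above concrete (un-escaping the JSON string and checking that what is left really has the `$2y$<cost>$<salt><digest>` shape hashcat mode 3200 expects), here is a small Python helper added to this writeup. It is example code, not part of the box or of WonderCMS; the `database.js` fragment and the hash inside it are constructed for the example and are not the hash from the machine.

```python
import json
import re

# Constructed sample of a WonderCMS-style database.js fragment. The hash value
# is made up for this example (it only has the right 60-character bcrypt shape)
# and is NOT the hash from the box. Note the JSON-escaped slashes: \/
SAMPLE_DATABASE_JS = (
    r'{"config":{"siteTitle":"Sea",'
    r'"password":"$2y$10$ExampleSalt\/yz0123456.Constructed.Hash\/Portion0123456"}}'
)

# Modular-crypt layout of a bcrypt string:
#   $<variant>$<cost>$<22-char salt><31-char digest>
# salt and digest use bcrypt's own base64 alphabet: . / A-Z a-z 0-9
BCRYPT_RE = re.compile(r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")


def extract_password_hash(database_js: str) -> str:
    """Pull the stored hash out of the JSON document.

    json.loads() undoes the \\/ escapes for us, which is exactly the
    'remove the slash escapers' step before feeding the hash to hashcat.
    """
    data = json.loads(database_js)
    return data["config"]["password"]


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into its fields; raise if the shape is wrong."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt hash (escapes left in, or truncated?)")
    variant, cost, salt, digest = m.groups()
    return {
        "variant": variant,        # "2y" is the flavour PHP's password_hash() emits
        "cost": int(cost),         # work factor; key setup runs 2**cost rounds
        "rounds": 2 ** int(cost),
        "salt": salt,              # 22 chars encode the 128-bit salt
        "digest": digest,          # 31 chars encode 184 bits of the 192-bit result
    }


def hashcat_line(database_js: str) -> str:
    """Return the cleaned line you would write to hash.txt for `hashcat -m 3200`."""
    h = extract_password_hash(database_js)
    parse_bcrypt(h)  # refuse to emit something hashcat would reject as malformed
    return h


if __name__ == "__main__":
    line = hashcat_line(SAMPLE_DATABASE_JS)
    print(line)
    for k, v in parse_bcrypt(line).items():
        print(f"{k:8} {v}")
```

The cost field is the part worth noticing as a defender: every increment doubles the work per guess, so a cost of 10 (1024 rounds) is what makes bcrypt cracking slow, and the only reason a wordlist attack succeeds here is that the password itself is in rockyou.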

Now we SSH in as `amay` with the password we just cracked and we are on the server. We also found **user.txt**.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FtX95PEFo9BwOU59d02Q8%2Fimage.png?alt=media&#x26;token=9ef79ded-9279-44bc-baa8-0bddf154b60c" alt=""><figcaption><p>user.txt</p></figcaption></figure>

## Priv Esc

We run `netstat -ano` to list all socket (port) activity. We see something listening on port 8080.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2Fogjo4RknTqW9v9papBO1%2Fimage.png?alt=media&#x26;token=a221265c-4e4d-40fa-8168-cd95781ee7d8" alt=""><figcaption><p>netstat -ano</p></figcaption></figure>

Let's set up local port forwarding for 8080 so that we can reach it from our own machine via localhost (local port 8888 maps to the box's port 8080):

```
ssh -L 8888:localhost:8080 amay@10.10.11.28
```

### Unauthenticated information leak & command injection

Now let's visit `localhost:8888`.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FOvS35s94dEHfJ3QOUD0c%2Fimage.png?alt=media&#x26;token=72cbcc28-8659-403a-8bae-c4c1a4248530" alt=""><figcaption><p>localhost:8888</p></figcaption></figure>

Using amay's password we were able to log in.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FM2FkA6YADypQQpu0gbDU%2Fimage.png?alt=media&#x26;token=f2241b58-7084-4b59-99e0-93ba0637c7a1" alt=""><figcaption><p>port 8080</p></figcaption></figure>

This looks like some monitoring software. It has an "Analyze log file" option; clicking analyze for access.log shows us the log contents.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FL0iKdX6cOr5ryu6AaRnt%2Fimage.png?alt=media&#x26;token=991a2f7f-bbc1-4ec0-afe2-f5a19fc1f453" alt=""><figcaption><p>access.log</p></figcaption></figure>

Besides access.log there is another option, auth.log. Looking at auth.log we saw:

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2Fc6zyza6SNAQQI1dm7VJj%2Fimage.png?alt=media&#x26;token=c0f6c132-344e-4a7a-9762-7045b2f8a00f" alt=""><figcaption><p>auth.log</p></figcaption></figure>

Let's spin up Burp Suite and look at the request again. We found a POST request carrying `log_file=/var/log/apache2/access.log`.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FMf09VjcjwZZLTB0My9RZ%2Fimage.png?alt=media&#x26;token=d1596e37-887c-411d-a551-819b7698c556" alt=""><figcaption><p>burp</p></figcaption></figure>

We also confirmed that reading `/var/log/apache2` requires root permission, which implies the backend reads the file as root: an unauthenticated information leak.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2F3BVqSphGsGZM6BYpEdXa%2Fimage.png?alt=media&#x26;token=d49e5b3e-1bf4-4991-b376-1f884fdeb3b1" alt=""><figcaption></figcaption></figure>

Let's try command injection.

When trying to read /root/root.txt it returns 'No suspicious traffic patterns detected in /root/root.txt.', so maybe there is some filtering.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FSV1AM03DhHc1jOxU0Xwl%2Fimage.png?alt=media&#x26;token=bac3e73a-37be-4b41-813f-acdbc213a4cd" alt=""><figcaption></figcaption></figure>

When trying with `;id` appended, we were able to read the content of **root.txt**.

<figure><img src="https://2050535832-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FC1JOqzbmZkOvdQTzItEo%2Fuploads%2FdiM0EadTIya6f90tlNrP%2Fimage.png?alt=media&#x26;token=7d4d8285-bd85-4116-8333-aa448256d52b" alt=""><figcaption><p>root.txt</p></figcaption></figure>
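The root cause of both findings in this section is the same: the analyzer takes the `log_file` parameter from the request, passes it straight into a shell command, and runs as root. The Python below is an added illustration for this writeup, not the box's actual monitoring software (whose source is not shown here): it places the vulnerable string-building pattern next to a hardened version that maps a short name to an allowlisted path and hands it to the program as a separate argv element, so a `;` in the input is never seen by a shell. The allowlist, the pattern list and the sample log lines are constructed for the example.

```python
import re
import subprocess
from pathlib import Path

# Constructed allowlist: the only two files the page shows the analyzer offering.
ALLOWED_LOGS = {
    "access.log": Path("/var/log/apache2/access.log"),
    "auth.log": Path("/var/log/auth.log"),
}

# Constructed pattern list standing in for whatever "suspicious traffic" means
# to the real tool; the page does not show its rules.
SUSPICIOUS_PATTERNS = ("sqlmap", "nikto", "../", "<script")


def unsafe_command(log_file: str) -> str:
    """The vulnerable pattern: request input spliced into a shell string.

    Returned for inspection only, never executed here. Anything after a ';'
    in `log_file` becomes a second command, and the service's privileges
    (root, in this box) apply to it.
    """
    return f"cat {log_file} | grep -E 'sqlmap|nikto'"


def build_safe_argv(log_file: str) -> list:
    """Hardened form: resolve a short name through the allowlist and return an
    argv list. Passed to subprocess.run() with the default shell=False, each
    element is a literal argument, so metacharacters have no meaning."""
    path = ALLOWED_LOGS.get(log_file)
    if path is None:
        # Rejects raw paths, traversal, and '...;id' alike: they are not keys.
        raise ValueError(f"log not permitted: {log_file!r}")
    pattern = "|".join(re.escape(p) for p in SUSPICIOUS_PATTERNS)
    return ["grep", "-E", pattern, str(path)]


def run_safe(log_file: str) -> str:
    """Execute the hardened command without a shell (needs the file to exist)."""
    result = subprocess.run(build_safe_argv(log_file), capture_output=True, text=True)
    return result.stdout


def analyze_lines(lines: list) -> list:
    """Pure-Python equivalent of the check, so the logic can be tested offline."""
    return [line for line in lines if any(p in line for p in SUSPICIOUS_PATTERNS)]


# Constructed access.log lines for a stand-alone run.
SAMPLE_LINES = [
    '10.10.14.5 - - [01/Aug/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1234',
    '10.10.14.5 - - [01/Aug/2024:10:00:07 +0000] "GET /?q=<script>alert(1) HTTP/1.1" 200 88',
    '10.10.14.5 - - [01/Aug/2024:10:00:09 +0000] "GET /themes/bike/version HTTP/1.1" 200 6',
]

if __name__ == "__main__":
    print("vulnerable string:", unsafe_command("/var/log/apache2/access.log;id"))
    print("hardened argv:    ", build_safe_argv("access.log"))
    for bad in ("/root/root.txt", "access.log;id", "../auth.log"):
        try:
            build_safe_argv(bad)
        except ValueError as e:
            print("rejected:", e)
    print("hits:", analyze_lines(SAMPLE_LINES))
```

Two things the hardened version still does not fix, and which the box also gets wrong: the analyzer has no reason to run as root (a user in the `adm` group can read Apache logs on most Debian-derived systems), and the web password was the same one cracked from `database.js`, so the login gate on port 8080 added nothing once that hash fell.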
