HTB | Sea

This is a Linux box. You can find it here.

Skill Learned

NMAP

IP:10.10.11.28

nmap -sT -p- --min-rate 10000 10.10.11.28

nmap -sC -sV -p 22,80 10.10.11.28

Let's do a directory search on the website

dirsearch -u http://10.10.11.28/ -x 403,404

when enumerating /themes further using fuff

ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://sea.htb/themes/FUZZ" -t 200

when enumerating /themes/bike further using fuff

ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://sea.htb/themes/bike/FUZZ" -t 200 -fc 403

on visiting /themes/bike/version it gives us version 3.2.0

on visiting /themes/bike/README.md it downloads the readme file, further analysing the file we found CMS - WonderCMS

On googling the Wonder CMS exploit for version 3.2.0 we found this GitHub repo.

Download the Python script run it with proper argument values and Simultaneously start the NC listener

After getting the shell we were not able to find the user.txt.

On looking we found the password in database.js

We found the password but it is in the format used by bcrypt(refer hashcat examples),

$2y$: it is a prefix, which is a variant of bcrypt
$10$: Indicates the cost parameter, determining how computationally difficult the hashing process is.
The next 22 characters are the salt.
The rest of the string after the salt is the actual hashed password.

To crack the hash, we just need to remove those slash escapers. Then use Hashcat with mode 3200, we have a password:

hashcat -m 3200 hash.txt /home/anurag/stuff/rockyou.txt

Now we will ssh with the password we just cracked and we are in the server. We also found users.txt.

We will run netstat -ano to see all the socket(port) communication. We see port 8080 is hosting something.

Let's do local port forwarding for 8080 So that we can access it via localhost

ssh -L 8888:localhost:8080 amay@10.10.11.28

Now let's visit localhost:8888

on using amay's password we were able to login

This looks like some monitoring software. We can see the Analyze log file option when we click analyze for access.log we were able to see logs

There is another option besides access.log and that is auth.log, when looking at the auth.log we saw

Let's spin up the burpsuite and look at the request again.We found a post-request for log_file=/var/log/apache2/access.log

we also confirmed that accessing /var/log/apache2 root permission is needed, which implies unauthenticated information leak

let's try command injection

when trying to read /root/root.txt it gives 'No suspicious traffic patterns detected in /root/root.txt.' maybe there is some filtering

when trying with ;id we were able to read the content of root.txt

Last updated 1 year ago