HTB | Sea — CVE-2023–41425
This is a Linux box. You can find it here.
You can watch the video walkthrough here
Skill Learned
- CVE-2023–41425
- Port Forwarding
- Unauthenticated Information leak & command Injection
NMAP
IP:10.10.11.28
nmap -sT -p- --min-rate 10000 10.10.11.28
nmap -sC -sV -p 22,80 10.10.11.28
Port 80
Let’s do a directory search on the website
dirsearch -u http://10.10.11.28/ -x 403,404
when enumerating /themes further using fuff
ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://sea.htb/themes/FUZZ" -t 200
when enumerating /themes/bike further using fuff
ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://sea.htb/themes/bike/FUZZ" -t 200 -fc 403
on visiting /themes/bike/version
it gives us version 3.2.0
on visiting /themes/bike/README.md
it downloads the readme file, further analysing the file we found CMS - WonderCMS
Foothold/shell
CVE-2023–41425
On googling the Wonder CMS exploit for version 3.2.0 we found this GitHub repo.
Download the Python script run it with proper argument values and Simultaneously start the NC listener
After getting the shell we were not able to find the user.txt.
On looking we found the password in database.js
We found the password but it is in the format used by bcrypt(refer hashcat examples),
- $2y$: it is a prefix, which is a variant of bcrypt
- $10$: Indicates the cost parameter, determining how computationally difficult the hashing process is.
- The next 22 characters are the salt.
- The rest of the string after the salt is the actual hashed password.
To crack the hash, we just need to remove those slash escapers. Then use Hashcat with mode 3200, we have a password:
hashcat -m 3200 hash.txt /home/anurag/stuff/rockyou.txt
Now we will ssh with the password we just cracked and we are in the server. We also found users.txt.
Priv Esc
We will run netstat -ano
to see all the socket(port) communication. We see port 8080 is hosting something.
Let’s do local port forwarding for 8080 So that we can access it via localhost
ssh -L 8888:localhost:8080 amay@10.10.11.28
Unauthenticated information leak & Command Injection
Now let’s visit localhost:8888
on using amay’s password we were able to login
This looks like some monitoring software. We can see the Analyze log file option when we click analyze for access.log we were able to see logs
There is another option besides access.log and that is auth.log, when looking at the auth.log we saw
Let’s spin up the burpsuite and look at the request again.We found a post-request for log_file=/var/log/apache2/access.log
we also confirmed that accessing /var/log/apache2
root permission is needed, which implies unauthenticated information leak
let’s try command injection
when trying to read /root/root.txt it gives ‘No suspicious traffic patterns detected in /root/root.txt.’ maybe there is some filtering
when trying with ;id
we were able to read the content of root.txt
If you enjoyed this article and want to dive deeper into cybersecurity topics, feel free to explore my detailed write-ups on GitBook. I cover a range of topics including vulnerability assessments, penetration testing techniques, and security methodologies.
👉 Check out my GitBook for more insights
👉 Watch my videos on YouTube: AnuragSec
Stay tuned for more content, and don’t forget to follow for future updates!