HTB | Sea — CVE-2023-41425

anuragtaparia
Published in InfoSec Write-ups
4 min read · Dec 30, 2024

This is a Linux box. You can find it here.

You can watch the video walkthrough here.

Skills Learned

  • CVE-2023-41425 (WonderCMS XSS leading to RCE)
  • Port forwarding
  • Unauthenticated information leak & command injection

NMAP

IP: 10.10.11.28

nmap -sT -p- --min-rate 10000 10.10.11.28
nmap -sC -sV -p 22,80 10.10.11.28
nmap

The first scan is a fast full-port TCP connect sweep; the second runs the default scripts and version detection only against the two ports it found open, 22 (SSH) and 80 (HTTP).

Port 80

Let’s run a directory search against the website, hiding 403 and 404 responses:

dirsearch -u http://10.10.11.28/ -x 403,404
dirsearch

Enumerating /themes further with ffuf (sea.htb must resolve to 10.10.11.28 first, e.g. via an /etc/hosts entry):

ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://sea.htb/themes/FUZZ" -t 200
ffuf /themes

Enumerating /themes/bike further with ffuf, this time filtering out 403 responses:

ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-medium-directories.txt -u "http://sea.htb/themes/bike/FUZZ" -t 200 -fc 403
ffuf /themes/bike

Visiting /themes/bike/version returns the version string 3.2.0.

/version

Visiting /themes/bike/README.md downloads the theme’s readme; reading it reveals that the CMS is WonderCMS.

readme.md

Foothold/shell

CVE-2023-41425

Googling for a WonderCMS 3.2.0 exploit turns up this GitHub repo. CVE-2023-41425 is a cross-site scripting flaw in WonderCMS (3.2.0 through 3.4.2) in the installModule component: a crafted link, once opened by a logged-in admin, makes the admin’s browser install an attacker-supplied module zip, which is how the public PoC plants a PHP reverse shell.

Download the Python script, run it with the right argument values (typically the target’s login URL plus your listener IP and port), and start the nc listener at the same time:

CVE-2023-41425.py
nc -nlvp 4444

After getting the shell we could not find user.txt from this account.

Looking around the WonderCMS install we found the admin password hash in database.js, the CMS’s flat-file JSON database:

database.js

The password is stored as a bcrypt hash (compare the hashcat example hashes):

  • $2y$: the prefix, identifying the bcrypt variant (hashcat’s mode 3200 accepts $2a$, $2b$ and $2y$ alike)
  • $10$: the cost parameter; bcrypt runs 2^cost rounds of its expensive key setup, so 10 means 1024 rounds and each extra unit doubles the cracking time
  • the next 22 characters are the base64-encoded salt
  • the remaining 31 characters are the hash itself

Because database.js is JSON, every / inside the hash is escaped as \/. Strip those backslashes (or JSON-decode the value) before cracking, otherwise hashcat rejects the hash as malformed. Then run hashcat in mode 3200 against rockyou and we get a password:

hashcat -m 3200 hash.txt /home/anurag/stuff/rockyou.txt
hashcat
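As an added example (not from the original write-up and not WonderCMS’s own code), here is a small Python helper that pulls the hash out of a database.js-style JSON file, undoes the \/ escaping, splits the bcrypt string into its fields and writes the hashcat input file. The database.js content and the hash inside it are constructed stand-ins with the right shape, not the real values from the box, and the key names under "config" are assumptions.

```python
import json
import re

# Constructed sample modelled on a WonderCMS database.js: the admin password is
# a JSON string, and JSON escapes "/" as "\/", which is why a hash copied
# straight out of the file will not crack. The hash itself is a made-up value
# with the correct shape (60 chars), not the one from the box.
SAMPLE_DATABASE_JS = r'''
{
    "config": {
        "siteTitle": "Sea",
        "password": "$2y$10$abcdefghijklmnopqrstuvAbCdEfGhIjKlMnOpQrStUvWxYz\/1234"
    }
}
'''

# Modular-crypt layout used by bcrypt:
#   $2<variant>$<cost>$<22-char salt><31-char digest>, alphabet ./A-Za-z0-9
BCRYPT_RE = re.compile(
    r'^\$(?P<prefix>2[abxy])\$(?P<cost>\d{2})\$'
    r'(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$'
)


def extract_password_hash(database_js: str) -> str:
    """Return the admin password hash with JSON escaping already removed."""
    data = json.loads(database_js)  # json.loads turns "\/" back into "/"
    return data["config"]["password"]


def strip_json_escapes(raw: str) -> str:
    """Same fix for a hash copied by hand out of the file (no JSON parsing)."""
    return raw.replace("\\/", "/")


def parse_bcrypt(hash_str: str) -> dict:
    """Split a bcrypt string into its fields; raise if the shape is wrong."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError(
            f"not a bcrypt hash (leftover \\/ escapes?): {hash_str!r}"
        )
    fields = m.groupdict()
    fields["cost"] = int(fields["cost"])
    fields["iterations"] = 2 ** fields["cost"]  # bcrypt cost is log2(rounds)
    return fields


def write_hashcat_input(hash_str: str, path: str) -> None:
    """Write one hash per line, the form hashcat -m 3200 expects."""
    with open(path, "w") as fh:
        fh.write(hash_str + "\n")


if __name__ == "__main__":
    h = extract_password_hash(SAMPLE_DATABASE_JS)
    info = parse_bcrypt(h)
    print(h)
    print(f"variant ${info['prefix']}$, cost {info['cost']} "
          f"({info['iterations']} rounds)")
    print(f"salt   {info['salt']}")
    print(f"digest {info['digest']}")
    write_hashcat_input(h, "hash.txt")
    # then: hashcat -m 3200 hash.txt rockyou.txt
```

The regex check is worth keeping in your own tooling: a hash that still contains the backslash fails it immediately, which is a far clearer error than hashcat’s generic "Token length exception".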

Now we SSH in as amay with the password we just cracked and are on the server, where we also find user.txt.

user.txt

Priv Esc

Run netstat -ano (or ss -tlnp, which also shows the owning process) to list the listening sockets. Something is listening on port 8080 that our nmap scan never showed, so it is only reachable from the box itself.

netstat -ano

Let’s set up local port forwarding for 8080 so we can reach it from our own machine as localhost:8888:

ssh -L 8888:localhost:8080 amay@10.10.11.28

Unauthenticated information leak & Command Injection

Now let’s visit localhost:8888.

localhost:8888

amay’s password gets us logged in.

port 8080

This looks like some monitoring software. It has an Analyze log file option; choosing access.log and clicking Analyze shows us log entries.

access.log

The other option besides access.log is auth.log; analysing that one shows:

auth.log

Let’s spin up Burp Suite and look at the request again. It is a POST whose body carries log_file=/var/log/apache2/access.log, i.e. the client sends the path of the file to analyse.

burp

Reading /var/log/apache2 normally needs root, so the application must be running as root and is disclosing root-readable files to whoever can reach this endpoint: an information leak.

Let’s try command injection.

Asking for /root/root.txt only returns ‘No suspicious traffic patterns detected in /root/root.txt.’ Rather than filtering, the app most likely just reports whether a file matches its suspicious-traffic patterns and never echoes the file itself, so a plain path is not enough on its own.

Appending ;id to the path, however, got us command output, which shows the value is handed to a shell. Through that injection we were able to read the content of root.txt.

root.txt
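The write-up does not show the monitoring app’s source, so as an added example (not the app’s code and not from the original post) here is a hypothetical reconstruction of the flawed pattern that matches what we observed, next to a hardened version. The vulnerable function pastes the client-supplied log_file value into a shell command line, so a value like "/var/log/x.log; id" runs a second command, and a file with no matching patterns yields exactly the ‘No suspicious traffic patterns detected’ message. The hardened one takes a log name, maps it through an allowlist, and runs grep as an argv list with no shell. The log lines, the pattern list and the function names are all constructed for the example.

```python
import os
import subprocess
import tempfile

# Constructed sample, standing in for /var/log/apache2/access.log.
SAMPLE_LOG = """\
10.10.14.5 - - [30/Dec/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 1234
10.10.14.5 - - [30/Dec/2024:10:00:02 +0000] "GET /themes/bike/version HTTP/1.1" 200 6
10.10.14.5 - - [30/Dec/2024:10:00:03 +0000] "POST /loginURL HTTP/1.1" 302 0
"""

# Hypothetical "suspicious traffic" patterns the analyser greps for. The tool
# only reports matches; the raw file is never sent back, which is why pointing
# it at /root/root.txt gave "No suspicious traffic patterns detected".
PATTERNS = ["union select", "etc/passwd", "sqlmap"]
PATTERN = "|".join(PATTERNS)


def write_sample_log() -> str:
    """Write SAMPLE_LOG to a temp file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".log")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_LOG)
    return path


def analyze_vulnerable(log_file: str) -> str:
    """Flawed pattern: the client's log_file value is pasted into a shell
    command line, so "/var/log/x.log; id" runs grep AND id. When the service
    runs as root, so does the injected command."""
    cmd = f"grep -i -E '{PATTERN}' {log_file}"
    result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    if result.stdout.strip():
        return "Suspicious traffic found:\n" + result.stdout
    return f"No suspicious traffic patterns detected in {log_file}."


# Hardened form: the client chooses a key, never a path.
ALLOWED_LOGS = {
    "access.log": "/var/log/apache2/access.log",
    "auth.log": "/var/log/apache2/auth.log",
}


def analyze_hardened(log_name: str, allowed: dict = ALLOWED_LOGS) -> str:
    """Allowlist lookup plus an argv list: no shell ever sees user input, and
    an unknown name is rejected instead of interpreted. Running the service as
    an unprivileged account that can read the logs (the adm group on
    Debian/Ubuntu) would close the information leak as well."""
    if log_name not in allowed:
        raise ValueError(f"unknown log: {log_name!r}")
    path = allowed[log_name]
    result = subprocess.run(
        ["grep", "-i", "-E", PATTERN, path], capture_output=True, text=True
    )
    if result.stdout.strip():
        return "Suspicious traffic found:\n" + result.stdout
    return f"No suspicious traffic patterns detected in {log_name}."


if __name__ == "__main__":
    log = write_sample_log()
    print(analyze_vulnerable(log))                   # clean file: no matches
    print(analyze_vulnerable(log + "; id"))          # second command runs
    print(analyze_hardened("access.log", {"access.log": log}))
    try:
        analyze_hardened("access.log; id", {"access.log": log})
    except ValueError as e:
        print("hardened version rejected it:", e)
    os.remove(log)
```

The difference to check for in a code review is not the grep call but the boundary: whether anything the client controls can reach a shell, and whether the process doing the reading has more privilege than the files it is meant to read.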

If you enjoyed this article and want to dive deeper into cybersecurity topics, feel free to explore my detailed write-ups on GitBook. I cover a range of topics including vulnerability assessments, penetration testing techniques, and security methodologies.

👉 Check out my GitBook for more insights

👉 Watch my videos on YouTube: AnuragSec

Stay tuned for more content, and don’t forget to follow for future updates!
