
Sea HTB - Writeup

this one throws you for a loop: it was hard to find an exploit that worked well, and it takes more than the usual recon and enumeration, because the key hint sits in the page source, which isn't where you'd normally expect to look

the site's CSS file hints at a /themes/bike directory if you enumerate further:


you'll find a README file:


and learn that the site is powered by WonderCMS. it has a few public exploits, but as we have no credentials we can't use the authenticated RCE, so we go for the XSS-to-RCE chain instead (an unauthenticated XSS that gets the admin's browser to install a malicious module using the admin's own session)

the exploit needs the login URL, which WonderCMS lets you customise, so it tells you to go find it; on this box it's the default and is easy to find at /loginURL


this is the exploit that worked for me; skill issue maybe, I don't know


once you get a shell, WonderCMS's data/database.js holds the admin password as a bcrypt (Blowfish-based) hash:


remove the backslashes in front of the forward slashes; they're only JSON escape characters (PHP's json_encode writes / as \/), and the hash is crackable once they're gone
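A small parser for that file, added here and not part of the writeup: it loads database.js as JSON (which drops the `\/` escapes on its own), checks that the result is a well-formed bcrypt string and reports the cost and the cracker modes to use. The database.js below is a constructed sample with a made-up hash, shaped like WonderCMS's real one; the path data/database.js is WonderCMS's default.

```python
#!/usr/bin/env python3
"""Pull the admin hash out of WonderCMS's data/database.js and identify it
(added example, not from the writeup). The JSON shape matches WonderCMS; the
hash value below is constructed for illustration and is not a real credential."""
import json
import re

# Constructed sample of data/database.js. PHP's json_encode writes "/" as "\/",
# which is exactly what has to be stripped before the hash will crack.
SAMPLE_DATABASE_JS = r'''{
    "config": {
        "siteTitle": "Sea",
        "theme": "bike",
        "defaultPage": "home",
        "login": "loginURL",
        "forceLogout": false,
        "forceHttps": false,
        "saveChangesPopup": false,
        "password": "$2y$10$ab\/defghijklmnopqrstu\/0123456789ABCDEFGHIJKLMNOPQRSTU",
        "lastLogins": {},
        "lastModulesSync": "2024\/01\/01",
        "customModules": {"themes": {}, "plugins": {}},
        "menuItems": {}
    },
    "pages": {}
}'''

# bcrypt: $2a$/$2b$/$2y$, two-digit cost, then a 22-char salt and 31-char digest
# (53 chars) over the bcrypt base64 alphabet, which includes "." and "/".
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def extract_admin_hash(database_js: str) -> str:
    """Parse database.js as JSON; decoding turns every "\/" back into "/"."""
    data = json.loads(database_js)
    return data["config"]["password"]


def unescape_copied_hash(raw: str) -> str:
    """For a hash copied straight out of the file instead of parsed: the only
    JSON escape a bcrypt string can contain is "\/", so drop those backslashes."""
    return raw.replace("\\/", "/")


def describe_hash(h: str) -> dict:
    """Confirm the string is well-formed bcrypt and return cracker settings."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError(f"not a bcrypt hash (leftover backslash or truncated copy?): {h!r}")
    return {"algorithm": "bcrypt", "cost": int(m.group(1)),
            "hashcat_mode": 3200, "john_format": "bcrypt"}


def main() -> None:
    h = extract_admin_hash(SAMPLE_DATABASE_JS)
    info = describe_hash(h)
    print(h)
    print(f"bcrypt cost {info['cost']}: hashcat -m {info['hashcat_mode']} hash.txt wordlist.txt")


if __name__ == "__main__":
    main()
```

Write the cleaned hash to a file and crack it with `hashcat -m 3200 hash.txt wordlist.txt` or `john --format=bcrypt hash.txt`; bcrypt is slow by design, so a targeted wordlist beats a huge one. If the regex rejects your hash, a leftover backslash or a truncated copy-paste is almost always the cause.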


I went down a rabbit hole here trying to use the authenticated RCE. actually, you can just SSH in as one of the users you find from the www-data shell (check /etc/passwd) with the cracked password


and that's user. for root, netstat (or ss -tlnp) shows something listening on 8080, which is usually an indicator of a web service, so just port forward it over SSH (ssh -L 8080:127.0.0.1:8080 user@target) and open it in a browser


you'll find this web app. use Burp to intercept the request it makes and change the file it reads: the path isn't validated, so you can pull more sensitive files, such as root.txt, which also tells you the service runs as root


reading a file on its own doesn't show its contents, because the app only reports that no suspicious activity was detected in it. but the filename ends up in a shell command, so if you inject a command into it...


and that's it!