HTB SEA
WonderCMS discovery, CVE-based shell access, and a log analysis path to root.
SEA begins with a standard Nmap scan that exposes ports 80, 22, and 21. Web enumeration against the HTTP service leads to a contact page and additional paths such as LICENSE and version after running Feroxbuster.
The site references WonderCMS, which narrows the attack surface. I used the CVE-2023-41425 path to trigger code execution via the contact page and connected back with a listener.
Inside the shell, /var/www/database.js exposed encrypted credential material. I also confirmed the local account list through /etc/passwd, cracked the user password, and logged in as amay.
Privilege escalation came from a dashboard accessible on an internal port. I forwarded the service back to my machine with SSH local port forwarding, inspected the logs and request handling in the browser, then adjusted the log_file parameter to expose the root flag.
Key sequence: nmap -sC -sV → feroxbuster → WonderCMS/CVE-2023-41425 → database.js → crack hash → ssh amay → ssh -L → log_file manipulation