mychemicalromance, enabling SSH access. A localhost-only system monitor
exposes a command injection in its log analysis feature — injecting a newline into the
filename sets SUID on /bin/bash, giving root.
Full port scan reveals only SSH and HTTP — a minimal attack surface.
/etc/hosts to get correct content.

Directory fuzzing finds several interesting paths. The /themes/ directory reveals a bike theme; fuzzing it further uncovers version info and the CMS identity.
Confirm the admin login URL. WonderCMS uses a query-string format rather than a path segment: /?loginURL (query string), not /loginURL (path). The path returns 404.
CVE-2023-41425 is a stored XSS → RCE chain. An admin bot periodically reviews
contact form submissions using HeadlessChrome. Injecting a <script> tag into
the website field executes JavaScript in the admin's authenticated browser context.
The script calls WonderCMS's installModule API with the admin's session token,
installing a malicious zip that contains a PHP reverse shell.
Start a listener, then deliver the XSS payload via the contact form:

The backend makes a mail() call that fails when no mail server is configured, intermittently blocking the submission from being stored. Fix: reset the machine and submit immediately after it comes up.
http://sea.htb/loginURL returns 404. WonderCMS uses a query string: http://sea.htb/?loginURL.
xss.js crashing silently (original exploit fork): the original prodigiousMind fork queries document.querySelectorAll('[name="token"]')[0].value on the unauthenticated login page, which has no token element — a TypeError crashes the script before any requests are made. The thefizzyfish fork fetches the page first (as the authenticated admin), then extracts the token from the response correctly.
The original exploit's installModule call points to a github.com URL for the reverse shell zip. HTB machines have no outbound internet access, so the download silently fails. Use the thefizzyfish fork, which serves shell.zip locally via python3 -m http.server.
The bot visits the admin panel and renders it in a real browser — JavaScript executes. The XSS must be injected into content rendered by Chrome (the contact form's website field shown in the admin UI), not just a URL that gets fetched.
WonderCMS stores its configuration, including the admin password hash, in /var/www/sea/data/database.js:
$2y$ prefix, cost factor 10). Mode 3200 in hashcat.

Password reuse — the admin password also works for SSH as amay:
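To make the hash-identification step above concrete, here is an added illustration (not code from the box or from any exploit fork) that parses a bcrypt string in modular-crypt layout, reports the variant and cost factor, and maps the prefix to the hashcat mode. The hash embedded in it is a constructed stand-in with the correct $2y$ layout, not the value from database.js, and the minimum-cost threshold is an assumed local policy number. It goes slightly beyond the page by also recognising the $1$, $5$ and $6$ crypt(3) prefixes. The point for a defender: cost 10 means 2^10 Blowfish rounds per guess, which slows cracking but, as the page shows, does not save a password that appears in rockyou.

```python
import re

# Constructed stand-in hash with a valid bcrypt layout: $2y$, cost 10,
# 22-character salt, 31-character digest. Not the hash from database.js.
SAMPLE_HASH = "$2y$10$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"

# bcrypt modular-crypt layout: $2<variant>$<cost>$<22-char salt><31-char digest>
# Salt and digest use bcrypt's own base64 alphabet: . / A-Z a-z 0-9
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Other common crypt(3) prefixes and the hashcat mode that cracks them.
CRYPT_PREFIX_MODES = {
    "$1$": 500,    # md5crypt
    "$5$": 7400,   # sha256crypt
    "$6$": 1800,   # sha512crypt
}


def parse_bcrypt(h: str):
    """Split a bcrypt string into its fields, or return None if it is not bcrypt."""
    m = BCRYPT_RE.match(h)
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    return {
        "variant": variant,          # 2a / 2b / 2x / 2y (PHP's password_hash emits 2y)
        "cost": int(cost),           # work factor; rounds = 2 ** cost
        "iterations": 2 ** int(cost),
        "salt": salt,
        "digest": digest,
    }


def hashcat_mode(h: str):
    """Return the hashcat -m value for a crypt-style hash, or None if unknown."""
    if BCRYPT_RE.match(h):
        return 3200                  # "bcrypt $2*$, Blowfish (Unix)"
    for prefix, mode in CRYPT_PREFIX_MODES.items():
        if h.startswith(prefix):
            return mode
    return None


def slowdown_factor(cost_from: int, cost_to: int) -> int:
    """How many times slower each guess becomes when raising the bcrypt cost."""
    return 2 ** (cost_to - cost_from)


def assess(h: str, minimum_cost: int = 10):
    """Parse a bcrypt hash and check its cost against an assumed policy minimum."""
    info = parse_bcrypt(h)
    if info is None:
        return {"bcrypt": False}
    info["bcrypt"] = True
    info["meets_minimum"] = info["cost"] >= minimum_cost
    return info


if __name__ == "__main__":
    print(assess(SAMPLE_HASH))
    print("hashcat mode:", hashcat_mode(SAMPLE_HASH))
    print("cost 10 -> 12 is", slowdown_factor(10, 12), "x slower per guess")
```

The regex is deliberately strict about the salt and digest lengths: a truncated or copy-damaged hash will be rejected rather than mis-reported as a valid bcrypt string.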
Enumerate listening services — port 8080 is bound to localhost only:
Forward port 8080 and browse to it. HTTP Basic Auth uses amay:mychemicalromance. The app is a System Monitor with an "Analyze Log File" feature that lets you select access.log or auth.log.
The log_file POST parameter is passed unsanitized to a shell command. Injecting a newline character (\n) splits the filename into two commands — the second executes as root. Setting SUID on /bin/bash is the cleanest path:
\n terminates the first command and begins a second — the app executes both as root. No other sanitization is in place.

Attack path summary: nmap → ffuf → WonderCMS 3.2.0 identified → CVE-2023-41425 stored XSS → HeadlessChrome bot triggers installModule → PHP reverse shell (www-data) → database.js bcrypt hash → hashcat rockyou → amay:mychemicalromance (SSH) → ss -tlnp reveals port 8080 → SSH forward → System Monitor → newline injection in log_file param → chmod +s /bin/bash → bash -p → root