Author: lomar



Sea

  • T1566.002
  • T1204.001
  • T1068
  • T1127

Discovery

Screenshot_20240813_104437

When we look at the source code of the HTML page, we see that the website's static files are kept under the path themes/bike/velik71***. We cannot browse the /themes path itself because we are not authorized, but individual files under it are easy to reach if we know their names.

Screenshot_20240813_105124

When we search for themes/bike/velik71 on Google, we see that a content management system called WonderCMS uses these theme files. A more detailed search also turns up its GitHub repository.

Screenshot_20240813_105224

Screenshot_20240813_105401

Screenshot_20240813_105720

Screenshot_20240813_110021

As you can see from the screenshots above, a CVE published for WonderCMS describes an attack in which the administrator of the website is phished, and this opens a vulnerability in the website.

Web Exploit

Screenshot_20240813_110241

Screenshot_20240813_110421

Screenshot_20240813_110540

In the /var/www/sea folder we see some files related to our website. If we take a look at the data folder, we can see the configuration files related to the database. The user password required to access the database is stored as a bcrypt hash.
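For reviewing a configuration file like the one described above from the defender's side, the following added example (not code from the original write-up or from WonderCMS) walks a JSON document, recognises bcrypt hashes by their layout and reports their cost factor. The key names, the sample hash and the minimum-cost threshold are assumptions constructed for illustration.

```python
import json
import re

# bcrypt layout: $<variant>$<2-digit cost>$<22-char salt><31-char digest>
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)
MIN_COST = 12  # assumed policy threshold, not a value taken from the page


def parse_bcrypt(value):
    """Split a bcrypt string into its fields; return None if it is not bcrypt."""
    m = BCRYPT_RE.match(value)
    if not m:
        return None
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:  # bcrypt only defines cost factors 4..31
        return None
    return {"variant": variant, "cost": cost, "rounds": 2 ** cost,
            "salt": salt, "digest": digest}


def audit_config(text):
    """Return one finding per bcrypt hash found anywhere in a JSON document."""
    findings = []

    def walk(node, path):
        if isinstance(node, dict):
            for key, child in node.items():
                walk(child, path + [str(key)])
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, path + [str(i)])
        elif isinstance(node, str):
            parsed = parse_bcrypt(node)
            if parsed:
                findings.append({"path": ".".join(path), "cost": parsed["cost"],
                                 "weak": parsed["cost"] < MIN_COST})

    walk(json.loads(text), [])
    return findings


# Constructed sample: placeholder salt and digest, hypothetical key names.
SAMPLE_HASH = "$2y$10$" + "a" * 22 + "B" * 31
SAMPLE_CONFIG = json.dumps({"config": {"siteTitle": "demo",
                                       "password": SAMPLE_HASH}})

if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(finding)
```

A hash reported as weak here only means its cost factor is below the assumed threshold; keeping such files outside the web root and unreadable to the web server's other tenants matters regardless of cost.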

Screenshot_20240813_110751

Screenshot_20240813_110903

Screenshot_20240813_111027

Screenshot_20240813_111108

Screenshot_20240813_111204

Privilege Esc.

Screenshot_20240813_111255

Screenshot_20240813_111417

Screenshot_20240813_111538

Screenshot_20240813_111608

Screenshot_20240813_112512