
HTB Devvortex Write-up

Devvortex

Difficulty: easy

4th DEC 2023
IP: 10.10.11.242

Enumeration

nmap -Pn -T4 -sVC 10.10.11.242

Foothold

When accessing the IP directly through the browser, it shows that we should resolve the domain devvortex.htb.

Add 10.10.11.242 devvortex.htb to the /etc/hosts file.

sudo nano /etc/hosts

Then we refresh the page.

A well-designed website. Going around the site and checking the linked pages and forms, it is just static HTML; there is nothing interesting.

Directory enumeration

gobuster dir -u http://devvortex.htb -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt -t 50

No new results. We can check the images, js and css directories, but we get 403 Forbidden.

VHOST enumeration

There might be other sites running on the same server.

gobuster vhost -u devvortex.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

We get a hit: the virtual host dev.devvortex.htb exists.

Add it to the /etc/hosts file.

Visit it.

A slightly different website. Going around won't lead to anything.

Check if robots.txt exists.

Joomla! is a well-known CMS.

Checking the administrator directory, we get a login form.

Searching for default credentials for the Joomla CMS, we find that the username is admin with no password.

Trying it, the login fails.

CMSs usually have CVEs, but first we have to find out the Joomla version.

Check HackTricks on how to find the Joomla version.

By visiting /administrator/manifests/files/joomla.xml we find that it is version 4.2.6.

Searching GitHub for a Joomla 4.2.6 exploit, we find that there is a recent CVE for this version.

https://github.com/Acceis/exploit-CVE-2023-23752

Joomla! < 4.2.8 - Unauthenticated information disclosure.

Download the Ruby script and run it.

ruby exploit.rb http://dev.devvortex.htb

We find 2 users and the database password.
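The defender-side view of this finding, as an added example that is not part of the original write-up or of the linked exploit repository: it scans combined-format web server access logs for the two Joomla 4 API endpoints that CVE-2023-23752 exposed when called with the public=true parameter, and reports which of those requests actually answered 200 (i.e. the site was unpatched and data was returned). The log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Joomla 4 web-service endpoints that CVE-2023-23752 exposed before 4.2.8.
SENSITIVE_PATHS = {
    "/api/index.php/v1/config/application",
    "/api/index.php/v1/users",
}

# Constructed sample log: one normal page hit, the two disclosure requests,
# a rejected call without the bypass parameter, and the version-manifest fetch.
SAMPLE_LOG = """\
10.10.14.5 - - [04/Dec/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [04/Dec/2023:10:01:09 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1188 "-" "Ruby"
10.10.14.5 - - [04/Dec/2023:10:01:10 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 640 "-" "Ruby"
10.10.14.9 - - [04/Dec/2023:10:03:44 +0000] "GET /api/index.php/v1/users HTTP/1.1" 401 77 "-" "curl/8.0"
10.10.14.5 - - [04/Dec/2023:10:05:00 +0000] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 2040 "-" "Mozilla/5.0"
"""


def detect_cve_2023_23752(log_text: str) -> list[dict]:
    """One finding per request to a sensitive API path that carries the
    unauthenticated public=true parameter. A 200 status means the site was
    unpatched and the config/user data was actually returned."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path not in SENSITIVE_PATHS:
            continue
        query = parse_qs(parts.query)
        if query.get("public", [""])[0].lower() != "true":
            continue  # authenticated API use without the bypass; not this bug
        findings.append({
            "ip": m.group("ip"),
            "path": parts.path,
            "status": int(m.group("status")),
            "disclosed": m.group("status") == "200",
        })
    return findings
```

A hit with `disclosed` set to True means the database credentials should be treated as leaked and rotated, in addition to upgrading Joomla to 4.2.8 or later.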

The password could be reused, so we try it to log in.

And we are in!! We already know user lewis is the super user, so we can alter PHP pages to get a reverse shell. In Joomla, such a page can typically be found within the installed templates. To locate it, we'll navigate through System -> Templates -> Site Templates.

We can see all the pages related to this template.

Choose error.php; we can add PHP code to it that gives us a reverse shell.

Replace the whole file with the PentestMonkey PHP reverse shell.

(Get the reverse shell payload from https://www.revshells.com/)

After saving it, start a listener.

nc -nvlp 1234

Now execute it by visiting the page through the path written above the editor.

Back to our listener.

We are in as www-data.

List all users with a shell on the machine.

cat /etc/passwd | grep 'sh$'

Privilege Escalation

www-data to logan

To read user.txt we need to be user logan. We already know the database credentials, so we can get logan's password hash and crack it.

mysql -u lewis -p -D joomla

List all tables available.

show tables;

Return all rows from the table sd4fg_users.

select * from sd4fg_users;

Copy the hash to the local machine into a file called hash, and crack it using john with the rockyou.txt wordlist.

Switch user to logan, and read user.txt flag.

su logan

logan to root

Run sudo -l to check what user logan can run using sudo.

Apport intercepts program crashes, collects debugging information about the crash and the operating system environment, and sends it to bug trackers in a standardized form. It also lets the user report a bug about a package, again collecting as much information about it as possible.

Searching for Apport exploits, we find a recent CVE, CVE-2023-1326; on the official apport GitHub repository we can find a PoC: https://github.com/canonical/apport/commit/e5f78cc89f1f5888b6a56b785dddcb0364c48ecb

So we just need to make a fake crash file called xxx.crash inside the /var/crash directory.

touch /var/crash/xxx.crash

After entering V, type !id.

Get a shell as root with !bash.

This post is licensed under CC BY 4.0 by the author.