🏴☠️HTB - Devvortex
p0db0t writeup of the easy-difficulty Linux machine Devvortex from https://hackthebox.eu
First off, I started my enumeration with an Nmap scan of 10.10.11.242. The options I regularly use are: -sC is the equivalent to --script=default and runs a collection of Nmap enumeration scripts against the target; -sV does a service scan.
I added devvortex.htb to /etc/hosts next to the IP of the box, which is 10.10.11.242.
Since I still didn't have a way in, the next place to enumerate was HTTP on port 80. Navigating to http://devvortex.htb
After visiting http://devvortex.htb, I decided to brute-force hidden directories with Gobuster and didn't find anything 😢
I also used Gobuster for subdomain enumeration of this host and found dev.devvortex.htb
I added dev.devvortex.htb to /etc/hosts next to the IP of the box, which is 10.10.11.242.
After visiting http://dev.devvortex.htb, I decided to brute-force hidden directories with Dirsearch and found /administrator/ and /Readme.txt 🎉
On the Administrator page, I found out that it is the login page of Joomla CMS.
On the Readme.txt page, I found out the version of Joomla CMS: 4.2.
I found out that Joomla CMS 4.2 is vulnerable to CVE-2023-23752 and used the tool Curl to get some sensitive information, including the username and password of user Lewis. More about CVE-2023-23752 at this link: https://nvd.nist.gov/vuln/detail/CVE-2023-23752
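For the defender's side of this step, here is an added example (not part of the original writeup) that triages a Joomla version string against the range NVD lists for CVE-2023-23752, Joomla! 4.0.0 through 4.2.7. It shows why a two-part version like the 4.2 read from Readme.txt cannot be cleared without the patch level; the function names and sample strings are constructed for illustration.

```python
import re

# Affected range for CVE-2023-23752 as stated in the NVD entry:
# Joomla! 4.0.0 through 4.2.7.
FIRST_AFFECTED = (4, 0, 0)
LAST_AFFECTED = (4, 2, 7)


def parse_version(text):
    """Extract (major, minor) or (major, minor, patch) from a banner string."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if match is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in match.groups() if part is not None)


def triage(text):
    """Return 'affected', 'not affected' or 'needs patch level'."""
    version = parse_version(text)
    if len(version) == 3:
        in_range = FIRST_AFFECTED <= version <= LAST_AFFECTED
        return "affected" if in_range else "not affected"
    # Only major.minor is known, so reason about every possible patch level.
    if version < FIRST_AFFECTED[:2] or version > LAST_AFFECTED[:2]:
        return "not affected"
    if version == LAST_AFFECTED[:2]:
        # 4.2.0 to 4.2.7 are in range, later 4.2.x releases are not.
        return "needs patch level"
    return "affected"  # every 4.0.x and 4.1.x release is inside the range


if __name__ == "__main__":
    # Constructed sample inputs, as an inventory or a README banner might give.
    samples = ["Joomla! 4.2", "4.2.7", "4.2.8", "4.1", "3.10.12", "5.0.0"]
    for sample in samples:
        print(f"{sample:>12}  ->  {triage(sample)}")
```

A "needs patch level" result should be treated as exposed until the exact installed release is confirmed from the server itself rather than from a public README.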
After logging in to the Administrator page with the credentials that I found with Curl, I edited error.php, which was located at /template/Cassiopeia/error.php, and set up a reverse shell script.
I ran Netcat to listen to incoming connections and used Curl to trigger a reverse shell at the error.php page.
Boom! I got the shell as www-data
The credentials that I found with Curl also included a database name, so I went on to check MySQL.
Bingo 🎉 I found the hash of Lewis and saved the hash locally in a .txt file.
I cracked the hash of Logan using the tool John The Ripper
Sweet!!!! I logged in as user Logan via SSH.
The sudo -l command gives me some interesting output
I found out that Apport-cli is vulnerable to CVE-2023-1326. More about CVE-2023-1326 at this link: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/2016023