Devvortex HTB
Linux Devvortex labs on Hack The Box.
When typing the IP in our browser we can see we're redirected to a domain but we can't access the content.
Let's add this domain to the /etc/hosts file.
echo '10.129.229.146 devvortex.htb' | sudo tee -a /etc/hosts
We have access to their website now.
Now it's time to investigate the website. Meanwhile, I launch nmap -sV 10.129.229.146 to learn more about the services running on the server.
The website doesn't seem to have any particular vulnerabilities.
There is a form, but when submitting it, we can see through Burp that it makes a GET request. This doesn't seem to be a good path.
Nothing particularly interesting came out of our nmap scan either.
Let's try subdomain enumeration; there are various tools for it. In this case we'll use Gobuster, a Go tool used for brute-forcing URLs and DNS subdomains to discover hidden directories and virtual hosts on a web server.
./gobuster vhost --domain devvortex.htb --append-domain -u http://devvortex.htb -w /home/ayra/Tools/SecLists-master/Discovery/Web-Content/big.txt -t 100 -o result.txt
Found dev.devvortex.htb, add it to the /etc/hosts file.
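From the defender's side, a vhost brute-force like the one above leaves a distinctive trace: one client IP requesting many different Host headers in a few seconds. The following script is an added example, not part of the original writeup; it parses constructed nginx-style access log lines (a log format that records the requested host after the client IP is assumed) and flags any client that hits more than a threshold of distinct hosts inside a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real server logs). Assumed log format:
# <client ip> <requested host> [<timestamp>] "<request line>" <status>
SAMPLE_LOG = """\
10.10.14.5 admin.devvortex.htb [25/Nov/2023:10:00:01 +0000] "GET / HTTP/1.1" 302
10.10.14.5 api.devvortex.htb [25/Nov/2023:10:00:01 +0000] "GET / HTTP/1.1" 302
10.10.14.5 dev.devvortex.htb [25/Nov/2023:10:00:02 +0000] "GET / HTTP/1.1" 200
10.10.14.5 mail.devvortex.htb [25/Nov/2023:10:00:02 +0000] "GET / HTTP/1.1" 302
10.10.14.5 test.devvortex.htb [25/Nov/2023:10:00:03 +0000] "GET / HTTP/1.1" 302
10.10.14.5 staging.devvortex.htb [25/Nov/2023:10:00:03 +0000] "GET / HTTP/1.1" 302
192.168.1.20 devvortex.htb [25/Nov/2023:10:00:05 +0000] "GET /index.html HTTP/1.1" 200
192.168.1.20 dev.devvortex.htb [25/Nov/2023:10:01:05 +0000] "GET / HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "host": m.group("host"),
        "ts": ts,
        "status": int(m.group("status")),
    }


def detect_vhost_bruteforce(log_text, window_seconds=60, threshold=5):
    """Return {client_ip: max_distinct_hosts} for clients that requested at least
    `threshold` distinct Host headers within any `window_seconds` window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            events[rec["ip"]].append((rec["ts"], rec["host"]))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        lo = 0
        for hi in range(len(evs)):
            # Shrink the window from the left until it spans at most window_seconds.
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_seconds:
                lo += 1
            distinct = {host for _, host in evs[lo:hi + 1]}
            if len(distinct) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for ip, count in detect_vhost_bruteforce(SAMPLE_LOG).items():
        print(f"possible vhost enumeration from {ip}: {count} distinct hosts")
```

Legitimate clients rarely ask a single server for more than a handful of hostnames, so a low threshold is acceptable; tune `window_seconds` and `threshold` against your own traffic before alerting on it.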
Nothing really interesting on the dev website either. While continuing the recon, we can run Gobuster again to find new directories.
We found a Joomla admin directory. When it comes to CMSs like this, there is a high chance that some vulnerabilities have public PoCs available on the internet. Finding the CMS version will help us a lot in the process of finding and exploiting a vulnerability.
After some enumeration of the Joomla install, we found the /administrator/manifests/files/joomla.xml file, which gives us the Joomla version: 4.2.6.
There is an unauthenticated information disclosure exploit in this version of Joomla. Let's dive into the PoC and try to adapt it to our target.
The CVE-2023-23752 PoC worked. We got credentials; now let's try to log in to the Joomla dashboard with them.
We are inside the Joomla dashboard as Lewis. Great. Now we can start thinking about gaining access to the website's server for further escalation.
In this kind of dashboard environment, I want to find a way to upload a reverse shell file somewhere, as there are many user inputs, file upload options, and so on. After trying to write to a few files, we found one in the administrator template that could be edited to hold a reverse shell.
It worked, we're finally inside the server.
While trying to clear my terminal, I encountered an error with my TERM environment variable. Having the TERM environment variable improperly set or unset can cause various errors depending on the program you are trying to use in the terminal.
There are various ways to fix this. Here, we'll simply import pty and export TERM.
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
We connect to MySQL with the credentials we found. After some investigation, we found the hash "$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12" for a user named "Logan."
Now, the goal is to decrypt this hash so we can potentially solve the first user flag.
Given the format of the hash, it appears to be a bcrypt hash. Bcrypt hashes are designed to be slow to compute and are not reversible. To find the original password, you would need to perform a brute-force or dictionary attack. Let's use John the Ripper for that.
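Recognising "bcrypt" from the "$2y$10$" prefix is a matter of reading the modular crypt format: variant, cost factor, 22-character salt and 31-character digest. The script below is an added example, not part of the writeup, that parses the hash quoted above into those fields and makes the cost factor concrete (2^cost key-setup rounds, so each increment doubles the work for every guess an attacker has to make).

```python
import re

# The hash string quoted in the writeup above (the "Logan" account).
FOUND_HASH = "$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12"

# bcrypt modular-crypt format: $<variant>$<cost>$<22-char salt><31-char digest>,
# salt and digest both in bcrypt's own base64 alphabet (./A-Za-z0-9).
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Other common modular-crypt prefixes, recognised by name only.
OTHER_PREFIXES = {
    "$1$": "md5crypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$argon2": "argon2",
}


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields, or return None if it is not bcrypt."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        return None
    cost = int(m.group("cost"))
    return {
        "algorithm": "bcrypt",
        "variant": m.group("variant"),
        "cost": cost,
        "rounds": 2 ** cost,  # key-setup iterations per password check
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def identify_hash(hash_str):
    """Classify a stored password hash; bcrypt is parsed in full, others by prefix."""
    parsed = parse_bcrypt(hash_str)
    if parsed:
        return parsed
    for prefix, name in OTHER_PREFIXES.items():
        if hash_str.startswith(prefix):
            return {"algorithm": name}
    return {"algorithm": "unknown"}


def relative_work(cost_from, cost_to):
    """How many times more work each guess costs at cost_to than at cost_from."""
    return 2 ** (cost_to - cost_from)


if __name__ == "__main__":
    info = identify_hash(FOUND_HASH)
    print(f"{info['algorithm']} {info['variant']}, cost {info['cost']} "
          f"({info['rounds']} rounds), salt {info['salt']}")
    print(f"raising the cost from 10 to 12 multiplies guess cost by {relative_work(10, 12)}")
```

The salt means precomputed tables are useless, but as the writeup shows, a weak password still falls to a wordlist; the cost factor only sets the price per guess, which is why password quality and non-reuse matter as much as the hashing scheme.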
It worked, we got the password "tequieromucho." Now we can try to log in to various services with these credentials.
It worked with an SSH connection. We can find the first user flag in the directory. This is a basic example of why we should use different passwords.
Now we should find a way to do privilege escalation.
When you run sudo -l, it shows which commands you can run with sudo privileges without providing a password, as well as those that require a password.
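What sudo -l prints is exactly what an administrator should be reviewing for least privilege: which rules skip the password, which allow any arguments, and which hand the user a binary that is known to escape to a shell. The script below is an added example, not part of the writeup; it parses constructed sudo -l output (the format of the rule lines is what sudo prints, the rules themselves are invented) and lists the rules worth a second look.

```python
import re

# Constructed `sudo -l` output for illustration; these are not the box's real rules.
SAMPLE_SUDO_L = """\
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
    (root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
    (ALL) NOPASSWD: ALL
"""

# A rule line looks like: (<runas user>[ : <runas group>]) [TAG: ...] <command>[, <command>...]
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

# The one binary this writeup itself identifies as abusable under sudo.
KNOWN_ESCAPES = {
    "/usr/bin/apport-cli": "CVE-2023-1326: interactive report viewer allows a shell escape",
}


def parse_sudo_l(text):
    """Return a list of {runas, tags, commands} dicts from `sudo -l` output."""
    rules = []
    in_commands = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True  # everything after this header is a rule line
            continue
        if not in_commands:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
        cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
        rules.append({"runas": m.group("runas").strip(), "tags": tags, "commands": cmds})
    return rules


def audit_rules(rules):
    """Return (severity, reason, command) tuples for rules that weaken least privilege."""
    findings = []
    for rule in rules:
        for cmd in rule["commands"]:
            program = cmd.split()[0]
            if cmd == "ALL":
                findings.append(("high", "any command allowed", cmd))
            elif program in KNOWN_ESCAPES:
                findings.append(("high", KNOWN_ESCAPES[program], cmd))
            elif " " not in cmd and "*" not in cmd:
                # A bare path in sudoers permits the command with any arguments.
                findings.append(("low", "arguments not restricted", cmd))
            if "*" in cmd:
                findings.append(("medium", "wildcard in command", cmd))
            if "NOPASSWD" in rule["tags"] and cmd != "ALL":
                findings.append(("medium", "no password required", cmd))
    return findings


if __name__ == "__main__":
    for severity, reason, cmd in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[{severity}] {cmd}: {reason}")
```

The fix for the rule this box turns on is the boring one: remove apport-cli from sudoers (or update apport) rather than trying to restrict its arguments, since the escape happens inside the program's own prompt.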
We can find a way to abuse /usr/bin/apport-cli.
With some research we can easily find CVE-2023-1326, which affects this version of apport-cli.
Following the CVE, we have to run sudo /usr/bin/apport-cli --file-bug and then use random parameters until reaching V for View report. After that, we'll have a prompt where entering !/bin/bash will give us a root shell.
We found the user.txt file with the root flag. This is the end of the Devvortex box.