Devvortex — HackTheBox

Abdul Wassay (HotPlugin)
4 min read · Apr 26, 2024

Devvortex is an easy machine from HackTheBox. It involves leaking administrator credentials by exploiting an information disclosure vulnerability in Joomla CMS and turning the resulting admin access into RCE for the initial foothold, followed by the exploitation of apport-cli to escalate privileges to root.

NMAP

PORT   STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 (HTTP)

Browsing the URL, we get the following webpage. There’s nothing much to see as it’s a static site.

Fuzzing for subdomains, we find the subdomain dev.

Adding it to our /etc/hosts file and browsing the URL again, this time a new website is found.

Checking the robots.txt file, we find the following hidden endpoints.

Going to the /administrator/ endpoint, we get the following login page, which reveals that the website is built on Joomla CMS.

Fuzzing for directories, a README.txt file is found, which reveals that the installed Joomla version is 4.2.

Searching for vulnerabilities, this version is found to be vulnerable to CVE-2023-23752, an unauthenticated information disclosure. A PoC is publicly available. Exploiting it, we get a set of credentials.

curl http://dev.devvortex.htb/api/index.php/v1/config/application?public=true -q | jq

These credentials do not work on SSH. However, we can log in to the Joomla administrator portal with them.
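From the defender's side, the request above leaves a distinctive trace in the web server's access log. The following is an added example, not part of the original writeup, that parses constructed nginx combined-format log lines and flags unauthenticated hits on the Joomla 4 REST endpoints exposed by CVE-2023-23752 (the config endpoint leaks the database credentials; the users endpoint is covered by the same advisory). The sample lines, IPs and timestamps are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample nginx access-log lines (combined format); not taken from the box.
SAMPLE_LOG = """\
10.10.14.5 - - [26/Apr/2024:10:01:12 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Apr/2024:10:01:40 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2431 "-" "curl/7.88.1"
10.10.14.5 - - [26/Apr/2024:10:01:41 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 890 "-" "curl/7.88.1"
10.10.14.9 - - [26/Apr/2024:10:02:03 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 120 "-" "Mozilla/5.0"
10.10.14.9 - - [26/Apr/2024:10:02:10 +0000] "GET /administrator/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Joomla 4 REST endpoints that CVE-2023-23752 let unauthenticated clients read
# when the request carries public=true.
SENSITIVE_ENDPOINTS = (
    "/api/index.php/v1/config/application",
    "/api/index.php/v1/users",
)


def is_cve_2023_23752_request(target: str) -> bool:
    """True if the request target matches the disclosure pattern (path + public=true)."""
    url = urlsplit(target)
    if not any(url.path.startswith(p) for p in SENSITIVE_ENDPOINTS):
        return False
    public = parse_qs(url.query).get("public", [""])[0]
    return public.lower() == "true"


def find_disclosure_attempts(log_text: str) -> list:
    """Return one record per matching request; 'leaked' is True when the server answered 200."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_cve_2023_23752_request(m["target"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "target": m["target"],
                     "status": int(m["status"]), "leaked": m["status"] == "200"})
    return hits


if __name__ == "__main__":
    for hit in find_disclosure_attempts(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['target']} -> {hit['status']} leaked={hit['leaked']}")
```

A 200 on the config endpoint means the database credentials are already in the attacker's hands, so the follow-up is credential rotation, not just patching.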

Now that we have access to the admin interface, we can go to Templates under System settings and add our payload to one of the template's PHP files to get a reverse shell on the system.

Now, accessing the file in which we put our payload, we get a reverse shell.

Using the credentials of lewis, we can connect to the MySQL database.

In the sd4fg_users table, we find the password hash of the logan user.

Cracking the hash, we get the password.

hashcat hashes /usr/share/wordlists/rockyou.txt --user -m 3200

Using these credentials, we log in via SSH.

Privilege Escalation (root)

Checking sudo permissions, we can run apport-cli with sudo.

The version of apport-cli on the system is 2.20.11.

Searching for vulnerabilities, this version is found to be vulnerable to CVE-2023-1326, a privilege escalation vulnerability. More details can be found at the link below:

To exploit this vulnerability, first we need to create a crash dump. This can be done using the following method.

First, open any file with the less command; I will open the /etc/passwd file. Then background it by pressing Ctrl+Z.

Then abort the process with the following command and try to foreground it. This will create a crash dump in the /var/crash directory.

pkill -ABRT less

fg

Copy the crash file to some other directory before it is removed. Now open the crash file using apport-cli.

sudo apport-cli -c _usr_bin_less.1000.crash

Select the View Report option. This opens a pager like the less command. Press ESC and enter !/bin/bash.

This will open a shell as root.
