Hello folks, I'm Abzee, a n00b trying to be the best one day. I decided to kick-start 2024 by rooting Devvortex on the HackTheBox platform; it was really fun to play with and I learnt a few things.
Enumeration
Let's start with a simple nmap scan to check all open ports on the given IP with this simple command.
We have two open ports, HTTP and SSH. Let's see what we have on port 80 and get to the juicy part.
We have a domain which we have to add to our hosts file to access the webpage.
sudo gedit /etc/hosts
Now we are good to go. There shouldn't be any problem accessing the webpage since what we need has already been added.
A nice webpage to dive into, but unfortunately I couldn't get anything from it, so I moved on to scan for subdomains using FFUF.
Oh nice, with this we can surely get one or two things to exploit and get a foothold, but first of all let's visit the subdomain we just got from our scan.
It's running the Joomla CMS, which is vulnerable to unauthenticated information disclosure (CVE-2023-23752).
Link to exploit: https://www.exploit-db.com/exploits/51334
Boom!! Having some juicy username and password is cool. Time to test them out by visiting the administrator login page.
And we are in by trying these credentials.
Foothold
Since we are in, we can proceed by selecting System, then under Site Templates there should be a template that we can edit.
index.php can't be edited because of the permissions given to it, so I decided to edit offline.php instead, replacing it with my PHP shell payload, then saved it and started my listener. Then, by accessing http://dev.devvortex.htb/templates/cassiopeia/offline.php
boom, we receive a connection back.
Got in as www-data, but not a problem. Time to read the contents of user.txt.
We don't have permission to read user.txt unless we are the user logan, so let's move around for possible credentials.
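As an added defender-side example (not part of the original writeup), the Python below scans constructed Apache access-log lines for the pattern used in the foothold above: a template file saved through the Joomla admin template manager, followed by a direct request to a PHP file under /templates/. The log lines and the com_templates task parameter names are assumptions.

```python
import re
from typing import Dict, List, Optional

# Constructed sample Apache combined-format lines (not from the box); they mimic
# the edit-template-then-request-it pattern described above.
SAMPLE_LOG = """\
10.10.14.5 - - [02/Jan/2024:10:01:12 +0000] "GET /administrator/index.php?option=com_templates&view=template&id=223 HTTP/1.1" 200 5321
10.10.14.5 - - [02/Jan/2024:10:01:40 +0000] "POST /administrator/index.php?option=com_templates&task=template.apply HTTP/1.1" 303 0
10.10.14.5 - - [02/Jan/2024:10:02:03 +0000] "GET /templates/cassiopeia/offline.php HTTP/1.1" 200 12
10.10.14.9 - - [02/Jan/2024:10:05:00 +0000] "GET /templates/cassiopeia/css/template.min.css HTTP/1.1" 200 9912
"""

LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Direct requests to PHP files under /templates/ (offline.php, error.php, ...)
TEMPLATE_PHP_RE = re.compile(r"^/templates/[^/]+/[^/?]+\.php(?:\?|$)")
# Saves of a template file through the template manager (task names are an assumption)
TEMPLATE_EDIT_RE = re.compile(r"option=com_templates.*task=template\.(apply|save)")

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text: str) -> List[Dict[str, str]]:
    """Return one finding per suspicious request, tagged with a reason."""
    findings = []
    edited_by = set()  # client IPs that saved a template file via the admin UI
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and TEMPLATE_EDIT_RE.search(rec["path"]):
            edited_by.add(rec["ip"])
            findings.append({**rec, "reason": "template file saved via admin UI"})
        elif TEMPLATE_PHP_RE.match(rec["path"]) and rec["status"] == "200":
            reason = "direct request to template PHP file"
            if rec["ip"] in edited_by:
                reason += " after template edit from same IP"
            findings.append({**rec, "reason": reason})
    return findings

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["path"], "->", f["reason"])
```

Static assets under /templates/ (CSS, JS, images) are not flagged; only executable PHP files requested directly are.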
MySQL credentials to try out.
A hash to crack. This is where JohnTheRipper comes in.
John to the rescue and we found ourselves a password; let's try it over SSH.
Privilege Escalation
The wait is over, time to own system, because that is the sweetest thing ever. First of all let's see what we have in sudo -l.
This vulnerability is a privilege escalation in apport-cli 2.26.0 (CVE-2023-1326).
Let's see how we can use it to gain system.
Running sudo /usr/bin/apport-cli -f
will bring up some options; select 1, then 3, which brings up another set of options. This time it's not numbers but letters, so select V, then type !/bin/bash and boom, we are system.
That's all for today and thanks for reading.