Hello fellow hackers, I just got bored, so I thought I should write something for the sake of the infosec people. DevVortex is a Season 3 machine from HTB rated Easy, but somehow it is not really that easy, while on the other hand it is kind of very easy.

OBJECTIVE

  1. Sub-domain enumeration
  2. Enumerating services and versions (Joomla CMS)
  3. Exploiting Joomla 4.x
  4. Cracking hashes offline and online
  5. RCE via a backdoor
  6. Exploiting the apport-cli binary

Let's begin our pentest now.

STEP 1: SCANNING
As always, we're only given an IP address (10.10.11.242), so we need to move on from here and exploit the system.

Let's scan the target first.

We got 2 open ports from our first scan.

port 22 (ssh)
port 80 (web server)

From here let's move into enumeration and dissect our target.

STEP 2: ENUMERATION
Port 22 is SSH, a secure remote protocol, so we definitely need creds to log in there, but we have no creds, so let's move on to the other port.

Port 80 is a web server (add the IP address to your /etc/hosts).

If we browse to our domain we get this page:

Okay, let's move on and check for any interesting directories here.

I didn't find anything interesting with this domain, so I decided to enumerate sub-domains and see if I could get anything to cook and roast.

And I found some sexy old sub-domains here to dance with. Let's add them to our /etc/hosts and see what we can find there, maybe some juicy information.

Let's try something: normally when I see a sub-domain I check its robots.txt and its source code.

robots.txt has some juicy information, so let's check it out. The source code had nothing cool in it.

STEP 3: FOOTHOLD
They are using Joomla as their CMS; for more information about Joomla check out this

Reference

After struggling here and there with every directory, I got to the administrator directory, and it was the most interesting one for me.

Got the login page for the administrator, but so far we have no user creds. I was stuck (default creds were not working here) and decided to take a break first.

Here I got stuck again because I didn't have the Joomla version; with at least that I could google for its exploit. I decided to fire up my terminal and run gobuster to search for directories again, and at last I found README.txt.

Now we got some juice (Joomla 4.x), and if you google it you will find it is vulnerable to unauthenticated information disclosure.

exploit from google

STEP 4: EXPLOITATION
Download the exploit from exploit-db and run it (the file downloads with a .py extension, but it is a Ruby script, which is why it is run with ruby).

command: ruby 51334.py http://dev.devvortex.htb

OUTPUT
And we got the database's juicy information, and also the site's own.
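From the blue-team side, the disclosure the exploit above relies on leaves a very recognisable trace in the web server's access log: an unauthenticated GET against the Joomla JSON API routes under /api/index.php/v1/ with public=true in the query string, and a 200 on the config/application route means the database credentials from configuration.php were actually handed out. The following is an added example (not code from the post, from exploit-db or from Joomla) that scans combined-format access log lines for those requests; the log lines, the WATCHED_ROUTES table and the function names are constructed for the demo.

```python
"""Detect unauthenticated hits on Joomla 4's API config/user routes in access logs.

Added example for this writeup, not part of the original post or of Joomla.
The five log lines below are constructed for the demo.
"""
import re

# Combined log format: client, timestamp, request line, status, bytes, referer, user-agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Joomla API routes whose unauthenticated exposure matters, with a severity label.
# (Sites that rewrite /api/index.php/ to /api/ need the shorter prefix added here.)
WATCHED_ROUTES = {
    "/api/index.php/v1/config/application": "critical",  # returns DB host/user/password
    "/api/index.php/v1/users": "high",                   # returns usernames and e-mails
}

# Constructed sample log: one benign page view, one full disclosure run from a Ruby
# client, one blocked attempt from a patched host, one admin page view.
SAMPLE_LOG = """\
10.10.14.5 - - [26/Nov/2023:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Nov/2023:10:01:09 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1860 "-" "Ruby"
10.10.14.5 - - [26/Nov/2023:10:01:10 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 640 "-" "Ruby"
10.10.14.7 - - [26/Nov/2023:10:02:30 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 71 "-" "curl/8.0"
10.10.14.9 - - [26/Nov/2023:10:03:00 +0000] "GET /administrator/index.php HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def findings(log_text):
    """List every request to a watched route that carries public=true.

    'leaked' is True only when the server answered 200, i.e. the data was returned
    and the site was unpatched at that moment; a 403/404 is an attempt worth
    logging but not a disclosure.
    """
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path, _, query = rec["target"].partition("?")
        params = set(query.split("&")) if query else set()
        severity = WATCHED_ROUTES.get(path.rstrip("/"))
        if severity is None or "public=true" not in params:
            continue
        out.append({
            "ip": rec["ip"],
            "path": path,
            "status": int(rec["status"]),
            "severity": severity,
            "leaked": rec["status"] == "200",
        })
    return out


if __name__ == "__main__":
    for f in findings(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:12} {f['status']} leaked={f['leaked']} {f['path']}")
```

Run it against a real log with `findings(open("/var/log/nginx/access.log").read())` and group the hits by IP; any 200 on the config route means the database password (and, if reused, the admin password) should be rotated, not just the CMS patched.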

And now we have some creds after a long wait; let's try to log in as lewis.

We got some users here:

user1: lewis (administrator)
user2: logan (user via SSH)

After moving around, I found a template page where I could edit and input my backdoor and get a shell.

Let's edit the error.php page: copy your exploit and input it there.

Now we need to set up a netcat listener in our terminal and trigger the exploit from this path (/templates/cassiopeia/error.php).

And now we got the reverse shell.

Let's stabilize our shell into something interactive.

Let's see what kind of users are present on this system (file=/etc/passwd).

We got 2 interactive users with a shell: root and logan. Moving directly to root is an insane method, so let's start with user logan.

If we run netstat -l, we will observe that we have a MySQL port listening (33060), and to confirm the MySQL creds you can find them in plaintext in /var/www/dev.devvortex/configuration.php

MySQL creds:
mysql_user: lewis
mysql_password: REDACTED

Let's access the MySQL server and dump some user data here.

After we have got access to MySQL, we can try to dump the table sd4fg_users from the database joomla.

After dumping the table (sd4fg_users) you will get the following output.

Now let's crack the hash of user logan, because he is the one with SSH access and we need that remote access.

username: logan
hash: $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
cracked_hash: tequieromucho
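A quick check worth doing before throwing a hash at hashcat (mode 3200 is bcrypt) is to confirm it is intact: bcrypt's modular-crypt form is `$2y$<cost>$<22-char salt><31-char digest>`, and when a hash is copied out of a rendered page the `$10$` segment often gets swallowed as markup, leaving the two fragments seen in many writeups. The parser below is an added example, not code from the post, from Joomla or from hashcat; it recovers the three fields from logan's hash, reports how many key-setup rounds the cost implies, and lets a defender check the stored cost against a minimum policy. The function names and the minimum of 10 are assumptions for the demo.

```python
"""Parse a bcrypt hash of the kind Joomla stores and check its work factor.

Added example for this writeup, not code from the original post or from Joomla.
LOGAN_HASH is the hash the post dumps from sd4fg_users.
"""
import re
from dataclasses import dataclass

# $<ident>$<cost>$<22-char salt><31-char digest>, using bcrypt's own base64 alphabet.
BCRYPT_RE = re.compile(
    r'^\$(?P<ident>2[abxy]?)\$(?P<cost>\d{2})\$'
    r'(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$'
)

LOGAN_HASH = "$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12"


@dataclass
class BcryptHash:
    ident: str    # "2y" is the PHP password_hash() variant Joomla writes
    cost: int     # log2 of the number of expensive key-setup rounds
    salt: str
    digest: str

    @property
    def rounds(self):
        # bcrypt runs 2**cost iterations of its key schedule per guess,
        # so each +1 on the cost doubles the attacker's cracking time.
        return 2 ** self.cost


def is_bcrypt(h):
    """True if the string is a complete, well-formed bcrypt hash."""
    return BCRYPT_RE.match(h.strip()) is not None


def parse_bcrypt(h):
    """Split a bcrypt string into its fields; raise on a truncated/garbled one."""
    m = BCRYPT_RE.match(h.strip())
    if not m:
        raise ValueError("not a complete bcrypt modular-crypt string (60 chars expected)")
    return BcryptHash(m["ident"], int(m["cost"]), m["salt"], m["digest"])


def cost_ok(h, minimum=10):
    """Policy check: does the stored hash meet the minimum cost factor?"""
    return parse_bcrypt(h).cost >= minimum


if __name__ == "__main__":
    p = parse_bcrypt(LOGAN_HASH)
    print(f"variant={p.ident} cost={p.cost} rounds={p.rounds} salt={p.salt}")
    print("meets cost policy (>=10):", cost_ok(LOGAN_HASH))
```

The two fragments shown in the dump (`$2y` and `10IT4k...`) fail `is_bcrypt()` on their own, which is the cue to re-join them before cracking; a hash that parses but has a low cost is a finding in its own right, since the cost is what makes offline cracking slow.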

And now we need to log in via SSH:
username: logan@devvortex.htb
password: tequieromucho

STEP 5: PRIVILEGE ESCALATION
Privilege escalation was simple.

command: sudo -l

After googling I found this PoC useful here.

Resources for root

If we read this article (Reference), we will understand that the binary collects data from crashed processes and compiles a problem report in /var/crash/.

So in order to abuse this binary we need to specify any filename of our choice and force the binary into the view-report pager, where we can execute !sh to gain root access.

I just specified a file named pewpew.log using option -c.

And finally we got root access by abusing the binary.
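The root cause here is not apport-cli itself but the combination of a sudo rule that runs it as root and a pager (less) that honours `!` shell escapes; the same pattern applies to any sudo-granted binary that opens a pager or an editor. The script below is an added example (not from the post or from apport) that parses `sudo -l` output, which is what the post inspects first, and flags rules whose target binary can hand the caller a shell. The sudo -l text, the ESCAPE_CAPABLE list and the function names are constructed for the demo.

```python
"""Flag sudo rules that hand out binaries with interactive shell escapes, e.g. apport-cli.

Added example for this writeup, not code from the original post or from apport.
SUDO_L_SAMPLE is a constructed 'sudo -l' output, not copied from the box.
"""
import re
import sys

SUDO_L_SAMPLE = """\
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) NOPASSWD: /usr/bin/apport-cli
    (root) /usr/bin/systemctl status nginx
"""

# Binaries that open a pager/editor or otherwise offer a shell escape to the caller.
# Constructed starter list for the demo; extend it from your own inventory.
ESCAPE_CAPABLE = {"apport-cli", "less", "more", "vi", "vim", "man"}

# One rule line: "(runas) [TAG: ...] /path/to/cmd [args]"
RULE_RE = re.compile(r'^\((?P<runas>[^)]+)\)\s+(?P<tags>(?:\w+:\s+)*)(?P<cmd>\S+)(?P<args>.*)$')


def parse_sudo_l(text):
    """Turn the rule section of 'sudo -l' output into a list of rule dicts."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        # The Defaults block ends and the rule list starts at the "User ... may run" line.
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line.strip())
        if m:
            rules.append({
                "runas": m["runas"].strip(),
                "nopasswd": "NOPASSWD:" in m["tags"],
                "cmd": m["cmd"],
                "args": m["args"].strip(),
            })
    return rules


def risky_rules(text):
    """Return the rules whose binary can spawn a shell from its pager or editor."""
    out = []
    for r in parse_sudo_l(text):
        name = r["cmd"].rsplit("/", 1)[-1]
        if name in ESCAPE_CAPABLE:
            r["reason"] = (f"{name} can drop to a shell via its pager/editor; "
                           f"runs as {r['runas']}" + (", no password" if r["nopasswd"] else ""))
            out.append(r)
    return out


if __name__ == "__main__":
    # Usage: sudo -l | python3 audit_sudo.py   (falls back to the sample when stdin is a tty)
    text = SUDO_L_SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for r in risky_rules(text):
        print(f"RISK {r['cmd']}: {r['reason']}")
```

For the apport-cli case the fix is to patch apport and drop the sudo rule; where a pager genuinely has to run under sudo, starting less with `LESSSECURE=1` in the environment makes it refuse `!` and other shell-out commands, which is the behaviour the escalation depends on.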

HACK THE PLANET GUYS(By alienkeric AKA alienX)

If you have any questions, ping me here:
Twitter AKA X