Hello fellow hackers, I just got bored and thought I should write something for the sake of infosec people. DevVortex is a Season 3 machine from HTB rated easy; in some ways it is not that easy, but in other ways it is very easy.
**OBJECTIVE**
1. Sub-domain enumeration
2. Enumerating services and versions (Joomla CMS)
3. Exploiting Joomla v4.x
4. Cracking the hash offline and online
5. RCE via backdoor
6. Exploiting the apport-cli binary
Let's begin our pentest now.
**STEP 1: SCANNING**
As always, we're only given an IP address (10.10.11.242), so we need to start from there and exploit the system.
Let's scan the target first.

We got 2 open ports from our first scan:
port 22 (SSH)
port 80 (web server)
From here, let's move on to enumerating and dissecting our target.
**STEP 2:ENUMERATION**
Port 22 is SSH, a secure remote protocol, so we definitely need creds to log in there, but we have no creds, so let's move to the other port.
Port 80 is a web server (add the IP address to your /etc/hosts).
If we browse to our domain we get this:

Okay, let's move on and check for any interesting directories here.

I didn't find anything interesting with this domain, so I decided to enumerate sub-domains and see if I could get anything to cook and roast.

And I found some sexy old sub-domains here to dance with; let's add them to our /etc/hosts and see what we can find in there, maybe some juicy information.

Let's try what I normally do when I see a sub-domain: check robots.txt and the source code.
robots.txt has some juicy information, so let's check it out. The source code had nothing interesting.

**STEP 3:FOOTHOLDING**
They are using Joomla as their CMS; for more information about Joomla check out this
[Reference](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwjKzMK22Y2DAxVDQ_EDHXFXBckQFnoECAkQAQ&url=https%3A%2F%2Fwww.joomla.org%2F&usg=AOvVaw1MgjjaEbgdto5czwtJxvnW&opi=89978449)
After struggling here and there with every directory, I got the administrator directory, and it was the most interesting one for me.

Got the login page for the administrator, but so far we have no user creds. I got stuck (default creds were not working here) and decided to take a break first.
Here I got stuck again because I didn't have the Joomla version; with that I could at least google for its exploit. I decided to fire up my terminal and run gobuster to search for directories again, and finally I found README.txt.

Now we got some juice (Joomla 4.x), and if you google it you will find it is vulnerable to unauthenticated information disclosure.
[exploit from google](https://www.exploit-db.com/exploits/51334)
**STEP 4:EXPLOITATION**
Download the exploit from exploit-db and run it.
**command:** ruby 51334.py http://dev.devvortex.htb
**OUTPUT**
And we got the juicy database information, and the site information as well.

And now, after a long wait, we have some creds; let's try to log in as lewis.
We got some users here:
**user1**: lewis (administrator)
**user2**: logan (user via SSH)
After moving around, I found a template page where I could edit and input my backdoor and get a shell.

Let's edit the error.php page: copy your exploit and input it there.

Now we need to set up a netcat listener in our terminal and trigger the exploit from this path (/templates/cassiopeia/error.php).
And now we have the reverse shell.
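The backdoor above lives in a template file, which is something a defender can catch: template PHP should never call exec-style functions, and its hash should not change outside a deployment. Added example (not from the original post): a baseline-and-scan check over a Joomla-style templates directory, run here on a constructed tree with a constructed tampering of error.php.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Templates only render HTML; a template that runs commands or evals code is a
# strong sign of an injected backdoor like the one planted in error.php above.
EXEC_CALLS = re.compile(
    r"\b(shell_exec|exec|system|passthru|popen|proc_open|eval|assert)\s*\(", re.I)

def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()

def build_baseline(template_root: str) -> dict:
    """Record a hash per PHP file while the template tree is known-good."""
    root = Path(template_root)
    return {p.relative_to(root).as_posix(): sha256_of(p) for p in root.rglob("*.php")}

def scan_templates(template_root: str, baseline: dict) -> list:
    """Report PHP files that differ from the baseline or contain exec/eval calls."""
    root = Path(template_root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        reasons = []
        if rel not in baseline:
            reasons.append("file not in baseline")
        elif baseline[rel] != sha256_of(path):
            reasons.append("hash differs from baseline")
        text = path.read_text(errors="ignore")
        calls = sorted({m.group(1).lower() for m in EXEC_CALLS.finditer(text)})
        if calls:
            reasons.append("suspicious call(s): " + ", ".join(calls))
        if reasons:
            findings.append({"file": rel, "reasons": reasons})
    return findings

def demo() -> list:
    """Constructed template tree: baseline it, then tamper with error.php."""
    root = tempfile.mkdtemp()
    tpl = Path(root) / "cassiopeia"
    tpl.mkdir()
    clean = "<?php\n// constructed clean template\necho '<h1>Error</h1>';\n"
    (tpl / "error.php").write_text(clean)
    (tpl / "index.php").write_text("<?php echo 'ok';\n")
    baseline = build_baseline(root)
    # Constructed tampering: a command-execution call appended to the template.
    (tpl / "error.php").write_text(clean + "<?php shell_exec('id'); ?>\n")
    return scan_templates(root, baseline)
```

On a real install, build the baseline from a clean deployment and run scan_templates from cron or a file-integrity job; the untouched index.php produces no finding, only the modified error.php does.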

Let's stabilize our shell into something interactive.

Let's see what kind of users are present on this system (file=/etc/passwd).

We got 2 interactive users with a shell: root and logan. Going straight for root is an insane method, so let's start with user logan.
If we run the command below (netstat -l), we will observe that a MySQL port is running (33060). To confirm the MySQL creds, you can find them in plaintext in /var/www/dev.devvortex/configuration.php.
**MySQL creds:**
mysql_user: lewis
mysql_password: REDACTED
Let's access the MySQL server and dump some user data here.

After we have got access to MySQL, we can try to dump the table sd4fg_users from the database joomla.

After dumping the table (sd4fg_users) you will get the following output.

Now let's crack the hash for user logan, because he is the one with SSH access and we need that remote access.
username:logan
hash:$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
cracked_hash:tequieromucho

And now we log in via SSH:
username:logan@devvortex.htb
password:tequieromucho

**STEP 5:PRIVILEGE ESCALATION**
Privilege escalation was simple.
**command**: sudo -l

After googling, I found this PoC useful here.
[Resources for root](https://github.com/alien-keric/CVE-2023-1326-PoC)
If we read this article here [Reference](https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=&cad=rja&uact=8&ved=2ahUKEwiQuq_e8Y2DAxXIQ6QEHdiSCn0QFnoECBYQAQ&url=https%3A%2F%2Fmanpages.ubuntu.com%2Fmanpages%2Ffocal%2Fen%2Fman1%2Fapport-cli.1.html&usg=AOvVaw2A27FUF21XyzcEj8PApbLB&opi=89978449), we will understand that the binary collects data from crashed processes and compiles a problem report in /var/crash/.
So in order to abuse this binary we need to specify any filename of our choice and force the binary into the view-report pager, where we can execute (**!sh**) to gain root access.

I just specified a file named pewpew.log using option -c.

And finally we got root access by abusing the binary.
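The root cause on this box is a sudo rule handing a pager-spawning binary to a low-privilege user, and that is cheap to audit. Added example (not from the original post): a parser for the text `sudo -l` prints plus a small audit that flags apport-cli (CVE-2023-1326, as linked above), unrestricted ALL rules, and NOPASSWD entries; the sample output is constructed in the `sudo -l` layout and is not the box's real output.

```python
import re

# Rule lines in `sudo -l` output look like "(root) NOPASSWD: /usr/bin/apport-cli".
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$")

# Binaries that hand the terminal to an interactive pager, which under sudo runs
# as root. apport-cli is this box's case; extend the set for your own fleet.
PAGER_SPAWNERS = {"apport-cli"}

def parse_sudo_l(output: str) -> list:
    """Return one dict per granted command from the text `sudo -l` prints."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if line.startswith("User ") and " may run " in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD" in tags,
                          "cmd": cmd.strip()})
    return rules

def audit(rules: list) -> list:
    """Flag rules that can let a low-privilege user reach a root shell."""
    findings = []
    for r in rules:
        exe = r["cmd"].split()[0]
        name = exe.rsplit("/", 1)[-1]
        if exe == "ALL":
            findings.append((r["cmd"], "unrestricted sudo"))
        elif name in PAGER_SPAWNERS:
            findings.append((r["cmd"], "spawns an interactive pager as root; patch apport and drop the rule"))
        elif r["nopasswd"]:
            findings.append((r["cmd"], "NOPASSWD: review whether the command can be abused"))
    return findings

# Constructed sample in the layout `sudo -l` uses; not the box's real output.
SAMPLE = """\
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
    (root) NOPASSWD: /usr/bin/systemctl status nginx, /bin/cat /var/log/nginx/access.log
"""
```

Feed it `sudo -l` output collected per user (for example via `sudo -l -U <user>` from an admin account) and treat any pager-spawner hit as a finding to fix by updating apport and removing the rule.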

**HACK THE PLANET GUYS(By alienkeric AKA alienX)**

If you have any questions, ping me here:
[Twitter AKA X](https://twitter.com/AlienKeric)