In this post, I would like to share a walkthrough of the Devvortex machine from Hack The Box.


This machine is rated Easy on Hack The Box.

What will you gain from the Devvortex machine?


For the user flag, you need to expose the list of users along with the database connection password, and use that information to gain entry to the admin panel. Within the admin panel, I'll demonstrate obtaining code execution through two methods: altering a template and uploading a webshell plugin. Once we have a shell, I'll pivot to the next user by cracking their hash from the database.


As for the root flag, you need to abuse a pager vulnerability in apport-cli that allows escaping to a root shell when it is run with sudo.

For those who want to learn or improve their cybersecurity skills, especially Red Teaming and Blue Teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.

The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv

Information Gathering on Devvortex Machine


Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can begin with an nmap scan.

┌─[darknite@parrot]─[~/Documents/htb/Devvortex]
└──╼ $ nmap -sC -sV 10.10.11.242 -oA inital
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-26 08:43 EST
Nmap scan report for 10.10.11.242
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.76 seconds
┌─[darknite@parrot]─[~/Documents/htb/Devvortex]
└──╼ $ 

Let's access the website interface.


Sadly, we didn't see anything useful that we could abuse.


Therefore, let's try to enumerate directories with gobuster, but there are not many directories worth investigating.


Next, let's try to retrieve subdomains with gobuster; we obtain only one subdomain, dev.devvortex.htb.


The screenshot above shows the website interface for the subdomain we found earlier.


Let's look at the response in Burp Suite; there is nothing there that we can look into.


After analysing the website interface thoroughly, there is nothing we can use for the next step. Therefore, let's enumerate directories with gobuster. From the output, we can access /administrator in the browser.


Let's access the /administrator directory on the website, where we are presented with a login page. If you look closely, the page shows the Joomla interface.


There is nothing stored in the /modules/ directory.


From my experience with the Joomla application, there should be a robots.txt file on the website.


The screenshot above shows the default Joomla information on the website, which lets us identify the Joomla version in use.

CVE-2023-23752 Vulnerability


As a result, let's do some research on it.


There is a GitHub page (linked here) that we can use later on.


We can use GitHub – Pushkarup/CVE-2023-23752: Exploit for CVE-2023-23752 (4.0.0 <= Joomla <= 4.2.7) for the next step.


Let's install it manually on our machine.


By using this script, we can obtain the username and password.
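Before moving on, here is how a defender would spot this disclosure in the web server logs. This is an added example and is not part of the original post or of the Pushkarup exploit: a small Python parser for nginx's default combined log format that flags successful (200) responses on the Joomla 4 web-services API routes affected by CVE-2023-23752, the ones that hand the application configuration (including the database password) and the user list to unauthenticated clients. The log lines are constructed for the example; the addresses and timestamps are not from the machine.

```python
"""Flag unauthenticated hits on Joomla 4's web-services API in nginx logs.

Added example for this walkthrough (not part of the post or the exploit).
CVE-2023-23752 (4.0.0 <= Joomla <= 4.2.7) is an improper access check in
the /api/ web services: routes that should require an API token answer
anonymous requests, which is how the database password and user list leak.
A 200 response on one of those routes from a client that never authenticated
is what a defender alerts on; a 401 is the expected, patched behaviour.
"""
import re
from collections import defaultdict

# nginx default "combined" log format; query strings are dropped from the path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Joomla 4 API routes that leak configuration and user records under CVE-2023-23752.
SENSITIVE_ROUTES = (
    "/api/index.php/v1/config/application",
    "/api/index.php/v1/users",
)

# Constructed sample log lines; addresses and timestamps are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [26/Nov/2023:08:50:01 -0500] "GET /index.php HTTP/1.1" 200 12833 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Nov/2023:08:50:07 -0500] "GET /robots.txt HTTP/1.1" 200 764 "-" "Mozilla/5.0"
10.10.14.5 - - [26/Nov/2023:08:51:12 -0500] "GET /api/index.php/v1/config/application HTTP/1.1" 200 1519 "-" "python-requests/2.31"
10.10.14.5 - - [26/Nov/2023:08:51:13 -0500] "GET /api/index.php/v1/users HTTP/1.1" 200 2104 "-" "python-requests/2.31"
10.10.14.9 - - [26/Nov/2023:09:02:40 -0500] "GET /api/index.php/v1/users HTTP/1.1" 401 83 "-" "curl/7.81"
this line is not in combined format and is skipped
"""


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]
    return rec


def find_exposures(lines):
    """Return (ip, path, timestamp) for every successful hit on a sensitive route.

    A 401 on the same route is the expected behaviour of a patched site and is
    not reported; only a 200 means data actually went out.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 200 and rec["path"].startswith(SENSITIVE_ROUTES):
            hits.append((rec["ip"], rec["path"], rec["ts"]))
    return hits


def exposures_by_client(lines):
    """Group the hits per client address, in log order."""
    grouped = defaultdict(list)
    for ip, path, _ in find_exposures(lines):
        grouped[ip].append(path)
    return dict(grouped)


if __name__ == "__main__":
    for ip, paths in exposures_by_client(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT {ip}: unauthenticated API disclosure on {', '.join(paths)}")
```

On the sample data the script reports one client, 10.10.14.5, with two disclosures, and ignores the 401 from 10.10.14.9. The fix on the server side is upgrading Joomla to 4.2.8 or later; if the site does not use the web-services API at all, denying /api/ at the nginx layer removes the exposure independently of the Joomla version.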


We can access the dashboard using the credentials we found earlier.



We can enter the exploit shown above.


Let's start our listener.


Let's create an empty HTML file.


We should zip those files into one archive.


On the System Dashboard, we need to find somewhere to upload the malicious file.


As a result, we should look at the plugins that have been installed in Joomla.


We need to upload the malicious file into the Joomla application.


At last, we have successfully uploaded the malicious file.


After a while, we should get the reverse shell connection back.

Another method to get the www-data shell


Just as we can abuse a WordPress theme, we might be able to abuse the template on the Joomla application.


However, we are presented with only one template on the Joomla application.


In the error.php file, we add the malicious PHP command that will give us a reverse shell on our machine.


We can trigger the malicious command by accessing the error.php page.


At last, we can also obtain the shell this way.
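Both shells above depend on writing PHP into the Joomla tree after an admin login: editing a template's error.php, or dropping a new plugin under plugins/. A file-integrity baseline over the web root catches both. The following is an added example and not code from the original post or from Joomla: it hashes every .php file under a site root, compares against a saved baseline, and reports added, modified and removed files. The demo() function builds a constructed, minimal Joomla-like tree in a temporary directory (cassiopeia is the name of Joomla 4's default site template; the plugin path is made up) and replays the two changes.

```python
"""File-integrity baseline for a Joomla web root (added example, not Joomla code).

Records a SHA-256 per .php file, then reports what changed. Run build_baseline()
after a clean install or upgrade, store the result, and diff on a schedule; a
modified template file or a brand-new .php under plugins/ is exactly what the
two post-auth shells in this walkthrough leave behind.
"""
import hashlib
import json
import os
import tempfile


def build_baseline(root):
    """Map each .php file (relative path, forward slashes) under root to its SHA-256."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_baseline(old, new):
    """Return sorted lists of added, removed and modified paths between two baselines."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in new if p in old and old[p] != new[p]),
    }


def save_baseline(baseline, path):
    """Persist a baseline as JSON (store it off-box: an attacker with a shell can edit it)."""
    with open(path, "w") as fh:
        json.dump(baseline, fh, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as fh:
        return json.load(fh)


def demo():
    """Constructed Joomla-like tree: baseline it, then replay a template edit and a plugin drop."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, text):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write(text)

        # Minimal stand-in for a clean install (file contents are constructed).
        write("templates/cassiopeia/error.php", "<?php /* stock error page */\n")
        write("templates/cassiopeia/index.php", "<?php /* stock template */\n")
        write("administrator/components/com_users/users.php", "<?php /* core file */\n")
        baseline_path = os.path.join(root, "baseline.json")
        save_baseline(build_baseline(root), baseline_path)

        # The two changes the walkthrough makes through the admin panel.
        write("templates/cassiopeia/error.php", "<?php /* edited after baseline */\n")
        write("plugins/system/example_plugin/example_plugin.php", "<?php /* new plugin */\n")

        return diff_baseline(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:8s} {p}")
```

Running the demo reports templates/cassiopeia/error.php as modified and plugins/system/example_plugin/example_plugin.php as added. In a real deployment the baseline should live somewhere the web server's user cannot write, and the diff should be fed to whatever alerting is already in place; the same admin session that edits a template can also remove a baseline stored next to the site.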

Enumerate the MySQL database on the machine


Let's access the database.


We should be presented with the database as shown above.



The screenshot above shows the tables that can be investigated further.


It doesn't look very organized.


After a while of analysis, we managed to obtain the hashes stored in the database.


We should copy the hashes we found earlier into a file.


Let's start our hashcat process.


Finally, we have retrieved the password for logan.


Boom! We have successfully accessed the machine as logan.


Let's get access as logan by using pwncat-cs or the SSH service.




We can read the user flag by typing the "cat user.txt" command.

Escalate to Root Privileges Access


As usual, we found a binary we can abuse in the next stage.

CVE-2023-26604 Vulnerability


The screenshot above shows the source code for the binary.


Let's execute the binary.


The picture above shows the help manual for the binary.


We can also find the version of the binary.


First, we check the crash directory, where only two files are stored.


We need a process to work with, so we start one using the sleep command.


Therefore, let's kill the process we found earlier.


There is one new crash file after that step.


Let's use the new crash file.



Let's try to execute a simple, basic command as shown above.


As a result, we managed to achieve command injection via the crash file.


We can use the command injection to set the SUID bit on the bash binary.


We can read the root flag by typing the "cat root.txt" command.
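From the defender's side, the lesson of this root step is that any program which hands control to a pager becomes a shell when it is allowed under sudo. The following is an added example and is not from the original post or from apport: a small Python auditor for sudoers rules that flags commands known to invoke a pager (apport-cli, less, more, man, git, journalctl, systemctl) when the rule carries no NOEXEC: tag, since NOEXEC stops the pager from exec'ing a shell. The sudoers text is constructed for the example and is not the machine's real configuration; the apport-cli line only illustrates the pattern this walkthrough exploits.

```python
"""Audit sudoers rules for commands that can hand a root shell to a pager.

Added example for this walkthrough (not from the post or from apport).
apport-cli, less, more, man, git, journalctl and systemctl all page their
output through $PAGER (usually less), and less lets the user run a shell with
"!" unless the process is prevented from exec'ing anything. The sudo NOEXEC:
tag does exactly that, so a rule on one of these programs without NOEXEC: is
worth flagging regardless of whether the binary itself is patched.
"""
import os
import re

# "user host=(runas) [TAG: ...] cmd, cmd"; Defaults and alias lines are skipped.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV",
        "LOG_INPUT", "NOLOG_INPUT", "LOG_OUTPUT", "NOLOG_OUTPUT",
        "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}

# Programs that commonly invoke a pager when run interactively.
PAGER_SPAWNERS = {"apport-cli", "less", "more", "man", "git", "journalctl", "systemctl"}

# Constructed sudoers text for the example; not the machine's real configuration.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
logan   ALL=(ALL) NOPASSWD: /usr/bin/apport-cli
deploy  ALL=(root) NOEXEC: /usr/bin/journalctl -u webapp   # pager cannot exec a shell
ops     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/nginx/access.log
"""


def parse_sudoers(text):
    """Return one dict per command spec: who, runas, tags and the command string."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # sudo carries a tag forward to later commands in the same list; this
        # small parser accumulates tags and does not resolve opposites (EXEC: after NOEXEC:).
        tags = set()
        for spec in m.group("cmds").split(","):
            words = []
            for word in spec.split():
                if word.endswith(":") and word[:-1] in TAGS:
                    tags.add(word[:-1])
                else:
                    words.append(word)
            if words:
                rules.append({"who": m.group("who"), "runas": m.group("runas") or "root",
                              "tags": set(tags), "cmd": " ".join(words)})
    return rules


def audit(rules):
    """Return the rules that let a non-root user reach a pager without NOEXEC."""
    findings = []
    for rule in rules:
        if rule["who"] == "root" or "NOEXEC" in rule["tags"]:
            continue
        program = os.path.basename(rule["cmd"].split()[0])
        if rule["cmd"] == "ALL" or program in PAGER_SPAWNERS:
            findings.append(rule)
    return findings


if __name__ == "__main__":
    for f in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{f['who']} may run '{f['cmd']}' as {f['runas']} without NOEXEC: "
              "pager shell escape possible")
```

On the sample the auditor flags the logan rule for apport-cli and both of the ops commands, while the deploy rule passes because of its NOEXEC: tag. Patching apport is still the real fix for CVE-2023-26604 (as I understand it, the upstream change makes apport-cli set LESSSECURE=1 when it runs under sudo, which disables the shell escape in less); the NOEXEC: tag is the general control that also covers every other pager-spawning program granted through sudo.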

Extra Information on Devvortex machine