In this post, I would like to share a walkthrough of the Devvortex Machine from Hack the Box

This room will be considered an Easy machine on Hack the Box

What will you gain from the Devvortex machine?

For the user flag, you will need to expose the list of users along with the database connection password, leveraging this information to gain entry to the admin panel. Within the admin panel, I’ll demonstrate obtaining execution privileges through two methods: by altering a template and by creating a webshell plugin. Upon obtaining access, I’ll proceed to pivot to the next user by decrypting their hash from the database.

As for the root flag, you need to abuse a pager vulnerability in apport-cli that allows escaping to a root shell when run with sudo.

For those who want to learan or improve CyberSecurity skills especially Red Teaming and Blue Team, You can use the link to support me

Academy link can be found

Information Gathering on Devvortex Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start

└──╼ $ nmap -sC -sV -oA inital
Starting Nmap 7.93 ( ) at 2023-11-26 08:43 EST
Nmap scan report for
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (conn-refused)
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 42.76 seconds
└──╼ $ 

Let’s access the website interface

Sadly, we didn’t see anything useful to be abused by us.

Therefore, let’s try to enumerate the directory with gobuster but not much of the directory that we can investigate into

As a result, let’s try to retrieve any subdomain with gobuster and we only obtain one subdomain which is dev.devvortex.htb

The screenshot above shows the website interface for the subdomain that we found earlier.

Let’s see the response via burpsuite which there’s nothing that we can look into

After we analyze the website interface thoroughly, there’s nothing that we use in the next step. Therefore, let’s enumerate the directory by using the gobuster. From the output, we can access the administrator on the browser.

Let’s access the /administrator directory on the website which we are presented with login page. If you notice, the page shows the Joomla Interface.

There is nothing stored on the /modules/ directory

From my experience of playing with the Joomla application before, there should be a robots.txt file stored inside the website

The screenshot above shows the default information for JOOMLA on the website which led us to notify the version of JOOMLA use

CVE-2023-23752 Vulnerability

As a result, let’s do some research on it

There’s a GitHub page that can be found here which we can abuse later on

We can use the GitHub – Pushkarup/CVE-2023-23752: Exploit for CVE-2023-23752 (4.0.0 <= Joomla <= 4.2.7) for further step

Let’s install it manually on our machine

By using those scripts, we can obtain the username and password using this method

We should be accessing the dashboard using the credentials that we found earlier

We can enter the exploit shown above

Let’s start our listener

Let’s create an empty HTML file

We should zip those files into one file

On the System Dashboard, we need to find somewhere that we can upload the malicious file

As a result, we should be looking at the plugins that have been installed within the JOOMLA

We are required to upload the malicious file into the Joomla Application

At last, we have successfully uploaded the malicious file

After a while, we should be getting the reverse shell connection back to us.

Another method to get the www-data shell

As we abuse the WordPress theme, we might be able to abuse the theme on the JOOMLA application

However, we are presented with only one theme on the JOOMLA application

On the error.php file, we need to add the malicious PHP command which will lead us to obtain the reverse shell on our machine

We can trigger the malicious command by accessing the error.php page

At last, we can also obtain the shell this way

Enumerate the MySQL database on the machine

Let’s access the database

We should be presented the database as shown above

The screenshot above shows the tables that can be investigated further

It doesn’t look pretty organized

After a while of analysis, we managed to obtain the hashes that were stored inside the database

We should be copy-paste the hashes that we found earlier into a file

Let’s start our hashcat process

Finally, we have retrieved the password for logan

Boom! We have successfully accessed the machine as logan

Let’s get the access as login by using pwncat-cs or SSH service


We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

As usual, we found the binary we can abuse in the next stage.

CVE-2023–26604 Vulnerability

The screenshot above shows the source code for the binary

Let’s execute the binary

The picture above shows the help manual for the binary

We also can find the version of the binary

Firstly, we can check the crash in which only two files are stored.

We need to check the process by using the sleep command

Therefore, let’s kill the process that we found earlier.

There is one new crash file after that progress

Let’s use the new crash file

Let’s try to execute the simple and basic command as shown above

As a result, we managed to execute the command injection by using the crash file

We can use the command injection to give the bash permission as SUID binary

We can read the user flag by typing the “cat root.txt” command

Extra Information on Devvortex machine