HackTheBox | Devvortex Walkthrough

Abdulrhman
May 9, 2024

Hi Folks!

Hope you are doing well ❤️.

Let’s get started with enumeration.

But first, let’s add the domain name to the hosts file.

echo "<target_ip>  devvortex.htb" >> /etc/hosts

Enumeration

Nmap Scan

nmap -T4 -v -p- -sCV <target_ip>
nmap scan

We got two open ports: port 22 running SSH and port 80 running HTTP.

Web Enumeration

web interface

Doing some manual enumeration as well as using dirsearch to fuzz directories and reading the source code, I got nothing.

I thought of brute forcing subdomains, as a last step before digging deeper.

Here, I like to use wfuzz and as I expected, I found a subdomain.

wfuzz -w <wordlist> -u http://devvortex.htb/ -H 'Host: FUZZ.devvortex.htb' -t 60 --hc 302
subdomain brute force

So let’s add the new subdomain to the /etc/hosts file.
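
A defender-side view of the Host-header brute force above, as an added example that is not part of the original walkthrough: it flags clients that cycle through many Host values in a short window and lists the names that escaped the catch-all 302. The log format, the sample lines, the subdomain names and the thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed nginx log_format (not from the walkthrough): '$host $remote_addr [$time_local] "$request" $status'
LINE_RE = re.compile(r'^(\S+) (\S+) \[([^\]]+)\] "[^"]*" (\d{3})$')
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log, not captured from the box; all host names are made up.
SAMPLE_LOG = """\
www.devvortex.htb 10.10.14.5 [09/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 302
mail.devvortex.htb 10.10.14.5 [09/May/2024:10:00:01 +0000] "GET / HTTP/1.1" 302
intranet.devvortex.htb 10.10.14.5 [09/May/2024:10:00:02 +0000] "GET / HTTP/1.1" 200
test.devvortex.htb 10.10.14.5 [09/May/2024:10:00:02 +0000] "GET / HTTP/1.1" 302
api.devvortex.htb 10.10.14.5 [09/May/2024:10:00:03 +0000] "GET / HTTP/1.1" 302
intranet.devvortex.htb 10.10.14.9 [09/May/2024:10:05:00 +0000] "GET / HTTP/1.1" 200
"""

def parse(line):
    """Return (ip, host, timestamp, status), or None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, ip, ts, status = m.groups()
    return ip, host.lower(), datetime.strptime(ts, TS_FORMAT), int(status)

def find_vhost_fuzzers(lines, base_domain, threshold=5, window=timedelta(seconds=60)):
    """Flag clients that send >= threshold distinct Host values under
    base_domain inside one sliding window. For each, list the hosts that did
    not get the catch-all 302, i.e. the vhosts the scan revealed."""
    per_ip = defaultdict(list)
    for rec in filter(None, map(parse, lines)):
        if rec[1].endswith("." + base_domain):
            per_ip[rec[0]].append(rec[2:] + (rec[1],))  # (ts, status, host)
    flagged = {}
    for ip, evs in per_ip.items():
        evs.sort()
        start = 0
        for end, (ts, _, _) in enumerate(evs):
            while ts - evs[start][0] > window:
                start += 1  # drop events that fell out of the window
            if len({h for _, _, h in evs[start:end + 1]}) >= threshold:
                flagged[ip] = {
                    "tried": len({h for _, _, h in evs}),
                    "found": sorted({h for _, s, h in evs if s != 302}),
                }
                break
    return flagged
```

The "found" list is what to review first: those are the virtual hosts the scanning client now knows about.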

Subdomain Enumeration

subdomain interface

Doing manual enumeration again, I got nothing.

Here I used dirsearch to fuzz directories.

dirsearch

The administrator endpoint caught my eye.

/administrator endpoint

It’s Joomla CMS. So let’s look for its version as it may have a CVE.

Navigating to the /README.txt endpoint reveals the version.

Joomla version

Googling this version, I found it has an Unauthenticated Information Disclosure vulnerability, CVE-2023-23752.

We can use this POC.

It didn’t work for me and it gave me a lot of errors. So I read the source code and I got where the vulnerability is.

manual exploitation

Navigating through the response, I found credentials.

Found credentials

Here, I tried to log in to SSH, but it didn’t work. So let’s log in to the Joomla Administrator Portal.

Joomla Dashboard

So let’s try to modify any template to get a shell on the box.

modifying a template

On clicking save and going to the modified link, I got a hit.

shell on the box

Lateral Movement

Enumeration

By doing some basic enumeration, I found that the MySQL port is open and used by Joomla.

So let’s connect to MySQL server using the found credentials.

connect to mysql

Dumping the Joomla database, I got the hash of the other user on the box.

dumping joomla database

Let’s crack the hash.

cracking the hash

SSH

Let’s try to SSH using the new credentials. It worked this time.

ssh login

Privilege Escalation

Running sudo -l as basic enumeration shows that we can run apport-cli as root.

sudo -l

Here, I decided to get its version as it may have an exploit.

Here, I googled the version and after some time, I got another CVE: CVE-2023-1326.

By following the POC, I was able to become root!!

root

Conclusion

This was great fun!

I hope you enjoyed the walkthrough. I am waiting for your feedback.

Don’t forget to check other walkthroughs.
