Devvortex Writeup Hack The box (Rian Friedt)

Enumeration first!

2 of the OG ports

lets run an agressive scan against these 2

sudo nmap 10.10.11.242 -p 22,80 -A

DONT forget to add devvortex.htb in /etc/hosts

lets browse to http://devvortex.htb/

poked alittle bit around but no luck lets continue with a subdomain brute force

add the dev.devvortex.htb to your /etc/hosts

again poked around but no luck!

a quick “dirsearch -u http://dev.devvortex.htb/” helped me and found some interesting subdomains

there is an adimistrator login portal

Joomla interesting lets see if we can find out the version

Joomla 4.2 lets dig and search for some exploits

didnt take long and we found

https://github.com/Acceis/exploit-CVE-2023-23752

NO LUCK!

the exploit doesnt work at the first try lets try to fix it

FIXXED IT!!!!!

Lets login to lewis on the administrator portal

poking and lurking around to find a way to get a shell brought me to

System ➡ Templates ➡ Administrator Templates.

browsing to http://dev.devvortex.htb/administrator/templates/atum/login.php

popped me a SHELL!!! what a feeling

lets look for the user flag

its under /home/logan but we cant open it..

a few minutes later(not)

got the hash

hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt — show
$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12:tequieromucho

lets go for the ssh

got the user flag

now to the Privesc

found this POC https://github.com/canonical/apport/commit/e5f78cc89f1f5888b6a56b785dddcb0364c48ecb?source=post_page-----605d60f2d5ef-------------------------------- but it didnt worked after reading the error massage it seemed that we need a crash report so lets create one

Choosing to view the report, a Vi editor appeared, and I immediately remembered that by passing the !:command syntax, I was able to execute code. Since I was running the binary in a privileged context, I could try gain root privileges by executing the !/bin/bash command and it worked!

FINALLY! Im sorry for rushing it without alot of emotions but its 2 AM and im tried now that im done i can sleep.

See you guys around here ❤