Devvortex Writeup Hack The box (Rian Friedt)
Enumeration first!
2 of the OG ports
lets run an agressive scan against these 2
sudo nmap 10.10.11.242 -p 22,80 -A
DONT forget to add devvortex.htb in /etc/hosts
lets browse to http://devvortex.htb/
poked alittle bit around but no luck lets continue with a subdomain brute force
add the dev.devvortex.htb to your /etc/hosts
again poked around but no luck!
a quick “dirsearch -u http://dev.devvortex.htb/” helped me and found some interesting subdomains
there is an adimistrator login portal
Joomla interesting lets see if we can find out the version
Joomla 4.2 lets dig and search for some exploits
didnt take long and we found
https://github.com/Acceis/exploit-CVE-2023-23752
NO LUCK!
the exploit doesnt work at the first try lets try to fix it
FIXXED IT!!!!!
Lets login to lewis on the administrator portal
poking and lurking around to find a way to get a shell brought me to
System ➡ Templates ➡ Administrator Templates.
browsing to http://dev.devvortex.htb/administrator/templates/atum/login.php
popped me a SHELL!!! what a feeling
lets look for the user flag
its under /home/logan but we cant open it..
a few minutes later(not)
got the hash
hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt — show
$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12:tequieromucho
lets go for the ssh
got the user flag
now to the Privesc
found this POC https://github.com/canonical/apport/commit/e5f78cc89f1f5888b6a56b785dddcb0364c48ecb?source=post_page-----605d60f2d5ef-------------------------------- but it didnt worked after reading the error massage it seemed that we need a crash report so lets create one
Choosing to view the report, a Vi editor appeared, and I immediately remembered that by passing the !:command syntax, I was able to execute code. Since I was running the binary in a privileged context, I could try gain root privileges by executing the !/bin/bash command and it worked!
FINALLY! Im sorry for rushing it without alot of emotions but its 2 AM and im tried now that im done i can sleep.
See you guys around here ❤