Devvortex

Nmap Scan Result

We have ports 80 and 22 open. Since 80 indicates a web service, I immediately scanned for subdomains and subdirectories and found a "dev" subdomain using ffuf.

Doing basic recon on dev.devvortex.htb, I found possible endpoints in the robots.txt file.

There seems to be a Joomla unauthenticated vulnerability: https://www.exploit-db.com/exploits/51334.

To confirm, we run the exploit against the server, and it is indeed vulnerable.

Using the found creds to log in to the admin page.

Joomla templates, just like WordPress's, use PHP files, which means we can replace one of the files with our PHP reverse shell. In this case we are using the error_login.php file.

...and we got a shell, as www-data though. I also copied over linpeas.sh for priv esc.
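The foothold above works because a writable template file can be swapped for arbitrary PHP. As an added example (not part of this writeup), the script below shows the defender's side: a SHA-256 manifest of the templates tree taken after a clean install, then compared later to flag any template file that was added, removed or modified. The directory layout, template name and file contents are constructed in a temporary folder for the demo.

```python
"""Detect tampered Joomla template files by comparing SHA-256 manifests.

Added example, not from the original writeup. Paths and contents below are
constructed; on a real host, snapshot the Joomla templates/ directory after a
clean install or update and run compare_manifest() from a scheduled job.
"""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest."""
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare_manifest(baseline: dict, current: dict) -> dict:
    """Return files added, removed or changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            f for f in set(baseline) & set(current) if baseline[f] != current[f]
        ),
    }


def demo() -> dict:
    """Constructed scenario: clean template tree, then error_login.php replaced."""
    with tempfile.TemporaryDirectory() as tmp:
        tpl = Path(tmp) / "templates" / "example"  # hypothetical template name
        tpl.mkdir(parents=True)
        (tpl / "error_login.php").write_text("<?php // original template ?>\n")
        (tpl / "index.php").write_text("<?php // original template ?>\n")
        baseline = build_manifest(Path(tmp))

        # Simulate the tampering from the writeup: one template file overwritten,
        # plus an extra PHP file dropped into the same directory.
        (tpl / "error_login.php").write_text("<?php // replaced content ?>\n")
        (tpl / "dropped.php").write_text("<?php // new file ?>\n")
        return compare_manifest(baseline, build_manifest(Path(tmp)))


if __name__ == "__main__":
    print(demo())
```

Any hit in "modified" or "added" under templates/ outside a maintenance window is worth treating as a potential web shell until the file is reviewed.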

From linpeas, notice that port 3306 is open, meaning MySQL is running; this is reasonable since Joomla uses it to store user info. I tried logging in with the credentials we already have, and it worked.

Dumped the contents of sd4fg_users and got the password hashes of user Lewis (which we already have) and Logan.

From the hashcat wiki and hashid, we know the hash type is bcrypt, and we are able to crack it with hashcat.

Password hash cracked, and we are able to switch user to Logan from www-data.

Privilege Escalation

Using sudo -l, we can see logan can run apport-cli with sudo. A bit of lookup and you'll see the below or a similar exploit: https://github.com/diego-tella/CVE-2023-1326-PoC

...and we are root. Hope the below is self-explanatory. Bit tacky, but it's New Year and I've got to do this now 😒