CTF Report Devvortex

The HackTheBox report on the DevVortex virtual machine details a penetration testing engagement that involved identifying and exploiting various vulnerabilities, including Joomla exploits and privilege escalation techniques. The assessment successfully demonstrated the exploitation of security weaknesses, leading to unauthorized access and root privilege attainment. The findings emphasize the necessity for robust security measures and regular system audits to prevent unauthorized access.

Uploaded by

duosynx
Copyright
© All Rights Reserved

HackTheBox Report: Devvortex

Report Prepared By: Avinash K.A

HTB username: styxabhor

Date of Completion: 18th February 2024

Summary Overview

DevVortex is a virtual machine (VM) on the HackTheBox platform, designed for cybersecurity
enthusiasts like me to practice penetration testing, vulnerability assessment, and
exploitation. The machine is set up with various security vulnerabilities that I must identify
and exploit to gain root or administrative access.

DevVortex typically involves a combination of web application security, network
enumeration, privilege escalation, and other cybersecurity techniques. It may include
challenges related to web application vulnerabilities such as SQL injection, command
injection, or insecure file uploads, as well as system-level vulnerabilities like misconfigured
permissions or outdated software.

I engage with DevVortex to enhance my understanding of cybersecurity concepts and to
improve my practical skills in a controlled environment. By successfully exploiting
vulnerabilities on DevVortex, I can learn valuable lessons about securing systems and
defending against potential cyber threats.

Summary of Results
Initial Reconnaissance: Conducted an Nmap scan and directory fuzzing to identify open
ports, services, and potential entry points.

Joomla Exploitation: Leveraged a Joomla CVE exploit to gain unauthorized access to the
administrator panel, obtaining credentials and further system insights.

Database Interaction: Utilized MySQL commands and the Joomla command line interface to
extract user information and access critical data stored within the database.

Password Cracking: Employed John the Ripper to crack BCrypt hashed passwords, facilitating
unauthorized access to user accounts and escalating privileges.

Privilege Escalation: Exploited system vulnerabilities and misconfigurations to escalate
privileges, gaining root access to the target system.

Flag Retrieval: Successfully retrieved user flags and root flags, providing tangible evidence of
system compromise and penetration testing success.

Overall, the assessment demonstrated adept exploitation of vulnerabilities, thorough
reconnaissance, and effective privilege escalation techniques. These results underscore the
importance of robust security measures and regular system audits to mitigate the risk of
unauthorized access and potential exploitation.

Attack Discourse

Initial Reconnaissance:

During the initial reconnaissance phase of the penetration testing engagement on the target
machine "devvortex" by HackTheBox, a comprehensive scan was conducted using the Nmap
tool to identify open ports, running services, and potential vulnerabilities. Two services
were identified:

OpenSSH: This indicates that the machine has an SSH (Secure Shell) service running, which
typically provides remote access to the system. The version detected suggests it is running
on an Ubuntu operating system.

HTTP (nginx 1.18.0): This indicates that the machine is hosting a web server using nginx
version 1.18.0 on an Ubuntu operating system, which suggests there is a web application or
website hosted on the machine and accessible via HTTP.

Hosts File Configuration

To facilitate easier access to the target website "devvortex.htb," the hosts file on the testing
machine was modified. Using the sudo nano /etc/hosts command, the IP address of the target
machine (10.10.11.242) and its corresponding domain name ("devvortex.htb") were added to
the hosts file. This configuration allows the testing machine to resolve the domain name to
the specified IP address, enabling seamless access to the target website.

Web Directory and Subdomain Enumeration

In an attempt to discover additional web directories and subdomains on the target website
"devvortex.htb," various enumeration techniques were employed.

Initially, the Dirsearch tool was utilized to perform a directory brute-force scan on the target
website. Despite the effort, the scan did not yield significant results, indicating limited
success in discovering hidden directories.

Subsequently, a DNS subdomain enumeration technique was employed using the WFuzz tool.
By fuzzing common subdomains against the target domain "devvortex.htb," the presence of
additional subdomains was discovered. Specifically, the subdomain "dev" was identified
through the fuzzing process.

Modification of Hosts File for Subdomain Access

Following the discovery of the subdomain "dev" during DNS subdomain enumeration, access
to this subdomain was facilitated by updating the hosts file on the testing machine. Using the
command sudo nano /etc/hosts, the IP address of the target machine (10.10.11.242) along
with the subdomain "dev.devvortex.htb" were added to the hosts file. This configuration
enables the testing machine to resolve the subdomain to the specified IP address, allowing
seamless access to the target website hosted on the "dev" subdomain.

With the hosts file updated to include the subdomain "dev.devvortex.htb," access to the
website hosted on this subdomain became possible, providing additional avenues for
reconnaissance and exploitation.

Joomla CMS Version Identification and Exploit Discovery

After updating the hosts file to include the subdomain "dev.devvortex.htb" and gaining
access to the website hosted on this subdomain, a subsequent dirsearch was performed to
enumerate web directories.

The dirsearch scan on the subdomain "dev.devvortex.htb" yielded numerous directories,
including notable findings such as "/robots.txt" and "/administrator". These directories may
contain sensitive information or potential entry points for further exploitation.

Upon accessing the "/robots.txt" file discovered during web directory enumeration on the
subdomain "dev.devvortex.htb," it was revealed that the website is powered by Joomla CMS.
The presence of Joomla CMS signifies a potential attack surface for further exploration and
exploitation: Joomla vulnerabilities, plugins, and misconfigurations may present opportunities for
unauthorized access, privilege escalation, or other security issues.

Subsequently, the "/README.txt" file was accessed to gather additional information about the version
of Joomla CMS in use on the target website, which turned out to be Joomla CMS version 4.2.

With the Joomla version identified, research was conducted to identify potential vulnerabilities and
exploits associated with Joomla 4.2. This led to the discovery of an exploit on GitHub targeting known
vulnerabilities in Joomla 4.2.

Penetration Phase:

Having identified the Joomla CMS version and discovered a relevant exploit for CVE-2023-23752,
the exploitation phase was initiated. The exploit files were downloaded, and the working
directory was changed to the one containing the exploit script, typically located at
/Downloads/exploit-CVE-2023-23752.

The exploit was executed by running the command ruby exploit.rb http://dev.devvortex.htb.
This command initiated the exploitation process, leveraging the identified vulnerability in the
Joomla CMS.
Upon successful execution of the exploit script, the Joomla administrator credentials
(username and password) were obtained, providing unauthorized access to the Joomla
administrator panel.
With the obtained credentials, unauthorized access was gained to the Joomla administrator
panel as the user "lewis," enabling further reconnaissance and potential exploitation of the
Joomla CMS.
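
As an added example (not part of this report or of the exploit it used), the following Python script shows how a defender could spot CVE-2023-23752 probing in nginx access logs. The flagged API paths and the public=true query are the ones the public advisory for this CVE describes; the log lines are constructed.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed nginx access-log lines (combined format); not taken from the target box.
SAMPLE_LOG = """\
10.10.14.5 - - [18/Feb/2024:10:01:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1532 "-" "Ruby"
10.10.14.5 - - [18/Feb/2024:10:01:03 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 884 "-" "Ruby"
10.10.14.9 - - [18/Feb/2024:10:02:10 +0000] "GET /administrator/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.9 - - [18/Feb/2024:10:02:11 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# API resources that CVE-2023-23752 (Joomla 4.0.0 to 4.2.7, fixed in 4.2.8) exposed to
# unauthenticated callers; the advisory's ?public=true query is what detection rules key on.
SENSITIVE_PATHS = {"/api/index.php/v1/config/application", "/api/index.php/v1/users"}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_cve_2023_23752_probe(entry):
    """True when the request targets a sensitive API path with public=true."""
    parts = urlsplit(entry["target"])
    if parts.path.rstrip("/") not in SENSITIVE_PATHS:
        return False
    return parse_qs(parts.query).get("public", [""])[0].lower() == "true"

def find_probes(log_text):
    """Return (source ip, path, status) for every probe in the log text."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_cve_2023_23752_probe(entry):
            hits.append((entry["ip"], urlsplit(entry["target"]).path, int(entry["status"])))
    return hits

def leaked_by_ip(log_text):
    """Count probes that returned HTTP 200 per source: those most likely leaked config/users."""
    return Counter(ip for ip, _, status in find_probes(log_text) if status == 200)

if __name__ == "__main__":
    for ip, n in leaked_by_ip(SAMPLE_LOG).items():
        print(f"{ip}: {n} successful disclosure request(s)")
```

A 200 on these paths from an unpatched Joomla 4.2 is the signal that database credentials may already be in an attacker's hands, so the response is to rotate them as well as to patch.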

Remote Code Injection:

Following unauthorized access to the administrator panel of the Joomla CMS, further
exploration of the website was conducted to identify potential vulnerabilities or entry points
for exploitation. Subsequently, attention was drawn to the "Systems" menu, specifically the
"Templates (Administrator)" option, indicating a potential avenue for code manipulation and
injection.
Upon accessing the administrator templates, focus was directed towards the "Atum Details
and Files" option, leading to the discovery of an editor menu where website code could be
modified.

Within the editor menu, the presence of an "index.php" file was observed, representing a
potential target for code injection and execution of a reverse shell.

After identifying the "index.php" file within the editor menu of the Joomla CMS, a decision
was made to proceed with injecting a payload obtained from GitHub into the code. The
payload was copied and pasted into the second line of the "index.php" file, initiating the
process of remote code injection.

Following the implementation of the payload for remote code injection into the "index.php"
file within the Joomla CMS, a netcat listener was initiated on the attacker's machine using the
command nc -lvnp 3113. Subsequently, upon triggering the injected payload, a reverse shell
connection was established, providing the attacker with interactive access to the target
system.

Upon successful execution of the injected payload, the attacker received a shell prompt,
indicating the establishment of a reverse shell connection from the target system to the
attacker's machine.

Effective Troubleshooting and Utilization:

Upon gaining an interactive shell on the target system, attempts to read the "user.txt" file
were unsuccessful. Additionally, further investigation revealed the presence of another user
named "logan," who is a registered user compared to "lewis," who holds superuser privileges.

To elevate privileges and gain full interactive access to the system, a TTY shell command was
executed. This command spawns a pseudo-terminal (TTY), providing a more interactive shell
environment and potentially allowing for enhanced privilege escalation techniques:
python3 -c 'import pty; pty.spawn("/bin/bash")'

Following the successful execution of the TTY shell command and the attainment of an interactive
shell, MySQL commands were employed to interact with the database. Specifically, the
command mysql -u lewis -p was utilized to log in to the database management system
under the user "lewis," prompting for the corresponding password.
Upon successful authentication, access to the database was granted, enabling the execution
of queries to retrieve information stored within the database tables. The primary objective
was to query the database to obtain the password hash of the user "logan" for further
analysis and potential exploitation.

Upon encountering difficulties accessing the database tables directly through MySQL
commands, an alternative approach was pursued by leveraging the Joomla command line
interface.

After accessing the Joomla command line interface, the command show tables; was
successfully executed, providing a list of available database tables. However, attempts to
directly query the "Users" table encountered errors.

To resolve this issue, the command joomla was invoked, granting access to Joomla's built-in
functionality and potentially circumventing the errors encountered with MySQL commands.
Subsequently, the command show tables; was re-executed, successfully listing the available
database tables.

Brute Force Attack
After identifying the BCrypt hashed password for the user "logan" in the "sd4fg_users" table,
the decision was made to crack this hash using the powerful password cracking tool, John the
Ripper.
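
Added example (not from the report): a Python audit of the stored hashes in a Joomla users table, showing why the bcrypt work factor matters once a hash like logan's reaches a cracker. The rows are constructed, and the cost threshold is an assumed policy value.

```python
import re

# Constructed rows shaped like Joomla's users table (prefix sd4fg_ as on the box); the
# hash strings are made up and are not the real hashes from the engagement.
SAMPLE_USERS = [
    {"username": "lewis", "password": "$2y$10$" + "a" * 53},
    {"username": "logan", "password": "$2y$10$" + "b" * 53},
    {"username": "oldadmin", "password": "5f4dcc3b5aa765d61d8327deb882cf99:saltsalt"},
]

# Modular-crypt bcrypt string: $2a$/$2b$/$2y$, two-digit cost, 22-char salt + 31-char digest.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 12  # policy threshold assumed for this example; OWASP's floor is 10

def bcrypt_cost(hash_str):
    """Return the bcrypt work factor, or None if the string is not a bcrypt hash."""
    m = BCRYPT_RE.match(hash_str)
    return int(m.group(1)) if m else None

def relative_effort(cost, baseline=10):
    """Each +1 in cost doubles the work per guess: effort scales by 2**(cost - baseline)."""
    return 2 ** (cost - baseline)

def audit(rows, min_cost=MIN_COST):
    """Flag legacy Joomla md5:salt strings and bcrypt hashes whose cost is below min_cost."""
    findings = []
    for row in rows:
        cost = bcrypt_cost(row["password"])
        if cost is None:
            findings.append((row["username"], "legacy md5:salt hash, rehash on next login"))
        elif cost < min_cost:
            findings.append((row["username"], f"bcrypt cost {cost} is below {min_cost}"))
    return findings

if __name__ == "__main__":
    for user, issue in audit(SAMPLE_USERS):
        print(f"{user}: {issue}")
```

A higher cost slows every guess John makes by the same factor, but it does not rescue a password that sits in a wordlist, so this audit belongs beside a password-policy check.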

Privilege Escalation To Logan

With the cracked password in hand, SSH access to the target system under the user "logan"
was achieved using the command "ssh [email protected]". By providing the cracked password
during the SSH authentication process, unauthorized access to the target system was gained
under the user "logan," facilitating further exploration and potential exploitation.

After gaining unauthorized access to the shell under the user "logan" via SSH, a directory
listing (ls) was performed to examine the contents of the current directory, and the presence
of the file "user.txt" was noted. This file likely contains the user flag, which signifies
successful exploitation and unauthorized access to the target system.

Privilege Escalation To Root

The first thing I did as a user was to list logan's sudo privileges: “sudo -l”

I could run /usr/bin/apport-cli with sudo, but needed to figure out how to exploit it. Quick
research revealed a CVE:

A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to
CVE-2023-26604. If a system is specially configured to allow unprivileged users to run
sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local
attacker can escalate privilege. It is extremely unlikely that a system administrator
would configure sudo to allow unprivileged users to perform this class of exploit.

I started exploring. Following this, I utilized the command sudo /usr/bin/apport-cli --help to
familiarize myself with the available switches. Subsequently, leveraging the -f switch, I
attempted to generate a crash report.

After initiating the crash report using the -f switch, I was prompted with choices regarding the
type of problem to report. Opting for the second option, I specified the display problem
observed. Subsequently, upon creating the report, I was presented with four options,
selecting the "view report" option denoted by 'V'.
By choosing to view the report, a Vi-like editor appeared, and I immediately
remembered that by passing the !:command syntax, I could execute code. Since I was
running the binary in a privileged context, I could gain root access by executing
!/bin/bash:

I successfully gained root access and accessed the root.txt file:

Pwned!
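
As an added example (not part of the report), the following Python script audits sudoers rules for the precondition the advisory quoted above describes: a non-root principal allowed to run apport-cli (or less, its pager) under sudo. The sudoers content is constructed.

```python
import re

# Constructed /etc/sudoers content for this example; not the target's real configuration.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
logan   ALL=(ALL) /usr/bin/apport-cli     # the kind of grant the report abused
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
"""

# Binaries that hand the invoking user a root-context pager: apport-cli (pipes reports
# through less) and less itself, per the advisory quoted above. Full ALL grants are
# deliberate admin access and are not reported here.
PAGER_SPAWNING = {"/usr/bin/apport-cli", "/usr/bin/less"}

RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$")

def parse_rules(text):
    """Parse user-specification lines, skipping comments and Defaults entries."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(m.groupdict())
    return rules

def risky_rules(text):
    """Return (principal, binary) pairs granting a non-root principal a pager-spawning command."""
    found = []
    for rule in parse_rules(text):
        if rule["who"] == "root":
            continue
        for cmd in rule["cmds"].split(","):
            cmd = re.sub(r"^(?:[A-Z]+:\s*)+", "", cmd.strip())  # drop NOPASSWD: and similar tags
            binary = cmd.split()[0] if cmd else ""
            if binary in PAGER_SPAWNING:
                found.append((rule["who"], binary))
    return found

if __name__ == "__main__":
    for who, binary in risky_rules(SAMPLE_SUDOERS):
        print(f"{who} may run {binary} as root: review this grant")
```

Such a grant is worth removing outright; the quoted advisory itself notes that an administrator would be very unlikely to configure it on purpose.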

Conclusion

In conclusion, the penetration testing engagement on the "devvortex" system demonstrated
a comprehensive exploration of vulnerabilities and exploitation techniques. Beginning with
initial reconnaissance through tools like Nmap and directory fuzzing, the assessment
progressed through Joomla exploitation, database interaction, password cracking, and
privilege escalation. Each step illustrated adept navigation of security layers, leading to
unauthorized access, user flag retrieval, and ultimately, root privilege attainment. The
engagement showcased proficiency in exploiting weaknesses, highlighting the critical
importance of robust security measures to safeguard against such exploits. Moving forward,
it is imperative for organizations to implement rigorous security protocols and regularly
update systems to mitigate the risk of unauthorized access and potential compromise.
