# Devvortex

{% embed url="<https://app.hackthebox.com/machines/Devvortex>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Summary

An Nmap scan identified open SSH and Nginx web server ports. Through directory and VHOST scanning, the target `dev.devvortex.htb` was pinpointed, revealing a vulnerable Joomla CMS on its administrator page. Exploiting a known RCE vulnerability in Joomla version 4.2.6, MySQL database credentials were extracted and used to gain administrative access at the Joomla backend.

With administrative access, a web shell was uploaded to Joomla, allowing command execution on the server. This capability led to a reverse shell as `www-data`, and subsequent access to user `logan`'s account after cracking password hashes found in the database.

The final stage involved exploiting a vulnerability in `apport-cli` for privilege escalation. By creating a crash report and escaping out of a crash report view, a root shell was spawned, providing complete control over the system.

## Recon

We scan the target with a Nmap scan and discover 2 open ports. We have SSH on port 22 and a Nginx web server in version `1.18.0` on port 80

<figure><img src="/files/8lWqv7vv76gKcLSs4qJP" alt=""><figcaption></figcaption></figure>

We then enumerate the web server's directories using Gobuster, but find nothing special.

<figure><img src="/files/AyuNvK6RvHBvWrDbLNXL" alt=""><figcaption></figcaption></figure>

Inspecting the site manually only reveals static links and no possible entry points.

<figure><img src="/files/paTwg9mNwxSkp5H7BUFA" alt=""><figcaption></figcaption></figure>

We use Ffuf to enumerate further VHOSTs, and we find what we are looking for: `dev.devvortex.htb` will be our next target.

<figure><img src="/files/zyw07uRIP9nY4ftx0CyA" alt=""><figcaption></figcaption></figure>

A directory scan on `dev.devvortex.htb` reveals an administrator page and an api page. A little more interesting.

<figure><img src="/files/mH8EPd8HFPmELHvpA4iQ" alt=""><figcaption></figcaption></figure>

The index page is not that promising.

<figure><img src="/files/PIJLco896eoyh8jSCnRm" alt=""><figcaption></figcaption></figure>

When we visit the administrators page, we see that we are dealing with the Joomla cms.

<figure><img src="/files/E6FNaXqxBNIeFO0WEeQm" alt=""><figcaption></figcaption></figure>

## Shell as www-data

Let's see what kind of version and possible vulnerabilities we are dealing with this Joomla. For this we make use of `joomscan`. And we are dealing with version `4.2.6`.

```sh
joomscan --url http://dev.devvortex.htb
```

<figure><img src="/files/1ChL8xp0nm5y9z6VslPB" alt=""><figcaption></figcaption></figure>

After a short research, we find an RCE vulnerability for this old version, whose POC can also be found in the following article. First, we are dealing with an information leak vulnerability that allows us unauthorized to extract sensitive information such as MySQL database credentials in clear text.

{% embed url="<https://vulncheck.com/blog/joomla-for-rce>" %}

With the following request to the web server, we receive the MySQL credentials of the user `lewis`.

```sh
┌──(0xb0b㉿kali)-[~/Documents/htb-app/devvortex]
└─$ curl -v http://dev.devvortex.htb/api/index.php/v1/config/application?public=true
```

<figure><img src="/files/LQCQf2RSOZl3JPpDBQxu" alt=""><figcaption></figcaption></figure>

On exploit-db you can also find a ruby script that provides a clearer output.

```
sudo gem install httpx
sudo gem install docopt
sudo gem install paint

https://www.exploit-db.com/exploits/51334
```

<figure><img src="/files/RKKm8aiQ9H8KnjaVikYk" alt=""><figcaption></figcaption></figure>

Next, we try to log in with those credentials via SSH and the Joomla login. And are able to log in successfully at Joomla. Nice, now we need to manage to get a web shell.

<figure><img src="/files/DKGSEYviy9dhVuWDElns" alt=""><figcaption></figcaption></figure>

For this, there are various web shell plugins for Joomla available:

{% embed url="<https://github.com/p0dalirius/Joomla-webshell-plugin>" %}

We request the following page, and we see that we are allowed to upload plugins.

```
http://dev.devvortex.htb/administrator/index.php?option=com_installer&view=install 
```

<figure><img src="/files/hofnQakxl82Jc0aKMpP6" alt=""><figcaption></figcaption></figure>

Next, we download the web shell plugin mentioned before and build it.&#x20;

<figure><img src="/files/AF06e6rMdsR161TwrxsI" alt=""><figcaption></figcaption></figure>

Then we can just drop the created zip into the field of uploading and installing Joomla extensions.

<figure><img src="/files/BfYxSEQCDNmesZ4hKiBM" alt=""><figcaption></figcaption></figure>

Now we are able to execute commands at the following page.

```url
http://dev.devvortex.htb/modules/mod_webshell/mod_webshell.php?action=exec&cmd=id
```

<figure><img src="/files/DIGHAoCV4fCHS8TQLS2i" alt=""><figcaption></figcaption></figure>

The exploit also comes with a python script that makes the web shell a bit more interactive. However, it is still a web shell. We use revshells.com, set up a listener and spawn a reverse shell.

<figure><img src="/files/AL8m6fk3xc5VD2OuiRyH" alt=""><figcaption></figcaption></figure>

After having the interactive reverse shell as `www-data` we upgrade the shell. Unfortunately, we did not reach the user flag yet.

{% embed url="<https://0xffsec.com/handbook/shells/full-tty/>" %}

<figure><img src="/files/F7DHVmwScuQbZUJKGubP" alt=""><figcaption></figcaption></figure>

## Shell as logan

We have the user logan on the system. From our automated exploit `CVE-2023-23752`, we know that logan is also registered with Joomla. We may also find his credentials in the user database. With a bit of luck, these could have been reused. We use the credentials from the previous steps to login to the MySQL database.

<figure><img src="/files/ltI1rRupUr52bvX6mMQh" alt=""><figcaption></figcaption></figure>

`sd4fg_users` looks promising.

<figure><img src="/files/Mn653TGxID2kkkgLRQV8" alt=""><figcaption></figcaption></figure>

Querying the contents of the table `sd4fg_users`, we find the hashes of `lewis` and logan.

<figure><img src="/files/mFwUekZkU5aaFHGjRKuM" alt=""><figcaption></figcaption></figure>

The hash is a `bcrypt $2*$, Blowfish (Unix)` hash and can be cracked with mode `3200`.&#x20;

<figure><img src="/files/YYOgGZ7ARYY5J7PHypz9" alt=""><figcaption></figcaption></figure>

We are able to log in with the credentials of logan and find the user's flag in the home directory of the user.

<figure><img src="/files/lVHAmW0R3efgM8PkgVF0" alt=""><figcaption></figcaption></figure>

## Shell as root

When enumerating as logan, we immediately notice that we can call `/usr/bin/apport-cli` using sudo. Not the nasty binary found on GTFOBins. So let's take a look at the version to find possible vulnerabilities.

<figure><img src="/files/4jskrrsT7iSyULDORw8I" alt=""><figcaption></figcaption></figure>

After a little research, we find what we need. Our version is vulnerable and allows us to extend our rights. In short, when we read a crash report, we can spawn a shell. Below are all the resources and explanations found:

{% embed url="<https://github.com/advisories/GHSA-qgrc-7333-5cgx>" %}

> A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to [CVE-2023-26604](https://github.com/advisories/GHSA-8989-8fhv-vq42). If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit.

{% embed url="<https://vuldb.com/?id.225896>" %}

<figure><img src="/files/kEiiJpEyrcwbWTg813S2" alt=""><figcaption></figcaption></figure>

{% embed url="<https://github.com/canonical/apport/commit/e5f78cc89f1f5888b6a56b785dddcb0364c48ecb>" %}

> The apport-cli supports view a crash. These features invoke the default pager, which is likely to be less, other functions may apply.&#x20;
>
> It can be used to break out from restricted environments by spawning an interactive system shell. If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
>
> apport-cli should normally not be called with sudo or pkexec. In case it is called via sudo or pkexec execute \`sensible-pager\` as the original user to avoid privilege elevation.
>
> Proof of concept:
>
> `$ sudo apport-cli -c /var/crash/xxx.crash`&#x20;
>
> `[...]`
>
> `Please choose (S/E/V/K/I/C): v`&#x20;
>
> `!id`
>
> `uid=0(root) gid=0(root) groups=0(root)`&#x20;
>
> `!done (press RETURN)`&#x20;
>
> This fixes [CVE-2023-1326](https://github.com/advisories/GHSA-qgrc-7333-5cgx).&#x20;
>
> Bug: <https://launchpad.net/bugs/2016023> Signed-off-by: Benjamin Drung <<benjamin.drung@canonical.com>>

Unfortunately, we do not have any crash reports on the system. What a pity.

<figure><img src="/files/VDGbe80nWvwjbgEHR1cx" alt=""><figcaption></figcaption></figure>

But we can create one ourselves using the parameter tag `-f`.

<figure><img src="/files/teMM9yNGBcCEx3Gl8hHS" alt=""><figcaption></figcaption></figure>

After creating the report we can immediately view the report by entering V. There we place `:!/bin/bash` to spawn a shell, since we run this in the context of root using sudo we get a `root` shell, and are able to reach out to `/roo`t and read the root flag at `/root/root.txt`.<br>

```
:!/bin/bash
```

<figure><img src="/files/6MDf04eBCbcPNZryvpzT" alt=""><figcaption></figcaption></figure>

Another way to generate a crash report could be to kill a process with the SIGSEGV signal, which would mean a SEGFAULT.

<figure><img src="/files/zbJTDgxkr40MsE0kvLTs" alt=""><figcaption></figcaption></figure>

1. **Background Execution of `sleep` Command:**`sleep 10 &` starts a background process that pauses for 10 seconds, allowing parallel command execution.
2. **Inducing a Segmentation Fault:**`killall -SIGSEGV sleep` sends a segmentation fault signal to all active `sleep` processes. The `SIGSEGV` signal forces these processes to terminate as if they encountered an invalid memory access. This action results in the operating system generating a crash report, useful for debugging and testing system error handling.

We can then read in the report using `-c` and enter `!:/bin/bash` to spawn a root shell.

<figure><img src="/files/kKQaeHjugW4wabHwBskw" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/gByKjrR6eHD4TRFVbsRf" alt=""><figcaption></figcaption></figure>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://0xb0b.gitbook.io/writeups/hackthebox/2024/devvortex.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.