Devvortex


#joomla IP: 10.10.11.242 OS: Linux

PortScanner


nmap --min-rate 1000 -sV -sC -p- -oG fullscan 10.10.11.242
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-06 09:41 -03
Nmap scan report for 10.10.11.242 (10.10.11.242)
Host is up (0.21s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.19 seconds

DirScan

dirsearch -u http://devvortex.htb/ -e php,jsp,aspx,asp,js,md,bak,zip,tgz,yaml,yml -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, aspx, asp, js, md, bak, zip, tgz, yaml, yml | HTTP method: GET | Threads: 25 | Wordlist size: 14662

Output File: /home/parallels/Documents/htb/machines/Devvortex/reports/http_devvortex.htb/__24-02-06_09-45-39.txt

Target: http://devvortex.htb/

[09:45:40] Starting: 
[09:45:43] 301 -  178B  - /js  ->  http://devvortex.htb/js/                 
[09:46:34] 301 -  178B  - /css  ->  http://devvortex.htb/css/               
[09:46:46] 301 -  178B  - /images  ->  http://devvortex.htb/images/         
[09:46:46] 403 -  564B  - /images/                                          
[09:46:49] 403 -  564B  - /js/        

VhostScan

ffuf -u http://devvortex.htb/ -H "Host: FUZZ.devvortex.htb" -w /usr/share/wordlists/dnsmap.txt -fs 154

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://devvortex.htb/
 :: Wordlist         : FUZZ: /usr/share/wordlists/dnsmap.txt
 :: Header           : Host: FUZZ.devvortex.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 154
________________________________________________

dev                     [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 191ms]
:: Progress: [17576/17576] :: Job [1/1] :: 295 req/sec :: Duration: [0:01:06] :: Errors: 0 ::

  • Add the dev.devvortex.htb vhost to /etc/hosts

DirScan vhost

dirsearch -u http://dev.devvortex.htb/ -e php,jsp,aspx,asp,js,md,bak,zip,tgz,yaml,yml -x 404
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, jsp, aspx, asp, js, md, bak, zip, tgz, yaml, yml | HTTP method: GET | Threads: 25 | Wordlist size: 14662

Output File: /home/parallels/Documents/htb/machines/Devvortex/reports/http_dev.devvortex.htb/__24-02-06_10-41-58.txt

Target: http://dev.devvortex.htb/

[10:41:58] Starting: 
[10:42:03] 403 -  564B  - /%2e%2e;/test                                     
[10:42:44] 403 -  564B  - /admin/.config                                    
[10:43:41] 301 -  178B  - /administrator  ->  http://dev.devvortex.htb/administrator/
[10:43:42] 403 -  564B  - /administrator/includes/                          
[10:43:42] 200 -   31B  - /administrator/cache/
[10:43:43] 200 -   12KB - /administrator/                                   
[10:43:43] 200 -   12KB - /administrator/index.php                          
[10:43:43] 301 -  178B  - /administrator/logs  ->  http://dev.devvortex.htb/administrator/logs/
[10:43:43] 200 -   31B  - /administrator/logs/                              
[10:43:54] 403 -  564B  - /admpar/.ftppass                                  
[10:43:54] 403 -  564B  - /admrev/.ftppass                                  
[10:43:58] 301 -  178B  - /api  ->  http://dev.devvortex.htb/api/           
[10:44:18] 403 -  564B  - /bitrix/.settings                                 
[10:44:18] 403 -  564B  - /bitrix/.settings.bak                             
[10:44:18] 403 -  564B  - /bitrix/.settings.php.bak
[10:44:23] 301 -  178B  - /cache  ->  http://dev.devvortex.htb/cache/       
[10:44:23] 200 -   31B  - /cache/
[10:44:24] 403 -    4KB - /cache/sql_error_latest.cgi                       
[10:44:32] 200 -   31B  - /cli/                                             
[10:44:38] 301 -  178B  - /components  ->  http://dev.devvortex.htb/components/
[10:44:38] 200 -   31B  - /components/                                      
[10:44:42] 200 -    0B  - /configuration.php                                
[10:45:15] 403 -  564B  - /ext/.deps                             

Joomla Version

  • Version 4.2

Getting information from the exploit

  • Access the admin panel with the credentials

  • Getting the reverse shell with admin templates

Access the database and get the user credentials

  • Cracking the hash with hashcat

  • password: tequieromucho

SSH access as the Logan user

PrivEsc

root.txt