Devvortex

Information

  • CTF Name: Devvortex
  • CTF Level: Easy
  • CTF Description: Old Version, Joomla, Vhost, no password sudo
  • Date: 5/4/2024
  • Platform: HTB
  • Category: Machine

Findings

External

Enumeration

  • As always, I started with my Nmap scan, and it gave me 4 open ports.
  • I tried to access and enumerate the main domain, but there was nothing, so I went to subdomain enumeration and got nothing there. Finally, on VHOST enumeration, I got a domain: dev.devvortex.htb.
  • This vhost was a Joomla site; I got that information from the Wappalyzer browser extension and also from the robots.txt file on the server.
  • As soon as I knew it was Joomla, I tried to enumerate it with a tool called joomscan.
  • I found that the Joomla installed on the server is old and vulnerable.
    • It is Joomla 4.2.6

Gaining Access

  • I tested the server with different exploits for Joomla 4.2.6; some of them were not working, as you can see.
  • But finally I got one exploit.

  • It worked and gave me credentials for the user lewis.

Internal

Enumeration

  • The credentials we got in the External process could not be used to access the server using ssh (I knew that after trying lol).
    • After that, I tried them on the Joomla admin login page.

Gaining Access

  • The username and password we got worked on the Joomla login page.
  • At this step, what I did was just try to upload a PHP shell, because I have previously played some CTFs that have this kind of content management system and I got access with a PHP shell.
  • I uploaded a PHP shell that I got from Pentest Monkey.
  • Then I started my listener.
  • Then I tried to access the page where I put my PHP payload.
  • Boom, we got a shell.

Maintaining Access

  • I tried different priv esc techniques but none of them were working. But as you can see, when we enumerate the network part, there are listening ports on 3306 and 33060. By default 3306 is the MySQL server port, so the other port is the same but with a 0 at the end; that was confusing.
  • I tried to access the MySQL server with the lewis credentials, but it was not working.
  • After so many tries, I realized that I can use the MySQL server with another port, and there is another port with a 0 at the end, so I tried that.
  • We got the MySQL server CLI. Then I tried to get credentials, and congratulations, we got them for the users lewis and logan.
  • We already have the lewis credentials, so I tried to copy logan's credentials and crack them with john, and boom, we got it!!!
  • Tried to ssh and we are IN!
  • And We got the user flag (●’◡’●)
  • Then I continued to get the root flag. When I tried sudo -l to look for any program that can be run with sudo and no password, we got /usr/bin/apport-cli.
  • So I tried to Google how I can use this tool to do privilege escalation.
  • And got this exploit.
  • And BOOM BOOM BOOM, we are root

    • Thank You 😉
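
From the defender's side, the root step above depends on a sudoers rule that lets a user run a program without a password. The audit sketch below is an added example, not part of the original write-up: it lists every NOPASSWD command in sudoers-format text and honours tag inheritance across a command list. The sample rules, the users alice and deploy, and the function names are constructed; only the /usr/bin/apport-cli path comes from the write-up.

```python
import re

# Constructed sample sudoers text (not copied from the target machine).
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
alice   ALL=(ALL : ALL) NOPASSWD: /usr/bin/apport-cli
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, \\
        PASSWD: /usr/bin/journalctl, /usr/bin/less
%admin  ALL=(ALL) ALL
"""

TAG_RE = re.compile(r"^((?:NO)?(?:PASSWD|EXEC|SETENV|LOG_INPUT|LOG_OUTPUT"
                    r"|MAIL|FOLLOW|INTERCEPT)):\s*")
RUNAS_RE = re.compile(r"^\(([^)]*)\)\s*")
COMMA_RE = re.compile(r",(?![^()]*\))")        # commas outside "(...)"
SPEC_RE = re.compile(r"^(\S+)\s+([^=]+?)\s*=\s*(.*)$")


def nopasswd_rules(text):
    """Return (who, runas, command) for each command runnable without a password.

    Simplifications: aliases are not expanded, include directives are not
    followed, and several host specs joined by ':' on one line are not split.
    """
    findings = []
    joined = re.sub(r"\\\n\s*", " ", text)     # join backslash continuations
    for line in joined.splitlines():
        line = line.strip()
        if (not line or line.startswith(("#", "Defaults"))
                or re.match(r"^\w+_Alias\b", line)):
            continue
        spec = SPEC_RE.match(line)
        if not spec:
            continue
        who, _host, rest = spec.groups()
        runas, nopasswd = "root", False        # sudo's default run-as user
        for item in COMMA_RE.split(rest):
            item = item.strip()
            ra = RUNAS_RE.match(item)
            if ra:                             # run-as persists for later commands
                runas, item = ra.group(1).replace(" ", ""), item[ra.end():]
            while (tag := TAG_RE.match(item)): # tags persist until the opposite tag
                if tag.group(1) in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag.group(1) == "NOPASSWD"
                item = item[tag.end():]
            if nopasswd and item:
                findings.append((who, runas, item))
    return findings


if __name__ == "__main__":
    for who, runas, cmd in nopasswd_rules(SAMPLE_SUDOERS):
        print(f"REVIEW: {who} may run '{cmd}' as {runas} without a password")
```

Each reported rule is a candidate for removal or for restoring the password requirement, especially when the program is interactive or runs as root.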

Nathan Hailu

Content Creator | Penetration testing Specialist | Mentor | Hackthebox top 1%