Devvortex¶
Linux machine
Foothold¶
Add the target IP to /etc/hosts as devvortex.htb (and, once found, dev.devvortex.htb): the web server routes on the Host header, so the bare IP does not serve the site.
Nmap port scan¶
Website enumeration and exploit¶
Enumerate virtual hosts with ffuf. The -fs 154 filter drops responses of the size the server returns for any unknown Host value (check that baseline first by requesting a Host name that cannot exist):
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -H "Host: FUZZ.devvortex.htb" -u http://devvortex.htb -fs 154
This turns up the dev virtual host (http://dev.devvortex.htb); add it to /etc/hosts as well.
Identify the application: Wappalyzer reports Joomla. Optionally run joomscan against it to confirm the version and list exposed components.
Search for a public exploit matching that Joomla version; the one we need is an unauthenticated information-disclosure bug that returns the site's configuration, including the database credentials.
Those credentials (lewis:P4ntherg0t1n5r3c0n##) also work for the Joomla administrator login.
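The virtual-host discovery step above, as an added example rather than the writeup's own tooling: it spins up a constructed local stub server that only serves a distinct page when the Host header is dev.devvortex.htb, then fuzzes Host values and keeps the ones whose response size differs from the baseline, which is exactly what ffuf's -fs filter does. The stub server, the port, and the five-word wordlist are assumptions made for the demo.

```python
"""Virtual-host discovery by response-size filtering (the logic behind
ffuf -H "Host: FUZZ.domain" -fs <baseline>). Added example, not code from
the original writeup; the stub target below is constructed."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

DEFAULT_BODY = b"<html><body>devvortex.htb default site</body></html>"
DEV_BODY = b"<html><body>Joomla! dev site, different length</body></html>"


class StubHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the target: routes on the Host header only."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        body = DEV_BODY if host == "dev.devvortex.htb" else DEFAULT_BODY
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_stub():
    """Bind to a free localhost port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def fetch_size(ip, port, host):
    """Body size returned for one Host value (ffuf's 'Size' column)."""
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    size = len(conn.getresponse().read())
    conn.close()
    return size


def baseline_size(ip, port, domain):
    """Size for a Host value that cannot exist: the value to pass to -fs."""
    return fetch_size(ip, port, f"zz-not-a-real-vhost.{domain}")


def fuzz_vhosts(ip, port, domain, wordlist):
    """Return (baseline, [(word, size), ...]) for words whose response
    size differs from the baseline, i.e. candidate virtual hosts."""
    base = baseline_size(ip, port, domain)
    hits = []
    for word in wordlist:
        size = fetch_size(ip, port, f"{word}.{domain}")
        if size != base:
            hits.append((word, size))
    return base, hits


def demo():
    """Run the fuzz against the local stub; returns (baseline, hits)."""
    srv = start_stub()
    port = srv.server_address[1]
    wordlist = ["www", "mail", "dev", "api", "staging"]  # constructed mini wordlist
    try:
        return fuzz_vhosts("127.0.0.1", port, "devvortex.htb", wordlist)
    finally:
        srv.shutdown()


if __name__ == "__main__":
    base, hits = demo()
    print(f"baseline size {base}; candidates: {hits}")
```

Size filtering is a heuristic: a real target may return the default page with a slightly varying length (timestamps, CSRF tokens), in which case filter on status code or word count instead, or use ffuf's -fl/-fw options. Always measure the baseline on the target itself rather than reusing a number from a writeup.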
User¶
In the administrator panel, add a file to an existing site template: System -> Site Templates -> open a template -> New File, then upload a PHP web shell (the p0wny shell works). The file is served from the template's directory, so request it directly to run it.
The PHP web shell has no stdin, so anything that prompts for input (the mysql client asking for a password, for example) hangs. Use it only to launch a Python reverse shell back to our machine and work from that one instead.
From the reverse shell, connect to MySQL with the lewis credentials recovered by the first exploit.
Dump the users table of the joomla database; the password column holds the hashes.
The hashes are bcrypt ($2y$ prefix, as written by PHP's password_hash). Crack the relevant one with hashcat's bcrypt mode (3200); it is in rockyou.
Cracked credentials: logan:tequieromucho.
Log in over SSH as logan to read the user flag.
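The MySQL-to-hashcat step above, as an added example that is not part of the original writeup. It parses a constructed tab-separated users dump (the shape the mysql client prints for `SELECT id, username, password FROM <prefix>_users`; the table prefix and every hash value below are placeholders, not the machine's real data), recognises the Joomla hash formats that turn up in practice, and groups them into one hashcat input file and command per mode, since hashcat runs a single mode per invocation. The file names and wordlist path are assumptions.

```python
"""Extract Joomla password hashes from a query dump and prepare hashcat
input. Added example, not the original writeup's commands; the dump and
hash values are constructed placeholders in valid format."""
import re
from collections import defaultdict

# Constructed dump: mysql's tab-separated output for
#   SELECT id, username, password FROM <prefix>_users;
USERS_DUMP = """id\tusername\tpassword
649\tlewis\t$2y$10$abcdefghijklmnopqrstuv0123456789012345678901234567890
650\tlogan\t$2y$10$ABCDEFGHIJKLMNOPQRSTUV1234567890123456789012345678901
651\tlegacy\t0cc175b9c0f1b6a831c399e269772661:3ibunpHUxS5K6j8Y7pgGJbBE0kFJ2Wsp
"""

# bcrypt: $2[abxy]$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# phpass (Joomla 3.0/3.1 and migrated accounts): $P$ or $H$ + 31 chars
PHPASS_RE = re.compile(r"^\$[PH]\$[./A-Za-z0-9]{31}$")
# Joomla 1.x/2.5: md5(password + salt) stored as "<hex>:<salt>"
MD5_SALT_RE = re.compile(r"^[0-9a-f]{32}:[A-Za-z0-9]{32}$")


def parse_users(dump):
    """Rows as dicts keyed by the header line mysql prints first."""
    lines = [line for line in dump.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def classify(h):
    """Return (scheme, hashcat_mode, cost) for one Joomla password hash.
    bcrypt -> -m 3200 (cost is the log2 work factor, 10 = 1024 rounds),
    phpass -> -m 400, legacy md5(pass.salt) -> -m 10."""
    m = BCRYPT_RE.match(h)
    if m:
        return ("bcrypt", 3200, int(m.group(1)))
    if PHPASS_RE.match(h):
        return ("phpass", 400, None)
    if MD5_SALT_RE.match(h):
        return ("md5-salt", 10, None)
    raise ValueError(f"unrecognised Joomla hash format: {h[:8]}...")


def hashcat_jobs(users, wordlist="/usr/share/wordlists/rockyou.txt"):
    """Group 'user:hash' lines by hashcat mode and build a command per
    mode (--username tells hashcat to strip the leading user field)."""
    by_mode = defaultdict(list)
    for user in users:
        _, mode, _ = classify(user["password"])
        by_mode[mode].append(f'{user["username"]}:{user["password"]}')
    jobs = {}
    for mode, entries in by_mode.items():
        path = f"joomla_m{mode}.txt"  # assumed output file name
        jobs[mode] = {
            "path": path,
            "lines": entries,
            "command": f"hashcat -m {mode} --username {path} {wordlist}",
        }
    return jobs


def write_jobs(jobs):
    """Write each mode's input file; run the printed commands afterwards."""
    for job in jobs.values():
        with open(job["path"], "w") as fh:
            fh.write("\n".join(job["lines"]) + "\n")


if __name__ == "__main__":
    jobs = hashcat_jobs(parse_users(USERS_DUMP))
    write_jobs(jobs)
    for job in jobs.values():
        print(job["command"])
```

Two practitioner notes: hashcat's bcrypt mode accepts the $2y$ prefix as-is, and if some other tool rejects it, rewriting $2y$ to $2a$ does not change the hash (the $2y$ marker only records that the hash was produced by a crypt_blowfish without the old sign-extension bug). Also, bcrypt at cost 10 is slow even on a GPU, so start with a targeted wordlist and rules rather than a mask attack, and crack only the account you need (logan here, since lewis's password is already known).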
Root¶
Check sudo privileges with sudo -l: logan may run apport-cli as root.
Check the apport-cli version and its help page.
That version is affected by a known privilege-escalation bug: when you choose to view a crash report, apport-cli pages it through less, and less honours the ! shell-escape, which runs the command with the privileges of the pager process, here root via sudo.
To exploit it you first need a crash report for apport-cli to open (crashing any process you own is enough to make apport write one):
Then run apport-cli through sudo on that report.
Wait for the prompt, choose the V (view) option, wait for less to open, and type !id: it reports uid=0(root), and the same escape launches a root shell.