Embedded Files
Nmap Scan Result
We have port 80 and 22 open, since 80 indicates a web service, I outrightly scanned for subdomain and subdirectory and I found a "dev" subdomain using ffuf
Doing basic recon on dev.devvortex.htb, I found possible endpoints in the robots.txt file.
there seems to be a Joomla unauth vulnerability https://www.exploit-db.com/exploits/51334.
to confirm we run the exploit against our server and it's indeed vulnerable.
Using the found creds to login to the admin page
Joomla Templates just like Wordpress's uses PHP files and this means we can replace one of the files with our PHP reverse shell. in this use we are using error_login.php file
...and we got a shell, as www-data though. also copied linpeas.sh for priv esc.
From linpeas, notice that port 3306 is opened meaning MySQL is running, this is reasonble since Joomla is using this to store user info. tried logging in with the credential we already have and it worked.
Dumped the content of sd4fg_users and we got the password hash of user Lewis (which we already have) and Logan
From hashcat wiki and hashid, we know the password is type Bcrypt and we are able to crack it with hashcat
Password hash cracked and we are able to switch user to Logan from www-data
Privilege Escalation
using sudo -l, we can see logan can run sudo command on apport-cli. A bit lookup and you'll see the below or similar exploit https://github.com/diego-tella/CVE-2023-1326-PoC
and we are root, hope the below is self explanatory. Bit tacky but it's new year and I've got to do this now😒
Page updated
Google Sites
Report abuse