
Introduction

Devvortex is an Easy rated box and was released on HackTheBox on the 25th of November, 2023.

Enumeration

Running Nmap shows that port 22 (SSH) and port 80 (HTTP) are open.

Adding devvortex.htb to /etc/hosts and going to the website doesn’t show any low-hanging fruit, and neither does enumerating directories with Gobuster.

Enumerating VHosts, however, does reveal a new subdomain.

Initial Shell

Adding this new subdomain to our /etc/hosts file shows us a new website that doesn’t have anything super interesting on it. Navigating to /robots.txt shows that the website is running Joomla, and Joomscan shows the same.

Doing a quick Google search of this version gives us a GitHub link to a PoC that leaks credentials for the connected database. Running it shows us the registered users, the type of database that’s running, and the user and password for the database.

Going to the Joomla administrator login panel at http://dev.devvortex.htb/administrator and logging in with the ‘lewis’ user and the password for the DB brings us to the Admin panel. Navigating to System > Site Templates and replacing the contents of any of the PHP files with a reverse shell will allow us to connect back to the box. In one terminal, start a Netcat listener on the port you chose for the reverse shell, and then either navigate to the PHP file in your web browser or use curl to make a request to that PHP file. Both work the same and will allow you to get a shell as www-data.

Looking in /home shows a folder for the Logan user, but we can’t access the user.txt file inside.

Logging in as Logan/User Flag

Remembering back to when we found the password for the Joomla admin page, the exploit we ran showed that there was a MySQL database running on the box. Running the mysql command and providing the credentials from the exploit allows us to connect to the database.

Selecting the Joomla database, finding the users_XXXXX table, and dumping the contents with SELECT * FROM users_XXXXX; allows us to get the password hash for the Logan user. Running it through hashcat allows us to get the password to log in to the Logan account.

SSH’ing into the box as the Logan user and putting the password in allows us to get the user flag.

PrivEsc and Root Flag

After logging into Logan and getting the flag, we have to move into the root account and get the root flag. Running sudo -l and putting in logan’s password shows a binary called apport-cli that we are allowed to run with privileged permissions.

Googling the name of the program shows a CVE that allows us to open Bash as the root user. Running the program with sudo /usr/bin/apport-cli and the --file-bug argument, filling in any number for the first 2 choices, and then typing V and hitting Enter brings us to a session of the less program. From there, we can run any command by typing ! followed by the name of the command. I did /bin/bash so I could have a full shell, but you could just do cat /root/root.txt if you just wanted the flag.
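A defender-side check for the sudo misconfiguration this section relies on, as an added example that is not part of the original write-up: it parses `sudo -l` output and reports rules that grant a program able to drop into a pager. The sample output and the `PAGER_CAPABLE` list are constructed for illustration; only the `/usr/bin/apport-cli` path comes from the page.

```python
import re

# Illustrative, not exhaustive (assumption): programs that page output through
# less or offer their own "!" escape. apport-cli is the case from this write-up.
PAGER_CAPABLE = {"apport-cli", "less", "more", "man", "vi", "vim",
                 "journalctl", "systemctl"}

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>\S.*)$")
TAG = re.compile(r"^([A-Z_]+):\s*")   # sudoers tags such as NOPASSWD: or NOEXEC:

# Constructed sample of `sudo -l` output: host name, run-as specs and the
# "backup" user are made up; only the apport-cli path is taken from the page.
SAMPLE = """\
User logan may run the following commands on examplehost:
    (ALL : ALL) /usr/bin/apport-cli
User backup may run the following commands on examplehost:
    (root) NOPASSWD: /usr/bin/rsync, /usr/bin/less /var/log/syslog
    (root) NOEXEC: /usr/bin/man
"""

def audit(sudo_l_output):
    """Return one finding per sudo rule that grants a pager-capable program."""
    findings, user = [], None
    for line in sudo_l_output.splitlines():
        header = re.match(r"User (\S+) may run", line)
        if header:
            user = header.group(1)
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        rest, tags = rule.group("rest"), set()
        while (m := TAG.match(rest)):      # peel leading tags off the rule
            tags.add(m.group(1))
            rest = rest[m.end():]
        for cmd in re.split(r",\s*", rest):
            path = (cmd.split() or [""])[0]
            if path.rsplit("/", 1)[-1] in PAGER_CAPABLE:
                # NOEXEC is the sudoers tag meant to stop further exec calls.
                findings.append({"user": user, "runas": rule.group("runas"),
                                 "command": path, "noexec": "NOEXEC" in tags})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE):
        state = "NOEXEC set" if f["noexec"] else "NOEXEC not set"
        print(f"{f['user']}: {f['command']} as ({f['runas']}): {state}")
```

Rules it reports are candidates for removal or for replacement with a narrower command; upgrading the affected package addresses the specific CVE.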
