```shell
nmap -p- --min-rate 10000 10.10.11.242 -Pn
```

After finding the open ports, let's run a more detailed scan against just those ports.

```shell
nmap -A -sC -sV -p22,80 10.10.11.242 -Pn
```

From the nmap scan result, I see that this IP address resolves to the devvortex.htb domain name, so I need to add it to the /etc/hosts file.

Our web application looks like the one below.

Let's do subdomain enumeration.

```shell
ffuf -u http://devvortex.htb/ -H "Host: FUZZ.devvortex.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -fs 154
```

Let's add dev.devvortex.htb to the /etc/hosts file as well.

Looking at the robots.txt file for dev.devvortex.htb, I see an administrator endpoint.

Accessing the /administrator endpoint, we see the login form of a Joomla application.

I tried the default Joomla credentials, but they don't work.

Let's check CVE-2023-23752, an unauthenticated information disclosure in the Joomla web services API that exposes configuration values, including the database credentials.

I ran this exploit and got the credentials below.


lewis: P4ntherg0t1n5r3c0n##
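From the defender's side, both of the steps above leave a clear trace in the web server's access log: the vhost brute force produces a burst of requests from one client with many different Host values, and a CVE-2023-23752 attempt is a request for the Joomla API config route. The following is an added example (not part of the original write-up) that runs that detection over a few constructed log lines. It assumes a log format that records the client-supplied Host header as the first field (nginx `$host`, or Apache `%V` with `UseCanonicalName Off`); Apache's default `%v` logs the canonical ServerName and would hide the fuzzed hostnames, so check the format before relying on the first rule.

```python
import re
from collections import defaultdict

# Assumed format: "<host> <client> - - [time] "<request>" <status> <bytes> ...".
# The host field must be the Host header the client sent (nginx $host / Apache %V),
# otherwise every fuzzed request is logged under the same server name.
LOG_RE = re.compile(
    r'^(?P<host>[^\s:]+)(?::\d+)? (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Joomla 4 web-services route requested by CVE-2023-23752 exploit attempts.
JOOMLA_CONFIG_ROUTE = "/api/index.php/v1/config/application"

# Constructed sample log; none of these lines were captured from the machine in the write-up.
SAMPLE_LOG = """\
devvortex.htb 203.0.113.9 - - [10/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 154 "-" "Mozilla/5.0"
devvortex.htb 198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 154 "-" "Fuzz Faster U Fool"
www.devvortex.htb 198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 154 "-" "Fuzz Faster U Fool"
mail.devvortex.htb 198.51.100.7 - - [10/Jan/2024:10:00:01 +0000] "GET / HTTP/1.1" 200 154 "-" "Fuzz Faster U Fool"
ftp.devvortex.htb 198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 154 "-" "Fuzz Faster U Fool"
dev.devvortex.htb 198.51.100.7 - - [10/Jan/2024:10:00:02 +0000] "GET / HTTP/1.1" 200 23221 "-" "Fuzz Faster U Fool"
dev.devvortex.htb 198.51.100.7 - - [10/Jan/2024:10:05:30 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 200 1812 "-" "curl/8.4.0"
dev.devvortex.htb 203.0.113.9 - - [10/Jan/2024:10:06:00 +0000] "GET /administrator/ HTTP/1.1" 200 9114 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["target"].split("?", 1)[0]  # drop any query string
    return rec


def vhost_enumeration(lines, threshold=5):
    """Clients that asked for at least `threshold` distinct Host values.

    Returns {client: number_of_distinct_hosts}. Normal browsers touch one or two
    hostnames; a Host-header fuzzer touches hundreds in seconds.
    """
    hosts_per_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            hosts_per_client[rec["client"]].add(rec["host"])
    return {c: len(h) for c, h in hosts_per_client.items() if len(h) >= threshold}


def joomla_config_reads(lines):
    """Requests for the Joomla API config route as (client, host, status).

    A 200 means the site answered the request; on a patched Joomla the route
    requires authentication and the unauthenticated request is rejected.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"].startswith(JOOMLA_CONFIG_ROUTE):
            hits.append((rec["client"], rec["host"], int(rec["status"])))
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("vhost enumeration:", vhost_enumeration(lines))
    print("Joomla config reads:", joomla_config_reads(lines))
```

The threshold of five distinct hosts is a constructed value for the sample; on a real server tune it to the number of hostnames the site legitimately serves, and treat any hit on the config route from an unauthenticated client as a finding regardless of the response code.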

I successfully log in to the Joomla admin page.

To get remote code execution, we need to add a webshell to one of the template .php files.

Go to System -> Templates -> Administrator -> Templates -> index.php.

I got a reverse shell on port 1337.

Let's make the shell interactive.

```shell
python3 -c 'import pty; pty.spawn("/bin/bash")'   # spawn a pty so the shell has a real terminal
# press Ctrl+Z here to background the shell
stty raw -echo; fg                                # stop the local tty from echoing, then bring the shell back
export TERM=xterm
export SHELL=bash
```

When I run the netstat -ntpl command, I see that the MySQL port is open.

Let's connect to it with the mysql command, using the lewis credentials we found earlier.

```shell
mysql -u lewis -p
```

I found the sd4fg_users table in the joomla database.

I can see logan's password hash here.

Let's crack this password with hashcat (mode 3200 is bcrypt, the format Joomla uses for its password hashes).

```shell
hashcat -m 3200 hash.txt --wordlist /usr/share/wordlists/rockyou.txt
```


logan: tequieromucho
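The crack above works because the password is in rockyou and the hash is bcrypt at PHP's default cost of 10. An administrator auditing a Joomla users table wants the reverse view: which stored hashes are in a format or at a cost that a wordlist attack will get through quickly. The following is an added example (not code from the write-up) that classifies each stored hash by its modular-crypt prefix, maps it to the matching hashcat mode, and flags bcrypt below an assumed policy cost of 12 (each +1 in cost doubles the work per guess). The sample rows are constructed filler of the right shape, not hashes from the box.

```python
import re

# Hash formats a Joomla "password" column can hold. Regexes are written for this
# example; the sample values below are constructed and are not real digests.
BCRYPT_RE = re.compile(r'^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$[./A-Za-z0-9]{53}$')
LEGACY_MD5_RE = re.compile(r'^[0-9a-f]{32}:[^:]{16,32}$')  # md5(password.salt):salt, Joomla < 2.5.18
PLAIN_MD5_RE = re.compile(r'^[0-9a-f]{32}$')

MIN_BCRYPT_COST = 12  # assumed audit policy; PHP's password_hash() default cost is 10


def classify_hash(stored):
    """Describe one stored hash: algorithm, matching hashcat mode, cost, and whether it is weak."""
    m = BCRYPT_RE.match(stored)
    if m:
        cost = int(m.group("cost"))
        return {"algorithm": "bcrypt", "hashcat_mode": 3200, "cost": cost,
                "weak": cost < MIN_BCRYPT_COST}
    if LEGACY_MD5_RE.match(stored):
        # Unsalted-speed MD5 with a public salt: billions of guesses per second on a GPU.
        return {"algorithm": "md5-salted (legacy Joomla)", "hashcat_mode": 11, "cost": None, "weak": True}
    if PLAIN_MD5_RE.match(stored):
        return {"algorithm": "md5", "hashcat_mode": 0, "cost": None, "weak": True}
    return {"algorithm": "unknown", "hashcat_mode": None, "cost": None, "weak": True}


def audit_users(rows):
    """rows: iterable of (username, stored_hash). Returns (username, info) for hashes that need attention."""
    findings = []
    for user, stored in rows:
        info = classify_hash(stored)
        if info["weak"]:
            findings.append((user, info))
    return findings


# Constructed rows: the 53-character bcrypt bodies are filler, the md5 value is md5("") with a made-up salt.
SAMPLE_ROWS = [
    ("lewis", "$2y$12$" + "0123456789" * 5 + "012"),
    ("logan", "$2y$10$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"),
    ("legacy", "d41d8cd98f00b204e9800998ecf8427e:AbCdEfGhIjKlMnOpQrStUvWxYz12"),
]

if __name__ == "__main__":
    for user, info in audit_users(SAMPLE_ROWS):
        print(f"{user}: {info['algorithm']} (hashcat -m {info['hashcat_mode']}), cost={info['cost']}")
```

Run against a real dump, the output is the list of accounts whose passwords should be rehashed at login (Joomla upgrades legacy hashes automatically the next time the user authenticates) or forcibly reset.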

user.txt

Then I run the sudo -l command to check the privileges of this user.

I searched for a publicly known exploit for this vulnerability and found CVE-2023-1326, a local privilege escalation in apport-cli that applies when the tool is allowed through sudo.
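The same `sudo -l` output that points an attacker at CVE-2023-1326 is what a defender should be reviewing on every host. The following is an added example (not part of the write-up) that parses `sudo -l` output, splits each rule into run-as user, tags and command, and reports rules that grant a binary with a known sudo-related CVE, rules tagged NOPASSWD, and rules granting ALL. The sudo output it parses is constructed for the example and is not the output shown in the screenshot; the CVE table holds only the issue this write-up names.

```python
import re

# Binaries with a known sudo-to-root issue relevant here. CVE-2023-1326: apport-cli
# displays crash reports through a pager, and when the tool is granted via sudo that
# pager runs as root. Fix: update apport, or stop granting apport-cli through sudo.
KNOWN_SUDO_CVES = {
    "apport-cli": "CVE-2023-1326 (update apport or remove the sudo rule)",
}

# One sudoers rule as sudo -l prints it: "(runas) [TAG: ...] command[, command...]"
RULE_RE = re.compile(r'^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$')

# Constructed sudo -l output; it is not the output from the machine in the write-up.
SAMPLE_SUDO_L = """\
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
    (root) NOPASSWD: /usr/bin/systemctl status nginx
"""


def parse_sudo_l(text):
    """Return a list of {"runas", "tags", "command"} dicts, one per granted command."""
    rules = []
    in_rules = False
    for raw in text.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True  # everything after this header is a rule
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(", "):
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "command": cmd.strip()})
    return rules


def audit_rules(rules):
    """Return (command, reason) pairs for rules an administrator should look at."""
    findings = []
    for rule in rules:
        binary = rule["command"].split()[0].rsplit("/", 1)[-1]
        if binary in KNOWN_SUDO_CVES:
            findings.append((rule["command"], KNOWN_SUDO_CVES[binary]))
        if "NOPASSWD" in rule["tags"]:
            findings.append((rule["command"], "runs without a password prompt"))
        if rule["command"] == "ALL":
            findings.append((rule["command"], "unrestricted command set"))
    return findings


if __name__ == "__main__":
    for command, reason in audit_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{command}: {reason}")
```

Feeding it the real output (`sudo -l -U <user>` as root, for each account) turns the manual check into something that can run from a cron job or a configuration-management report.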

root.txt
