Hack The Box: Machine
Devvortex
Release Date: November 25th, 2023
OS: Linux
Categories: Web Application, Vulnerability Assessment
Area of Interest: Databases, Common Applications
Difficulty: Easy
Created By: 7u9y
Link: https://app.hackthebox.com/machines/577
Soundtrack: If You Only Knew — Blackwater Holylight
Summary
In this walkthrough, we explore the Devvortex machine, focusing on a Joomla API vulnerability that allows information disclosure. After identifying the vulnerability (CVE-2023–23752) in the Joomla API, we exploit it using curl to leak database credentials for the user lewis. These credentials grant administrator panel access, enabling the upload of a plugin for Remote Code Execution as the www-data user. Subsequent database enumeration reveals a password hash for user logan, which is cracked using hashcat. Final privilege escalation to root is achieved by exploiting a vulnerability (CVE-2023–1326) in apport-cli accessed via sudo.