Planning

TelBo_on published on
2 min, 350 words

Categories: HTB

Recon

Ports

sudo nmap -sT -sC -sV -p22,80  planning.htb  
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-14 14:47 CST
Nmap scan report for planning.htb (10.129.242.146)
Host is up (0.27s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_  256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Edukate - Online Education Website
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.91 seconds

Ports 22 and 80 are open. Browsing port 80 shows a static front-end page with no notable functionality.


Directory scanning turned up no useful paths either.

dirsearch -u http://planning.htb/  -w /usr/share/wordlists/seclists/Discovery/Web-Content/common.txt 
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 4744

Output File: /home/Hackthebox/planning/reports/http_planning.htb/__25-05-14_15-18-19.txt

Target: http://planning.htb/

[15:18:19] Starting: 
[15:18:37] 301 -  178B  - /css  ->  http://planning.htb/css/
[15:18:46] 301 -  178B  - /img  ->  http://planning.htb/img/
[15:18:48] 301 -  178B  - /js  ->  http://planning.htb/js/
[15:18:49] 301 -  178B  - /lib  ->  http://planning.htb/lib/

So I moved on to subdomain (vhost) fuzzing (I tried several wordlists; this one produced a hit):

ffuf -u http://planning.htb/ -H "Host: FUZZ.planning.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt  -fs 178

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://planning.htb/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt
 :: Header           : Host: FUZZ.planning.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response size: 178
________________________________________________

grafana                 [Status: 302, Size: 29, Words: 2, Lines: 3, Duration: 328ms]

Visiting it shows a Grafana login page, and the version number led to CVE-2024-9264. Exploiting it directly gave an initial shell.

First foothold

The hostname shows the initial shell is almost certainly inside a Docker container, running as root; the container itself holds nothing useful. Checking the environment, though, turned up:

root@7ce659d667d7:/tmp# env
env
AWS_AUTH_SESSION_DURATION=15m
HOSTNAME=7ce659d667d7
PWD=/tmp
AWS_AUTH_AssumeRoleEnabled=true
GF_PATHS_HOME=/usr/share/grafana
AWS_CW_LIST_METRICS_PAGE_LIMIT=500
HOME=/usr/share/grafana
TERM=xterm
AWS_AUTH_EXTERNAL_ID=
SHLVL=2
GF_PATHS_PROVISIONING=/etc/grafana/provisioning
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
GF_SECURITY_ADMIN_USER=enzo
GF_PATHS_DATA=/var/lib/grafana
GF_PATHS_LOGS=/var/log/grafana
PATH=/usr/local/bin:/usr/share/grafana/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
AWS_AUTH_AllowedAuthProviders=default,keys,credentials
GF_PATHS_PLUGINS=/var/lib/grafana/plugins
GF_PATHS_CONFIG=/etc/grafana/grafana.ini
_=/usr/bin/env
OLDPWD=/var/mail

That yields a user and their credentials, which work for SSH login. In /opt/crontabs/crontab.db I found another leaked credential and kept it for later.
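As an added illustration (not part of the writeup), a small audit that flags credentials handed to a container as plain environment variables, run over the env dump above. The variable-name patterns are a starting heuristic, and the advice it prints uses Grafana's documented `__FILE` suffix for reading a setting from a mounted secret file.

```python
from __future__ import annotations
import re
from typing import NamedTuple

# Variable names that usually carry a credential. Tune for your stack.
SECRET_NAME = re.compile(r"PASS(WORD)?|SECRET|TOKEN|API_?KEY|PRIVATE_?KEY|CREDENTIAL", re.I)

class Finding(NamedTuple):
    name: str
    masked_value: str
    advice: str

def mask(value: str) -> str:
    """Keep two characters so the report itself never re-leaks the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)

def audit_env(env_text: str) -> list[Finding]:
    """Parse the output of `env` (or docker inspect's Env list, one entry per line)."""
    findings: list[Finding] = []
    for line in env_text.splitlines():
        name, sep, value = line.partition("=")
        if not sep or not value:
            continue  # echoed prompt lines, blanks, and empty values such as AWS_AUTH_EXTERNAL_ID=
        if name.endswith("__FILE"):
            continue  # Grafana reads GF_* settings from the file named here, so the env holds only a path
        if SECRET_NAME.search(name):
            advice = (f"set {name}__FILE=/run/secrets/<name> (Grafana's file indirection) instead"
                      if name.startswith("GF_")
                      else "mount the value as a secret file and read it at start-up")
            findings.append(Finding(name, mask(value), advice))
    return findings

# Constructed sample: lines from the container env above plus one showing the file-based form.
SAMPLE_ENV = """\
AWS_AUTH_SESSION_DURATION=15m
HOSTNAME=7ce659d667d7
AWS_AUTH_EXTERNAL_ID=
GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
GF_SECURITY_ADMIN_USER=enzo
AWS_AUTH_AllowedAuthProviders=default,keys,credentials
GF_DATABASE_PASSWORD__FILE=/run/secrets/grafana_db_password
"""

if __name__ == "__main__":
    for f in audit_env(SAMPLE_ENV):
        print(f"{f.name}={f.masked_value}: {f.advice}")
```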

Root

Initial enumeration shows ports 8000 and 3000 listening on localhost. SSH port forwarding: ssh -fN -L 8000:127.0.0.1:8000 -L 3000:127.0.0.1:3000 enzo@planning.htb. Port 3000 is the Grafana login page.

enzo@planning:~$ ss -antlp
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511           0.0.0.0:80           0.0.0.0:*
LISTEN  0       4096        127.0.0.1:36541        0.0.0.0:*
LISTEN  0       511         127.0.0.1:8000         0.0.0.0:*
LISTEN  0       4096        127.0.0.1:3000         0.0.0.0:*
LISTEN  0       151         127.0.0.1:3306         0.0.0.0:*
LISTEN  0       4096     127.0.0.53%lo:53           0.0.0.0:*
LISTEN  0       4096       127.0.0.54:53           0.0.0.0:*
LISTEN  0       70          127.0.0.1:33060        0.0.0.0:*
LISTEN  0       4096                *:22                 *:*

Port 8000 requires a login. Combining the information gathered so far and trying the possible combinations gave root:xxxxxx. Once logged in, it turns out to be an open-source project, a web front end for managing cron jobs (address). We can add a new cron job, either to pop a shell directly or to cp bash and chmod +s it, which gives root. Because the service on port 8000 runs as root, the scheduled tasks are executed with root privileges; the enzo user, however, has no permission to view the related information.

bash-5.2# lsof -i:8000
COMMAND  PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
node    1436 root   18u  IPv4  17982      0t0  TCP localhost:8000 (LISTEN)

CMD: UID=0     PID=1436   | node /usr/bin/crontab-ui
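Since crontab-ui runs as root, its job database is effectively a root crontab. Here is an added example (not from the writeup or the crontab-ui project) that reviews such a database for inline credentials and privilege-escalation style commands; it assumes crontab.db is newline-delimited JSON with "name" and "command" fields and runs over a constructed sample.

```python
import json
import re
from typing import Dict, List

# Credentials placed on a command's argv are visible to anyone who can read the job database.
INLINE_CREDENTIAL = [
    re.compile(r"(?:^|\s)-p\S+"),           # mysql/mysqldump -pSECRET
    re.compile(r"--password[=\s]\S+"),
    re.compile(r"://[^/\s:]+:[^@\s]+@"),    # user:pass@host inside a URL
]
# Commands no legitimate scheduled job should need; the dict keys are the reasons reported.
DANGEROUS = {
    "setuid bit added": re.compile(r"chmod\s+[ugo]*\+s|chmod\s+[0-7]?[4-7][0-7]{3}"),
    "interactive/reverse shell": re.compile(r"/dev/tcp/|nc\s+.*-e\s|bash\s+-i"),
    "writes to trusted system file": re.compile(r">>?\s*/etc/(sudoers|cron|passwd|shadow)"),
}

def audit_jobs(db_text: str) -> Dict[str, List[str]]:
    """Return {job name: [reasons]} for jobs that need a human review."""
    report: Dict[str, List[str]] = {}
    for raw in db_text.splitlines():
        if not raw.strip():
            continue
        job = json.loads(raw)                   # one nedb document per line (assumed format)
        cmd = job.get("command", "")
        reasons = []
        if any(p.search(cmd) for p in INLINE_CREDENTIAL):
            reasons.append("credential on command line")
        reasons += [label for label, pat in DANGEROUS.items() if pat.search(cmd)]
        if reasons:
            report[job.get("name") or job.get("_id", "?")] = reasons
    return report

# Constructed sample database; the password is a placeholder, not a value from the box.
SAMPLE_DB = "\n".join(json.dumps(j) for j in [
    {"name": "grafana backup", "command": "docker save grafana -o /tmp/grafana.tar", "schedule": "0 2 * * *"},
    {"name": "db dump", "command": "mysqldump -u root -pPLACEHOLDER_PW app > /var/backups/app.sql", "schedule": "@daily"},
    {"name": "cleanup", "command": "cp /bin/bash /tmp/bash && chmod +s /tmp/bash", "schedule": "* * * * *"},
])

if __name__ == "__main__":
    for name, reasons in audit_jobs(SAMPLE_DB).items():
        print(f"{name}: {', '.join(reasons)}")
```

The innocuous job name on the last entry is the point: review the command field, not the label the UI shows.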

Summary

An easy box built around scheduled tasks.