HTB-Planning

This is a simple Linux box. The points tested are DNS subdomain enumeration, information gathering, a CMS n-day, and port forwarding.

As is common in real life pentests, you will start the Planning box with credentials for the following account: admin / 0D5oT70Fq13EvB5r

Port scanning

Nmap scan report for 10.10.11.68
Host is up, received user-set (0.13s latency).
Scanned at 2025-06-07 06:19:29 CST for 68s
Not shown: 34230 filtered tcp ports (no-response), 31303 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 9.6p1 Ubuntu 3ubuntu13.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 62:ff:f6:d4:57:88:05:ad:f4:d3:de:5b:9b:f8:50:f1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMv/TbRhuPIAz+BOq4x+61TDVtlp0CfnTA2y6mk03/g2CffQmx8EL/uYKHNYNdnkO7MO3DXpUbQGq1k2H6mP6Fg=
| 256 4c:ce:7d:5c:fb:2d:a0:9e:9f:bd:f5:5c:5e:61:50:8a (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKpJkWOBF3N5HVlTJhPDWhOeW+p9G7f2E9JnYIhKs6R0
80/tcp open http syn-ack ttl 63 nginx 1.24.0 (Ubuntu)
|_http-server-header: nginx/1.24.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://planning.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 06:20
Completed NSE at 06:20, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 06:20
Completed NSE at 06:20, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 06:20
Completed NSE at 06:20, 0.00s elapsed
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.43 seconds
Raw packets sent: 548285 (24.125MB) | Rcvd: 32629 (1.306MB)

The domain planning.htb needs to be added to /etc/hosts.

Subdomain enumeration

┌──(root㉿vbox)-[~]
└─# ffuf -u http://planning.htb -H "Host: FUZZ.planning.htb" -w /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt -fs 178 -t 100

:: Method : GET
:: URL : http://planning.htb
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/namelist.txt
:: Header : Host: FUZZ.planning.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 100
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 178
________________________________________________

grafana [Status: 302, Size: 29, Words: 2, Lines: 3, Duration: 97ms]

Also add the subdomain grafana.planning.htb to /etc/hosts.
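The ffuf run above finds the hidden vhost by sending many Host headers and filtering out the default 178-byte catch-all response. From the defender's side the same pattern is visible in the web server log. The following is an added example, not part of the original writeup; it assumes an nginx log_format that records $host (the default "combined" format does not), and the log lines are constructed sample data.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in an assumed custom log_format:
#   $remote_addr - - [$time_local] "$host" "$request" $status $body_bytes_sent
SAMPLE_LOG = """\
10.10.14.5 - - [07/Jun/2025:06:22:01 +0000] "planning.htb" "GET / HTTP/1.1" 200 3124
10.10.14.5 - - [07/Jun/2025:06:22:02 +0000] "www.planning.htb" "GET / HTTP/1.1" 301 178
10.10.14.5 - - [07/Jun/2025:06:22:02 +0000] "mail.planning.htb" "GET / HTTP/1.1" 301 178
10.10.14.5 - - [07/Jun/2025:06:22:02 +0000] "dev.planning.htb" "GET / HTTP/1.1" 301 178
10.10.14.5 - - [07/Jun/2025:06:22:03 +0000] "grafana.planning.htb" "GET / HTTP/1.1" 302 29
10.10.14.9 - - [07/Jun/2025:06:25:10 +0000] "planning.htb" "GET /about HTTP/1.1" 200 2048
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" "([^"]*)" (\d{3}) (\d+)')
# Hostnames the server is expected to be addressed by; anything else is a guess.
KNOWN_HOSTS = {"planning.htb"}

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, host, request, status, size = m.groups()
    return {"ip": ip, "time": ts, "host": host, "request": request,
            "status": int(status), "size": int(size)}

def unknown_host_records(log_text):
    return [r for r in map(parse_line, log_text.splitlines())
            if r is not None and r["host"] not in KNOWN_HOSTS]

def detect_vhost_fuzzing(log_text, threshold=3):
    """Map client IP -> sorted unknown Host values for clients that tried at
    least `threshold` distinct unknown hosts (the vhost brute-force signature)."""
    seen = defaultdict(set)
    for r in unknown_host_records(log_text):
        seen[r["ip"]].add(r["host"])
    return {ip: sorted(h) for ip, h in seen.items() if len(h) >= threshold}

def responding_hosts(log_text):
    """Unknown hosts whose (status, size) differs from the catch-all response,
    i.e. the vhosts the probe actually discovered."""
    recs = unknown_host_records(log_text)
    if not recs:
        return []
    catch_all, _ = Counter((r["status"], r["size"]) for r in recs).most_common(1)[0]
    return sorted({r["host"] for r in recs if (r["status"], r["size"]) != catch_all})
```

Alerting on `detect_vhost_fuzzing` gives the scanning client; `responding_hosts` tells the defender which unlisted vhost the scan exposed.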

Web

Log in with the credentials given in the box description.

The framework version is displayed.

Searching for that version turns up an n-day PoC: https://github.com/nollium/CVE-2024-9264

It has an RCE usage mode.

python3 CVE-2024-9264.py -u user -p user -c <shell-cmd> http://localhost:3000

This confirms command execution.

The environment variables (env) contain useful information.

This yields a new user: enzo:RioTecRANDEntANT!

SSH

There is a linpeas.sh in the current directory, presumably shipped with the box; it is a host enumeration script.

A database file is exposed.

This is the JSON configuration file for scheduled tasks, and a password, P4ssw0rdS0pRi0T3c, can be obtained from it.

Trying it for a root login fails.

We should have read this script's output carefully from the start.

Several ports are open, of which 3000 and 8000 are puzzling. 3000 is simply the Grafana framework's port, so forward port 8000.

Port forwarding

SSH port forwarding

After forwarding, accessing http://localhost:8000 locally requires a login; the username is root and the password is the one from the JSON file.

It looks like a web UI for managing cron jobs. Try adding a scheduled task.

Root


HTB-Planning
https://r3bir7hcx.github.io/2025/06/06/HTB-Planning/
Author: CXCX
Posted on: June 6, 2025