This article covers the initial enumeration of the target host (IP: 10.10.11.79) and the attack chain against it. An Nmap port scan shows that FTP and HTTP services are open on the target. The article then describes the steps that follow from exploiting the web application vulnerability (CVE-2025-49113): obtaining a shell in the Docker environment, escalating shell privileges, viewing the configuration, logging into the database, cracking passwords, and finally obtaining the SSH password and the sudo commands, followed by further attack using another vulnerability (CVE-2025-27591).
Initial Enumeration
nmap 10.10.11.79 -sV
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-26 04:01 EST
Nmap scan report for era.htb (10.10.11.79)
Host is up (5.7s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.5
80/tcp open  http    nginx 1.18.0 (Ubuntu)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 36.89 seconds
Attack Chain
Attack the web application (CVE-2025-49113) --> Obtain a shell in the Docker environment --> Upgrade the shell --> View the config --> Log in to the database --> View the user and session tables --> Crack the password --> Log in to the web application with this account --> Obtain the SSH password --> After SSH login, check sudo commands --> Find below (CVE-2025-27591)