SuriyaBoon/HackTheBox-Silentium
Hands-on exploitation analysis of the HackTheBox machine Silentium
# HTB Silentium — Full Analysis Report
## Vulnerability Summary
| CVE | Component | Impact | CVSS |
|-----|-----------|--------|------|
| CVE-2025-58434 | Flowise 3.0.5 | Unauthenticated account takeover | 9.8 Critical |
| CVE-2025-59528 | Flowise 3.0.5 | Remote code execution via CustomMCP | 10.0 Critical |
| CVE-2025-8110 | Gogs | Arbitrary file write as root via symlink | High |
## Attack Chain Summary
```
Recon
└─> Subdomain enum → staging.silentium.htb (Flowise 3.0.5)
└─> CVE-2025-58434: Forgot-password leaks tempToken
└─> Reset ben's password → Login to Flowise dashboard
└─> Get API key
└─> CVE-2025-59528: CustomMCP RCE → shell in Docker container
└─> env vars leak SSH credentials (r04D!!_R4ge)
└─> SSH as ben → user.txt
└─> Discover Gogs running as root on :3001
└─> CVE-2025-8110: Symlink + API write
└─> /etc/sudoers.d/ben → sudo root
└─> root.txt
```