MazeSec Merge靶机设计流程
攻击链
命令注入(www-data)
opt目录泄露mono密码(www-data>mono)
sudo -u lnnn PATH劫持(mono>lnnn)
/opt/admin/ 目录放置 admin 用户suid curl(lnnn>admin)
/etc/group可写(admin>把自己加入sudo组+已知admin密码=任意命令执行,或加入disk组提权;注意组成员变更需重新登录或 newgrp 后才生效)
流程图

基础环境
安装环境
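# apt-get is the scripting-stable interface (apt warns when driven from a
# script); chain with && so a failed index refresh does not go on to install.
# sudo and curl are both relied on later in this build (the sudoers.d rule for
# mono, the setuid copy of curl under /opt/admin) and are not guaranteed on a
# minimal install, so pull them in explicitly here.
apt-get update && apt-get install -y nginx php-fpm sudo curl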
创建 mono、lnnn、admin用户
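# Create the three chain users (mono -> lnnn -> admin) with bash login shells
# and set their passwords plus root's.
# The values below were produced with `openssl rand -base64 18` and are pinned
# on purpose: mono's password is leaked verbatim in /opt/pass.txt later in the
# build, and admin's password is used in the final step (admin adds itself to
# the sudo group and authenticates with its own password), so regenerating
# them would break the chain.  chpasswd replaces the interactive passwd calls
# so the build can run unattended.
# Caveat: these secrets live in this document; treat it as sensitive and never
# reuse the values outside the lab box.
mono_pw='0ysP8axqGSAkvXnkvxxukVnz'
lnnn_pw='vdvv2HGFv7tVEXNXqqaQh2Sl'
admin_pw='eF27DvosNkei1RyqDzF8IkL7'
root_pw='7NIKKVqcuzE3UkYLVlqSTLZ7'

for user in mono lnnn admin; do
  # -m creates the home directory; user.txt / hint.txt are dropped there later.
  useradd -m -s /bin/bash "$user"
done

# chpasswd reads "user:password" lines on stdin; printf reuses the format for
# each pair and keeps the secrets off the command line / process list.
printf '%s:%s\n' \
  mono  "$mono_pw" \
  lnnn  "$lnnn_pw" \
  admin "$admin_pw" \
  root  "$root_pw" | chpasswd

# Do not leave the secrets sitting in the build shell's environment.
unset mono_pw lnnn_pw admin_pw root_pw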
修改主机名
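# Set the machine name and rewrite /etc/hosts so the new name resolves locally
# (hostnamectl does not touch /etc/hosts on its own).
hostname="Merge"
hostnamectl set-hostname "$hostname"
# This overwrites the whole file: any other entries previously in /etc/hosts
# are dropped, which is fine for a freshly installed box.
cat >/etc/hosts <<EOF
127.0.0.1 localhost
127.0.1.1 $hostname
::1 localhost ip6-localhost ip6-loopback
EOF
# Open a fresh root shell so the prompt reflects the new hostname
# (logging out and back in does the same).
su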
配置 Web 环境
创建目录结构
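# Web root plus the offline IP lookup tool that index.php shells out to.
mkdir -p /var/www/html /var/www/tool/.nali
chown -R www-data:www-data /var/www

# nali binary, pinned to v0.8.1.  It is fetched through a third-party GitHub
# mirror and then executed on the box as www-data by the web page: verify the
# file against the upstream release (sha256 / signature) before trusting it,
# or fetch straight from github.com if the build host can reach it.
# The steps are chained so a failed download never leaves an empty, executable
# /var/www/tool/nali behind.  install = mv + chmod 755 + chown in one step
# (the original chmod +x followed by chmod 755 was redundant).
nali_url='https://ghfile.geekertao.top/https://github.com/zu1k/nali/releases/download/v0.8.1/nali-linux-amd64-v0.8.1.gz'
wget "$nali_url" -O /tmp/nali.gz \
  && gunzip /tmp/nali.gz \
  && install -o www-data -g www-data -m 755 /tmp/nali /var/www/tool/nali \
  && rm -f /tmp/nali

# qqwry.dat: the IPv4 database nali reads from NALI_HOME (index.php points
# NALI_HOME at /var/www/tool/.nali).  Same mirror caveat as above.
qqwry_url='https://ghfile.geekertao.top/https://github.com/FW27623/qqwry/releases/download/2024-09-25/qqwry.dat'
wget "$qqwry_url" -O /tmp/qqwry.dat \
  && install -o www-data -g www-data -m 644 /tmp/qqwry.dat /var/www/tool/.nali/qqwry.dat

# Note the PHP-FPM socket name shown here (e.g. php8.4-fpm.sock); it goes into
# the fastcgi_pass directive of the nginx config below.
ls /var/run/php/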
配置Nginx(手动编辑 /etc/nginx/sites-available/default)
vim /etc/nginx/sites-available/default
Nginx配置参考:
server {
# Plain HTTP only, IPv4 and IPv6 on port 80; default vhost for any Host header.
listen 80 default_server;
listen [::]:80 default_server;
root /var/www/html;
# index.php first so the lookup page is what gets served at /.
index index.php index.html;
server_name _;
location / {
try_files $uri $uri/ =404;
}
# Hand *.php to PHP-FPM over its unix socket.  snippets/fastcgi-php.conf is
# the helper shipped with the distro nginx package.  Adjust the socket name to
# whatever `ls /var/run/php/` showed on the box; php8.4-fpm.sock is only the
# version present at build time.
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_pass unix:/var/run/php/php8.4-fpm.sock;
}
}
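# Validate the config first and only then (re)start and enable nginx.  The
# original restarted unconditionally, which leaves nginx down on a config typo.
nginx -t && systemctl restart nginx && systemctl enable nginx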
创建漏洞 Web 页面
# Write the intentionally vulnerable front page (its contents follow).
vim "/var/www/html/index.php"
index.php内容:
<?php
// Deliberately vulnerable front page for the Merge box: the IP lookup shells
// out to nali and the input filter is intentionally incomplete (see below).
// Do not harden this file without re-checking the attack chain.

// nali configuration: NALI_DB_IP4 selects the qqwry IPv4 database and
// NALI_HOME is the directory that holds qqwry.dat.
putenv('NALI_DB_IP4=qqwry');
putenv('NALI_HOME=/var/www/tool/.nali');
$output = '';
$error = '';
$input_val = '';
// Denylist only.  It blocks space, ';', '&', '|', '$' and backtick, but none
// of the other characters /bin/sh (which shell_exec() uses) treats specially:
// newline, tab, '<', '>', '(' and ')' all pass through.  A newline in the
// POSTed value therefore still ends the nali command and starts a new one.
// This is the www-data entry point of the chain.
$blacklist = [' ', ';', '&', '|', '$','`'];
if (isset($_POST['ip']) && $_POST['ip'] !== '') {
$input_val = $_POST['ip'];
$input = $_POST['ip'];
foreach ($blacklist as $char) {
if (strpos($input, $char) !== false) {
$error = 'Invalid characters detected';
break;
}
}
if ($error === '') {
// The value is concatenated unquoted and without a '--' separator and is
// never validated as an IP address, so a leading '-' reaches nali as an
// option.  2>&1 folds nali's stderr into what the page displays.
$cmd = '/var/www/tool/nali ' . $input . ' 2>&1';
$output = shell_exec($cmd);
// shell_exec() returns null on failure and '' when the command printed nothing.
// Everything echoed below goes through htmlspecialchars(), so the bug is
// command execution on the server, not reflected XSS.
if ($output === null || $output === '') {
$error = 'Query failed or no result';
}
}
}
?>
<!DOCTYPE html>
<html lang="zh">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>离线IP地址查询</title>
<style>
*{margin:0;padding:0;box-sizing:border-box}
body{background:#0d1117;color:#c9d1d9;font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif;display:flex;justify-content:center;align-items:center;min-height:100vh;flex-direction:column}
.main{width:100%;max-width:600px;padding:2rem;display:flex;flex-direction:column;align-items:center;justify-content:center;margin-top:-8vh}
.form-group{width:100%;display:flex;gap:0.5rem}
.form-group input{flex:1;background:#161b22;border:1px solid #30363d;border-radius:6px;padding:0.75rem 1rem;color:#c9d1d9;font-size:0.95rem;outline:none;transition:border-color 0.2s}
.form-group input:focus{border-color:#58a6ff}
.form-group button{background:#238636;color:#fff;border:none;border-radius:6px;padding:0.75rem 1.5rem;font-size:0.9rem;cursor:pointer;transition:background 0.2s;white-space:nowrap}
.form-group button:hover{background:#2ea043}
.result{width:100%;margin-top:1.5rem;padding:1rem;border-radius:6px;min-height:3rem}
.result-success{background:#161b22;border:1px solid #238636}
.result-error{background:#161b22;border:1px solid #da3633;color:#f85149}
.result pre{font-size:0.9rem;white-space:pre-wrap;word-break:break-all}
.placeholder-result{width:100%;margin-top:1.5rem;min-height:3rem;visibility:hidden}
.footer{position:fixed;bottom:0;left:0;right:0;padding:1.5rem 0;text-align:center;width:100%}
.footer a{display:inline-block;font-size:0.7rem;color:#8b949e;border:1px solid #30363d;padding:2px 8px;border-radius:12px;letter-spacing:0.5px;text-decoration:none;transition:color 0.2s,border-color 0.2s}
.footer a:hover{color:#58a6ff;border-color:#58a6ff}
</style>
</head>
<body>
<div class="main">
<form class="form-group" method="POST" action="">
<input type="text" name="ip" id="ipInput" placeholder="输入IP地址查询" value="<?php echo htmlspecialchars($input_val); ?>" autofocus>
<button type="submit">查询</button>
</form>
<?php if ($error !== ''): ?>
<div class="result result-error"><pre><?php echo htmlspecialchars($error); ?></pre></div>
<?php elseif ($output !== ''): ?>
<div class="result result-success"><pre><?php echo htmlspecialchars(trim($output)); ?></pre></div>
<?php else: ?>
<div class="placeholder-result"></div>
<?php endif; ?>
</div>
<div class="footer">
<a href="https://maze-sec.com" target="_blank">maze-sec</a>
</div>
<script>
document.addEventListener('keydown', function(e) {
if (e.key === '/' && document.activeElement !== document.getElementById('ipInput')) {
e.preventDefault();
document.getElementById('ipInput').focus();
}
});
</script>
</body>
</html>
# vim ran as root, so the page is root-owned; hand it to the web user and make
# it world-readable.  Owner rw means www-data can rewrite its own page after the
# injection is used; acceptable for a lab box but worth knowing.
chown www-data:www-data /var/www/html/index.php
chmod u=rw,go=r /var/www/html/index.php
opt目录密码泄露
# Deliberate credential leak for the www-data -> mono step: a world-readable
# file in /opt holding mono's password (must match the one set for mono).
printf 'mono:%s\n' '0ysP8axqGSAkvXnkvxxukVnz' > /opt/pass.txt
chmod u=rw,go=r /opt/pass.txt
部署dirty_merge
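# Stage the Dirty-Merge files from the build host (plain HTTP on the lab
# network; the scheme is spelled out instead of relying on wget's default).
# Every step is chained so a failed fetch does not leave an empty file that
# then gets chmod +x and moved into place.
build_src='http://192.168.6.156'
mkdir -p /opt/Dirty-Merge \
  && cd /opt/Dirty-Merge \
  && wget "$build_src/dirty_merge" -O dirty_merge \
  && wget "$build_src/ethtool" -O ethtool \
  && wget "$build_src/gro_fragnesia.c" -O gro_fragnesia.c \
  && chmod +x dirty_merge ethtool \
  && vim README.md \
  && mv ethtool /usr/local/bin/ethtool
# The custom ethtool is installed on the default PATH for every user, so it
# shadows any distro ethtool.  dirty_merge presumably invokes ethtool by bare
# name (the sudoers rule later keeps the caller's PATH for exactly this), which
# is what makes the mono -> lnnn PATH hijack work; confirm with the binary's
# own README/strings if in doubt.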
sudo -u lnnn path劫持
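# Edit the drop-in with visudo so the syntax is checked before it is saved: a
# malformed file under /etc/sudoers.d breaks sudo for everyone, which would
# also cut the mono -> lnnn step.  Rule contents follow; run `visudo -c`
# afterwards to confirm the whole sudoers set still parses.
visudo -f /etc/sudoers.d/mono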
内容:
# Intended PATH hijack (mono -> lnnn).  The two Defaults below let the caller's
# PATH survive into the sudo'd command, so any helper that dirty_merge looks up
# by bare name (ethtool, judging by the copy installed in /usr/local/bin) can
# be shadowed by a file mono places in a directory listed first in PATH.
# Explicitly keep PATH from the invoking environment.
Defaults env_keep += "PATH"
# Disable secure_path (typically set in the distro's /etc/sudoers), which would
# otherwise overwrite PATH with a fixed safe list regardless of env_keep.
Defaults !secure_path
# mono may run exactly this binary as lnnn, without a password.
mono ALL=(lnnn) NOPASSWD: /opt/Dirty-Merge/dirty_merge
权限收紧
# Deny traversal to group/others so mono cannot read the drop-in directly;
# `sudo -l` still reports the rule, so it is discovered that way instead.
chmod u=rwx,go= /etc/sudoers.d
放置flag
# User flag for the lnnn stage: owned by lnnn, readable by lnnn only.
printf 'flag{user-b67448e8af484d5f8958f307b3d57f09}\n' > /home/lnnn/user.txt
chown lnnn:lnnn /home/lnnn/user.txt
chmod u=rw,go= /home/lnnn/user.txt
suid跳板curl
通过 admin 用户的 suid curl实现 lnnn>admin
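# lnnn -> admin pivot: a setuid copy of curl owned by admin.  lnnn reaches it
# through the group bit on /opt/admin; with euid admin, curl can read and write
# files as admin (file:// URLs, -o), which is the intended next step.
mkdir -p /opt/admin
chown admin:lnnn /opt/admin
chmod u=rwx,g=rx,o= /opt/admin

# Locate curl with command -v (not which) and skip the copy if it is missing
# instead of copying nothing; cp keeps curl's 755 mode.
curl_bin=$(command -v curl) && cp -- "$curl_bin" /opt/admin/curl
chown admin:admin /opt/admin/curl
# We are already root, so the original `sudo -u admin chmod +s` is just chmod.
# ug+s sets both setuid and setgid, matching the original +s.  Confirm the
# filesystem holding /opt is not mounted nosuid (findmnt -T /opt -o OPTIONS),
# otherwise the bit is silently ignored.
chmod ug+s /opt/admin/curl

# Hints (ANSI green; the format strings are literal).  The /opt/admin one
# presumably points at curl's option help; the home-dir one is for the final
# admin stage.
printf '\033[1;32m关注详细的参数帮助信息\033[0m\n' > /opt/admin/hint.txt
printf '\033[1;32mFocus on the detailed parameter help information\033[0m\n' >> /opt/admin/hint.txt
printf '\033[1;32mman,what can i do\033[0m\n' > /home/admin/hint.txt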
修改group配置权限
# Final stage: /etc/group becomes writable by the per-user group useradd
# created for admin, so admin can append itself to sudo (then authenticate
# with its known password) or to disk.  Group membership changes only apply
# to new sessions: re-login or `newgrp` before trying sudo.
chown root:admin /etc/group
chmod 0664 /etc/group
放置root flag(以下为两个flag的汇总,user flag 已在前面写入 /home/lnnn/user.txt)
flag{user-b67448e8af484d5f8958f307b3d57f09}
flag{root-1b5f527b85d84d80816879c8044b0ea9}
# Root flag; it relies on /root's own directory mode for protection.
printf 'flag{root-1b5f527b85d84d80816879c8044b0ea9}\n' > /root/root.txt
清理痕迹
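# Cleanup before snapshotting.  The original only truncated *.log files and
# left the build session's shell history, which would hand players the whole
# build (passwords, flag locations, the Dirty-Merge source host).
rm -rf /tmp/*
# Root's editor/pager state and the command history: the on-disk copy plus the
# in-memory list that bash would write out when this shell exits.
rm -f /root/.lesshst /root/.viminfo /root/.bash_history
history -c
unset HISTFILE
# Package cache.
apt-get clean
# Logs: *.log plus the syslog/messages files and the login records that the
# *.log glob misses; rotated copies are removed outright.
find /var/log -type f \( -name '*.log' -o -name 'syslog*' -o -name 'messages*' \
  -o -name 'wtmp' -o -name 'btmp' -o -name 'lastlog' \) -exec truncate -s 0 {} +
find /var/log -type f \( -name '*.gz' -o -name '*.[0-9]' \) -delete
# systemd journal, if present (binary files under /var/log/journal that the
# find above does not touch).
if command -v journalctl >/dev/null 2>&1; then
  journalctl --rotate && journalctl --vacuum-time=1s
fi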