rm -rf "survivors"

  

For self-entertainment, I decided to start up a Linux server, run the rm -rf / command as root, and then observe which files and commands survive. The result: nothing happens at all! So you have to add --no-preserve-root and try again:

    # rm -rf --no-preserve-root /

When you press Enter, important tools such as /bin/ls, /bin/cat, /bin/chmod and /usr/bin/file disappear! But your current SSH connection and bash session are still there, which means that everything built into bash, such as echo, is unaffected.

Becoming a bash expert

    root@rmrf:/# ls
    -bash: /bin/ls: No such file or directory

Running the above shows that ls is gone, but echo and file globs still work. What can we do with these "survivors"?

    root@rmrf:/# echo *
    dev proc run sys
    root@rmrf:/# echo /dev/pts/*
    /dev/pts/0 /dev/pts/3 /dev/pts/ptmx

Note that /dev, /proc, /run and /sys are still there; they are our lifeline. If we had an ls command, reading the contents of a directory would be easier.

    root@rmrf:/# for ii in /dev/pts/*; do echo $ii; done
    /dev/pts/0
    /dev/pts/3
    /dev/pts/ptmx

Many Reddit users point out that printf is still available. CAMH- notes that printf formats each of its arguments into the output string in turn, and suggests:

    ls() { printf '%s\n' ${1:+${1%/}/}*; }

Since we can define functions in bash, we can build our own ls tool this way, imperfect as it is. But:

    root@rmrf:/# ls() { printf '%s\n' ${1:+${1%/}/}*; }
    -bash: syntax error near unexpected token `('

Hold on, this should be perfectly legal. Has ls already been mapped to something, or is it an alias for another command?

    root@rmrf:/# type ls
    ls is aliased to `ls --color=auto'

So our definition above was expanded to ls --color=auto () { printf '%s\n' ${1:+${1%/}/}*; }. We can use the unalias builtin to remove the alias from ls to ls --color=auto, and then define the function:

    root@rmrf:/# ls () { for ii in $1/*; do echo $ii; done }
    root@rmrf:/# ls
    /dev
    /proc
    /run
    /sys
    root@rmrf:/# ls /dev
    /dev/pts

Save the function to the file utils.sh:

    root@rmrf:/# echo 'ls () { for ii in $1/*; do echo $ii; done }' >> utils.sh
    root@rmrf:/# source utils.sh

How do we implement cat? With read! read is another survivor; combine it with a loop and redirection and a basic cat takes shape:

    root@rmrf:/# (while read line; do echo "$line"; done) < utils.sh
    ls () { for ii in $1/*; do echo $ii; done }
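A slightly more careful version of the two survivors above (a glob-based ls and a read-based cat), written for this article as an added example; it is not the original post's code nor the Reddit commenters'. It also lists hidden entries, survives dangling symlinks and empty directories, and preserves leading blanks and backslashes when copying a file. The names builtin_ls and builtin_cat are my own. It is written in POSIX sh, so it runs unchanged in the bash session the article uses:

```sh
# builtin_ls DIR: list the entries of DIR (hidden ones too) using only
# globbing and the printf builtin. Defaults to the current directory.
builtin_ls() {
    dir=${1:-.}
    dir=${dir%/}               # "/dev/" -> "/dev"; "/" -> "" so "$dir"/* is /*
    for f in "$dir"/* "$dir"/.[!.]* "$dir"/..?*; do
        # A pattern with no match is passed through literally, and -e rejects it.
        # -h keeps dangling symlinks (which fail -e) in the listing.
        [ -e "$f" ] || [ -h "$f" ] || continue
        printf '%s\n' "${f##*/}"
    done
}

# builtin_cat FILE...: copy files to stdout with read and printf only.
# IFS= keeps leading and trailing blanks, -r keeps backslashes, and the
# "|| [ -n "$line" ]" clause rescues a final line that has no newline.
builtin_cat() {
    for f in "$@"; do
        while IFS= read -r line || [ -n "$line" ]; do
            printf '%s\n' "$line"
        done < "$f"
    done
}

# Demo on the root directory, which survives the wipe.
builtin_ls /
```

read cannot carry NUL bytes and this cat always terminates the last line with a newline, so it is only good for text; moving a binary onto the box needs the printf escape trick covered later in the article.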

Combining the "survivor" techniques above, some of our tooling can be restored, and since echo can write arbitrary bytes, we can rebuild the Linux toolset. You can also obtain the binary you want directly with curl or wget. First, following the echo approach others have described, get busybox. BusyBox is the Swiss Army knife of embedded Linux, bundling wget, dd, tar and many other tools. Eusebeîa details how to obtain an escaped copy of busybox, so I won't repeat it here.

But there is still a problem.

Even if we echo every byte of the whole binary, the resulting file will not execute. busybox can't be started! An early answer to this problem was to find some executable file that still exists and overwrite it with echo. We have made such modifications to files under /usr and /bin, but this is a bit more complicated.

You can use shell wildcards and a bash test to filter for files with the executable bit set, remembering to exclude directories:

    executable () { if [[ ( ! -d $1 ) && -x $1 ]] ; then echo "$1"; fi }

Found some executables!

    root@rmrf:/# for ii in /*; do executable $ii; done
    root@rmrf:/# for ii in /*/*; do executable $ii; done
    root@rmrf:/# for ii in /*/*/*; do executable $ii; done
    /proc/1107/exe
    /proc/1136/exe
    /proc/1149/exe
    /proc/1179/exe
    /proc/1215/exe
    /proc/1217/exe
    /proc/1220/exe
    /proc/1221/exe
    /proc/1223/exe
    /proc/1248/exe
    /proc/1277/exe
    /proc/1468/exe
    /proc/1478/exe
    /proc/1625/exe
    /proc/1644/exe
    /proc/1/exe
    /proc/374/exe
    /proc/378/exe
    /proc/471/exe
    /proc/616/exe
    /proc/657/exe
    /proc/self/exe

Great! But don't get excited: these are just symlinks pointing at the executables, and the original files no longer exist on disk. So we have to rewrite executable() to exclude symlinks as well.

    root@rmrf:/# executable () { if [[ ( ! -d $1 ) && ( ! -h $1 ) && -x $1 ]] ; then echo "$1"; fi }
    root@rmrf:/# for ii in /*/*/*; do executable $ii; done
    root@rmrf:/# for ii in /*/*/*/*; do executable $ii; done
    root@rmrf:/# for ii in /*/*/*/*/*; do executable $ii; done
    root@rmrf:/# for ii in /*/*/*/*/*/*; do executable $ii; done
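The depth-by-depth loops above can be folded into a single recursive walker. This is an added example, not the article's or the Reddit thread's code, and find_exec is my own name for it. It keeps the two tests the article arrived at (not a directory, not a symlink, executable bit set), skips /proc and /sys because their entries describe kernel objects rather than files on disk, and is POSIX sh so it also runs in bash. The tree it walks in the demo is constructed in a temporary directory:

```sh
# find_exec DIR: print regular files under DIR that carry an executable bit,
# skipping symlinks (a /proc/PID/exe link points at a file that is gone) and
# descending into subdirectories. Only globbing, test and printf are used,
# all of which survive rm -rf /.
find_exec() {
    for f in "$1"/* "$1"/.[!.]* "$1"/..?*; do
        case "$f" in
            /proc|/sys) continue ;;          # kernel views, not files on disk
        esac
        if [ -h "$f" ]; then continue; fi    # symlink, live or dangling
        [ -e "$f" ] || continue              # unmatched glob left as a literal
        if [ -d "$f" ]; then
            find_exec "$f"
        elif [ -x "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Demo on a constructed tree: one real executable, one plain file, one symlink.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/lib"
printf '#!/bin/sh\necho hi\n' > "$demo/bin/tool"
chmod 755 "$demo/bin/tool"
printf 'plain data\n' > "$demo/lib/notes"      # no executable bit
ln -s bin/tool "$demo/shortcut"                # symlink: must not be reported
find_exec "$demo"                              # prints only .../bin/tool
rm -r "$demo"
```

The recursion does not need local variables: a POSIX for loop expands its word list once, so the inner call clobbering f does not disturb the outer iteration.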

Disappointing: no output. Perhaps we can lean on something at the kernel level; after all, the magic SysRq interface lets us reboot the box:

    root@rmrf:/# echo 1 > /proc/sys/kernel/sysrq
    root@rmrf:/# echo "b" > /proc/sysrq-trigger

We're stuck at this point; I'll keep studying it on Friday. Thanks for reading, and if you find a good way to obtain an executable, please let me know.

UPDATE: Reddit user throw_away5046 proposes a full solution.

Get a trusted box and, on it (busybox-static for the wiped machine's native architecture):

    $ mkdir $(xxd -p -l 16 /dev/urandom)
    $ cd $_
    $ apt-get download busybox-static
    $ dpkg -x *.deb .
    $ alias encode='{ tr -d "\n" | sed "s#\(..\)#\\\\x\1#g"; echo; }'
    $ alias upload='{ xxd -p | encode | nc -q0 -lp 5050; }'
    $ upload < bin/busybox

On the rm -rf'd machine:

    # cd /
    # alias decode='while read -ru9 line; do printf "$line"; done'
    # alias download='( exec 9<>/dev/tcp/{IP OF NON HOSED BOX}/5050; decode )'
    # download > busybox

Build a setx object that changes the permissions on busybox:

    $ cat > setx.c <

Load setx with the enable builtin and make busybox executable:

    # ( download > setx; enable -f ./setx setx; setx; )
    # /busybox mkdir .bin
    # /busybox --install -s .bin
    # PATH=/.bin
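The upload/download pair is the core of this recovery: the trusted side turns the binary into printf escape sequences, and the wiped side rebuilds it with nothing but the read and printf builtins. Below is an added example of that exchange, not the Reddit poster's code. It swaps the hex \xHH encoding (xxd and sed) for three-digit octal \NNN escapes produced by od, which every POSIX printf understands, emits one independently decodable line per 16 bytes, and connects the two sides with a pipe where the original uses nc and /dev/tcp. The function names are my own, and the sample file is constructed to contain NUL, newline, percent and backslash bytes, the cases that usually break naive transfers:

```sh
# encode_octal FILE: print FILE as lines of \NNN octal escapes, 16 bytes per
# line (od's default), so every line decodes on its own. This is the trusted
# side, where od and sed still exist.
encode_octal() {
    od -An -v -to1 "$1" | sed 's/ \([0-7][0-7]*\)/\\\1/g'
}

# decode_octal: rebuild the bytes from stdin using only read and printf.
# On the wiped host stdin would be the /dev/tcp descriptor from the article.
# No '%' can appear in the escaped text, so using $line as the format is safe.
decode_octal() {
    while IFS= read -r line || [ -n "$line" ]; do
        printf "$line"
    done
}

# roundtrip_ok FILE: push FILE through encode and decode over a pipe and
# return 0 if the result is byte-identical to the original.
roundtrip_ok() {
    out=$(mktemp)
    encode_octal "$1" | decode_octal > "$out"
    if cmp -s "$1" "$out"; then status=0; else status=1; fi
    rm -f "$out"
    return $status
}

# Demo on a constructed 8-byte file: a b NUL LF % \ 0xFF z
sample=$(mktemp)
printf 'ab\000\n%%\\\377z' > "$sample"
encode_octal "$sample"                 # \141\142\000\012\045\134\377\172
if roundtrip_ok "$sample"; then echo "round trip OK"; else echo "round trip FAILED"; fi
rm -f "$sample"
```

Nothing here makes the received file executable; that is the separate step the loadable setx builtin performs, since chmod is gone along with everything else.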
