天道酬勤

Linux提权相关的基础命令

记录一下关于Linux提权相关的命令

获取系统信息

cat /etc/issue   查看发行版
cat /etc/*-release   查看发行版
cat /proc/version
uname -a   查看内核版本
rpm -q kernel   红帽系统特有
dmesg | grep Linux
ls /boot | grep vmlinuz-
lsb_release -a

测试

root@kali:~/桌面# uname -a
Linux kali 5.3.0-kali2-amd64 #1 SMP Debian 5.3.9-3kali1 (2019-11-20) x86_64 GNU/Linux
root@kali:~/桌面# cat /etc/issue
Kali GNU/Linux Rolling \n \l

root@kali:~/桌面# cat /etc/*-release
DISTRIB_ID=Kali
DISTRIB_RELEASE=kali-rolling
DISTRIB_CODENAME=kali-rolling
DISTRIB_DESCRIPTION="Kali GNU/Linux Rolling"
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2019.4"
VERSION_ID="2019.4"
VERSION_CODENAME="kali-rolling"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="https://www.kali.org/"
SUPPORT_URL="https://forums.kali.org/"
BUG_REPORT_URL="https://bugs.kali.org/"
root@kali:~/桌面# cat /proc/version
Linux version 5.3.0-kali2-amd64 (devel@kali.org) (gcc version 9.2.1 20191109 (Debian 9.2.1-19)) #1 SMP Debian 5.3.9-3kali1 (2019-11-20)
root@kali:~/桌面# rpm -q kernel
bash: rpm:未找到命令
root@kali:~/桌面# dmesg | grep Linux
[    0.000000] Linux version 5.3.0-kali2-amd64 (devel@kali.org) (gcc version 9.2.1 20191109 (Debian 9.2.1-19)) #1 SMP Debian 5.3.9-3kali1 (2019-11-20)
[    0.395363] TOMOYO Linux initialized
[    0.663260] ACPI: Added _OSI(Linux-Dell-Video)
[    0.663260] ACPI: Added _OSI(Linux-Lenovo-NV-HDMI-Audio)
[    0.663261] ACPI: Added _OSI(Linux-HPI-Hybrid-Graphics)
[    0.674411] ACPI: [Firmware Bug]: BIOS _OSI(Linux) query ignored
[    2.096841] Linux agpgart interface v0.103
[    2.403251] usb usb1: Manufacturer: Linux 5.3.0-kali2-amd64 ehci_hcd
[    2.404491] usb usb2: Manufacturer: Linux 5.3.0-kali2-amd64 uhci_hcd
root@kali:~/桌面# ls /boot | grep vmlinuz-
vmlinuz-4.19.0-kali4-amd64
vmlinuz-5.3.0-kali2-amd64
root@kali:~/桌面# lsb_release -a
No LSB modules are available.
Distributor ID:	Kali
Description:	Kali GNU/Linux Rolling
Release:	2019.4
Codename:	kali-rolling

检查用户权限

sudo -l
cat /etc/sudoers
whoami

测试

root@kali:~# sudo -l
匹配 %2$s 上 %1$s 的默认条目:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

用户 root 可以在 kali 上运行以下命令:
    (ALL : ALL) ALL
root@kali:~# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults	env_reset
Defaults	mail_badpass
Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root	ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo	ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d
root@kali:~# whoami
root

检查密码文件

cat /etc/passwd
cat /etc/shadow
ls -l /etc/passwd
ls -l /etc/shadow

测试

root@kali:~# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
mysql:x:104:110:MySQL Server,,,:/nonexistent:/bin/false
ntp:x:105:111::/nonexistent:/usr/sbin/nologin
messagebus:x:106:112::/nonexistent:/usr/sbin/nologin
arpwatch:x:107:113:ARP Watcher,,,:/var/lib/arpwatch:/bin/sh
Debian-exim:x:108:114::/var/spool/exim4:/usr/sbin/nologin
uuidd:x:109:115::/run/uuidd:/usr/sbin/nologin
redsocks:x:110:116::/var/run/redsocks:/usr/sbin/nologin
tss:x:111:117:TPM2 software stack,,,:/var/lib/tpm:/bin/false
rwhod:x:112:65534::/var/spool/rwho:/usr/sbin/nologin
iodine:x:113:65534::/var/run/iodine:/usr/sbin/nologin
miredo:x:114:65534::/var/run/miredo:/usr/sbin/nologin
dnsmasq:x:115:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
postgres:x:116:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
usbmux:x:117:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
rtkit:x:118:123:RealtimeKit,,,:/proc:/usr/sbin/nologin
stunnel4:x:119:127::/var/run/stunnel4:/usr/sbin/nologin
sshd:x:120:65534::/run/sshd:/usr/sbin/nologin
Debian-snmp:x:121:128::/var/lib/snmp:/bin/false
sslh:x:122:129::/nonexistent:/usr/sbin/nologin
pulse:x:123:131:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
speech-dispatcher:x:124:29:Speech Dispatcher,,,:/var/run/speech-dispatcher:/bin/false
avahi:x:125:134:Avahi mDNS daemon,,,:/var/run/avahi-daemon:/usr/sbin/nologin
saned:x:126:135::/var/lib/saned:/usr/sbin/nologin
inetsim:x:127:137::/var/lib/inetsim:/usr/sbin/nologin
colord:x:128:138:colord colour management daemon,,,:/var/lib/colord:/usr/sbin/nologin
geoclue:x:129:139::/var/lib/geoclue:/usr/sbin/nologin
king-phisher:x:130:140::/var/lib/king-phisher:/usr/sbin/nologin
Debian-gdm:x:131:141:Gnome Display Manager:/var/lib/gdm3:/bin/false
dradis:x:132:142::/var/lib/dradis:/usr/sbin/nologin
beef-xss:x:133:143::/var/lib/beef-xss:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin
tcpdump:x:134:144::/nonexistent:/usr/sbin/nologin
_rpc:x:135:65534::/run/rpcbind:/usr/sbin/nologin
statd:x:136:65534::/var/lib/nfs:/usr/sbin/nologin
lightdm:x:137:146:Light Display Manager:/var/lib/lightdm:/bin/false
root@kali:~# cat /etc/shadow
root:$6$ggye29CWqUs1m9rQ$aCEepyFLOBjwiAVOxOMTHSGGFAa3JZPB1XW.hJmqiOBZRdgjgP49p8/rHvBUW6H4Fzpdq5YcIfMF2cGbOBdQq.:18137:0:99999:7:::
daemon:*:18024:0:99999:7:::
bin:*:18024:0:99999:7:::
sys:*:18024:0:99999:7:::
sync:*:18024:0:99999:7:::
games:*:18024:0:99999:7:::
man:*:18024:0:99999:7:::
lp:*:18024:0:99999:7:::
mail:*:18024:0:99999:7:::
news:*:18024:0:99999:7:::
uucp:*:18024:0:99999:7:::
proxy:*:18024:0:99999:7:::
www-data:*:18024:0:99999:7:::
backup:*:18024:0:99999:7:::
list:*:18024:0:99999:7:::
irc:*:18024:0:99999:7:::
gnats:*:18024:0:99999:7:::
nobody:*:18024:0:99999:7:::
_apt:*:18024:0:99999:7:::
systemd-timesync:*:18024:0:99999:7:::
systemd-network:*:18024:0:99999:7:::
systemd-resolve:*:18024:0:99999:7:::
mysql:!:18024:0:99999:7:::
ntp:*:18024:0:99999:7:::
messagebus:*:18024:0:99999:7:::
arpwatch:!:18024:0:99999:7:::
Debian-exim:!:18024:0:99999:7:::
uuidd:*:18024:0:99999:7:::
redsocks:!:18024:0:99999:7:::
tss:*:18024:0:99999:7:::
rwhod:*:18024:0:99999:7:::
iodine:*:18024:0:99999:7:::
miredo:*:18024:0:99999:7:::
dnsmasq:*:18024:0:99999:7:::
postgres:*:18024:0:99999:7:::
usbmux:*:18024:0:99999:7:::
rtkit:*:18024:0:99999:7:::
stunnel4:!:18024:0:99999:7:::
sshd:*:18024:0:99999:7:::
Debian-snmp:!:18024:0:99999:7:::
sslh:!:18024:0:99999:7:::
pulse:*:18024:0:99999:7:::
speech-dispatcher:!:18024:0:99999:7:::
avahi:*:18024:0:99999:7:::
saned:*:18024:0:99999:7:::
inetsim:*:18024:0:99999:7:::
colord:*:18024:0:99999:7:::
geoclue:*:18024:0:99999:7:::
king-phisher:*:18024:0:99999:7:::
Debian-gdm:*:18024:0:99999:7:::
dradis:*:18024:0:99999:7:::
beef-xss:*:18024:0:99999:7:::
systemd-coredump:!!:18137::::::
tcpdump:*:18231:0:99999:7:::
_rpc:*:18231:0:99999:7:::
statd:*:18231:0:99999:7:::
lightdm:*:18233:0:99999:7:::
root@kali:~# ls -l /etc/passwd
-rw-r--r-- 1 root root 3233 12月  3 21:26 /etc/passwd
root@kali:~# ls -l /etc/shadow
-rw-r----- 1 root shadow 1732 12月  3 21:26 /etc/shadow

passwd文件中存储了用户,shadow文件中存储的是密码的hash。出于安全的考虑,passwd是全用户可读,root可写的。而Shadow是仅root可读写的。

passwd由冒号分割,第一列是用户名,第二列是密码,x代表密码hash被放在shadow里面了(这样非root就看不到了)。

如果passwd文件可写,可以此利用

查看环境变量

搜寻有配置错误的环境变量,查看是否优先从不安全的路径执行文件。

cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
cat ~/.bash_history
env
set

检查历史文件及命令

cat ~/.*_history

搜寻可被低权限用户使用的root权限程序

crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root

检查以root权限的进程是否存在漏洞

ps aux | grep root
ps -ef | grep root

搜索纯文本凭据的文件

grep -ir user *
grep -ir pass *

查找可写的配置文件

find /etc/ -writable -type f 2>/dev/null

查找suid权限的程序

find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / type f -perm -u=s 2>/dev/null

 

可利用的脚本

LinEnum 
linuxprivchecker.py
unix-privesc-check 

获取反弹shell

python -c 'import pty;pty.spawn("/bin/bash")' 
echo os.system('/bin/bash')
/bin/sh -i

 

参考链接:https://www.cnblogs.com/hookjoy/p/6612595.html

 

赞(0) 打赏
未经允许不得转载:HackerGu‘s Blog » Linux提权相关的基础命令
分享到: 更多 (0)

评论 抢沙发

评论前必须登录!

 

专注黑客技术的研究

联系我们联系我们

觉得文章有用就打赏一下文章作者

微信扫一扫打赏