Privilege Escalation: Information Collection. (Linux system)

Elevation of Privilege: Information Gathering.

Privilege escalation means raising the privilege level of the access you already hold. Because an operating system is a multi-user system, it enforces permission controls on every user. For example, access obtained through a web vulnerability runs with the permissions of the web process, and web services are usually started under an account with very low privileges. Many operations through a webshell are therefore restricted, which is why the access has to be elevated to an administrative or even the System (root) level. Privileges are usually escalated through operating system vulnerabilities or misconfigurations, or through third-party software and services, such as vulnerabilities in database or FTP software.


Table of contents:

Elevation of Privilege: Information Gathering.

Information Gathering: LinEnum Tool

Step 1: Upload the file to the tmp (temporary) directory of the Linux system.

Step 2: Switch to the tmp directory, and then execute the LinEnum.sh file.

Information Gathering: linuxprivchecker Tool

Step 1: Upload the file to the tmp (temporary) directory of the Linux system.

Step 2: Switch to the tmp directory, and then execute the linuxprivchecker file.


Disclaimer:

It is strictly forbidden to use the techniques mentioned in this article to carry out illegal attacks; otherwise the consequences are at your own risk, and the uploader bears no responsibility.


Information Gathering: LinEnum Tool

Introduction: LinEnum is a Linux enumeration and privilege-escalation check script. It lets a penetration tester analyze a Linux host for vulnerabilities and security misconfigurations in a single run.

Download the LinEnum tool: GitHub - rebootuser/LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks

What LinEnum checks:

(1) Kernel and distribution release details

(2) System information:
    1. Hostname
    2. Networking details
    3. Current IP
    4. Default route details
    5. DNS server information

(3) User information:
    1. Current user details
    2. Last logged-on users
    3. Users currently logged onto the host
    4. List all users, including uid/gid information
    5. List root accounts
    6. Extract password policy and hash storage method information
    7. Check the umask value
    8. Check whether password hashes are stored in /etc/passwd
    9. Extract full details for 'default' uids such as 0, 1000, 1001, etc.
    10. Attempt to read restricted files, e.g. /etc/shadow
    11. List the current user's history files (i.e. .bash_history, .nano_history, etc.)
    12. Basic SSH checks

(4) Privileged access:
    1. Which users have recently used sudo
    2. Determine whether /etc/sudoers is accessible
    3. Determine whether the current user has sudo access without a password
    4. Whether known 'good' breakout binaries are available via sudo (i.e. nmap, vim, etc.)
    5. Whether root's home directory is accessible
    6. List permissions for /home/

(5) Environment:
    1. Display the current $PATH
    2. Display env information

(6) Jobs/Tasks:
    1. List all cron jobs
    2. Locate all world-writable cron jobs
    3. Locate cron jobs owned by other users of the system
    4. List active and inactive systemd timers

(7) Services:
    1. List network connections (TCP and UDP)
    2. List running processes
    3. Look up and list process binaries and their associated permissions
    4. List inetd.conf/xinetd.conf contents and associated binary file permissions
    5. List init.d binary permissions

(8) Version information (of the following):
    1. Sudo
    2. MySQL
    3. Postgres
    4. Apache: (1) Check the user config
               (2) Show enabled modules
               (3) Check for htpasswd files
               (4) View the www directories

(9) Default/weak credentials:
    1. Check for default/weak Postgres accounts
    2. Check for default/weak MySQL accounts

(10) Searches:
    1. Locate all SUID/SGID files
    2. Locate all world-writable SUID/SGID files
    3. Locate all SUID/SGID files owned by root
    4. Locate 'interesting' SUID/SGID files (i.e. nmap, vim, etc.)
    5. Locate files with POSIX capabilities
    6. List all world-writable files
    7. Find/list all accessible *.plan files and display their contents
    8. Find/list all accessible *.rhosts files and display their contents
    9. Show NFS server details
    10. Locate *.conf and *.log files containing a keyword supplied at script runtime
    11. List all *.conf files located in /etc
    12. Backup file search
    13. Locate mail

(11) Platform/software specific tests:
    1. Check whether we are inside a Docker container
    2. Check whether the host has Docker installed
    3. Check whether we are inside an LXC container

Step 1: Upload the file to the tmp (temporary) directory of the Linux system.


Step 2: Switch to the tmp directory, and then execute the LinEnum.sh file.

cd /tmp                        # switch to the tmp directory

chmod +x LinEnum.sh            # grant execute permission on the script

./LinEnum.sh > bgxg.txt        # run the script and save its output to bgxg.txt
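The following is an added hardening audit, not LinEnum's or the original post's code. It re-implements five of the checks from the list above (world-writable cron jobs, SUID/SGID files, NOPASSWD sudo rules, password hashes kept in /etc/passwd, and extra uid-0 accounts) as functions that take a root directory, so the same script can audit the live system or a mounted image; it assumes POSIX sh, find, grep and awk, and the usual /etc/sudoers and /etc/passwd paths.

```shell
#!/bin/sh
# Added hardening audit, not LinEnum's or the post's own code. It re-implements five
# of the checks in the list above as functions that take a root directory, so the
# same script can audit the live system ("/") or an offline copy of a file system.
# Assumptions: POSIX sh, find, grep and awk; sudoers/passwd at the usual paths.

# (6.2) World-writable cron jobs: any user could edit a job that runs as root.
audit_world_writable_cron() {
  for f in "$1/etc/crontab" "$1/etc/cron.d" "$1/etc/cron.hourly" \
           "$1/etc/cron.daily" "$1/etc/cron.weekly" "$1/etc/cron.monthly"; do
    if [ -e "$f" ]; then find "$f" -type f -perm -002; fi
  done
}

# (10.1) SUID/SGID files; diff the result against the package-provided set.
audit_setuid_files() {
  find "${1:-/}" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# (4.3) sudoers rules granting NOPASSWD (commented-out lines are ignored).
audit_nopasswd_sudo() {
  grep -n '^[^#]*NOPASSWD' "$1" 2>/dev/null
}

# (3.8) Accounts whose password hash sits in passwd instead of shadow.
audit_passwd_hashes() {
  awk -F: '$2 != "x" && $2 != "*" && $2 != "" && $2 !~ /^!/ { print $1 }' "$1"
}

# (3.5) Extra uid-0 accounts besides root.
audit_extra_root_accounts() {
  awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

audit_all() {
  root="${1%/}"   # "/" becomes "", so "$root/etc/passwd" is the live file
  echo "[cron]   world-writable jobs:";    audit_world_writable_cron "$root"
  echo "[suid]   setuid/setgid files:";    audit_setuid_files "$root"
  echo "[sudo]   NOPASSWD rules:";         audit_nopasswd_sudo "$root/etc/sudoers"
  echo "[passwd] hashes in passwd:";       audit_passwd_hashes "$root/etc/passwd"
  echo "[passwd] extra uid-0 accounts:";   audit_extra_root_accounts "$root/etc/passwd"
}

# Usage: sh audit.sh /            (live system; run as root so sudoers is readable)
#        sh audit.sh /mnt/image   (mounted disk image or extracted backup)
if [ "$#" -gt 0 ]; then audit_all "$1"; fi
```

Each finding is printed as a path or account name, so the output can be diffed against a known-good baseline from the same distribution to spot drift.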
 


Information Gathering: linuxprivchecker Tool

Download the linuxprivchecker tool: GitHub - flywithoutwings/linuxprivchecker: Linux Privilege Escalation Check Tool linuxprivchecker.py -- a Linux Privilege Escalation Check Script

Step 1: Upload the file to the tmp (temporary) directory of the Linux system.


Step 2: Switch to the tmp directory, and then execute the linuxprivchecker file. (The function is similar to the above.)

cd /tmp                                  # switch to the tmp directory

python linuxprivchecker.py > bgxg2.txt   # run linuxprivchecker.py and save the results to bgxg2.txt

Learning Link: Day 63: Privilege Escalation - Linux Dirty Cow Kernel Vulnerability & SUID & Information Collection (bilibili)


Origin blog.csdn.net/weixin_54977781/article/details/130462847