Privilege escalation [ask a question - get an answer]

Discussion in 'Vulnerabilities' started by Expl0ited, 1 Oct 2011.

  1. kacergei
    I have a web shell on a Windows platform
    Windows NT 6.3 build 9600 (Windows Server 2012 R2 Standard Edition) i586
    Microsoft Windows [Version 6.3.9600]
    PHP/5.6.31
    Microsoft-IIS/8.5
    cURLMySQL/mysqlnd 5.0.11-dev

    ----
    Host Name: SERVER1
    OS Name: Microsoft Windows Server 2012 R2 Standard
    OS Version: 6.3.9600 N/A Build 9600
    OS Manufacturer: Microsoft Corporation
    OS Configuration: Standalone Server
    OS Build Type: Multiprocessor Free
    Registered Owner: Windows User
    Registered Organization:
    Original Install Date: 7/24/2015, 6:06:36 PM
    System Boot Time: 7/24/2017, 8:50:48 PM
    System Manufacturer: Supermicro
    System Model: SYS-6018R-MT
    System Type: x64-based PC
    Processor(s): 2 Processor(s) Installed.
    [01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~1200 Mhz
    [02]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~1200 Mhz
    BIOS Version: American Megatrends Inc. 2.0, 12/18/2015
    Windows Directory: C:\Windows
    System Directory: C:\Windows\system32
    Boot Device: \Device\HarddiskVolume2
    System Locale: en-us;English (United States)
    Input Locale: en-us;English (United States)
    Time Zone: (UTC-05:00) Eastern Time (US & Canada)
    Total Physical Memory: 65,426 MB
    Available Physical Memory: 19,966 MB
    Virtual Memory: Max Size: 130,962 MB
    Virtual Memory: Available: 79,531 MB
    Virtual Memory: In Use: 51,431 MB
    Page File Location(s): C:\pagefile.sys
    Domain: WORKGROUP
    Logon Server: N/A
    Hotfix(s): N/A
    Network Card(s): 2 NIC(s) Installed.
    [01]: Intel(R) I210 Gigabit Network Connection
    Connection Name: Ethernet 8
    DHCP Enabled: No
    IP address(es)
    [01]: ---IP---
    [02]: ---MAC---
    [02]: Intel(R) I210 Gigabit Network Connection
    Connection Name: Internet
    DHCP Enabled: No
    IP address(es)
    [01]: ---IP--- <---- THE SITE IS REACHABLE AT THIS IP
    Hyper-V Requirements: VM Monitor Mode Extensions: Yes
    Virtualization Enabled In Firmware: Yes
    Second Level Address Translation: Yes
    Data Execution Prevention Available: Yes

    server1\iwpd_1(---DELETE---)
    How can I raise privileges on this machine?
    P.S. Please recommend a web shell for Windows
     
  2. SooLFaa
    1) Run the command "systeminfo > C:\temp\1.txt" on the server and send me the resulting file in a PM.
    2) Use passthru instead of system, because by default system does not understand cmd.
     
  3. SooLFaa
    1) Give me the output of sudo -l
    2) The output of /etc/cron or the files in cron.d
    3) What is in tmp, opt
    4) Try sudo -i (what if you're already in sudoers :))
    5) Try creating a symlink
    6) Try the script http://www.securitysift.com/download/linuxprivchecker.py
     
  4. SooLFaa
    UPDATE: Got the sysinfo. Here's the list
    Code:
    [M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
    [*]   https://github.com/foxglovesec/RottenPotato
    [*]   https://github.com/Kevin-Robertson/Tater
    [*]   https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
    [*]   https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
    [*]
    [E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
    [*]   https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
    [*]   https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
    [*]   https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
    [*]   https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
    [*]
    [M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
    [*]   https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
    [*]   https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
    [*]   https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
    [*]
    [E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
    [*]   https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
    [*]   https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
    [*]   https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC
    [*]
    [M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
    [*]   https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
    [*]   https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
    [*]
    [E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
    [*]   https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
    [*]   https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
    [*]
    [E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
    [*]   http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
     
  5. spize0r
    Tell me how to escalate privileges. With which exploit?

    there are two servers
    1:
    $ uname -a
    Linux ks209234.kimsufi.com 2.6.38.2-xxxx-std-ipv6-64 #2 SMP Thu Aug 25 16:43:23 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux

    $ cat /etc/*-release
    CentOS release 6.2 (Final)
    CentOS release 6.2 (Final)
    CentOS release 6.2 (Final)


    2:
    $ uname -a
    Linux php54-web-21 4.4.0-53-generic #74-Ubuntu SMP Fri Dec 2 15:59:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux


    $ cat /etc/*-release
    DISTRIB_ID=Ubuntu
    DISTRIB_RELEASE=16.04
    DISTRIB_CODENAME=xenial
    DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
    NAME="Ubuntu"
    VERSION="16.04.2 LTS (Xenial Xerus)"
    ID=ubuntu
    ID_LIKE=debian
    PRETTY_NAME="Ubuntu 16.04.2 LTS"
    VERSION_ID="16.04"
    HOME_URL="http://www.ubuntu.com/"
    SUPPORT_URL="http://help.ubuntu.com/"
    BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
    VERSION_CODENAME=xenial
    UBUNTU_CODENAME=xenial

    Thanks
     
  6. SooLFaa
    http://www.securitysift.com/download/linuxprivchecker.py - send me the script's output in a PM
     
  7. DezMond™
    Help
    * uname -a
    Code:
    Linux ip-10-149-5-107 2.6.32-431.1.2.0.1.el6.x86_64 #1 SMP Fri Dec 13 13:06:13 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
    * ls -la /boot
    Code:
    total 39464
    dr-xr-xr-x.  4 root root    4096 Dec 23  2013 .
    drwxr-xr-x. 24 root root    4096 Jun 20 06:40 ..
    -rw-r--r--.  1 root root     171 Oct 16  2012 .vmlinuz-2.6.32-279.11.1.el6.x86_64.hmac
    -rw-r--r--.  1 root root     170 Mar 12  2013 .vmlinuz-2.6.32-358.2.1.el6.x86_64.hmac
    -rw-r--r--.  1 root root     174 Dec 13  2013 .vmlinuz-2.6.32-431.1.2.0.1.el6.x86_64.hmac
    -rw-r--r--.  1 root root 2342243 Oct 16  2012 System.map-2.6.32-279.11.1.el6.x86_64
    -rw-r--r--.  1 root root 2407544 Mar 12  2013 System.map-2.6.32-358.2.1.el6.x86_64
    -rw-r--r--.  1 root root 2518212 Dec 13  2013 System.map-2.6.32-431.1.2.0.1.el6.x86_64
    -rw-r--r--.  1 root root  101977 Oct 16  2012 config-2.6.32-279.11.1.el6.x86_64
    -rw-r--r--.  1 root root  104085 Mar 12  2013 config-2.6.32-358.2.1.el6.x86_64
    -rw-r--r--.  1 root root  105203 Dec 13  2013 config-2.6.32-431.1.2.0.1.el6.x86_64
    drwxr-xr-x.  3 root root    4096 Oct 30  2012 efi
    drwxr-xr-x.  2 root root    4096 Dec 23  2013 grub
    -rw-r--r--.  1 root root 6512664 Oct 30  2012 initramfs-2.6.32-279.11.1.el6.x86_64.img
    -rw-r--r--.  1 root root 6619790 Apr 22  2013 initramfs-2.6.32-358.2.1.el6.x86_64.img
    -rw-------.  1 root root 6921745 Dec 23  2013 initramfs-2.6.32-431.1.2.0.1.el6.x86_64.img
    -rw-r--r--.  1 root root  179202 Oct 16  2012 symvers-2.6.32-279.11.1.el6.x86_64.gz
    -rw-r--r--.  1 root root  185828 Mar 12  2013 symvers-2.6.32-358.2.1.el6.x86_64.gz
    -rw-r--r--.  1 root root  193760 Dec 13  2013 symvers-2.6.32-431.1.2.0.1.el6.x86_64.gz
    -rwxr-xr-x.  1 root root 3987760 Oct 16  2012 vmlinuz-2.6.32-279.11.1.el6.x86_64
    -rwxr-xr-x.  1 root root 4043920 Mar 12  2013 vmlinuz-2.6.32-358.2.1.el6.x86_64
    -rwxr-xr-x.  1 root root 4128784 Dec 13  2013 vmlinuz-2.6.32-431.1.2.0.1.el6.x86_64
    * ls -la --full-time /lib
    Code:
    dr-xr-xr-x.  9 root root 4096 2013-12-15 12:30:03.701829792 -0800 .
    drwxr-xr-x. 24 root root 4096 2017-06-20 06:40:08.269205113 -0700 ..
    lrwxrwxrwx.  1 root root   14 2013-12-15 12:30:03.698829792 -0800 cpp -> ../usr/bin/cpp
    drwxr-xr-x. 42 root root 4096 2013-11-22 11:09:17.000000000 -0800 firmware
    drwxr-xr-x.  6 root root 4096 2012-10-30 18:33:20.000000000 -0700 kbd
    drwxr-xr-x.  2 root root 4096 2013-05-09 17:49:28.605425768 -0700 lsb
    dr-xr-xr-x.  5 root root 4096 2013-12-23 02:31:35.810829793 -0800 modules
    drwxr-xr-x.  2 root root 4096 2013-12-15 12:32:06.450829793 -0800 security
    drwxr-xr-x.  6 root root 4096 2012-10-30 18:33:20.000000000 -0700 terminfo
    drwxr-xr-x.  5 root root 4096 2013-12-23 02:31:18.871829793 -0800 udev
    * cat /etc/*-release
    Code:
    CentOS release 6.5 (Final)
    LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
    CentOS release 6.5 (Final)
    CentOS release 6.5 (Final)
     
  8. zifus
    Haven't you tried dirtyc0w?
     
  9. zifus
    Greetings everyone.. I have a problem: I got onto a server, and everything there is seriously locked down.
    I can't do a back-connect, gcc doesn't work, perl doesn't either. Maybe someone has some ideas.
    Server software :PHP/5.2.17-pl0-gentoo Apache cURL MySQL/5.1.62
    User info :uid=81(apache) gid=445(usergrp)
    Disable functions : escapeshellarg, escapeshellcmd, exec, passthru, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system, popen, pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority
     
  10. SooLFaa
    With PHP's own means you can do a lot of things. For example, read a file not via system('cat flag') but via file_get_contents('flag.txt'). A directory listing can likewise be obtained through other functions. And in the list of disabled functions I don't see eval and call_user_func. With PHP you can write an environment variable, take a look at, or even try to get yourself into cron, and so on. And perl, gcc may simply not be installed. Look at python, or better look through /usr/bin, /bin, /usr/sbin, etc. Whatever interpreters/compilers are installed, try to throw a reverse connect with those. In the end, you can open a socket via PHP....
     
    #670 SooLFaa, 10 Aug 2017
    Last edited: 10 Aug 2017
  11. t0ma5
    PHP isn't the newest, try to bypass the function block http://blog.safebuff.com/2016/05/06/disable-functions-bypass/
     
  12. zifus
    Tell me, is there anything for this beast...
    apache@http5 / $ uname -a

    Linux http5 3.2.83 #1 SMP Sat Oct 22 11:27:37 CEST 2016 x86_64 Intel(R) Xeon(R) CPU E5320 @ 1.86GHz GenuineIntel GNU/Linux

    apache@http5 / $ ls -la /boot

    total 16392
    drwxr-xr-x 4 root root 1024 Oct 22 2016 .
    drwxr-xr-x 22 root root 4096 Sep 14 2012 ..
    lrwxrwxrwx 1 root root 1 Nov 14 2007 boot -> .
    drwxr-xr-x 2 root root 1024 Oct 22 2016 grub
    -rw-r--r-- 1 root root 0 Sep 14 2012 .keep
    -rw-r--r-- 1 root root 1631704 Mar 9 2008 kernel-2.6.23-gentoo-r9
    -rw-r--r-- 1 root root 1685240 May 27 2008 kernel-2.6.24-gentoo-r8
    -rw-r--r-- 1 root root 2001344 Jan 12 2010 kernel-2.6.31-gentoo-r6
    -rw-r--r-- 1 root root 2126896 Jul 14 2010 kernel-2.6.34-gentoo-r1
    -rw-r--r-- 1 root root 2127984 Oct 12 2010 kernel-2.6.34-gentoo-r11
    -rw-r--r-- 1 root root 2366768 Oct 22 2016 kernel-3.2.83
    -rw-r--r-- 1 root root 2369296 Aug 20 2012 kernel-3.3.8-gentoo
    -rw-r--r-- 1 root root 2386912 Sep 14 2012 kernel-3.4.9-gentoo
    drwx------ 2 root root 1024 Nov 14 2007 lost+found

    apache@http5 / $ mount

    rootfs on / type rootfs (rw)
    /dev/root on / type ext3 (rw,noatime,errors=continue,barrier=1,data=writeback)
    proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
    tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
    rc-svcdir on /lib64/rc/init.d type tmpfs (rw,nosuid,nodev,noexec,relatime,size=1024k,mode=755)
    sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
    udev on /dev type devtmpfs (rw,nosuid,relatime,size=10240k,nr_inodes=1021437,mode=755)
    devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620)
    shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
    /dev/md0 on /boot type ext3 (rw,noatime)
    /dev/md3 on /tmp type ext3 (rw,noexec,nosuid,nodev,noatime)
    /tmp on /var/tmp type none (rw,noexec,nosuid,nodev,bind,noatime)
    10.0.0.41:/data/nfs/userhomes/userhome3 on /home type nfs (rw,nosuid,noatime,rsize=524288,wsize=524288,intr,tcp,nfsvers=3,addr=10.0.0.41)
    10.0.0.41:/data/nfs/vhosts/vhosts3/vhosts.in_one on /etc/apache2/vhosts.d type nfs (ro,noatime,rsize=524288,wsize=524288,intr,tcp,nfsvers=3,addr=10.0.0.41)
    10.0.0.41:/data/nfs/checkdirs/checkdir3 on /checkdir type nfs (rw,noatime,rsize=524288,wsize=524288,intr,tcp,nfsvers=3,addr=10.0.0.41)
    10.0.0.41:/data/nfs/php/php3 on /etc/php/nfs type nfs (ro,noatime,rsize=524288,wsize=524288,intr,tcp,nfsvers=3,addr=10.0.0.41)

    apache@http5 / $ df -h

    Filesystem Size Used Avail Use% Mounted on
    rootfs 37G 19G 17G 55% /
    /dev/root 37G 19G 17G 55% /
    tmpfs 3.9G 68K 3.9G 1% /run
    rc-svcdir 1.0M 68K 956K 7% /lib64/rc/init.d
    udev 10M 4.0K 10M 1% /dev
    shm 3.9G 0 3.9G 0% /dev/shm
    /dev/md0 99M 23M 72M 24% /boot
    /dev/md3 132G 189M 126G 1% /tmp
    10.0.0.41:/data/nfs/userhomes/userhome3 3.2T 2.1T 1.1T 66% /home
    10.0.0.41:/data/nfs/vhosts/vhosts3/vhosts.in_one 3.2T 2.1T 1.1T 66% /etc/apache2/vhosts.d
    10.0.0.41:/data/nfs/checkdirs/checkdir3 3.2T 2.1T 1.1T 66% /checkdir
    10.0.0.41:/data/nfs/php/php3 3.2T 2.1T 1.1T 66% /etc/php/nfs

    apache@http5 / $ cat /etc/issue

    This is \n.\O (\s \m \r) \t

    apache@http5 / $ cat /etc/crontab
    # for vixie cron
    # $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/files/crontab-3.0.1-r4,v 1.3 2011/09/20 15:13:51 idl0r Exp $

    # Global variables
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    HOME=/

    # check scripts in cron.hourly, cron.daily, cron.weekly and cron.monthly
    59 * * * * root rm -f /var/spool/cron/lastrun/cron.hourly
    9 3 * * * root rm -f /var/spool/cron/lastrun/cron.daily
    19 4 * * 6 root rm -f /var/spool/cron/lastrun/cron.weekly
    29 5 1 * * root rm -f /var/spool/cron/lastrun/cron.monthly
    */10 * * * * root test -x /usr/sbin/run-crons && /usr/sbin/run-crons

    29 0,6,12,18 * * * root /root/bin/apache-restart.sh >> /root/bin/apache-restart.log 2>&1

    3-58/5 * * * * root /root/bin/copy_loghost_shorewall_rules.sh > /dev/null 2>&1

    apache@http5 / $ cat /proc/version
    Linux version 3.2.83 (root@http5) (gcc version 4.5.4 (Gentoo 4.5.4 p1.0, pie-0.4.7) ) #1 SMP Sat Oct 22 11:27:37 CEST 2016

    apache@http5 / $ cat /proc/sys/vm/mmap_min_addr
    65536

    apache@http5 / $ pwd
    /
    apache@http5 / $ ls -la /usr/bin/staprun
    ls: cannot access /usr/bin/staprun: No such file or directory

    apache@http5 / $ find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null
    -r-s--x--x 1 root root 102784 Sep 14 2012 /sbin/mount.nfs
    -rws--x--x 1 root root 31152 Sep 14 2012 /sbin/unix_chkpwd
    -rws--x--x 1 root root 39672 Sep 14 2012 /bin/ping
    -rws--x--x 1 root root 60672 Sep 14 2012 /bin/umount
    -rws--x--x 1 root root 82064 Sep 14 2012 /bin/mount
    -rws--x--x 1 root root 42592 Sep 14 2012 /bin/passwd
    -rws--x--x 1 root root 36680 Sep 14 2012 /bin/su
    -rws--x--x 1 root root 259144 Sep 14 2012 /usr/lib64/misc/ssh-keysign
    -rws--x--x 1 root root 10184 Sep 14 2012 /usr/lib64/misc/glibc/pt_chown
    -rws--x--x 1 root root 36296 Sep 14 2012 /usr/bin/newgrp
    -rws--x--x 1 root root 59520 Sep 14 2012 /usr/bin/gpasswd
    -rws--x--x 1 root root 41664 Sep 14 2012 /usr/bin/chfn
    -rws--x--x 1 root root 36896 Sep 14 2012 /usr/bin/chsh
    -rws--x--x 1 root root 58848 Sep 14 2012 /usr/bin/chage
    -rwsr-x--x 1 root root 544534 Aug 14 2011 /usr/bin/sudo
    -rws--x--x 1 root root 23064 Sep 14 2012 /usr/bin/expiry
     
  13. Kevin Shindel
    Help me escalate privileges on Win Server 2016 x64
    I have a user account.
     
  14. salam477
    Tell me, is privilege escalation possible?

    $ uname -a
    Linux /-hiddenlink-/ 2.6.32-042stab123.3 #1 SMP Fri May 5 12:29:05 MSK 2017 x86_64 x86_64 x86_64 GNU/Linux

    $ ls -la /boot

    total 34040
    dr-xr-xr-x 3 root root 4096 Dec 12 2011 .
    drwxr-xr-x 24 root root 4096 Sep 5 22:07 ..
    -rw-r--r-- 1 root root 171 Nov 23 2011 .vmlinuz-2.6.32-131.21.1.el6.x86_64.hmac
    -rw-r--r-- 1 root root 170 Jun 27 2011 .vmlinuz-2.6.32-71.29.1.el6.x86_64.hmac
    -rw-r--r-- 1 root root 2280032 Nov 23 2011 System.map-2.6.32-131.21.1.el6.x86_64
    -rw-r--r-- 1 root root 2228188 Jun 27 2011 System.map-2.6.32-71.29.1.el6.x86_64
    -rw-r--r-- 1 root root 100203 Nov 23 2011 config-2.6.32-131.21.1.el6.x86_64
    -rw-r--r-- 1 root root 97911 Jun 27 2011 config-2.6.32-71.29.1.el6.x86_64
    drwxr-xr-x 2 root root 4096 Aug 29 2011 grub
    -rw-r--r-- 1 root root 11547111 Dec 12 2011 initramfs-2.6.32-131.21.1.el6.x86_64.img
    -rw-r--r-- 1 root root 10562525 Sep 13 2011 initramfs-2.6.32-71.29.1.el6.x86_64.img
    -rw-r--r-- 1 root root 165881 Nov 23 2011 symvers-2.6.32-131.21.1.el6.x86_64.gz
    -rw-r--r-- 1 root root 160602 Jun 27 2011 symvers-2.6.32-71.29.1.el6.x86_64.gz
    -rwxr-xr-x 1 root root 3882160 Nov 23 2011 vmlinuz-2.6.32-131.21.1.el6.x86_64
    -rwxr-xr-x 1 root root 3795744 Jun 27 2011 vmlinuz-2.6.32-71.29.1.el6.x86_64

    $ ls -la --full-time /lib

    $ mount

    /dev/simfs on / type simfs (rw,relatime,usrquota,grpquota)
    proc on /proc type proc (rw,relatime)
    sysfs on /sys type sysfs (rw,relatime)
    none on /dev type devtmpfs (rw,relatime,mode=755)
    none on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)

    $ df -h

    Filesystem Size Used Avail Use% Mounted on
    /dev/simfs 120G 28G 93G 23% /
    none 2.0G 4.0K 2.0G 1% /dev

    $ cat /etc/issue

    CentOS release 6.1 (Final)
    Kernel \r on an \m

    $ cat /etc/crontab

    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    HOME=/

    # For details see man 4 crontabs

    # Example of job definition:
    # .---------------- minute (0 - 59)
    # | .------------- hour (0 - 23)
    # | | .---------- day of month (1 - 31)
    # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
    # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
    # | | | | |
    # * * * * * user-name command to be executed


    $ cat /proc/version
    Linux version 2.6.32-042stab123.3 ([email protected]) (gcc version 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) ) #1 SMP Fri May 5 12:29:05 MSK 2017

    $ cat /proc/sys/vm/mmap_min_addr
    4096

    $ pwd
    /var/www/-hiddenlink-/data/www/-hiddenlink-

    $ ls -la /usr/bin/staprun

    $ find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null
    -r-sr-xr-x 1 root root 53992 Aug 1 2013 /usr/local/ispmgr/cgi/download
    -r-sr-xr-x 1 root root 13024 Aug 1 2013 /usr/local/ispmgr/cgi/login
    -r-sr-xr-x 1 root root 38264 Aug 1 2013 /usr/local/ispmgr/cgi/xml2csv
    -r-sr-xr-x 1 root root 49016 Aug 1 2013 /usr/local/ispmgr/cgi/upload
    -r-sr-xr-x 1 root root 8280 Aug 1 2013 /usr/local/ispmgr/cgi/ispmgr
    -r-sr-xr-x 1 root root 140408 Aug 1 2013 /usr/local/ispmgr/cgi/getuser
    -r-sr-xr-x 1 root root 53248 Aug 1 2013 /usr/local/ispmgr/cgi/cronrun
    -r-sr-xr-x 1 root root 53280 Aug 1 2013 /usr/local/ispmgr/cgi/mindterm
    -r-sr-xr-x 1 root root 140888 Aug 1 2013 /usr/local/ispmgr/cgi/bdownload
    -r-sr-xr-x 1 root root 19816 Aug 1 2013 /usr/local/ispmgr/cgi/outlook
    -r-sr-xr-x 1 root root 32752 Aug 1 2013 /usr/local/ispmgr/cgi/dbdownload
    -r-sr-xr-x 1 root root 57344 Aug 1 2013 /usr/local/ispmgr/cgi/certdownload
    -r-sr-xr-x 1 root root 1547912 Aug 1 2013 /usr/local/ispmgr/bin/ispmgr
    -r-sr-xr-x 1 root root 1146280 Aug 1 2013 /usr/local/ispmgr/sbin/pbackup
    -r-sr-xr-x 1 root root 5704 Sep 29 2015 /usr/local/ispmgr/sbin/suexec
    -r-sr-xr-x 1 root root 66392 Aug 1 2013 /usr/local/ispmgr/sbin/responder
    -r-sr-xr-x 1 root root 36480 Aug 1 2013 /usr/local/ispmgr/sbin/vacation
    -r-sr-xr-x 1 root root 1774704 Aug 1 2013 /usr/local/ispmgr/sbin/usermove
    -rwsr-xr-x 1 root root 18080 Jun 25 2011 /usr/bin/pkexec
    -rwsr-xr-x 1 root root 51784 Nov 23 2013 /usr/bin/crontab
    -rwsr-xr-x 1 root root 59440 Jul 19 2011 /usr/bin/chage
    -rws--x--x 1 root root 20056 Jul 20 2011 /usr/bin/chsh
    ---s--x--x 2 root root 212904 Sep 23 2011 /usr/bin/sudo
    -rwsr-xr-x 1 root root 25304 Aug 22 2010 /usr/bin/passwd
    -rwsr-xr-x 1 root root 64688 Jul 19 2011 /usr/bin/gpasswd
    -rws--x--x 1 root root 20184 Jul 20 2011 /usr/bin/chfn
    -rwsr-xr-x 1 root root 54240 Jun 25 2011 /usr/bin/at
    -rwsr-xr-x 1 root root 33192 Jul 19 2011 /usr/bin/newgrp
    ---s--x--x 2 root root 212904 Sep 23 2011 /usr/bin/sudoedit
    -rws--x--x 1 root root 14280 Jan 27 2015 /usr/libexec/pt_chown
    -rws--x--x 1 vcsa root 7352 Aug 23 2010 /usr/libexec/mc/cons.saver
    -rwsr-xr-x 1 root root 224912 Oct 24 2011 /usr/libexec/openssh/ssh-keysign
    -rwsr-xr-x 1 root root 11080 Jun 25 2011 /usr/libexec/polkit-1/polkit-agent-helper-1
    -rwsr-xr-x 1 root root 1118184 May 24 2011 /usr/sbin/exim
    -rws--x--x 1 root root 33952 Aug 22 2010 /usr/sbin/userhelper
    -r-s--x--- 1 root apache 13984 Apr 4 2014 /usr/sbin/suexec
    -rwsr-xr-x 1 root root 9000 Dec 3 2011 /usr/sbin/usernetctl
    -rwsr-xr-x 1 root root 34904 Nov 22 2011 /bin/su
    -rwsr-xr-x 1 root root 36488 Jul 19 2011 /bin/ping6
    -rwsr-xr-x 1 root root 76152 Jul 20 2011 /bin/mount
    -rwsr-xr-x 1 root root 50272 Jul 20 2011 /bin/umount
    -rwsr-xr-x 1 root root 40760 Jul 19 2011 /bin/ping
    -rwsr-x--- 1 root dbus 46232 Sep 13 2012 /lib64/dbus-1/dbus-daemon-launch-helper
    -rwsr-xr-x 1 root root 32160 Jul 20 2011 /sbin/unix_chkpwd
    -rwsr-xr-x 1 root root 9632 Jul 20 2011 /sbin/pam_timestamp_check
     
    #674 salam477, 29 Sep 2017
    Last edited: 30 Sep 2017
  15. passwd

    passwd (New Member; joined 23 Dec 2010; 78 messages; 2 likes; 5 reputations)

    Can someone tell me what to do next?
    I created a user with DirtyCow. But SSH won't connect (it doesn't even prompt for a login, just a connection timeout right away). I have an uploaded shell (wso).
    How do I run commands as root? Or how do I change the user:group in the shell?

    Linux version 2.6.18-408.el5 ([email protected]) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-55)) #1 SMP Tue Jan 19 08:14:00 EST 2016

    CentOS release 5.11 (Final)
    Kernel \r on an \m

    Userful: gcc, cc, ld, make, php, perl, python, ruby, tar, gzip, bzip2, nc, locate
    Danger: clamd, iptables, tripwire, logwatch
    Downloaders: wget, lynx, links, curl, lwp-mirror
     
  16. Muracha

    Muracha (Member; joined 30 Jul 2011; 153 messages; 10 likes; 0 reputations)

    Apache: the shell runs with the permissions of nobody.
    There are scripts owned by nobody and scripts owned by the user.
    If the shell is uploaded as nobody it will run as nobody, but what if it is uploaded as the user?
    Or will all privileges be cut down to zero regardless of that?
     
  17. dmax0fw

    dmax0fw (Level 8; joined 31 Dec 2017; 107 messages; 131 likes; 46 reputations)

    It doesn't matter whose scripts they are; what matters is which user they are executed as.
    Even if you are able to upload a web shell as the user, Apache will execute it as nobody, because the Apache config specifies which user PHP is executed as.
    But the configs can differ for each site, i.e. the config for site1 may say to execute PHP scripts as user1, while the config for site2 says to execute them as user2.
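    The per-site user mapping described above is something a hosting admin can audit directly from the Apache configuration. The script below is an added example for this thread (not code from any poster or from the Apache project). It assumes PHP is executed as CGI/FastCGI through suexec, so that a `SuexecUserGroup` directive inside a `<VirtualHost>` block selects the user and a vhost without one falls back to the server-wide `User` (with mod_php every script runs as that server-wide user regardless). The configuration text is constructed for the example.

```python
"""Report which user each virtual host's PHP would run as (added example)."""
import re

# Constructed sample configuration: two isolated sites and one that falls
# back to the shared worker user (assumption: PHP via CGI/FastCGI + suexec).
SAMPLE_CONFIG = """\
User nobody
Group nobody

<VirtualHost *:80>
    ServerName site1.example
    DocumentRoot /var/www/site1
    SuexecUserGroup user1 user1
</VirtualHost>

<VirtualHost *:80>
    ServerName site2.example
    DocumentRoot /var/www/site2
    SuexecUserGroup user2 user2
</VirtualHost>

<VirtualHost *:80>
    ServerName legacy.example
    DocumentRoot /var/www/legacy
</VirtualHost>
"""

# Apache directive names are case-insensitive, hence re.I everywhere.
VHOST_RE = re.compile(r"<VirtualHost\b[^>]*>(.*?)</VirtualHost>", re.S | re.I)
SERVERNAME_RE = re.compile(r"^[ \t]*ServerName[ \t]+(\S+)", re.M | re.I)
SUEXEC_RE = re.compile(r"^[ \t]*SuexecUserGroup[ \t]+(\S+)[ \t]+(\S+)", re.M | re.I)
# "User <name>" at line start; "UserDir ..." does not match because of the
# mandatory whitespace right after "User".
GLOBAL_USER_RE = re.compile(r"^[ \t]*User[ \t]+(\S+)", re.M | re.I)


def php_users(config_text):
    """Return {server_name: (user, source)}, source being 'suexec' or 'global'."""
    m = GLOBAL_USER_RE.search(config_text)
    global_user = m.group(1) if m else None
    result = {}
    for block in VHOST_RE.findall(config_text):
        name = SERVERNAME_RE.search(block)
        if not name:
            continue  # unnamed vhost; nothing to key on
        su = SUEXEC_RE.search(block)
        if su:
            result[name.group(1)] = (su.group(1), "suexec")
        else:
            result[name.group(1)] = (global_user, "global")
    return result


def shared_worker_sites(config_text):
    """Sites whose PHP runs as the shared Apache user.

    These are the ones to fix first: a compromise of any such site's scripts
    reaches every other file that the worker user can read or write.
    """
    return sorted(n for n, (_, src) in php_users(config_text).items()
                  if src == "global")


if __name__ == "__main__":
    for site, (user, src) in php_users(SAMPLE_CONFIG).items():
        print(f"{site:20} runs PHP as {user} ({src})")
    print("not isolated:", shared_worker_sites(SAMPLE_CONFIG))
```

    Run it against a real `httpd.conf` (with its included vhost files concatenated) to get the same table for a live server; any site listed by `shared_worker_sites` shares its execution identity with every other such site.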
     
  18. Dr_Wile

    Dr_Wile (Member; joined 19 Oct 2016; 121 messages; 54 likes; 2 reputations)

    Hello, a question about rooting Linux machines. The situation is this: I have some rights on a server and access over SSH. Some info: Linux localhost.localdomain 2.6.32-696.13.2.el6.i686. Question: what should the next step be? Look for exploits for the kernel and learn to use them?
    Thanks!
     
  19. ShpillyWilly

    ShpillyWilly (New Member; joined 27 Sep 2012; 71 messages; 3 likes; 0 reputations)

    To start with, here:

    A message with a question must contain the output of the following commands:
    • uname -a
    • ls -la /boot
    • ls -la --full-time /lib (or /lib64)
    • mount
    • df -h
    • cat /etc/issue
    • cat /etc/crontab (ls -la cron.d, cron.hourly, cron.monthly, cron.weekly) + the contents of every file in those directories.
    • cat /proc/version
    • cat /proc/sys/vm/mmap_min_addr
    • pwd
    • ls -la /usr/bin/staprun
    • find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null
    Also be sure to write down everything you have tried for privilege escalation and which errors came up.
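    The longest item in that checklist, the `find / -perm -u+s -exec ls -la {} \;` listing, is also the one an administrator should be reviewing on their own hosts. The script below is an added example for this thread (not code from any poster): it parses `ls -la` lines in the format shown in the posts above (with or without the SELinux `.` after the mode) and reports, from a defender's side, which setuid/setgid files deserve a second look: files that are group- or world-writable, files setuid to a non-root account, and files outside the prefixes where distribution packages normally ship setuid helpers (third-party control panels under /usr/local, /opt and the like). The prefix list and the sample lines are constructed assumptions, not a statement about any particular host.

```python
"""Triage a setuid/setgid file listing produced by find + ls -la (added example)."""
import re
from dataclasses import dataclass

# Where a distribution package normally installs setuid helpers (assumption).
# Anything outside these prefixes is reported as third-party.
PACKAGED_PREFIXES = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/",
                     "/usr/libexec/", "/lib/", "/lib64/",
                     "/usr/lib/", "/usr/lib64/")

# mode, optional SELinux '.', links, user, group, size, "Mon DD YYYY" or
# "Mon DD HH:MM", absolute path.
LS_LINE = re.compile(
    r"^(?P<mode>[-dlcbps][rwxsStT-]{9})\.?\s+\d+\s+(?P<user>\S+)\s+(?P<group>\S+)"
    r"\s+(?P<size>\d+)\s+\w{3}\s+\d{1,2}\s+(?:\d{4}|\d{2}:\d{2})\s+(?P<path>/.*)$"
)

# Constructed sample listing in the same format as the posts above.
SAMPLE_LISTING = """\
total 12
-r-sr-xr-x 1 root root 53992 Aug 1 2013 /usr/local/ispmgr/cgi/download
-rwsr-xr-x 1 root root 25304 Aug 22 2010 /usr/bin/passwd
-rws--x--x 1 vcsa root 7352 Aug 23 2010 /usr/libexec/mc/cons.saver
-rwsr-xr-x. 1 root root 256572 Aug 31 23:36 /usr/libexec/openssh/ssh-keysign
-rwsr-xrwx 1 root root 12345 Jan 1 2017 /opt/vendor/bin/helper
-rwxr-xr-x 1 root root 100 Jan 1 2017 /usr/bin/not_setuid
""".splitlines()


@dataclass
class Entry:
    mode: str
    user: str
    group: str
    size: int
    path: str

    # mode string layout: [0] type, [1-3] owner rwx, [4-6] group rwx, [7-9] other rwx
    @property
    def setuid(self): return self.mode[3] in "sS"
    @property
    def setgid(self): return self.mode[6] in "sS"
    @property
    def group_writable(self): return self.mode[5] == "w"
    @property
    def world_writable(self): return self.mode[8] == "w"
    @property
    def packaged(self): return self.path.startswith(PACKAGED_PREFIXES)


def parse_ls_line(line):
    """Parse one `ls -la` line; return None for headers such as 'total 12'."""
    m = LS_LINE.match(line.strip())
    if not m:
        return None
    return Entry(m["mode"], m["user"], m["group"], int(m["size"]), m["path"])


def audit(lines):
    """Return a list of (path, reason) findings for the setuid/setgid files."""
    findings = []
    for line in lines:
        e = parse_ls_line(line)
        if e is None or not (e.setuid or e.setgid):
            continue
        if e.world_writable or e.group_writable:
            findings.append((e.path, "setuid/setgid file is writable by group or others"))
        if e.setuid and e.user != "root":
            findings.append((e.path, f"setuid to non-root account {e.user}"))
        if not e.packaged:
            findings.append((e.path, "setuid/setgid file outside packaged prefixes"))
    return findings


if __name__ == "__main__":
    for path, reason in audit(SAMPLE_LISTING):
        print(f"{path}: {reason}")
```

    Feed it the real listing (`find / -type f -perm /6000 -exec ls -la {} \; 2>/dev/null | python3 audit.py`, adapting the `__main__` block to read stdin) and compare the third-party entries against what the installed packages and control panel are expected to provide; a writable setuid file is a configuration error that should be corrected immediately.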
     
  20. Dr_Wile

    Dr_Wile (Member; joined 19 Oct 2016; 121 messages; 54 likes; 2 reputations)

    uname -a
    Linux localhost.localdomain 2.6.32-696.13.2.el6.i686 #1 SMP Thu Oct 5 20:42:25 UTC 2017 i686 i686 i386 GNU/Linux

    ls -la /boot

    total 46022
    dr-xr-xr-x. 5 root root 1024 Nov 3 10:26 .
    dr-xr-xr-x. 21 root root 4096 Dec 28 09:15 ..
    -rw-r--r--. 1 root root 109953 Nov 22 2013 config-2.6.32-431.el6.i686
    -rw-r--r--. 1 root root 112821 Oct 6 02:47 config-2.6.32-696.13.2.el6.i686
    drwxr-xr-x. 3 root root 1024 Nov 3 09:51 efi
    drwxr-xr-x. 2 root root 1024 Nov 3 10:26 grub
    -rw-------. 1 root root 14825818 Nov 3 09:53 initramfs-2.6.32-431.el6.i686.img
    -rw-------. 1 root root 19445667 Nov 3 10:26 initramfs-2.6.32-696.13.2.el6.i686.img
    drwx------. 2 root root 12288 Nov 3 09:45 lost+found
    -rw-r--r--. 1 root root 190104 Nov 22 2013 symvers-2.6.32-431.el6.i686.gz
    -rw-r--r--. 1 root root 211993 Oct 6 02:48 symvers-2.6.32-696.13.2.el6.i686.gz
    -rw-r--r--. 1 root root 1982877 Nov 22 2013 System.map-2.6.32-431.el6.i686
    -rw-r--r--. 1 root root 2064350 Oct 6 02:47 System.map-2.6.32-696.13.2.el6.i686
    -rwxr-xr-x. 1 root root 4002656 Nov 22 2013 vmlinuz-2.6.32-431.el6.i686
    -rw-r--r--. 1 root root 164 Nov 22 2013 .vmlinuz-2.6.32-431.el6.i686.hmac
    -rwxr-xr-x. 1 root root 4137568 Oct 6 02:47 vmlinuz-2.6.32-696.13.2.el6.i686
    -rw-r--r--. 1 root root 169 Oct 6 02:47 .vmlinuz-2.6.32-696.13.2.el6.i686.hmac

    mount
    /dev/mapper/VolGroup-lv_root on / type ext4 (rw)
    proc on /proc type proc (rw)
    sysfs on /sys type sysfs (rw)
    devpts on /dev/pts type devpts (rw,gid=5,mode=620)
    tmpfs on /dev/shm type tmpfs (rw)
    /dev/sda1 on /boot type ext4 (rw)
    /dev/sdb1 on /usr/home type ext3 (rw)
    none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

    df -h

    Filesystem Size Used Avail Use% Mounted on
    /dev/mapper/VolGroup-lv_root
    35G 1.5G 31G 5% /
    tmpfs 503M 0 503M 0% /dev/shm
    /dev/sda1 477M 48M 404M 11% /boot
    /dev/sdb1 74G 49G 22G 70% /usr/home

    cat /etc/issue
    CentOS release 6.9 (Final)
    Kernel \r on an \m

    cat /etc/crontab
    SHELL=/bin/bash
    PATH=/sbin:/bin:/usr/sbin:/usr/bin
    MAILTO=root
    HOME=/

    # For details see man 4 crontabs

    # Example of job definition:
    # .---------------- minute (0 - 59)
    # | .------------- hour (0 - 23)
    # | | .---------- day of month (1 - 31)
    # | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
    # | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
    # | | | | |
    # * * * * * user-name command to be executed


    cat /proc/version
    Linux version 2.6.32-696.13.2.el6.i686 ([email protected]) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC) ) #1 SMP Thu Oct 5 20:42:25 UTC 2017
    cat /proc/sys/vm/mmap_min_addr
    4096

    ls -la /usr/bin/staprun
    ---s--x--- 1 root stapusr 178148 Mar 22 2017 /usr/bin/staprun
    find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null

    -rwsr-x---. 1 root dbus 46120 Apr 22 2015 /lib/dbus-1/dbus-daemon-launch-helper
    -rws--x--x. 1 root root 13028 Jun 20 2017 /usr/libexec/pt_chown
    -rws--x--x. 1 vcsa root 6064 May 11 2016 /usr/libexec/mc/cons.saver
    -rwsr-xr-x. 1 root root 256572 Aug 31 23:36 /usr/libexec/openssh/ssh-keysign
    -rwsr-xr-x. 1 root root 7060 Oct 4 08:24 /usr/sbin/usernetctl
    -rwsr-xr-x. 1 root root 18448 Oct 15 2014 /usr/sbin/scponlyc
    -rwsr-xr-x. 1 root root 25980 Nov 23 2015 /usr/bin/passwd
    -rwsr-xr-x. 1 root root 46780 Aug 24 2016 /usr/bin/crontab
    -rwsr-xr-x. 1 root root 69452 May 11 2016 /usr/bin/chage
    ---s--x--x. 1 root root 126720 Jun 23 2017 /usr/bin/sudo
    -rws--x--x. 1 root root 16616 Mar 22 2017 /usr/bin/chfn
    -rwsr-xr-x. 1 root root 34828 May 11 2016 /usr/bin/newgrp
    -rwsr-xr-x. 1 root root 74064 May 11 2016 /usr/bin/gpasswd
    ---s--x--- 1 root stapusr 178148 Mar 22 2017 /usr/bin/staprun
    -rws--x--x. 1 root root 15432 Mar 22 2017 /usr/bin/chsh
    -rwsr-xr-x. 1 root root 34168 Mar 22 2017 /sbin/unix_chkpwd
    -rwsr-xr-x. 1 root root 9596 Mar 22 2017 /sbin/pam_timestamp_check
    -rwsr-xr-x. 1 root root 34188 Mar 23 2017 /bin/su
    -rwsr-xr-x. 1 root root 77456 Mar 22 2017 /bin/mount
    -rwsr-xr-x. 1 root root 32080 Mar 22 2017 /bin/ping6
    -rwsr-xr-x. 1 root root 50312 Mar 22 2017 /bin/umount
    -rwsr-xr-x. 1 root root 36732 Mar 22 2017 /bin/ping

    I don't know what to try, since this is the first time I'm attempting to root anything. I'd like an algorithm... to learn roughly how root privileges are obtained. Then I'll try to figure it out on my own.