I have a web shell on a Windows box.

Spoiler: Win
Windows NT 6.3 build 9600 (Windows Server 2012 R2 Standard Edition) i586
Microsoft Windows [Version 6.3.9600]
PHP/5.6.31 Microsoft-IIS/8.5 cURL MySQL/mysqlnd 5.0.11-dev
----
Host Name: SERVER1
OS Name: Microsoft Windows Server 2012 R2 Standard
OS Version: 6.3.9600 N/A Build 9600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Server
OS Build Type: Multiprocessor Free
Registered Owner: Windows User
Registered Organization:
Original Install Date: 7/24/2015, 6:06:36 PM
System Boot Time: 7/24/2017, 8:50:48 PM
System Manufacturer: Supermicro
System Model: SYS-6018R-MT
System Type: x64-based PC
Processor(s): 2 Processor(s) Installed.
[01]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~1200 Mhz
[02]: Intel64 Family 6 Model 63 Stepping 2 GenuineIntel ~1200 Mhz
BIOS Version: American Megatrends Inc. 2.0, 12/18/2015
Windows Directory: C:\Windows
System Directory: C:\Windows\system32
Boot Device: \Device\HarddiskVolume2
System Locale: en-us;English (United States)
Input Locale: en-us;English (United States)
Time Zone: (UTC-05:00) Eastern Time (US & Canada)
Total Physical Memory: 65,426 MB
Available Physical Memory: 19,966 MB
Virtual Memory: Max Size: 130,962 MB
Virtual Memory: Available: 79,531 MB
Virtual Memory: In Use: 51,431 MB
Page File Location(s): C:\pagefile.sys
Domain: WORKGROUP
Logon Server: N/A
Hotfix(s): N/A
Network Card(s): 2 NIC(s) Installed.
[01]: Intel(R) I210 Gigabit Network Connection
Connection Name: Ethernet 8
DHCP Enabled: No
IP address(es)
[01]: ---IP---
[02]: ---MAC---
[02]: Intel(R) I210 Gigabit Network Connection
Connection Name: Internet
DHCP Enabled: No
IP address(es)
[01]: ---IP--- <---- THE SITE IS REACHABLE ON THIS IP
Hyper-V Requirements: VM Monitor Mode Extensions: Yes
Virtualization Enabled In Firmware: Yes
Second Level Address Translation: Yes
Data Execution Prevention Available: Yes
server1\iwpd_1(---DELETE---)

How do I escalate privileges on this machine?
PS: Recommend a web shell for Windows.
1) Run the command "systeminfo > C:\temp\1.txt" on the server and send me the resulting file in a PM.
2) Use passthru instead of system, since system doesn't handle cmd properly by default.
1) Post the output of sudo -l
2) The output of /etc/cron or the files in cron.d
3) What is in tmp and opt
4) Try sudo -i (maybe you are already in sudoers)
5) Try creating a symlink
6) Try the script http://www.securitysift.com/download/linuxprivchecker.py
UPDATE: Sent the sysinfo. Here is the list

Spoiler: List
Code:
[M] MS16-075: Security Update for Windows SMB Server (3164038) - Important
[*] https://github.com/foxglovesec/RottenPotato
[*] https://github.com/Kevin-Robertson/Tater
[*] https://bugs.chromium.org/p/project-zero/issues/detail?id=222 -- Windows: Local WebDAV NTLM Reflection Elevation of Privilege
[*] https://foxglovesecurity.com/2016/01/16/hot-potato/ -- Hot Potato - Windows Privilege Escalation
[*]
[E] MS16-032: Security Update for Secondary Logon to Address Elevation of Privile (3143141) - Important
[*] https://www.exploit-db.com/exploits/40107/ -- MS16-032 Secondary Logon Handle Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39574/ -- Microsoft Windows 8.1/10 - Secondary Logon Standard Handles Missing Sanitization Privilege Escalation (MS16-032), PoC
[*] https://www.exploit-db.com/exploits/39719/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (PowerShell), PoC
[*] https://www.exploit-db.com/exploits/39809/ -- Microsoft Windows 7-10 & Server 2008-2012 (x32/x64) - Local Privilege Escalation (MS16-032) (C#)
[*]
[M] MS16-016: Security Update for WebDAV to Address Elevation of Privilege (3136041) - Important
[*] https://www.exploit-db.com/exploits/40085/ -- MS16-016 mrxdav.sys WebDav Local Privilege Escalation, MSF
[*] https://www.exploit-db.com/exploits/39788/ -- Microsoft Windows 7 - WebDAV Privilege Escalation Exploit (MS16-016) (2), PoC
[*] https://www.exploit-db.com/exploits/39432/ -- Microsoft Windows 7 SP1 x86 - WebDAV Privilege Escalation (MS16-016) (1), PoC
[*]
[E] MS15-102: Vulnerabilities in Windows Task Management Could Allow Elevation of Privilege (3089657) - Important
[*] https://www.exploit-db.com/exploits/38202/ -- Windows CreateObjectTask SettingsSyncDiagnostics Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38200/ -- Windows Task Scheduler DeleteExpiredTaskAfter File Deletion Privilege Escalation, PoC
[*] https://www.exploit-db.com/exploits/38201/ -- Windows CreateObjectTask TileUserBroker Privilege Escalation, PoC
[*]
[M] MS15-051: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of Privilege (3057191) - Important
[*] https://github.com/hfiref0x/CVE-2015-1701, Win32k Elevation of Privilege Vulnerability, PoC
[*] https://www.exploit-db.com/exploits/37367/ -- Windows ClientCopyImage Win32k Exploit, MSF
[*]
[E] MS14-040: Vulnerability in Ancillary Function Driver (AFD) Could Allow Elevation of Privilege (2975684) - Important
[*] https://www.exploit-db.com/exploits/39525/ -- Microsoft Windows 7 x64 - afd.sys Privilege Escalation (MS14-040), PoC
[*] https://www.exploit-db.com/exploits/39446/ -- Microsoft Windows - afd.sys Dangling Pointer Privilege Escalation (MS14-040), PoC
[*]
[E] MS14-026: Vulnerability in .NET Framework Could Allow Elevation of Privilege (2958732) - Important
[*] http://www.exploit-db.com/exploits/35280/, -- .NET Remoting Services Remote Command Execution, PoC
Please advise how to escalate privileges, and with which exploit. There are two servers.

1:
$ uname -a
Linux ks209234.kimsufi.com 2.6.38.2-xxxx-std-ipv6-64 #2 SMP Thu Aug 25 16:43:23 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*-release
CentOS release 6.2 (Final)
CentOS release 6.2 (Final)
CentOS release 6.2 (Final)

2:
$ uname -a
Linux php54-web-21 4.4.0-53-generic #74-Ubuntu SMP Fri Dec 2 15:59:10 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
$ cat /etc/*-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.2 LTS"
NAME="Ubuntu"
VERSION="16.04.2 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.2 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial

Thanks
Help

* uname -a
Code:
Linux ip-10-149-5-107 2.6.32-431.1.2.0.1.el6.x86_64 #1 SMP Fri Dec 13 13:06:13 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux

* ls -la /boot
Code:
total 39464
dr-xr-xr-x. 4 root root 4096 Dec 23 2013 .
drwxr-xr-x. 24 root root 4096 Jun 20 06:40 ..
-rw-r--r--. 1 root root 171 Oct 16 2012 .vmlinuz-2.6.32-279.11.1.el6.x86_64.hmac
-rw-r--r--. 1 root root 170 Mar 12 2013 .vmlinuz-2.6.32-358.2.1.el6.x86_64.hmac
-rw-r--r--. 1 root root 174 Dec 13 2013 .vmlinuz-2.6.32-431.1.2.0.1.el6.x86_64.hmac
-rw-r--r--. 1 root root 2342243 Oct 16 2012 System.map-2.6.32-279.11.1.el6.x86_64
-rw-r--r--. 1 root root 2407544 Mar 12 2013 System.map-2.6.32-358.2.1.el6.x86_64
-rw-r--r--. 1 root root 2518212 Dec 13 2013 System.map-2.6.32-431.1.2.0.1.el6.x86_64
-rw-r--r--. 1 root root 101977 Oct 16 2012 config-2.6.32-279.11.1.el6.x86_64
-rw-r--r--. 1 root root 104085 Mar 12 2013 config-2.6.32-358.2.1.el6.x86_64
-rw-r--r--. 1 root root 105203 Dec 13 2013 config-2.6.32-431.1.2.0.1.el6.x86_64
drwxr-xr-x. 3 root root 4096 Oct 30 2012 efi
drwxr-xr-x. 2 root root 4096 Dec 23 2013 grub
-rw-r--r--. 1 root root 6512664 Oct 30 2012 initramfs-2.6.32-279.11.1.el6.x86_64.img
-rw-r--r--. 1 root root 6619790 Apr 22 2013 initramfs-2.6.32-358.2.1.el6.x86_64.img
-rw-------. 1 root root 6921745 Dec 23 2013 initramfs-2.6.32-431.1.2.0.1.el6.x86_64.img
-rw-r--r--. 1 root root 179202 Oct 16 2012 symvers-2.6.32-279.11.1.el6.x86_64.gz
-rw-r--r--. 1 root root 185828 Mar 12 2013 symvers-2.6.32-358.2.1.el6.x86_64.gz
-rw-r--r--. 1 root root 193760 Dec 13 2013 symvers-2.6.32-431.1.2.0.1.el6.x86_64.gz
-rwxr-xr-x. 1 root root 3987760 Oct 16 2012 vmlinuz-2.6.32-279.11.1.el6.x86_64
-rwxr-xr-x. 1 root root 4043920 Mar 12 2013 vmlinuz-2.6.32-358.2.1.el6.x86_64
-rwxr-xr-x. 1 root root 4128784 Dec 13 2013 vmlinuz-2.6.32-431.1.2.0.1.el6.x86_64

* ls -la --full-time /lib
Code:
dr-xr-xr-x. 9 root root 4096 2013-12-15 12:30:03.701829792 -0800 .
drwxr-xr-x. 24 root root 4096 2017-06-20 06:40:08.269205113 -0700 ..
lrwxrwxrwx. 1 root root 14 2013-12-15 12:30:03.698829792 -0800 cpp -> ../usr/bin/cpp
drwxr-xr-x. 42 root root 4096 2013-11-22 11:09:17.000000000 -0800 firmware
drwxr-xr-x. 6 root root 4096 2012-10-30 18:33:20.000000000 -0700 kbd
drwxr-xr-x. 2 root root 4096 2013-05-09 17:49:28.605425768 -0700 lsb
dr-xr-xr-x. 5 root root 4096 2013-12-23 02:31:35.810829793 -0800 modules
drwxr-xr-x. 2 root root 4096 2013-12-15 12:32:06.450829793 -0800 security
drwxr-xr-x. 6 root root 4096 2012-10-30 18:33:20.000000000 -0700 terminfo
drwxr-xr-x. 5 root root 4096 2013-12-23 02:31:18.871829793 -0800 udev

* cat /etc/*-release
Code:
CentOS release 6.5 (Final)
LSB_VERSION=base-4.0-amd64:base-4.0-noarch:core-4.0-amd64:core-4.0-noarch:graphics-4.0-amd64:graphics-4.0-noarch:printing-4.0-amd64:printing-4.0-noarch
CentOS release 6.5 (Final)
CentOS release 6.5 (Final)
Greetings, everyone. I have a problem: I got onto a server, but everything there is locked down hard. I can't get a back-connect, gcc doesn't work, perl neither. Maybe someone has ideas.

Server software: PHP/5.2.17-pl0-gentoo Apache cURL MySQL/5.1.62
User info: uid=81(apache) gid=445(usergrp)
Disable functions: escapeshellarg, escapeshellcmd, exec, passthru, proc_close, proc_get_status, proc_nice, proc_open, proc_terminate, shell_exec, system, popen, pcntl_alarm, pcntl_fork, pcntl_waitpid, pcntl_wait, pcntl_wifexited, pcntl_wifstopped, pcntl_wifsignaled, pcntl_wexitstatus, pcntl_wtermsig, pcntl_wstopsig, pcntl_signal, pcntl_signal_dispatch, pcntl_get_last_error, pcntl_strerror, pcntl_sigprocmask, pcntl_sigwaitinfo, pcntl_sigtimedwait, pcntl_exec, pcntl_getpriority, pcntl_setpriority
You can do a lot with PHP's own means. For example, read a file not via system('cat flag') but with file_get_contents('flag.txt'). Get a directory listing the same way, through other functions. And in the list of disabled functions I don't see eval and call_user_func. With PHP you can write an environment variable, look around, and even try to add yourself to cron, and so on. As for perl and gcc, they may simply not be installed. Look for python, or better, check /usr/bin, /bin, /usr/sbin and so on: whichever interpreters/compilers are there, use them to try to throw a reverse connect. In the end you can open a socket from php....
The php isn't the freshest; try bypassing the disabled functions: http://blog.safebuff.com/2016/05/06/disable-functions-bypass/
Any suggestions for this beast...

Spoiler: Linux http5 3.2.83
apache@http5 / $ uname -a
Linux http5 3.2.83 #1 SMP Sat Oct 22 11:27:37 CEST 2016 x86_64 Intel(R) Xeon(R) CPU E5320 @ 1.86GHz GenuineIntel GNU/Linux
apache@http5 / $ ls -la /boot
total 16392
drwxr-xr-x 4 root root 1024 Oct 22 2016 .
drwxr-xr-x 22 root root 4096 Sep 14 2012 ..
lrwxrwxrwx 1 root root 1 Nov 14 2007 boot -> .
drwxr-xr-x 2 root root 1024 Oct 22 2016 grub
-rw-r--r-- 1 root root 0 Sep 14 2012 .keep
-rw-r--r-- 1 root root 1631704 Mar 9 2008 kernel-2.6.23-gentoo-r9
-rw-r--r-- 1 root root 1685240 May 27 2008 kernel-2.6.24-gentoo-r8
-rw-r--r-- 1 root root 2001344 Jan 12 2010 kernel-2.6.31-gentoo-r6
-rw-r--r-- 1 root root 2126896 Jul 14 2010 kernel-2.6.34-gentoo-r1
-rw-r--r-- 1 root root 2127984 Oct 12 2010 kernel-2.6.34-gentoo-r11
-rw-r--r-- 1 root root 2366768 Oct 22 2016 kernel-3.2.83
-rw-r--r-- 1 root root 2369296 Aug 20 2012 kernel-3.3.8-gentoo
-rw-r--r-- 1 root root 2386912 Sep 14 2012 kernel-3.4.9-gentoo
drwx------ 2 root root 1024 Nov 14 2007 lost+found
apache@http5 / $ mount
rootfs on / type rootfs (rw)
/dev/root on / type ext3 (rw,noatime,errors=continue,barrier=1,data=writeback)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /run type tmpfs (rw,nosuid,nodev,relatime,mode=755)
rc-svcdir on /lib64/rc/init.d type tmpfs (rw,nosuid,nodev,noexec,relatime,size=1024k,mode=755)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=10240k,nr_inodes=1021437,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620)
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime)
/dev/md0 on /boot type ext3 (rw,noatime)
/dev/md3 on /tmp type ext3 (rw,noexec,nosuid,nodev,noatime)
/tmp on /var/tmp type none (rw,noexec,nosuid,nodev,bind,noatime)
10.0.0.41:/data/nfs/userhomes/userhome3 on /home type nfs (rw,nosuid,noatime,rsize=524288,wsize=524288,intr,tcp,nfsvers=3,addr=10.0.0.41)
10.0.0.41:/data/nfs/vhosts/vhosts3/vhosts.in_one on /etc/apache2/vhosts.d type nfs (ro,noatime,rsize=524288,wsize=524288,intr,tcp,nfsvers=3,addr=10.0.0.41)
10.0.0.41:/data/nfs/checkdirs/checkdir3 on /checkdir type nfs (rw,noatime,rsize=524288,wsize=524288,intr,tcp,nfsvers=3,addr=10.0.0.41)
10.0.0.41:/data/nfs/php/php3 on /etc/php/nfs type nfs (ro,noatime,rsize=524288,wsize=524288,intr,tcp,nfsvers=3,addr=10.0.0.41)
apache@http5 / $ df -h
Filesystem Size Used Avail Use% Mounted on
rootfs 37G 19G 17G 55% /
/dev/root 37G 19G 17G 55% /
tmpfs 3.9G 68K 3.9G 1% /run
rc-svcdir 1.0M 68K 956K 7% /lib64/rc/init.d
udev 10M 4.0K 10M 1% /dev
shm 3.9G 0 3.9G 0% /dev/shm
/dev/md0 99M 23M 72M 24% /boot
/dev/md3 132G 189M 126G 1% /tmp
10.0.0.41:/data/nfs/userhomes/userhome3 3.2T 2.1T 1.1T 66% /home
10.0.0.41:/data/nfs/vhosts/vhosts3/vhosts.in_one 3.2T 2.1T 1.1T 66% /etc/apache2/vhosts.d
10.0.0.41:/data/nfs/checkdirs/checkdir3 3.2T 2.1T 1.1T 66% /checkdir
10.0.0.41:/data/nfs/php/php3 3.2T 2.1T 1.1T 66% /etc/php/nfs
apache@http5 / $ cat /etc/issue
This is \n.\O (\s \m \r) \t
apache@http5 / $ cat /etc/crontab
# for vixie cron
# $Header: /var/cvsroot/gentoo-x86/sys-process/vixie-cron/files/crontab-3.0.1-r4,v 1.3 2011/09/20 15:13:51 idl0r Exp $
# Global variables
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# check scripts in cron.hourly, cron.daily, cron.weekly and cron.monthly
59 * * * * root rm -f /var/spool/cron/lastrun/cron.hourly
9 3 * * * root rm -f /var/spool/cron/lastrun/cron.daily
19 4 * * 6 root rm -f /var/spool/cron/lastrun/cron.weekly
29 5 1 * * root rm -f /var/spool/cron/lastrun/cron.monthly
*/10 * * * * root test -x /usr/sbin/run-crons && /usr/sbin/run-crons
29 0,6,12,18 * * * root /root/bin/apache-restart.sh >> /root/bin/apache-restart.log 2>&1
3-58/5 * * * * root /root/bin/copy_loghost_shorewall_rules.sh > /dev/null 2>&1
apache@http5 / $ cat /proc/version
Linux version 3.2.83 (root@http5) (gcc version 4.5.4 (Gentoo 4.5.4 p1.0, pie-0.4.7) ) #1 SMP Sat Oct 22 11:27:37 CEST 2016
apache@http5 / $ cat /proc/sys/vm/mmap_min_addr
65536
apache@http5 / $ pwd
/
apache@http5 / $ ls -la /usr/bin/staprun
ls: cannot access /usr/bin/staprun: No such file or directory
apache@http5 / $ find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null
-r-s--x--x 1 root root 102784 Sep 14 2012 /sbin/mount.nfs
-rws--x--x 1 root root 31152 Sep 14 2012 /sbin/unix_chkpwd
-rws--x--x 1 root root 39672 Sep 14 2012 /bin/ping
-rws--x--x 1 root root 60672 Sep 14 2012 /bin/umount
-rws--x--x 1 root root 82064 Sep 14 2012 /bin/mount
-rws--x--x 1 root root 42592 Sep 14 2012 /bin/passwd
-rws--x--x 1 root root 36680 Sep 14 2012 /bin/su
-rws--x--x 1 root root 259144 Sep 14 2012 /usr/lib64/misc/ssh-keysign
-rws--x--x 1 root root 10184 Sep 14 2012 /usr/lib64/misc/glibc/pt_chown
-rws--x--x 1 root root 36296 Sep 14 2012 /usr/bin/newgrp
-rws--x--x 1 root root 59520 Sep 14 2012 /usr/bin/gpasswd
-rws--x--x 1 root root 41664 Sep 14 2012 /usr/bin/chfn
-rws--x--x 1 root root 36896 Sep 14 2012 /usr/bin/chsh
-rws--x--x 1 root root 58848 Sep 14 2012 /usr/bin/chage
-rwsr-x--x 1 root root 544534 Aug 14 2011 /usr/bin/sudo
-rws--x--x 1 root root 23064 Sep 14 2012 /usr/bin/expiry
Please advise, is privilege escalation possible?

$ uname -a
Linux /-hiddenlink-/ 2.6.32-042stab123.3 #1 SMP Fri May 5 12:29:05 MSK 2017 x86_64 x86_64 x86_64 GNU/Linux

Spoiler: Information
$ uname -a
Linux /-hiddenlink-/ 2.6.32-042stab123.3 #1 SMP Fri May 5 12:29:05 MSK 2017 x86_64 x86_64 x86_64 GNU/Linux
$ ls -la /boot
total 34040
dr-xr-xr-x 3 root root 4096 Dec 12 2011 .
drwxr-xr-x 24 root root 4096 Sep 5 22:07 ..
-rw-r--r-- 1 root root 171 Nov 23 2011 .vmlinuz-2.6.32-131.21.1.el6.x86_64.hmac
-rw-r--r-- 1 root root 170 Jun 27 2011 .vmlinuz-2.6.32-71.29.1.el6.x86_64.hmac
-rw-r--r-- 1 root root 2280032 Nov 23 2011 System.map-2.6.32-131.21.1.el6.x86_64
-rw-r--r-- 1 root root 2228188 Jun 27 2011 System.map-2.6.32-71.29.1.el6.x86_64
-rw-r--r-- 1 root root 100203 Nov 23 2011 config-2.6.32-131.21.1.el6.x86_64
-rw-r--r-- 1 root root 97911 Jun 27 2011 config-2.6.32-71.29.1.el6.x86_64
drwxr-xr-x 2 root root 4096 Aug 29 2011 grub
-rw-r--r-- 1 root root 11547111 Dec 12 2011 initramfs-2.6.32-131.21.1.el6.x86_64.img
-rw-r--r-- 1 root root 10562525 Sep 13 2011 initramfs-2.6.32-71.29.1.el6.x86_64.img
-rw-r--r-- 1 root root 165881 Nov 23 2011 symvers-2.6.32-131.21.1.el6.x86_64.gz
-rw-r--r-- 1 root root 160602 Jun 27 2011 symvers-2.6.32-71.29.1.el6.x86_64.gz
-rwxr-xr-x 1 root root 3882160 Nov 23 2011 vmlinuz-2.6.32-131.21.1.el6.x86_64
-rwxr-xr-x 1 root root 3795744 Jun 27 2011 vmlinuz-2.6.32-71.29.1.el6.x86_64
$ ls -la --full-time /lib
total 6564
dr-xr-xr-x 10 root root 4096 2015-01-29 21:32:21.000000000 +0400 .
drwxr-xr-x 24 root root 4096 2017-09-05 22:07:46.541133565 +0400 ..
lrwxrwxrwx 1 root root 14 2014-07-04 10:55:52.000000000 +0400 cpp -> ../usr/bin/cpp
drwxr-xr-x 39 root root 4096 2011-12-12 12:33:25.000000000 +0400 firmware
drwxr-xr-x 3 root root 4096 2015-01-27 22:41:16.000000000 +0400 i686
drwxr-xr-x 6 root root 4096 2011-09-13 10:39:04.000000000 +0400 kbd
-rwxr-xr-x 1 root root 141144 2015-01-27 23:11:03.000000000 +0400 ld-2.12.so
lrwxrwxrwx 1 root root 10 2015-01-29 21:32:21.000000000 +0400 ld-linux.so.2 -> ld-2.12.so
-rwxr-xr-x 1 root root 7224 2015-01-27 23:11:05.000000000 +0400 libBrokenLocale-2.12.so
lrwxrwxrwx 1 root root 23 2015-01-29 21:32:21.000000000 +0400 libBrokenLocale.so.1 -> libBrokenLocale-2.12.so
-rwxr-xr-x 1 root root 20376 2015-01-27 23:11:04.000000000 +0400 libSegFault.so
lrwxrwxrwx 1 root root 15 2014-07-04 10:55:20.000000000 +0400 libacl.so.1 -> libacl.so.1.1.0
-rwxr-xr-x 1 root root 29788 2011-09-23 15:25:08.000000000 +0400 libacl.so.1.1.0
-rwxr-xr-x 1 root root 13416 2015-01-27 23:11:04.000000000 +0400 libanl-2.12.so
lrwxrwxrwx 1 root root 14 2015-01-29 21:32:21.000000000 +0400 libanl.so.1 -> libanl-2.12.so
lrwxrwxrwx 1 root root 16 2014-07-04 10:55:19.000000000 +0400 libattr.so.1 -> libattr.so.1.1.0
-rwxr-xr-x 1 root root 17904 2011-09-23 22:52:26.000000000 +0400 libattr.so.1.1.0
lrwxrwxrwx 1 root root 15 2014-07-04 10:55:20.000000000 +0400 libbz2.so.1 -> libbz2.so.1.0.4
-rwxr-xr-x 1 root root 70464 2011-06-25 05:44:14.000000000 +0400 libbz2.so.1.0.4
-rwxr-xr-x 1 root root 1902892 2015-01-27 23:11:06.000000000 +0400 libc-2.12.so
lrwxrwxrwx 1 root root 12 2015-01-29 21:32:21.000000000 +0400 libc.so.6 -> libc-2.12.so
-rwxr-xr-x 1 root root 190992 2015-01-27 23:11:03.000000000 +0400 libcidn-2.12.so
lrwxrwxrwx 1 root root 15 2015-01-29 21:32:21.000000000 +0400 libcidn.so.1 -> libcidn-2.12.so
lrwxrwxrwx 1 root root 17 2014-07-04 10:55:19.000000000 +0400 libcom_err.so.2 -> libcom_err.so.2.1
-rwxr-xr-x 1 root root 10340 2011-07-19 15:54:50.000000000 +0400 libcom_err.so.2.1
-rwxr-xr-x 1 root root 38380 2015-01-27 23:11:04.000000000 +0400 libcrypt-2.12.so
lrwxrwxrwx 1 root root 16 2015-01-29 21:32:21.000000000 +0400 libcrypt.so.1 -> libcrypt-2.12.so
-rwxr-xr-x 1 root root 17896 2015-01-27 23:11:03.000000000 +0400 libdl-2.12.so
lrwxrwxrwx 1 root root 13 2015-01-29 21:32:21.000000000 +0400 libdl.so.2 -> libdl-2.12.so
lrwxrwxrwx 1 root root 13 2014-07-04 10:55:17.000000000 +0400 libe2p.so.2 -> libe2p.so.2.3
-rwxr-xr-x 1 root root 23892 2011-07-19 15:54:50.000000000 +0400 libe2p.so.2.3
lrwxrwxrwx 1 root root 16 2014-07-04 10:55:20.000000000 +0400 libext2fs.so.2 -> libext2fs.so.2.4
-rwxr-xr-x 1 root root 197140 2011-07-19 15:54:50.000000000 +0400 libext2fs.so.2.4
-rw-r--r-- 1 root root 478 2011-10-04 05:55:29.000000000 +0400 libfreebl3.chk
-rwxr-xr-x 1 root root 298084 2011-10-04 05:55:29.000000000 +0400 libfreebl3.so
-rwxr-xr-x 1 root root 120672 2011-12-06 19:16:03.000000000 +0400 libgcc_s-4.4.6-20110824.so.1
lrwxrwxrwx 1 root root 28 2014-07-04 10:55:17.000000000 +0400 libgcc_s.so.1 -> libgcc_s-4.4.6-20110824.so.1
lrwxrwxrwx 1 root root 22 2014-07-04 10:55:17.000000000 +0400 libgio-2.0.so.0 -> libgio-2.0.so.0.2200.5
-rwxr-xr-x 1 root root 723100 2011-07-19 03:04:26.000000000 +0400 libgio-2.0.so.0.2200.5
lrwxrwxrwx 1 root root 23 2014-07-04 10:55:19.000000000 +0400 libglib-2.0.so.0 -> libglib-2.0.so.0.2200.5
-rwxr-xr-x 1 root root 953224 2011-07-19 03:04:26.000000000 +0400 libglib-2.0.so.0.2200.5
lrwxrwxrwx 1 root root 26 2014-07-04 10:55:20.000000000 +0400 libgmodule-2.0.so.0 -> libgmodule-2.0.so.0.2200.5
-rwxr-xr-x 1 root root 10548 2011-07-19 03:04:26.000000000 +0400 libgmodule-2.0.so.0.2200.5
lrwxrwxrwx 1 root root 26 2014-07-04 10:55:19.000000000 +0400 libgobject-2.0.so.0 -> libgobject-2.0.so.0.2200.5
-rwxr-xr-x 1 root root 278148 2011-07-19 03:04:26.000000000 +0400 libgobject-2.0.so.0.2200.5
lrwxrwxrwx 1 root root 26 2014-07-04 10:55:17.000000000 +0400 libgthread-2.0.so.0 -> libgthread-2.0.so.0.2200.5
-rwxr-xr-x 1 root root 15424 2011-07-19 03:04:26.000000000 +0400 libgthread-2.0.so.0.2200.5
-rwxr-xr-x 1 root root 200024 2015-01-27 23:11:05.000000000 +0400 libm-2.12.so
lrwxrwxrwx 1 root root 12 2015-01-29 21:32:21.000000000 +0400 libm.so.6 -> libm-2.12.so
lrwxrwxrwx 1 root root 17 2014-07-04 10:55:19.000000000 +0400 libncurses.so.5 -> libncurses.so.5.7
-rwxr-xr-x 1 root root 139980 2010-08-18 19:33:59.000000000 +0400 libncurses.so.5.7
lrwxrwxrwx 1 root root 18 2014-07-04 10:55:17.000000000 +0400 libncursesw.so.5 -> libncursesw.so.5.7
-rwxr-xr-x 1 root root 195244 2010-08-18 19:33:59.000000000 +0400 libncursesw.so.5.7
-rwxr-xr-x 1 root root 113912 2015-01-27 23:11:05.000000000 +0400 libnsl-2.12.so
lrwxrwxrwx 1 root root 14 2015-01-29 21:32:21.000000000 +0400 libnsl.so.1 -> libnsl-2.12.so
-rwxr-xr-x 1 root root 40200 2015-01-27 23:11:04.000000000 +0400 libnss_compat-2.12.so
lrwxrwxrwx 1 root root 21 2015-01-29 21:32:21.000000000 +0400 libnss_compat.so.2 -> libnss_compat-2.12.so
-rwxr-xr-x 1 root root 25596 2015-01-27 23:11:05.000000000 +0400 libnss_dns-2.12.so
lrwxrwxrwx 1 root root 18 2015-01-29 21:32:21.000000000 +0400 libnss_dns.so.2 -> libnss_dns-2.12.so
-rwxr-xr-x 1 root root 58708 2015-01-27 23:11:04.000000000 +0400 libnss_files-2.12.so
lrwxrwxrwx 1 root root 20 2015-01-29 21:32:21.000000000 +0400 libnss_files.so.2 -> libnss_files-2.12.so
-rwxr-xr-x 1 root root 22140 2015-01-27 23:11:03.000000000 +0400 libnss_hesiod-2.12.so
lrwxrwxrwx 1 root root 21 2015-01-29 21:32:21.000000000 +0400 libnss_hesiod.so.2 -> libnss_hesiod-2.12.so
-rwxr-xr-x 1 root root 49712 2015-01-27 23:11:04.000000000 +0400 libnss_nis-2.12.so
lrwxrwxrwx 1 root root 18 2015-01-29 21:32:21.000000000 +0400 libnss_nis.so.2 -> libnss_nis-2.12.so
-rwxr-xr-x 1 root root 58712 2015-01-27 23:11:03.000000000 +0400 libnss_nisplus-2.12.so
lrwxrwxrwx 1 root root 22 2015-01-29 21:32:21.000000000 +0400 libnss_nisplus.so.2 -> libnss_nisplus-2.12.so
-rwxr-xr-x 1 root root 131220 2015-01-27 23:11:05.000000000 +0400 libpthread-2.12.so
lrwxrwxrwx 1 root root 18 2015-01-29 21:32:21.000000000 +0400 libpthread.so.0 -> libpthread-2.12.so
-rwxr-xr-x 1 root root 103388 2015-01-27 23:11:04.000000000 +0400 libresolv-2.12.so
lrwxrwxrwx 1 root root 17 2015-01-29 21:32:21.000000000 +0400 libresolv.so.2 -> libresolv-2.12.so
-rwxr-xr-x 1 root root 39712 2015-01-27 23:11:03.000000000 +0400 librt-2.12.so
lrwxrwxrwx 1 root root 13 2015-01-29 21:32:21.000000000 +0400 librt.so.1 -> librt-2.12.so
-rwxr-xr-x 1 root root 120780 2011-07-20 03:53:36.000000000 +0400 libselinux.so.1
-rwxr-xr-x 1 root root 31620 2015-01-27 23:11:05.000000000 +0400 libthread_db-1.0.so
lrwxrwxrwx 1 root root 19 2015-01-29 21:32:21.000000000 +0400 libthread_db.so.1 -> libthread_db-1.0.so
lrwxrwxrwx 1 root root 15 2014-07-04 10:55:17.000000000 +0400 libtinfo.so.5 -> libtinfo.so.5.7
-rwxr-xr-x 1 root root 98120 2010-08-18 19:33:59.000000000 +0400 libtinfo.so.5.7
-rwxr-xr-x 1 root root 12792 2015-01-27 23:11:03.000000000 +0400 libutil-2.12.so
lrwxrwxrwx 1 root root 15 2015-01-29 21:32:21.000000000 +0400 libutil.so.1 -> libutil-2.12.so
lrwxrwxrwx 1 root root 13 2014-07-04 10:55:20.000000000 +0400 libz.so.1 -> libz.so.1.2.3
-rwxr-xr-x 1 root root 75384 2013-02-22 03:01:21.000000000 +0400 libz.so.1.2.3
dr-xr-xr-x 15 root root 4096 2017-09-05 22:07:45.248133567 +0400 modules
drwxr-xr-x 3 root root 4096 2015-01-29 21:32:21.000000000 +0400 rtkaio
drwxr-xr-x 2 root root 4096 2011-07-20 04:23:00.000000000 +0400 security
drwxr-xr-x 6 root root 4096 2011-08-29 15:45:21.000000000 +0400 terminfo
drwxr-xr-x 5 root root 4096 2011-12-12 12:33:20.000000000 +0400 udev
$ mount
/dev/simfs on / type simfs (rw,relatime,usrquota,grpquota)
proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,relatime)
none on /dev type devtmpfs (rw,relatime,mode=755)
none on /dev/pts type devpts (rw,relatime,mode=600,ptmxmode=000)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw,relatime)
$ df -h
Filesystem Size Used Avail Use% Mounted on
/dev/simfs 120G 28G 93G 23% /
none 2.0G 4.0K 2.0G 1% /dev
$ cat /etc/issue
CentOS release 6.1 (Final)
Kernel \r on an \m
$ cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
$ cat /proc/version
Linux version 2.6.32-042stab123.3 ([email protected]) (gcc version 4.4.6 20120305 (Red Hat 4.4.6-4) (GCC) ) #1 SMP Fri May 5 12:29:05 MSK 2017
$ cat /proc/sys/vm/mmap_min_addr
4096
$ pwd
/var/www/-hiddenlink-/data/www/-hiddenlink-
$ ls -la /usr/bin/staprun
$ find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null
-r-sr-xr-x 1 root root 53992 Aug 1 2013 /usr/local/ispmgr/cgi/download
-r-sr-xr-x 1 root root 13024 Aug 1 2013 /usr/local/ispmgr/cgi/login
-r-sr-xr-x 1 root root 38264 Aug 1 2013 /usr/local/ispmgr/cgi/xml2csv
-r-sr-xr-x 1 root root 49016 Aug 1 2013 /usr/local/ispmgr/cgi/upload
-r-sr-xr-x 1 root root 8280 Aug 1 2013 /usr/local/ispmgr/cgi/ispmgr
-r-sr-xr-x 1 root root 140408 Aug 1 2013 /usr/local/ispmgr/cgi/getuser
-r-sr-xr-x 1 root root 53248 Aug 1 2013 /usr/local/ispmgr/cgi/cronrun
-r-sr-xr-x 1 root root 53280 Aug 1 2013 /usr/local/ispmgr/cgi/mindterm
-r-sr-xr-x 1 root root 140888 Aug 1 2013 /usr/local/ispmgr/cgi/bdownload
-r-sr-xr-x 1 root root 19816 Aug 1 2013 /usr/local/ispmgr/cgi/outlook
-r-sr-xr-x 1 root root 32752 Aug 1 2013 /usr/local/ispmgr/cgi/dbdownload
-r-sr-xr-x 1 root root 57344 Aug 1 2013 /usr/local/ispmgr/cgi/certdownload
-r-sr-xr-x 1 root root 1547912 Aug 1 2013 /usr/local/ispmgr/bin/ispmgr
-r-sr-xr-x 1 root root 1146280 Aug 1 2013 /usr/local/ispmgr/sbin/pbackup
-r-sr-xr-x 1 root root 5704 Sep 29 2015 /usr/local/ispmgr/sbin/suexec
-r-sr-xr-x 1 root root 66392 Aug 1 2013 /usr/local/ispmgr/sbin/responder
-r-sr-xr-x 1 root root 36480 Aug 1 2013 /usr/local/ispmgr/sbin/vacation
-r-sr-xr-x 1 root root 1774704 Aug 1 2013 /usr/local/ispmgr/sbin/usermove
-rwsr-xr-x 1 root root 18080 Jun 25 2011 /usr/bin/pkexec
-rwsr-xr-x 1 root root 51784 Nov 23 2013 /usr/bin/crontab
-rwsr-xr-x 1 root root 59440 Jul 19 2011 /usr/bin/chage
-rws--x--x 1 root root 20056 Jul 20 2011 /usr/bin/chsh
---s--x--x 2 root root 212904 Sep 23 2011 /usr/bin/sudo
-rwsr-xr-x 1 root root 25304 Aug 22 2010 /usr/bin/passwd
-rwsr-xr-x 1 root root 64688 Jul 19 2011 /usr/bin/gpasswd
-rws--x--x 1 root root 20184 Jul 20 2011 /usr/bin/chfn
-rwsr-xr-x 1 root root 54240 Jun 25 2011 /usr/bin/at
-rwsr-xr-x 1 root root 33192 Jul 19 2011 /usr/bin/newgrp
---s--x--x 2 root root 212904 Sep 23 2011 /usr/bin/sudoedit
-rws--x--x 1 root root 14280 Jan 27 2015 /usr/libexec/pt_chown
-rws--x--x 1 vcsa root 7352 Aug 23 2010 /usr/libexec/mc/cons.saver
-rwsr-xr-x 1 root root 224912 Oct 24 2011 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x 1 root root 11080 Jun 25 2011 /usr/libexec/polkit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 1118184 May 24 2011 /usr/sbin/exim
-rws--x--x 1 root root 33952 Aug 22 2010 /usr/sbin/userhelper
-r-s--x--- 1 root apache 13984 Apr 4 2014 /usr/sbin/suexec
-rwsr-xr-x 1 root root 9000 Dec 3 2011 /usr/sbin/usernetctl
-rwsr-xr-x 1 root root 34904 Nov 22 2011 /bin/su
-rwsr-xr-x 1 root root 36488 Jul 19 2011 /bin/ping6
-rwsr-xr-x 1 root root 76152 Jul 20 2011 /bin/mount
-rwsr-xr-x 1 root root 50272 Jul 20 2011 /bin/umount
-rwsr-xr-x 1 root root 40760 Jul 19 2011 /bin/ping
-rwsr-x--- 1 root dbus 46232 Sep 13 2012 /lib64/dbus-1/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 32160 Jul 20 2011 /sbin/unix_chkpwd
-rwsr-xr-x 1 root root 9632 Jul 20 2011 /sbin/pam_timestamp_check
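The listing above mixes setuid binaries that the distribution packages ship (su, sudo, mount, passwd, crontab and so on) with a third-party set under /usr/local/ispmgr, and the listings posted later in the thread have the same shape. The first triage step is to separate the two, because the unusual entries are the ones nobody has audited. Below is an added example, not from the thread: a POSIX sh filter that reads the output of `find / -type f -perm -u+s -exec ls -la {} \;` from a file or stdin and prints only the entries outside a baseline. The baseline is my assumption, assembled from the paths that appear in this thread's listings; it is not a distribution manifest, and a baseline hit only says the file is a packaged binary, not that the installed version is patched. The sample listing inside the script is constructed from five lines of the post above. Two other observations from the same post belong in the triage notes: the /dev/simfs root and the 042stab kernel mark an OpenVZ container, so the kernel that uname reports is the host's, and /usr/local/ispmgr/sbin/suexec is a second, vendor-built suexec alongside the distribution's /usr/sbin/suexec.

```shell
#!/bin/sh
# Added example: triage of a setuid listing. Not part of the original thread.
# Reads `ls -la` lines (one per setuid file) and prints the ones whose path is
# not in SUID_BASELINE. The baseline is an assumption built from the paths seen
# in this thread's posts, not a distribution manifest; extend it per target.

SUID_BASELINE='
/bin/mount /bin/umount /bin/su /bin/ping /bin/ping6 /bin/passwd
/sbin/mount.nfs /sbin/unix_chkpwd /sbin/pam_timestamp_check
/usr/bin/passwd /usr/bin/chage /usr/bin/chfn /usr/bin/chsh /usr/bin/gpasswd
/usr/bin/newgrp /usr/bin/expiry /usr/bin/sudo /usr/bin/sudoedit /usr/bin/crontab
/usr/bin/at /usr/bin/pkexec /usr/bin/staprun
/usr/libexec/pt_chown /usr/libexec/openssh/ssh-keysign /usr/libexec/mc/cons.saver
/usr/libexec/polkit-1/polkit-agent-helper-1
/usr/lib64/misc/ssh-keysign /usr/lib64/misc/glibc/pt_chown
/usr/sbin/userhelper /usr/sbin/usernetctl /usr/sbin/suexec /usr/sbin/exim
/lib64/dbus-1/dbus-daemon-launch-helper /lib/dbus-1/dbus-daemon-launch-helper
'

# Constructed sample: five lines copied from the listing posted in this thread.
SAMPLE_LISTING='-r-sr-xr-x 1 root root 49016 Aug 1 2013 /usr/local/ispmgr/cgi/upload
-rwsr-xr-x 1 root root 40760 Jul 19 2011 /bin/ping
-r-sr-xr-x 1 root root 1547912 Aug 1 2013 /usr/local/ispmgr/bin/ispmgr
---s--x--x 2 root root 212904 Sep 23 2011 /usr/bin/sudo
-r-sr-xr-x 1 root root 5704 Sep 29 2015 /usr/local/ispmgr/sbin/suexec'

in_baseline() {
    # $1 = absolute path. Exact token match against the baseline list;
    # the list is flattened to one space-separated line so a case pattern
    # can test for " path " without a partial-path false positive.
    case " $(printf '%s' "$SUID_BASELINE" | tr '\n' ' ') " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

suid_triage() {
    # Reads ls -la lines on stdin; prints only the non-baseline entries.
    # The path is the last whitespace-separated field, so the variable
    # width of the mode/link/owner columns does not matter.
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        path=${line##* }
        in_baseline "$path" || printf '%s\n' "$line"
    done
}

case "${1:-}" in
    --demo)  printf '%s\n' "$SAMPLE_LISTING" | suid_triage ;;  # run on the sample
    --file)  suid_triage < "$2" ;;                              # run on saved find output
    --stdin) suid_triage ;;                                     # pipe find output in
esac
```

Usage: `find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null | sh suid_triage.sh --stdin`, or save the find output first and pass it with `--file`. On the sample the three /usr/local/ispmgr entries are printed and /bin/ping and /usr/bin/sudo are not. Anything printed still has to be checked by hand: owner and group (the `vcsa`-owned cons.saver and the `root apache` suexec in the listing show why), file age against the package's patch history, and whether the binary is even reachable from the uid the shell runs as.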
Please advise how to proceed. I created a user with DirtyCow, but SSH doesn't connect (it doesn't even ask for a login, just connection timeout right away). There is an uploaded shell (wso). How can I run commands as root? Or how do I change the user:group on the shell?

Spoiler: Info
Linux version 2.6.18-408.el5 ([email protected]) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-55)) #1 SMP Tue Jan 19 08:14:00 EST 2016
CentOS release 5.11 (Final)
Kernel \r on an \m
Useful: gcc, cc, ld, make, php, perl, python, ruby, tar, gzip, bzip2, nc, locate
Danger: clamd, iptables, tripwire, logwatch
Downloaders: wget, lynx, links, curl, lwp-mirror
Apache: the shell's access rights are nobody. There are scripts owned by nobody and scripts owned by the user. If the shell is uploaded as nobody it will be nobody, but what if it is uploaded as the user? Or, regardless of that, will all rights be cut down to zero?
It doesn't matter whose scripts they are; what matters is under whose name they are executed. If you are able to upload a web shell as the user, apache will still execute it as nobody, because the apache config says which user php runs as. But the configs can differ per site, i.e. the config for site1 may say to run php scripts as user1, and the config for site2 to run them as user2.
Hello, a question about rooting Linux machines. The situation is this: I have some rights on a server and access over SSH. Some info: Linux localhost.localdomain 2.6.32-696.13.2.el6.i686. Question: what is the next step to take? Look for kernel exploits and learn to use them? Thanks!
To start, here:

A post asking a question must contain the output of the following commands:
uname -a
ls -la /boot
ls -la --full-time /lib (or /lib64)
mount
df -h
cat /etc/issue
cat /etc/crontab (ls -la cron.d, cron.hourly, cron.monthly, cron.weekly) + the contents of every file in those directories
cat /proc/version
cat /proc/sys/vm/mmap_min_addr
pwd
ls -la /usr/bin/staprun
find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null

Also, always write down everything you have tried for privilege escalation and what errors came up.
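The checklist above as one POSIX sh script, added here as an example (it is not from the thread or from any tool the thread names): it runs the listed commands in the listed order and writes one report file that can be pasted into a post, and it also dumps the cron directories and their files, which the checklist asks for but nobody in the thread posted. Assumptions: GNU ls for `--full-time`; `find` is restricted to the root filesystem with `-xdev` so NFS and pseudo filesystems (see the mounts posted earlier) are not walked, and `-perm -4000` is used as the portable spelling of `-perm -u+s`; two commands the checklist does not name, `id` and `sudo -n -l`, are appended because the earlier reply in the thread asks for `sudo -l` and because the uid matters for everything else. Every command is wrapped so a missing file or tool (no /boot inside a container, no staprun) is recorded in the report instead of aborting the run.

```shell
#!/bin/sh
# Added example: collects the checklist from the post above into one report.
# Not part of the original thread. Assumes GNU coreutils (ls --full-time);
# on BusyBox that one section simply records the error.

section() {
    # Print a heading, then run the remaining arguments as a command.
    # stderr is merged so "No such file or directory" answers are kept,
    # and a failing command never aborts the report.
    printf '\n### %s\n' "$1"
    shift
    "$@" 2>&1 || true
}

cron_dirs() {
    # List each cron directory and dump every regular file in it, as the
    # checklist requires.
    for d in /etc/cron.d /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly; do
        [ -d "$d" ] || continue
        printf '\n--- %s\n' "$d"
        ls -la "$d" 2>&1
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            printf '\n--- %s\n' "$f"
            cat "$f" 2>&1
        done
    done
}

suid_files() {
    # Setuid regular files. -xdev stays on the root filesystem so NFS homes
    # (usually nosuid anyway), /proc and /sys are not walked.
    # -perm -4000 is the portable form of the checklist's -perm -u+s.
    find / -xdev -type f -perm -4000 -exec ls -la {} \; 2>/dev/null
}

lib_dir() {
    # /lib64 where it exists, otherwise /lib, as the checklist says.
    if [ -d /lib64 ]; then echo /lib64; else echo /lib; fi
}

privesc_enum() {
    # Write the whole report to the file named in $1 and echo that name.
    out="$1"
    {
        section 'uname -a' uname -a
        section 'ls -la /boot' ls -la /boot
        section "ls -la --full-time $(lib_dir)" ls -la --full-time "$(lib_dir)"
        section 'mount' mount
        section 'df -h' df -h
        section 'cat /etc/issue' cat /etc/issue
        section 'cat /etc/crontab' cat /etc/crontab
        section 'cron directories' cron_dirs
        section 'cat /proc/version' cat /proc/version
        section 'cat /proc/sys/vm/mmap_min_addr' cat /proc/sys/vm/mmap_min_addr
        section 'pwd' pwd
        section 'ls -la /usr/bin/staprun' ls -la /usr/bin/staprun
        section 'setuid files' suid_files
        section 'id' id
        section 'sudo -n -l' sudo -n -l
    } > "$out"
    echo "$out"
}

case "${1:-}" in
    --run) privesc_enum "${2:-/tmp/enum.txt}" ;;
esac
```

Run it as `sh privesc_enum.sh --run /tmp/enum.txt` and paste the file; `sudo -n -l` is non-interactive, so on a box where sudo would prompt for a password the report records that instead of hanging. Note that /tmp is mounted noexec on some of the hosts posted in this thread, which does not matter for a script run through `sh` but does for anything you would later want to execute from there.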
uname -a
Linux localhost.localdomain 2.6.32-696.13.2.el6.i686 #1 SMP Thu Oct 5 20:42:25 UTC 2017 i686 i686 i386 GNU/Linux

ls -la /boot
total 46022
dr-xr-xr-x. 5 root root 1024 Nov 3 10:26 .
dr-xr-xr-x. 21 root root 4096 Dec 28 09:15 ..
-rw-r--r--. 1 root root 109953 Nov 22 2013 config-2.6.32-431.el6.i686
-rw-r--r--. 1 root root 112821 Oct 6 02:47 config-2.6.32-696.13.2.el6.i686
drwxr-xr-x. 3 root root 1024 Nov 3 09:51 efi
drwxr-xr-x. 2 root root 1024 Nov 3 10:26 grub
-rw-------. 1 root root 14825818 Nov 3 09:53 initramfs-2.6.32-431.el6.i686.img
-rw-------. 1 root root 19445667 Nov 3 10:26 initramfs-2.6.32-696.13.2.el6.i686.img
drwx------. 2 root root 12288 Nov 3 09:45 lost+found
-rw-r--r--. 1 root root 190104 Nov 22 2013 symvers-2.6.32-431.el6.i686.gz
-rw-r--r--. 1 root root 211993 Oct 6 02:48 symvers-2.6.32-696.13.2.el6.i686.gz
-rw-r--r--. 1 root root 1982877 Nov 22 2013 System.map-2.6.32-431.el6.i686
-rw-r--r--. 1 root root 2064350 Oct 6 02:47 System.map-2.6.32-696.13.2.el6.i686
-rwxr-xr-x. 1 root root 4002656 Nov 22 2013 vmlinuz-2.6.32-431.el6.i686
-rw-r--r--. 1 root root 164 Nov 22 2013 .vmlinuz-2.6.32-431.el6.i686.hmac
-rwxr-xr-x. 1 root root 4137568 Oct 6 02:47 vmlinuz-2.6.32-696.13.2.el6.i686
-rw-r--r--. 1 root root 169 Oct 6 02:47 .vmlinuz-2.6.32-696.13.2.el6.i686.hmac

mount
/dev/mapper/VolGroup-lv_root on / type ext4 (rw)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
devpts on /dev/pts type devpts (rw,gid=5,mode=620)
tmpfs on /dev/shm type tmpfs (rw)
/dev/sda1 on /boot type ext4 (rw)
/dev/sdb1 on /usr/home type ext3 (rw)
none on /proc/sys/fs/binfmt_misc type binfmt_misc (rw)

df -h
Filesystem Size Used Avail Use% Mounted on
/dev/mapper/VolGroup-lv_root 35G 1.5G 31G 5% /
tmpfs 503M 0 503M 0% /dev/shm
/dev/sda1 477M 48M 404M 11% /boot
/dev/sdb1 74G 49G 22G 70% /usr/home

cat /etc/issue
CentOS release 6.9 (Final)
Kernel \r on an \m

cat /etc/crontab
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
HOME=/
# For details see man 4 crontabs
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed

cat /proc/version
Linux version 2.6.32-696.13.2.el6.i686 ([email protected]) (gcc version 4.4.7 20120313 (Red Hat 4.4.7-18) (GCC) ) #1 SMP Thu Oct 5 20:42:25 UTC 2017

cat /proc/sys/vm/mmap_min_addr
4096

ls -la /usr/bin/staprun
---s--x--- 1 root stapusr 178148 Mar 22 2017 /usr/bin/staprun

find / -type f -perm -u+s -exec ls -la {} \; 2>/dev/null
-rwsr-x---. 1 root dbus 46120 Apr 22 2015 /lib/dbus-1/dbus-daemon-launch-helper
-rws--x--x. 1 root root 13028 Jun 20 2017 /usr/libexec/pt_chown
-rws--x--x. 1 vcsa root 6064 May 11 2016 /usr/libexec/mc/cons.saver
-rwsr-xr-x. 1 root root 256572 Aug 31 23:36 /usr/libexec/openssh/ssh-keysign
-rwsr-xr-x. 1 root root 7060 Oct 4 08:24 /usr/sbin/usernetctl
-rwsr-xr-x. 1 root root 18448 Oct 15 2014 /usr/sbin/scponlyc
-rwsr-xr-x. 1 root root 25980 Nov 23 2015 /usr/bin/passwd
-rwsr-xr-x. 1 root root 46780 Aug 24 2016 /usr/bin/crontab
-rwsr-xr-x. 1 root root 69452 May 11 2016 /usr/bin/chage
---s--x--x. 1 root root 126720 Jun 23 2017 /usr/bin/sudo
-rws--x--x. 1 root root 16616 Mar 22 2017 /usr/bin/chfn
-rwsr-xr-x. 1 root root 34828 May 11 2016 /usr/bin/newgrp
-rwsr-xr-x. 1 root root 74064 May 11 2016 /usr/bin/gpasswd
---s--x--- 1 root stapusr 178148 Mar 22 2017 /usr/bin/staprun
-rws--x--x. 1 root root 15432 Mar 22 2017 /usr/bin/chsh
-rwsr-xr-x. 1 root root 34168 Mar 22 2017 /sbin/unix_chkpwd
-rwsr-xr-x. 1 root root 9596 Mar 22 2017 /sbin/pam_timestamp_check
-rwsr-xr-x. 1 root root 34188 Mar 23 2017 /bin/su
-rwsr-xr-x. 1 root root 77456 Mar 22 2017 /bin/mount
-rwsr-xr-x. 1 root root 32080 Mar 22 2017 /bin/ping6
-rwsr-xr-x. 1 root root 50312 Mar 22 2017 /bin/umount
-rwsr-xr-x. 1 root root 36732 Mar 22 2017 /bin/ping

I don't know what to try, since this is my first attempt at rooting anything. I'd like an algorithm... to get a rough idea of how root rights are obtained. After that I'll try to work it out on my own.