RDot

RDot (https://rdot.org/forum/index.php)
-   Privilege escalation (https://rdot.org/forum/forumdisplay.php?f=24)
-   -   Section map (https://rdot.org/forum/showthread.php?t=1860)

b3 01.12.2011 00:25

Section map

The section map is intended for quick orientation within this branch of the forum.

Rules for posting about privilege escalation
Questions about privilege escalation go STRICTLY in that thread.
FREEBSD:




LINUX:


System.map for servers

Note on task_struct in the Linux kernel <=== !!!

Running exploits from under the web, using "Linux Kernel 2.6.23 - 2.6.24 vmsplice" as the example



CVE-2016-5195 Dirty COW: privesc via MAP_PRIVATE COW
CVE-2015-1328, Published: 2015-06-15
CVE-2015-3202 - Published: 2015-05-21
CVE-2015-1318 & CVE-2015-1862 - Published: 2015-04-14
CVE: 2015-1815 - Published: 2015-03-30
Code:

- requires polkit authorization to add/mod VPN connections to NetworkManager (default on desktop user)
CVE-2014-3153 - Published: 2014-06-05
CVE-2014-0476 - Published: 2014-06-04
Code:

Restrictions: chkrootkit running from root (for example from CRON) and /tmp not mounted noexec
CVE-2014-0038 - Published: 2014-31-01
Code:

$ zgrep CONFIG_X86_X32 /proc/config.gz
$ zcat /proc/config.gz | grep CONFIG_X86_X32
$ cat /boot/config-`uname -r` | grep CONFIG_X86_X32

Exim with Dovecot RCE (OSVDB-ID: 93004) - Published: 2013-06-05
CVE-2013-2094 - Published: 2013-05-14
Code:

$ grep -i PERF_EVENTS /boot/config-$( uname -r )
$ zgrep -i PERF_EVENTS /proc/config.gz

CONFIG_HAVE_PERF_EVENTS=y
CONFIG_PERF_EVENTS=y
CONFIG_HAVE_PERF_EVENTS_NMI=y

CVE-2013-1763 - Published: 2013-02-24
CVE-2013-0871 - Published: 2013-02-18
CVE-2012-......... - Published: 2012-08-02
CVE-2012-3524 - Published: 2012-07-17
CVE-2012-2982 - Published: 2012-07-10
CVE-2012-0056 - Published: 2012-01-21
CVE-2011-4124 - Published: 2011-11-02
CVE-2011-1485 - Published: 2011-04-01 - PolicyKit vulnerability:
Published: 2011-01-05 - Ways of gaining privileges via CAPS:
CVE-2010-3847 - Published: 2010-10-15 - Glibc vulnerability:
CVE-2010-4344 - Published: 2010-12-11 - Exim
CVE-2010-4221 - Published: 2010-10-29 - ProFTPD before 1.3.3c
CVE-2010-4170 - Published: 2010-11-26 - staprun vulnerability:
Code:

$ ls -lha /usr/bin/staprun
---s--x--x 1 root root 63012 Mar 23 2010 /usr/bin/staprun

CVE-2010-3904 - Published: 2010-10-19 - Linux RDS Protocol Local Privilege Escalation (>=2.6.30-2.6.36rc8 19.10.2010):
CVE-2010-3081 - Published: 2010-09-16 (>=2.6.26 x86_64)
CVE-2010-4347 - Published: 2010-12-18 - /sys/kernel/debug/acpi/custom_method
CVE-2010-4258 - Published: 2010-12-07
CVE-2010-3301 - Published: 2010-09-16
CVE-2010-4073 - Published: 2011-09-05
CVE-2010-2959 - Published: 2010-08-27
CVE-2010-0832 - Published: 2010-07-12
CVE-2010-2961 - Published: 2010-09-08
CVE-2009-3547 - Published: 2009-11-05
CVE-2009-2698 - Published: 2009-09-02
CVE-2009-1895 - Published: 2009-07-13 (before 2.6.31-rc3)
CVE-2009-1185 - Published: 2009-04-30
CVE-2009-2692 - Published: 2009-08-24
linux-sendpage2 - Published: 2009-09-09
linux-sendpage3 - Published: 2009-08-31
CVE: 2009-1337 - Published: 2009-04-08 <2.6.29 exit_notify()
  • http://www.exploit-db.com/exploits/8369/
CVE-2008-568 - Published: 2011-01-10
CVE-2008-0009 - Published: 2008-02-09

Toolkit:

Automated information gathering on the server.
https://rdot.org/forum/showthread.php?t=2014
https://rdot.org/forum/attachment.ph...0&d=1343389768

Enlightenment - Linux Null PTR Dereference Exploit Framework
Quote:

Choose your exploit:
[0] Cheddar Bay: Linux 2.6.30/2.6.30.1 /dev/net/tun local root
[1] MooseCox: Linux <= 2.6.31.5 pipe local root
[2] Paokara: Linux 2.6.19->2.6.31.1 eCryptfs local root
[3] Powerglove: Linux 2.6.31 perf_counter local root
[4] The Rebel: Linux < 2.6.19 udp_sendmsg() local root
[5] CVE-2009-2267: VMWare vm86 guest local root
[6] Wunderbar Emporium: Linux 2.X sendpage() local root

LOG CLEANING:

WhiteCat logcleaner version 1.0 [edition]
Log-Wipers

Persistence in the system:
Additional useful links:
  • http://www.win.tue.nl/~aeb/linux/hh/hh.html
  • http://www.exploit-db.com/local/
  • http://www.securityfocus.com/vulnerabilities
  • https://bugzilla.redhat.com/query.cgi
  • http://xorl.wordpress.com/
  • http://th3-0utl4ws.com/localroot/
  • http://pool-27-1.na.tl:90/Local_Root_Exploits/
  • http://poc-hack.blogspot.ru/2012/08/...el-1-part.html <== video
  • http://g0tmi1k.blogspot.ru/2012/09/v...r-scene-1.html <== an advanced guy who makes videos; there are many of them there
    Quote:

    • Scanned the network to locate the target [Net Discover]
    • Port scanned the target to discover services [Unicorn Scan]
    • Banner grabbed the services running on the open port(s) [NMap]
    • Interacted with the web server by testing the default page, then brute forced to discover folders & files in the web root [Firefox & DirB]
    • Cloned the FTP root folder with credentials learned from the web service [ftp]
    • Analysed the 'loot' collected from the FTP service, in which to locate an additional file positioned on the web server [grep & cURL]
    • Impersonated 'Dev Server Backup', and waited for the target to communicate to the attacker using the information collected from the FTP & Web services [Unicorn Scan & IPTables & NetCat]
    • Injected a PHP payload into the backup logs, creating a backdoor into the system [Netcat & WebHandler]
    • Discovered unprotected SSH credentials, which, as it turns out are for a 'privileged' account
    • Used a kernel exploit to modify a restricted file to view what additional functions the wheel group can execute [UDEV]
    • Downloaded the user credentials for the operating system and brute forced the passwords [John The Ripper]
    • Remote logged back into the system via SSH and logged in with valid credentials for the super user
    • Discovered the flag in a different user's home folder, which has been deleted but not yet, removed from the operating system
    • Explored the 'backup service' which was also triggered at the same time as the log port.


Other privilege escalation methods:

