30.11.2011, 23:25   #1
b3
Registered: 18.08.2010
Posts: 352
Reputation: 105
Section map

The section map is intended for quick orientation within this branch of the forum.

Rules for posting about privilege escalation
Questions about privilege escalation go STRICTLY in the thread.

LINUX: for servers

A note on task_struct in the Linux kernel <=== !!!

Running exploits from under the web, using "Linux Kernel 2.6.23 - 2.6.24 vmsplice" as an example

CVE-2016-5195 Dirty COW: privesc via MAP_PRIVATE COW
CVE-2015-1328, Published: 2015-06-15
CVE-2015-3202 - Published: 2015-05-21
CVE-2015-1318 & CVE-2015-1862 - Published: 2015-04-14
CVE: 2015-1815 - Published: 2015-03-30
- requires polkit authorization to add/mod VPN connections to NetworkManager (default on desktop user)
CVE-2014-3153 - Published: 2014-06-05
CVE-2014-0476 - Published: 2014-06-04
Restrictions: chkrootkit running from root (for example from CRON) and /tmp not mounted noexec
CVE-2014-0038 - Published: 2014-31-01
$ zgrep CONFIG_X86_X32 /proc/config.gz
$ zcat /proc/config.gz | grep CONFIG_X86_X32
$ cat /boot/config-`uname -r` | grep CONFIG_X86_X32
Exim with Dovecot RCE (OSVDB-ID: 93004) - Published: 2013-06-05
CVE-2013-2094 - Published: 2013-05-14
$ grep -i PERF_EVENTS /boot/config-$( uname -r )
$ zgrep -i PERF_EVENTS /proc/config.gz

CVE-2013-1763 - Published: 2013-02-24
CVE-2013-0871 - Published: 2013-02-18
CVE-2012-......... - Published: 2012-08-02
CVE-2012-3524 - Published: 2012-07-17
CVE-2012-2982 - Published: 2012-07-10
CVE-2012-0056 - Published: 2012-01-21
CVE-2011-4124 - Published: 2011-11-02
CVE-2011-1485 - Published: 2011-04-01 - PolicyKit vulnerability:
Published: 2011-01-05 - Ways to escalate privileges via CAPS:
CVE-2010-3847 - Published: 2010-10-15 - Glibc vulnerability:
CVE-2010-4344 - Published: 2010-12-11 - Exim
CVE-2010-4221 - Published: 2010-10-29 - ProFTPD before 1.3.3c
CVE-2010-4170 - Published: 2010-11-26 - staprun vulnerability:
$ ls -lha /usr/bin/staprun
---s--x--x 1 root root 63012 Mar 23 2010 /usr/bin/staprun
CVE-2010-3904 - Published: 2010-10-19 - Linux RDS Protocol Local Privilege Escalation (>=2.6.30-2.6.36rc8 19.10.2010):
CVE-2010-3081 - Published: 2010-09-16 (>=2.6.26 x86_64)
CVE-2010-4347 - Published: 2010-12-18 - /sys/kernel/debug/acpi/custom_method
CVE-2010-4258 - Published: 2010-12-07
CVE-2010-3301 - Published: 2010-09-16
CVE-2010-4073 - Published: 2011-09-05
CVE-2010-2959 - Published: 2010-08-27
CVE-2010-0832 - Published: 2010-07-12
CVE-2010-2961 - Published: 2010-09-08
CVE-2009-3547 - Published: 2009-11-05
CVE-2009-2698 - Published: 2009-09-02
CVE-2009-1895 - Published: 2009-07-13 (before 2.6.31-rc3)
CVE-2009-1185 - Published: 2009-04-30
CVE-2009-2692 - Published: 2009-08-24
linux-sendpage2 - Published: 2009-09-09
linux-sendpage3 - Published: 2009-08-31
CVE: 2009-1337 - Published: 2009-04-08 <2.6.29 exit_notify()
CVE-2008-568 - Published: 2011-01-10
CVE-2008-0009 - Published: 2008-02-09


Automating information gathering on a server.

Enlightenment - Linux Null PTR Dereference Exploit Framework
Choose your exploit:
[0] Cheddar Bay: Linux 2.6.30/ /dev/net/tun local root
[1] MooseCox: Linux <= pipe local root
[2] Paokara: Linux 2.6.19-> eCryptfs local root
[3] Powerglove: Linux 2.6.31 perf_counter local root
[4] The Rebel: Linux < 2.6.19 udp_sendmsg() local root
[5] CVE-2009-2267: VMWare vm86 guest local root
[6] Wunderbar Emporium: Linux 2.X sendpage() local root


WhiteCat logcleaner version 1.0 [edition]

Persistence in the system:
Additional useful links:
  • <== video
  • <== an advanced guy, he records videos, there are a lot of them there
    • Scanned the network to locate the target [Net Discover]
    • Port scanned the target to discover services [Unicorn Scan]
    • Banner grabbed the services running on the open port(s) [NMap]
    • Interacted with the web server by testing the default page, then brute forced to discover folders & files in the web root [Firefox & DirB]
    • Cloned the FTP root folder with credentials learned from the web service [ftp]
    • Analysed the 'loot' collected from the FTP service, in which to locate an additional file positioned on the web server [grep & cURL]
    • Impersonated 'Dev Server Backup', and waited for the target to communicate to the attacker using the information collected from the FTP & Web services [Unicorn Scan & IPTables & NetCat]
    • Injected a PHP payload into the backup logs, creating a backdoor into the system [Netcat & WebHandler]
    • Discovered unprotected SSH credentials, which, as it turns out are for a 'privileged' account
    • Used a kernel exploit to modify a restricted file to view what additional functions the wheel group can execute [UDEV]
    • Downloaded the user credentials for the operating system and brute forced the passwords [John The Ripper]
    • Remote logged back into the system via SSH and logged in with valid credentials for the super user
    • Discovered the flag in a different user's home folder, which has been deleted but not yet removed from the operating system
    • Explored the 'backup service' which was also triggered at the same time as the log port.

Other privilege escalation methods:

Last edited by b3; 12.12.2016 at 10:16.
