OSCP备考的干货知识~
- 各种shell的姿势汇总:https://github.com/swisskyrepo/PayloadsAllTheThings
Linux 信息收集
-
Linux SUID 提权
suid 辅助信息收集脚本: linux-pe-suid.sh
原理:
#以下命令将尝试查找具有root权限的SUID的文件,不同系统适用于不同的命令,请逐个尝试
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000-print2>/dev/null
find / -user root -perm -4000-exec ls -ldb {} \;
已知的可用来提权的linux可行性的文件列表如下:
| 表头 | 表头 | 表头 |
|---|---|---|
| ash | chroot | docker |
| base32 | csh | emacs |
| base64 | curl | gdb |
| bash | cut | env |
| busybox | dash | eqn |
| cp | date | expand |
| cat | dd | expect |
| chmod | dialog | file |
| chown | diff | find |
| docker | dmsetup | flock |
| fmt | jq | nano |
| fold | jrunscript | |
| gimp | ksh | nice |
| grep | ksshell | nl |
| gtester | ld.so | node |
| hd | less | nohup |
| head | logsave | od |
| hexdump | look | openssl |
| highlight | lwp-download | perl |
| iconv | lwp-request | pg |
| ionice | make | php |
| ip | more | pico |
| jjs | mv | python |
| readelf | setarch | strings |
| restic | shuf | sysctl |
| rlwrap | soelim | systemctl |
| rpm | sort | tac |
| rpmquery | start | tail |
| rsync | stop | taskset |
| run-parts | daemon | tclsh |
| rvim | stdbuf | tcpdump(未验证) |
| sed | strace | tee |
| tftp | uniq | watch |
| time | unshare | wget |
| timeout | uudecode | xargs |
| ul | uuencode | xxd |
| unexpand | vim/vi | xz |
| zsh | zsoelim | 其他脚本文件 |
Windows系统与版本号对比:
提权方法:
Windows 自动化提权工具: