A detailed look at sudo privilege escalation
I. The sudo command
1. The man page
A sudoers entry states which user may run which commands, on which hosts, as which other user:
who which_host=(run_as) TAG:cmd
root ALL=(ALL) NOPASSWD:ALL
User_Alias Host_Alias=(Runas_Alias) Cmnd_Alias
The configuration file is /etc/sudoers. It is normally not edited directly with vi; the visudo command is used instead.
Alias definition format in the sudoers file:
Alias_Type NAME = item1, item2, …
Alias_Type = ['User_Alias', 'Runas_Alias', 'Host_Alias', 'Cmnd_Alias']
Users are written by user name, e.g. root; groups are prefixed with %, e.g. %wheel.
2. Example test
Create a user named test and use the useradd and usermod commands to test sudo.
[test@cpsword ~]$ ls -l /usr/sbin/useradd
-rwxr-x---. 1 root root 103096 12月 8 2011 /usr/sbin/useradd
[test@cpsword ~]$ useradd
-bash: /usr/sbin/useradd: 权限不够
[test@cpsword ~]$ sudo useradd
[sudo] password for test:
test is not in the sudoers file. This incident will be reported.
Use visudo to edit /etc/sudoers and add one entry:
test ALL=(root) NOPASSWD:/usr/sbin/useradd,/usr/sbin/usermod
Run sudo useradd again: the command now executes, so sudo works.
[test@cpsword ~]$ sudo useradd
[sudo] password for test:
Usage: useradd [options] LOGIN
Options:
-b, --base-dir BASE_DIR base directory for the home directory of the
new account
-c, --comment COMMENT GECOS field of the new account
-d, --home-dir HOME_DIR home directory of the new account
3. Common sudo options
The -l option
[test@cpsword ~]$ sudo -l
[sudo] password for test:
Matching Defaults entries for test on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User test may run the following commands on this host:
(root) /usr/sbin/useradd, (root) /usr/sbin/usermod
The -k option immediately invalidates the 5-minute credential timestamp, so the next sudo must prompt for the password again.
II. Privilege escalation approach (offensive view)
First, through information gathering, check whether a sudo misconfiguration may exist. If it does, obtain the password of a low-privilege user who is allowed to use sudo, and escalate from there.
1. Using bulldog as an example
Find the users that can log in by reading /etc/passwd:
django@bulldog:/home/django/bulldog$ cat /etc/passwd |grep sh$
cat /etc/passwd |grep sh$
root:x:0:0:root:/root:/bin/bash
bulldogadmin:x:1000:1000:bulldogadmin,,,:/home/bulldogadmin:/bin/bash
django:x:1001:1001:,,,:/home/django:/bin/bash
Check both users' group membership with the id command; both are in the sudo group:
django@bulldog:/home/django/bulldog$ id django
id django
uid=1001(django) gid=1001(django) groups=1001(django),27(sudo)
django@bulldog:/home/django/bulldog$ id bulldogadmin
id bulldogadmin
uid=1000(bulldogadmin) gid=1000(bulldogadmin) groups=1000(bulldogadmin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
Check the members of the sudo group in /etc/group:
django@bulldog:/home/django/bulldog$ cat /etc/group |grep sudo
cat /etc/group |grep sudo
sudo:x:27:bulldogadmin,django
Look through the hidden files in each login user's home directory for a .sudo_as_admin_successful file, which confirms that sudo has been used successfully:
django@bulldog:/home/django$ ls -al
ls -al
total 40
drwxr-xr-x 5 django django 4096 Sep 21 2017 .
drwxr-xr-x 4 root root 4096 Aug 24 2017 ..
-rw-r--r-- 1 django django 220 Aug 24 2017 .bash_logout
-rw-r--r-- 1 django django 3771 Aug 24 2017 .bashrc
drwxrwxr-x 3 django django 4096 Dec 20 07:20 bulldog
drwx------ 2 django django 4096 Sep 21 2017 .cache
drwxrwxr-x 2 django django 4096 Aug 26 2017 .nano
-rw-r--r-- 1 django django 655 Aug 24 2017 .profile
-rw-r--r-- 1 django django 0 Aug 24 2017 .sudo_as_admin_successful
-rw------- 1 django django 741 Sep 21 2017 .viminfo
-rw-rw-r-- 1 django django 217 Aug 24 2017 .wget-hsts
Sometimes sudo is configured with NOPASSWD, as below; this shows up in sudo -l:
[test@cpsword ~]$ sudo -l
Matching Defaults entries for test on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User test may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/useradd, (root) /usr/sbin/usermod
On CentOS, the wheel group plays the same role as the sudo group above.
2. From the operations perspective: why does this problem arise?
On Debian, Ubuntu and similar Linux distributions the default configuration file looks like this:
root@bulldog:~# cat /etc/sudoers
cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d
Many Linux administrators do not understand sudo deeply and simply assume that adding a user to the sudo group is the way to grant root privileges, without any fine-grained allocation of permissions, just as many administrators run chmod 777 file when all they need is chmod +x file. The permissions granted are far broader than needed: the required function works, but it leaves an opening for an attacker to escalate privileges. This privilege escalation therefore stems entirely from a sudo misconfiguration by the administrator.
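As an added example (not part of the original article), the following Python audit parses user specifications in the `who which_host=(run_as) TAG:cmd` shape described in section I and flags the two patterns this section warns about: a group granted ALL, and NOPASSWD entries. The sudoers text is a constructed sample that copies the default above plus the test entry from section I; aliases are not expanded.

```python
import re
from typing import Dict, List

# Constructed sample, not a real host's file: the Debian/Ubuntu default quoted
# above plus the `test` entry from section I.
SAMPLE_SUDOERS = """\
# This file MUST be edited with the 'visudo' command as root.
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
test ALL=(root) NOPASSWD:/usr/sbin/useradd,/usr/sbin/usermod
#includedir /etc/sudoers.d
"""

# who which_host=(run_as) TAG:cmd -- the user-spec shape from the man page
SPEC_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")

def parse_user_specs(text: str) -> List[Dict]:
    """One dict per user specification; Defaults, comments, #include and
    alias-definition lines are skipped (aliases are not expanded here)."""
    specs = []
    for raw in text.splitlines():
        line = raw.strip()
        if (not line or line.startswith("#") or line.startswith("Defaults")
                or line.split()[0].endswith("_Alias")):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        # Tags such as NOPASSWD: or SETENV: sit between the runas and the commands
        while ":" in rest and rest.split(":", 1)[0].isupper():
            tag, rest = rest.split(":", 1)
            tags.append(tag.strip())
        specs.append({"who": m.group("who"), "host": m.group("host"),
                      "runas": m.group("runas") or "root",
                      "tags": tags, "cmds": rest.strip()})
    return specs

def audit(specs: List[Dict]) -> List[str]:
    """Flag grants broader than a task needs; root's own entry is expected."""
    findings = []
    for s in specs:
        if s["who"] == "root":
            continue
        if s["cmds"] == "ALL":
            findings.append(f"{s['who']}: may run ALL as ({s['runas']}) -> full root for every member")
        elif "NOPASSWD" in s["tags"]:
            findings.append(f"{s['who']}: NOPASSWD for {s['cmds']} -> keep this list minimal")
    return findings
```

Running `audit(parse_user_specs(SAMPLE_SUDOERS))` reports %admin, %sudo and the NOPASSWD entry for test; on a real host feed it the output of `visudo -c` plus the contents of /etc/sudoers.d.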
III. Blue-team defensive approach
1. Log extraction
Check the /f file to see where logs of the auth,authpriv.* facilities are written:
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*; -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
Filter the sudo events out with grep; the privilege escalation actions then stand out clearly:
root@bulldog:/etc/rsyslog.d# grep 'sudo' /var/log/auth.log
Dec 24 20:25:14 bulldog sudo: django : TTY=pts/0 ; PWD=/home/bulldogadmin/.hiddenadmindirectory ; USER=root ; COMMAND=/bin/su -
Dec 24 21:11:10 bulldog sudo: django : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/tmp/LinEnum ; USER=root ; COMMAND=list
Dec 25 04:04:26 bulldog sudo: django : TTY=pts/0 ; PWD=/tmp/LinEnum ; USER=root ; COMMAND=list
Dec 25 04:05:26 bulldog sudo: django : TTY=pts/0 ; PWD=/tmp/LinEnum ; USER=root ; COMMAND=/bin/su -
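Beyond grep, the sudo lines have a fixed structure that can be parsed and classified. The following Python detector is an added example (not from the original article); the log text is a constructed sample that re-types the four events above plus one non-sudo sshd line to show that unrelated lines are ignored. It labels `COMMAND=list` as enumeration (sudo -l), a shell binary as a root shell, and carries the "incorrect password attempt" count through.

```python
import re
from typing import Dict, List

# Constructed sample in the auth.log format shown above (events re-typed from
# the bulldog walkthrough plus one sshd line); not a live log.
SAMPLE_AUTH_LOG = """\
Dec 24 20:25:14 bulldog sudo: django : TTY=pts/0 ; PWD=/home/bulldogadmin/.hiddenadmindirectory ; USER=root ; COMMAND=/bin/su -
Dec 24 21:11:10 bulldog sudo: django : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/tmp/LinEnum ; USER=root ; COMMAND=list
Dec 25 04:04:26 bulldog sudo: django : TTY=pts/0 ; PWD=/tmp/LinEnum ; USER=root ; COMMAND=list
Dec 25 04:05:26 bulldog sudo: django : TTY=pts/0 ; PWD=/tmp/LinEnum ; USER=root ; COMMAND=/bin/su -
Dec 25 04:06:00 bulldog sshd[1234]: Accepted password for django from 10.0.0.5 port 50000 ssh2
"""

# "<timestamp> <host> sudo: <user> : [N incorrect password attempt(s) ;] TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s\d\d:\d\d:\d\d)\s(?P<host>\S+)\ssudo:\s+(?P<user>\S+)\s:\s"
    r"(?:(?P<failed>\d+) incorrect password attempts? ; )?"
    r"TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$")

# Commands that hand the caller an interactive shell as the target user
SHELLS = {"su", "bash", "sh", "dash", "zsh"}

def classify(cmd: str) -> str:
    """'list' is sudo -l (enumeration); a shell binary is a full takeover."""
    if cmd == "list":
        return "enumerate"
    first = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the executed binary
    return "root_shell" if first in SHELLS else "other"

def parse_sudo_events(log: str) -> List[Dict]:
    events = []
    for line in log.splitlines():
        m = SUDO_RE.match(line)
        if not m:
            continue  # not a sudo line (sshd, cron, ...)
        d = m.groupdict()
        d["failed"] = int(d["failed"] or 0)
        d["kind"] = classify(d["cmd"])
        events.append(d)
    return events

def suspicious(events: List[Dict]) -> List[str]:
    """Report failed attempts, enumeration and shell spawns with who/where context."""
    return [f"{e['ts']} {e['user']} -> {e['runas']}: {e['kind']} "
            f"(failed={e['failed']}) cmd={e['cmd']} pwd={e['pwd']}"
            for e in events if e["failed"] or e["kind"] != "other"]
```

The PWD field is worth keeping in the report: here it points at /tmp/LinEnum and a hidden directory under another user's home, both of which tell the responder what preceded the escalation.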