sudo提权详解
一、sudo命令
1、man手册
- 某个用户能够以另外哪一个用户身份、通过哪些主机、执行哪些命令
| who | which_host=(run_as) | TAG:cmd |
|---|---|---|
| root | ALL=(ALL) | NOPASSWD:ALL |
| User_Alias | Host_Alias=(Runas_Alias) | Cmnd_Alias |
- 配置文件/etc/sudoers,修改该文件一般不直接vi,常使用visudo命令修改。
- sudoers文件中Alias定义格式:
Alias_Type NAME = item1, item2, …
Alias_Type = [‘User_Alias’,‘Runas_Alias’,‘Host_Alias’,‘Cmnd_Alias’] - 用户直接用用户名,如root。组使用%引导表示,如%wheel。
2、实例测试
- 新建test用户,使用useradd,usermod命令测试sudo。
[test@cpsword ~]$ ls -l /usr/sbin/useradd
-rwxr-x---. 1 root root 103096 12月 8 2011 /usr/sbin/useradd
[test@cpsword ~]$ useradd
-bash: /usr/sbin/useradd: 权限不够
[test@cpsword ~]$ sudo useradd
[sudo] password for test:
test is not in the sudoers file. This incident will be reported.
- visudo编辑/etc/sudoers文件加入一条记录
test ALL=(root) NOPASSWD:/usr/sbin/useradd,/usr/sbin/usermod
- 再次测试sudo useradd命令成功执行,sudo成功。
[test@cpsword ~]$ sudo useradd
[sudo] password for test:
Usage: useradd [options] LOGIN
Options:
-b, --base-dir BASE_DIR base directory for the home directory of the
new account
-c, --comment COMMENT GECOS field of the new account
-d, --home-dir HOME_DIR home directory of the new account
3、sudo常用选项
- -l 参数
[test@cpsword ~]$ sudo -l
[sudo] password for test:
Matching Defaults entries for test on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User test may run the following commands on this host:
(root) /usr/sbin/useradd, (root) /usr/sbin/usermod
- -k 参数,立即消除5分钟timestamp的时效性。下次sudo必须输入密码。
二、渗透提权思路
首先通过信息收集,查看是否存在sudo配置不当的可能。如果存在,寻找低权限sudo用户的密码,进而提权。
1、以vulnhub.com的bulldog为例
- 通过查看/etc/passwd文件找到登录用户
django@bulldog:/home/django/bulldog$ cat /etc/passwd | grep sh$
cat /etc/passwd | grep sh$
root:x:0:0:root:/root:/bin/bash
bulldogadmin:x:1000:1000:bulldogadmin,,,:/home/bulldogadmin:/bin/bash
django:x:1001:1001:,,,:/home/django:/bin/bash
- 通过id命令查看两个用户所属组,发现两id都在sudo组中
django@bulldog:/home/django/bulldog$ id django
id django
uid=1001(django) gid=1001(django) groups=1001(django),27(sudo)
django@bulldog:/home/django/bulldog$ id bulldogadmin
id bulldogadmin
uid=1000(bulldogadmin) gid=1000(bulldogadmin) groups=1000(bulldogadmin),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
- 通过查看/etc/group文件查看sudo组成员
django@bulldog:/home/django/bulldog$ cat /etc/group | grep sudo
cat /etc/group | grep sudo
sudo:x:27:bulldogadmin,django
- 通过查看各登录用户家目录隐藏文件,寻找.sudo_as_admin_seccessful文件,证实sudo成功使用。
django@bulldog:/home/django$ ls -al
ls -al
total 40
drwxr-xr-x 5 django django 4096 Sep 21 2017 .
drwxr-xr-x 4 root root 4096 Aug 24 2017 ..
-rw-r--r-- 1 django django 220 Aug 24 2017 .bash_logout
-rw-r--r-- 1 django django 3771 Aug 24 2017 .bashrc
drwxrwxr-x 3 django django 4096 Dec 20 07:20 bulldog
drwx------ 2 django django 4096 Sep 21 2017 .cache
drwxrwxr-x 2 django django 4096 Aug 26 2017 .nano
-rw-r--r-- 1 django django 655 Aug 24 2017 .profile
-rw-r--r-- 1 django django 0 Aug 24 2017 .sudo_as_admin_successful
-rw------- 1 django django 741 Sep 21 2017 .viminfo
-rw-rw-r-- 1 django django 217 Aug 24 2017 .wget-hsts
- 在某些时刻sudo被设置为NOPASSWD如下,可以sudo -l
[test@cpsword ~]$ sudo -l
Matching Defaults entries for test on this host:
requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE
LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User test may run the following commands on this host:
(root) NOPASSWD: /usr/sbin/useradd, (root) /usr/sbin/usermod
- 对于centos操作系统,其中wheel组,类似于上面的sudo组
2、以运维角度看,为何会出现此问题
debian和ubuntu等linux发行版的配置文件默认如下
在这里插入代码root@bulldog:~# cat /etc/sudoers
cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
# Host alias specification
# User alias specification
# Cmnd alias specification
# User privilege specification
root ALL=(ALL:ALL) ALL
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# See sudoers(5) for more information on "#include" directives:
#includedir /etc/sudoers.d片
很多linux运维由于对sudo命令理解不深,只是单纯以为加入sudo组的用户可以赋予root权限,而没有对权限分配作细化分配,就如很多linux运维在chomod +x file时候直接给与chomd 777 file一样,过大了分配了权限,虽然能够达到其使用的功能,但实际给黑客提权留下了操作漏洞。因此,这个提权漏洞完全是因为linux运维的配置不当引起的。
三、蓝队防御思路
1、日志提取
查看/etc/rsysylog.conf文件,查看auth,authpriv.*类别的日志保存的文件位置。
# First some standard log files. Log by facility.
#
auth,authpriv.* /var/log/auth.log
*.*;auth,authpriv.none -/var/log/syslog
#cron.* /var/log/cron.log
#daemon.* -/var/log/daemon.log
kern.* -/var/log/kern.log
#lpr.* -/var/log/lpr.log
mail.* -/var/log/mail.log
#user.* -/var/log/user.log
通过grep命令过滤出sudo行为的动作,从而清晰找到提权动作。
root@bulldog:/etc/rsyslog.d# grep 'sudo' /var/log/auth.log
Dec 24 20:25:14 bulldog sudo: django : TTY=pts/0 ; PWD=/home/bulldogadmin/.hiddenadmindirectory ; USER=root ; COMMAND=/bin/su -
Dec 24 21:11:10 bulldog sudo: django : 1 incorrect password attempt ; TTY=pts/0 ; PWD=/tmp/LinEnum ; USER=root ; COMMAND=list
Dec 25 04:04:26 bulldog sudo: django : TTY=pts/0 ; PWD=/tmp/LinEnum ; USER=root ; COMMAND=list
Dec 25 04:05:26 bulldog sudo: django : TTY=pts/0 ; PWD=/tmp/LinEnum ; USER=root ; COMMAND=/bin/su -