最新消息:

Ubuntu最新提权漏洞复现

渗透测试 jishuzhain 815浏览 0评论

## ubuntu16.04 查看内核,升级内核,删除内核

### 1:查看内核列表
“`cpp
sudo dpkg –get-selections |grep linux-image

linux-image-4.4.0-21-generic
install

linux-image-4.4.0-66-generic deinstall

linux-image-4.4.0-70-generic deinstall

linux-image-4.4.0-71-generic install

linux-image-4.4.0-72-generic install
“`

### 2:查看当前使用的内核
“`cpp
uname -r

4.4.0-21-generic
“`

### 3:升级/安装内核

sudo apt-get install linux-image-4.4.0-75-generic

### 4:删除内核

tip:删除当前版本重启会使用低一级的已安装内核,如果是最后一个内核版本删除之后重启会进入BIOS界面

sudo apt-get remove linux-image-4.4.0-75-generic

### 5:切换内核

参考:http://blog.csdn.net/u011304615/article/details/70920171

切换内核启动

1.该命令显示内核的启动顺序

zgw@zgw-ThinkPad:~$ grep menuentry /boot/grub/grub.cfg
if [ x"${feature_menuentry_id}" = xy ]; then
menuentry_id_option="--id"
menuentry_id_option=""
export menuentry_id_option
menuentry 'Ubuntu' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-simple-5bce3795-da96-4c6f-bed2-67d37185a77d' {
submenu 'Ubuntu 高级选项' $menuentry_id_option 'gnulinux-advanced-5bce3795-da96-4c6f-bed2-67d37185a77d' {
menuentry 'Ubuntu,Linux 4.8.0-26-lowlatency' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-45-lowlatency-advanced-5bce3795-da96-4c6f-bed2-67d37185a77d' {
menuentry 'Ubuntu, with Linux 4.8.0-26-lowlatency (upstart)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-45-lowlatency-init-upstart-5bce3795-da96-4c6f-bed2-67d37185a77d' {
menuentry 'Ubuntu, with Linux 4.8.0-26-lowlatency (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-45-lowlatency-recovery-5bce3795-da96-4c6f-bed2-67d37185a77d' {
menuentry 'Ubuntu,Linux 4.8.0-26-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-45-generic-advanced-5bce3795-da96-4c6f-bed2-67d37185a77d' {
menuentry 'Ubuntu, with Linux 4.8.0-26-generic (upstart)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-45-generic-init-upstart-5bce3795-da96-4c6f-bed2-67d37185a77d' {
menuentry 'Ubuntu, with Linux 4.8.0-26-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-45-generic-recovery-5bce3795-da96-4c6f-bed2-67d37185a77d' {
menuentry 'Ubuntu,Linux 4.4.0-21-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-21-generic-advanced-5bce3795-da96-4c6f-bed2-67d37185a77d' {
menuentry 'Ubuntu, with Linux 4.4.0-21-generic (upstart)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-21-generic-init-upstart-5bce3795-da96-4c6f-bed2-67d37185a77d' {
menuentry 'Ubuntu, with Linux 4.4.0-21-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.4.0-21-generic-recovery-5bce3795-da96-4c6f-bed2-67d37185a77d' {
menuentry 'Memory test (memtest86+)' {
menuentry 'Memory test (memtest86+, serial console 115200)' {

2.假设你要以4.4.0-21内核版本启动,则将文件/etc/default/grub中GRUB_DEFAULT=0 改为 GRUB_DEFAULT=6或者改为GRUB_DEFAULT=”Ubuntu,Linux 4.4.0-21-generic“保存后

3.然后使用命令sudo update-grub

4.重新启动后输入uname -r查看,内核即为想要的内核。

5.直接把/boot/中4.8.0-26相关的文件及文件夹全部删除。命令如下:

sudo rm -rf *4.8.0-26*

6.然后修改了配置文件:/boot/grub/grub.cfg
“`cpp
sudo cp /etc/boot/grub/grub.cfg /etc/boot/grub/grub.cfg.bak.zgw
sudo vim /etc/boot/grub/grub.cfg
“`
7.找到如下代码块(我的为148,149行):
“`cpp
linux /vmlinuz-4.8.0-26-generic root=UUID=5bce3795-da96-4c6f-bed2-67d37185a77d ro quiet splash $vt_handoff
initrd /initrd.img-4.8.0-26-generic
“`
将其改为自己想使用的内核,我的如下:
“`cpp
linux /vmlinuz-4.4.0-45-generic root=UUID=5bce3795-da96-4c6f-bed2-67d37185a77d ro quiet splash $vt_handoff
initrd /initrd.img-4.5.0-45-generic
“`
8.然后重启电脑就可以了,如若不行,请找如下代码块(我的为151行)。

submenu ‘Ubuntu 高级选项’ $menuentry_id_option ‘gnulinux-advanced-5bce3795-da96-4c6f-bed2-67d37185a77d’

9.将此行代码下的与4.8.0-26相关的代码全部删除(我的为152~263行)然后重启就可以了。

```cpp
menuentry 'Ubuntu,Linux 4.8.0-26-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.8.0-26-generic-advanced-5bce3795-da96-4c6f-bed2-67d37185a77d' {
recordfail
load_video
gfxmode $linux_gfx_mode
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 88421677-a988-4ff9-bf29-6c56aa4a9027
else
search --no-floppy --fs-uuid --set=root 88421677-a988-4ff9-bf29-6c56aa4a9027
fi
echo '载入 Linux 4.8.0-26-generic ...'
linux /vmlinuz-4.8.0-26-generic root=UUID=5bce3795-da96-4c6f-bed2-67d37185a77d ro quiet splash $vt_handoff
echo '载入初始化内存盘...'
initrd /initrd.img-4.8.0-26-generic
}
menuentry 'Ubuntu, with Linux 4.8.0-26-generic (upstart)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.8.0-26-generic-init-upstart-5bce3795-da96-4c6f-bed2-67d37185a77d' {
recordfail
load_video
gfxmode $linux_gfx_mode
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 88421677-a988-4ff9-bf29-6c56aa4a9027
else
search --no-floppy --fs-uuid --set=root 88421677-a988-4ff9-bf29-6c56aa4a9027
fi
echo '载入 Linux 4.8.0-26-generic ...'
linux /vmlinuz-4.8.0-26-generic root=UUID=5bce3795-da96-4c6f-bed2-67d37185a77d ro quiet splash $vt_handoff init=/sbin/upstart
echo '载入初始化内存盘...'
initrd /initrd.img-4.8.0-26-generic
}
menuentry 'Ubuntu, with Linux 4.8.0-26-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.8.0-26-generic-recovery-5bce3795-da96-4c6f-bed2-67d37185a77d' {
recordfail
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 88421677-a988-4ff9-bf29-6c56aa4a9027
else
search --no-floppy --fs-uuid --set=root 88421677-a988-4ff9-bf29-6c56aa4a9027
fi
echo '载入 Linux 4.8.0-26-generic ...'
linux /vmlinuz-4.8.0-26-generic root=UUID=5bce3795-da96-4c6f-bed2-67d37185a77d ro recovery nomodeset
echo '载入初始化内存盘...'
initrd /initrd.img-4.8.0-26-generic
}
menuentry 'Ubuntu,Linux 4.8.0-22-generic' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.8.0-22-generic-advanced-5bce3795-da96-4c6f-bed2-67d37185a77d' {
recordfail
load_video
gfxmode $linux_gfx_mode
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 88421677-a988-4ff9-bf29-6c56aa4a9027
else
search --no-floppy --fs-uuid --set=root 88421677-a988-4ff9-bf29-6c56aa4a9027
fi
echo '载入 Linux 4.8.0-22-generic ...'
linux /vmlinuz-4.8.0-22-generic root=UUID=5bce3795-da96-4c6f-bed2-67d37185a77d ro quiet splash $vt_handoff
echo '载入初始化内存盘...'
initrd /initrd.img-4.8.0-22-generic
}
menuentry 'Ubuntu, with Linux 4.8.0-22-generic (upstart)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.8.0-22-generic-init-upstart-5bce3795-da96-4c6f-bed2-67d37185a77d' {
recordfail
load_video
gfxmode $linux_gfx_mode
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 88421677-a988-4ff9-bf29-6c56aa4a9027
else
search --no-floppy --fs-uuid --set=root 88421677-a988-4ff9-bf29-6c56aa4a9027
fi
echo '载入 Linux 4.8.0-22-generic ...'
linux /vmlinuz-4.8.0-22-generic root=UUID=5bce3795-da96-4c6f-bed2-67d37185a77d ro quiet splash $vt_handoff init=/sbin/upstart
echo '载入初始化内存盘...'
initrd /initrd.img-4.8.0-22-generic
}
menuentry 'Ubuntu, with Linux 4.8.0-22-generic (recovery mode)' --class ubuntu --class gnu-linux --class gnu --class os $menuentry_id_option 'gnulinux-4.8.0-22-generic-recovery-5bce3795-da96-4c6f-bed2-67d37185a77d' {
recordfail
load_video
insmod gzio
if [ x$grub_platform = xxen ]; then insmod xzio; insmod lzopio; fi
insmod part_msdos
insmod ext2
set root='hd0,msdos1'
if [ x$feature_platform_search_hint = xy ]; then
search --no-floppy --fs-uuid --set=root --hint-bios=hd0,msdos1 --hint-efi=hd0,msdos1 --hint-baremetal=ahci0,msdos1 88421677-a988-4ff9-bf29-6c56aa4a9027
else
search --no-floppy --fs-uuid --set=root 88421677-a988-4ff9-bf29-6c56aa4a9027
fi
echo '载入 Linux 4.8.0-22-generic ...'
linux /vmlinuz-4.8.0-22-generic root=UUID=5bce3795-da96-4c6f-bed2-67d37185a77d ro recovery nomodeset
echo '载入初始化内存盘...'
initrd /initrd.img-4.8.0-22-generic
}
```

参考:http://blog.csdn.net/u011304615/article/details/70919711

**Ubuntu 更换内核**

方法一:想到了使用bbr一键脚本时,会自动升级内核,查看脚本找到方法。这里还是使用注明的方法吧。

如果是 Debian/Ubuntu 系统,则需要手动下载最新版内核来安装升级。

如果系统是 64 位,则下载 amd64 的 linux-image 中含有 generic 这个 deb 包;

如果系统是 32 位,则下载 i386 的 linux-image 中含有 generic 这个 deb 包;

安装的命令如下(以的 64 位 4.9.3 举例而已,请替换为下载好的 deb 包):

dpkg -i linux-image-4.9.3-040903-generic_4.9.3-040903.201701120631_amd64.deb

安装完成后,再执行命令:

/usr/sbin/update-grub

最后,重启 VPS 即可。

最后自己失败了,使用了Ubuntu替换内核,无奈,春秋出了实验环境,正好就试试吧,非常轻松就提升了权限。
https://www.ichunqiu.com/course/61487?trec=b

下载exploit文件

登陆到普通用户

成功

http://ovi0g999d.bkt.clouddn.com/201803211831_135.c

### 谨以此文致敬那些年用过的Ubuntu

转载请注明:即刻安全 » Ubuntu最新提权漏洞复现

您必须 登录 才能发表评论!



合作伙伴