tricks.md

Here you can find some tricks I learned over the years of doing security work.

## Python one-line import

Python's `__import__` builtin is an ordinary function, not a statement, so it can import a module inside a single expression where an `import` statement is not allowed (an `eval()` or `lambda` context, a `python -c` one-liner, or a filter that only accepts one expression). This lets you run module code in one line and bypass such restrictions:

```python
__import__('some_module').some_function()
```
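As an added example (not part of the original tricks file), the following shows why the one-line import works where an `import` statement does not, and one gotcha with dotted module names. `run_expression` is a constructed stand-in for an expression-only context such as `eval()`:

```python
import importlib


def run_expression(expr: str):
    """Evaluate a single Python expression. Constructed stand-in for contexts
    such as eval(), a lambda body or a filter that only accepts expressions."""
    return eval(expr)  # deliberately evaluating attacker-style input


def import_statement_is_rejected() -> bool:
    """An import *statement* is a SyntaxError in an expression context."""
    try:
        run_expression("import base64")
    except SyntaxError:
        return True
    return False


def one_line_import(module: str, attr: str):
    """__import__ is a plain builtin, so it works anywhere an expression works."""
    return getattr(__import__(module), attr)


def top_level_module_name(dotted: str) -> str:
    """Gotcha: __import__('a.b') returns the top-level package 'a', not 'a.b'."""
    return __import__(dotted).__name__


def submodule_import(dotted: str):
    """Two ways to get the submodule itself: a non-empty fromlist, or importlib."""
    via_fromlist = __import__(dotted, fromlist=["_"])
    via_importlib = importlib.import_module(dotted)
    assert via_fromlist is via_importlib
    return via_fromlist


if __name__ == "__main__":
    print(import_statement_is_rejected())
    print(run_expression("__import__('base64').b64encode(b'hi')"))
    print(top_level_module_name("os.path"), submodule_import("os.path").__name__)
```

The fromlist gotcha matters in one-liners: `__import__('os.path').join(...)` fails because you get `os`, not `os.path`; pass a non-empty `fromlist` or use `importlib.import_module` when you need the submodule object.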

## Upgrade Reverse Shell with Python

A caught reverse shell is usually a primitive shell: no tab completion, no ctrl-c and no `clear`. Upgrading it fixes these. First spawn a proper pseudoterminal (pty) so that programs on the remote side see a real terminal; with Python:

```bash
python -c "import pty; pty.spawn('/bin/bash')" # Spawn a pseudo tty
```

This lets you interact with everything as you would in a normal terminal. Now disable local echo so your commands are not displayed twice, and put your local terminal into raw mode so that keystrokes like ctrl-c are passed straight through to the pseudoterminal instead of being handled by your own shell:

```bash
# Press ctrl-z to background the reverse shell, then run this in your LOCAL terminal,
# not in the reverse shell. (In zsh the ;fg must be on the same line; in bash the
# two commands can be run separately.)
stty -echo raw;fg
# You might need to press enter one or two times
export TERM=xterm # Run this in the pseudo terminal again so that clear and other curses programs work
```

If full-screen programs render badly, the pty does not know your window size: read it with stty locally and set the same rows and columns with stty inside the pseudoterminal. When you are done, your local terminal is still in raw mode without echo, so run `reset` there to restore it.
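Why the pty step is needed, as an added example that is not from the original file: programs decide whether to behave interactively (readline, job control, colour) by asking whether their stdin is a terminal. A reverse shell whose stdin is a socket or pipe fails that check; `pty.spawn` passes it. The probe below runs a constructed shell snippet both ways, using `pty.openpty()` directly instead of `pty.spawn` so the result can be captured:

```python
import os
import pty
import subprocess

# Constructed probe: reports whether the shell's stdin is a terminal.
PROBE = ["sh", "-c", "if [ -t 0 ]; then echo tty; else echo notty; fi"]


def probe_over_pipe() -> str:
    """Run the probe the way an un-upgraded reverse shell runs: stdin is not a tty."""
    result = subprocess.run(
        PROBE, stdin=subprocess.DEVNULL, capture_output=True, text=True
    )
    return result.stdout.strip()


def probe_over_pty() -> str:
    """Run the probe with a pseudoterminal on stdin/stdout, which is what
    pty.spawn('/bin/bash') gives the upgraded shell."""
    master, slave = pty.openpty()
    proc = subprocess.Popen(PROBE, stdin=slave, stdout=slave, stderr=slave)
    os.close(slave)  # only the child holds the slave side now
    chunks = []
    while True:
        try:
            data = os.read(master, 1024)
        except OSError:  # Linux raises EIO once the child has closed the slave
            break
        if not data:
            break
        chunks.append(data)
    proc.wait()
    os.close(master)
    # the pty line discipline turns "\n" into "\r\n"; strip() removes both
    return b"".join(chunks).decode().strip()


if __name__ == "__main__":
    print("pipe:", probe_over_pipe())
    print("pty: ", probe_over_pty())
```

The same `[ -t 0 ]` check is a quick way to confirm, from inside the shell, whether an upgrade actually took effect.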

## Infinite Ping

On Linux, `ping` without a count runs until it is interrupted (unlike Windows, where it stops after four echo requests). When pinging to check for command injection, always give it a maximum number of packets, otherwise the injected command never returns and the request hangs:

```bash
ping -c 5 some_ip
```

## OS Fingerprinting with Ping

Different operating systems use different initial TTL values in their replies, so the TTL in a ping response is a rough fingerprint. Every router on the path decrements the TTL by one, so the observed value is the initial value minus the hop count:

```bash
ping -c 5 some_ip
# Linux TTL: around 64 (e.g. 63 or 62 after one or two hops)
# Windows TTL: around 128
```

Treat this as a hint, not proof: some network devices and Unix variants start at 255, a host many hops away can land near a lower default, and firewalls or load balancers in the path may rewrite the TTL.
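As an added example (not from the original file), a small parser that pulls the TTL out of ping output and rounds it up to the nearest common default; the Linux and Windows values are the ones stated above, 255 is added as the other common default, and the sample replies are constructed:

```python
import re
from typing import Dict, List, Optional, Tuple

# Initial TTL -> likely origin. 64 and 128 are the values above; 255 is the other
# common default (many network devices, some Unix variants).
INITIAL_TTLS: Dict[int, str] = {
    64: "Linux / Unix-like",
    128: "Windows",
    255: "network device or other Unix",
}

# Matches Linux "ttl=63" as well as Windows "TTL=127".
TTL_RE = re.compile(r"\bttl=(\d+)", re.IGNORECASE)

# Constructed sample output, not real captures.
LINUX_REPLY = """PING 10.0.0.5 (10.0.0.5) 56(84) bytes of data.
64 bytes from 10.0.0.5: icmp_seq=1 ttl=63 time=0.412 ms
64 bytes from 10.0.0.5: icmp_seq=2 ttl=63 time=0.398 ms
"""
WINDOWS_REPLY = """Reply from 10.0.0.9: bytes=32 time=2ms TTL=118
Reply from 10.0.0.9: bytes=32 time=1ms TTL=118
"""


def observed_ttls(ping_output: str) -> List[int]:
    """Every TTL value found in the ping output."""
    return [int(value) for value in TTL_RE.findall(ping_output)]


def guess_initial_ttl(observed: int) -> Tuple[int, int]:
    """Round up to the smallest common default; the difference is the hop count.
    Ambiguity is inherent: an observed 60 is guessed as Linux 4 hops away,
    although Windows 68 hops away would give the same value."""
    for initial in sorted(INITIAL_TTLS):
        if observed <= initial:
            return initial, initial - observed
    raise ValueError(f"TTL {observed} exceeds the maximum of 255")


def fingerprint(ping_output: str) -> Optional[Dict[str, object]]:
    """Summarise one ping run; None when no reply carried a TTL (timeouts only)."""
    ttls = observed_ttls(ping_output)
    if not ttls:
        return None
    observed = max(ttls)  # replies normally agree; the highest is closest to the default
    initial, hops = guess_initial_ttl(observed)
    return {
        "observed_ttl": observed,
        "initial_ttl": initial,
        "hops": hops,
        "os_guess": INITIAL_TTLS[initial],
    }


if __name__ == "__main__":
    print(fingerprint(LINUX_REPLY))
    print(fingerprint(WINDOWS_REPLY))
    print(fingerprint("Request timed out."))
```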

## Temporary Files

`/dev/shm` on Linux is a tmpfs mount. Files placed there live in memory rather than on the disk filesystem and are gone after a reboot, which makes it fast to write and read and leaves nothing on disk for later forensics. Two caveats: tmpfs pages can still be swapped out if the machine swaps, so "RAM only" is not a guarantee, and the directory is world-writable, so anything you drop there is visible to other users unless your umask restricts it.

## SSH Port Forwarding after connecting

With `EnableEscapeCommandline yes` in your SSH client config (required since OpenSSH 9.2, which disabled the escape command line by default), typing `~C` at the start of a line in an established session opens an `ssh>` prompt where you can add port forwards (`-L`, `-R`, `-D`) with the same syntax as on the command line, or cancel one with the `-K` prefix, without reconnecting. See the ESCAPE CHARACTERS section of ssh(1).

## Space Restrictions

If spaces are stripped from or rejected in your command input, you may be able to bypass the filter with one of these:

```bash
# 1. bash brace expansion (bash only, not POSIX sh)
{echo,test}   # == echo test
# 2. IFS variable (space, tab and newline by default; works in any POSIX shell)
echo${IFS}test   # == echo test
```

With the IFS trick the braces are required whenever a word character follows: `$IFStest` is read as the (unset) variable `IFStest`, not as `$IFS` followed by `test`.
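As an added example (not from the original file), a constructed injection sink that rejects spaces, with both bypasses run through it and the `${IFS}` gotcha shown; the payloads are executed through `sh`, and brace expansion through `bash` because POSIX `sh` does not have it:

```python
import shutil
import subprocess


def filtered_exec(user_input: str, shell: str = "sh") -> str:
    """Constructed stand-in for a command-injection sink: it rejects any space
    and hands everything else to a shell. Returns the command's stdout."""
    if " " in user_input:
        raise ValueError("spaces are not allowed")
    result = subprocess.run([shell, "-c", user_input], capture_output=True, text=True)
    return result.stdout.rstrip("\n")


def bash_available() -> bool:
    return shutil.which("bash") is not None


def space_is_blocked() -> bool:
    """Sanity check: the plain payload is caught by the filter."""
    try:
        filtered_exec("echo hello world")
    except ValueError:
        return True
    return False


def ifs_bypass() -> str:
    # ${IFS} expands to space/tab/newline, which field splitting then treats as
    # separators, so the shell runs: echo hello world
    return filtered_exec("echo${IFS}hello${IFS}world")


def ifs_without_braces() -> str:
    # Gotcha: $IFSworld is the (unset) variable IFSworld, so "world" silently vanishes
    return filtered_exec("echo${IFS}hello$IFSworld")


def brace_bypass() -> str:
    # {echo,hello,world} expands to three words before execution, bash only
    return filtered_exec("{echo,hello,world}", shell="bash")


if __name__ == "__main__":
    print(space_is_blocked(), repr(ifs_bypass()), repr(ifs_without_braces()))
    if bash_available():
        print(repr(brace_bypass()))
```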

## Fast root shell

If you are already on the system as an unprivileged user and additionally have a restricted command injection that runs as root, set the suid bit on /bin/bash through the injection and then start bash as your own user. Bash drops the effective uid back to the real uid when they differ, so the `-p` flag is required to keep root:

```bash
chmod u+s /bin/bash   # run through the root command injection
/bin/bash -p          # as the other user; the effective uid is now 0
```

This is a loud, persistent change: a setuid bash stands out in any sweep for setuid binaries and in file-integrity monitoring, so remove the bit once you have a better foothold. It also does nothing if /bin/bash lives on a filesystem mounted with `nosuid`.