Scripting

Hack Responsibly.

Always ensure you have explicit permission to access any computer system before using any of the techniques contained in these documents. You accept full responsibility for your actions by applying any knowledge gained here.

TODO: Separate Bash and Python scripting pages...and add more

Bash

Bash Scripting Basics

[+] Shebang:

#!/bin/bash

[+] Variables

name=Bob
echo $name
user=$(whoami)
echo $user
echo 'Hello' $name. 'You are running as' $user.

[+] Simple script example

#!/bin/bash
clear
echo "Hello World"
name=Bob
ip=`ifconfig | grep "Bcast:" | cut -d":" -f2 | cut -d" " -f1`
echo "Hello" $name "Your IP address is:" $ip

[+] User Input

read -p "IP: " IP

Example script with read

#!/bin/bash
echo "Please input the IP address"
read -p "IP: " IP
ping -c 5 $IP

[+] Check For No User Input

if [ -z $domain ]; then
	echo
	echo "#########################"
	echo
	echo "Invalid choice."
	echo
	exit
fi

[+] For loops

#!/bin/bash
for host in $(cat hosts.txt)
do
	echo $host
done

[+] Port Scan one liner

for port in $(cat Ports.txt); do nc -nzv 192.168.0.1 $port & sleep 0.5; done

Check for root privileges

When user account created a user ID is assigned to each user. BASH shell stores the user ID in the $UID environment variable. The effective user ID is stored in the $EUID variable.

You can easily add a simple check at the start of a script to make sure it is being run with root privileges.

Old way to check for root privileges

#!/bin/bash

# Make sure only the root user can run the script
# Or it is run with sudo
if [ "$(id -u)" != "0" ]; then
   echo "This script must be run as root." 1>&2
   exit 1
fi

New way: Using EUID

#!/bin/bash

# Make sure only the root user can run our script
# Or it is run with sudo
if [[ $EUID -ne 0 ]]; then
   echo "This script must be run as root." 1>&2
   exit 1
fi

MISC

https://www.techbrown.com/most-useful-bash-scripts-linux-sysadmin/

wget https://raw.githubusercontent.com/sathisharthar/Admin-Scripts/master/sysinop

Add to multitool.sh:create wordlists with cewl & Hashcat; add add options to use mangling rules;

Add to multitool.sh: crack passwords with Hashcat

#crack passwords with hashcat; 

#get user input for attack type - make attack type listing with numeric selections;

#get user input for hash type 

hashcat --help | grep -i $hash_selection 
#|>then prompt user to input the hash type # identifier; 

#Get user input for file with hashes to crack
#|>Check if hashlist includes usernames (in format username:hash)
#|>if so add --username to hashcat syntax

#Get user input for password list to use for cracking

#Ask user if they want to apply any mangling rules or a mask
#|>if mask is chosen display a short help screen of default mask types
#|>as well as describe -1 and -2 user masks
#|>make sure character escapes work properly and don't cause problems below

echo '\?l = abcdefghijklmnopqrstuvwxyz'
echo '\?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ'
echo '\?d = 0123456789'
echo '\?s = \!\"\#\$\%\&\'\(\)\*\+\,\-\.\/\:\;\<\=\>\?\@\[\]\^\_\`\{\|\}\~'
echo '\?a = \?l\?u\?d\?s'
echo '\?b = 0x00 - 0xff'

#basic execution syntax: 
hashcat -D1,2 -O --force -a $attack_type -m $hash_id $hash_list $pass_list

#find out if hashcat has problems with blank variables
#|>if not then add variables for the proper flags + user input for mangling/masks
#|>ex: rules="-r $user_rules"

Python

Python Functions

Dealing with Sockets

https://pequalsnp-team.github.io/cheatsheet/socket-basics-py-js-rb

MISC

#checks the output from crypto and sees if at least 60% is ascii letters and returns true for possible plaintext
def is_plaintext(ptext):
    num_letters = sum(map(lambda x : 1 if x in string.ascii_letters else 0, ptext))
    if num_letters / len(ptext) >= .6:
      return True

PHP

PHP Functions

PHP Server

https://www.php.net/manual/en/features.commandline.webserver.php When starting php -S on a mac (in my case macOS Sierra) to host a local server, I had trouble with connecting from legacy Java. As it turned out, if you started the php server with php -S localhost:80 the server will be started with ipv6 support only! To access it via ipv4, you need to change the start up command like so: php -S 127.0.0.1:80 which starts server in ipv4 mode only.

It’s not mentioned directly, and may not be obvious, but you can also use this to create a virtual host. This, of course, requires the help of your hosts file. Here are the steps:

1    /etc/hosts
    127.0.0.1    www.example.com
2    cd [root folder]
    php -S www.example.com:8000
3    Browser:
    http://www.example.com:8000/index.php

In order to set project specific configuration options, simply add a php.ini file to your project, and then run the built-in server with this flag: php -S localhost:8000 -c php.ini

Example #6 Accessing the CLI Web Server From Remote Machines You can make the web server accessible on port 8000 to any interface with: $ php -S 0.0.0.0:8000

Example #2 Starting with a specific document root directory

$ cd ~/public_html
$ php -S localhost:8000 -t foo/
Listening on localhost:8000
Document root is /home/me/public_html/foo

PHP Jail Escape

With file_get_contents()

print file_get_contents('flag.txt');

With readfile()

echo readfile("flag.txt");

With popen()

popen("vi", "w");

:r flag.txt
   or
:!/bin/bash

With highlight_file()

highlight_file(glob("flag.txt")[0]);
   or
highlight_file(glob("fl*txt")[0]);

With highlight_source()

highlight_source("flag.txt");
   or
highlight_source(glob("*")[4]);

With Finfo()

new Finfo(0,glob(hex2bin(hex2bin(3261)))[0]);

If you like this content and would like to see more, please consider buying me a coffee!

Last updated